gh0strat | cd397335c360e1e71e9b65be8b24b6c2e6eea1447ae95bb814dfa361f7aae0f7

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07-09-2024 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

quickq-setup.exe
Size

125.1MB
MD5

ee40b74f94dd1ed9d4a7f4d4f822d4cc
SHA1

2f3dfaddacd891eeb81d696a95f66e5eb13d80ba
SHA256

cd397335c360e1e71e9b65be8b24b6c2e6eea1447ae95bb814dfa361f7aae0f7
SHA512

a5b311d352bb7ce1750033fef6770079c2992dc298bde898039ca8727a07d5aa5b48fb39cd2014be2c364c2298622b4f6d5facc81ee5c0e35e81d6fdcfbdfcea
SSDEEP

3145728:Qj5e6GreS1e3aoeAmloP6AxVmsOQq9x/tDkIH2t0/5:1ULzmUBx3sjBOt85

Score

10^/10

gh0strat purplefox discovery rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 5 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/2064-13243-0x0000000010000000-0x000000001019F000-memory.dmp	purplefox_rootkit
behavioral2/memory/2064-13648-0x0000000000400000-0x0000000001F86000-memory.dmp	purplefox_rootkit
behavioral2/memory/14972-26422-0x0000000000400000-0x0000000001F86000-memory.dmp	purplefox_rootkit
behavioral2/memory/50836-39566-0x0000000010000000-0x000000001019F000-memory.dmp	purplefox_rootkit
behavioral2/memory/50836-39573-0x0000000000400000-0x0000000001F86000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 5 IoCs

resource	yara_rule
behavioral2/memory/2064-13243-0x0000000010000000-0x000000001019F000-memory.dmp	family_gh0strat
behavioral2/memory/2064-13648-0x0000000000400000-0x0000000001F86000-memory.dmp	family_gh0strat
behavioral2/memory/14972-26422-0x0000000000400000-0x0000000001F86000-memory.dmp	family_gh0strat
behavioral2/memory/50836-39566-0x0000000010000000-0x000000001019F000-memory.dmp	family_gh0strat
behavioral2/memory/50836-39573-0x0000000000400000-0x0000000001F86000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Executes dropped EXE 6 IoCs

pid	Process
4976	MSIB8B8.tmp
4404	win32-quickq.exe
1220	MSIBC05.tmp
2064	WindowsProgram.exe
14972	Vwogw.exe
50836	Vwogw.exe

Loads dropped DLL 22 IoCs

pid	Process
1824	MsiExec.exe
1824	MsiExec.exe
2316	MsiExec.exe
2316	MsiExec.exe
2316	MsiExec.exe
2316	MsiExec.exe
2316	MsiExec.exe
2316	MsiExec.exe
4404	win32-quickq.exe
4404	win32-quickq.exe
4404	win32-quickq.exe
4404	win32-quickq.exe
4404	win32-quickq.exe
4404	win32-quickq.exe
4404	win32-quickq.exe
4404	win32-quickq.exe
4404	win32-quickq.exe
4404	win32-quickq.exe
4404	win32-quickq.exe
4404	win32-quickq.exe
4404	win32-quickq.exe
4404	win32-quickq.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	Vwogw.exe
File opened (read-only)	\??\Z:	Vwogw.exe
File opened (read-only)	\??\U:	Vwogw.exe
File opened (read-only)	\??\N:	quickq-setup.exe
File opened (read-only)	\??\Z:	quickq-setup.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	Vwogw.exe
File opened (read-only)	\??\O:	Vwogw.exe
File opened (read-only)	\??\Q:	quickq-setup.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	quickq-setup.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	Vwogw.exe
File opened (read-only)	\??\P:	Vwogw.exe
File opened (read-only)	\??\T:	Vwogw.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	Vwogw.exe
File opened (read-only)	\??\V:	Vwogw.exe
File opened (read-only)	\??\A:	quickq-setup.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	quickq-setup.exe
File opened (read-only)	\??\H:	quickq-setup.exe
File opened (read-only)	\??\J:	quickq-setup.exe
File opened (read-only)	\??\O:	quickq-setup.exe
File opened (read-only)	\??\R:	quickq-setup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\I:	Vwogw.exe
File opened (read-only)	\??\N:	Vwogw.exe
File opened (read-only)	\??\W:	Vwogw.exe
File opened (read-only)	\??\B:	quickq-setup.exe
File opened (read-only)	\??\M:	quickq-setup.exe
File opened (read-only)	\??\P:	quickq-setup.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	quickq-setup.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	Vwogw.exe
File opened (read-only)	\??\Y:	quickq-setup.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Vwogw.exe	WindowsProgram.exe
File opened for modification	C:\Windows\SysWOW64\Vwogw.exe	WindowsProgram.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 36 IoCs

pid	Process
2064	WindowsProgram.exe
2064	WindowsProgram.exe
2064	WindowsProgram.exe
14972	Vwogw.exe
2064	WindowsProgram.exe
14972	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIADA5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE53.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF30.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{FDEE07BB-D7EC-4457-B813-AE6D741924CF}	msiexec.exe
File created	C:\Windows\Installer\e57ad38.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE42.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAEC1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB750.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB8B8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57ad38.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF50.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC05.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	quickq-setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win32-quickq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIBC05.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vwogw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Vwogw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIB8B8.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WindowsProgram.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
50772	cmd.exe
8384	PING.EXE

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Vwogw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Vwogw.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
14808	taskkill.exe
15028	taskkill.exe
16308	taskkill.exe
17728	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum\Version = "7"	Vwogw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum	Vwogw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	Vwogw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	Vwogw.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	Vwogw.exe

Modifies registry class 35 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 560031000000000002597b6312004170704461746100400009000400efbe02597b63275954732e00000072e10100000001000000000000000000000000000000480966004100700070004400610074006100000016000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 500031000000000027595b7310004c6f63616c003c0009000400efbe02597b6327595b732e00000085e1010000000100000000000000000000000000000083a223004c006f00630061006c00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 780031000000000002597b631100557365727300640009000400efbe874f7748275954732e000000c70500000000010000000000000000003a00000000009ef4710055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 50003100000000000259696c100041646d696e003c0009000400efbe02597b63275954732e00000067e1010000000100000000000000000000000000000070398e00410064006d0069006e00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 540031000000000027596e731000517569636b5100003e0009000400efbe27595b73275972732e00000053e50100000008000000000000000000000000000000fd55040051007500690063006b005100000016000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
8384	PING.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
16100	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3932	msiexec.exe
3932	msiexec.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe
50836	Vwogw.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	3932	msiexec.exe
Token: SeCreateTokenPrivilege	2884	quickq-setup.exe
Token: SeAssignPrimaryTokenPrivilege	2884	quickq-setup.exe
Token: SeLockMemoryPrivilege	2884	quickq-setup.exe
Token: SeIncreaseQuotaPrivilege	2884	quickq-setup.exe
Token: SeMachineAccountPrivilege	2884	quickq-setup.exe
Token: SeTcbPrivilege	2884	quickq-setup.exe
Token: SeSecurityPrivilege	2884	quickq-setup.exe
Token: SeTakeOwnershipPrivilege	2884	quickq-setup.exe
Token: SeLoadDriverPrivilege	2884	quickq-setup.exe
Token: SeSystemProfilePrivilege	2884	quickq-setup.exe
Token: SeSystemtimePrivilege	2884	quickq-setup.exe
Token: SeProfSingleProcessPrivilege	2884	quickq-setup.exe
Token: SeIncBasePriorityPrivilege	2884	quickq-setup.exe
Token: SeCreatePagefilePrivilege	2884	quickq-setup.exe
Token: SeCreatePermanentPrivilege	2884	quickq-setup.exe
Token: SeBackupPrivilege	2884	quickq-setup.exe
Token: SeRestorePrivilege	2884	quickq-setup.exe
Token: SeShutdownPrivilege	2884	quickq-setup.exe
Token: SeDebugPrivilege	2884	quickq-setup.exe
Token: SeAuditPrivilege	2884	quickq-setup.exe
Token: SeSystemEnvironmentPrivilege	2884	quickq-setup.exe
Token: SeChangeNotifyPrivilege	2884	quickq-setup.exe
Token: SeRemoteShutdownPrivilege	2884	quickq-setup.exe
Token: SeUndockPrivilege	2884	quickq-setup.exe
Token: SeSyncAgentPrivilege	2884	quickq-setup.exe
Token: SeEnableDelegationPrivilege	2884	quickq-setup.exe
Token: SeManageVolumePrivilege	2884	quickq-setup.exe
Token: SeImpersonatePrivilege	2884	quickq-setup.exe
Token: SeCreateGlobalPrivilege	2884	quickq-setup.exe
Token: SeCreateTokenPrivilege	2884	quickq-setup.exe
Token: SeAssignPrimaryTokenPrivilege	2884	quickq-setup.exe
Token: SeLockMemoryPrivilege	2884	quickq-setup.exe
Token: SeIncreaseQuotaPrivilege	2884	quickq-setup.exe
Token: SeMachineAccountPrivilege	2884	quickq-setup.exe
Token: SeTcbPrivilege	2884	quickq-setup.exe
Token: SeSecurityPrivilege	2884	quickq-setup.exe
Token: SeTakeOwnershipPrivilege	2884	quickq-setup.exe
Token: SeLoadDriverPrivilege	2884	quickq-setup.exe
Token: SeSystemProfilePrivilege	2884	quickq-setup.exe
Token: SeSystemtimePrivilege	2884	quickq-setup.exe
Token: SeProfSingleProcessPrivilege	2884	quickq-setup.exe
Token: SeIncBasePriorityPrivilege	2884	quickq-setup.exe
Token: SeCreatePagefilePrivilege	2884	quickq-setup.exe
Token: SeCreatePermanentPrivilege	2884	quickq-setup.exe
Token: SeBackupPrivilege	2884	quickq-setup.exe
Token: SeRestorePrivilege	2884	quickq-setup.exe
Token: SeShutdownPrivilege	2884	quickq-setup.exe
Token: SeDebugPrivilege	2884	quickq-setup.exe
Token: SeAuditPrivilege	2884	quickq-setup.exe
Token: SeSystemEnvironmentPrivilege	2884	quickq-setup.exe
Token: SeChangeNotifyPrivilege	2884	quickq-setup.exe
Token: SeRemoteShutdownPrivilege	2884	quickq-setup.exe
Token: SeUndockPrivilege	2884	quickq-setup.exe
Token: SeSyncAgentPrivilege	2884	quickq-setup.exe
Token: SeEnableDelegationPrivilege	2884	quickq-setup.exe
Token: SeManageVolumePrivilege	2884	quickq-setup.exe
Token: SeImpersonatePrivilege	2884	quickq-setup.exe
Token: SeCreateGlobalPrivilege	2884	quickq-setup.exe
Token: SeCreateTokenPrivilege	2884	quickq-setup.exe
Token: SeAssignPrimaryTokenPrivilege	2884	quickq-setup.exe
Token: SeLockMemoryPrivilege	2884	quickq-setup.exe
Token: SeIncreaseQuotaPrivilege	2884	quickq-setup.exe
Token: SeMachineAccountPrivilege	2884	quickq-setup.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
2884	quickq-setup.exe
3352	msiexec.exe
3352	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4404	win32-quickq.exe
16100	explorer.exe
16100	explorer.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3932 wrote to memory of 1824	3932	msiexec.exe	88
PID 3932 wrote to memory of 1824	3932	msiexec.exe	88
PID 3932 wrote to memory of 1824	3932	msiexec.exe	88
PID 2884 wrote to memory of 3352	2884	quickq-setup.exe	89
PID 2884 wrote to memory of 3352	2884	quickq-setup.exe	89
PID 2884 wrote to memory of 3352	2884	quickq-setup.exe	89
PID 3932 wrote to memory of 2316	3932	msiexec.exe	90
PID 3932 wrote to memory of 2316	3932	msiexec.exe	90
PID 3932 wrote to memory of 2316	3932	msiexec.exe	90
PID 3932 wrote to memory of 4976	3932	msiexec.exe	91
PID 3932 wrote to memory of 4976	3932	msiexec.exe	91
PID 3932 wrote to memory of 4976	3932	msiexec.exe	91
PID 3932 wrote to memory of 1220	3932	msiexec.exe	93
PID 3932 wrote to memory of 1220	3932	msiexec.exe	93
PID 3932 wrote to memory of 1220	3932	msiexec.exe	93
PID 4404 wrote to memory of 14808	4404	win32-quickq.exe	96
PID 4404 wrote to memory of 14808	4404	win32-quickq.exe	96
PID 4404 wrote to memory of 14808	4404	win32-quickq.exe	96
PID 4404 wrote to memory of 15028	4404	win32-quickq.exe	100
PID 4404 wrote to memory of 15028	4404	win32-quickq.exe	100
PID 4404 wrote to memory of 15028	4404	win32-quickq.exe	100
PID 4404 wrote to memory of 16308	4404	win32-quickq.exe	102
PID 4404 wrote to memory of 16308	4404	win32-quickq.exe	102
PID 4404 wrote to memory of 16308	4404	win32-quickq.exe	102
PID 4404 wrote to memory of 17728	4404	win32-quickq.exe	104
PID 4404 wrote to memory of 17728	4404	win32-quickq.exe	104
PID 4404 wrote to memory of 17728	4404	win32-quickq.exe	104
PID 4404 wrote to memory of 50516	4404	win32-quickq.exe	106
PID 4404 wrote to memory of 50516	4404	win32-quickq.exe	106
PID 4404 wrote to memory of 50516	4404	win32-quickq.exe	106
PID 4404 wrote to memory of 50576	4404	win32-quickq.exe	108
PID 4404 wrote to memory of 50576	4404	win32-quickq.exe	108
PID 4404 wrote to memory of 50576	4404	win32-quickq.exe	108
PID 2064 wrote to memory of 50772	2064	WindowsProgram.exe	110
PID 2064 wrote to memory of 50772	2064	WindowsProgram.exe	110
PID 2064 wrote to memory of 50772	2064	WindowsProgram.exe	110
PID 14972 wrote to memory of 50836	14972	Vwogw.exe	111
PID 14972 wrote to memory of 50836	14972	Vwogw.exe	111
PID 14972 wrote to memory of 50836	14972	Vwogw.exe	111
PID 50772 wrote to memory of 8384	50772	cmd.exe	116
PID 50772 wrote to memory of 8384	50772	cmd.exe	116
PID 50772 wrote to memory of 8384	50772	cmd.exe	116
PID 4404 wrote to memory of 5340	4404	win32-quickq.exe	119
PID 4404 wrote to memory of 5340	4404	win32-quickq.exe	119
PID 4404 wrote to memory of 5340	4404	win32-quickq.exe	119
PID 4404 wrote to memory of 5408	4404	win32-quickq.exe	121
PID 4404 wrote to memory of 5408	4404	win32-quickq.exe	121
PID 4404 wrote to memory of 5408	4404	win32-quickq.exe	121
PID 4404 wrote to memory of 16144	4404	win32-quickq.exe	126
PID 4404 wrote to memory of 16144	4404	win32-quickq.exe	126
PID 4404 wrote to memory of 16144	4404	win32-quickq.exe	126

C:\Users\Admin\AppData\Local\Temp\quickq-setup.exe
"C:\Users\Admin\AppData\Local\Temp\quickq-setup.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\QuickQ\QuickQ 6.0.137.0\install\quickq-setup.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\quickq-setup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1725478575 " AI_EUIMSI=""
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:3352

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3932
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EA7781F5207569170B43078A8BCD19D2 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1824
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BF7C93E4D851AC8586DDB43EB6278A7E
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2316
- C:\Windows\Installer\MSIB8B8.tmp
  "C:\Windows\Installer\MSIB8B8.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\win32-quickq.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4976
- C:\Windows\Installer\MSIBC05.tmp
  "C:\Windows\Installer\MSIBC05.tmp" /DontWait "C:\Users\Admin\AppData\Local\Temp\WindowsProgram.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1220

C:\Users\Admin\AppData\Local\Temp\win32-quickq.exe
"C:\Users\Admin\AppData\Local\Temp\win32-quickq.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4404
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -F -IM quickq.exe -t
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:14808
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -F -IM quickq-browser.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:15028
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -F -IM typeperf.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:16308
- C:\Windows\SysWOW64\taskkill.exe
  taskkill -F -IM quickqservice-*
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  PID:17728
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c copy "C:\Users\Admin\AppData\Local\QuickQ\User Data\Default\cache.dat" "C:\Users\Admin\AppData\Local\QuickQ\cachebak.dat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:50516
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c copy "C:\Users\Admin\AppData\Local\QuickQ\User Data\Default\cache6.dat" "C:\Users\Admin\AppData\Local\QuickQ\cachebak6.dat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:50576
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c copy "C:\Users\Admin\AppData\Local\QuickQ\cachebak.dat" "C:\Users\Admin\AppData\Local\QuickQ\User Data\Default\cache.dat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5340
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c copy "C:\Users\Admin\AppData\Local\QuickQ\cachebak6.dat" "C:\Users\Admin\AppData\Local\QuickQ\User Data\Default\cache6.dat"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:5408
- C:\Windows\SysWOW64\explorer.exe
  explorer.exe /select,"C:\Users\Admin\AppData\Local\QuickQ\QuickQ.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:16144

C:\Users\Admin\AppData\Local\Temp\WindowsProgram.exe
"C:\Users\Admin\AppData\Local\Temp\WindowsProgram.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\WINDOW~1.EXE > nul
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:50772
- - C:\Windows\SysWOW64\PING.EXE
    ping -n 2 127.0.0.1
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:8384

C:\Windows\SysWOW64\Vwogw.exe
C:\Windows\SysWOW64\Vwogw.exe -auto
1⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:14972
- C:\Windows\SysWOW64\Vwogw.exe
  C:\Windows\SysWOW64\Vwogw.exe -acsi
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  PID:50836

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:16100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:15976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ad3b.rbs

Filesize
421KB

MD5
699317170aaa54731e7547d8b8deec62

SHA1
bbbcdf0be8604861915abd8a0cce81c908bd2ee7

SHA256
363715784c5ceda9ae2fadcfe3d008238c16d7c90a1100a5d3f5fe22d5fc7e6c

SHA512
a47edeba3bf442c0496593a8944583a7bb34cf81d548cf9b6a23536861677a4c58cbfc3c3c283c831190b3dad5c927d00e97cf36bc84a9c4fbcb804eba941f06

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\QuickQ.exe

Filesize
2.0MB

MD5
ab0e135992a4c0676e8506f2847d5275

SHA1
44b8201033afeddab58fea80f1f662b5914434f2

SHA256
00e28fb333fdd952138c2586ab7d698a039deae52be39b2bb7350b67141b902f

SHA512
243fed0896ac0bd0956905eb66a91ce03f4fb222032244609c6a6ad76b1e2fa6224159cb00ceaab6d23b0b4c6edd8a486749b67a115271ddf6f45fa7d76bb178

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\QuickQ.lnk

Filesize
1KB

MD5
6617d744203a4a79d2cf052a0f385919

SHA1
1e75b0f391da7ce19991a63a8a4075072b0bcdef

SHA256
0f0b9dd909f9a5ee54dbc7050b9eeac96ddb6d73fac5997e07dd1e8d553b08ea

SHA512
abcb683958b494065204f012778e92299fbc968f8151a576eaf06143e7b97f24944dbc48ac949404d9c766ef61d3f12683d19154bc49a209674b36b510d65250

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\locales\bg.pak.info

Filesize
742KB

MD5
d611503e029dab3c1262127dff2f899e

SHA1
415ccea2e7e47f294366490fde386d74261f8e33

SHA256
d0b585f25524b300bc67a510bb9674558656656d97a145ea13ae43aad3b7b9a6

SHA512
97df2a88fa4414c2d8f66aecefe166c5044db2576efc39c76446446850702d0d9e0221476c435f8ec44b38eafae49912f7c81fefd194c919d87f7178b9fc3f4c

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\notification_helper.exe

Filesize
829KB

MD5
f02412897f9fede5ad9b8426bea4ceb4

SHA1
2867508e60bcd0b1e9333755845377cd921770fa

SHA256
d123e505bf5fda510c2ea066d034b7d5adf5fa4e8fe7e8321ecfe5791a24959b

SHA512
1f546e97cadf91d34e2c39d4fe4a4518c7a43b2bc8222b46dbc37759aefc27d500734c47b481c94e784c6eb5967dd7a4b3a09b88e6b3e32ede13f98f015d9e2f

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\resource\win32\winproc\4\quickq_winproc.exe

Filesize
23KB

MD5
2955a0fac28d3951ffa5738ba07de7ce

SHA1
30633ca29e79bbecb1e7b074dd2f5783f05c556b

SHA256
01b2e339f7205794e3708cebf66db7bb4940e7ae82497244307ff9561a001986

SHA512
f1dc5387b4862091ff912be801dd146d6c3a1f913a56cd3040a0ddbfcbc516c448d78606b47f609a3b05ff808d5a6ac5ef3aab0fa276bee96d0fd5e7e829b129

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\resource\win32\winproc\4\quickq_winproc_64.exe

Filesize
23KB

MD5
07e5da1aebc7f4d96cd8481f227798dd

SHA1
101e92945a762869f26d2dfd242b3e957f6afedb

SHA256
9db5f4b9ddd00abd44decce002f6a23d5efffe00afddeaf84f5a31611ffc95dd

SHA512
a5bc4206b448d4cc68f6d05768af5589e18e7adfa2a89c283778e6268f37d41815686ec0b22f6387b722eef57c13426fef49cbaeb9b53cd8ff28ebe5fca38993

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAA79.tmp

Filesize
587KB

MD5
c7fbd5ee98e32a77edf1156db3fca622

SHA1
3e534fc55882e9fb940c9ae81e6f8a92a07125a0

SHA256
e140990b509dd6884a5742bde64f2cdaa10012d472b0b32de43ebecbc83242b6

SHA512
8691ac8b214cc1e4f34a3ab2bbc0c2391f7f11ebbe5db0dc82825195b5fe5a05310ed1e14d253a9b74a64050d2f2a6623dd2fcd912f80fef51e51845ef1e3a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WindowsProgram.exe

Filesize
27.5MB

MD5
e3a4619f74bf5ddb0b86a608c856533c

SHA1
df104c58287ac6c8bcabea6a90c8e983808f8584

SHA256
f45ee58da74b210038b528fe2fbd9fc1593b26acb1fb94a5b8ef21d77485d011

SHA512
1b6fcd259bce33a5d0d406e72fb15bdeba4183c36a75a3e98daa802385614e2ce87ab6aef7286eef83cdf2bc41e07636b883717d4bfe7dc7fc4ba35315009284

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBCB9.tmp\InstallOptions.dll

Filesize
14KB

MD5
8d5a5529462a9ba1ac068ee0502578c7

SHA1
875e651e302ce0bfc8893f341cf19171fee25ea5

SHA256
e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790

SHA512
101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBCB9.tmp\LangDLL.dll

Filesize
5KB

MD5
77ff758c10c66937de6d86c388aa431c

SHA1
14bd5628eaf8a12b55cd38f9560c839cb21ce77a

SHA256
6a033e367714ec0d13fca0589c165bdbf4d1dac459fa7ec7415815223fa3c008

SHA512
319837951be276a179ead69efcd24bd7566061abc7997ea782af50bd4b0d69e5ec1a6e4cdeb2825bafedf87edf03380396b7bcf58682b6a3a824c8dc4b966bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBCB9.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBCB9.tmp\ioSpecial.ini

Filesize
541B

MD5
909ba1b5692109aed15657ed237bcf79

SHA1
ad1f896cbfe46d45ab177478f69803008ea9c86d

SHA256
b89cc3a773ad42d89cb431e6828dfa76e1fd2e2c59f60868a4845dbbb2995d3a

SHA512
42fd76e9057edbb8685ccb68660403b949750af7a988809fbc05624c475c2996b75879ef22bc63b4ad481bebac49f7df8f2fce04723e972cd95c9c56860a27c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBCB9.tmp\ioSpecial.ini

Filesize
541B

MD5
2ee5f032c5570e133e50e5a011e2fb59

SHA1
bacca5aa17177e735eb05e402eb5083e61b25653

SHA256
666816914bc004135b99984006a6e253af7a78ece0744b6b242a4c6003756cc4

SHA512
1b2bf2ef12129588e8a31bf78afa03ac3b04ed7770bfc3408bac8ba9e831cb643da537360556fbf3cb54798561b9a2f8accc1a7d820ce3c541378fc5064182b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBCB9.tmp\ioSpecial.ini

Filesize
679B

MD5
ba278b7c22cd9ac31c3de0bbe8cac080

SHA1
8aac2d92d758bcc8b4b047546cfe439a92c1c84d

SHA256
bd21d8574eb944fc4b3c3599c7deb51cc6c8a2d37130caf4feb797ea9d6399a1

SHA512
a6789ca42f412badba8b505b1136eab56a8b236975cff448cf63c37448a4d817ff8d771ac8405278cf107492cabb588ad487e922529a977ce9e709609ae61c99

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBCB9.tmp\nsExec.dll

Filesize
6KB

MD5
1f49d8af9be9e915d54b2441c4a79adf

SHA1
1ee4f809c693e31f34bc6d8153664a6dc2c3e499

SHA256
b22c8f676dec58be8d25fbad1a37835ffc4029f29aaf79f4dc0337ca73a38782

SHA512
c60827e322e3168a79795ffd4beb0b0039842128255100d6b005d261402d2ff570f3866f441f3d3c063097c71d44bc5ae80d177fa91ef4e46fc8c2d97de27aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsgBCB9.tmp\nsis7z.dll

Filesize
436KB

MD5
d7778720208a94e2049972fb7a1e0637

SHA1
080d607b10f93c839ec3f07faec3548bb78ac4dc

SHA256
98f425f30e42e85f57e039356e30d929e878fdb551e67abfb9f71c31eeb5d44e

SHA512
98493ea271738ed6ba3a02de774deef267bfa3c16f3736f1a1a3856b9fecc07f0ea8670827e7eb4ed05c907e96425a0c762e7010cb55a09302ca3cfb3fe44b2b

Download Submit
C:\Users\Admin\AppData\Roaming\QuickQ\QuickQ 6.0.137.0\install\quickq-setup.msi

Filesize
2.2MB

MD5
34c56b004794b7e45868551db3549239

SHA1
56524535090d9e491948a34c378666c98f4e9fe2

SHA256
9f269b2606604ddb8e11ab813f582670072c00723cfc5ce337ea84360b200707

SHA512
1693a8e291cf05d413b325b9c0b5d8e31e88d447a0b6a72859a62e93a0953f74570f863ec5f94d4797be15264dbf70795759d81d894a133d1fdaa477d4840eb5

Download Submit
C:\Windows\Installer\MSIAF50.tmp

Filesize
709KB

MD5
89136bfd28a2e1ec6b6d841214e1e670

SHA1
4c6aab98925cb556f7bf2dbbc9f7ed0da92ef2ab

SHA256
1a3c0e60aad0a3bb92a6e0b786df93920aed7b0c7ec56ab49f2692102ac5adec

SHA512
22237702745fe11a6f23a943f16a12f23b42fe04d87af6383afeccd854320f3a6961590a76ab6a04f020f9830fb3d9f8b34315ad007a5464dbdba2d543851812

Download Submit
C:\Windows\Installer\MSIB8B8.tmp

Filesize
419KB

MD5
cac0eaeb267d81cf3fa968ee23a6af9d

SHA1
cf6ae8e44fb4949d5f0b01b110eaba49d39270a2

SHA256
f1dd0dd1e83b28ffa2ed30f46f98e94a4919ec1f4e9d33720354288b77153774

SHA512
8edf9f733dda9000a6e2b70da61912dbc15f74c836d738391ceddcdff20f5b420a678450523cf331aa9bce90217aa92ac6e73d1880ae15c9842ccc7d3296f95b

Download Submit
memory/2064-13243-0x0000000010000000-0x000000001019F000-memory.dmp

Filesize
1.6MB

Download
memory/2064-13648-0x0000000000400000-0x0000000001F86000-memory.dmp

Filesize
27.5MB

Download
memory/2064-13237-0x0000000000400000-0x0000000001F86000-memory.dmp

Filesize
27.5MB

Download
memory/2064-13233-0x0000000000400000-0x0000000001F86000-memory.dmp

Filesize
27.5MB

Download
memory/2064-13232-0x0000000000400000-0x0000000001F86000-memory.dmp

Filesize
27.5MB

Download
memory/2064-13231-0x0000000000400000-0x0000000001F86000-memory.dmp

Filesize
27.5MB

Download
memory/2064-13230-0x0000000000400000-0x0000000001F86000-memory.dmp

Filesize
27.5MB

Download
memory/2064-6045-0x00000000770B0000-0x000000007712A000-memory.dmp

Filesize
488KB

Download
memory/2064-4036-0x0000000076440000-0x00000000765E0000-memory.dmp

Filesize
1.6MB

Download
memory/2064-162-0x0000000076E60000-0x0000000077075000-memory.dmp

Filesize
2.1MB

Download
memory/2064-161-0x0000000000400000-0x0000000001F86000-memory.dmp

Filesize
27.5MB

Download
memory/14972-26351-0x0000000000400000-0x0000000001F86000-memory.dmp

Filesize
27.5MB

Download
memory/14972-26422-0x0000000000400000-0x0000000001F86000-memory.dmp

Filesize
27.5MB

Download
memory/14972-13257-0x0000000076E60000-0x0000000077075000-memory.dmp

Filesize
2.1MB

Download
memory/14972-17140-0x0000000076440000-0x00000000765E0000-memory.dmp

Filesize
1.6MB

Download
memory/14972-19149-0x00000000770B0000-0x000000007712A000-memory.dmp

Filesize
488KB

Download
memory/14972-26346-0x0000000000400000-0x0000000001F86000-memory.dmp

Filesize
27.5MB

Download
memory/14972-26352-0x0000000000400000-0x0000000001F86000-memory.dmp

Filesize
27.5MB

Download
memory/14972-26356-0x0000000000400000-0x0000000001F86000-memory.dmp

Filesize
27.5MB

Download
memory/14972-26354-0x0000000000400000-0x0000000001F86000-memory.dmp

Filesize
27.5MB

Download
memory/14972-26362-0x0000000000400000-0x0000000001F86000-memory.dmp

Filesize
27.5MB

Download
memory/50836-39561-0x0000000000400000-0x0000000001F86000-memory.dmp

Filesize
27.5MB

Download
memory/50836-39573-0x0000000000400000-0x0000000001F86000-memory.dmp

Filesize
27.5MB

Download
memory/50836-39566-0x0000000010000000-0x000000001019F000-memory.dmp

Filesize
1.6MB

Download
memory/50836-39565-0x0000000000400000-0x0000000001F86000-memory.dmp

Filesize
27.5MB

Download
memory/50836-39562-0x0000000000400000-0x0000000001F86000-memory.dmp

Filesize
27.5MB

Download
memory/50836-39563-0x0000000000400000-0x0000000001F86000-memory.dmp

Filesize
27.5MB

Download
memory/50836-26428-0x0000000076E60000-0x0000000077075000-memory.dmp

Filesize
2.1MB

Download
memory/50836-39560-0x0000000000400000-0x0000000001F86000-memory.dmp

Filesize
27.5MB

Download
memory/50836-32369-0x00000000770B0000-0x000000007712A000-memory.dmp

Filesize
488KB

Download
memory/50836-30347-0x0000000076440000-0x00000000765E0000-memory.dmp

Filesize
1.6MB

Download