694b2199e4e6a5e8661b36995fdf6a3af99d2107e07f043349e4a5d85671f192

Analysis

max time kernel
117s
max time network
118s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2871cab28f5c78492ce34a47bfb25156_JaffaCakes118.exe
Size

8.2MB
MD5

2871cab28f5c78492ce34a47bfb25156
SHA1

88e622979025c35616e7f0a88a832fb18c14b2ae
SHA256

694b2199e4e6a5e8661b36995fdf6a3af99d2107e07f043349e4a5d85671f192
SHA512

649419536a0b29a41a95794c1355d020f13ab7ea51b45845719a47353e6cb932fd57e53f1e1925b630ea401d9054f7d71dd1693bf1bb1182b7dc6d430fd9e168
SSDEEP

196608:+YWvGxC9wm2KvzVrJutj6srWkzERANwJPu5VbmPQIqppjlq6Ci:v+wm2IzVrJut2srWsERdJP6Vb+QlCi

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
2276	Setup.exe
2740	IKernel.exe
1912	IKernel.exe
2928	iKernel.exe
2480	QPSTServer.exe
1276	QCNView.exe
1824	Download.exe
952	AtmnServer.exe

Loads dropped DLL 64 IoCs

pid	Process
2124	2871cab28f5c78492ce34a47bfb25156_JaffaCakes118.exe
2276	Setup.exe
2276	Setup.exe
2276	Setup.exe
2276	Setup.exe
2276	Setup.exe
2276	Setup.exe
2740	IKernel.exe
2740	IKernel.exe
2740	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
2928	iKernel.exe
2928	iKernel.exe
2928	iKernel.exe
1912	IKernel.exe
2276	Setup.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
2480	QPSTServer.exe
2480	QPSTServer.exe
2480	QPSTServer.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1912	IKernel.exe
1276	QCNView.exe
1276	QCNView.exe
1276	QCNView.exe
1912	IKernel.exe
1824	Download.exe
1824	Download.exe
1824	Download.exe
1912	IKernel.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\QPST\bin\ServiceProg.hlp	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\Automation Samples\offline.pl	IKernel.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll	IKernel.exe
File created	C:\Program Files (x86)\QPST\bin\Phon671c.rra	IKernel.exe
File created	C:\Program Files (x86)\QPST\bin\Serv67d7.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\DownloadAgentLib.dll	IKernel.exe
File created	C:\Program Files (x86)\QPST\bin\aprg6825.rra	IKernel.exe
File created	C:\Program Files (x86)\QPST\bin\Serv6864.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information	IKernel.exe
File created	C:\Program Files (x86)\QPST\bin\Rled68e1.rra	IKernel.exe
File created	C:\Program Files (x86)\QPST\bin\QPST699c.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\Automation Samples\obl_dwnld_gui.pl	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\FTM-RF-EVAL.HLP	IKernel.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{31228E31-2BFF-11D2-8866-00805F0D9D40}\Setup.exe	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\PhoneLib.dll	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\PhoneModelLib.dll	IKernel.exe
File created	C:\Program Files (x86)\QPST\bin\Phon67a9.rra	IKernel.exe
File created	C:\Program Files (x86)\QPST\bin\Atla67c8.rra	IKernel.exe
File created	C:\Program Files (x86)\QPST\bin\Conf67f7.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\FtmEval.exe	IKernel.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\corecomp.ini	IKernel.exe
File opened for modification	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\ctor.dll	IKernel.exe
File created	C:\Program Files (x86)\QPST\bin\Down6864.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\GANGIMAGE.HLP	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\Automation Samples\cefs.pl	IKernel.exe
File created	C:\Program Files (x86)\QPST\Automation Samples\soft69cb.rra	IKernel.exe
File created	C:\Program Files (x86)\InstallShield Installation Information\{31228E31-2BFF-11D2-8866-00805F0D9D40}\data66ce.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{31228E31-2BFF-11D2-8866-00805F0D9D40}\Setup.ini	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\ConfigAgentLib.dll	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\NPRG6800.hex	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\Download.cnt	IKernel.exe
File created	C:\Program Files (x86)\QPST\bin\NV D699c.rra	IKernel.exe
File created	C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\cored421.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\PhonePropLib5.dll	IKernel.exe
File created	C:\Program Files (x86)\QPST\bin\Down6816.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\EFSExplorer.cnt	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\Rleditor.hlp	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\Automation Samples\sendcommand.vbs	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\AtlasMarshal.dll	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\QPSTConfig.cnt	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\APRG6250.HEX	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\GangImage.CNT	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\QPSTProxyComponents.dll	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\Automation Samples\enumerate.vbs	IKernel.exe
File opened for modification	C:\Program Files (x86)\InstallShield Installation Information\{31228E31-2BFF-11D2-8866-00805F0D9D40}\data1.cab	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\ServiceProgAgentLib.dll	IKernel.exe
File created	C:\Program Files (x86)\QPST\bin\QPST67f7.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\aprg6500.hex	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\nprg6500.hex	IKernel.exe
File created	C:\Program Files (x86)\QPST\Automation Samples\prov69bb.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\Automation Samples\provisioning.vbs	IKernel.exe
File opened for modification	C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\corecomp.ini	IKernel.exe
File created	C:\Program Files (x86)\QPST\bin\Phon6789.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\SerialPortLib.dll	IKernel.exe
File created	C:\Program Files (x86)\QPST\bin\nprg6845.rra	IKernel.exe
File created	C:\Program Files (x86)\QPST\Automation Samples\Auto69ab.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\Automation Samples\enumerate.pl	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\armprg.hex	IKernel.exe
File created	C:\Program Files (x86)\QPST\bin\Serv6883.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\Scramp\Scramp.exe	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\PhoneMarshal.dll	IKernel.exe
File created	C:\Program Files (x86)\QPST\bin\Phon677a.rra	IKernel.exe
File opened for modification	C:\Program Files (x86)\QPST\bin\QPSTools2.ocx	IKernel.exe
File created	C:\Program Files (x86)\QPST\bin\FTM-693e.rra	IKernel.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Download.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AtmnServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IKernel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IKernel.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QPSTServer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QCNView.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2871cab28f5c78492ce34a47bfb25156_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iKernel.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{0714DC6A-E78B-11D2-886E-00805F85C790}\TypeLib\ = "{62E36B39-EE0A-11D3-BF96-0008C78F17BD}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhoneModelLib.AtlasModelNvIntfDisplayC.1\ = "AtlasModelNvIntfDisplayC Class"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AtlasUITools.QCMobModelTools.1\CLSID	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{73E704F6-EED3-11D3-A096-00805F9B0C38}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{84D9BC8A-DE1A-11D2-886E-00805F85C790}\ProxyStubClsid32	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{9B697780-DBBC-11D2-80C7-00104B1F6CEA}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhoneLib.AtlasEFSBackup\CurVer\ = "PhoneLib.AtlasEFSBackup.1"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62E36B25-EE0A-11d3-BF96-0008C78F17BD}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{40D3D365-2C53-11D4-B51C-0008C7D32C94}\TypeLib\ = "{62E36B39-EE0A-11D3-BF96-0008C78F17BD}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57378330-F37D-11d3-B518-0008C7D32C94}\InprocServer32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5737833B-F37D-11d3-B518-0008C7D32C94}\ = "AtlasModelNvIntfSecurityB Class"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57378341-F37D-11d3-B518-0008C7D32C94}\VersionIndependentProgID	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\TypeLib	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{4F3CA7C0-F243-4FB0-8785-AE65F609151A}\VersionIndependentProgID	QPSTServer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{73E70500-EED3-11D3-A096-00805F9B0C38}\1.0\HELPDIR	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{73E70488-EED3-11D3-A096-00805F9B0C38}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhoneModelLib.AtlasModelNvIntfDualBandCDMA	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57378339-F37D-11d3-B518-0008C7D32C94}\VersionIndependentProgID\ = "PhoneModelLib.AtlasModelNvIntfAlertsD"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{73E704C9-EED3-11D3-A096-00805F9B0C38}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62E36B1C-EE0A-11d3-BF96-0008C78F17BD}\VersionIndependentProgID\ = "PhonePropLib2.AtlasModelNvIntfRFCalRFR"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73E704E7-EED3-11d3-A096-00805F9B0C38}\MiscStatus\1\ = "131473"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AtlasUITools.QCMobModelTools\CurVer	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PhoneModelLib.AtlasModelNvIntfAlertsD.1\ = "AtlasModelNvIntfAlertsD Class"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Qualcomm.AtlasSerialPort\ = "AtlasSerialPort Class"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73E704B0-EED3-11d3-A096-00805F9B0C38}\VersionIndependentProgID\ = "Qualcomm.AtlasSerialPort"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{73E7047B-EED3-11D3-A096-00805F9B0C38}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{73E70482-EED3-11D3-A096-00805F9B0C38}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AF57A6F1-4101-11D3-88F6-00C04F72F303}\TypeLib\ = "{27D2CF3C-D5B0-11D2-8094-00104B1F9838}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{73E704E0-EED3-11D3-A096-00805F9B0C38}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{73E704E9-EED3-11D3-A096-00805F9B0C38}\TypeLib\Version = "1.0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73E704ED-EED3-11d3-A096-00805F9B0C38}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{8415DDF9-1C1D-11D3-889D-00C04F72F303}\TypeLib\Version = "1.0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{682C25C5-D7D9-11D2-80C5-00104B1F6CEA}\1.0\HELPDIR	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhoneModelLib.AtlasModelNvIntfQuadAmps.1\CLSID	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57378326-F37D-11d3-B518-0008C7D32C94}\ProgID\ = "PhoneModelLib.AtlasModelNvIntfSoundB.1"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhoneModelLib.AtlasModelNvIntfSoundC	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{57378319-F37D-11D3-B518-0008C7D32C94}\ProxyStubClsid32	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73E704EA-EED3-11d3-A096-00805F9B0C38}\Version	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{8C3C1B10-E59D-11D2-B40B-00A024B9DDDD}\ProxyStubClsid32	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{73E704F5-EED3-11D3-A096-00805F9B0C38}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{73E704EC-EED3-11D3-A096-00805F9B0C38}\TypeLib\ = "{73E704DE-EED3-11D3-A096-00805F9B0C38}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3D8B6331-D8B1-11D2-80C5-00104B1F6CEA}\ProxyStubClsid32	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{73E704A3-EED3-11D3-A096-00805F9B0C38}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhoneModelLib.AtlasModel3100Surf800.1\CLSID	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62E36B29-EE0A-11d3-BF96-0008C78F17BD}\InprocServer32\ThreadingModel = "Free"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{57378334-F37D-11d3-B518-0008C7D32C94}\TypeLib\ = "{57378320-F37D-11d3-B518-0008C7D32C94}"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{91814EC5-B5F0-11D2-80B9-00104B1F6CEA}\ = "ISetupComponents"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{2C265259-A161-11D5-B53A-0008C7D32C94}\ProgID\ = "PhoneModelLib.AtlasModel5200Surf.1"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62E36B27-EE0A-11d3-BF96-0008C78F17BD}\InprocServer32\ThreadingModel = "Free"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{5737833E-F37D-11d3-B518-0008C7D32C94}	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{73E7050C-EED3-11D3-A096-00805F9B0C38}	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Qualcomm.AtlasPhoneModPhoneInfo\ = "AtlasModPhoneInfo Class"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PhoneModelLib.AtlasModelNvIntfRWWLL\CLSID	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2C26525C-A161-11D5-B53A-0008C7D32C94}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE6115A1-7DE5-48DC-AD2A-25060E00FCE2}\TypeLib\Version = "1.0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{1F9922A2-F026-11D2-8822-00C04F72F303}\TypeLib	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7BB118F1-6D5B-470E-82D0-AFB042724560}\ = "ISetupReboot2"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{62E36B29-EE0A-11d3-BF96-0008C78F17BD}\ProgID\ = "PhoneModelLib.AtlasModelNvIntfDualPcsCDMA.1"	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{5737831A-F37D-11D3-B518-0008C7D32C94}\ = "IAtlasModelIntfSound"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2EB2EB74-F481-11D3-BF93-0008C78F17BD}\ProxyStubClsid32	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{2400DD87-0390-11D6-B546-0008C7D32C94}\TypeLib\Version = "1.0"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ATLASMFCCONTROLS.AtlasReportCtrl.1	IKernel.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3EE77D8B-40C1-4A2A-9B77-421907F02058}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	IKernel.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AA7E2060-CB55-11D2-8094-00104B1F9838}\TypeLib	IKernel.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	1276	QCNView.exe
Token: SeBackupPrivilege	1276	QCNView.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1276	QCNView.exe
1276	QCNView.exe
1824	Download.exe
952	AtmnServer.exe

Suspicious use of WriteProcessMemory 53 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2276	2124	2871cab28f5c78492ce34a47bfb25156_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2276	2124	2871cab28f5c78492ce34a47bfb25156_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2276	2124	2871cab28f5c78492ce34a47bfb25156_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2276	2124	2871cab28f5c78492ce34a47bfb25156_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2276	2124	2871cab28f5c78492ce34a47bfb25156_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2276	2124	2871cab28f5c78492ce34a47bfb25156_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2276	2124	2871cab28f5c78492ce34a47bfb25156_JaffaCakes118.exe	30
PID 2276 wrote to memory of 2740	2276	Setup.exe	31
PID 2276 wrote to memory of 2740	2276	Setup.exe	31
PID 2276 wrote to memory of 2740	2276	Setup.exe	31
PID 2276 wrote to memory of 2740	2276	Setup.exe	31
PID 2276 wrote to memory of 2740	2276	Setup.exe	31
PID 2276 wrote to memory of 2740	2276	Setup.exe	31
PID 2276 wrote to memory of 2740	2276	Setup.exe	31
PID 1912 wrote to memory of 2928	1912	IKernel.exe	33
PID 1912 wrote to memory of 2928	1912	IKernel.exe	33
PID 1912 wrote to memory of 2928	1912	IKernel.exe	33
PID 1912 wrote to memory of 2928	1912	IKernel.exe	33
PID 1912 wrote to memory of 2928	1912	IKernel.exe	33
PID 1912 wrote to memory of 2928	1912	IKernel.exe	33
PID 1912 wrote to memory of 2928	1912	IKernel.exe	33
PID 1912 wrote to memory of 2480	1912	IKernel.exe	35
PID 1912 wrote to memory of 2480	1912	IKernel.exe	35
PID 1912 wrote to memory of 2480	1912	IKernel.exe	35
PID 1912 wrote to memory of 2480	1912	IKernel.exe	35
PID 1912 wrote to memory of 2480	1912	IKernel.exe	35
PID 1912 wrote to memory of 2480	1912	IKernel.exe	35
PID 1912 wrote to memory of 2480	1912	IKernel.exe	35
PID 1912 wrote to memory of 1276	1912	IKernel.exe	36
PID 1912 wrote to memory of 1276	1912	IKernel.exe	36
PID 1912 wrote to memory of 1276	1912	IKernel.exe	36
PID 1912 wrote to memory of 1276	1912	IKernel.exe	36
PID 1912 wrote to memory of 1276	1912	IKernel.exe	36
PID 1912 wrote to memory of 1276	1912	IKernel.exe	36
PID 1912 wrote to memory of 1276	1912	IKernel.exe	36
PID 1912 wrote to memory of 1824	1912	IKernel.exe	37
PID 1912 wrote to memory of 1824	1912	IKernel.exe	37
PID 1912 wrote to memory of 1824	1912	IKernel.exe	37
PID 1912 wrote to memory of 1824	1912	IKernel.exe	37
PID 1912 wrote to memory of 1824	1912	IKernel.exe	37
PID 1912 wrote to memory of 1824	1912	IKernel.exe	37
PID 1912 wrote to memory of 1824	1912	IKernel.exe	37
PID 1912 wrote to memory of 952	1912	IKernel.exe	38
PID 1912 wrote to memory of 952	1912	IKernel.exe	38
PID 1912 wrote to memory of 952	1912	IKernel.exe	38
PID 1912 wrote to memory of 952	1912	IKernel.exe	38
PID 1912 wrote to memory of 952	1912	IKernel.exe	38
PID 1912 wrote to memory of 952	1912	IKernel.exe	38
PID 1912 wrote to memory of 952	1912	IKernel.exe	38
PID 1912 wrote to memory of 1592	1912	IKernel.exe	39
PID 1912 wrote to memory of 1592	1912	IKernel.exe	39
PID 1912 wrote to memory of 1592	1912	IKernel.exe	39
PID 1912 wrote to memory of 1592	1912	IKernel.exe	39

C:\Users\Admin\AppData\Local\Temp\2871cab28f5c78492ce34a47bfb25156_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2871cab28f5c78492ce34a47bfb25156_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\pftD155~tmp\Setup.exe
  "C:\Users\Admin\AppData\Local\Temp\pftD155~tmp\Setup.exe" /SMS
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
    "C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:2740

C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe
C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
  "C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2928
- C:\Program Files (x86)\QPST\bin\QPSTServer.exe
  "C:\Program Files (x86)\QPST\bin\QPSTServer.exe" /REGSERVER
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:2480
- C:\Program Files (x86)\QPST\bin\QCNView.exe
  "C:\Program Files (x86)\QPST\bin\QCNView.exe" -s
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:1276
- C:\Program Files (x86)\QPST\bin\Download.exe
  "C:\Program Files (x86)\QPST\bin\Download.exe" -RegServer
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1824
- C:\Program Files (x86)\QPST\bin\AtmnServer.exe
  "C:\Program Files (x86)\QPST\bin\AtmnServer.exe" /register
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:952
- C:\Windows\notepad.exe
  C:\Windows\notepad.exe "C:\Program Files (x86)\QPST\README.txt"
  2⤵
  PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\corecomp.ini

Filesize
27KB

MD5
62d5f9827d867eb3e4ab9e6b338348a1

SHA1
828e72f9c845b1c0865badaef40d63fb36447293

SHA256
5214789c08ee573e904990dcd29e9e03aaf5cf12e86fae368005fd8f4e371bd5

SHA512
b38bb74dc2e528c2a58a7d14a07bd1ecaaf55168b53afc8f4718f3bf5d6f8c8b922b98551a355ebb1009f23cff02fd8596413468993a43756c4de7dfed573732

Download Submit
C:\Program Files (x86)\QPST\bin\AtmnServer.exe

Filesize
44KB

MD5
c140f864593c8e67a31db1e475611750

SHA1
c656d8ccc09ce6f59c95cafe2224487862c45d5c

SHA256
e7a5f0256083f15cdcb85c3fcc1c2ec6dfc41accbf3224a6c8edee633c0ef453

SHA512
3a6cb748cc9c0367b9f1792cdda619ddf0af1e25dfa52b84c75323c12388b833c6ad50014e6aef80164102ed24c7a2e8ba36dfa7422942a3bf0eca2d40b20259

Download Submit
C:\Program Files (x86)\QPST\bin\BuildGangImage.exe

Filesize
60KB

MD5
81b1c06f1de291e9f1f94ae9e57ae5ec

SHA1
88c96260f16021ed988418cb9b66e87619fbdfa3

SHA256
4772510180ba3155575fd4188bc2724249d1c2b12c0ebe904615dcea2ebf633c

SHA512
d110df359c425bafe4138e7a346bb87460a095f2cc8f86fbd4cc7ffe00d7d894945abad1f431fdeae3338b264d6c00b04ec0d4ec064bba6107633b4987d87681

Download Submit
C:\Program Files (x86)\QPST\bin\ConfigAgentLib.dll

Filesize
84KB

MD5
59133a5d3d4eb78251af1a04386d883e

SHA1
7cd1facf8345f12d964e69d63f696f089a7855e4

SHA256
c4767879f965d4a6d6e06bacbbbdece057dea04a388792c9c02b366a9b69c44d

SHA512
bb76f98c48aaa9883d37df3fad1572c4db233cf513f4ae02ba88b68cf9d668543171f69c060c355ee1af2d1a662e017d63d1001b9d73d5462f99d6cd55dd0967

Download Submit
C:\Program Files (x86)\QPST\bin\DMProxyWin.exe

Filesize
68KB

MD5
0f660951adac238c97c494dc166533be

SHA1
fcee30316cd9f3ba8e981523723882dcb806cd55

SHA256
40f1ba79f7c9e18fbafb90fb3ace2aa4ee6a4b8840140bf0f68d8d1a7525954b

SHA512
bc70a00f4bb0c9d77a75e488ef90b93b37a4d9049d2324b432e77e5424b67b68b208f2efcc7e3556500d664fdcac8b02c031f98cdb1c470bf72c685c62ce794d

Download Submit
C:\Program Files (x86)\QPST\bin\Download.exe

Filesize
392KB

MD5
e5cc95e2b46c06730415aad1bfbbb550

SHA1
97c90715d8f41bc135c534e558a014ea6b3a431a

SHA256
4912449ba6e094ace06f1ebbf525005c9a640e06394eeac6e635c8a9c9bf7610

SHA512
2048ccc19981b78db6b9e11a11d7154473f7efdea16973a9f96718aebd3af72dc08eaacbf105fc9e1b014940231888824d64caceee44bbad588282bfeef7e8ad

Download Submit
C:\Program Files (x86)\QPST\bin\DownloadAgentLib.dll

Filesize
308KB

MD5
3de786a502341e4bee06a3ea017ffcdb

SHA1
d7af779c9126910e93140667e44723185d3450c4

SHA256
1a9a6b44b90d4e8beeb86f31ca7e264985c3ec62db15e16dbc3d9b5b13fd93fd

SHA512
9363cb5f1df1f61fd5aaa46c8dc1db0433eb65003b597853310f6f544453671d535f2e8b71f0f8e6381f32190c3275380aa9075cad56bf90d437a76a431f43fb

Download Submit
C:\Program Files (x86)\QPST\bin\EFSExpCtrl.ocx

Filesize
208KB

MD5
60cab7e60cf93a07add84aac3e4f0c23

SHA1
ff7a5a7ebdb1bee625f96bf0dff3f12e60c038d5

SHA256
22e804c5f67bd43a26a12f68bb8a2ff9caccf5e101e3159219e3ed8b0d3b3134

SHA512
a449a3022256feb999aa95b981cb79b1a494869a5c1624516d159c823ee00e7621ba3c2c744ba381afbd558e070316f5fc5beb660aa1c7c327002d5999c7d0f1

Download Submit
C:\Program Files (x86)\QPST\bin\EFSExplorer.exe

Filesize
96KB

MD5
352c50f3902ac1e72f6c252f5637243a

SHA1
fae86af9280f3d32eaf10b301baba38aeb1b6ff5

SHA256
4fe3067526709826727ae98684787664cb1c28265074594a756417b3d80f3501

SHA512
e83eaf10806a9859da00001ef3985271ad066210b5375c761067006f524a3fe1849773926d28752475ee087790559f2b9f212634ba1742cc1dd030aeaaa3f5f0

Download Submit
C:\Program Files (x86)\QPST\bin\FtmEval.exe

Filesize
916KB

MD5
9be53a59247522d45952ba605462635b

SHA1
913e8e1400e4a5c4adbc67bf9fa7e503fba82ed6

SHA256
984db22c0b22f3513d6b0c76025327539b439a402ff604a8c94783a31466ac26

SHA512
6e1406c1c840c9f924e9b52c70d6f1c1dd820d13f457dcf51a230e4a5b5d6f7e1abf58f66dfd8303ad4d6316009d572d0e9757bf76d1845b3ed757ed5ecacf09

Download Submit
C:\Program Files (x86)\QPST\bin\NPRG6800.hex

Filesize
50KB

MD5
ddbb77ced58b9cd37d057e1322e2ab66

SHA1
c027bd4b0dcd085dcb8ed5b05ca007b2dde8c826

SHA256
0245563ae68499215b08f7a0b2e227e9fda14fb3b1651bb1b785a26b4ff26869

SHA512
74bbbfbee7dc8a6f72f5fddb4a00494267335a6518e541ee41cd8d190c07f9295fd71f3c6c9c1f1bb5700ab3232293148ad789ebcda2530d6fdc811afbd206d2

Download Submit
C:\Program Files (x86)\QPST\bin\PhonePropLib1.dll

Filesize
32KB

MD5
1165595c54129cfd8da2755bc1e0ca9c

SHA1
08bed2f7d11d65d83c57964a76f4428f3705ea87

SHA256
8c1215d179bae0efe362d26820844a0680a7a809740d91aa030ef6b27318dd89

SHA512
009df50ec5864fee3c3095abdaa606e7eafbcf185d75b864fb72a3ac2f75e7b69e83668011bbd868c241644938346dfc03bb24a23725e3db636451327fd3c04a

Download Submit
C:\Program Files (x86)\QPST\bin\PhonePropLib2.dll

Filesize
128KB

MD5
79cc9433f042d9e57fd12cd4ec2db632

SHA1
3b90ddecb61d0b47f3c7e3a67af3205aecf5379f

SHA256
f40dc2616011fbee1ab572244a784f0019c76ad8047a6207534fbb43cf437146

SHA512
d81fd9eea6f3f74e29d5fa1bedef08a2452cd2b31df52243f0be8b43dff9cfd6b339c2a974589d8f20932f83ebc1200a96bd2a4b943ed249648cab01f9964d78

Download Submit
C:\Program Files (x86)\QPST\bin\QCNView.exe

Filesize
176KB

MD5
c185c86f9c83689fabcf6463e8937229

SHA1
836472e7c4310d481d990fc049f3dbb7a2fc3465

SHA256
8041aa9787da3f6326711dbbebdc5ac1f5c3a1fcd5d677d73a9950a456077c28

SHA512
9bbf44b538103561a73c78c74af13808a39d4df6d4c8161f406bf8e4c02eca136759859874a438f99af1371b939c3e70270b2d1d2b92b7ba94a6f06458fb8981

Download Submit
C:\Program Files (x86)\QPST\bin\QPSTConfig.exe

Filesize
68KB

MD5
b396370a69e26ae18e88c60081fa7166

SHA1
c5b59a8ac61633433ba5137d765888f3b1e1cea4

SHA256
c486e9072eb8d69c9dad25ac37e9ddddd721bd4717434f6db1cf5af4b595a826

SHA512
6b92825cf40dd636c4142115bdcbbc23c54bc63f2a24cfe7e26b76894775ba25483811412b06dea561ef295c249188aa456573603295ba9d3964d4a9b837e87b

Download Submit
C:\Program Files (x86)\QPST\bin\QPSTProxyComponents.dll

Filesize
216KB

MD5
6e89750675223eb1d827bd2edc2f35b6

SHA1
0083c775663b616ffd3f7e52dc12d6aa77fdb384

SHA256
ef41f86881374f875eca6d01e3cca18b3bce59041653249ead0d854ebf76c7ab

SHA512
bbdf5d0da8764e4b4e1c6c9890eeb689fbc69c7584734a41808d351b26080b3a3ac5ea8b4d20c0a37c8d2e3611ae57480641df702741a42484c425dcf830502d

Download Submit
C:\Program Files (x86)\QPST\bin\RLEditor.exe

Filesize
324KB

MD5
14f5663670667297a92d2c15bd77b80f

SHA1
acbfe7df27e5b30a64d2d8563de89d15c25e1320

SHA256
f77f00db259e7db81bdb36cc7b5493e0599000ec12afc7f283037e8e1d5a4898

SHA512
1596abaaf457b6ada69b9b91400c719e8dd175289d9de13835a2e0bf90579f852e865b4976565fc78a4f5c67d2967da37fcb838d711fc68162265feb90e76db8

Download Submit
C:\Program Files (x86)\QPST\bin\ServiceProg.exe

Filesize
1.5MB

MD5
68d5a8cb461683e7e0feeca374865098

SHA1
05080f97e170819ab5b4caf26cef77fca4a20dc2

SHA256
d60dff8ba7fbdb4ed732ddf18b30bf22c6d97d74dbe50ba9b4ef1680ebbe7b7e

SHA512
872a7580e44951fcab7326c4ec776789ab4e802437e3de73249aa957f250ed402ef427f5ae2bdc1e906c087619158512cd9b2238b523dce17690de02d6312e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\IECD25C.tmp

Filesize
338KB

MD5
93b63f516482715a784bbec3a0bf5f3a

SHA1
2478feca446576c33e96e708256d4c6c33e3fa68

SHA256
fbf95719b956b548b947436e29feb18bb884e01f75ae31b05c030ebd76605249

SHA512
2c8f29dda748e21231ab8c30c7a57735104b786120bb392eb1c20a320f2dddde392d136fd0c70853bb9af851bbe47df2955d8f9d5973b64870ac90bd12d2dd70

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD155~tmp\data1.cab

Filesize
464KB

MD5
b75081d7364028e31ca693443b644ad7

SHA1
2bcbe0cd2dcbb947b03b24fcc86195bac64a5776

SHA256
9a30b3a875b2a240657b49a3dc18be53989142436d3a8d984f94fcdb699c87a6

SHA512
7dce995174088a7e2fa88212b15377c547b3c35076bb23da236d937096d36c96845e53dfd801b8a06bc816ddbfb5c2c7a1abe257dcaea79647f79b60cc8cee1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD155~tmp\data2.cab

Filesize
5.6MB

MD5
afa8b3506509adff29dc26f160515698

SHA1
86f621f0df60f1a2b7a49d6a2fae38c5d57949da

SHA256
4dab543122d8630d3562fb8b237dfb38db0693d70b72c4c440f0ed90383990cb

SHA512
d368588f7fed7e7fa62bdb28949e14d3cd88538549e7da415af53d9e7d69d3902e77f1d5c56c1beab1515d7b89ef1efd9c5da7921cf7342df251f693e2044ad9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD155~tmp\layout.bin

Filesize
435B

MD5
142779ce42aaa218b2f1a5b00893e21e

SHA1
afb3ab12b274c46680caf3a085308b1deadeed22

SHA256
abcef5e37fb70a9a726d5c3cd9d54cd785574cd206ab8288defc1be3edd4e3aa

SHA512
0dcfad51ffa5e1fe953325f60e1ac4699752ad5b1a40824e42f56df8a3f50189064ceb22d44e644a06a5d641dd2f70b2fad168c2a19f92a4beadfc9f1de35e47

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD155~tmp\pftw1.pkg

Filesize
8.1MB

MD5
b3b6d61f857afdcfec8d50db05022f7a

SHA1
bb80d97e870042c4f088588f6d5b821012c5da57

SHA256
1e884ae40e246d5ad2f38cce29236b060a501513d8a3563672a080201c900fed

SHA512
1c331fd5cc2647d9785de951924ce4d3099b297e1489296a770b58dfeaacb4e6474b17d6823597678f6ecb766401914ec2a67488cbd51a25448c5f3601260d53

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD155~tmp\setup.bmp

Filesize
322KB

MD5
c86a5c90a3a55f6ef8c20469834a608c

SHA1
a9edbf714ecff7fa697a9bab541afc8bd293f356

SHA256
ef0b58cf267af80bda94a6b0a7acbfbe30c6158b683133178f9e7f82f411de37

SHA512
5b3148dc3572c102f06fc37c45ddd8994e995fb9934a018ab537b81ecb5645a14a1e9c661407e92f86918c1f05d250d9f777a7866ab3f747a51b78ce3066100e

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD155~tmp\setup.ini

Filesize
93B

MD5
d5fb577d24f384160882e2ceec3b2c74

SHA1
6179bc1340274405725eb4db8f537f0edd8cdbbf

SHA256
12d8391db61d34e60245e7e97398420edb289bc897fd51392be0ecff62f16ec4

SHA512
f37b31700326e52b2a835b968bcf44dd966a4451c37e59e5e8481bb981299d0cad954f039ec587d851665d00218a9bce2b118bdd959a0cfd4288b3b89a52a436

Download Submit
C:\Users\Admin\AppData\Local\Temp\pftD155~tmp\setup.inx

Filesize
173KB

MD5
9a7b5146dfe59634de3b3bfd09475e8b

SHA1
fae23e083cec361000ca693c3dfcb6362cd3f47b

SHA256
5263dec2f328c1b17278e03a0160015a690e10bd7d03ded5eb638c94c832cf7b

SHA512
3a5853f30a4bd9bd0d87a99461f05e543f49eb08cd2ef47d18eee6f92131131f9d0c40ae668ff5f94faef3af656e34070880982333ae13e4101896eae02f8210

Download Submit
C:\Users\Admin\AppData\Local\Temp\plfD134.tmp

Filesize
4KB

MD5
19a2283172165182d05bbd5745372f62

SHA1
4cd50813878acf10fd5164c814d0692280c773e1

SHA256
379addfc2e4a0309ec0526507d564fc79eeb6635963c0e84f10cb8b103036c54

SHA512
b14f8f6efcc6d3395ab41c5eab22a2c1201f760627f40929e8575aa9c16092ace0370f4248e9b6a7ef2cf74ae53d4e9e5f8cb42253fe0a5b2c61a4bce72abeb5

Download Submit
\??\c:\users\admin\appdata\local\temp\pftd155~tmp\data1.hdr

Filesize
32KB

MD5
489fb865cd9ad1e0e146216120b1f1c7

SHA1
31f1a9a0e4c7395d22c1c45495ab3037d67a9e9a

SHA256
e34de7ed5aa4899da2f713234750281e16c8d04376ad502d40621af075d9f144

SHA512
e9d6f493440288ba006de53b9b45f3b6a9889742462ae85c7949ee3fe4373e3200624227b6e63ce42a12fc160906a5f5c166b58ff1dbf8ee091b19e6046e2df8

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll

Filesize
76KB

MD5
003a6c011aac993bcde8c860988ce49b

SHA1
6d39d650dfa5ded45c4e0cb17b986893061104a7

SHA256
590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a

SHA512
032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll

Filesize
172KB

MD5
377765fd4de3912c0f814ee9f182feda

SHA1
a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1

SHA256
8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb

SHA512
31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710

Download Submit
\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll

Filesize
32KB

MD5
8f02b204853939f8aefe6b07b283be9a

SHA1
c161b9374e67d5fa3066ea03fc861cc0023eb3cc

SHA256
32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998

SHA512
8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

Download Submit
\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll

Filesize
220KB

MD5
b2f7e6dc7e4aae3147fbfc74a2ddb365

SHA1
716301112706e93f85977d79f0e8f18f17fb32a7

SHA256
4f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1

SHA512
e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83

Download Submit
\Program Files (x86)\QPST\bin\AtlasMarshal.dll

Filesize
40KB

MD5
38ed36c97ff37edcbeca2f6761a30602

SHA1
d09af3a6369ff75ff1abb2fc029dc0b60407ce33

SHA256
98c7cdca198253015255aa2db8e225f67dcc6b5a49d8cd30e86e5c125e9fa617

SHA512
3a9d6d24aac2109c6a367d6621a52b0dd192dad2e0630cc43001fb46beb0e18657bdb7d3c829e873724c1c3b7485722c36830eebc4b0c465cbc9bdc222087c91

Download Submit
\Program Files (x86)\QPST\bin\PhoneLib.dll

Filesize
404KB

MD5
0eaad95c4f04ff84e49806e624dd9c3d

SHA1
dcdb33cab9214fae6e99fe51f9b2ee96297cf128

SHA256
98e7bc2b5c6a2bdc330270934d7e4fcd3ca7cfbcb2614d54cf43f8c5fa838a7b

SHA512
3d64288af2c5360e3e8a65d8a769ea785112538fafe7c4f89d97cf43926ff0b9dc9718ed78b633274d6f25cf70a36309a7570563baeecc3ffd468ff971f7ac2c

Download Submit
\Program Files (x86)\QPST\bin\PhoneMarshal.dll

Filesize
32KB

MD5
bbaeef64ee36197357ae0da4b7b0fe24

SHA1
ccd7d69531b9b36235125cf3d6b4cc4778b1e7b5

SHA256
030a22d344e48c855103a4d7b55cb01199b8724ba466faa8333273b33641800c

SHA512
bd49f855fd5aed4ed28f1dab17f681f60ec01dbaf4c8ac7db55d6b8517c78195e34a28b2d2b3691205b4d36ed2c8c20bea06ec8d18a306ab3a11080cf5d7e9dc

Download Submit
\Program Files (x86)\QPST\bin\PhoneModelLib.dll

Filesize
928KB

MD5
4d665a26ac857b03b14cf54d72db4046

SHA1
852632775f634ffe16440ed291b777905f013766

SHA256
79340d7816bb539be2ed853552f41f12cd2bda5ee96f05790bbaf1ef4b9e17bf

SHA512
0e15b1f1d28a53b7b8fb1d681f6adad93eb130596d0e3e095d2309f8ae8fa249e29f52ff6b4dcbbae348c1ed68b10355fbc57441383d0354550f6a57d6216ae0

Download Submit
\Program Files (x86)\QPST\bin\PhonePropLib3.dll

Filesize
496KB

MD5
a8dc61edac5d56c80bf2947375bcffbc

SHA1
5ff7f2a02cfbccb05791125f17c8a78df787d7f1

SHA256
a52cc30e1268a03b1b493115fd3d1d790e9ed9d10d6d6deb796d679a77bee0c7

SHA512
2ae5bdc7e08e9871e44a628119a7307b7298d1587a102f18f6ed01e2ebec864f97342b128e6dd4d392050cb4a17ed9d8fc942f805cb0785027bc7c112e25d70e

Download Submit
\Program Files (x86)\QPST\bin\PhonePropLib4.dll

Filesize
476KB

MD5
0f3f85e0fdb274679a674ad25ec16491

SHA1
cb024ec87a825e838776659e19b28d7815c59d47

SHA256
3d3faa5e6dd544fba03c7504dd69f8f9dfc0106256f3b7bc78f89288d8e4a50c

SHA512
c638c148df11d380dc3cb85b492a6c1e722965552aa000cdd9529faeaa0d175550593512ca1449b55208880e454d7bce613ce816e49fbf569a47b2ae8eec1679

Download Submit
\Program Files (x86)\QPST\bin\PhonePropLib5.dll

Filesize
96KB

MD5
957bc44b0288175939a0ca9139bcd61c

SHA1
55c5bc44ce20a5fe7533fe3a5af0d20706c822c4

SHA256
30516b0eae1045c1ba0b450a5754a4516703e59bb159a6743ec0d6e38346fa6a

SHA512
44a34ed94dc3be1179ac9e8738b5ae9ec21876d850ff07597a32b249d162def749939f365d0c9b3056962541f7e1fb03f5e704cd2de59b7f36151639cdc323af

Download Submit
\Program Files (x86)\QPST\bin\QPSTServer.exe

Filesize
644KB

MD5
acfa420338cde9e6e7376505bb9e22fc

SHA1
ee9697868bb3f572f592d2fb0a4b48f9e4b09843

SHA256
61051492505104af543f4fe1e73b7f6d2cec9a34b931de0229afd230c167dba3

SHA512
c72b0f6a9b54f2fcebbb520ef36139210ff743595f9e57a238bd2cac2f49b8f9541b6bf5e42ac40b675f026453891e7fbc496fdfa6464623021a05d0e8a1d0c8

Download Submit
\Program Files (x86)\QPST\bin\QPSTools.dll

Filesize
596KB

MD5
8730d0ff18309f3d08979eb545b1b653

SHA1
4cfff9eac3253012cd9eb5ead870888336253db1

SHA256
feabfd32a5376e9633c18987663d32ebd1286bbe079c5ad2f26b59b166a6490e

SHA512
c7fa4ec53f42cc1b73f2170f0e5b4c1a01213db197c6f33b5de5a04a8b86d7e161cf4112954baac7ebd32ef2582777a384f6b743a0647db2449a1f40aff4bbd2

Download Submit
\Program Files (x86)\QPST\bin\QPSTools2.ocx

Filesize
48KB

MD5
0876863212439a2ac51d73e5d6881b96

SHA1
50f896f24437672e75d208f0d49258b21d0fd2c7

SHA256
bafbeaf8bb43c8634c11d27e918ffe8deac8f7856aa45656f198d1297a0b7ac7

SHA512
265c08df20480016bdca1a3c1be1a0f601a940e4f33e44f802cd0f9006e950d4326a2871f5a81084c5e6115b0e0ca9930e3cebff13fc48a780742761ee2f6cdf

Download Submit
\Program Files (x86)\QPST\bin\SerialPortLib.dll

Filesize
300KB

MD5
56e0dd2ad31a457c13a26bab211b140a

SHA1
4c1fec69b775ce66760208fc56a5514384747960

SHA256
df2caec15fdf00a6e9176517246f626b1d440b0758d2a62bec425e950ed89794

SHA512
81a0c6e67bcd52b9bb50b86c94e1ea8be1ed8294419796585a77080e05d3924bd687e38762886a757f1ea1ebfec6a8afb7fc8d19cda38e29fb39634b6f1811d1

Download Submit
\Program Files (x86)\QPST\bin\ServiceProgAgentLib.dll

Filesize
104KB

MD5
e0ddf6de8ea1ab59f72c35a28c588693

SHA1
3c5551b08ba968006205494b8d01c27b9a7b3798

SHA256
0cc45b3d819dd81779195f79be6824018e283a8fceae68b91e9276a117157bc5

SHA512
ff0a07c5037fdcb18a1dfd2f0c7fcf9be615259a7ed3e1da16474dfbefe707b79c5416eab630d1f60ee878bbad4ff9b0b23dec596318e483ec1ec502f978dc21

Download Submit
\Users\Admin\AppData\Local\Temp\IEUD25D.tmp

Filesize
600KB

MD5
b3fd01873bd5fd163ab465779271c58f

SHA1
e1ff9981a09ab025d69ac891bfc931a776294d4d

SHA256
985eb55ecb750da812876b8569d5f1999a30a24bcc54f9bab4d3fc44dfedb931

SHA512
6674ab1d65da9892b7dd2fd37f300e087f58239262d44505b53379c676fd16da5443d2292aeaae01d3e6c40960b12f9cac651418c827d2a33c29a6cdf874be43

Download Submit
\Users\Admin\AppData\Local\Temp\pftD155~tmp\Setup.exe

Filesize
53KB

MD5
d765793f5d803673d1b4b5586e8fd66c

SHA1
0882a9b627ca6caaed8daf756754b8d336714e52

SHA256
83616018bd22f9dc52d0f560e6ea3fb8a3f0049870aa636e7620bbf303c4a41a

SHA512
1818472c926ad5ba2bf11d75a2e92bf5074120af0fab38142894321d1d9c17b485f0d82a66d9d863a7ed2d5770b3c66cb4b6cb4ad605438e824c77805ae54073

Download Submit
\Users\Admin\AppData\Local\Temp\{31228e31-2bff-11d2-8866-00805f0d9d40}\_IsRes.dll

Filesize
212KB

MD5
37554142e54a38de6d2142ba80353f0f

SHA1
6fb0102aa862674169cb7f506ee185ad5299ff19

SHA256
0888d2a696ca222ebc35641502548e5b79b55c9f7c094466a1a52d9d4d429a64

SHA512
1b3c16d792993569999e0e8271daa4165e29400942e21bcd73423c8d517144aa487d906ef593c7bc67c5877ba3fc098f25386170ddebedf8156f87adc947b181

Download Submit
\Users\Admin\AppData\Local\Temp\{31228e31-2bff-11d2-8866-00805f0d9d40}\isrt.dll

Filesize
316KB

MD5
ecaf7e06e2bc2c86191a067b0d791550

SHA1
48f4707a62b8b3600682c34ded75706dd1241554

SHA256
589ff69d2aecfdd83bdd5a420bed5d3c6c4a51b970a9462b5819fa7edffcf547

SHA512
022b0b0d5bcfadf51a96f47625f1fe276936559998189d48a1b05262291d22fa1144b2d5bb459e04361f6e8f748738e6acb129ec07f0daabc0dadc665a6601d1

Download Submit
memory/1912-503-0x0000000003CF0000-0x0000000003D09000-memory.dmp

Filesize
100KB

Download
memory/1912-540-0x0000000003CF0000-0x0000000003D27000-memory.dmp

Filesize
220KB

Download
memory/1912-536-0x0000000003CF0000-0x0000000003D25000-memory.dmp

Filesize
212KB

Download
memory/1912-498-0x0000000004730000-0x00000000047A8000-memory.dmp

Filesize
480KB

Download
memory/1912-493-0x0000000004730000-0x00000000047AD000-memory.dmp

Filesize
500KB

Download
memory/1912-489-0x0000000003CF0000-0x0000000003D11000-memory.dmp

Filesize
132KB

Download
memory/1912-176-0x0000000003390000-0x00000000033E2000-memory.dmp

Filesize
328KB

Download
memory/1912-180-0x0000000000770000-0x000000000079C000-memory.dmp

Filesize
176KB

Download
memory/1912-171-0x0000000000BA0000-0x0000000000BD8000-memory.dmp

Filesize
224KB

Download
memory/1912-168-0x00000000006C0000-0x00000000006D3000-memory.dmp

Filesize
76KB

Download