Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-10-2024 16:14

General

  • Target

    63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe

  • Size

    7.0MB

  • MD5

    80fc186d5e0d36d61aa30e7806847b37

  • SHA1

    dbfb171d5774306ff5437bdf11405c2d09771b76

  • SHA256

    63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219

  • SHA512

    6e9f7077de1da76e05dff833bd6d8f7558441df91db9bddbe339afad4271a76745618337631ef76b22ba47e81f55c8bfb7e1a941a5aa314043286edbef83e622

  • SSDEEP

    196608:2KXbeO7G9Ghf7Ejo+xyvsLD26vhn2IGJ3:b7GEhio0yI265GJ3

Malware Config

Signatures

  • Detect PurpleFox Rootkit 12 IoCs

    Detect PurpleFox Rootkit.

  • Gh0st RAT payload 12 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • PurpleFox

    PurpleFox is an exploit kit, first seen in 2018, that is used to distribute other malware families.

  • Drops file in Drivers directory 2 IoCs
  • Server Software Component: Terminal Services DLL 1 TTPs 3 IoCs
  • Sets service image path in registry 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 29 IoCs
  • Loads dropped DLL 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 13 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 35 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • NSIS installer 4 IoCs
  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 8 IoCs
  • Modifies registry class 34 IoCs
  • Runs ping.exe 1 TTPs 4 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
    "C:\Users\Admin\AppData\Local\Temp\63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Users\Admin\AppData\Local\Temp\R.exe
      C:\Users\Admin\AppData\Local\Temp\\R.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      PID:1984
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 448
        3⤵
        • Program crash
        PID:4892
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 1984 -s 388
        3⤵
        • Program crash
        PID:1368
    • C:\Users\Admin\AppData\Local\Temp\N.exe
      C:\Users\Admin\AppData\Local\Temp\\N.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3676
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Suspicious use of WriteProcessMemory
        PID:3476
        • C:\Windows\SysWOW64\PING.EXE
          ping -n 2 127.0.0.1
          4⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:4580
    • C:\Users\Admin\AppData\Local\Temp\HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
      C:\Users\Admin\AppData\Local\Temp\HD_63987b3405748d059a28a07f7a5e24f7fad1c6bbfcfce507b7c0aea651f02219.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2668
      • C:\Users\Admin\AppData\Local\Temp\Temp\IK_Multimedia_Keygen.exe
        "C:\Users\Admin\AppData\Local\Temp\Temp\IK_Multimedia_Keygen.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2548
        • C:\Users\Admin\AppData\Local\Temp\._cache_IK_Multimedia_Keygen.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_IK_Multimedia_Keygen.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4448
          • C:\Users\Admin\AppData\Local\Temp\R.exe
            C:\Users\Admin\AppData\Local\Temp\\R.exe
            5⤵
            • Server Software Component: Terminal Services DLL
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            PID:4984
          • C:\Users\Admin\AppData\Local\Temp\N.exe
            C:\Users\Admin\AppData\Local\Temp\\N.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2424
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              • Suspicious use of WriteProcessMemory
              PID:3924
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 2 127.0.0.1
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4980
          • C:\Users\Admin\AppData\Local\Temp\HD_._cache_IK_Multimedia_Keygen.exe
            C:\Users\Admin\AppData\Local\Temp\HD_._cache_IK_Multimedia_Keygen.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1920
            • C:\Users\Admin\AppData\Local\Temp\keygen.exe
              C:\Users\Admin\AppData\Local\Temp\keygen.exe
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:4580
        • C:\ProgramData\Synaptics\Synaptics.exe
          "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:3288
          • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
            "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            PID:1512
            • C:\Users\Admin\AppData\Local\Temp\R.exe
              C:\Users\Admin\AppData\Local\Temp\\R.exe
              6⤵
              • Server Software Component: Terminal Services DLL
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              PID:4388
            • C:\Users\Admin\AppData\Local\Temp\N.exe
              C:\Users\Admin\AppData\Local\Temp\\N.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of AdjustPrivilegeToken
              PID:4172
              • C:\Windows\SysWOW64\cmd.exe
                C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\N.exe > nul
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                PID:1664
                • C:\Windows\SysWOW64\PING.EXE
                  ping -n 2 127.0.0.1
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • System Network Configuration Discovery: Internet Connection Discovery
                  • Runs ping.exe
                  PID:4180
            • C:\Users\Admin\AppData\Local\Temp\HD_._cache_Synaptics.exe
              C:\Users\Admin\AppData\Local\Temp\HD_._cache_Synaptics.exe
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3836
              • C:\Users\Admin\AppData\Local\Temp\keygen.exe
                C:\Users\Admin\AppData\Local\Temp\keygen.exe
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Modifies registry class
                • Suspicious use of SetWindowsHookEx
                PID:4184
      • C:\Users\Admin\AppData\Local\Temp\Temp\S.exe
        "C:\Users\Admin\AppData\Local\Temp\Temp\S.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3244
        • C:\Users\Admin\AppData\Local\Temp\._cache_S.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_S.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:664
          • C:\Users\Admin\AppData\Local\Temp\R.exe
            C:\Users\Admin\AppData\Local\Temp\\R.exe
            5⤵
            • Server Software Component: Terminal Services DLL
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            PID:1104
          • C:\Users\Admin\AppData\Local\Temp\N.exe
            C:\Users\Admin\AppData\Local\Temp\\N.exe
            5⤵
            • Executes dropped EXE
            PID:1424
          • C:\Users\Admin\AppData\Local\Temp\HD_._cache_S.exe
            C:\Users\Admin\AppData\Local\Temp\HD_._cache_S.exe
            5⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3116
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\Users\Admin\AppData\Local\Temp\HD__CA~2.EXE > nul
              6⤵
              • System Location Discovery: System Language Discovery
              • System Network Configuration Discovery: Internet Connection Discovery
              PID:2976
              • C:\Windows\SysWOW64\PING.EXE
                ping -n 2 127.0.0.1
                7⤵
                • System Location Discovery: System Language Discovery
                • System Network Configuration Discovery: Internet Connection Discovery
                • Runs ping.exe
                PID:4316
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1984 -ip 1984
    1⤵
    PID:3604
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 1984 -ip 1984
    1⤵
    PID:1892
  • C:\Windows\SysWOW64\TXPlatfor.exe
    C:\Windows\SysWOW64\TXPlatfor.exe -auto
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\Windows\SysWOW64\TXPlatfor.exe
      C:\Windows\SysWOW64\TXPlatfor.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:4612
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k "Remote Data"
    1⤵
    • Loads dropped DLL
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    PID:4976
    • C:\Windows\SysWOW64\Remote Data.exe
      "C:\Windows\system32\Remote Data.exe" "c:\windows\system32\240611781.txt",MainThread
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4980
  • C:\Windows\SysWOW64\TXPlatfor.exe
    C:\Windows\SysWOW64\TXPlatfor.exe -auto
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Windows\SysWOW64\TXPlatfor.exe
      C:\Windows\SysWOW64\TXPlatfor.exe -acsi
      2⤵
      • Executes dropped EXE
      PID:3000
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x4f0 0x4d8
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1028
  • C:\Windows\SysWOW64\sainbox.exe
    C:\Windows\SysWOW64\sainbox.exe -auto
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:3664
    • C:\Windows\SysWOW64\sainbox.exe
      C:\Windows\SysWOW64\sainbox.exe -acsi
      2⤵
      • Drops file in Drivers directory
      • Sets service image path in registry
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: LoadsDriver
      • Suspicious use of AdjustPrivilegeToken
      PID:4080
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4576
  • C:\Windows\SysWOW64\TXPlatfor.exe
    C:\Windows\SysWOW64\TXPlatfor.exe -auto
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:1616
    • C:\Windows\SysWOW64\TXPlatfor.exe
      C:\Windows\SysWOW64\TXPlatfor.exe -acsi
      2⤵
      • Executes dropped EXE
      PID:3872

Network

MITRE ATT&CK Enterprise v15

Downloads
