banload | 7f0005d39580ba537d4f9581b47c28adf132a6586d62881a62cd56fa1b24ab27

Analysis

max time kernel
190s
max time network
96s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
02-11-2024 17:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RPGXP_E.exe
Size

27.2MB
MD5

4db4691a4f71af97b109b11ee2c70ec9
SHA1

ba5eaa22936505df35a10319dbce60ed6e873383
SHA256

7f0005d39580ba537d4f9581b47c28adf132a6586d62881a62cd56fa1b24ab27
SHA512

2688575f993dd7c2b0bff1634465149103412032bc882d09ccd492033ec94b27c84e4a1655118264728fea358969504ff748a8e6fe73dd313789f2a2d142f15a
SSDEEP

786432:F6HKbIBBYy9IMhfpNIubCq9iS2wvX1RA6rxiShm0RML1P:+iI3/9IM6uejAX1RUShT

Score

10^/10

banload discovery downloader dropper trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload
Banload family
banload

Checks BIOS information in registry 2 TTPs 6 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RPGXP.exeRPGXP.exeRPGXP.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RPGXP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	RPGXP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RPGXP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	RPGXP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RPGXP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	RPGXP.exe

Executes dropped EXE 6 IoCs

Processes:

RPGXP_E.tmpxp_rtp104e.exexp_rtp104e.tmpRPGXP.exeRPGXP.exeRPGXP.exe

pid	Process
2932	RPGXP_E.tmp
2572	xp_rtp104e.exe
4828	xp_rtp104e.tmp
784	RPGXP.exe
4116	RPGXP.exe
2952	RPGXP.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

Processes:

GameBarPresenceWriter.exe

pid	Process
2772	GameBarPresenceWriter.exe

Drops file in System32 directory 6 IoCs

Processes:

xp_rtp104e.tmp

description	ioc	Process
File created	C:\Windows\SysWOW64\is-J11OQ.tmp	xp_rtp104e.tmp
File created	C:\Windows\SysWOW64\is-3JDR9.tmp	xp_rtp104e.tmp
File created	C:\Windows\SysWOW64\is-1FACS.tmp	xp_rtp104e.tmp
File created	C:\Windows\SysWOW64\is-781V1.tmp	xp_rtp104e.tmp
File created	C:\Windows\SysWOW64\is-T8BT1.tmp	xp_rtp104e.tmp
File created	C:\Windows\SysWOW64\is-KCA3A.tmp	xp_rtp104e.tmp

Drops file in Program Files directory 64 IoCs

Processes:

xp_rtp104e.tmpRPGXP_E.tmp

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlebacks\is-N4IR4.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-JRFJR.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlebacks\is-0252R.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-97BE5.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Autotiles\is-O7IGT.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlers\is-POLPI.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlers\is-87E10.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\Data\is-OLOA9.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Autotiles\is-CRII6.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-2HIC0.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlers\is-99RAO.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Characters\is-3SJ6P.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-3B7P0.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Autotiles\is-CR7HF.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlebacks\is-S67HO.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Characters\is-7JVJ7.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\drm\is-U45EG.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-3LJOT.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlers\is-TQ1EJ.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlers\is-G4RNS.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Characters\is-8VI7F.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-V2DC1.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-OKE9G.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-3OCP9.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Animations\is-CMO35.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlebacks\is-0J52D.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Characters\is-50MO9.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Characters\is-8UBB8.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Gameovers\is-C8OMA.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-GQP2J.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Autotiles\is-9P9H9.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlebacks\is-OGGMT.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Characters\is-1P2I2.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-63U4A.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-8QR9K.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Transitions\is-M0U75.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\BGM\is-HKES3.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Autotiles\is-SB112.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlebacks\is-64HAU.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Autotiles\is-A5LLR.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\BGM\is-NNJ8N.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\BGS\is-UGJ29.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-AIP1L.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Characters\is-3M3AF.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Characters\is-3KKSR.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\Data\is-DC09S.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Tilesets\is-D4N45.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-58PO5.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Characters\is-UNI38.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Characters\is-F3UN4.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Autotiles\is-QVQF5.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Characters\is-P2RVO.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Panoramas\is-FVVDJ.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-LISO1.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-5CO00.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-JGF16.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlebacks\is-O04VU.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlers\is-ABSRO.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\BGM\is-6Q494.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\BGM\is-OL2P4.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\BGM\is-69PTO.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlebacks\is-9LCH9.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Characters\is-KI0JO.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\Data\is-P1C75.tmp	RPGXP_E.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

RPGXP_E.exeRPGXP_E.tmpxp_rtp104e.exexp_rtp104e.tmpRPGXP.exeRPGXP.exeRPGXP.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RPGXP_E.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RPGXP_E.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xp_rtp104e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xp_rtp104e.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RPGXP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RPGXP.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RPGXP.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesvchost.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe

Modifies Internet Explorer settings 1 TTPs 12 IoCs

adware spyware

Modify Registry

T1112

Processes:

RPGXP.exeRPGXP.exeRPGXP.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	RPGXP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	RPGXP.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	RPGXP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	RPGXP.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	RPGXP.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main	RPGXP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	RPGXP.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	RPGXP.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Internet Explorer\Main	RPGXP.exe

Modifies registry class 64 IoCs

Processes:

RPGXP_E.tmpRPGXP.exesvchost.exeRPGXP.exeRPGXP.exesvchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Project\ = "RPGXP Project"	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Archive\shell	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Archive\shell\open\command\ = "\"C:\\Program Files (x86)\\Enterbrain\\RPGXP\\RPGXP.exe\" /n \"%1\""	RPGXP_E.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\lrkPlevhzyvf = "tdj[uI[jCetXnC^ZZX"	RPGXP.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-556537508-2730415644-482548075-1000\{6A6C62EF-068C-48F1-8EDF-0D2FCFDD97F6}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\gWOcirgbnvd = "vbvnIfkCNJOpCk_VBAytEUH{sFCW"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\XpuwdAzkDwkc = "u~O[bP\\DFLaQ`dhYy]"	RPGXP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Data\shell\open\command	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Archive\shell\open	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\InprocServer32	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\ProgID\ = "ADODB.Connection.6.0"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\lrkPlevhzyvf = "jwqEFmudc`G\|rnvmTF"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\XpuwdAzkDwkc = "\x7fHKgl@RUGuDuZOQcKX"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Project\shell\open\command\ = "\"C:\\Program Files (x86)\\Enterbrain\\RPGXP\\RPGXP.exe\" \"%1\""	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Data	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Archive\ = "RGSS Encrypted Archive"	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\ProgID	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\Eloc = "tSw@~aXN\\xfd^tAdOKn^rKKStLV"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Data\DefaultIcon\ = "\"C:\\Program Files (x86)\\Enterbrain\\RPGXP\\RPGXP.exe\",2"	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\laxnqp = "TQ~QyFKnJlr\|XEMpIq\|XB"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\wfcYvTkpwc = "mn`j{WhH[IPQC\\UPSsf\|cN\x7fWni^"	RPGXP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Project\DefaultIcon	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\yiuZnLAgGOY = "wVzifV}tgokdsaGaeBzv`nY{icE@"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\lrkPlevhzyvf = "tdj[uI[jCetXnC^ZZX"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\Eloc = "tSw@~aXN\\xfd^tAdOKn^rKKStLV"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Project\DefaultIcon\ = "\"C:\\Program Files (x86)\\Enterbrain\\RPGXP\\RPGXP.exe\",1"	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rxproj\ = "RPGXP.Project"	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rxdata	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\Eloc = "AmDyFZAMpJGa]VgYTOVLQNHRxr]"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\lgqXkhqfFYq = "ROBThrtzRUkODaeA"	RPGXP.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\lgqXkhqfFYq = "yH@JEc^oxKVj{rNH"	RPGXP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\ = "ADODB.Connection"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\InprocServer32\ThreadingModel = "Apartment"	RPGXP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\VersionIndependentProgID	RPGXP.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-556537508-2730415644-482548075-1000\{2D9B64AB-2CA2-432E-8DA5-1FE7D8B60455}	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Archive\DefaultIcon	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-556537508-2730415644-482548075-1000\{33914037-345C-4976-A189-CB80A2C0A9F8}	svchost.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-556537508-2730415644-482548075-1000\{8A210896-865B-484A-8D2C-CC8092502922}	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Project\shell\open\command	RPGXP_E.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\gWOcirgbnvd = "}cbXSE}WRbgjiooqS]pqlmMQdvGo"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\laxnqp = "T_@\\\\]lVy{QJTCwNYa}XS"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\lgqXkhqfFYq = "yH@JEc^oxKVj{rNH"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\wfcYvTkpwc = "\\cEz^UbUhXFlcdah]XaYaqToE^r"	RPGXP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rxproj	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Archive\DefaultIcon\ = "\"C:\\Program Files (x86)\\Enterbrain\\RPGXP\\RPGXP.exe\",3"	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Archive\shell\open\command	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\System\\ado\\msado15.dll"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\laxnqp = "T_@\\\\]lVy{QJTCwNYa}XS"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\lgqXkhqfFYq = "ROBThrtzRUkODaeA"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\wfcYvTkpwc = "mn`j{WhH[IPQC\\UPSsf\|cN\x7fWni^"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\laxnqp = "TQ~QyFKnJlr\|XEMpIq\|XB"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\lrkPlevhzyvf = "jwqEFmudc`G\|rnvmTF"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Data\shell\open\command\ = "\"C:\\Program Files (x86)\\Enterbrain\\RPGXP\\RPGXP.exe\" /n \"%1\""	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rgssad\ = "RPGXP.Archive"	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\yiuZnLAgGOY = "wVzifV}tgokdsaGadBzv`nR{@{Ft"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\XpuwdAzkDwkc = "\x7fHKgl@RUGuDuZOQcKX"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\yiuZnLAgGOY = "d]kWX\x7fvgNchy_^MCCmlZNXaGcFox"	RPGXP.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-556537508-2730415644-482548075-1000\{AE36BB43-E8A1-46D0-B005-BA80D250D22C}	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Project	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Project\shell	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Data\shell\open	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rxdata\ = "RPGXP.Data"	RPGXP_E.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RPGXP_E.tmp

pid	Process
2932	RPGXP_E.tmp
2932	RPGXP_E.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RPGXP_E.tmp

pid	Process
2932	RPGXP_E.tmp

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

RPGXP.exeOpenWith.exeRPGXP.exeOpenWith.exeRPGXP.exeOpenWith.exe

pid	Process
784	RPGXP.exe
784	RPGXP.exe
3652	OpenWith.exe
4116	RPGXP.exe
4116	RPGXP.exe
1688	OpenWith.exe
2952	RPGXP.exe
2952	RPGXP.exe
4740	OpenWith.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

RPGXP_E.exeRPGXP_E.tmpxp_rtp104e.exe

description	pid	Process	procid_target
PID 4268 wrote to memory of 2932	4268	RPGXP_E.exe	80
PID 4268 wrote to memory of 2932	4268	RPGXP_E.exe	80
PID 4268 wrote to memory of 2932	4268	RPGXP_E.exe	80
PID 2932 wrote to memory of 2572	2932	RPGXP_E.tmp	83
PID 2932 wrote to memory of 2572	2932	RPGXP_E.tmp	83
PID 2932 wrote to memory of 2572	2932	RPGXP_E.tmp	83
PID 2572 wrote to memory of 4828	2572	xp_rtp104e.exe	84
PID 2572 wrote to memory of 4828	2572	xp_rtp104e.exe	84
PID 2572 wrote to memory of 4828	2572	xp_rtp104e.exe	84

C:\Users\Admin\AppData\Local\Temp\RPGXP_E.exe
"C:\Users\Admin\AppData\Local\Temp\RPGXP_E.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4268
- C:\Users\Admin\AppData\Local\Temp\is-PQLGF.tmp\RPGXP_E.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-PQLGF.tmp\RPGXP_E.tmp" /SL5="$502E4,28152842,118784,C:\Users\Admin\AppData\Local\Temp\RPGXP_E.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Users\Admin\AppData\Local\Temp\is-KHGAK.tmp\xp_rtp104e.exe
    "C:\Users\Admin\AppData\Local\Temp\is-KHGAK.tmp\xp_rtp104e.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2572
  - - C:\Users\Admin\AppData\Local\Temp\is-OK5PJ.tmp\xp_rtp104e.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-OK5PJ.tmp\xp_rtp104e.tmp" /SL5="$C0070,22729139,53248,C:\Users\Admin\AppData\Local\Temp\is-KHGAK.tmp\xp_rtp104e.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:4828

C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe
"C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:784

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
- Network Service Discovery
PID:2772

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3652

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:1404

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:3936

C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe
"C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4116

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
PID:2804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:2500

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:2328

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\d9a7ca93c64d403c8d269b63ee227d31 /t 3812 /p 4116
1⤵
PID:1776

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\2a59cb4d791d46ea9416e1a3ba221024 /t 1172 /p 784
1⤵
PID:1484

C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe
"C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Network Service Discovery

T1046

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe

Filesize
3.2MB

MD5
6f6ccdccf5bd0946a2b55a014329bdac

SHA1
48bbe60410e70a991d7ffea90e3e1279ee456c78

SHA256
ecb1f0805161e359adedb28b2fa7f8c4d8586d6d5d69a37dd05757618f9e551f

SHA512
092d982773dd62e4d6f3a60c83d7e0f7c8ab07afaca3ecfdf960014452e78d4f6437008e8b110993b8e6a798110a736b9be0189f932c348d5b74b23c6cd7b7e1

Download Submit
C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-activate.png

Filesize
8KB

MD5
592adc03e205672e8a4f790f685c658f

SHA1
70e40b322ad187e9860d3619edac25d30624d17f

SHA256
aabb33a465c18dcba522190d57100cf3e07107651084275645785625f3f4ff7e

SHA512
c21e1eaee0ced3e57e518bc72c87b9cfa615d84d44081e868dcaa4f5fcb95273028a1ebb7854d7feab098973e066a607d586b537b5ad2ac2a04f88e7048ec03e

Download Submit
C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-background.png

Filesize
644KB

MD5
2ecb353c8974f1020d1425dfb8d4f591

SHA1
64b4196b78b4cdba32d8a5f14391861973dbe676

SHA256
614ffaa33a9bf1453dbac9033c941aea534cf12fe89f568344d94217497ac674

SHA512
0b079efff3c97d059eeed87df6433fc3929f18542d700bbee5c4f32ba5e2e216c68cc8403c2d9224cae2cc92550c7e668b1152586db6b8579f4ddaa8fbbbb9df

Download Submit
C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-buy-now.png

Filesize
9KB

MD5
ffffdaaf9f1c7c47a4761df64f4ee56b

SHA1
6a3fd89cf56f9341bd872fad778af56f39a418f2

SHA256
c4c87ffce5df52d6acf28a94aa5414fd7305d44825394fe4cb809ca20e6bcf54

SHA512
b19ddd75a6a6d1dc44e70c30a01c7474bed5eab02d366786ef063be756a4993896038f0a368a00b5e383d639005ecf1f2e0f1d4223133b0b40340f8d777d0c2d

Download Submit
C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-continue.png

Filesize
10KB

MD5
ff708a85d46bc03f24dbf1e5119aadab

SHA1
39882cb9b2c82f8d1fbcefe1e0b0b41acbff5205

SHA256
dba7d3497b93f4752169ea3b19ee9a2727aed3dc0f58f722908d77e315851497

SHA512
f1869c1f5f46d8d906cbe142aa4f1b08e21ce388265e80622dbc099ecdc1987709a20546f8b33018cfc4806d8c4eda3e1b4ee1f362a77802bc0eb592e30c3fd4

Download Submit
C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-key-box.png

Filesize
4KB

MD5
7f1b95225ec76ae446a9f149bd6124f5

SHA1
0c0e5c159facd1a075e1b50b013123fab5ad6706

SHA256
a90e6a055e9b38788ca782a0641a247b58e857bdd91364ac6248d67497b1c817

SHA512
d914061975c0f1debfabe59a0bca8db00a5ac4af96d3f530cbf0cdd02e6e848bc0cff17cddd9436b7d0159671b3e791770b665fafabba89a642304b2b1cd5965

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B3938F7.TMP

Filesize
136B

MD5
ddde943e60b711399007f7894722a77a

SHA1
0ca8e93c5f8862c39038777497d2c6fe506826a3

SHA256
29dcba55ab1c35f14b4db7b1b956c54abf452f05add27cfae9222568008eed1b

SHA512
13f9eef3b9007ea04667311288d475bee432b37ef44616565392469df1db46239607a930659686182ee89dde63af0d1428939e315f3acb52d4087cf2e02ba3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HTMB503.tmp

Filesize
3KB

MD5
a8d38bf2fdf4c910a5dacbfcb4e438ad

SHA1
0d908e6870f88982bcde6f16ecedf14f521bc2a1

SHA256
ed8f601c12da4519e2a5396259b926d8ab7222365b62dbada0d75fbc237dd6c3

SHA512
0b157454b032c619d31dd7afd643390e595294abf7701a98294d566e90097134d58d42a6dc6c6a7670450a2e854d59888b987b1e961342630a3f07af774af2f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9NV61.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-KHGAK.tmp\xp_rtp104e.exe

Filesize
21.9MB

MD5
611881d2a5b8825df189616e7a2760f3

SHA1
2a907a5371d27dbf80cd9efc399fff76109a3968

SHA256
b3bd20ad7f413b40ac233aafd2e061de1dc429c2eadb59d0b3157ba3c47f16b2

SHA512
d79d8f57f8219574723239c0091068db64d2304e6b7495187247397491371e8761e711d027cab36bd08cbf86a1bf805dfbfeaff910f6b49458ff9c0c5872af23

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OK5PJ.tmp\xp_rtp104e.tmp

Filesize
669KB

MD5
52950ac9e2b481453082f096120e355a

SHA1
159c09db1abcee9114b4f792ffba255c78a6e6c3

SHA256
25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

SHA512
5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PQLGF.tmp\RPGXP_E.tmp

Filesize
1.1MB

MD5
63b15124be653dbe589c7981da9d397c

SHA1
af8874bdf2ad726f5420e8132c10becc2bbcd93c

SHA256
61674b90891ca099d5fee62bf063a948a80863530ab6a31e7f9e06f0e5bc7599

SHA512
339b284b5dd7386dcfa86c8fdcf239a0e97cc168229ea9a66fc0c6b26771401fa7f27c2c6a435a836a43ea9c7e634a3e47ec77e0d27985794bbb4416dfc97ac8

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini

Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/784-1944-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/784-1910-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/784-1941-0x00000000044E0000-0x00000000046E4000-memory.dmp

Filesize
2.0MB

Download
memory/784-1919-0x00000000044E0000-0x00000000046E4000-memory.dmp

Filesize
2.0MB

Download
memory/784-1915-0x00000000044E0000-0x00000000046E4000-memory.dmp

Filesize
2.0MB

Download
memory/784-1912-0x00000000044E0000-0x00000000046E4000-memory.dmp

Filesize
2.0MB

Download
memory/2572-527-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2572-97-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2572-99-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2572-1902-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2932-20-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2932-1905-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2932-7-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2932-18-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2932-16-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2932-14-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2932-111-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/2952-1966-0x00000000043B0000-0x00000000045B4000-memory.dmp

Filesize
2.0MB

Download
memory/2952-1975-0x00000000043B0000-0x00000000045B4000-memory.dmp

Filesize
2.0MB

Download
memory/2952-1980-0x00000000043B0000-0x00000000045B4000-memory.dmp

Filesize
2.0MB

Download
memory/2952-1981-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/2952-1970-0x00000000043B0000-0x00000000045B4000-memory.dmp

Filesize
2.0MB

Download
memory/4116-1953-0x00000000043C0000-0x00000000045C4000-memory.dmp

Filesize
2.0MB

Download
memory/4116-1949-0x00000000043C0000-0x00000000045C4000-memory.dmp

Filesize
2.0MB

Download
memory/4116-1957-0x00000000043C0000-0x00000000045C4000-memory.dmp

Filesize
2.0MB

Download
memory/4116-1962-0x00000000043C0000-0x00000000045C4000-memory.dmp

Filesize
2.0MB

Download
memory/4116-1963-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/4268-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4268-12-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4268-1906-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/4268-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/4828-110-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4828-1900-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4828-919-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/4828-921-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download