gh0strat | 010367d9fc0fdd9de68af62a4e56a5e311a7c8c9d76b706cae59ea8a38f7d9f2

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-12-2024 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

010367d9fc0fdd9de68af62a4e56a5e311a7c8c9d76b706cae59ea8a38f7d9f2.msi
Size

96.3MB
MD5

cc9cd8ad9a22acb8305eb14d0a8bfcd1
SHA1

a097850d43b2a7c094069ac758c8cdc6565af8e5
SHA256

010367d9fc0fdd9de68af62a4e56a5e311a7c8c9d76b706cae59ea8a38f7d9f2
SHA512

9a529b79c727474f45f55093972885503103a8ca7437600562adf4c5f0112e7113ff892726d1e67edce4655a910d5e49337543dac4db7d381aa725a544aa7f8d
SSDEEP

3145728:N+LEmAi0QDF3gzILlHgytL79ORBow2zanEL+X:NonQchHNP9EgBL

Score

10^/10

gh0strat purplefox discovery execution persistence privilege_escalation rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 4 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/4812-160-0x000000002C8C0000-0x000000002CA7C000-memory.dmp	purplefox_rootkit
behavioral2/memory/4812-162-0x000000002C8C0000-0x000000002CA7C000-memory.dmp	purplefox_rootkit
behavioral2/memory/4812-163-0x000000002C8C0000-0x000000002CA7C000-memory.dmp	purplefox_rootkit
behavioral2/memory/4812-164-0x000000002C8C0000-0x000000002CA7C000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/4812-160-0x000000002C8C0000-0x000000002CA7C000-memory.dmp	family_gh0strat
behavioral2/memory/4812-162-0x000000002C8C0000-0x000000002CA7C000-memory.dmp	family_gh0strat
behavioral2/memory/4812-163-0x000000002C8C0000-0x000000002CA7C000-memory.dmp	family_gh0strat
behavioral2/memory/4812-164-0x000000002C8C0000-0x000000002CA7C000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4804	powershell.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	nzUbVPvBzDwZ.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	nzUbVPvBzDwZ.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	nzUbVPvBzDwZ.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	nzUbVPvBzDwZ.exe
File opened (read-only)	\??\R:	nzUbVPvBzDwZ.exe
File opened (read-only)	\??\T:	nzUbVPvBzDwZ.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	nzUbVPvBzDwZ.exe
File opened (read-only)	\??\Q:	nzUbVPvBzDwZ.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	nzUbVPvBzDwZ.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	nzUbVPvBzDwZ.exe
File opened (read-only)	\??\E:	nzUbVPvBzDwZ.exe
File opened (read-only)	\??\O:	nzUbVPvBzDwZ.exe
File opened (read-only)	\??\M:	nzUbVPvBzDwZ.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	nzUbVPvBzDwZ.exe
File opened (read-only)	\??\Z:	nzUbVPvBzDwZ.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	nzUbVPvBzDwZ.exe
File opened (read-only)	\??\H:	nzUbVPvBzDwZ.exe
File opened (read-only)	\??\L:	nzUbVPvBzDwZ.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	nzUbVPvBzDwZ.exe
File opened (read-only)	\??\Y:	nzUbVPvBzDwZ.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	nzUbVPvBzDwZ.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	nzUbVPvBzDwZ.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506	nzUbVPvBzDwZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content	nzUbVPvBzDwZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\77EC63BDA74BD0D0E0426DC8F8008506	nzUbVPvBzDwZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Tencent\Logs\QTStart.txt	hZqXonCbANHi.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft	nzUbVPvBzDwZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache	nzUbVPvBzDwZ.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData	nzUbVPvBzDwZ.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File created	C:\Program Files\LogDisplayAPI\2_nzUbVPvBzDwZ.exe	AgVKOCOPgZUKZaE.exe
File created	C:\Program Files\LogDisplayAPI\valibclang2d.dll	msiexec.exe
File opened for modification	C:\Program Files\LogDisplayAPI\nzUbVPvBzDwZ	AgVKOCOPgZUKZaE.exe
File created	C:\Program Files\LogDisplayAPI\hZqXonCbANHi.exe	AgVKOCOPgZUKZaE.exe
File created	C:\Program Files\LogDisplayAPI\AgVKOCOPgZUKZaE.exe	msiexec.exe
File created	C:\Program Files\LogDisplayAPI\TsuNgNucABNGLKF	msiexec.exe
File created	C:\Program Files\LogDisplayAPI\nzUbVPvBzDwZ	AgVKOCOPgZUKZaE.exe
File opened for modification	C:\Program Files\LogDisplayAPI\2_nzUbVPvBzDwZ.exe	AgVKOCOPgZUKZaE.exe
File opened for modification	C:\Program Files\LogDisplayAPI\hZqXonCbANHi.exe	AgVKOCOPgZUKZaE.exe
File opened for modification	C:\Program Files\LogDisplayAPI	nzUbVPvBzDwZ.exe
File created	C:\Program Files\LogDisplayAPI\qiJlRUmNGLOJIQR	AgVKOCOPgZUKZaE.exe
File opened for modification	C:\Program Files\LogDisplayAPI\qiJlRUmNGLOJIQR	AgVKOCOPgZUKZaE.exe
File opened for modification	C:\Program Files\LogDisplayAPI\nzUbVPvBzDwZ.exe	MsiExec.exe
File created	C:\Program Files\LogDisplayAPI\QTalk.exe	MsiExec.exe
File created	C:\Program Files\LogDisplayAPI\win32quickq.exe	msiexec.exe
File created	C:\Program Files\LogDisplayAPI\nzUbVPvBzDwZ.exe	MsiExec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e58268e.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{4BB5A68E-87E8-4BCA-809C-4144AB47842B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI28FF.tmp	msiexec.exe
File created	C:\Windows\Installer\e582690.msi	msiexec.exe
File created	C:\Windows\Installer\e58268e.msi	msiexec.exe

Executes dropped EXE 7 IoCs

pid	Process
1672	AgVKOCOPgZUKZaE.exe
3904	AgVKOCOPgZUKZaE.exe
4972	nzUbVPvBzDwZ.exe
1984	win32quickq.exe
3988	hZqXonCbANHi.exe
4580	QTalk.exe
4812	nzUbVPvBzDwZ.exe

Loads dropped DLL 14 IoCs

pid	Process
1984	win32quickq.exe
1984	win32quickq.exe
1984	win32quickq.exe
1984	win32quickq.exe
1984	win32quickq.exe
1984	win32quickq.exe
1984	win32quickq.exe
1984	win32quickq.exe
1984	win32quickq.exe
1984	win32quickq.exe
1984	win32quickq.exe
1984	win32quickq.exe
1984	win32quickq.exe
1984	win32quickq.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3576	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nzUbVPvBzDwZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nzUbVPvBzDwZ.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgVKOCOPgZUKZaE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	win32quickq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	QTalk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AgVKOCOPgZUKZaE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hZqXonCbANHi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f59c2d6185d8bf0c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f59c2d610000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f59c2d61000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df59c2d61000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f59c2d6100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	nzUbVPvBzDwZ.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	nzUbVPvBzDwZ.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	explorer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	explorer.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4896	taskkill.exe
3908	taskkill.exe
3064	taskkill.exe
1200	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	QTalk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-181 = "Mountain Daylight Time (Mexico)"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time"	QTalk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	QTalk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	QTalk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2772 = "Omsk Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2842 = "Saratov Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2162 = "Altai Standard Time"	QTalk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time"	QTalk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers	win32quickq.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\C:\Users\Admin\AppData\Local\QuickQ\QuickQ.exe = "RUNASADMIN"	win32quickq.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time"	QTalk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\ExplorerStartupTraceRecorded = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1871 = "Russia TZ 7 Daylight Time"	nzUbVPvBzDwZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time"	QTalk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	QTalk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-931 = "Coordinated Universal Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2491 = "Aus Central W. Daylight Time"	QTalk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-752 = "Tonga Standard Time"	QTalk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-42 = "E. South America Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-152 = "Central America Standard Time"	QTalk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-1932 = "Russia TZ 11 Standard Time"	QTalk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2792 = "Novosibirsk Standard Time"	QTalk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-452 = "Caucasus Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-501 = "Nepal Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-282 = "Central Europe Standard Time"	QTalk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	QTalk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-412 = "E. Africa Standard Time"	QTalk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-502 = "Nepal Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2062 = "North Korea Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time"	QTalk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2631 = "Norfolk Daylight Time"	QTalk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-1501 = "Turkey Daylight Time"	QTalk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	QTalk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-81 = "Atlantic Daylight Time"	nzUbVPvBzDwZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2532 = "Chatham Islands Standard Time"	nzUbVPvBzDwZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-752 = "Tonga Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-402 = "Arabic Standard Time"	QTalk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-122 = "SA Pacific Standard Time"	QTalk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2392 = "Aleutian Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-334 = "Jordan Daylight Time"	nzUbVPvBzDwZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2411 = "Marquesas Daylight Time"	QTalk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2492 = "Aus Central W. Standard Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-221 = "Alaskan Daylight Time"	QTalk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-2042 = "Eastern Standard Time (Mexico)"	QTalk.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-2511 = "Lord Howe Daylight Time"	nzUbVPvBzDwZ.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-292 = "Central European Standard Time"	QTalk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@tzres.dll,-361 = "GTB Daylight Time"	nzUbVPvBzDwZ.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\C:\Windows\system32\,@tzres.dll,-982 = "Kamchatka Standard Time"	QTalk.exe

Modifies registry class 57 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7F58F935A46F260449731C3FAED296CA\E86A5BB48E78ACB408C91444BA7448B2	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\SourceList\PackageName = "010367d9fc0fdd9de68af62a4e56a5e311a7c8c9d76b706cae59ea8a38f7d9f2.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 19002f433a5c000000000000000000000000000000000000000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\DeploymentFlags = "3"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0 = 500031000000000090596e2510004c6f63616c003c0009000400efbe4759f14990596e252e00000082e101000000010000000000000000000000000000004722d3004c006f00630061006c00000014000000	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\Version = "327683"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\NodeSlot = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\SourceList	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 500031000000000047599853100041646d696e003c0009000400efbe4759f149905959252e00000063e10100000001000000000000000000000000000000dce87300410064006d0069006e00000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\SourceList\Media	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\7F58F935A46F260449731C3FAED296CA	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 78003100000000004759f1491100557365727300640009000400efbe874f7748905959252e000000c70500000000010000000000000000003a00000000009c1a220055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0 = 56003100000000004759f14912004170704461746100400009000400efbe4759f149905959252e0000006ee10100000001000000000000000000000000000000d06b11004100700070004400610074006100000016000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0 = 5400310000000000905975251000517569636b5100003e0009000400efbe90596e25905977252e000000e83c0200000008000000000000000000000000000000b584d50051007500690063006b005100000016000000	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E86A5BB48E78ACB408C91444BA7448B2\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\ProductName = "LogDisplayAPI"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E86A5BB48E78ACB408C91444BA7448B2	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0\0\0	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\PackageCode = "31BC73B34277DF241A4DBAB1F9FC4E10"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E86A5BB48E78ACB408C91444BA7448B2\AdvertiseFlags = "388"	msiexec.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	explorer.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	nzUbVPvBzDwZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 0f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee420000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	nzUbVPvBzDwZ.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 19000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877620000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	nzUbVPvBzDwZ.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4	QTalk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 04000000010000001000000091de0625abdafd32170cbb25172a84670f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec53726187760b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b06010505070301620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae4140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e31d000000010000001000000099949d2179811f6b30a8c99c4f6b42260300000001000000140000002796bae63f1801e277261ba0d77770028f20eee419000000010000001000000063664b080559a094d10f0a3c5f4f629020000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	QTalk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\2796BAE63F1801E277261BA0D77770028F20EEE4\Blob = 5c00000001000000040000000008000019000000010000001000000063664b080559a094d10f0a3c5f4f62900300000001000000140000002796bae63f1801e277261ba0d77770028f20eee41d000000010000001000000099949d2179811f6b30a8c99c4f6b4226140000000100000014000000d2c4b0d291d44c1171b361cb3da1fedda86ad4e3620000000100000020000000c3846bf24b9e93ca64274c0ec67c1ecc5e024ffcacd2d74019350e81fe546ae409000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000005d82adb90d5dd3c7e3524f56f787ec537261877604000000010000001000000091de0625abdafd32170cbb25172a846720000000010000000404000030820400308202e8a003020102020100300d06092a864886f70d01010505003063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137303632305a170d3334303632393137303632305a3063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100de9dd7ea571849a15bebd75f4886eabeddffe4ef671cf46568b35771a05e77bbed9b49e970803d561863086fdaf2ccd03f7f0254225410d8b281d4c0753d4b7fc777c33e78ab1a03b5206b2f6a2bb1c5887ec4bb1eb0c1d845276faa3758f78726d7d82df6a917b71f72364ea6173f659892db2a6e5da2fe88e00bde7fe58d15e1ebcb3ad5e212a2132dd88eaf5f123da0080508b65ca565380445991ea3606074c541a572621b62c51f6f5f1a42be025165a8ae23186afc7803a94d7f80c3faab5afca140a4ca1916feb2c8ef5e730dee77bd9af67998bcb10767a2150ddda058c6447b0a3e62285fba41075358cf117e3874c5f8ffb569908f8474ea971baf020103a381c03081bd301d0603551d0e04160414d2c4b0d291d44c1171b361cb3da1fedda86ad4e330818d0603551d230481853081828014d2c4b0d291d44c1171b361cb3da1fedda86ad4e3a167a4653063310b30090603550406130255533121301f060355040a131854686520476f2044616464792047726f75702c20496e632e3131302f060355040b1328476f20446164647920436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100324bf3b2ca3e91fc12c6a1078c8e77a03306145c901e18f708a63d0a19f98780116e69e4961730ff3491637238eecc1c01a31d9428a431f67ac454d7f6e5315803a2ccce62db944573b5bf45c924b5d58202ad2379698db8b64dcecf4cca3323e81c88aa9d8b416e16c920e5899ecd3bda70f77e992620145425ab6e7385e69b219d0a6c820ea8f8c20cfa101e6c96ef870dc40f618badee832b95f88e92847239eb20ea83ed83cd976e08bceb4e26b6732be4d3f64cfe2671e26111744aff571a870f75482ecf516917a002126195d5d140b2104ceec4ac1043a6a59e0ad595629a0dcf8882c5320ce42b9f45e60d9f289cb1b92a5a57ad370faf1d7fdbbd9f	QTalk.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4932	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
852	msiexec.exe
852	msiexec.exe
4804	powershell.exe
4804	powershell.exe
4804	powershell.exe
4972	nzUbVPvBzDwZ.exe
4972	nzUbVPvBzDwZ.exe
4580	QTalk.exe
4580	QTalk.exe
4580	QTalk.exe
4580	QTalk.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe
4812	nzUbVPvBzDwZ.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3576	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3576	msiexec.exe
Token: SeSecurityPrivilege	852	msiexec.exe
Token: SeCreateTokenPrivilege	3576	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3576	msiexec.exe
Token: SeLockMemoryPrivilege	3576	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3576	msiexec.exe
Token: SeMachineAccountPrivilege	3576	msiexec.exe
Token: SeTcbPrivilege	3576	msiexec.exe
Token: SeSecurityPrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeLoadDriverPrivilege	3576	msiexec.exe
Token: SeSystemProfilePrivilege	3576	msiexec.exe
Token: SeSystemtimePrivilege	3576	msiexec.exe
Token: SeProfSingleProcessPrivilege	3576	msiexec.exe
Token: SeIncBasePriorityPrivilege	3576	msiexec.exe
Token: SeCreatePagefilePrivilege	3576	msiexec.exe
Token: SeCreatePermanentPrivilege	3576	msiexec.exe
Token: SeBackupPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeShutdownPrivilege	3576	msiexec.exe
Token: SeDebugPrivilege	3576	msiexec.exe
Token: SeAuditPrivilege	3576	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3576	msiexec.exe
Token: SeChangeNotifyPrivilege	3576	msiexec.exe
Token: SeRemoteShutdownPrivilege	3576	msiexec.exe
Token: SeUndockPrivilege	3576	msiexec.exe
Token: SeSyncAgentPrivilege	3576	msiexec.exe
Token: SeEnableDelegationPrivilege	3576	msiexec.exe
Token: SeManageVolumePrivilege	3576	msiexec.exe
Token: SeImpersonatePrivilege	3576	msiexec.exe
Token: SeCreateGlobalPrivilege	3576	msiexec.exe
Token: SeBackupPrivilege	4404	vssvc.exe
Token: SeRestorePrivilege	4404	vssvc.exe
Token: SeAuditPrivilege	4404	vssvc.exe
Token: SeBackupPrivilege	852	msiexec.exe
Token: SeRestorePrivilege	852	msiexec.exe
Token: SeRestorePrivilege	852	msiexec.exe
Token: SeTakeOwnershipPrivilege	852	msiexec.exe
Token: SeRestorePrivilege	852	msiexec.exe
Token: SeTakeOwnershipPrivilege	852	msiexec.exe
Token: SeDebugPrivilege	4804	powershell.exe
Token: SeRestorePrivilege	852	msiexec.exe
Token: SeTakeOwnershipPrivilege	852	msiexec.exe
Token: SeRestorePrivilege	852	msiexec.exe
Token: SeTakeOwnershipPrivilege	852	msiexec.exe
Token: SeRestorePrivilege	852	msiexec.exe
Token: SeTakeOwnershipPrivilege	852	msiexec.exe
Token: SeRestorePrivilege	852	msiexec.exe
Token: SeTakeOwnershipPrivilege	852	msiexec.exe
Token: SeRestorePrivilege	852	msiexec.exe
Token: SeTakeOwnershipPrivilege	852	msiexec.exe
Token: SeRestorePrivilege	852	msiexec.exe
Token: SeTakeOwnershipPrivilege	852	msiexec.exe
Token: SeRestorePrivilege	852	msiexec.exe
Token: SeTakeOwnershipPrivilege	852	msiexec.exe
Token: SeRestorePrivilege	852	msiexec.exe
Token: SeTakeOwnershipPrivilege	852	msiexec.exe
Token: SeRestorePrivilege	852	msiexec.exe
Token: SeTakeOwnershipPrivilege	852	msiexec.exe
Token: SeRestorePrivilege	852	msiexec.exe
Token: SeTakeOwnershipPrivilege	852	msiexec.exe
Token: SeRestorePrivilege	852	msiexec.exe
Token: SeTakeOwnershipPrivilege	852	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3576	msiexec.exe
3576	msiexec.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4932	explorer.exe
4932	explorer.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 224	852	msiexec.exe	96
PID 852 wrote to memory of 224	852	msiexec.exe	96
PID 852 wrote to memory of 448	852	msiexec.exe	101
PID 852 wrote to memory of 448	852	msiexec.exe	101
PID 448 wrote to memory of 4804	448	MsiExec.exe	102
PID 448 wrote to memory of 4804	448	MsiExec.exe	102
PID 448 wrote to memory of 1672	448	MsiExec.exe	105
PID 448 wrote to memory of 1672	448	MsiExec.exe	105
PID 448 wrote to memory of 1672	448	MsiExec.exe	105
PID 448 wrote to memory of 3904	448	MsiExec.exe	107
PID 448 wrote to memory of 3904	448	MsiExec.exe	107
PID 448 wrote to memory of 3904	448	MsiExec.exe	107
PID 448 wrote to memory of 4972	448	MsiExec.exe	109
PID 448 wrote to memory of 4972	448	MsiExec.exe	109
PID 448 wrote to memory of 4972	448	MsiExec.exe	109
PID 448 wrote to memory of 1984	448	MsiExec.exe	111
PID 448 wrote to memory of 1984	448	MsiExec.exe	111
PID 448 wrote to memory of 1984	448	MsiExec.exe	111
PID 3988 wrote to memory of 4580	3988	hZqXonCbANHi.exe	114
PID 3988 wrote to memory of 4580	3988	hZqXonCbANHi.exe	114
PID 3988 wrote to memory of 4580	3988	hZqXonCbANHi.exe	114
PID 4580 wrote to memory of 4812	4580	QTalk.exe	117
PID 4580 wrote to memory of 4812	4580	QTalk.exe	117
PID 4580 wrote to memory of 4812	4580	QTalk.exe	117
PID 1984 wrote to memory of 4896	1984	win32quickq.exe	123
PID 1984 wrote to memory of 4896	1984	win32quickq.exe	123
PID 1984 wrote to memory of 4896	1984	win32quickq.exe	123
PID 1984 wrote to memory of 3908	1984	win32quickq.exe	125
PID 1984 wrote to memory of 3908	1984	win32quickq.exe	125
PID 1984 wrote to memory of 3908	1984	win32quickq.exe	125
PID 1984 wrote to memory of 3064	1984	win32quickq.exe	127
PID 1984 wrote to memory of 3064	1984	win32quickq.exe	127
PID 1984 wrote to memory of 3064	1984	win32quickq.exe	127
PID 1984 wrote to memory of 1200	1984	win32quickq.exe	129
PID 1984 wrote to memory of 1200	1984	win32quickq.exe	129
PID 1984 wrote to memory of 1200	1984	win32quickq.exe	129
PID 1984 wrote to memory of 4524	1984	win32quickq.exe	131
PID 1984 wrote to memory of 4524	1984	win32quickq.exe	131
PID 1984 wrote to memory of 4524	1984	win32quickq.exe	131
PID 1984 wrote to memory of 4428	1984	win32quickq.exe	133
PID 1984 wrote to memory of 4428	1984	win32quickq.exe	133
PID 1984 wrote to memory of 4428	1984	win32quickq.exe	133
PID 1984 wrote to memory of 2500	1984	win32quickq.exe	135
PID 1984 wrote to memory of 2500	1984	win32quickq.exe	135
PID 1984 wrote to memory of 2500	1984	win32quickq.exe	135
PID 1984 wrote to memory of 3316	1984	win32quickq.exe	137
PID 1984 wrote to memory of 3316	1984	win32quickq.exe	137
PID 1984 wrote to memory of 3316	1984	win32quickq.exe	137
PID 1984 wrote to memory of 1892	1984	win32quickq.exe	140
PID 1984 wrote to memory of 1892	1984	win32quickq.exe	140
PID 1984 wrote to memory of 1892	1984	win32quickq.exe	140

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\010367d9fc0fdd9de68af62a4e56a5e311a7c8c9d76b706cae59ea8a38f7d9f2.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3576

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:224
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 49D7B35CAE87E0A15F088A66A925FD13 E Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:448
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\LogDisplayAPI','C:\Program Files','C:\Program Files'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4804
- - C:\Program Files\LogDisplayAPI\AgVKOCOPgZUKZaE.exe
    "C:\Program Files\LogDisplayAPI\AgVKOCOPgZUKZaE.exe" x "C:\Program Files\LogDisplayAPI\TsuNgNucABNGLKF." "C:\Program Files\LogDisplayAPI\" -p"82172xEZ9}JD}HyN3N}." -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1672
- - C:\Program Files\LogDisplayAPI\AgVKOCOPgZUKZaE.exe
    "C:\Program Files\LogDisplayAPI\AgVKOCOPgZUKZaE.exe" x "C:\Program Files\LogDisplayAPI\qiJlRUmNGLOJIQR." -x"1_nzUbVPvBzDwZ.exe" -x"sss" -x"1_ZEtMZROjFEXUunp.exe" -x"1_" -x"1_" -x"sa" "C:\Program Files\LogDisplayAPI\" -p"540768fgP}GcRPOdgPox" -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3904
- - C:\Program Files\LogDisplayAPI\nzUbVPvBzDwZ.exe
    "C:\Program Files\LogDisplayAPI\nzUbVPvBzDwZ.exe" -nbg 274
    3⤵
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    PID:4972
- - C:\Program Files\LogDisplayAPI\win32quickq.exe
    "C:\Program Files\LogDisplayAPI\win32quickq.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:1984
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -F -IM quickq.exe -t
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:4896
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -F -IM quickq-browser.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3908
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -F -IM typeperf.exe
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:3064
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill -F -IM quickqservice-*
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1200
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\QuickQ\User Data\Default\cache.dat" "C:\Users\Admin\AppData\Local\QuickQ\cachebak.dat"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4524
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\QuickQ\User Data\Default\cache6.dat" "C:\Users\Admin\AppData\Local\QuickQ\cachebak6.dat"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4428
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\QuickQ\cachebak.dat" "C:\Users\Admin\AppData\Local\QuickQ\User Data\Default\cache.dat"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2500
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c copy "C:\Users\Admin\AppData\Local\QuickQ\cachebak6.dat" "C:\Users\Admin\AppData\Local\QuickQ\User Data\Default\cache6.dat"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3316
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe /select,"C:\Users\Admin\AppData\Local\QuickQ\QuickQ.exe"
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Modifies data under HKEY_USERS
      PID:1892

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4404

C:\Program Files\LogDisplayAPI\hZqXonCbANHi.exe
"C:\Program Files\LogDisplayAPI\hZqXonCbANHi.exe" -nbg 102
1⤵
- Drops file in System32 directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3988
- C:\Program Files\LogDisplayAPI\QTalk.exe
  "C:\Program Files\LogDisplayAPI\QTalk.exe" -nbg 102
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Program Files\LogDisplayAPI\nzUbVPvBzDwZ.exe
    "C:\Program Files\LogDisplayAPI\nzUbVPvBzDwZ.exe" -nbg 72
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4812

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4932

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58268f.rbs

Filesize
7KB

MD5
16a2ad559d0dc0b8b8d529a22d0c0fff

SHA1
29a31da32f671b3b830ea9ccc5f47a7f37010b49

SHA256
0fe7694c46391ed760b0c3127168243c89bf3f5d29fa48f93df643e46bdeb7ef

SHA512
c2c9761be2d0c7e9a865c03de3aafc50101af5e1af08c81296c1becc6f04d326d9817ca61c9935bd81f4a26e4c743734d4b2b3bd24ab0a416cee5eb44e7f3002

Download Submit
C:\Program Files\LogDisplayAPI\2_nzUbVPvBzDwZ.exe

Filesize
5.4MB

MD5
3edc4a0a0e0cecf47293ee1afdd4f026

SHA1
463a23a83411274b844f3a0a2432736e08ec83cd

SHA256
a61c490dc3731726b04044e473e3d72874815dd98243486c1703796631f66865

SHA512
6fa20e4806bb0b15d989df16abbd7084c2609cc1408791f2a154ef59d840122a8f01e1c6d05f1258f6621c6dc3812d76a27493ec86cdf29e9bd2496458cb59f0

Download Submit
C:\Program Files\LogDisplayAPI\AgVKOCOPgZUKZaE.exe

Filesize
752KB

MD5
9b08fd1d59cb47aa7bf456e6d388f6c2

SHA1
31923271d11a2f8d2aaf758e00fc2029a3614335

SHA256
0a88d153334d6865273920593d947bb3b6f9af945f7d479865b1e9f3354042b5

SHA512
0a35c61dda6b0d8d307a87a024bf7390690de83aee938f2b53e56768f466dd872237dc638fbab5a427c44221331236f1350b38292cb763fd5a65967317063457

Download Submit
C:\Program Files\LogDisplayAPI\TsuNgNucABNGLKF

Filesize
2.5MB

MD5
f244487106eb4e1ba09ff94195324f59

SHA1
77610e900c07e850cf5b17eac50a4ea54934b748

SHA256
381f110fae77625187f631e8314f0fca826c3cb4e1b6a8e8c96ab0d4e9c6b689

SHA512
3efac761e1221b55f73ff71ebad3d40591c9aeef3790934171e7d69db7b7b260f827f8d0c81469d7dfe12d9c40a8d1ebae06bc95384a71ec83257640fe663c4a

Download Submit
C:\Program Files\LogDisplayAPI\hZqXonCbANHi.exe

Filesize
545KB

MD5
f6f07b72bcf2de6a4b783ea6954dddc0

SHA1
f2bc5356e2a98bf789f53b95a8a23eac4f447749

SHA256
551addcac530901fe73a8c3e13e0e056c78d61b996a3f2cabd2ffbdea1108fa1

SHA512
2b3db895a9712a9f7924763c898dd9574ce3a406653f614405a8771cbddc6eda13baa0e372851458caaa9e8a256eb13cef9ea1aa0af13997a6ce74e33a8ce9a0

Download Submit
C:\Program Files\LogDisplayAPI\qiJlRUmNGLOJIQR

Filesize
2.4MB

MD5
4a15a9b8be8cb41729a6dc744e4eed59

SHA1
b5db15960baac1297674808b8fd2b6f260f7a8aa

SHA256
1ac597850a81d21740528aea1740a9b32c23816a53717d61118cd93e6860a9ba

SHA512
3d754ea574be11a206cce86e9d1ed47eadc86582a3c3aecae445fbcf27bd7bb82d18ed5676aa52ba3f2156e74593f28f69d92d47e0322d863f3949a0957ec9a0

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\QuickQ.exe

Filesize
2.0MB

MD5
d19a519f6017c8a93864c8701f9bbfdc

SHA1
51fef45333b1611d66dfc9592cfb5cc8875bdfe9

SHA256
072df70d3dfb776e89a7cfe8b95d8a098dcd6b236b0c7f7337fec14cb21ef9ff

SHA512
6bf83ec138768ff417499f9a1dc6f703acd198d9979f6604789ab5b428ecc3109d1ff20a54883c7c48bedf637f76cb8831a3eb107d7999fec6bf81f487a0560b

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\QuickQ.lnk

Filesize
1KB

MD5
638477c980b0202772de9d88913a4e73

SHA1
f9f23fa8252227c556a4315b2d4638465df31937

SHA256
9854bc9214c97f9027ec9e47b8d2c9bc5fd00113304f0cc8b9eb7399fa53513c

SHA512
6a7cda19026ece4aacc113046154ccb671407d31bdd9ae7826b8ccefac3132dc576eb2b40ef059aa453a6944bf514722653ee58ff3a7b7097c2a755f30927c5d

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\locales\bg.pak.info

Filesize
742KB

MD5
d611503e029dab3c1262127dff2f899e

SHA1
415ccea2e7e47f294366490fde386d74261f8e33

SHA256
d0b585f25524b300bc67a510bb9674558656656d97a145ea13ae43aad3b7b9a6

SHA512
97df2a88fa4414c2d8f66aecefe166c5044db2576efc39c76446446850702d0d9e0221476c435f8ec44b38eafae49912f7c81fefd194c919d87f7178b9fc3f4c

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\notification_helper.exe

Filesize
829KB

MD5
1c287b45610da3bf4a0da42de90c19b6

SHA1
2f2cf36ecf7338956c4428b06cb44da0390d95f7

SHA256
656dbf601d1afc44b074d91c7a8bc87d331326b52850bfbcb7132925671d323c

SHA512
4632f5045fc7294c5378e84812b0538e770bc5a96b8e87bd3abf1ff1b40b14df2208482095034d75897d50562c525a9e983ff888a5fb688f7bf084676912c463

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\resource\win32\winproc\4\quickq_winproc.exe

Filesize
23KB

MD5
2955a0fac28d3951ffa5738ba07de7ce

SHA1
30633ca29e79bbecb1e7b074dd2f5783f05c556b

SHA256
01b2e339f7205794e3708cebf66db7bb4940e7ae82497244307ff9561a001986

SHA512
f1dc5387b4862091ff912be801dd146d6c3a1f913a56cd3040a0ddbfcbc516c448d78606b47f609a3b05ff808d5a6ac5ef3aab0fa276bee96d0fd5e7e829b129

Download Submit
C:\Users\Admin\AppData\Local\QuickQ\resource\win32\winproc\4\quickq_winproc_64.exe

Filesize
23KB

MD5
07e5da1aebc7f4d96cd8481f227798dd

SHA1
101e92945a762869f26d2dfd242b3e957f6afedb

SHA256
9db5f4b9ddd00abd44decce002f6a23d5efffe00afddeaf84f5a31611ffc95dd

SHA512
a5bc4206b448d4cc68f6d05768af5589e18e7adfa2a89c283778e6268f37d41815686ec0b22f6387b722eef57c13426fef49cbaeb9b53cd8ff28ebe5fca38993

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lx3mhvdn.rpf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd3F38.tmp\InstallOptions.dll

Filesize
14KB

MD5
8d5a5529462a9ba1ac068ee0502578c7

SHA1
875e651e302ce0bfc8893f341cf19171fee25ea5

SHA256
e625dcd0188594b1289891b64debddeb5159aca182b83a12675427b320bf7790

SHA512
101da2c33f47bd85b8934318e0f0b72f820afc928a2a21e2c7823875e3a0e830f7c67f42b4c2f30596eaa073617790c89700c0d95b7949ec617e52800b61d462

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd3F38.tmp\LangDLL.dll

Filesize
5KB

MD5
77ff758c10c66937de6d86c388aa431c

SHA1
14bd5628eaf8a12b55cd38f9560c839cb21ce77a

SHA256
6a033e367714ec0d13fca0589c165bdbf4d1dac459fa7ec7415815223fa3c008

SHA512
319837951be276a179ead69efcd24bd7566061abc7997ea782af50bd4b0d69e5ec1a6e4cdeb2825bafedf87edf03380396b7bcf58682b6a3a824c8dc4b966bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd3F38.tmp\System.dll

Filesize
11KB

MD5
b0c77267f13b2f87c084fd86ef51ccfc

SHA1
f7543f9e9b4f04386dfbf33c38cbed1bf205afb3

SHA256
a0cac4cf4852895619bc7743ebeb89f9e4927ccdb9e66b1bcd92a4136d0f9c77

SHA512
f2b57a2eea00f52a3c7080f4b5f2bb85a7a9b9f16d12da8f8ff673824556c62a0f742b72be0fd82a2612a4b6dbd7e0fdc27065212da703c2f7e28d199696f66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd3F38.tmp\ioSpecial.ini

Filesize
541B

MD5
2314ce69e994b8d826f5f698d8699e96

SHA1
ecb7e0b3de28e44b67bd7c737c0d809470e2167a

SHA256
a7176b88d7efc6ce34101fbf2119cd6e39dbaf9fdd593e1b566510a1bca0ce70

SHA512
dc92b1bc9fb318c3c64b1fe69249bd593c86cde40e1e755261f6554d32a34cd5452ecb64b8184f4e5750e0075e5f029dd2178a187bd4f7f13602e9130723712e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd3F38.tmp\ioSpecial.ini

Filesize
542B

MD5
453b94dc20e6df02f8db8db45068a699

SHA1
917591324ff133866ee9003f4808bd3d59d98841

SHA256
ea38180a05367f584516178a58a90aaff7b5e0eedc66197dadd222a11c19c2fe

SHA512
b1da0559470a9b1ceb05957ae8ad15e857f3a42fc01b0ef90f43594f0c9150d6cdfb3581659385d8a8ded1c58f748789939a98715df33783a8909ebc216b3921

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd3F38.tmp\ioSpecial.ini

Filesize
679B

MD5
88c8d65954f5d294f32c962f7ed0da11

SHA1
83e906220d9bb8c5f1f08c1a42ad44569ab8af71

SHA256
0689e64df24c8177e442198449b795ea0579fec64dfb3a8e35f75663a5520884

SHA512
233edabe000cbec7f90ae57a60b95be69aff968bedea73b58f03786286f740608d4393ef725f93cbf08d702bcfe9207df4a1e86355f488f38c79339e6fa39db1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd3F38.tmp\nsExec.dll

Filesize
6KB

MD5
1f49d8af9be9e915d54b2441c4a79adf

SHA1
1ee4f809c693e31f34bc6d8153664a6dc2c3e499

SHA256
b22c8f676dec58be8d25fbad1a37835ffc4029f29aaf79f4dc0337ca73a38782

SHA512
c60827e322e3168a79795ffd4beb0b0039842128255100d6b005d261402d2ff570f3866f441f3d3c063097c71d44bc5ae80d177fa91ef4e46fc8c2d97de27aa4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd3F38.tmp\nsis7z.dll

Filesize
436KB

MD5
d7778720208a94e2049972fb7a1e0637

SHA1
080d607b10f93c839ec3f07faec3548bb78ac4dc

SHA256
98f425f30e42e85f57e039356e30d929e878fdb551e67abfb9f71c31eeb5d44e

SHA512
98493ea271738ed6ba3a02de774deef267bfa3c16f3736f1a1a3856b9fecc07f0ea8670827e7eb4ed05c907e96425a0c762e7010cb55a09302ca3cfb3fe44b2b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
71e35be5d31c9b5ff93026a5eac85d2f

SHA1
bb7085a9ecef7a23e994f974044e75e261051b12

SHA256
adaf8502bf627e4221a22f692d9da8bef8846e4826e215684f4be3a2ab91d822

SHA512
113fa4a3064f8b73cab2d9828852a53f25921ba2e530295b94c4c9edb800ff7be46da435152cf53e992037d009100ab3b9d62dc8943dae89ee3d921a7363168e

Download Submit
\??\Volume{612d9cf5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2d7173bb-8eaa-4869-a76e-2dec9cab2a6e}_OnDiskSnapshotProp

Filesize
6KB

MD5
f8a630d8e29fe602569fa08fbd350389

SHA1
f0f924ccaf8f07686d17dee42cd9567277f8c289

SHA256
317b0f2df18bd9a41a7acd1dbc713280719c2607c7902089bf4e46c100bec294

SHA512
eb4574c86412e1f67acfd4cd7e5e3cf148b812f0f76d7e2aca2f76901a6a6cb3020419e091de66cd3d847fdd75baefd6df93ff4eb9d598f5cb3ea386d453fa59

Download Submit
memory/4804-22-0x00000225BDC60000-0x00000225BDC82000-memory.dmp

Filesize
136KB

Download
memory/4812-163-0x000000002C8C0000-0x000000002CA7C000-memory.dmp

Filesize
1.7MB

Download
memory/4812-164-0x000000002C8C0000-0x000000002CA7C000-memory.dmp

Filesize
1.7MB

Download
memory/4812-159-0x000000002C440000-0x000000002C484000-memory.dmp

Filesize
272KB

Download
memory/4812-162-0x000000002C8C0000-0x000000002CA7C000-memory.dmp

Filesize
1.7MB

Download
memory/4812-160-0x000000002C8C0000-0x000000002CA7C000-memory.dmp

Filesize
1.7MB

Download
memory/4972-147-0x000000002A280000-0x000000002A2AA000-memory.dmp

Filesize
168KB

Download