a4e2f937be55cef890bf7cbd1e658d63d85ee63ea3bf7bbef66fcbe04b55affe

Analysis

max time kernel
142s
max time network
120s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a4e2f937be55cef890bf7cbd1e658d63d85ee63ea3bf7bbef66fcbe04b55affe.exe
Size

12.8MB
MD5

2d0330fae641aa321b8c0365a5edd1b5
SHA1

0207713e73f9e1104e1a141f4cd833261b88904e
SHA256

a4e2f937be55cef890bf7cbd1e658d63d85ee63ea3bf7bbef66fcbe04b55affe
SHA512

0f5a1c9ab3640772d5a9e60489376f30be5d2705020770702768ef65e112d45af455fcdcc2f9539114f6eb6a7dc0bd4fcd988a2ff8a7b3233b57c5ae367a312e
SSDEEP

196608:fSlhq9kKXlH6ub1TZi5pTemYWRBVZLdSkN:6i51HZ1QxemXRBVZL

Score

9^/10

bootkit evasion persistence upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

zipsw.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ zipsw.exe
ACProtect 1.3x - 1.4x DLL software 1 IoCs
Detects file using ACProtect software.

Processes:

resource yara_rule

\Users\Admin\AppData\Local\Temp\QM\nb.dll acprotect
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.

Query Registry
T1012

System Information Discovery
T1082

Processes:

zipsw.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion zipsw.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion zipsw.exe
Executes dropped EXE 1 IoCs

Processes:

zipsw.exe

pid process

2628 zipsw.exe
Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

zipsw.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine zipsw.exe
Loads dropped DLL 8 IoCs

Processes:

a4e2f937be55cef890bf7cbd1e658d63d85ee63ea3bf7bbef66fcbe04b55affe.exezipsw.exe

pid process

1884 a4e2f937be55cef890bf7cbd1e658d63d85ee63ea3bf7bbef66fcbe04b55affe.exe
2628 zipsw.exe
2628 zipsw.exe
2628 zipsw.exe
2628 zipsw.exe
2628 zipsw.exe
2628 zipsw.exe
2628 zipsw.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	zipsw.exe

resource	yara_rule
\Users\Admin\AppData\Local\Temp\QM\nb.dll	acprotect

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	zipsw.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	zipsw.exe

pid	process
2628	zipsw.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Wine	zipsw.exe

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\QM\nb.dll	upx
behavioral1/memory/2628-290-0x0000000008880000-0x0000000008DAE000-memory.dmp	upx
behavioral1/memory/2628-295-0x0000000008880000-0x0000000008DAE000-memory.dmp	upx
behavioral1/memory/2628-300-0x0000000008880000-0x0000000008DAE000-memory.dmp	upx
behavioral1/memory/2628-303-0x0000000008880000-0x0000000008DAE000-memory.dmp	upx
behavioral1/memory/2628-305-0x0000000008880000-0x0000000008DAE000-memory.dmp	upx
behavioral1/memory/2628-309-0x0000000008880000-0x0000000008DAE000-memory.dmp	upx
behavioral1/memory/2628-311-0x0000000008880000-0x0000000008DAE000-memory.dmp	upx
behavioral1/memory/2628-313-0x0000000008880000-0x0000000008DAE000-memory.dmp	upx
behavioral1/memory/2628-315-0x0000000008880000-0x0000000008DAE000-memory.dmp	upx
behavioral1/memory/2628-317-0x0000000008880000-0x0000000008DAE000-memory.dmp	upx
behavioral1/memory/2628-323-0x0000000008880000-0x0000000008DAE000-memory.dmp	upx

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

zipsw.exe

description ioc process

File opened for modification \??\PhysicalDrive0 zipsw.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	\??\PhysicalDrive0	zipsw.exe

Modifies registry class 64 IoCs

Processes:

zipsw.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32\ThreadingModel = "Apartment"	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C0C1B93-B3B8-9C30-3C27-2A9C8ADDDA3E}\TypeLib\ = "{F5113012-EE31-BFC7-07C9-7DB8FDD67613}"	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\ProgID\ = "MyMacro.MyGUIMacroControlServer"	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\ = "QMDispatch.QMLibrary"	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C0C1B93-B3B8-9C30-3C27-2A9C8ADDDA3E}\ = "Ilyrsjy"	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C0C1B93-B3B8-9C30-3C27-2A9C8ADDDA3E}	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C6084D32-27EE-D533-A395-FC0E634F0587}\ProgID	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5113012-EE31-BFC7-07C9-7DB8FDD67613}\1.0\0	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lyr.lyrsjy\ = "lyr.lyrsjy"	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C0C1B93-B3B8-9C30-3C27-2A9C8ADDDA3E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C0C1B93-B3B8-9C30-3C27-2A9C8ADDDA3E}\TypeLib\Version = "1.0"	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\InprocHandler32	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.RegDll	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InProcServer32	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMLibrary\CLSID\ = "{EBEB87A6-E151-4054-AB45-A6E094C5334B}"	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyMacro.MyGUIMacroControlServer	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.Sys\ = "QMPlugin.Sys"	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C6084D32-27EE-D533-A395-FC0E634F0587}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\QM\\nb.dll"	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5113012-EE31-BFC7-07C9-7DB8FDD67613}\1.0\FLAGS\ = "0"	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zipsw.exe"	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33414471-126E-4FC8-B430-1C6143484AA9}\ProgID	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5113012-EE31-BFC7-07C9-7DB8FDD67613}\1.0\HELPDIR\	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyMacro.MyGUIMacroControlServer\ = "MyMacro.MyGUIMacroControlServer"	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MyMacro.MyGUIMacroControlServer\CLSID\ = "{DACDED71-1201-4F76-9C30-BDA795A55678}"	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.Sys\CLSID\ = "{33414471-126E-4FC8-B430-1C6143484AA9}"	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33414471-126E-4FC8-B430-1C6143484AA9}\InProcServer32	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C6084D32-27EE-D533-A395-FC0E634F0587}\ = "lyr.lyrsjy"	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ProgID	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\InprocServer32	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33414471-126E-4FC8-B430-1C6143484AA9}\ = "QMPlugin.Sys"	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lyr.lyrsjy\CLSID	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C0C1B93-B3B8-9C30-3C27-2A9C8ADDDA3E}\TypeLib\Version = "1.0"	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.Sys\CLSID	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lyr.lyrsjy\CLSID\ = "{C6084D32-27EE-D533-A395-FC0E634F0587}"	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5113012-EE31-BFC7-07C9-7DB8FDD67613}	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C0C1B93-B3B8-9C30-3C27-2A9C8ADDDA3E}\ProxyStubClsid32	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{EBEB87A6-E151-4054-AB45-A6E094C5334B}\ = "QMDispatch.QMLibrary"	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MyMacro.MyGUIMacroControlServer\CLSID	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34531331-126E-4FC8-B430-1C6143484AA9}\InprocServer32	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C0C1B93-B3B8-9C30-3C27-2A9C8ADDDA3E}\TypeLib	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3C0C1B93-B3B8-9C30-3C27-2A9C8ADDDA3E}\TypeLib\ = "{F5113012-EE31-BFC7-07C9-7DB8FDD67613}"	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3C0C1B93-B3B8-9C30-3C27-2A9C8ADDDA3E}\ = "Ilyrsjy"	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{241D7F03-9232-4024-8373-149860BE27C0}\InprocServer32	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\ = "MyMacro.MyGUIMacroControlServer"	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{34531331-126E-4FC8-B430-1C6143484AA9}\ProgID\ = "QMPlugin.RegDll"	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\ = "QMDispatch.QMRoutine"	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\ = "QMDispatch.QMRoutine"	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5113012-EE31-BFC7-07C9-7DB8FDD67613}\1.0\0\win32	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.Sys	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lyr.lyrsjy	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F5113012-EE31-BFC7-07C9-7DB8FDD67613}\1.0	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMRoutine\CLSID\ = "{C07DB6A3-34FC-4084-BE2E-76BB9203B049}"	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}\InprocServer32	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{DACDED71-1201-4F76-9C30-BDA795A55678}\InprocHandler32\ = "ole32.dll"	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{33414471-126E-4FC8-B430-1C6143484AA9}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\plugin\\SYS.dll"	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\QMPlugin.RegDll\CLSID	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lyr.lyrsjy\CurVer	zipsw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{C07DB6A3-34FC-4084-BE2E-76BB9203B049}	zipsw.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\QMDispatch.QMVBSRoutine\ = "QMDispatch.QMVBSRoutine"	zipsw.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

zipsw.exe

description pid process

Token: SeDebugPrivilege 2628 zipsw.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

zipsw.exe

pid process

2628 zipsw.exe
2628 zipsw.exe
2628 zipsw.exe
2628 zipsw.exe
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

zipsw.exe

pid process

2628 zipsw.exe
2628 zipsw.exe
2628 zipsw.exe
2628 zipsw.exe

description	pid	process
Token: SeDebugPrivilege	2628	zipsw.exe

pid	process
2628	zipsw.exe
2628	zipsw.exe
2628	zipsw.exe
2628	zipsw.exe

pid	process
2628	zipsw.exe
2628	zipsw.exe
2628	zipsw.exe
2628	zipsw.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

a4e2f937be55cef890bf7cbd1e658d63d85ee63ea3bf7bbef66fcbe04b55affe.exezipsw.exe

pid	process
1884	a4e2f937be55cef890bf7cbd1e658d63d85ee63ea3bf7bbef66fcbe04b55affe.exe
1884	a4e2f937be55cef890bf7cbd1e658d63d85ee63ea3bf7bbef66fcbe04b55affe.exe
2628	zipsw.exe
2628	zipsw.exe
2628	zipsw.exe
2628	zipsw.exe
2628	zipsw.exe
2628	zipsw.exe
2628	zipsw.exe
2628	zipsw.exe
2628	zipsw.exe
2628	zipsw.exe
2628	zipsw.exe
2628	zipsw.exe
2628	zipsw.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

a4e2f937be55cef890bf7cbd1e658d63d85ee63ea3bf7bbef66fcbe04b55affe.exezipsw.exe

description	pid	process	target process
PID 1884 wrote to memory of 2628	1884	a4e2f937be55cef890bf7cbd1e658d63d85ee63ea3bf7bbef66fcbe04b55affe.exe	zipsw.exe
PID 1884 wrote to memory of 2628	1884	a4e2f937be55cef890bf7cbd1e658d63d85ee63ea3bf7bbef66fcbe04b55affe.exe	zipsw.exe
PID 1884 wrote to memory of 2628	1884	a4e2f937be55cef890bf7cbd1e658d63d85ee63ea3bf7bbef66fcbe04b55affe.exe	zipsw.exe
PID 1884 wrote to memory of 2628	1884	a4e2f937be55cef890bf7cbd1e658d63d85ee63ea3bf7bbef66fcbe04b55affe.exe	zipsw.exe
PID 2628 wrote to memory of 2800	2628	zipsw.exe	regsvr32.exe
PID 2628 wrote to memory of 2800	2628	zipsw.exe	regsvr32.exe
PID 2628 wrote to memory of 2800	2628	zipsw.exe	regsvr32.exe
PID 2628 wrote to memory of 2800	2628	zipsw.exe	regsvr32.exe
PID 2628 wrote to memory of 2800	2628	zipsw.exe	regsvr32.exe
PID 2628 wrote to memory of 2800	2628	zipsw.exe	regsvr32.exe
PID 2628 wrote to memory of 2800	2628	zipsw.exe	regsvr32.exe

C:\Users\Admin\AppData\Local\Temp\a4e2f937be55cef890bf7cbd1e658d63d85ee63ea3bf7bbef66fcbe04b55affe.exe
"C:\Users\Admin\AppData\Local\Temp\a4e2f937be55cef890bf7cbd1e658d63d85ee63ea3bf7bbef66fcbe04b55affe.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1884

C:\Users\Admin\AppData\Local\Temp\zipsw.exe
C:\Users\Admin\AppData\Local\Temp\zipsw.exe
2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Identifies Wine through registry keys
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2628

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\System32\regsvr32.exe" atl.dll /s
3⤵
PID:2800

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1B4E.tmp
Filesize
417B

MD5
d4dc8f619ac37fb183cb25c0b26a9b0d

SHA1
abb1b89e82c2d88eb0b0f5d3cc63d425d7fc1003

SHA256
ccaad2629f1bb7d4eb3a409feb3598c893bee800cd9c1bf6f8ef914454c195a7

SHA512
0a6e00ab14e2870dc76659c11a30e1fdab61c85bfae6cab609e89bca9c74d13d16f118b8730e0cea5bc39fec8df58e21d9939312e46c81f0069810a0a52a8c2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\477204F.tmp
Filesize
5.7MB

MD5
517210a7d447f164e71fad26c5d6e58b

SHA1
244d44f8eb931f23e5448a9d4d4fe128553e0103

SHA256
4967770600dd2d1a41bbf018570dd5114263bd3de5473c5b0b8754544a75cc14

SHA512
72fbf1bd211c7492b4aab19a8757e8f3d081c6acc2d1b8d844af832dd3ed4736643a15ed270ae946029f1c3e47c04c9b5124fe01a894a58cb1fc9cb751ded176

Download Submit
C:\Users\Admin\AppData\Local\Temp\plugin\ND.DLL
Filesize
24KB

MD5
e29d9a912204844df5306ca3935b1f1c

SHA1
19ba6440827ad2ac515aeb6c8700fbb4c896e61c

SHA256
3453bb9b4550dd5a51a64c3d2d25f1b49744b05ac740c57f2dd9f89084811318

SHA512
9229d5c845eeb36cd293e8d998aca63ed14f41b43d7d11da8682ede4d24853eff19bf0801b8ab055d50c849be7cbf94b890a672d90b55eec5019cebf98925a3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\plugin\SYS.ini
Filesize
1KB

MD5
09c6b26d1e0ff380321f586473d81098

SHA1
261ba0c9c3ddf3c9e8715ead3628212d2859bcba

SHA256
bc8eaa229e13a93be3bef498443182eb5d97551fbc5fcb1208d014b56161588f

SHA512
7700e2ab0c38f7b1a3190843f603b572f7952e4a3567855fbaf2f1085f7e5b4fcdaa97e9195a43299594a5c3b31d15232cb66d9c59a4231cc83487663ded832c

Download Submit
\Users\Admin\AppData\Local\Temp\QM\nb.dll
Filesize
4.1MB

MD5
2c685c5e7e1aaf03845d273ab5adeb6c

SHA1
dae12ddf186d6e8b49a57b49c5a215ad67ec3462

SHA256
3143d166f4f7001169ba8d79972e1b8703258e0273252b37671dc433855e2b1d

SHA512
dad75b1cd531b7068980d73ae896de39fb5be891979fc58bfbe4d127edb6b40ef7c937ecba18f87db5837571ddeaa901ea55781ed03e623b083a526620a8bf6a

Download Submit
\Users\Admin\AppData\Local\Temp\cfgdll.dll
Filesize
59KB

MD5
3f9711ab8cfa0cbbeaeceba7904c8700

SHA1
94085220d65eb8c572fb394ab0d19815dcf80680

SHA256
517df7f719bcc34ea934868e46c77932768ee77abccc3bccac62bf9bfeed0af5

SHA512
e595acdc6b857a6180f88ddb0bd8c50f66bd1768d129e996dcd8934e9462150d041dc79addd2251b933e1a63ccccf03070ecce8ed485ea35622af1c18c60fcc5

Download Submit
\Users\Admin\AppData\Local\Temp\plugin\SYS.DLL
Filesize
32KB

MD5
18c393dfa1c0f3d2da0f4acdec5d7639

SHA1
84f666216085f177bccb8fa94900ba625f7552bc

SHA256
3c3599cf74407476a92ce4ee66ed3ce00d0b3ea5326f796c191e6ed0a9a87b3a

SHA512
ba61370b69b239754ff8f4e07f456755422667340c9a27bf2ace272b0e90a0818da595b973e90cd9ca4fc502028caef078e16bc7c87b2a6a8fa465141f54b3b4

Download Submit
\Users\Admin\AppData\Local\Temp\zipsw.exe
Filesize
12.0MB

MD5
4bd88fcc39a751c876c18a276e5b4082

SHA1
843c373ddc57bb0fc3e8eecb01fa1bdc8281d4f7

SHA256
80fa5cfef30a9bab2184c003979e84ad6f5d7cd8b3ec0b3f0637545442136b77

SHA512
d99576a0fb7ff03ddd34035320998a6a9cd98f4166d40343cb2e17c7484651dd1d02986ad0caf571a32113541c57520812b718b3cbe2439fa53190a706a89678

Download Submit
\Users\Admin\AppData\Roaming\mymacro\qdisp.dll
Filesize
43KB

MD5
7171bc500507f070355c8903e0ea6d3d

SHA1
073d479fdbd1f2af5d494e90b950098be63dee75

SHA256
3e02f67604dcc1f9e2f107e3dc04f9dcdc59431b2a9323838b61c427c63b997c

SHA512
a8162de29e73f7a198ab7b592c393c8b39e42d5f6649efeca300a90dd7c70178fca1cfcd1f721588dcff296d5245f9ebfa289c6525c7e8621c8eef3e77787622

Download Submit
memory/1884-6-0x0000000002D60000-0x00000000032F4000-memory.dmp

Filesize
5.6MB

Download
memory/2628-303-0x0000000008880000-0x0000000008DAE000-memory.dmp

Filesize
5.2MB

Download
memory/2628-309-0x0000000008880000-0x0000000008DAE000-memory.dmp

Filesize
5.2MB

Download
memory/2628-10-0x0000000000401000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/2628-290-0x0000000008880000-0x0000000008DAE000-memory.dmp

Filesize
5.2MB

Download
memory/2628-295-0x0000000008880000-0x0000000008DAE000-memory.dmp

Filesize
5.2MB

Download
memory/2628-298-0x0000000008F10000-0x0000000008F1A000-memory.dmp

Filesize
40KB

Download
memory/2628-297-0x0000000008F10000-0x0000000008F1A000-memory.dmp

Filesize
40KB

Download
memory/2628-299-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/2628-300-0x0000000008880000-0x0000000008DAE000-memory.dmp

Filesize
5.2MB

Download
memory/2628-301-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/2628-302-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/2628-304-0x0000000000401000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/2628-7-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/2628-305-0x0000000008880000-0x0000000008DAE000-memory.dmp

Filesize
5.2MB

Download
memory/2628-307-0x0000000008F10000-0x0000000008F1A000-memory.dmp

Filesize
40KB

Download
memory/2628-306-0x0000000008F10000-0x0000000008F1A000-memory.dmp

Filesize
40KB

Download
memory/2628-308-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/2628-46-0x00000000041B0000-0x00000000041BF000-memory.dmp

Filesize
60KB

Download
memory/2628-310-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/2628-311-0x0000000008880000-0x0000000008DAE000-memory.dmp

Filesize
5.2MB

Download
memory/2628-312-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/2628-313-0x0000000008880000-0x0000000008DAE000-memory.dmp

Filesize
5.2MB

Download
memory/2628-314-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/2628-315-0x0000000008880000-0x0000000008DAE000-memory.dmp

Filesize
5.2MB

Download
memory/2628-316-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/2628-317-0x0000000008880000-0x0000000008DAE000-memory.dmp

Filesize
5.2MB

Download
memory/2628-318-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/2628-320-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/2628-322-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/2628-323-0x0000000008880000-0x0000000008DAE000-memory.dmp

Filesize
5.2MB

Download
memory/2628-324-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/2628-326-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/2628-328-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download
memory/2628-330-0x0000000000400000-0x0000000000994000-memory.dmp

Filesize
5.6MB

Download