banload | 7f0005d39580ba537d4f9581b47c28adf132a6586d62881a62cd56fa1b24ab27

Analysis

max time kernel
304s
max time network
273s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-07-2024 09:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RPGXP_E.exe
Size

27.2MB
MD5

4db4691a4f71af97b109b11ee2c70ec9
SHA1

ba5eaa22936505df35a10319dbce60ed6e873383
SHA256

7f0005d39580ba537d4f9581b47c28adf132a6586d62881a62cd56fa1b24ab27
SHA512

2688575f993dd7c2b0bff1634465149103412032bc882d09ccd492033ec94b27c84e4a1655118264728fea358969504ff748a8e6fe73dd313789f2a2d142f15a
SSDEEP

786432:F6HKbIBBYy9IMhfpNIubCq9iS2wvX1RA6rxiShm0RML1P:+iI3/9IM6uejAX1RUShT

Score

10^/10

banload discovery downloader dropper trojan

Malware Config

Signatures

Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Checks BIOS information in registry 2 TTPs 8 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

RPGXP.exeRPGXP.exeRPGXP.exeRPGXP.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	RPGXP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RPGXP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	RPGXP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RPGXP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	RPGXP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RPGXP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	RPGXP.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RPGXP.exe

Executes dropped EXE 6 IoCs

Processes:

RPGXP_E.tmpxp_rtp104e.exeRPGXP.exeRPGXP.exeRPGXP.exeRPGXP.exe

pid process

4648 RPGXP_E.tmp
1172 xp_rtp104e.exe
1800 RPGXP.exe
3404 RPGXP.exe
4516 RPGXP.exe
2276 RPGXP.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Drops desktop.ini file(s) 1 IoCs

Processes:

svchost.exe

description ioc process

File opened for modification C:\Users\Admin\Videos\Captures\desktop.ini svchost.exe

pid	process
4648	RPGXP_E.tmp
1172	xp_rtp104e.exe
1800	RPGXP.exe
3404	RPGXP.exe
4516	RPGXP.exe
2276	RPGXP.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Videos\Captures\desktop.ini	svchost.exe

Drops file in System32 directory 6 IoCs

Processes:

xp_rtp104e.tmp

description	ioc	process
File created	C:\Windows\SysWOW64\is-OEAOM.tmp	xp_rtp104e.tmp
File created	C:\Windows\SysWOW64\is-A5JBQ.tmp	xp_rtp104e.tmp
File created	C:\Windows\SysWOW64\is-PI8LM.tmp	xp_rtp104e.tmp
File created	C:\Windows\SysWOW64\is-GTEQC.tmp	xp_rtp104e.tmp
File created	C:\Windows\SysWOW64\is-SBVI0.tmp	xp_rtp104e.tmp
File created	C:\Windows\SysWOW64\is-TDL9G.tmp	xp_rtp104e.tmp

Drops file in Program Files directory 64 IoCs

Processes:

xp_rtp104e.tmpRPGXP_E.tmp

description	ioc	process
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Autotiles\is-9FGD4.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Characters\is-NFP9T.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Icons\is-PU4TL.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-8IRIR.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Characters\is-HVT95.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Tilesets\is-G61UF.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-DSSG1.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Autotiles\is-AF09S.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\BGS\is-MTFA0.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-EQC47.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlers\is-HFGQ2.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlers\is-NVJK4.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlers\is-94A1P.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\BGM\is-UQ3AS.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\ME\is-P6RD1.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlers\is-KQF06.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Characters\is-NMSI8.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\Data\is-U1MNB.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-EATJ5.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Autotiles\is-9P7P8.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlebacks\is-I1MDI.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-QF6G0.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Autotiles\is-OGCGC.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlers\is-GJPEB.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Fogs\is-LI939.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\BGM\is-UDBLI.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\BGS\is-6SN8O.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-MMQSP.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-D83VG.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Animations\is-0MBSQ.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Icons\is-L6TNV.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-H6VLR.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-HHSDO.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-2AV8N.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-16RRV.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-BKVS2.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Autotiles\is-A8LEN.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Autotiles\is-P5GA6.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Icons\is-EST4P.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\System\Data\is-CBR3H.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\BGM\is-UP1TA.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Characters\is-ER5AV.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-ISL93.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Characters\is-848HV.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Icons\is-9DQ4H.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlers\is-7J6BN.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Characters\is-00LN2.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Icons\is-EH531.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\drm\is-NJFVN.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\BGM\is-UVO62.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-UF9LV.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlebacks\is-97K57.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlers\is-N5C56.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Autotiles\is-FPTRC.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlebacks\is-IEG5Q.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Icons\is-2B4C7.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-AP4TT.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlebacks\is-FIDL7.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Enterbrain\RPGXP\drm\is-2JOHC.tmp	RPGXP_E.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-6EVL1.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Audio\SE\is-E1IQ1.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Characters\is-4CHU3.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Autotiles\is-DU014.tmp	xp_rtp104e.tmp
File created	C:\Program Files (x86)\Common Files\Enterbrain\RGSS\Standard\Graphics\Battlers\is-MAVL7.tmp	xp_rtp104e.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exesvchost.exesvchost.exesvchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

Processes:

RPGXP.exeRPGXP.exeRPGXP.exeRPGXP.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	RPGXP.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\IESettingSync	RPGXP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	RPGXP.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\IESettingSync	RPGXP.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	RPGXP.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	RPGXP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	RPGXP.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	RPGXP.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	RPGXP.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\IESettingSync	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	RPGXP.exe
Key created	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Software\Microsoft\Internet Explorer\IESettingSync	RPGXP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	RPGXP.exe

Modifies registry class 64 IoCs

Processes:

RPGXP_E.tmpRPGXP.exeRPGXP.exeRPGXP.exesvchost.exeRPGXP.exesvchost.exesvchost.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Archive	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Archive\shell\open\command	RPGXP_E.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\gpfjrrubfdjsU = "jC^@bqt~ZZXtSw@~aXN"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\sguRzrzhZ = "pJGa]VgYTOVLQNHR"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\gpfjrrubfdjsU = "dc[sFmYVmTFAmDyFZAM"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\sguRzrzhZ = "pJGa]VgYTOVLQNHR"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\kFdnafHvPsdw = "T_@\\\\]lVy{QJTCwNYjAXS}"	RPGXP.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{7014859A-7A98-46C6-9933-F75015D4D79F}	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\kFdnafHvPsdw = "T_@\\\\]lVy{QJTCwNYjAXS}"	RPGXP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Data\DefaultIcon	RPGXP_E.tmp
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\cjuxzqZou = "a]XSE}WRbgjiooqS]pqlmM"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\fghevuiMuobp = "ygpHzcUSxdfhDrEttKZYJI["	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\sguRzrzhZ = "\\xfd^tAdOKn^rKKS"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\Xyriodul = "^rd]kWX\x7fvgNchy_^MCCmlZNXaY~"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\sguRzrzhZ = "\\xfd^tAdOKn^rKKS"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Data\shell\open\command\ = "\"C:\\Program Files (x86)\\Enterbrain\\RPGXP\\RPGXP.exe\" /n \"%1\""	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Archive\DefaultIcon	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\kFdnafHvPsdw = "TQ~QyFKnJlr\|XEMpIz@XBv"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\fghevuiMuobp = "R`rVWr\x7fFRz[M{an}jXAGymu"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\fcib = "xr]mn`j{WhH[IPQC\\UPSsf\|cN\x7fWn"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rgssad\ = "RPGXP.Archive"	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\cjuxzqZou = "`InIfkCNJOpCk_VBAytEUH"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\cjuxzqZou = "a]XSE}WRbgjiooqS]pqlmM"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Data\DefaultIcon\ = "\"C:\\Program Files (x86)\\Enterbrain\\RPGXP\\RPGXP.exe\",2"	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Archive\shell	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Archive\shell\open	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}	RPGXP.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{DADFABEC-09A2-4193-A5CF-96EAD277567F}	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\RoluPZTmyS = "QdvGottKH\\BmULIDZjMnc@d"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\RoluPZTmyS = "{sFCW~BOtRRcDMpa~PfWYra"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\gpfjrrubfdjsU = "jC^@bqt~ZZXtSw@~aXN"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rxproj\ = "RPGXP.Project"	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Data	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Data\ = "RPGXP Data"	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Data\shell\open	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\ = "AboveLockApplicationFrameworkProxy"	RPGXP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\InProcServer32	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\fcib = "tLV\\cEz^UbUhXFlcdah]XaYaqToE"	RPGXP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Project	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Project\DefaultIcon	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Data\shell	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\fghevuiMuobp = "R`rVWr\x7fFRz[M{an}jXAGymu"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\cjuxzqZou = "a]XSE}WRbgjiooqS]pqlmM"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\XnpsbdqC = "`mt"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\cjuxzqZou = "`InIfkCNJOpCk_VBAytEUH"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\fcib = "tLV\\cEz^UbUhXFlcdah]XaYaqToE"	RPGXP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rxproj	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Archive\DefaultIcon\ = "\"C:\\Program Files (x86)\\Enterbrain\\RPGXP\\RPGXP.exe\",3"	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rxdata	RPGXP_E.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\RoluPZTmyS = "{sFCW~BOtRRcDMpa~PfWYra"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\RoluPZTmyS = "{sFCW~BOtRRcDMpa~PfWYra"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\XnpsbdqC = "]Dx"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\fghevuiMuobp = "ygpHzcUSxdfhDrEttKZYJI["	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\RPGXP.Archive\shell\open\command\ = "\"C:\\Program Files (x86)\\Enterbrain\\RPGXP\\RPGXP.exe\" /n \"%1\""	RPGXP_E.tmp
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1181767204-2009306918-3718769404-1000\{40E72A0A-F118-4DFB-A54B-B252A6164C39}	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\Xyriodul = "i^wVzifV}tgokdsaGadBzv`nRe]"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\XnpsbdqC = "EGL"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\fcib = "tLV\\cEz^UbUhXFlcdah]XaYaqToE"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\gpfjrrubfdjsU = "jC^@bqt~ZZXtSw@~aXN"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\XnpsbdqC = "UOp"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\RoluPZTmyS = "QdvGottKH\\BmULIDZjMnc@d"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\gpfjrrubfdjsU = "dc[sFmYVmTFAmDyFZAM"	RPGXP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{33CC1979-AF01-1C1F-8930-A34DE15A1DA7}\fcib = "xr]mn`j{WhH[IPQC\\UPSsf\|cN\x7fWn"	RPGXP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\{3B3938F7-03CE-13D1-B2E4-0060975B8649}\kFdnafHvPsdw = "T_@\\\\]lVy{QJTCwNYjAXS}"	RPGXP.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

RPGXP_E.tmp

pid process

4648 RPGXP_E.tmp
4648 RPGXP_E.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

RPGXP_E.tmp

pid process

4648 RPGXP_E.tmp
Suspicious use of SetWindowsHookEx 12 IoCs

Processes:

RPGXP.exeOpenWith.exeRPGXP.exeOpenWith.exeRPGXP.exeOpenWith.exeRPGXP.exeOpenWith.exe

pid process

1800 RPGXP.exe
1800 RPGXP.exe
1532 OpenWith.exe
3404 RPGXP.exe
3404 RPGXP.exe
3008 OpenWith.exe
4516 RPGXP.exe
4516 RPGXP.exe
3728 OpenWith.exe
2276 RPGXP.exe
2276 RPGXP.exe
4852 OpenWith.exe

pid	process
4648	RPGXP_E.tmp
4648	RPGXP_E.tmp

pid	process
4648	RPGXP_E.tmp

pid	process
1800	RPGXP.exe
1800	RPGXP.exe
1532	OpenWith.exe
3404	RPGXP.exe
3404	RPGXP.exe
3008	OpenWith.exe
4516	RPGXP.exe
4516	RPGXP.exe
3728	OpenWith.exe
2276	RPGXP.exe
2276	RPGXP.exe
4852	OpenWith.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

RPGXP_E.exeRPGXP_E.tmp

description	pid	process	target process
PID 512 wrote to memory of 4648	512	RPGXP_E.exe	RPGXP_E.tmp
PID 512 wrote to memory of 4648	512	RPGXP_E.exe	RPGXP_E.tmp
PID 512 wrote to memory of 4648	512	RPGXP_E.exe	RPGXP_E.tmp
PID 4648 wrote to memory of 1172	4648	RPGXP_E.tmp	xp_rtp104e.exe
PID 4648 wrote to memory of 1172	4648	RPGXP_E.tmp	xp_rtp104e.exe
PID 4648 wrote to memory of 1172	4648	RPGXP_E.tmp	xp_rtp104e.exe

C:\Users\Admin\AppData\Local\Temp\RPGXP_E.exe
"C:\Users\Admin\AppData\Local\Temp\RPGXP_E.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:512

C:\Users\Admin\AppData\Local\Temp\is-M4FS9.tmp\RPGXP_E.tmp
"C:\Users\Admin\AppData\Local\Temp\is-M4FS9.tmp\RPGXP_E.tmp" /SL5="$301F4,28152842,118784,C:\Users\Admin\AppData\Local\Temp\RPGXP_E.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4648

C:\Users\Admin\AppData\Local\Temp\is-E16HC.tmp\xp_rtp104e.exe
"C:\Users\Admin\AppData\Local\Temp\is-E16HC.tmp\xp_rtp104e.exe"
3⤵
- Executes dropped EXE
PID:1172

C:\Users\Admin\AppData\Local\Temp\is-G4RVC.tmp\xp_rtp104e.tmp
"C:\Users\Admin\AppData\Local\Temp\is-G4RVC.tmp\xp_rtp104e.tmp" /SL5="$100068,22729139,53248,C:\Users\Admin\AppData\Local\Temp\is-E16HC.tmp\xp_rtp104e.exe"
4⤵
- Drops file in System32 directory
- Drops file in Program Files directory
PID:1488

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4196,i,1999448010053300448,1112699187621658374,262144 --variations-seed-version --mojo-platform-channel-handle=4624 /prefetch:8
1⤵
PID:2560

C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe
"C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:3260

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:1532

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
PID:5060

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\f4c9625f0cdf46e2b29647ca993a27ec /t 2160 /p 1800
1⤵
PID:972

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:4916

C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe
"C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3404

C:\Windows\System32\GameBarPresenceWriter.exe
"C:\Windows\System32\GameBarPresenceWriter.exe" -ServerName:Windows.Gaming.GameBar.Internal.PresenceWriterServer
1⤵
PID:60

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3008

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
- Modifies registry class
PID:4892

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\ee0255f00e7f4f5ea222d778a2a2056f /t 464 /p 3404
1⤵
PID:3900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
- Checks processor information in registry
PID:1700

C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe
"C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4516

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3728

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3480

C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe
"C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe"
1⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2276

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService
1⤵
PID:4944

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Enterbrain\RPGXP\RPGXP.exe
Filesize
3.2MB

MD5
6f6ccdccf5bd0946a2b55a014329bdac

SHA1
48bbe60410e70a991d7ffea90e3e1279ee456c78

SHA256
ecb1f0805161e359adedb28b2fa7f8c4d8586d6d5d69a37dd05757618f9e551f

SHA512
092d982773dd62e4d6f3a60c83d7e0f7c8ab07afaca3ecfdf960014452e78d4f6437008e8b110993b8e6a798110a736b9be0189f932c348d5b74b23c6cd7b7e1

Download Submit
C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-activate.png
Filesize
8KB

MD5
592adc03e205672e8a4f790f685c658f

SHA1
70e40b322ad187e9860d3619edac25d30624d17f

SHA256
aabb33a465c18dcba522190d57100cf3e07107651084275645785625f3f4ff7e

SHA512
c21e1eaee0ced3e57e518bc72c87b9cfa615d84d44081e868dcaa4f5fcb95273028a1ebb7854d7feab098973e066a607d586b537b5ad2ac2a04f88e7048ec03e

Download Submit
C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-background.png
Filesize
644KB

MD5
2ecb353c8974f1020d1425dfb8d4f591

SHA1
64b4196b78b4cdba32d8a5f14391861973dbe676

SHA256
614ffaa33a9bf1453dbac9033c941aea534cf12fe89f568344d94217497ac674

SHA512
0b079efff3c97d059eeed87df6433fc3929f18542d700bbee5c4f32ba5e2e216c68cc8403c2d9224cae2cc92550c7e668b1152586db6b8579f4ddaa8fbbbb9df

Download Submit
C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-buy-now.png
Filesize
9KB

MD5
ffffdaaf9f1c7c47a4761df64f4ee56b

SHA1
6a3fd89cf56f9341bd872fad778af56f39a418f2

SHA256
c4c87ffce5df52d6acf28a94aa5414fd7305d44825394fe4cb809ca20e6bcf54

SHA512
b19ddd75a6a6d1dc44e70c30a01c7474bed5eab02d366786ef063be756a4993896038f0a368a00b5e383d639005ecf1f2e0f1d4223133b0b40340f8d777d0c2d

Download Submit
C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-continue.png
Filesize
10KB

MD5
ff708a85d46bc03f24dbf1e5119aadab

SHA1
39882cb9b2c82f8d1fbcefe1e0b0b41acbff5205

SHA256
dba7d3497b93f4752169ea3b19ee9a2727aed3dc0f58f722908d77e315851497

SHA512
f1869c1f5f46d8d906cbe142aa4f1b08e21ce388265e80622dbc099ecdc1987709a20546f8b33018cfc4806d8c4eda3e1b4ee1f362a77802bc0eb592e30c3fd4

Download Submit
C:\Program Files (x86)\Enterbrain\RPGXP\drm\drm-key-box.png
Filesize
4KB

MD5
7f1b95225ec76ae446a9f149bd6124f5

SHA1
0c0e5c159facd1a075e1b50b013123fab5ad6706

SHA256
a90e6a055e9b38788ca782a0641a247b58e857bdd91364ac6248d67497b1c817

SHA512
d914061975c0f1debfabe59a0bca8db00a5ac4af96d3f530cbf0cdd02e6e848bc0cff17cddd9436b7d0159671b3e791770b665fafabba89a642304b2b1cd5965

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B3938F7.TMP
Filesize
136B

MD5
a07fc8d93e284c277e85d244de843b85

SHA1
6e88a8e69f95048251f49aa58c661959ebedf7af

SHA256
2e0e3be0f10aff26efcb760cab630fecf8a42a39893d21b1a384ac8c4e80e775

SHA512
bec9d6e1e5406a6c6047a4c9b11dd4350c799298f4e5749fcfe67da4d22bab071ae8781444d2c150d2b0567c1449f3e451ea3301b5df2ff3e8e2d64fbcf2eafe

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B3938F7.TMP
Filesize
136B

MD5
4f554ae411dd5f2e0fd576d57f5203a0

SHA1
b3f1e1cdbd265532c60036993b5146094accabe4

SHA256
25886efd10b8b7262aee633d8204153a83585ea64d5082f97ba2c85df7e043e8

SHA512
d790209b0cefc0457c93006253a9016f0b3e35df1a8c4d741c073d6a8657639b27454cf7c02683f0398938b1d8e72e1fd9df722387e8af53f7bd3c197e57035b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HTM856D.tmp
Filesize
3KB

MD5
7741ca655eae3de3edd79b3ff5c09091

SHA1
e51c78456b97069163d2151bb05b47be9d9063cc

SHA256
88e77e4d914a55963121af6ebdeb47adac43ffd5997beb0cfeb20047bb9f6cfc

SHA512
8bc9e1e0432942d97d3cb301c5138bf10107ca91d9a613747a645af9a22525ca1d135d64984d7cd4ff7764894cc7b9929dc86ddf4e43ce53156ddf02f23cfabb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-E16HC.tmp\xp_rtp104e.exe
Filesize
21.9MB

MD5
611881d2a5b8825df189616e7a2760f3

SHA1
2a907a5371d27dbf80cd9efc399fff76109a3968

SHA256
b3bd20ad7f413b40ac233aafd2e061de1dc429c2eadb59d0b3157ba3c47f16b2

SHA512
d79d8f57f8219574723239c0091068db64d2304e6b7495187247397491371e8761e711d027cab36bd08cbf86a1bf805dfbfeaff910f6b49458ff9c0c5872af23

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-M4FS9.tmp\RPGXP_E.tmp
Filesize
1.1MB

MD5
63b15124be653dbe589c7981da9d397c

SHA1
af8874bdf2ad726f5420e8132c10becc2bbcd93c

SHA256
61674b90891ca099d5fee62bf063a948a80863530ab6a31e7f9e06f0e5bc7599

SHA512
339b284b5dd7386dcfa86c8fdcf239a0e97cc168229ea9a66fc0c6b26771401fa7f27c2c6a435a836a43ea9c7e634a3e47ec77e0d27985794bbb4416dfc97ac8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-SROAJ.tmp\_isetup\_shfoldr.dll
Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\Videos\Captures\desktop.ini
Filesize
190B

MD5
b0d27eaec71f1cd73b015f5ceeb15f9d

SHA1
62264f8b5c2f5034a1e4143df6e8c787165fbc2f

SHA256
86d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2

SHA512
7b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c

Download Submit
memory/512-0-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/512-2-0x0000000000401000-0x0000000000412000-memory.dmp

Filesize
68KB

Download
memory/512-1926-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/512-12-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1172-1922-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1172-1881-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1488-1921-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1488-1884-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1800-1964-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/1800-1931-0x0000000005B00000-0x0000000005D04000-memory.dmp

Filesize
2.0MB

Download
memory/1800-1939-0x0000000005B00000-0x0000000005D04000-memory.dmp

Filesize
2.0MB

Download
memory/1800-1930-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/1800-1961-0x0000000005B00000-0x0000000005D04000-memory.dmp

Filesize
2.0MB

Download
memory/1800-1935-0x0000000005B00000-0x0000000005D04000-memory.dmp

Filesize
2.0MB

Download
memory/3404-1967-0x0000000005990000-0x0000000005B94000-memory.dmp

Filesize
2.0MB

Download
memory/3404-1982-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/4516-2000-0x0000000000400000-0x000000000099A000-memory.dmp

Filesize
5.6MB

Download
memory/4648-13-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/4648-15-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/4648-21-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/4648-101-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/4648-7-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download
memory/4648-1925-0x0000000000400000-0x000000000052B000-memory.dmp

Filesize
1.2MB

Download