gh0strat | 4f47635b4eaa1e3e8eddf090b25af99a07dafc7b71d876cf533e8cf8437d62cb

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-09-2024 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

klianghaxx.msi
Size

35.7MB
MD5

b50224d2998918a46f53631e95d0c82a
SHA1

b87a7ac613227efff93e5ee806587bdff1407561
SHA256

4f47635b4eaa1e3e8eddf090b25af99a07dafc7b71d876cf533e8cf8437d62cb
SHA512

35ace3df1e35e5b633184d78df5c8aa56f180ff55cc3d90304fdb720d9908325af36fb82151b5a7bbf175d2afbb140a13e5c4f9fea46e12a5719c5a8e8fcf1c8
SSDEEP

786432:qkhIiFQmQPoasemFaut9MNGXQAXPrWDP7THYKuPQplTiE7Fym:b0m8oasgutuN9AXPrWDPvHduGTifm

Score

10^/10

gh0strat purplefox discovery execution persistence privilege_escalation rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 2 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/1960-106-0x000000002BC70000-0x000000002BE2A000-memory.dmp	purplefox_rootkit
behavioral2/memory/1960-108-0x000000002BC70000-0x000000002BE2A000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 2 IoCs

resource	yara_rule
behavioral2/memory/1960-106-0x000000002BC70000-0x000000002BE2A000-memory.dmp	family_gh0strat
behavioral2/memory/1960-108-0x000000002BC70000-0x000000002BE2A000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	eCIiCJQGvW16.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	eCIiCJQGvW16.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	eCIiCJQGvW16.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	eCIiCJQGvW16.exe
File opened (read-only)	\??\Y:	eCIiCJQGvW16.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	eCIiCJQGvW16.exe
File opened (read-only)	\??\N:	eCIiCJQGvW16.exe
File opened (read-only)	\??\S:	eCIiCJQGvW16.exe
File opened (read-only)	\??\V:	eCIiCJQGvW16.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	eCIiCJQGvW16.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	eCIiCJQGvW16.exe
File opened (read-only)	\??\E:	eCIiCJQGvW16.exe
File opened (read-only)	\??\R:	eCIiCJQGvW16.exe
File opened (read-only)	\??\Z:	eCIiCJQGvW16.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	eCIiCJQGvW16.exe
File opened (read-only)	\??\J:	eCIiCJQGvW16.exe
File opened (read-only)	\??\P:	eCIiCJQGvW16.exe
File opened (read-only)	\??\U:	eCIiCJQGvW16.exe
File opened (read-only)	\??\X:	eCIiCJQGvW16.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	eCIiCJQGvW16.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File created	C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe	RprxlqTjDBnm.exe
File opened for modification	C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.wrapper.log	gLvRGFqwFJmB.exe
File opened for modification	C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.wrapper.log	gLvRGFqwFJmB.exe
File opened for modification	C:\Program Files\UpgradeAdvisorSteadfast	eCIiCJQGvW16.exe
File created	C:\Program Files\UpgradeAdvisorSteadfast\UnityPlayer.dll	msiexec.exe
File created	C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.xml	RprxlqTjDBnm.exe
File opened for modification	C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe	RprxlqTjDBnm.exe
File opened for modification	C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.exe	RprxlqTjDBnm.exe
File created	C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.exe	RprxlqTjDBnm.exe
File opened for modification	C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.wrapper.log	gLvRGFqwFJmB.exe
File created	C:\Program Files\UpgradeAdvisorSteadfast\letsvpn.exe	msiexec.exe
File created	C:\Program Files\UpgradeAdvisorSteadfast\RprxlqTjDBnm.exe	msiexec.exe
File created	C:\Program Files\UpgradeAdvisorSteadfast\WSycNbZGAgGoCikzCVpf	msiexec.exe
File opened for modification	C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.xml	RprxlqTjDBnm.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{C24D2210-555C-41E3-8B2A-8D29388791D8}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE56E.tmp	msiexec.exe
File created	C:\Windows\Installer\e57e409.msi	msiexec.exe
File created	C:\Windows\Installer\e57e407.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e407.msi	msiexec.exe

Executes dropped EXE 8 IoCs

pid	Process
4116	RprxlqTjDBnm.exe
116	eCIiCJQGvW16.exe
1288	letsvpn.exe
5044	gLvRGFqwFJmB.exe
4168	gLvRGFqwFJmB.exe
4876	gLvRGFqwFJmB.exe
3220	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe

Loads dropped DLL 3 IoCs

pid	Process
1288	letsvpn.exe
1288	letsvpn.exe
1288	letsvpn.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5024	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1016	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eCIiCJQGvW16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eCIiCJQGvW16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RprxlqTjDBnm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eCIiCJQGvW16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	letsvpn.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000096fabf83e47a2dea0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000096fabf830000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090096fabf83000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d96fabf83000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000096fabf8300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	eCIiCJQGvW16.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	eCIiCJQGvW16.exe

Modifies data under HKEY_USERS 54 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\Version = "67108870"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\40D7CD3262B65554CB27A9B80694B49B	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\40D7CD3262B65554CB27A9B80694B49B\0122D42CC5553E14B8A2D8928378198D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\SourceList\PackageName = "klianghaxx.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0122D42CC5553E14B8A2D8928378198D	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0122D42CC5553E14B8A2D8928378198D\ProductFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\ProductName = "UpgradeAdvisorSteadfast"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\PackageCode = "9F3668E6BA3100E4789F21AFF2E8BF85"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D\SourceList\Net	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
624	msiexec.exe
624	msiexec.exe
116	eCIiCJQGvW16.exe
116	eCIiCJQGvW16.exe
5024	powershell.exe
5024	powershell.exe
5024	powershell.exe
4876	gLvRGFqwFJmB.exe
3220	eCIiCJQGvW16.exe
3220	eCIiCJQGvW16.exe
3220	eCIiCJQGvW16.exe
3220	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe
1960	eCIiCJQGvW16.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1016	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1016	msiexec.exe
Token: SeSecurityPrivilege	624	msiexec.exe
Token: SeCreateTokenPrivilege	1016	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1016	msiexec.exe
Token: SeLockMemoryPrivilege	1016	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1016	msiexec.exe
Token: SeMachineAccountPrivilege	1016	msiexec.exe
Token: SeTcbPrivilege	1016	msiexec.exe
Token: SeSecurityPrivilege	1016	msiexec.exe
Token: SeTakeOwnershipPrivilege	1016	msiexec.exe
Token: SeLoadDriverPrivilege	1016	msiexec.exe
Token: SeSystemProfilePrivilege	1016	msiexec.exe
Token: SeSystemtimePrivilege	1016	msiexec.exe
Token: SeProfSingleProcessPrivilege	1016	msiexec.exe
Token: SeIncBasePriorityPrivilege	1016	msiexec.exe
Token: SeCreatePagefilePrivilege	1016	msiexec.exe
Token: SeCreatePermanentPrivilege	1016	msiexec.exe
Token: SeBackupPrivilege	1016	msiexec.exe
Token: SeRestorePrivilege	1016	msiexec.exe
Token: SeShutdownPrivilege	1016	msiexec.exe
Token: SeDebugPrivilege	1016	msiexec.exe
Token: SeAuditPrivilege	1016	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1016	msiexec.exe
Token: SeChangeNotifyPrivilege	1016	msiexec.exe
Token: SeRemoteShutdownPrivilege	1016	msiexec.exe
Token: SeUndockPrivilege	1016	msiexec.exe
Token: SeSyncAgentPrivilege	1016	msiexec.exe
Token: SeEnableDelegationPrivilege	1016	msiexec.exe
Token: SeManageVolumePrivilege	1016	msiexec.exe
Token: SeImpersonatePrivilege	1016	msiexec.exe
Token: SeCreateGlobalPrivilege	1016	msiexec.exe
Token: SeBackupPrivilege	3076	vssvc.exe
Token: SeRestorePrivilege	3076	vssvc.exe
Token: SeAuditPrivilege	3076	vssvc.exe
Token: SeBackupPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeBackupPrivilege	1620	srtasks.exe
Token: SeRestorePrivilege	1620	srtasks.exe
Token: SeSecurityPrivilege	1620	srtasks.exe
Token: SeTakeOwnershipPrivilege	1620	srtasks.exe
Token: SeBackupPrivilege	1620	srtasks.exe
Token: SeRestorePrivilege	1620	srtasks.exe
Token: SeSecurityPrivilege	1620	srtasks.exe
Token: SeTakeOwnershipPrivilege	1620	srtasks.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe
Token: SeTakeOwnershipPrivilege	624	msiexec.exe
Token: SeRestorePrivilege	624	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1016	msiexec.exe
1016	msiexec.exe

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 624 wrote to memory of 1620	624	msiexec.exe	91
PID 624 wrote to memory of 1620	624	msiexec.exe	91
PID 624 wrote to memory of 4284	624	msiexec.exe	95
PID 624 wrote to memory of 4284	624	msiexec.exe	95
PID 624 wrote to memory of 4284	624	msiexec.exe	95
PID 4284 wrote to memory of 4116	4284	MsiExec.exe	96
PID 4284 wrote to memory of 4116	4284	MsiExec.exe	96
PID 4284 wrote to memory of 4116	4284	MsiExec.exe	96
PID 4284 wrote to memory of 116	4284	MsiExec.exe	98
PID 4284 wrote to memory of 116	4284	MsiExec.exe	98
PID 4284 wrote to memory of 116	4284	MsiExec.exe	98
PID 4284 wrote to memory of 1288	4284	MsiExec.exe	99
PID 4284 wrote to memory of 1288	4284	MsiExec.exe	99
PID 4284 wrote to memory of 1288	4284	MsiExec.exe	99
PID 1288 wrote to memory of 5024	1288	letsvpn.exe	100
PID 1288 wrote to memory of 5024	1288	letsvpn.exe	100
PID 1288 wrote to memory of 5024	1288	letsvpn.exe	100
PID 4876 wrote to memory of 3220	4876	gLvRGFqwFJmB.exe	107
PID 4876 wrote to memory of 3220	4876	gLvRGFqwFJmB.exe	107
PID 4876 wrote to memory of 3220	4876	gLvRGFqwFJmB.exe	107
PID 3220 wrote to memory of 1960	3220	eCIiCJQGvW16.exe	108
PID 3220 wrote to memory of 1960	3220	eCIiCJQGvW16.exe	108
PID 3220 wrote to memory of 1960	3220	eCIiCJQGvW16.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\klianghaxx.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1016

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1620
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B61328AB55250BAE2BDC7D226C46929F E Global\MSI0000
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:4284
- - C:\Program Files\UpgradeAdvisorSteadfast\RprxlqTjDBnm.exe
    "C:\Program Files\UpgradeAdvisorSteadfast\RprxlqTjDBnm.exe" x "C:\Program Files\UpgradeAdvisorSteadfast\WSycNbZGAgGoCikzCVpf" -o"C:\Program Files\UpgradeAdvisorSteadfast\" -pUdhsuLYAGzPmDseEvpqp -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4116
- - C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe
    "C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe" -number 175 -file file3 -mode mode3 -flag flag3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:116
- - C:\Program Files\UpgradeAdvisorSteadfast\letsvpn.exe
    "C:\Program Files\UpgradeAdvisorSteadfast\letsvpn.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1288
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      PID:5024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.exe
"C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.exe" install
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:5044

C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.exe
"C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.exe" start
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:4168

C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.exe
"C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4876
- C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe
  "C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe" -number 297 -file file3 -mode mode3 -flag flag3
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe
    "C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe" -number 362 -file file3 -mode mode3 -flag flag3
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:1960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57e408.rbs

Filesize
7KB

MD5
c7ee1af71ab80310c68a1fef5eb002fe

SHA1
a5c9fab466e4f4824a98e6d4de4faea607375ab9

SHA256
821b8e8436bce5f09ec2a18b88a36efc4590ffcb27f859949c2d0175959b7d47

SHA512
0f7c0bda56156b071a422596261719fc527fe21031163a87e7120d75cad7ae6a0bdcd07564e0105ac7463191f5a8d89ea59bf19a63048e9e9f3c8d340c5f78f9

Download Submit
C:\Program Files\UpgradeAdvisorSteadfast\RprxlqTjDBnm.exe

Filesize
574KB

MD5
42badc1d2f03a8b1e4875740d3d49336

SHA1
cee178da1fb05f99af7a3547093122893bd1eb46

SHA256
c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf

SHA512
6bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c

Download Submit
C:\Program Files\UpgradeAdvisorSteadfast\WSycNbZGAgGoCikzCVpf

Filesize
1.7MB

MD5
8f3fb6888ea0fa0b469d24ba3c94c7a0

SHA1
07ce9c008e0696f7f199870abcf8f7fce2d44226

SHA256
2fb227f2e083aa82be21d4d1c9d7cdbf6fb0f56004652f836cf444f7e3f88fe5

SHA512
a3703356ed830834fc0e29fde22e2018a6c71e098a1c2aadfb7beab42e587dfe8db243848e7b8b2ff4f962d89e9de450a9b0505dd27bf19564b619af72ddbc96

Download Submit
C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe

Filesize
2.9MB

MD5
0e9a77152636348ef1df5bc112457d62

SHA1
759eb71dfed78cb9718e1c8f3dc719f6d3d4b4bb

SHA256
a001a3b643a7d3aafe82ac9e1f49e576d408bad20993844b6051353456127b89

SHA512
ce439b31e4540bbad086ab9508a0817909a508ef8a7bdc27568c52758fd0a0f7465fb93850bd8238cb1d24fe9c38b76276454e093faa3671c574605aa97326e6

Download Submit
C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.wrapper.log

Filesize
260B

MD5
ab1e2eb4da94535d1c476a1df16257a3

SHA1
2923163ce39c3e2621f86edb0fe887d443a1c195

SHA256
119aed472f3310c33ee6a3c33757fc790c87eb8913695c96bc1cac7a6053dfee

SHA512
0f4b9693ecfbb1dd9ab6042b7e3845e2e8b92434d991cbc4cc922e96ddbaabc8bd6085656819bbc0ca288a15df49fd8ceb1ba8b82b49ae790dbce4143c9a53a2

Download Submit
C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.wrapper.log

Filesize
413B

MD5
cfa9e371b168d3f73448a892270278c1

SHA1
bd2cf8cd7610a15f022dd6b0d9272921ead94dc3

SHA256
2ac12b8a4bb63bb7387945c078ad0b7d18454a09b26bc56d758439daf32feb60

SHA512
261c76ae077e4b0cc53f966e3c3870372232a55722d3d62107c267e8a0b0484b4f17645e8d0d1b9643bdf572e9fb4095611faf625f3cc05b4f3a8a0b6915a005

Download Submit
C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.wrapper.log

Filesize
576B

MD5
283845c557143810692f667b91b79b74

SHA1
3b34bbf1e34a5c9e2d037cd371b388a6f6fa5bd8

SHA256
cfe513ac6f2df54474cf913a16e117d899fd37525db37c88046dce648137d304

SHA512
315281b033a49ca4a93d318e9ca05d65d551a6150fd101d2212a4e711b687d9285af2240cc3ad8cdfbc17c58d3b59f855e245ec8a0262bb117fefefa7e6fb07b

Download Submit
C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.wrapper.log

Filesize
724B

MD5
e5da157ce63b7e6de874f4d293e36b41

SHA1
10456ec96277453d72333defea450773991291c4

SHA256
fada21b8990aeb271175de9394dad83a2e07aa1060cf9dd4ef82091859d2f286

SHA512
e940149e60b1d26e07474911495f0adf8b79e9911b58b4291a3b30490a100e94505f58617382989639e07717aa7b61fee74e18c0dd69b9d763a957f9d88f2ee9

Download Submit
C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.xml

Filesize
435B

MD5
8ac72a64aaff5fb5f8ab55bbc9cd9c27

SHA1
46f8ec71afc049929370966038949428f29a05d1

SHA256
511073d20638765d59fdb70fd2de9ae3a49528c06b91ffc1689a4a4e03e5dc22

SHA512
5d479a9d784c8d32709ac441774b9b45cd7e11570681fbf71a300bb3930430028eb2c2e84067d2bac545d3781550e71612ff98d924e06a9259419b92fa25f2d5

Download Submit
C:\Program Files\UpgradeAdvisorSteadfast\letsvpn.exe

Filesize
14.5MB

MD5
94f6bd702b7a2e17c45d16eaf7da0d64

SHA1
45f8c05851bcf16416e087253ce962b320e9db8a

SHA256
07f44325eab13b01d536a42e90a0247c6efecf23ccd4586309828aa814f5c776

SHA512
7ffc5183d3f1fb23e38c60d55724ab9e9e1e3832c9fb09296f0635f78d81477c6894c00a28e63096fa395e1c11cbeaa1f77f910f9ff9c1f1ecf0b857aa671b3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\gLvRGFqwFJmB.exe.log

Filesize
1KB

MD5
122cf3c4f3452a55a92edee78316e071

SHA1
f2caa36d483076c92d17224cf92e260516b3cbbf

SHA256
42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

SHA512
c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yc1t5ce0.ioc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshF108.tmp\System.dll

Filesize
11KB

MD5
75ed96254fbf894e42058062b4b4f0d1

SHA1
996503f1383b49021eb3427bc28d13b5bbd11977

SHA256
a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

SHA512
58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshF108.tmp\nsDialogs.dll

Filesize
9KB

MD5
ca95c9da8cef7062813b989ab9486201

SHA1
c555af25df3de51aa18d487d47408d5245dba2d1

SHA256
feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be

SHA512
a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nshF108.tmp\nsExec.dll

Filesize
6KB

MD5
3d366250fcf8b755fce575c75f8c79e4

SHA1
2ebac7df78154738d41aac8e27d7a0e482845c57

SHA256
8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

SHA512
67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

Download Submit
C:\Windows\Installer\e57e407.msi

Filesize
35.7MB

MD5
b50224d2998918a46f53631e95d0c82a

SHA1
b87a7ac613227efff93e5ee806587bdff1407561

SHA256
4f47635b4eaa1e3e8eddf090b25af99a07dafc7b71d876cf533e8cf8437d62cb

SHA512
35ace3df1e35e5b633184d78df5c8aa56f180ff55cc3d90304fdb720d9908325af36fb82151b5a7bbf175d2afbb140a13e5c4f9fea46e12a5719c5a8e8fcf1c8

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
10561a9948246448e3bee933c56ae39a

SHA1
9f3e8313409979234852b1764fb003c233ce9f0f

SHA256
51e5b700c3904ad61548ba0ae2f568026d276055adc7b9abc3c4a4bad3609272

SHA512
da7c5bfe4ddcf9c734a324ffed9efc898dc3fc6cd681249cb94d07bf1cb2b86987fe500c3e52976f9da446d0c32ea65efdbde0e1e0339f6de71d76f50c10be2b

Download Submit
\??\Volume{83bffa96-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ecbab06f-5268-41bd-90a4-558d7953c006}_OnDiskSnapshotProp

Filesize
6KB

MD5
6fec36fab6126981209fc10794e8d7b9

SHA1
2dc7f9b45604657247b295333991ded042581e7e

SHA256
b1e1d8e35c4907c87074007f74ef78b91a7c1dea13cccf7a130fc6064005f95a

SHA512
de64fa4c0a60dbdefe144a24d310a5300f4b1c1b71d69d7272216ad85ceeab587c627f1f3f92e25eedc8a82aea4ac1b56fe5c63be5533653e6a9808d9b6ad024

Download Submit
memory/1960-108-0x000000002BC70000-0x000000002BE2A000-memory.dmp

Filesize
1.7MB

Download
memory/1960-106-0x000000002BC70000-0x000000002BE2A000-memory.dmp

Filesize
1.7MB

Download
memory/1960-105-0x000000002A050000-0x000000002A093000-memory.dmp

Filesize
268KB

Download
memory/5024-66-0x0000000005D70000-0x0000000005DBC000-memory.dmp

Filesize
304KB

Download
memory/5024-50-0x0000000004E20000-0x0000000005448000-memory.dmp

Filesize
6.2MB

Download
memory/5024-49-0x00000000047B0000-0x00000000047E6000-memory.dmp

Filesize
216KB

Download
memory/5024-51-0x0000000004D70000-0x0000000004D92000-memory.dmp

Filesize
136KB

Download
memory/5024-53-0x00000000056B0000-0x0000000005716000-memory.dmp

Filesize
408KB

Download
memory/5024-52-0x0000000005640000-0x00000000056A6000-memory.dmp

Filesize
408KB

Download
memory/5024-65-0x0000000005D20000-0x0000000005D3E000-memory.dmp

Filesize
120KB

Download
memory/5024-63-0x0000000005720000-0x0000000005A74000-memory.dmp

Filesize
3.3MB

Download
memory/5044-67-0x0000000000E20000-0x0000000000EF6000-memory.dmp

Filesize
856KB

Download