Analysis
max time kernel: 150s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22-09-2024 14:20

Static task: static1
Behavioral task: behavioral1 (Sample: klianghaxx.msi, Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: klianghaxx.msi, Resource: win10v2004-20240802-en)
The signatures, process tree and dropped files below are from behavioral2, the win10v2004 run.

General
Target: klianghaxx.msi
Size: 35.7MB
MD5: b50224d2998918a46f53631e95d0c82a
SHA1: b87a7ac613227efff93e5ee806587bdff1407561
SHA256: 4f47635b4eaa1e3e8eddf090b25af99a07dafc7b71d876cf533e8cf8437d62cb
SHA512: 35ace3df1e35e5b633184d78df5c8aa56f180ff55cc3d90304fdb720d9908325af36fb82151b5a7bbf175d2afbb140a13e5c4f9fea46e12a5719c5a8e8fcf1c8
SSDEEP: 786432:qkhIiFQmQPoasemFaut9MNGXQAXPrWDP7THYKuPQplTiE7Fym:b0m8oasgutuN9AXPrWDPvHduGTifm
Malware Config
Signatures
Purplefox rootkit (yara rule purplefox_rootkit) 5 IoCs
resource / yara_rule
behavioral2/memory/4372-105-0x000000002BE80000-0x000000002C03A000-memory.dmp  purplefox_rootkit
behavioral2/memory/4372-107-0x000000002BE80000-0x000000002C03A000-memory.dmp  purplefox_rootkit
behavioral2/memory/4372-108-0x000000002BE80000-0x000000002C03A000-memory.dmp  purplefox_rootkit
behavioral2/memory/4372-110-0x000000002BE80000-0x000000002C03A000-memory.dmp  purplefox_rootkit
behavioral2/memory/4372-112-0x000000002BE80000-0x000000002C03A000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 5 IoCs
resource / yara_rule
behavioral2/memory/4372-105-0x000000002BE80000-0x000000002C03A000-memory.dmp  family_gh0strat
behavioral2/memory/4372-107-0x000000002BE80000-0x000000002C03A000-memory.dmp  family_gh0strat
behavioral2/memory/4372-108-0x000000002BE80000-0x000000002C03A000-memory.dmp  family_gh0strat
behavioral2/memory/4372-110-0x000000002BE80000-0x000000002C03A000-memory.dmp  family_gh0strat
behavioral2/memory/4372-112-0x000000002BE80000-0x000000002C03A000-memory.dmp  family_gh0strat
Both rule sets fired on the same five dumps of the same region (0x2BE80000-0x2C03A000) in PID 4372, the eCIiCJQGvW16.exe instance at the bottom of the gLvRGFqwFJmB.exe tree. The two family tags describe one unpacked in-memory image, not two separate payloads.
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only); ioc by Process, in the order logged (repeats kept):
msiexec.exe (44 opens, 23 distinct letters): \??\G: \??\T: \??\B: \??\Y: \??\B: \??\N: \??\S: \??\A: \??\A: \??\N: \??\Z: \??\E: \??\U: \??\H: \??\Q: \??\U: \??\J: \??\L: \??\W: \??\L: \??\J: \??\H: \??\K: \??\S: \??\X: \??\Y: \??\K: \??\W: \??\O: \??\I: \??\M: \??\P: \??\V: \??\Z: \??\R: \??\Q: \??\V: \??\T: \??\X: \??\I: \??\M: \??\O: \??\R: \??\P:
eCIiCJQGvW16.exe (20 opens, 20 distinct letters): \??\Q: \??\K: \??\R: \??\B: \??\N: \??\V: \??\Y: \??\E: \??\J: \??\M: \??\U: \??\Z: \??\O: \??\T: \??\X: \??\S: \??\P: \??\I: \??\W: \??\L:
The msiexec.exe opens come from both installer processes (PID 4040 and 4284 carry this signature in the process tree) and are the installer's own volume enumeration, which benign MSI installs also produce. The eCIiCJQGvW16.exe opens belong to PID 4372, the only eCIiCJQGvW16.exe instance flagged with this signature and the one whose memory matched the payload rules.
Drops file in Program Files directory 14 IoCs
description / ioc / Process
File opened for modification  C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.wrapper.log  gLvRGFqwFJmB.exe
File created  C:\Program Files\UpgradeAdvisorSteadfast\RprxlqTjDBnm.exe  msiexec.exe
File opened for modification  C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.xml  RprxlqTjDBnm.exe
File opened for modification  C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.wrapper.log  gLvRGFqwFJmB.exe
File opened for modification  C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.wrapper.log  gLvRGFqwFJmB.exe
File created  C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.xml  RprxlqTjDBnm.exe
File opened for modification  C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.exe  RprxlqTjDBnm.exe
File opened for modification  C:\Program Files\UpgradeAdvisorSteadfast  eCIiCJQGvW16.exe
File created  C:\Program Files\UpgradeAdvisorSteadfast\letsvpn.exe  msiexec.exe
File created  C:\Program Files\UpgradeAdvisorSteadfast\UnityPlayer.dll  msiexec.exe
File created  C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.exe  RprxlqTjDBnm.exe
File created  C:\Program Files\UpgradeAdvisorSteadfast\WSycNbZGAgGoCikzCVpf  msiexec.exe
File created  C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe  RprxlqTjDBnm.exe
File opened for modification  C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe  RprxlqTjDBnm.exe
Two stages are visible. The installer itself (msiexec.exe) writes only RprxlqTjDBnm.exe, the extension-less blob WSycNbZGAgGoCikzCVpf, letsvpn.exe and UnityPlayer.dll. RprxlqTjDBnm.exe is then run with 7-Zip-style switches (x <archive> -o<dir> -p<password> -y, see the process tree) against that blob and produces gLvRGFqwFJmB.exe, gLvRGFqwFJmB.xml and eCIiCJQGvW16.exe, so the payload sits in a password-protected archive inside the MSI and is not visible to static inspection of the package. The install / start verbs later run on gLvRGFqwFJmB.exe, together with a sibling gLvRGFqwFJmB.xml and gLvRGFqwFJmB.wrapper.log, are the conventions of a WinSW-style service wrapper; the report does not show the resulting service name.
Drops file in Windows directory 8 IoCs
description / ioc / Process
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
File opened for modification  C:\Windows\Installer\  msiexec.exe
File created  C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
File created  C:\Windows\Installer\SourceHash{C24D2210-555C-41E3-8B2A-8D29388791D8}  msiexec.exe
File opened for modification  C:\Windows\Installer\MSICC0A.tmp  msiexec.exe
File created  C:\Windows\Installer\e57cac4.msi  msiexec.exe
File created  C:\Windows\Installer\e57cac2.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\e57cac2.msi  msiexec.exe
All eight are the Windows Installer service (PID 4284) caching the package. On a live host the cached copies under C:\Windows\Installer (here e57cac2.msi / e57cac4.msi) are where to recover the original MSI, and the GUID in the SourceHash file name is the product code of the install.
Executes dropped EXE 8 IoCs
pid / Process
3620  RprxlqTjDBnm.exe
2552  eCIiCJQGvW16.exe
2152  letsvpn.exe
2316  gLvRGFqwFJmB.exe
1492  gLvRGFqwFJmB.exe
2892  gLvRGFqwFJmB.exe
1372  eCIiCJQGvW16.exe
4372  eCIiCJQGvW16.exe
Loads dropped DLL 3 IoCs
pid / Process
2152  letsvpn.exe
2152  letsvpn.exe
2152  letsvpn.exe
The report does not name the DLL; the only DLL in the drop list is UnityPlayer.dll, written by msiexec.exe next to letsvpn.exe.
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
pid / Process
1880  powershell.exe
The command line (see the process tree) is a one-liner run from the 32-bit letsvpn.exe (PID 2152) that returns PROCESSOR_ARCHITEW6432 when set, i.e. it asks a WOW64 process what the native OS architecture is.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid / Process
4040  msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MsiExec.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  RprxlqTjDBnm.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  eCIiCJQGvW16.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  letsvpn.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  powershell.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  eCIiCJQGvW16.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  eCIiCJQGvW16.exe
This key is read routinely at process start-up; the two hits on Windows' own binaries are the SysWOW64 MsiExec.exe and powershell.exe, and the 64-bit msiexec.exe instances do not appear. On its own this is weak evidence of a geolocation check.
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description / ioc / Process
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000532ba7f3274a467a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000532ba7f30000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900532ba7f3000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d532ba7f3000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000532ba7f300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
All five entries come from vssvc.exe (PID 4312), the Volume Shadow Copy service that srtasks.exe ExecuteScopeRestorePoint started for the installer's restore point. The PartitionTableCache / SnapshotDataCache writes are VSS bookkeeping; none of the dropped executables touch this key, so this signature is an installer side effect rather than the sample probing the disk vendor string.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description / ioc / Process
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  eCIiCJQGvW16.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  eCIiCJQGvW16.exe
Unlike the SCSI entry above, this one is the sample itself: the process tree attributes it to PID 4372, which reads the ~MHz value of CPU 0.
Modifies data under HKEY_USERS 54 IoCs
Everything here is under \REGISTRY\USER\.DEFAULT, the hive the SYSTEM account uses, i.e. the processes run in the installer's service context.

powershell.exe, Key created, 42 entries:
under \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\: CA, CA\Certificates, CA\CRLs, CA\CTLs, Root, Root\Certificates, Root\CRLs, Root\CTLs, trust, trust\Certificates, trust\CRLs, trust\CTLs, TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs, Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs, SmartCardRoot, SmartCardRoot\Certificates, SmartCardRoot\CRLs, SmartCardRoot\CTLs (24)
under \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\: CA, CA\Certificates, CA\CRLs, CA\CTLs, trust, trust\Certificates, trust\CRLs, trust\CTLs, TrustedPeople, TrustedPeople\Certificates, TrustedPeople\CRLs, TrustedPeople\CTLs, Disallowed, Disallowed\Certificates, Disallowed\CRLs, Disallowed\CTLs (16)
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E
\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing

powershell.exe, Set value (str), 2 entries:
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"
\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"

msiexec.exe, 3 entries:
Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26
Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27

MsiExec.exe (SysWOW64), 7 entries:
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"

The 42 powershell.exe entries are empty certificate-store containers being created under the SYSTEM profile; no certificate, CRL or CTL value is written to any of them, so this is not a root-certificate install. The ZoneMap values are the SysWOW64 custom-action host's Internet Settings defaults.
Modifies registry class 22 IoCs
description / ioc / Process (all msiexec.exe). P stands for \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0122D42CC5553E14B8A2D8928378198D.
Key created  P
Set value (int)  P\Assignment = "1"
Set value (str)  P\SourceList\Media\1 = ";"
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0122D42CC5553E14B8A2D8928378198D\ProductFeature
Set value (int)  P\Language = "1033"
Set value (str)  P\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0122D42CC5553E14B8A2D8928378198D
Set value (str)  P\PackageCode = "9F3668E6BA3100E4789F21AFF2E8BF85"
Set value (int)  P\AuthorizedLUAApp = "0"
Set value (str)  P\SourceList\PackageName = "klianghaxx.msi"
Key created  P\SourceList\Net
Key created  P\SourceList\Media
Key created  P\SourceList
Set value (str)  P\ProductName = "UpgradeAdvisorSteadfast"
Set value (int)  P\Version = "67108870"
Set value (int)  P\AdvertiseFlags = "388"
Set value (int)  P\InstanceType = "0"
Set value (int)  P\DeploymentFlags = "3"
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\40D7CD3262B65554CB27A9B80694B49B
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\40D7CD3262B65554CB27A9B80694B49B\0122D42CC5553E14B8A2D8928378198D
Set value (data)  P\Clients = 3a0000000000
Set value (str)  P\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
The 32-hex-digit key name is the Windows Installer packed form of the product code (the first three GUID fields reversed, the hex-digit pairs of the last two swapped): 0122D42CC5553E14B8A2D8928378198D is {C24D2210-555C-41E3-8B2A-8D29388791D8}, the GUID in the SourceHash file name under "Drops file in Windows directory". Version = "67108870" is 0x04000006, i.e. product version 4.0.6, and LastUsedSource records that the package was launched from C:\Users\Admin\AppData\Local\Temp\. These keys, the product name UpgradeAdvisorSteadfast and the product code are durable host artefacts to hunt for.
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process (number of entries logged)
4284  msiexec.exe  (2)
2552  eCIiCJQGvW16.exe  (2)
1880  powershell.exe  (2)
2892  gLvRGFqwFJmB.exe  (2)
1372  eCIiCJQGvW16.exe  (4)
4372  eCIiCJQGvW16.exe  (52)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description (Token) / pid / Process, grouped by process, tokens in the order logged
4040 msiexec.exe (31): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
4284 msiexec.exe (22): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, then SeRestorePrivilege / SeTakeOwnershipPrivilege alternating for the remaining 15 entries (8 SeRestorePrivilege, 7 SeTakeOwnershipPrivilege)
4312 vssvc.exe (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
872 srtasks.exe (8): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
The 31-token run on PID 4040 is a single pass that enables every privilege in the installer client's token; the SeRestore / SeTakeOwnership pairs on PID 4284 accompany the file drops by the Installer service. None of the dropped executables appears in this list.
Suspicious use of FindShellTrayWindow 2 IoCs
pid / Process
4040  msiexec.exe
4040  msiexec.exe
Suspicious use of WriteProcessMemory 23 IoCs
description: PID <pid> wrote to memory of <target>; pid / Process / procid_target, with the number of times each pair was logged
4284 msiexec.exe -> 872   (procid_target 88)   x2
4284 msiexec.exe -> 3880  (procid_target 90)   x3
3880 MsiExec.exe -> 3620  (procid_target 91)   x3
3880 MsiExec.exe -> 2552  (procid_target 93)   x3
3880 MsiExec.exe -> 2152  (procid_target 94)   x3
2152 letsvpn.exe -> 1880  (procid_target 95)   x3
2892 gLvRGFqwFJmB.exe -> 1372  (procid_target 106)  x3
1372 eCIiCJQGvW16.exe -> 4372  (procid_target 107)  x3
Every pair is a parent/child edge of the process tree below, and no write targets a process outside that tree, so this signature documents process creation within the sample's own lineage rather than injection into a foreign process.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Indentation shows the parent/child depth the report records; each entry gives the image path, the command line, the PID and the signatures attributed to that process. The three gLvRGFqwFJmB.exe instances (install, start, and the bare invocation) are at the top level because no parent was recorded for them; the bare instance, PID 2892, is the root of the branch that ends in PID 4372, the process whose memory matched the Gh0st RAT / Purplefox rules.

C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\klianghaxx.msi
  PID:4040
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  PID:4284
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID:872
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 59D63A899BBE1B1B86D7A5B291CFBBA4 E Global\MSI0000
      PID:3880
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory

        C:\Program Files\UpgradeAdvisorSteadfast\RprxlqTjDBnm.exe
          "C:\Program Files\UpgradeAdvisorSteadfast\RprxlqTjDBnm.exe" x "C:\Program Files\UpgradeAdvisorSteadfast\WSycNbZGAgGoCikzCVpf" -o"C:\Program Files\UpgradeAdvisorSteadfast\" -pUdhsuLYAGzPmDseEvpqp -y
          PID:3620
          - Drops file in Program Files directory
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery

        C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe
          "C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe" -number 175 -file file3 -mode mode3 -flag flag3
          PID:2552
          - Drops file in Program Files directory
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses

        C:\Program Files\UpgradeAdvisorSteadfast\letsvpn.exe
          "C:\Program Files\UpgradeAdvisorSteadfast\letsvpn.exe"
          PID:2152
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
              PID:1880
              - Command and Scripting Interpreter: PowerShell
              - System Location Discovery: System Language Discovery
              - Modifies data under HKEY_USERS
              - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  PID:4312
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.exe
  "C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.exe" install
  PID:2316
  - Drops file in Program Files directory
  - Executes dropped EXE

C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.exe
  "C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.exe" start
  PID:1492
  - Drops file in Program Files directory
  - Executes dropped EXE

C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.exe
  "C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.exe"
  PID:2892
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe
      "C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe" -number 297 -file file3 -mode mode3 -flag flag3
      PID:1372
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe
          "C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe" -number 362 -file file3 -mode mode3 -flag flag3
          PID:4372
          - Enumerates connected drives
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
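As an added example (not code from the report or the sandbox vendor), the Python below rebuilds the process lineage from the WriteProcessMemory pairs and the command lines in the two sections above and raises the findings a reviewer would otherwise pull out by hand: the MSI custom-action host (MsiExec.exe -Embedding) launching executables from Program Files, the password-protected archive extraction, the WOW64 architecture probe through PowerShell, and the ancestry of the process whose memory matched the payload rules. The edges and command lines are transcribed from this report; the finding names and the heuristics behind them are this example's own choices, not sandbox signatures.

```python
"""Rebuild process lineage from a sandbox report and derive triage findings.

Added example, not part of the sandbox report. EDGES and PROCS are transcribed
from the "Suspicious use of WriteProcessMemory" and "Processes" sections
(duplicate edges collapsed, procid_target dropped). The finding labels are
this example's own, not sandbox signature names.
"""
import re
from collections import defaultdict

# (parent_pid, child_pid) pairs: "PID <parent> wrote to memory of <child>".
EDGES = [
    (4284, 872), (4284, 3880), (3880, 3620), (3880, 2552), (3880, 2152),
    (2152, 1880), (2892, 1372), (1372, 4372),
]

# pid -> (image name, command line), copied from the process tree.
PROCS = {
    4040: ("msiexec.exe", r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\klianghaxx.msi"),
    4284: ("msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    872: ("srtasks.exe", r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    3880: ("MsiExec.exe", r"C:\Windows\syswow64\MsiExec.exe -Embedding 59D63A899BBE1B1B86D7A5B291CFBBA4 E Global\MSI0000"),
    3620: ("RprxlqTjDBnm.exe", r'"C:\Program Files\UpgradeAdvisorSteadfast\RprxlqTjDBnm.exe" x '
           r'"C:\Program Files\UpgradeAdvisorSteadfast\WSycNbZGAgGoCikzCVpf" '
           r'-o"C:\Program Files\UpgradeAdvisorSteadfast\" -pUdhsuLYAGzPmDseEvpqp -y'),
    2552: ("eCIiCJQGvW16.exe", r'"C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe" -number 175 -file file3 -mode mode3 -flag flag3'),
    2152: ("letsvpn.exe", r'"C:\Program Files\UpgradeAdvisorSteadfast\letsvpn.exe"'),
    1880: ("powershell.exe", 'powershell.exe -inputformat none -ExecutionPolicy Bypass -Command '
           '"If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"'),
    2892: ("gLvRGFqwFJmB.exe", r'"C:\Program Files\UpgradeAdvisorSteadfast\gLvRGFqwFJmB.exe"'),
    1372: ("eCIiCJQGvW16.exe", r'"C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe" -number 297 -file file3 -mode mode3 -flag flag3'),
    4372: ("eCIiCJQGvW16.exe", r'"C:\Program Files\UpgradeAdvisorSteadfast\eCIiCJQGvW16.exe" -number 362 -file file3 -mode mode3 -flag flag3'),
}

# Keep double-quoted paths (which contain spaces) as single tokens.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokens(cmd):
    return TOKEN_RE.findall(cmd)


def build_tree(edges):
    parent, children = {}, defaultdict(list)
    for p, c in edges:
        parent[c] = p
        children[p].append(c)
    return parent, children


def ancestry(pid, parent):
    """[pid, parent, grandparent, ...] up to the first pid with no recorded parent."""
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return chain


def is_msi_custom_action_host(image, cmd):
    # "MsiExec.exe -Embedding <guid>" is the out-of-process custom-action server.
    return image.lower() == "msiexec.exe" and "-Embedding" in cmd


def runs_from_program_files(cmd):
    return cmd.lower().startswith('"c:\\program files')


def is_password_archive_extract(cmd):
    # 7-Zip-style "<tool> x <archive> ... -p<password>": an inline password means
    # the archive contents were hidden from static scanning of the installer.
    t = tokens(cmd)
    return len(t) > 2 and t[1] == "x" and any(a.startswith("-p") and len(a) > 2 for a in t[2:])


def findings(procs, edges, payload_pid):
    parent, children = build_tree(edges)
    out = []
    for pid, (image, cmd) in procs.items():
        if is_msi_custom_action_host(image, cmd):
            for child in children[pid]:
                if runs_from_program_files(procs[child][1]):
                    out.append(("msi_custom_action_spawns_dropped_exe", pid, child))
        if is_password_archive_extract(cmd):
            out.append(("password_protected_archive_extract", pid, ancestry(pid, parent)))
        if image.lower() == "powershell.exe" and "PROCESSOR_ARCHITEW6432" in cmd:
            out.append(("wow64_arch_probe_via_powershell", parent.get(pid), pid))
    # The payload process and the chain that started it.
    out.append(("payload_lineage", payload_pid, ancestry(payload_pid, parent)))
    return out


if __name__ == "__main__":
    for finding in findings(PROCS, EDGES, 4372):
        print(finding)
```

The last finding is the one worth keeping: the payload lineage stops at PID 2892 because the report recorded no parent for the bare gLvRGFqwFJmB.exe, which is what you expect when a service wrapper starts it; any EDR rule written from this tree should therefore key on the Program Files path and the -number/-file/-mode/-flag argument shape rather than on msiexec.exe being the parent.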
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
7KB
MD5ce8db15eba2a25093b2fa6a75ffac1b6
SHA186badb06226ee5bd2812c0f070aadc202f8e0de3
SHA2563ad9d7627775db01138b1f99757246aad2eab7a7058d11a5e2c1c0f24a220903
SHA5124eaaa9566d5d52d95df904bb84116d0477e1312f149a29e82670a22d9851180b77662867de5c247d99b5e65d5bfd7625b27be49fcc817dc2c4120d39c66ad34f
-
Filesize
574KB
MD542badc1d2f03a8b1e4875740d3d49336
SHA1cee178da1fb05f99af7a3547093122893bd1eb46
SHA256c136b1467d669a725478a6110ebaaab3cb88a3d389dfa688e06173c066b76fcf
SHA5126bc519a7368ee6bd8c8f69f2d634dd18799b4ca31fbc284d2580ba625f3a88b6a52d2bc17bea0e75e63ca11c10356c47ee00c2c500294abcb5141424fc5dc71c
-
Filesize
1.7MB
MD58f3fb6888ea0fa0b469d24ba3c94c7a0
SHA107ce9c008e0696f7f199870abcf8f7fce2d44226
SHA2562fb227f2e083aa82be21d4d1c9d7cdbf6fb0f56004652f836cf444f7e3f88fe5
SHA512a3703356ed830834fc0e29fde22e2018a6c71e098a1c2aadfb7beab42e587dfe8db243848e7b8b2ff4f962d89e9de450a9b0505dd27bf19564b619af72ddbc96
-
Filesize
2.9MB
MD50e9a77152636348ef1df5bc112457d62
SHA1759eb71dfed78cb9718e1c8f3dc719f6d3d4b4bb
SHA256a001a3b643a7d3aafe82ac9e1f49e576d408bad20993844b6051353456127b89
SHA512ce439b31e4540bbad086ab9508a0817909a508ef8a7bdc27568c52758fd0a0f7465fb93850bd8238cb1d24fe9c38b76276454e093faa3671c574605aa97326e6
-
Filesize
832KB
MD5d305d506c0095df8af223ac7d91ca327
SHA1679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA51294d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796
- Filesize: 260B
  MD5: cb6df9c4ac7e4ee23d8988f3b899120c
  SHA1: 91217d656c7415f31d2d4bf95d5f83725629c348
  SHA256: 7474237581ba7af6a0161a57e1525bf5c08d7fce6b1bae28e7fe4bebf07597a1
  SHA512: 7a89b2b786e5364c4460f043da5b3b50e8d3c60de3e14c99b5ecb246ea4046a1cc1f559b2f0f279f1abef7a3968366021789c88e427ac620565932b475587151
- Filesize: 413B
  MD5: 59c8965392417e35ac4f3f4676791ef8
  SHA1: 49393a332cb428fa2567a225dd0ca7370e6c6a54
  SHA256: e169aa4877ba66db15d4d9c8bed04c42874c41d4307344654a777851d5a8bae7
  SHA512: 37bf184409d08502706660babcf120b233de7b198936c5403c0c5331752abc658a4e1e47e1750d3eb728e6b25cf911752f15b7db5c47077aaaa97f5a37e5561a
- Filesize: 576B
  MD5: 621ee060e21982c3062d4d1c52555548
  SHA1: 441b2e1cd213dbbd2465cedf5a373b6b0787d7d7
  SHA256: 17cc744167816a6cacd701bb34a0102dadca5d5dd7b74d87321cc4185902f3dd
  SHA512: f5281ea52afcce8e135124eea3ea6c256d4ecf6cdd4ec864ca404c43dfe75f447fbc2e05f59a2d596c029c12e79715d857c4b2bdfbe07e9d648904931fc716e1
- Filesize: 724B
  MD5: adf7d0300ae241836ac608aad1eaeef4
  SHA1: 43b610267d37a3665e06cbef53a1264d9c979f24
  SHA256: 942decd7503c16d52405c071771b7f411c5d377239af625f78185dbdc64012e5
  SHA512: 9ddd5ebafaef347d570a51a15f7992288c374bb6a6c3ec39519cd41d4fbc29ed2510b3b6f66936ea4f2d10f77ad5acb2b3d42e148d02a937ecda48ab40b64296
- Filesize: 435B
  MD5: 8ac72a64aaff5fb5f8ab55bbc9cd9c27
  SHA1: 46f8ec71afc049929370966038949428f29a05d1
  SHA256: 511073d20638765d59fdb70fd2de9ae3a49528c06b91ffc1689a4a4e03e5dc22
  SHA512: 5d479a9d784c8d32709ac441774b9b45cd7e11570681fbf71a300bb3930430028eb2c2e84067d2bac545d3781550e71612ff98d924e06a9259419b92fa25f2d5
- Filesize: 14.5MB
  MD5: 94f6bd702b7a2e17c45d16eaf7da0d64
  SHA1: 45f8c05851bcf16416e087253ce962b320e9db8a
  SHA256: 07f44325eab13b01d536a42e90a0247c6efecf23ccd4586309828aa814f5c776
  SHA512: 7ffc5183d3f1fb23e38c60d55724ab9e9e1e3832c9fb09296f0635f78d81477c6894c00a28e63096fa395e1c11cbeaa1f77f910f9ff9c1f1ecf0b857aa671b3d
- Filesize: 1KB
  MD5: 122cf3c4f3452a55a92edee78316e071
  SHA1: f2caa36d483076c92d17224cf92e260516b3cbbf
  SHA256: 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
  SHA512: c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c
- Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
- Filesize: 11KB
  MD5: 75ed96254fbf894e42058062b4b4f0d1
  SHA1: 996503f1383b49021eb3427bc28d13b5bbd11977
  SHA256: a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7
  SHA512: 58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4
- Filesize: 9KB
  MD5: ca95c9da8cef7062813b989ab9486201
  SHA1: c555af25df3de51aa18d487d47408d5245dba2d1
  SHA256: feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be
  SHA512: a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9
- Filesize: 6KB
  MD5: 3d366250fcf8b755fce575c75f8c79e4
  SHA1: 2ebac7df78154738d41aac8e27d7a0e482845c57
  SHA256: 8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6
  SHA512: 67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094
- Filesize: 35.7MB
  MD5: b50224d2998918a46f53631e95d0c82a
  SHA1: b87a7ac613227efff93e5ee806587bdff1407561
  SHA256: 4f47635b4eaa1e3e8eddf090b25af99a07dafc7b71d876cf533e8cf8437d62cb
  SHA512: 35ace3df1e35e5b633184d78df5c8aa56f180ff55cc3d90304fdb720d9908325af36fb82151b5a7bbf175d2afbb140a13e5c4f9fea46e12a5719c5a8e8fcf1c8
- Filesize: 23.7MB
  MD5: cb86611f2c33ab46b54168e1e9c4c916
  SHA1: a179d0564de213a03b7de5b5e093411f9adba160
  SHA256: feadf0009e8fd8b0366a81251053201562ec7f00629a10ae58dc504c62417c90
  SHA512: 44f2b1ad568cf27cad30dc65d280e8d74d189cab2b39eba5d406c70066ccbf03b017f29fc4dd3af5c431209f942604f6b5635d1309a6d641b962c9671b333bb9
- \??\Volume{f3a72b53-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ef6c51b9-9590-4042-ac70-bece32a8078a}_OnDiskSnapshotProp
  Filesize: 6KB
  MD5: 44b62e69200c09f3e6ef960c6162e923
  SHA1: b71f74e71d9f8a157d3aec453afa1ddea279da9c
  SHA256: 6c91667f77e76673b6b37bde4ffc9990bb0a75b69006369e9fa7b1423f89ca5d
  SHA512: bc354534c23e8c7bb7b6f74adba713aeee2acb01c76dcf108dedc3453a69920b2089cc469e0bbbab9bfccf8b3a057c4286cb8d11a970f67f4161e4aee470e883