gh0strat | 2bd63252d1eeec4888e0674d52d5dfa80bd69d8accd64f7fb1ea6bdcbe9d4a61

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2024, 02:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

yuanchangkuirr-intrallar.msi
Size

72.3MB
MD5

31e8ef3c0591e3ce82cb1c43fb6459c2
SHA1

2adc3a5470d7e7507c60e6bf88d86985b2d3a7b9
SHA256

9e0543dbde32aeacb27324fc070be63ae7bf679fbe69a4836e3dab627812a7b8
SHA512

c1607b5a051fe034378dee8c27aca1effbdf4ab985a500160f2260403bace6f5575117e73a21878ec3f88d1bde49f56cc99184012cb66d1cb2bdc2a7defb4994
SSDEEP

1572864:DNDFH5QOjDdexAgZt/qNOU1bpJh11+exX8t6iwwdM1ZE0d+LH:1xjDdKAqFqQCJh11/xYP50d+7

Score

10^/10

gh0strat purplefox discovery execution persistence privilege_escalation rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 4 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/4924-81-0x000000002BD00000-0x000000002BEBC000-memory.dmp	purplefox_rootkit
behavioral2/memory/4924-83-0x000000002BD00000-0x000000002BEBC000-memory.dmp	purplefox_rootkit
behavioral2/memory/4924-84-0x000000002BD00000-0x000000002BEBC000-memory.dmp	purplefox_rootkit
behavioral2/memory/4924-85-0x000000002BD00000-0x000000002BEBC000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/4924-81-0x000000002BD00000-0x000000002BEBC000-memory.dmp	family_gh0strat
behavioral2/memory/4924-83-0x000000002BD00000-0x000000002BEBC000-memory.dmp	family_gh0strat
behavioral2/memory/4924-84-0x000000002BD00000-0x000000002BEBC000-memory.dmp	family_gh0strat
behavioral2/memory/4924-85-0x000000002BD00000-0x000000002BEBC000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1060	powershell.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	fUsKbQztGnwa.exe
File opened (read-only)	\??\N:	fUsKbQztGnwa.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	fUsKbQztGnwa.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	fUsKbQztGnwa.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	fUsKbQztGnwa.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	fUsKbQztGnwa.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	fUsKbQztGnwa.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	fUsKbQztGnwa.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	fUsKbQztGnwa.exe
File opened (read-only)	\??\K:	fUsKbQztGnwa.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	fUsKbQztGnwa.exe
File opened (read-only)	\??\R:	fUsKbQztGnwa.exe
File opened (read-only)	\??\U:	fUsKbQztGnwa.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	fUsKbQztGnwa.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	fUsKbQztGnwa.exe
File opened (read-only)	\??\P:	fUsKbQztGnwa.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	fUsKbQztGnwa.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	fUsKbQztGnwa.exe
File opened (read-only)	\??\T:	fUsKbQztGnwa.exe
File opened (read-only)	\??\Z:	fUsKbQztGnwa.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\KigOyawRpuIW.exe.log	KigOyawRpuIW.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2284-54-0x00007FF776730000-0x00007FF777730000-memory.dmp	upx

Drops file in Program Files directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe	KXwXckjFEiVp.exe
File created	C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe	KXwXckjFEiVp.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer	fUsKbQztGnwa.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa	KXwXckjFEiVp.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.wrapper.log	KigOyawRpuIW.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.wrapper.log	KigOyawRpuIW.exe
File created	C:\Program Files\AnalyzeGentleExplorer\common_clang32.dll	msiexec.exe
File created	C:\Program Files\AnalyzeGentleExplorer\KXwXckjFEiVp.exe	msiexec.exe
File created	C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.xml	KXwXckjFEiVp.exe
File created	C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe	KXwXckjFEiVp.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.wrapper.log	KigOyawRpuIW.exe
File created	C:\Program Files\AnalyzeGentleExplorer\jtsQyBozxwOIHmIoteVO	msiexec.exe
File created	C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa	KXwXckjFEiVp.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.xml	KXwXckjFEiVp.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe	KXwXckjFEiVp.exe
File created	C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIF08A.tmp	msiexec.exe
File created	C:\Windows\Installer\e57ee59.msi	msiexec.exe
File created	C:\Windows\Installer\e57ee57.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57ee57.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{024CDB6C-7DDE-4E3D-A2D4-9CAE8EB1D4BF}	msiexec.exe

Executes dropped EXE 9 IoCs

pid	Process
4524	KXwXckjFEiVp.exe
3332	fUsKbQztGnwa.exe
2748	KigOyawRpuIW.exe
2284	SunloginClient15544x64.exe
3480	SunloginClient15544x64.exe
1876	KigOyawRpuIW.exe
1240	KigOyawRpuIW.exe
112	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1912	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KXwXckjFEiVp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fUsKbQztGnwa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fUsKbQztGnwa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fUsKbQztGnwa.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009fc5eef0dbaffe7c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009fc5eef00000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809009fc5eef0000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d9fc5eef0000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009fc5eef000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fUsKbQztGnwa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	fUsKbQztGnwa.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\DeviceInstances	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	SunloginClient15544x64.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration\0\GUID = 3028f7b3e390ef118001444553540000	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\System	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput	SunloginClient15544x64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	SunloginClient15544x64.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	SunloginClient15544x64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration\0	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration	SunloginClient15544x64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\ProductName = "AnalyzeGentleExplorer"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\Version = "67567622"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C19253CA00EB68D488C5FD8D3377BD29	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C19253CA00EB68D488C5FD8D3377BD29\C6BDC420EDD7D3E42A4DC9EAE81B4DFB	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C6BDC420EDD7D3E42A4DC9EAE81B4DFB	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\PackageCode = "16365A16AE1FE094B86DB5BC2E221855"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\PackageName = "yuanchangkuirr-intrallar.msi"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4724	msiexec.exe
4724	msiexec.exe
3332	fUsKbQztGnwa.exe
3332	fUsKbQztGnwa.exe
1240	KigOyawRpuIW.exe
1240	KigOyawRpuIW.exe
112	fUsKbQztGnwa.exe
112	fUsKbQztGnwa.exe
112	fUsKbQztGnwa.exe
112	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe
4924	fUsKbQztGnwa.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1912	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1912	msiexec.exe
Token: SeSecurityPrivilege	4724	msiexec.exe
Token: SeCreateTokenPrivilege	1912	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1912	msiexec.exe
Token: SeLockMemoryPrivilege	1912	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1912	msiexec.exe
Token: SeMachineAccountPrivilege	1912	msiexec.exe
Token: SeTcbPrivilege	1912	msiexec.exe
Token: SeSecurityPrivilege	1912	msiexec.exe
Token: SeTakeOwnershipPrivilege	1912	msiexec.exe
Token: SeLoadDriverPrivilege	1912	msiexec.exe
Token: SeSystemProfilePrivilege	1912	msiexec.exe
Token: SeSystemtimePrivilege	1912	msiexec.exe
Token: SeProfSingleProcessPrivilege	1912	msiexec.exe
Token: SeIncBasePriorityPrivilege	1912	msiexec.exe
Token: SeCreatePagefilePrivilege	1912	msiexec.exe
Token: SeCreatePermanentPrivilege	1912	msiexec.exe
Token: SeBackupPrivilege	1912	msiexec.exe
Token: SeRestorePrivilege	1912	msiexec.exe
Token: SeShutdownPrivilege	1912	msiexec.exe
Token: SeDebugPrivilege	1912	msiexec.exe
Token: SeAuditPrivilege	1912	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1912	msiexec.exe
Token: SeChangeNotifyPrivilege	1912	msiexec.exe
Token: SeRemoteShutdownPrivilege	1912	msiexec.exe
Token: SeUndockPrivilege	1912	msiexec.exe
Token: SeSyncAgentPrivilege	1912	msiexec.exe
Token: SeEnableDelegationPrivilege	1912	msiexec.exe
Token: SeManageVolumePrivilege	1912	msiexec.exe
Token: SeImpersonatePrivilege	1912	msiexec.exe
Token: SeCreateGlobalPrivilege	1912	msiexec.exe
Token: SeBackupPrivilege	2164	vssvc.exe
Token: SeRestorePrivilege	2164	vssvc.exe
Token: SeAuditPrivilege	2164	vssvc.exe
Token: SeBackupPrivilege	4724	msiexec.exe
Token: SeRestorePrivilege	4724	msiexec.exe
Token: SeRestorePrivilege	4724	msiexec.exe
Token: SeTakeOwnershipPrivilege	4724	msiexec.exe
Token: SeRestorePrivilege	4724	msiexec.exe
Token: SeTakeOwnershipPrivilege	4724	msiexec.exe
Token: SeBackupPrivilege	2688	srtasks.exe
Token: SeRestorePrivilege	2688	srtasks.exe
Token: SeSecurityPrivilege	2688	srtasks.exe
Token: SeTakeOwnershipPrivilege	2688	srtasks.exe
Token: SeBackupPrivilege	2688	srtasks.exe
Token: SeRestorePrivilege	2688	srtasks.exe
Token: SeSecurityPrivilege	2688	srtasks.exe
Token: SeTakeOwnershipPrivilege	2688	srtasks.exe
Token: SeRestorePrivilege	4524	KXwXckjFEiVp.exe
Token: 35	4524	KXwXckjFEiVp.exe
Token: SeSecurityPrivilege	4524	KXwXckjFEiVp.exe
Token: SeSecurityPrivilege	4524	KXwXckjFEiVp.exe
Token: SeRestorePrivilege	4724	msiexec.exe
Token: SeTakeOwnershipPrivilege	4724	msiexec.exe
Token: SeRestorePrivilege	4724	msiexec.exe
Token: SeTakeOwnershipPrivilege	4724	msiexec.exe
Token: SeRestorePrivilege	4724	msiexec.exe
Token: SeTakeOwnershipPrivilege	4724	msiexec.exe
Token: SeRestorePrivilege	4724	msiexec.exe
Token: SeTakeOwnershipPrivilege	4724	msiexec.exe
Token: SeRestorePrivilege	4724	msiexec.exe
Token: SeTakeOwnershipPrivilege	4724	msiexec.exe
Token: SeRestorePrivilege	4724	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1912	msiexec.exe
1912	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3480	SunloginClient15544x64.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4724 wrote to memory of 2688	4724	msiexec.exe	100
PID 4724 wrote to memory of 2688	4724	msiexec.exe	100
PID 4724 wrote to memory of 3080	4724	msiexec.exe	102
PID 4724 wrote to memory of 3080	4724	msiexec.exe	102
PID 3080 wrote to memory of 1060	3080	MsiExec.exe	103
PID 3080 wrote to memory of 1060	3080	MsiExec.exe	103
PID 3080 wrote to memory of 4524	3080	MsiExec.exe	105
PID 3080 wrote to memory of 4524	3080	MsiExec.exe	105
PID 3080 wrote to memory of 4524	3080	MsiExec.exe	105
PID 3080 wrote to memory of 3332	3080	MsiExec.exe	107
PID 3080 wrote to memory of 3332	3080	MsiExec.exe	107
PID 3080 wrote to memory of 3332	3080	MsiExec.exe	107
PID 3080 wrote to memory of 2284	3080	MsiExec.exe	108
PID 3080 wrote to memory of 2284	3080	MsiExec.exe	108
PID 2284 wrote to memory of 3480	2284	SunloginClient15544x64.exe	111
PID 2284 wrote to memory of 3480	2284	SunloginClient15544x64.exe	111
PID 1240 wrote to memory of 112	1240	KigOyawRpuIW.exe	117
PID 1240 wrote to memory of 112	1240	KigOyawRpuIW.exe	117
PID 1240 wrote to memory of 112	1240	KigOyawRpuIW.exe	117
PID 112 wrote to memory of 4924	112	fUsKbQztGnwa.exe	118
PID 112 wrote to memory of 4924	112	fUsKbQztGnwa.exe	118
PID 112 wrote to memory of 4924	112	fUsKbQztGnwa.exe	118

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\yuanchangkuirr-intrallar.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1912

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4724
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding DD8241C19AC5144B998AE78F8C9B5AC0 E Global\MSI0000
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:3080
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\AnalyzeGentleExplorer'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    PID:1060
- - C:\Program Files\AnalyzeGentleExplorer\KXwXckjFEiVp.exe
    "C:\Program Files\AnalyzeGentleExplorer\KXwXckjFEiVp.exe" x "C:\Program Files\AnalyzeGentleExplorer\jtsQyBozxwOIHmIoteVO" -o"C:\Program Files\AnalyzeGentleExplorer\" -pjMgmEjeKlhGKaGgJyBsZ -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:4524
- - C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe
    "C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe" -number 105 -file file3 -mode mode3 -flag flag3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:3332
- - C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe
    "C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:2284
  - - C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe
      "C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe" --mod=install --admin=1
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:3480

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2164

C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe
"C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe" install
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
PID:2748

C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe
"C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe" start
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:1876

C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe
"C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe
  "C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe" -number 274 -file file3 -mode mode3 -flag flag3
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe
    "C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe" -number 362 -file file3 -mode mode3 -flag flag3
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ee58.rbs

Filesize
7KB

MD5
3c00e912b8897ba94133f9a1e7110e3a

SHA1
49c68ac3919e51c63728b98bf1fb032ac70093d7

SHA256
95a48a7c2470d1f66f27691de6d84627ef9f99c9a3b91c2285cf6d2a0d2cf6dc

SHA512
a06b72be4a553960e213d6e68a148a21789084587b88f558b86e9a35153e27ce9cac989e53dad92e69f8631bc7ffc2f16e9ac7674410a3a60befc85a00eed9bc

Download Submit
C:\Program Files\AnalyzeGentleExplorer\KXwXckjFEiVp.exe

Filesize
577KB

MD5
11fa744ebf6a17d7dd3c58dc2603046d

SHA1
d99de792fd08db53bb552cd28f0080137274f897

SHA256
1b16c41ae39b679384b06f1492b587b650716430ff9c2e079dca2ad1f62c952d

SHA512
424196f2acf5b89807f4038683acc50e7604223fc630245af6bab0e0df923f8b1c49cb09ac709086568c214c3f53dcb7d6c32e8a54af222a3ff78cfab9c51670

Download Submit
C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.wrapper.log

Filesize
302B

MD5
19f8478776066aaf01c1d635d6f464c7

SHA1
d86d22928b0b7ac786356c8b6dded2ec064c952b

SHA256
47950fde831d9c151a50a96dae3acca28c2dd48f55aabe8ee90e4872542be5c9

SHA512
435bfa33c74a482261e352427a24f462d706e6413ce2322ec7fae9456447fa1806287f2a41b2a2b7bfe3f142445975e47bd3a872c4322771b26a7ae479e2b5ca

Download Submit
C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.wrapper.log

Filesize
476B

MD5
49dd6961435700f48320840190fb2a75

SHA1
c9f629ba3320b72a7569fbdb9e6a6f17b8bada1e

SHA256
757a3e7bbbd66157da25e83f3f04ad9da84c4a45826a300ce990320aec3c2e4a

SHA512
8dfb7f35b1427acbf992c11c31bd09f031f00c4f67690d45811519b7a12d416d668d1c627e6074091b3eb934d4c73868462a7f95edda46d2250049511dd2331a

Download Submit
C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.wrapper.log

Filesize
660B

MD5
e489360fa7033a947670c2a3859f274c

SHA1
00b339a8083bcd27ab5f91bf9f1884ffd411533e

SHA256
1ec2e234e1f3a27f0426b8b2b4ba4553392244e82a616464e227994085cac6b0

SHA512
284b307ae8619b4279905c109f4e1b43a23c8d418b185045f2e6ab35be8e19d918a7bbc5d25adcfe405bb06d162cc8ec8ad49e1e3b607c3c32ef33b0c762f6b4

Download Submit
C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.wrapper.log

Filesize
806B

MD5
64c8963f11bc5ae5eb571dee62fd8277

SHA1
c6cc8967c0648abfd3cf555913485bac27ccd393

SHA256
6186127241d2481fa46ed0689b0b665f26d21e915ef5fd8eb110f4e0a8d2a082

SHA512
12479e88352ca9a84ac0e4beb954144ce3065b57026fe56101f486dcf9d40c0498d036c6d6b916d03ddfbc4557e32df1f8cce8693ba9a4430fbac2b4fb29bf04

Download Submit
C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.xml

Filesize
463B

MD5
037dfea35d309b76b100357b1911aaf7

SHA1
82f3abd9edf807226ec28e6cf8356e3549e9bd81

SHA256
ad6f19216c1ca04185cdcaf257c530f86edde443ebd8d716cf6092b1172ffb33

SHA512
dae7819df2ab7eae72602551bd0fcfd2bb47f7c194c54eb1f7aa03c1d2351598254297bc5d72f5c6a47bf0904f3e11aafa9718edbc97b2773df8f88d57a86c77

Download Submit
C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe

Filesize
2.9MB

MD5
a2e29c5a531ca5fdf5d4c7e75ba2748c

SHA1
1709ea8be99923c6ee4eb369e3971e3522d67f36

SHA256
ef86954f2831682faf3655901cf82afe0d7d6fc62e8335a2f508af5d03f03d5c

SHA512
e4fee7e410f8f199aa79f014290c0312d720fdb92a6efc48db5badea4fa4610bf344f23d3b7516b2a0e181aa8b27b00e446665a83de4b2d0acfa2e664df64434

Download Submit
C:\Program Files\AnalyzeGentleExplorer\jtsQyBozxwOIHmIoteVO

Filesize
2.1MB

MD5
5aba1a676ca0de4994c623060e05f946

SHA1
e792c676bdbecd6baf1516fd3adbba06764aec98

SHA256
0a9d3dee1cf01c5f909c19e2821975397106b70581bc32c845ae9ef584bd1c32

SHA512
55bc57941e1f76844881eecd56f65b35c2f7eff614a02a47a0f6b5ab41d2a4512b9b970fd658652b8fc56a07a78b46ce2c246798d82f5d256a80f5025ac5d6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\check_sign_test.log

Filesize
310B

MD5
c256dc950a96c711ae515ce274a3c38a

SHA1
e2a639888d3faf686be8ac6f811f76e6915228eb

SHA256
930ed7283301dcbaac640c35c47f6febea808e64b6e5bd2f51863551aed2011f

SHA512
24d8f26d83c410182fd6787806d01bcf0742748d00b793d27c55e5795a50d862275e9fa3dd8004935bc7427f1d0946949194c9ee2d8cd8e04e041a4db2051a67

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\KigOyawRpuIW.exe.log

Filesize
1KB

MD5
122cf3c4f3452a55a92edee78316e071

SHA1
f2caa36d483076c92d17224cf92e260516b3cbbf

SHA256
42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

SHA512
c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
00f9f07b5b777f929f291967fd138893

SHA1
45eb865dee087935ac48c94a68406048379a11e0

SHA256
08a42c6344dca1b8afd6842f67d4262114d5e0b7287ff2fe988f7ac3abaee690

SHA512
87cba2ac8f7ac2a71e4c3cfffb5aa88810c1a584455ac3841079c0ba0cca03459f6ff3ce9d9f2ca160e9e25027937cfd34933b4cee2f31e3d6796733c0672ace

Download Submit
\??\Volume{f0eec59f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5e31f0f0-2ae5-4009-8f46-63b2b362237b}_OnDiskSnapshotProp

Filesize
6KB

MD5
fcc4a29ccf00874de48bb1a79d388994

SHA1
920fa06b831cea8ad88ef89a2485021ea0e78433

SHA256
b4a77e7b5f73f6dab8e54336d123d0705cf60072f443202285601ddf00dbfe1b

SHA512
c1b8e0d6c48ba9c6cec33a3e5746509d06e735718dd8b760e5d5eb4aede3f00436141ac054a55c1c5ef672377a97d33a17d6c36ae9c5bbbbfaa54bdb0e2c4284

Download Submit
memory/2284-54-0x00007FF776730000-0x00007FF777730000-memory.dmp

Filesize
16.0MB

Download
memory/2748-45-0x0000000000610000-0x00000000006E6000-memory.dmp

Filesize
856KB

Download
memory/3332-29-0x00000000299D0000-0x00000000299FC000-memory.dmp

Filesize
176KB

Download
memory/4924-79-0x000000002B880000-0x000000002B8C6000-memory.dmp

Filesize
280KB

Download
memory/4924-81-0x000000002BD00000-0x000000002BEBC000-memory.dmp

Filesize
1.7MB

Download
memory/4924-83-0x000000002BD00000-0x000000002BEBC000-memory.dmp

Filesize
1.7MB

Download
memory/4924-84-0x000000002BD00000-0x000000002BEBC000-memory.dmp

Filesize
1.7MB

Download
memory/4924-85-0x000000002BD00000-0x000000002BEBC000-memory.dmp

Filesize
1.7MB

Download