gh0strat | 2bd63252d1eeec4888e0674d52d5dfa80bd69d8accd64f7fb1ea6bdcbe9d4a61

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-10-2024 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

yuanchangkuirr-intrallar.msi
Size

72.3MB
MD5

31e8ef3c0591e3ce82cb1c43fb6459c2
SHA1

2adc3a5470d7e7507c60e6bf88d86985b2d3a7b9
SHA256

9e0543dbde32aeacb27324fc070be63ae7bf679fbe69a4836e3dab627812a7b8
SHA512

c1607b5a051fe034378dee8c27aca1effbdf4ab985a500160f2260403bace6f5575117e73a21878ec3f88d1bde49f56cc99184012cb66d1cb2bdc2a7defb4994
SSDEEP

1572864:DNDFH5QOjDdexAgZt/qNOU1bpJh11+exX8t6iwwdM1ZE0d+LH:1xjDdKAqFqQCJh11/xYP50d+7

Score

10^/10

gh0strat purplefox discovery execution persistence privilege_escalation rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 4 IoCs

Detect PurpleFox Rootkit.

rootkit

Processes:

resource	yara_rule
behavioral2/memory/392-92-0x000000002B800000-0x000000002B9BC000-memory.dmp	purplefox_rootkit
behavioral2/memory/392-96-0x000000002B800000-0x000000002B9BC000-memory.dmp	purplefox_rootkit
behavioral2/memory/392-97-0x000000002B800000-0x000000002B9BC000-memory.dmp	purplefox_rootkit
behavioral2/memory/392-98-0x000000002B800000-0x000000002B9BC000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/392-92-0x000000002B800000-0x000000002B9BC000-memory.dmp	family_gh0strat
behavioral2/memory/392-96-0x000000002B800000-0x000000002B9BC000-memory.dmp	family_gh0strat
behavioral2/memory/392-97-0x000000002B800000-0x000000002B9BC000-memory.dmp	family_gh0strat
behavioral2/memory/392-98-0x000000002B800000-0x000000002B9BC000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

Processes:

powershell.exe

pid	Process
1612	powershell.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exefUsKbQztGnwa.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	fUsKbQztGnwa.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	fUsKbQztGnwa.exe
File opened (read-only)	\??\T:	fUsKbQztGnwa.exe
File opened (read-only)	\??\X:	fUsKbQztGnwa.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	fUsKbQztGnwa.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	fUsKbQztGnwa.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	fUsKbQztGnwa.exe
File opened (read-only)	\??\J:	fUsKbQztGnwa.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	fUsKbQztGnwa.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	fUsKbQztGnwa.exe
File opened (read-only)	\??\U:	fUsKbQztGnwa.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	fUsKbQztGnwa.exe
File opened (read-only)	\??\W:	fUsKbQztGnwa.exe
File opened (read-only)	\??\Z:	fUsKbQztGnwa.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	fUsKbQztGnwa.exe
File opened (read-only)	\??\O:	fUsKbQztGnwa.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	fUsKbQztGnwa.exe
File opened (read-only)	\??\Q:	fUsKbQztGnwa.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	fUsKbQztGnwa.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	fUsKbQztGnwa.exe
File opened (read-only)	\??\Y:	fUsKbQztGnwa.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe

Drops file in System32 directory 1 IoCs

Processes:

KigOyawRpuIW.exe

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\KigOyawRpuIW.exe.log	KigOyawRpuIW.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/3056-56-0x00007FF6C78C0000-0x00007FF6C88C0000-memory.dmp	upx

Drops file in Program Files directory 16 IoCs

Processes:

KXwXckjFEiVp.exeKigOyawRpuIW.exeKigOyawRpuIW.exefUsKbQztGnwa.exeKigOyawRpuIW.exemsiexec.exe

description	ioc	Process
File created	C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.xml	KXwXckjFEiVp.exe
File created	C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe	KXwXckjFEiVp.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe	KXwXckjFEiVp.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.wrapper.log	KigOyawRpuIW.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.wrapper.log	KigOyawRpuIW.exe
File created	C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa	KXwXckjFEiVp.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa	KXwXckjFEiVp.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.xml	KXwXckjFEiVp.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer	fUsKbQztGnwa.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.wrapper.log	KigOyawRpuIW.exe
File created	C:\Program Files\AnalyzeGentleExplorer\common_clang32.dll	msiexec.exe
File created	C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe	msiexec.exe
File created	C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe	KXwXckjFEiVp.exe
File opened for modification	C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe	KXwXckjFEiVp.exe
File created	C:\Program Files\AnalyzeGentleExplorer\jtsQyBozxwOIHmIoteVO	msiexec.exe
File created	C:\Program Files\AnalyzeGentleExplorer\KXwXckjFEiVp.exe	msiexec.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{024CDB6C-7DDE-4E3D-A2D4-9CAE8EB1D4BF}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3718.tmp	msiexec.exe
File created	C:\Windows\Installer\e583526.msi	msiexec.exe
File created	C:\Windows\Installer\e583524.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e583524.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Executes dropped EXE 9 IoCs

Processes:

KXwXckjFEiVp.exefUsKbQztGnwa.exeSunloginClient15544x64.exeSunloginClient15544x64.exeKigOyawRpuIW.exeKigOyawRpuIW.exeKigOyawRpuIW.exefUsKbQztGnwa.exefUsKbQztGnwa.exe

pid	Process
3908	KXwXckjFEiVp.exe
2012	fUsKbQztGnwa.exe
3056	SunloginClient15544x64.exe
2832	SunloginClient15544x64.exe
4408	KigOyawRpuIW.exe
700	KigOyawRpuIW.exe
4888	KigOyawRpuIW.exe
264	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

Processes:

msiexec.exe

pid	Process
3092	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

KXwXckjFEiVp.exefUsKbQztGnwa.exefUsKbQztGnwa.exefUsKbQztGnwa.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KXwXckjFEiVp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fUsKbQztGnwa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fUsKbQztGnwa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fUsKbQztGnwa.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f59c2d6185d8bf0c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f59c2d610000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f59c2d61000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df59c2d61000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f59c2d6100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

fUsKbQztGnwa.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	fUsKbQztGnwa.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	fUsKbQztGnwa.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

powershell.exeSunloginClient15544x64.exeMsiExec.exeSunloginClient15544x64.exemsiexec.exe

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	SunloginClient15544x64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration	SunloginClient15544x64.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\System	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration\0	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\DeviceInstances	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)"	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	SunloginClient15544x64.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet	SunloginClient15544x64.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties\PrivateProperties\DirectInput\VID_0627&PID_0001\Calibration\0\GUID = a024eb52e490ef118001444553540000	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\System\CurrentControlSet\Control\MediaProperties	SunloginClient15544x64.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe

Modifies registry class 22 IoCs

Processes:

msiexec.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\PackageName = "yuanchangkuirr-intrallar.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C6BDC420EDD7D3E42A4DC9EAE81B4DFB	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\ProductName = "AnalyzeGentleExplorer"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\PackageCode = "16365A16AE1FE094B86DB5BC2E221855"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\Version = "67567622"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C19253CA00EB68D488C5FD8D3377BD29	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C19253CA00EB68D488C5FD8D3377BD29\C6BDC420EDD7D3E42A4DC9EAE81B4DFB	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C6BDC420EDD7D3E42A4DC9EAE81B4DFB\Clients = 3a0000000000	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exepowershell.exefUsKbQztGnwa.exeKigOyawRpuIW.exefUsKbQztGnwa.exefUsKbQztGnwa.exe

pid	Process
3884	msiexec.exe
3884	msiexec.exe
1612	powershell.exe
1612	powershell.exe
1612	powershell.exe
2012	fUsKbQztGnwa.exe
2012	fUsKbQztGnwa.exe
4888	KigOyawRpuIW.exe
4888	KigOyawRpuIW.exe
264	fUsKbQztGnwa.exe
264	fUsKbQztGnwa.exe
264	fUsKbQztGnwa.exe
264	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe
392	fUsKbQztGnwa.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exepowershell.exeKXwXckjFEiVp.exe

description	pid	Process
Token: SeShutdownPrivilege	3092	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3092	msiexec.exe
Token: SeSecurityPrivilege	3884	msiexec.exe
Token: SeCreateTokenPrivilege	3092	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3092	msiexec.exe
Token: SeLockMemoryPrivilege	3092	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3092	msiexec.exe
Token: SeMachineAccountPrivilege	3092	msiexec.exe
Token: SeTcbPrivilege	3092	msiexec.exe
Token: SeSecurityPrivilege	3092	msiexec.exe
Token: SeTakeOwnershipPrivilege	3092	msiexec.exe
Token: SeLoadDriverPrivilege	3092	msiexec.exe
Token: SeSystemProfilePrivilege	3092	msiexec.exe
Token: SeSystemtimePrivilege	3092	msiexec.exe
Token: SeProfSingleProcessPrivilege	3092	msiexec.exe
Token: SeIncBasePriorityPrivilege	3092	msiexec.exe
Token: SeCreatePagefilePrivilege	3092	msiexec.exe
Token: SeCreatePermanentPrivilege	3092	msiexec.exe
Token: SeBackupPrivilege	3092	msiexec.exe
Token: SeRestorePrivilege	3092	msiexec.exe
Token: SeShutdownPrivilege	3092	msiexec.exe
Token: SeDebugPrivilege	3092	msiexec.exe
Token: SeAuditPrivilege	3092	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3092	msiexec.exe
Token: SeChangeNotifyPrivilege	3092	msiexec.exe
Token: SeRemoteShutdownPrivilege	3092	msiexec.exe
Token: SeUndockPrivilege	3092	msiexec.exe
Token: SeSyncAgentPrivilege	3092	msiexec.exe
Token: SeEnableDelegationPrivilege	3092	msiexec.exe
Token: SeManageVolumePrivilege	3092	msiexec.exe
Token: SeImpersonatePrivilege	3092	msiexec.exe
Token: SeCreateGlobalPrivilege	3092	msiexec.exe
Token: SeBackupPrivilege	988	vssvc.exe
Token: SeRestorePrivilege	988	vssvc.exe
Token: SeAuditPrivilege	988	vssvc.exe
Token: SeBackupPrivilege	3884	msiexec.exe
Token: SeRestorePrivilege	3884	msiexec.exe
Token: SeRestorePrivilege	3884	msiexec.exe
Token: SeTakeOwnershipPrivilege	3884	msiexec.exe
Token: SeRestorePrivilege	3884	msiexec.exe
Token: SeTakeOwnershipPrivilege	3884	msiexec.exe
Token: SeBackupPrivilege	4452	srtasks.exe
Token: SeRestorePrivilege	4452	srtasks.exe
Token: SeSecurityPrivilege	4452	srtasks.exe
Token: SeTakeOwnershipPrivilege	4452	srtasks.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeBackupPrivilege	4452	srtasks.exe
Token: SeRestorePrivilege	4452	srtasks.exe
Token: SeSecurityPrivilege	4452	srtasks.exe
Token: SeTakeOwnershipPrivilege	4452	srtasks.exe
Token: SeRestorePrivilege	3908	KXwXckjFEiVp.exe
Token: 35	3908	KXwXckjFEiVp.exe
Token: SeSecurityPrivilege	3908	KXwXckjFEiVp.exe
Token: SeSecurityPrivilege	3908	KXwXckjFEiVp.exe
Token: SeRestorePrivilege	3884	msiexec.exe
Token: SeTakeOwnershipPrivilege	3884	msiexec.exe
Token: SeRestorePrivilege	3884	msiexec.exe
Token: SeTakeOwnershipPrivilege	3884	msiexec.exe
Token: SeRestorePrivilege	3884	msiexec.exe
Token: SeTakeOwnershipPrivilege	3884	msiexec.exe
Token: SeRestorePrivilege	3884	msiexec.exe
Token: SeTakeOwnershipPrivilege	3884	msiexec.exe
Token: SeRestorePrivilege	3884	msiexec.exe
Token: SeTakeOwnershipPrivilege	3884	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid	Process
3092	msiexec.exe
3092	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

SunloginClient15544x64.exe

pid	Process
2832	SunloginClient15544x64.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

msiexec.exeMsiExec.exeSunloginClient15544x64.exeKigOyawRpuIW.exefUsKbQztGnwa.exe

description	pid	Process	procid_target
PID 3884 wrote to memory of 4452	3884	msiexec.exe	101
PID 3884 wrote to memory of 4452	3884	msiexec.exe	101
PID 3884 wrote to memory of 464	3884	msiexec.exe	103
PID 3884 wrote to memory of 464	3884	msiexec.exe	103
PID 464 wrote to memory of 1612	464	MsiExec.exe	104
PID 464 wrote to memory of 1612	464	MsiExec.exe	104
PID 464 wrote to memory of 3908	464	MsiExec.exe	106
PID 464 wrote to memory of 3908	464	MsiExec.exe	106
PID 464 wrote to memory of 3908	464	MsiExec.exe	106
PID 464 wrote to memory of 2012	464	MsiExec.exe	108
PID 464 wrote to memory of 2012	464	MsiExec.exe	108
PID 464 wrote to memory of 2012	464	MsiExec.exe	108
PID 464 wrote to memory of 3056	464	MsiExec.exe	109
PID 464 wrote to memory of 3056	464	MsiExec.exe	109
PID 3056 wrote to memory of 2832	3056	SunloginClient15544x64.exe	111
PID 3056 wrote to memory of 2832	3056	SunloginClient15544x64.exe	111
PID 4888 wrote to memory of 264	4888	KigOyawRpuIW.exe	120
PID 4888 wrote to memory of 264	4888	KigOyawRpuIW.exe	120
PID 4888 wrote to memory of 264	4888	KigOyawRpuIW.exe	120
PID 264 wrote to memory of 392	264	fUsKbQztGnwa.exe	121
PID 264 wrote to memory of 392	264	fUsKbQztGnwa.exe	121
PID 264 wrote to memory of 392	264	fUsKbQztGnwa.exe	121

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\yuanchangkuirr-intrallar.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3092

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3884
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4452
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 05A1923F3E823B50EE76E82E58B9ABE7 E Global\MSI0000
  2⤵
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:464
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\AnalyzeGentleExplorer'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- - C:\Program Files\AnalyzeGentleExplorer\KXwXckjFEiVp.exe
    "C:\Program Files\AnalyzeGentleExplorer\KXwXckjFEiVp.exe" x "C:\Program Files\AnalyzeGentleExplorer\jtsQyBozxwOIHmIoteVO" -o"C:\Program Files\AnalyzeGentleExplorer\" -pjMgmEjeKlhGKaGgJyBsZ -y
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:3908
- - C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe
    "C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe" -number 105 -file file3 -mode mode3 -flag flag3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2012
- - C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe
    "C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:3056
  - - C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe
      "C:\Program Files\AnalyzeGentleExplorer\SunloginClient15544x64.exe" --mod=install --admin=1
      4⤵
      Executes dropped EXE
      Modifies data under HKEY_USERS
      Suspicious use of SetWindowsHookEx
      PID:2832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:988

C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe
"C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe" install
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
PID:4408

C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe
"C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe" start
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:700

C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe
"C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe
  "C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe" -number 274 -file file3 -mode mode3 -flag flag3
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:264
- - C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe
    "C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe" -number 362 -file file3 -mode mode3 -flag flag3
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:392

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e583525.rbs

Filesize
7KB

MD5
ea0c0ea8c5c5b6dc94d61d738a345592

SHA1
04d63f37be9499ba9fc109db5ac6f8e701678da8

SHA256
a248967acd35996e6100fda788d1d81350a6d38fab005f79673089bf590579c8

SHA512
14dd775d231fd3eb267f1bc57779be6e3b491cc71d31e1410ef56b74c3686cbe4a2be51e9242d663c07c43d576e18dc04b1ea83a556878c0f7da4ae2be1c05fb

Download Submit
C:\Program Files\AnalyzeGentleExplorer\KXwXckjFEiVp.exe

Filesize
577KB

MD5
11fa744ebf6a17d7dd3c58dc2603046d

SHA1
d99de792fd08db53bb552cd28f0080137274f897

SHA256
1b16c41ae39b679384b06f1492b587b650716430ff9c2e079dca2ad1f62c952d

SHA512
424196f2acf5b89807f4038683acc50e7604223fc630245af6bab0e0df923f8b1c49cb09ac709086568c214c3f53dcb7d6c32e8a54af222a3ff78cfab9c51670

Download Submit
C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.wrapper.log

Filesize
302B

MD5
5610d8a8b061dbf414bd5facc353099a

SHA1
4a1127e2ff5e22ce3f293469dd47f2789b9307e8

SHA256
bb42b8f6e705a500b5ef2319c58fcd0d60683ec753b759ae1bf6824d80b5a9ef

SHA512
e68d8617d6312e805148fac0e23994cbc101184dcc8336e2040176f61e15046c369b8537a3d5f23afee2d7c2c817be51463ef0286d2a8634469c6606a1ca2853

Download Submit
C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.wrapper.log

Filesize
476B

MD5
c78f5ea50c0269769eb08a4536ac1082

SHA1
9cb2072943185ae4d91a6e673cb1f3ceaae61670

SHA256
e25333b9351b4d3db9a1360a85dda2dd8d9e13e6daf459a7c0864416457c746b

SHA512
08e702ad756172740c24ec96fb73c6d387b2ef7acc0445c8ad8db33358c3dccd68c1ccfa2590988dfa7e7aef3dffd9a679e8464c3dbe92ed37023cd0e18ca58c

Download Submit
C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.wrapper.log

Filesize
540B

MD5
4e4c296b262ddb11862baba978b305b6

SHA1
9f70eaf89a7379b4cce050c4ec238da4a5923137

SHA256
9f59af3fec2a77ab64e27d19c216d58fbb580b3a5bb515fe0bcccfc931cd3c0c

SHA512
a5e086024d5b277a07ddf3e520b7a27635db309ec3da2b475cb7b2d6393f58e21f36dfa0ca16098d6e741af1136614833bfa67311c12cf5c386ef6385ea393ce

Download Submit
C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.wrapper.log

Filesize
846B

MD5
1841c0000fbea3be907b1e7883da6f8c

SHA1
f03603003b7002abd693649a6e1af4c839632561

SHA256
223a3829e5829cc99e72de790eef19ec51484b90e4447ed6013ad716042684c4

SHA512
6e3a5944bec66356e2d90b9994b3417f99870bcee09f42730f650051814f2023763bfb3c32bc3bbc3d4d85c472fb7b6e6c5da8b56423fe79813b6e23006ed624

Download Submit
C:\Program Files\AnalyzeGentleExplorer\KigOyawRpuIW.xml

Filesize
463B

MD5
037dfea35d309b76b100357b1911aaf7

SHA1
82f3abd9edf807226ec28e6cf8356e3549e9bd81

SHA256
ad6f19216c1ca04185cdcaf257c530f86edde443ebd8d716cf6092b1172ffb33

SHA512
dae7819df2ab7eae72602551bd0fcfd2bb47f7c194c54eb1f7aa03c1d2351598254297bc5d72f5c6a47bf0904f3e11aafa9718edbc97b2773df8f88d57a86c77

Download Submit
C:\Program Files\AnalyzeGentleExplorer\fUsKbQztGnwa.exe

Filesize
2.9MB

MD5
a2e29c5a531ca5fdf5d4c7e75ba2748c

SHA1
1709ea8be99923c6ee4eb369e3971e3522d67f36

SHA256
ef86954f2831682faf3655901cf82afe0d7d6fc62e8335a2f508af5d03f03d5c

SHA512
e4fee7e410f8f199aa79f014290c0312d720fdb92a6efc48db5badea4fa4610bf344f23d3b7516b2a0e181aa8b27b00e446665a83de4b2d0acfa2e664df64434

Download Submit
C:\Program Files\AnalyzeGentleExplorer\jtsQyBozxwOIHmIoteVO

Filesize
2.1MB

MD5
5aba1a676ca0de4994c623060e05f946

SHA1
e792c676bdbecd6baf1516fd3adbba06764aec98

SHA256
0a9d3dee1cf01c5f909c19e2821975397106b70581bc32c845ae9ef584bd1c32

SHA512
55bc57941e1f76844881eecd56f65b35c2f7eff614a02a47a0f6b5ab41d2a4512b9b970fd658652b8fc56a07a78b46ce2c246798d82f5d256a80f5025ac5d6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ohfbsux1.wgx.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\check_sign_test.log

Filesize
310B

MD5
c256dc950a96c711ae515ce274a3c38a

SHA1
e2a639888d3faf686be8ac6f811f76e6915228eb

SHA256
930ed7283301dcbaac640c35c47f6febea808e64b6e5bd2f51863551aed2011f

SHA512
24d8f26d83c410182fd6787806d01bcf0742748d00b793d27c55e5795a50d862275e9fa3dd8004935bc7427f1d0946949194c9ee2d8cd8e04e041a4db2051a67

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\KigOyawRpuIW.exe.log

Filesize
1KB

MD5
122cf3c4f3452a55a92edee78316e071

SHA1
f2caa36d483076c92d17224cf92e260516b3cbbf

SHA256
42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

SHA512
c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
c83919e4629ee82e2b4c11bc8e0969a3

SHA1
d83ac09fe37ceafdd31dd4a4c89f42203d46b218

SHA256
8988f811a79af241d22ed4bc4249806db7f230bb9d3a192b64de68a77776b637

SHA512
805c2268a5d75d0ba11763aeb659ee66cf1627d52595be340e4775a30ee8ebf50da3dca665c15b6601c0e8db70d0307f5b0098eba1adde97c5acaa9612f6ac89

Download Submit
\??\Volume{612d9cf5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{540c0fb3-7e51-47ee-a27c-885f1371154b}_OnDiskSnapshotProp

Filesize
6KB

MD5
def27063a9542c67baca332df7023c46

SHA1
aabece130b0b0a501f4812bdb975f2bd34ee8c08

SHA256
88191dfe889dcbe1f7d41f5eb853230ab6b1fa65908da9979c034c264a1bfb55

SHA512
e58bc53022bfd5be9d2a3b8e7820a199261597e5fb056e78b2ea9cfe49c3bd35452498eab750d099bfff19de12241a1d5d49b929dcbd0b3381e154f509f4201a

Download Submit
memory/392-91-0x000000002B3A0000-0x000000002B3E6000-memory.dmp

Filesize
280KB

Download
memory/392-92-0x000000002B800000-0x000000002B9BC000-memory.dmp

Filesize
1.7MB

Download
memory/392-96-0x000000002B800000-0x000000002B9BC000-memory.dmp

Filesize
1.7MB

Download
memory/392-97-0x000000002B800000-0x000000002B9BC000-memory.dmp

Filesize
1.7MB

Download
memory/392-98-0x000000002B800000-0x000000002B9BC000-memory.dmp

Filesize
1.7MB

Download
memory/1612-20-0x00000209F1BD0000-0x00000209F1BF2000-memory.dmp

Filesize
136KB

Download
memory/2012-60-0x000000002A3E0000-0x000000002A40C000-memory.dmp

Filesize
176KB

Download
memory/3056-56-0x00007FF6C78C0000-0x00007FF6C88C0000-memory.dmp

Filesize
16.0MB

Download
memory/4408-63-0x0000000000990000-0x0000000000A66000-memory.dmp

Filesize
856KB

Download