Malware Analysis Report

2025-01-19 00:04

Sample ID 241029-h6xz8avnek
Target Koalageddon-2.0.1.msi
SHA256 793a6b5980872bc0c16c53ee550f860b90e8955fbbf2f0bd15734e05e9b4c3b8
Tags
discovery persistence privilege_escalation
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

793a6b5980872bc0c16c53ee550f860b90e8955fbbf2f0bd15734e05e9b4c3b8

Threat Level: Shows suspicious behavior

The file Koalageddon-2.0.1.msi was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence privilege_escalation

Enumerates connected drives

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Drops file in Program Files directory

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Modifies registry class

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Checks processor information in registry

Modifies Internet Explorer settings

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-29 07:21

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-29 07:21

Reported

2024-10-29 07:25

Platform

win7-20240708-en

Max time kernel

136s

Max time network

134s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Koalageddon-2.0.1.msi

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Control Panel\International\Geo\Nation C:\Program Files\Koalageddon\Koalageddon.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Koalageddon\app\ui-desktop-1.3.0-a7e94e2d777927f3ad9a25ad39acfba2.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\skiko-windows-x64.dll.sha256 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-processthreads-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\conf\logging.properties C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.xml\jcup.md C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\lib\security\cacerts C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-localization-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\ktor-websockets-jvm-2.2.3-3f5e2b16c8fd664048f4df7641eec6.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.base\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\material-ripple-desktop-1.3.0-c98fbd81cc22afec5722db468c90bdd2.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\lcms.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.sql\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-processenvironment-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\conf\security\policy\limited\default_local.policy C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\conf\net.properties C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.desktop\colorimaging.md C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\runtime-desktop-1.3.0-54ac464446fef98e10ecdf8b20442cc7.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\conf\security\java.policy C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\ucrtbase.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.desktop\harfbuzz.md C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.naming\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.desktop\jpeg.md C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-synch-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\asn-one-0.4.0-d3153e6fec8296ebfbc8936fdcef775b.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\annotations-13.0-f4fb462172517b46b6cd900358515a.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\bcprov-jdk15on-1.66-fd57b228172782ae6a73d22a7ac9b45.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-errorhandling-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\SwtJavaFx-1.1-7d5354a35e5b72de6f6f961a3d59a739.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.base\zlib.md C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\ui-graphics-desktop-1.3.0-59b535876d1f4c2a8ec6f15bf7e16c47.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\jawt.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.desktop\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.management\COPYRIGHT C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\management.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\ui-util-desktop-1.3.0-8493905dc83f28d88ab0bc5efc673cb.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.instrument\COPYRIGHT C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\atomicfu-jvm-0.17.2-d6b6f3a195696acf1828b1f125125ed7.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.transaction.xa\COPYRIGHT C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\icudtl.dat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\mlib_image.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-string-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\skiko-awt-0.7.50-f6f802814e7d5cbaca365b09fcbf7b8.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\material-icons-extended-desktop-1.3.0-e5efe76264bf6932939e16916c91c8.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.management\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\lib\tzdb.dat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\jsound.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-file-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\conf\security\policy\limited\default_US_export.policy C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-file-l2-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\ktor-http-cio-jvm-2.2.3-619ea76ad4acc6f8eb952895cb7d3839.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-stdio-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\ktor-client-core-jvm-2.2.3-10983389bcffa69d59376dc1a9121d1.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-runtime-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\java.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\desktop-jvm-1.3.0-58ea927638b39cfe35a1568cc156f01d.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-sysinfo-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\xz-1.9-57c2fbfeb55e307ccae52e532282e2.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\kotlinx-serialization-core-jvm-1.4.1-a97020d828c89c7df2453bdfd1cd403a.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\tinylog-impl-2.6.0-8726c27d582d10eb1d365cdeb0c5524.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\kodein-di-framework-compose-jvm-7.18.0-d971578ee18e2e4a27be0f364679d.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\kaverit-jvm-2.3.0-17af38bb801a1e7f9991de1afdb3b4ed.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-memory-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\f76f3f0.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76f3f1.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\JpARPPRODUCTICON C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\JpARPPRODUCTICON C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76f3f1.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSIF6DE.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76f3f3.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIF45D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\icon_1862387937 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76f3f0.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\icon_1862387937 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A C:\Program Files\Koalageddon\Koalageddon.exe N/A
N/A N/A N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\Koalageddon\Koalageddon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Program Files\Koalageddon\Koalageddon.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{A7788761-95C6-11EF-9452-E2BC28E7E786} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = [value not present in report] C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a4b865739362284b9199a816bd1d7c4e00000000020000000000106600000001000020000000beef592aa145155d5f89ab124bdfdc6a64948355f81787171906a1c460d95243000000000e800000000200002000000093a886b337f18b2ef7b6d6bb37ce97df6daae3e194ee8befafb45978c5246e3c2000000061bddd65aec515f4e2418d4c8d01d4003e6151896d3041cb147e8abbd967f81540000000d557ba5de9e6a2005ce47d957dc6f40a30e1d9bdf798cb0b542860dbaac7f24d45e03c44d1e426e9d27ba63883052c665039ee5a50dcca9092b3a633d9680ab6 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436348459" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00e12173d329db01 C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\PackageCode = "EFEAD4423A6F1324DB76D9F43705B59D" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\PackageName = "Koalageddon-2.0.1.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0F00B17C060556634A44B1FF3DF15A7F\DefaultFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\ProductIcon = "C:\\Windows\\Installer\\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\\JpARPPRODUCTICON" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\550FE40B7A8BE324E8F68353EA49C3E4 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\Version = "33554433" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\ProductName = "Koalageddon" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\550FE40B7A8BE324E8F68353EA49C3E4\0F00B17C060556634A44B1FF3DF15A7F C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0F00B17C060556634A44B1FF3DF15A7F C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F C:\Windows\system32\msiexec.exe N/A
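
The Installer keys above are not random: 0F00B17C060556634A44B1FF3DF15A7F is the ProductCode in Windows Installer's "packed GUID" form, and the ProductIcon path in the same table spells out the unpacked GUID {C71B00F0-5060-3665-A444-1BFFD31FA5F7}. The Version DWORD 33554433 (0x02000001) packs major.minor.build and the MuiCache LanguageList blob is a UTF-16LE REG_MULTI_SZ. The following decoder is an added example written for this page, not code from the sandbox vendor or from the Koalageddon project; it works only from values the table records, and the REPORT dictionary is those values copied in.

```python
"""Decode the Windows Installer registry artefacts recorded above.

Added example, not part of the sandbox report or of Koalageddon. It works
only from values the table records: the Installer\\Products key name, the
UpgradeCodes key name, the ProductIcon path, the Version and Language
DWORDs, and the MuiCache LanguageList blob from the HKEY_USERS table.
"""
import re

REPORT = {  # values copied from the registry rows above
    "products_key": "0F00B17C060556634A44B1FF3DF15A7F",
    "upgrade_key": "550FE40B7A8BE324E8F68353EA49C3E4",
    "product_icon": r"C:\Windows\Installer\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\JpARPPRODUCTICON",
    "version": 33554433,
    "language": 1033,
    "language_list_hex": "65006e002d0055005300000065006e0000000000",
}


def _swap_pairs(s: str) -> str:
    """Reverse each 2-character group: 'A444' -> '4A44'."""
    return "".join(s[i:i + 2][::-1] for i in range(0, len(s), 2))


def unpack_msi_guid(packed: str) -> str:
    """Installer key name -> {GUID}.

    Windows Installer stores ProductCode/UpgradeCode under
    HKLM\\SOFTWARE\\Classes\\Installer as a 'packed' GUID: the first three
    groups are reversed as whole strings, the last two byte-pair by byte-pair.
    """
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", packed):
        raise ValueError(f"not a packed GUID: {packed!r}")
    p = packed.upper()
    return "{%s-%s-%s-%s-%s}" % (p[0:8][::-1], p[8:12][::-1], p[12:16][::-1],
                                 _swap_pairs(p[16:20]), _swap_pairs(p[20:32]))


def pack_msi_guid(guid: str) -> str:
    """{GUID} -> Installer key name; the inverse of unpack_msi_guid().
    Handy for turning a known ProductCode into the key name to hunt for."""
    m = re.fullmatch(r"\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-"
                     r"([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?", guid)
    if not m:
        raise ValueError(f"not a GUID: {guid!r}")
    g1, g2, g3, g4, g5 = (g.upper() for g in m.groups())
    return g1[::-1] + g2[::-1] + g3[::-1] + _swap_pairs(g4) + _swap_pairs(g5)


def decode_msi_version(dword: int) -> str:
    """ProductVersion DWORD: major in the top byte, minor in the next byte,
    build in the low 16 bits."""
    return f"{(dword >> 24) & 0xFF}.{(dword >> 16) & 0xFF}.{dword & 0xFFFF}"


def decode_multi_sz(hexdata: str) -> list:
    """REG_MULTI_SZ as the report prints it: hex of UTF-16LE, strings
    NUL-separated, list terminated by an empty string."""
    return [s for s in bytes.fromhex(hexdata).decode("utf-16-le").split("\x00") if s]


def decode_installer_artifacts(rec=REPORT) -> dict:
    """Apply the decoders to the recorded values and cross-check that the
    ProductCode recovered from the key name is the GUID in the ProductIcon path."""
    product_code = unpack_msi_guid(rec["products_key"])
    return {
        "product_code": product_code,
        "product_code_in_icon_path": product_code in rec["product_icon"],
        "upgrade_code": unpack_msi_guid(rec["upgrade_key"]),
        "version": decode_msi_version(rec["version"]),
        "lcid": rec["language"],
        "mui_language_list": decode_multi_sz(rec["language_list_hex"]),
    }


if __name__ == "__main__":
    for k, v in decode_installer_artifacts().items():
        print(f"{k}: {v}")
```

Running it gives version 2.0.1, which matches the file name, LCID 1033 (en-US) and the language list ["en-US", "en"]. On a suspect host, pack_msi_guid() turns a ProductCode from the MSI's Property table into the exact key name to query under HKLM\SOFTWARE\Classes\Installer\Products, and the SourceList\LastUsedSource value under it records where the package was run from (here the user's Temp directory).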

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
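
Read in order, the 64 rows above are not a targeted privilege grab: after five scattered entries, rows 6 to 34 enable SeCreateTokenPrivilege through SeCreateGlobalPrivilege in exact LUID order (well-known values 2 through 30), and rows 35 to 63 repeat that sweep. That is the footprint of code enumerating its token and enabling every privilege it holds, which is what the Windows Installer service instance (the msiexec.exe /V process in the Processes list, running as SYSTEM) does; AdjustTokenPrivileges can only enable privileges already present in the token, so this is not an escalation on its own. The script below is an added example for this page, not sandbox-vendor code; PRIVS is the Token column copied in table order, LUID is the Windows SDK's well-known privilege numbering, and SENSITIVE is this example's own selection.

```python
"""Reduce the AdjustPrivilegeToken rows above to an analyst's summary.

Added example, not part of the sandbox report. PRIVS is the Token column of
the 64 rows above, in table order (all belong to msiexec.exe). LUID holds the
well-known privilege values from the Windows SDK (SE_CREATE_TOKEN_PRIVILEGE
is 2, SE_CREATE_GLOBAL_PRIVILEGE is 30). SENSITIVE is this example's own pick
of escalation-relevant privileges, not a list from the sandbox vendor.
"""

LUID = {name: luid for luid, name in enumerate([
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege", "SeLockMemoryPrivilege",
    "SeIncreaseQuotaPrivilege", "SeMachineAccountPrivilege", "SeTcbPrivilege",
    "SeSecurityPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
    "SeSystemProfilePrivilege", "SeSystemtimePrivilege", "SeProfSingleProcessPrivilege",
    "SeIncBasePriorityPrivilege", "SeCreatePagefilePrivilege", "SeCreatePermanentPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege", "SeDebugPrivilege",
    "SeAuditPrivilege", "SeSystemEnvironmentPrivilege", "SeChangeNotifyPrivilege",
    "SeRemoteShutdownPrivilege", "SeUndockPrivilege", "SeSyncAgentPrivilege",
    "SeEnableDelegationPrivilege", "SeManageVolumePrivilege", "SeImpersonatePrivilege",
    "SeCreateGlobalPrivilege"], start=2)}

PRIVS = [  # Token column of the 64 rows above, copied in order
    "SeShutdownPrivilege", "SeIncreaseQuotaPrivilege", "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege", "SeSecurityPrivilege", "SeCreateTokenPrivilege",
    "SeAssignPrimaryTokenPrivilege", "SeLockMemoryPrivilege", "SeIncreaseQuotaPrivilege",
    "SeMachineAccountPrivilege", "SeTcbPrivilege", "SeSecurityPrivilege",
    "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege", "SeSystemProfilePrivilege",
    "SeSystemtimePrivilege", "SeProfSingleProcessPrivilege", "SeIncBasePriorityPrivilege",
    "SeCreatePagefilePrivilege", "SeCreatePermanentPrivilege", "SeBackupPrivilege",
    "SeRestorePrivilege", "SeShutdownPrivilege", "SeDebugPrivilege",
    "SeAuditPrivilege", "SeSystemEnvironmentPrivilege", "SeChangeNotifyPrivilege",
    "SeRemoteShutdownPrivilege", "SeUndockPrivilege", "SeSyncAgentPrivilege",
    "SeEnableDelegationPrivilege", "SeManageVolumePrivilege", "SeImpersonatePrivilege",
    "SeCreateGlobalPrivilege",
    # rows 35-63 repeat rows 6-34 exactly
    "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege", "SeLockMemoryPrivilege",
    "SeIncreaseQuotaPrivilege", "SeMachineAccountPrivilege", "SeTcbPrivilege",
    "SeSecurityPrivilege", "SeTakeOwnershipPrivilege", "SeLoadDriverPrivilege",
    "SeSystemProfilePrivilege", "SeSystemtimePrivilege", "SeProfSingleProcessPrivilege",
    "SeIncBasePriorityPrivilege", "SeCreatePagefilePrivilege", "SeCreatePermanentPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeShutdownPrivilege", "SeDebugPrivilege",
    "SeAuditPrivilege", "SeSystemEnvironmentPrivilege", "SeChangeNotifyPrivilege",
    "SeRemoteShutdownPrivilege", "SeUndockPrivilege", "SeSyncAgentPrivilege",
    "SeEnableDelegationPrivilege", "SeManageVolumePrivilege", "SeImpersonatePrivilege",
    "SeCreateGlobalPrivilege",
    "SeCreateTokenPrivilege",  # row 64
]

# This example's own choice of privileges worth a second look when a
# non-SYSTEM process enables them.
SENSITIVE = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
             "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
             "SeCreateTokenPrivilege", "SeTakeOwnershipPrivilege",
             "SeRestorePrivilege", "SeBackupPrivilege"}


def distinct_in_order(privs):
    """Collapse repeats, keeping first-seen order."""
    seen, out = set(), []
    for p in privs:
        if p not in seen:
            seen.add(p)
            out.append(p)
    return out


def find_sweeps(privs, min_len=8):
    """Maximal runs where each privilege's LUID is the previous one + 1.

    Returns (first_index, last_index, first_luid, last_luid) per run. A long
    run is a process walking its whole token; a lone SeDebugPrivilege is not.
    """
    sweeps, start = [], 0
    for i in range(1, len(privs) + 1):
        if i == len(privs) or LUID[privs[i]] != LUID[privs[i - 1]] + 1:
            if i - start >= min_len:
                sweeps.append((start, i - 1, LUID[privs[start]], LUID[privs[i - 1]]))
            start = i
    return sweeps


def triage(privs):
    """One dict an analyst can read instead of 64 rows."""
    distinct = distinct_in_order(privs)
    return {
        "rows": len(privs),
        "distinct": len(distinct),
        "sweeps": find_sweeps(privs),
        "sensitive_enabled": sorted(SENSITIVE & set(distinct)),
        "unknown": sorted(set(privs) - LUID.keys()),
    }


if __name__ == "__main__":
    for k, v in triage(PRIVS).items():
        print(f"{k}: {v}")
```

For this trace the result is 29 distinct privileges and two full sweeps of LUIDs 2 through 30. The same function applied to a user-context process that enables only SeDebugPrivilege would report no sweep and one sensitive privilege, which is the pattern worth escalating.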

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2112 wrote to memory of 2836 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2112 wrote to memory of 2836 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2112 wrote to memory of 2836 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2112 wrote to memory of 2836 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2112 wrote to memory of 2836 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2112 wrote to memory of 2836 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2112 wrote to memory of 2836 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2112 wrote to memory of 1752 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2112 wrote to memory of 1752 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2112 wrote to memory of 1752 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2112 wrote to memory of 1752 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2112 wrote to memory of 1752 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2112 wrote to memory of 2496 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2112 wrote to memory of 2496 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2112 wrote to memory of 2496 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2112 wrote to memory of 2496 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2112 wrote to memory of 2496 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2112 wrote to memory of 2496 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2112 wrote to memory of 2496 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1268 wrote to memory of 860 N/A C:\Program Files\Koalageddon\Koalageddon.exe C:\Program Files\Koalageddon\Koalageddon.exe
PID 1268 wrote to memory of 860 N/A C:\Program Files\Koalageddon\Koalageddon.exe C:\Program Files\Koalageddon\Koalageddon.exe
PID 1268 wrote to memory of 860 N/A C:\Program Files\Koalageddon\Koalageddon.exe C:\Program Files\Koalageddon\Koalageddon.exe
PID 860 wrote to memory of 2416 N/A C:\Program Files\Koalageddon\Koalageddon.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 860 wrote to memory of 2416 N/A C:\Program Files\Koalageddon\Koalageddon.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 860 wrote to memory of 2416 N/A C:\Program Files\Koalageddon\Koalageddon.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2416 wrote to memory of 560 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2416 wrote to memory of 560 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2416 wrote to memory of 560 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2416 wrote to memory of 560 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2416 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2416 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2416 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2416 wrote to memory of 2732 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2416 wrote to memory of 1692 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2416 wrote to memory of 1692 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2416 wrote to memory of 1692 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2416 wrote to memory of 1692 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Uses Volume Shadow Copy service COM API

ransomware (signature tag only; the report records no indicator rows for this signature. The VSS activity in this trace is the vssvc.exe and DrvInst.exe processes in the Processes list below, the latter started on STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19 between the MsiExec.exe -Embedding workers, which is consistent with Windows Installer creating its pre-install restore point rather than with shadow-copy deletion)

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Koalageddon-2.0.1.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 312985A5AD245171174EC14605545E27 C

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 15D7A4F1DBA7033CB656AA8A2796D1C0 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005E0" "00000000000005AC"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding DB6E85A48120DF5F76470307B674A4AD

C:\Program Files\Koalageddon\Koalageddon.exe

"C:\Program Files\Koalageddon\Koalageddon.exe"

C:\Program Files\Koalageddon\Koalageddon.exe

"C:\Program Files\Koalageddon\Koalageddon.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/acidicoala/Koalageddon2/releases/latest

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:472071 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2416 CREDAT:3879952 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 cs.rin.ru udp
US 8.8.8.8:53 cs.rin.ru udp
RO 185.100.87.208:443 cs.rin.ru tcp
RO 185.100.87.208:443 cs.rin.ru tcp
US 8.8.8.8:53 e6.o.lencr.org udp
US 8.8.8.8:53 e6.o.lencr.org udp
GB 2.18.190.73:80 e6.o.lencr.org tcp
GB 2.18.190.73:80 e6.o.lencr.org tcp
RO 185.100.87.208:443 cs.rin.ru tcp
RO 185.100.87.208:443 cs.rin.ru tcp
RO 185.100.87.208:443 cs.rin.ru tcp
RO 185.100.87.208:443 cs.rin.ru tcp
US 8.8.8.8:53 i.ibb.co udp
US 8.8.8.8:53 i.imgur.com udp
US 8.8.8.8:53 i.kym-cdn.com udp
US 199.232.196.193:443 i.imgur.com tcp
US 199.232.196.193:443 i.imgur.com tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
FR 162.19.58.161:443 i.ibb.co tcp
GB 87.248.205.1:443 i.kym-cdn.com tcp
GB 87.248.205.1:443 i.kym-cdn.com tcp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.73:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 184.25.193.234:80 www.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
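
The Network table is long because every connection is logged once per flow, but it reduces to a handful of destinations: GitHub and its asset and avatar CDNs, the image hosts i.imgur.com, i.ibb.co and i.kym-cdn.com, cs.rin.ru, Let's Encrypt OCSP (e6.o.lencr.org) and Microsoft CRL and Internet Explorer service hosts, all resolved through the sandbox's 8.8.8.8 resolver. That is consistent with iexplore.exe rendering the GitHub releases URL from the Processes section. The script below is an added example for this page, not sandbox-vendor tooling; ROWS is a verbatim subset of the table, and the registrable-domain grouping is a naive last-two-labels heuristic rather than a public-suffix lookup.

```python
"""Aggregate the Network table above into distinct destinations.

Added example, not part of the sandbox report. ROWS is a subset of the table
copied verbatim (the full table repeats most rows many times); columns are
Country, Destination, Domain, Proto. registrable() is a two-label heuristic,
not a public-suffix-list lookup.
"""
from collections import Counter, defaultdict

ROWS = """
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 185.199.110.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 cs.rin.ru udp
RO 185.100.87.208:443 cs.rin.ru tcp
RO 185.100.87.208:443 cs.rin.ru tcp
US 8.8.8.8:53 e6.o.lencr.org udp
GB 2.18.190.73:80 e6.o.lencr.org tcp
US 8.8.8.8:53 i.imgur.com udp
US 199.232.196.193:443 i.imgur.com tcp
US 8.8.8.8:53 i.ibb.co udp
FR 162.19.58.161:443 i.ibb.co tcp
US 8.8.8.8:53 crl.microsoft.com udp
GB 2.18.190.73:80 crl.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 184.25.193.234:80 www.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
"""


def parse_rows(text):
    """One dict per row; Destination is split into ip and integer port."""
    rows = []
    for line in text.strip().splitlines():
        country, dest, domain, proto = line.split()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def registrable(domain):
    """Naive grouping key: the last two labels (github.githubassets.com -> githubassets.com)."""
    return ".".join(domain.split(".")[-2:])


def summarize(rows):
    """Per registrable domain: hostnames seen, DNS query count, TCP endpoints with flow counts."""
    out = defaultdict(lambda: {"hosts": set(), "dns_queries": 0, "tcp": Counter()})
    for r in rows:
        entry = out[registrable(r["domain"])]
        entry["hosts"].add(r["domain"])
        if r["proto"] == "udp" and r["port"] == 53:
            entry["dns_queries"] += 1
        elif r["proto"] == "tcp":
            entry["tcp"][(r["ip"], r["port"], r["country"])] += 1
    return dict(out)


def cleartext_destinations(rows):
    """TCP flows not on 443. Here that is only CRL/OCSP and www.microsoft.com
    on port 80, which revocation checking does in the clear by design;
    anything else appearing in this list would be a finding."""
    return sorted({(r["domain"], r["ip"], r["port"])
                   for r in rows if r["proto"] == "tcp" and r["port"] != 443})


def resolvers(rows):
    """DNS servers queried; a single public resolver is the sandbox's configuration."""
    return sorted({r["ip"] for r in rows if r["proto"] == "udp" and r["port"] == 53})


def shared_ips(rows):
    """IPs fronting more than one hostname: blocking by IP would hit all of them."""
    by_ip = defaultdict(set)
    for r in rows:
        if r["proto"] == "tcp":
            by_ip[r["ip"]].add(r["domain"])
    return {ip: sorted(hosts) for ip, hosts in by_ip.items() if len(hosts) > 1}


if __name__ == "__main__":
    rows = parse_rows(ROWS)
    for dom, e in sorted(summarize(rows).items()):
        print(dom, sorted(e["hosts"]), "dns:", e["dns_queries"], "tcp:", dict(e["tcp"]))
    print("cleartext:", cleartext_destinations(rows))
    print("resolvers:", resolvers(rows))
    print("shared IPs:", shared_ips(rows))
```

Two things fall out that the raw table hides: 2.18.190.73 serves both e6.o.lencr.org and crl.microsoft.com (a shared CDN edge, so an IP-based block would be wrong), and the only non-TLS traffic is certificate-revocation fetching. Run over the full table, the per-domain flow counts show which hosts the browser actually loaded content from versus merely resolved.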

Files

C:\Users\Admin\AppData\Local\Temp\MSID3F2.tmp

MD5 4fdd16752561cf585fed1506914d73e0
SHA1 f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
SHA256 aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
SHA512 3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

C:\Users\Admin\AppData\Local\Temp\MSID431.tmp

MD5 e76ab52d50197baddbc0d921e1d8eea5
SHA1 3789e237ad3b07ef43f4014e99099a0b43b1392d
SHA256 6e3dae02524f00ee37f33123f7fac943ed2a8617988ec4a667fcddb7764c634c
SHA512 f21b9b45a3b8b079c26568962559d56377fe0cbefde287f4fb763c8fd85df72220858bca598dcbaaa47c0fa23ea9c4ed90375a40d6a55ca062dc373cfbe80c6e

C:\Windows\Installer\MSIF45D.tmp

MD5 a3ae5d86ecf38db9427359ea37a5f646
SHA1 eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256 c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

C:\Program Files\Koalageddon\runtime\legal\java.prefs\LICENSE

MD5 16989bab922811e28b64ac30449a5d05
SHA1 51ab20e8c19ee570bf6c496ec7346b7cf17bd04a
SHA256 86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192
SHA512 86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

C:\Program Files\Koalageddon\runtime\legal\jdk.unsupported\COPYRIGHT

MD5 4586c3797f538d41b7b2e30e8afebbc9
SHA1 3419ebac878fa53a9f0ff1617045ddaafb43dce0
SHA256 7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018
SHA512 f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

C:\Program Files\Koalageddon\Koalageddon.exe

MD5 f3fee249c9335225e3af98f11d805f34
SHA1 1d5065a559c156c11caf81ebfa9f3366caba76b2
SHA256 edfc0e68e302b33410c0bcddca6bd2112f0816861cc9360e22b80c0004852e24
SHA512 f0652631f55e2530ff6e4b5462a48df7109a1969f14af8c9778b413fea84a0113e30c9281ff772921a981d45e8dcb9150d141cbc9b33d0fb98d3fec7a62e4896

C:\Config.Msi\f76f3f2.rbs

MD5 2f794f6149a638c4c4a26cb742c7d2a2
SHA1 6df85383ef4d89bab32602a22f3fc684f1d768be
SHA256 69192f381c6fcf4ed28c26638eee5cf7198abb094cdae11c8537f085082d1203
SHA512 1f1f86f9156e11c9bdc2da15c419dacd76a4581460494b82a72eeff5b594dd196b51e813260c0920152e0317a78df876a24497e326f5b13e6524e6e41cff4278

C:\Windows\Installer\f76f3f0.msi

MD5 155295f8dbaae190dd34adadecfb302e
SHA1 c720229eb480dadd40649a2447b3e618a83d568c
SHA256 793a6b5980872bc0c16c53ee550f860b90e8955fbbf2f0bd15734e05e9b4c3b8
SHA512 cd6d4405bf387faa538426a2cfefdecd4c7f3a649f4cfce1eab85cea22a345f304525d222a48785528b7e19f83b76a536a1895e3f32ea8153d93ddae29850dd7

C:\Program Files\Koalageddon\app\Koalageddon.cfg

MD5 7aa4849ccca139f773ec9600939d134a
SHA1 6f564bc8ff510a34f122c3a003720b7d74fb1040
SHA256 f531d92293ea94b05f5ea513a4e716b7cf1bf16f423ecae8a56463785e368f0b
SHA512 3a21add2eb783318bc9080a60a3b9ccfe511f38dec322da5c75b134d683c531cd103395e754370c4beb43afc36e89f35d0d5d930e6bf2069522b71b277c5c9c1

C:\Program Files\Koalageddon\runtime\bin\jli.dll

MD5 3a315274152a0ff52027c0ba0a960a21
SHA1 e3ebb1bb6fbacbb12fd9f6231d950666f2e5a034
SHA256 4a40a3a94d69ae05a2d31143c3877ff4ab5bb497445324d1bd693998e0b9ef24
SHA512 9705a7cdc86ee88b64235f4d9362c7b4e610367598ac4f4617a9761675c229b3ad94ecbd321e48718f14fb09419545c01ac975d5e577217a1a2ba85723c6c5b9

\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 972544ade7e32bfdeb28b39bc734cdee
SHA1 87816f4afabbdec0ec2cfeb417748398505c5aa9
SHA256 7102f8d9d0f3f689129d7fe071b234077fba4dd3687071d1e2aeaa137b123f86
SHA512 5e1131b405e0c7a255b1c51073aff99e2d5c0d28fd3e55cabc04d463758a575a954008ea1ba5b4e2b345b49af448b93ad21dfc4a01573b3cb6e7256d9ecceef1

\Program Files\Koalageddon\runtime\bin\java.dll

MD5 aa069d2675ed9415ed03ec50618613cf
SHA1 ecdd5d910052006c1a98f51d927fe048739776e9
SHA256 66c02525e5ec60e0d74b4225ed6f7d85c778d774f298b46577aea82b369689c1
SHA512 55d3f64576e6e4bbbe89082b347161a8f8d67d4c0fb0a5104286bfbb4a822d8a8e88c7c161ea3db703032065cf716328fcc3db4acd4637c6157cef712977f845

C:\Program Files\Koalageddon\runtime\lib\modules

MD5 c2ee0e3826328a754236745993350b24
SHA1 11325146dcde886025029df3c23f801c7776ecbc
SHA256 cd381ab9beb6d19f34509b8f9b444b23bb1a01499d65617cfe7b3534668c9696
SHA512 0fb52de03a9d566a92a7f53dc4edb2c878885c1b3f6b147150f1a4620316c9519cef83ce8be7df79a31ce4f44dd5fe2f83685bcb2809140ac904f58ee3afe45a

\Program Files\Koalageddon\runtime\bin\jimage.dll

MD5 bd60efd008e48bb99caeac946ced792e
SHA1 855d278e7ca1c1e918bd5f32c2a3fd8772554f52
SHA256 fc2be5399a034c07beb51270471144eedecc5068139b7ae2a7dfff7719b19746
SHA512 d66a0095c57a521537dde53b4c3d730a719f91d41f51f1eb7efd666f5dbc00b9837e7ff28dd05cf3a8a2310a51083e3be044fd126840b0ddb885ff3e0edf5344

\Program Files\Koalageddon\runtime\bin\server\jvm.dll

MD5 89ad37a2cce32eec711b1df655ce4b8c
SHA1 1fa554d4382696eae8c2523990f3787598a22a24
SHA256 13bcca0624bfb0e41d684a97e50ca07479cb12c6643f61fadf72985688c7a6d1
SHA512 e09a135b86ea9d4778c31ded4a27210114a9db26fdb3085568c70064fb0fa2e8e1903a7286ff7df5025fb8b6fb02af960689fdb6f60820a023b2ae64af5497e8

\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-utility-l1-1-0.dll

MD5 dbc27d384679916ba76316fb5e972ea6
SHA1 fb9f021f2220c852f6ff4ea94e8577368f0616a4
SHA256 dd14133adf5c534539298422f6c4b52739f80aca8c5a85ca8c966dea9964ceb1
SHA512 cc0d8c56749ccb9d007b6d3f5c4a8f1d4e368bb81446ebcd7cc7b40399bbd56d0acaba588ca172ecb7472a8cbddbd4c366ffa38094a832f6d7e343b813ba565e

\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-math-l1-1-0.dll

MD5 a6a3d6d11d623e16866f38185853facd
SHA1 fbeadd1e9016908ecce5753de1d435d6fcf3d0b5
SHA256 a768339f0b03674735404248a039ec8591fcba6ff61a3c6812414537badd23b0
SHA512 abbf32ceb35e5ec6c1562f9f3b2652b96b7dbd97bfc08d918f987c0ec0503e8390dd697476b2a2389f0172cd8cf16029fd2ec5f32a9ba3688bf2ebeefb081b2c

\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-time-l1-1-0.dll

MD5 1d48a3189a55b632798f0e859628b0fb
SHA1 61569a8e4f37adc353986d83efc90dc043cdc673
SHA256 b56bc94e8539603dd2f0fea2f25efd17966315067442507db4bffafcbc2955b0
SHA512 47f329102b703bfbb1ebaeb5203d1c8404a0c912019193c93d150a95bb0c5ba8dc101ac56d3283285f9f91239fc64a66a5357afe428a919b0be7194bada1f64f

C:\Program Files\Koalageddon\app\animation-core-desktop-1.3.0-e4e0deec43a1fe5e167c411ddc9bf385.jar

MD5 5a520c626b84462f370e0fcfc41372b0
SHA1 eb8fdc5755bfedd507c7f9c18c42b5da0e4ef484
SHA256 a81f21bda4c67d075934506f7b738b909bb5fbaad9be5d91b000f7b440dee0ce
SHA512 2586584a5659fc130148e34d7fb196c3d87dd778efb4ac0b9863ea0a17d4d20cde17a514dc42e59490af45ffcbf48eedf3611036adf57b1984aa966da13412aa

\Program Files\Koalageddon\runtime\bin\nio.dll

MD5 cf63016b7c60c45d7707b8aabb705ce3
SHA1 3d4067d14260cd816a52e3640774d1fcd8bd64b7
SHA256 b92a5e3024e1c05427cbdc593deaef2473a74d7baf4c5d98063ce6e98bd0a619
SHA512 d84a0d7ce7d5ebc59f17aced76b2aa12f924f9a823f776da49f7099b4f2c3828b737be0001e47486aca9eb70363d9cb9068a1d75524853d0792d71874ee3ca62

C:\Program Files\Koalageddon\app\atomicfu-jvm-0.17.2-d6b6f3a195696acf1828b1f125125ed7.jar

MD5 123c23839aea1dac0ce76999f987e0a1
SHA1 f157876b2e8c240cccefd78f8a264248fc85f51b
SHA256 128affe73bb8a99351f93b1eeebc3825005df8c241b9a47498f6c64e26d039a5
SHA512 5cd50ce7d9ce01ebfb471cf8020bc3871a3afadba1c24c48e72241c4e4b6525b185362bc6462b4adf7c65e2d80cdcaf7bd9c3c49312bb584caf12528903c4013

C:\Program Files\Koalageddon\app\bcprov-jdk15on-1.66-fd57b228172782ae6a73d22a7ac9b45.jar

MD5 318201d533696e9c309e511e0bb5dd4b
SHA1 d74788b1c608eeaa7b18c9dc306d0753fbfe80d9
SHA256 46c5d19ca0d4eb406b902a35bc35fe4d522b85d5b7505c361662de044611b485
SHA512 e6c1ec7b120422d7ea3a117191558672747ebee3d35aca923de4013c754397a4a24e9ec3f97a66afc36bea75627d9634eaaa44fcd6da80f1177d1623cd03ea59

C:\Program Files\Koalageddon\app\bcpkix-jdk15on-1.66-a5b13435d46cb52abb0a47feb77e5e.jar

MD5 99770ff0bbe41caaa6b4bcef9a81373d
SHA1 ea5589b94b94cb3365d48adea38f83a00fbb9b4e
SHA256 9cab2d6a97fc75e319d72fe6eb4fe207d4a4435b4140f47b41156b38c0863a62
SHA512 3e54afae3f043b0332eb263064e076da3ae791876fbe1026c01c6193244466a507ae53fe1b64e88ea58fab9bca01db2afba27ba17313e18f06b7dba8e8c5c868

C:\Program Files\Koalageddon\app\asn-one-0.4.0-d3153e6fec8296ebfbc8936fdcef775b.jar

MD5 0ed44204e268b6f70e32f1d02e117619
SHA1 74cb25517d18757a664ed9d3dee6aa2b76c45ab1
SHA256 97b97c88f7e87413912bbc3f0588b955b49589f65f88e2d5b5add5ddf3ec19c5
SHA512 32e9c6077e18fd7aad128620dad4c307a72b37a6d01ff8276e378090c5c2b95939da971d2b6c190ce61af9e640c499fdb252f5657b7f3ecd454b4706b32c363c

C:\Program Files\Koalageddon\app\appdirs-1.2.1-accf8bf9c4a91aee4c715d66240d4.jar

MD5 96d905e3b90a53543f2cc5a0654dfee4
SHA1 a5aa1999ebf5c053d497cd58b9221fe8823d6d6d
SHA256 1c3e66c853a6c508814201e28e6a8687576f4a78cdddfdf2febf7f447dd35ffb
SHA512 173a7b21017f7a16138ebba12f18f8df543d8f75da4f770dc37bd40ae38de74c8240fa33de4178d5344f984e08e151399d00c495accfbe588f72d3381d3e483f

C:\Program Files\Koalageddon\app\annotations-13.0-f4fb462172517b46b6cd900358515a.jar

MD5 220caeb4af9453baa13b3beb95405729
SHA1 8539b6d1de27a81dfa5f76099d210205c8126de0
SHA256 21c62075d4bb3f9a0938fc8ec838a717498a2d947ab9949bf2ca024a574a93cf
SHA512 54b719a33cb3164b51b0397bb19a307c9f4f863d409d5fb3051cb5f059c22396e90660d2c14cb77f0cf462cba73f2c60416eb53edf84d2c880463e81d3087d8f

C:\Program Files\Koalageddon\app\animation-desktop-1.3.0-6ed1e4ad7942e528b3f2af8cf36d32d.jar

MD5 ed7365b40630845605a1748e57f1121b
SHA1 f4205490f8f0c53466115f8a8aa459b4f1995eca
SHA256 ae6e222389babc212b96d0582b55a962a52aa249acfcd96bc60629614e807efb
SHA512 626945d618ad48d8410d0a04890a34ea54465651fb42f30074a41b4abf371589793bfa705603fb1c7d4d161c76dda3785dcd80a90363829eb657f7f4e24dc905

\Program Files\Koalageddon\runtime\bin\zip.dll

MD5 ade1f943087e19c5085ce31125f585b1
SHA1 9f6021d049b09008be221cc1721ea5d12d3dc877
SHA256 090ac3d37609f9717861dfb4535466fb1ff48b2213b837ddc3777f9c8d960d1e
SHA512 f3ed6bfd4614574e300b46545c3e43a73d363c252539a0efbf2bd9e2e8921029b0233a7f67f689dbb967eb648c88c0b012944841a4c3e11aad8d4eb66822857f

\Program Files\Koalageddon\runtime\bin\net.dll

MD5 b4e840ed1c5dbca49f34028137fb3178
SHA1 98f24cac1b6f8b86ae24efe532720b5256e635fe
SHA256 e0e567586af9eab9f95b6d84b60fd2785e38e202908ca62579d0fa7261a65a83
SHA512 63610e17bf0a2b357e4bed5f78c2e6449ec4d498e70025ff37a8f80362d41e50cef6c4197b3b0eda6f842a8fa90e0e2f88dd59ff0eda1632f17137b5c852365e

\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-locale-l1-1-0.dll

MD5 dd8176e132eedea3322443046ac35ca2
SHA1 d13587c7cc52b2c6fbcaa548c8ed2c771a260769
SHA256 2eb96422375f1a7b687115b132a4005d2e7d3d5dc091fb0eb22a6471e712848e
SHA512 77cb8c44c8cc8dd29997fba4424407579ac91176482db3cf7bc37e1f9f6aa4c4f5ba14862d2f3a9c05d1fdd7ca5a043b5f566bd0e9a9e1ed837da9c11803b253

\Program Files\Koalageddon\runtime\bin\msvcp140.dll

MD5 bf78c15068d6671693dfcdfa5770d705
SHA1 4418c03c3161706a4349dfe3f97278e7a5d8962a
SHA256 a88b8c1c8f27bf90fe960e0e8bd56984ad48167071af92d96ec1051f89f827fb
SHA512 5b6b0ab4e82cc979eaa619d387c6995198fd19aa0c455bef44bd37a765685575d57448b3b4accd70d3bd20a6cd408b1f518eda0f6dae5aa106f225bee8291372

\Program Files\Koalageddon\runtime\bin\vcruntime140_1.dll

MD5 fcda37abd3d9e9d8170cd1cd15bf9d3f
SHA1 b23ff3e9aa2287b9c1249a008c0ae06dc8b6fdf2
SHA256 0579d460ea1f7e8a815fa55a8821a5ff489c8097f051765e9beaf25d8d0f27d6
SHA512 de8be61499aaa1504dde8c19666844550c2ea7ef774ecbe26900834b252887da31d4cf4fb51338b16b6a4416de733e519ebf8c375eb03eb425232a6349da2257

C:\Program Files\Koalageddon\runtime\lib\jvm.cfg

MD5 7ce21bdcfa333c231d74a77394206302
SHA1 c5a940d2dee8e7bfc01a87d585ddca420d37e226
SHA256 aa9efb969444c1484e29adecab55a122458090616e766b2f1230ef05bc3867e0
SHA512 8b37a1a5600e0a4e5832021c4db50569e33f1ddc8ac4fc2f38d5439272b955b0e3028ea10dec0743b197aa0def32d9e185066d2bac451f81b99539d34006074b

\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-environment-l1-1-0.dll

MD5 7a859e91fdcf78a584ac93aa85371bc9
SHA1 1fa9d9cad7cc26808e697373c1f5f32aaf59d6b7
SHA256 b7ee468f5b6c650dada7db3ad9e115a0e97135b3df095c3220dfd22ba277b607
SHA512 a368f21eca765afca86e03d59cf953500770f4a5bff8b86b2ac53f1b5174c627e061ce9a1f781dc56506774e0d0b09725e9698d4dc2d3a59e93da7ef3d900887

\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-convert-l1-1-0.dll

MD5 4ec4790281017e616af632da1dc624e1
SHA1 342b15c5d3e34ab4ac0b9904b95d0d5b074447b7
SHA256 5cf5bbb861608131b5f560cbf34a3292c80886b7c75357acc779e0bf98e16639
SHA512 80c4e20d37eff29c7577b2d0ed67539a9c2c228edb48ab05d72648a6ed38f5ff537715c130342beb0e3ef16eb11179b9b484303354a026bda3a86d5414d24e69

\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-stdio-l1-1-0.dll

MD5 55b2eb7f17f82b2096e94bca9d2db901
SHA1 44d85f1b1134ee7a609165e9c142188c0f0b17e0
SHA256 f9d3f380023a4c45e74170fe69b32bca506ee1e1fbe670d965d5b50c616da0cb
SHA512 0cf0770f5965a83f546253decfa967d8f85c340b5f6ea220d3caa14245f3cdb37c53bf8d3da6c35297b22a3fa88e7621202634f6b3649d7d9c166a221d3456a5

\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-string-l1-1-0.dll

\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-heap-l1-1-0.dll

\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-runtime-l1-1-0.dll

\Program Files\Koalageddon\runtime\bin\vcruntime140.dll

memory/860-346-0x0000000001F80000-0x0000000001F8A000-memory.dmp

memory/860-347-0x0000000001F80000-0x0000000001F8A000-memory.dmp

memory/860-393-0x0000000001F80000-0x0000000001F8A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cab6D06.tmp

C:\Users\Admin\AppData\Local\Temp\Tar6DD5.tmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\39GEHZPO\favicon[1].png

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\LPQ313RR\favicon[1].ico

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-29 07:21

Reported

2024-10-29 07:25

Platform

win10v2004-20241007-en

Max time kernel

132s

Max time network

139s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Koalageddon-2.0.1.msi

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Koalageddon\runtime\legal\java.base\aes.md C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.security.sasl\COPYRIGHT C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\material-ripple-desktop-1.3.0-c98fbd81cc22afec5722db468c90bdd2.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\jna-platform-5.6.0-3c34526c4f2243e5d1d7caceb9243cd.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\lib\tzdb.dat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\ktor-serialization-jvm-2.2.3-c18decefc63735a117973b85c58582.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-debug-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\ui-desktop-1.3.0-a7e94e2d777927f3ad9a25ad39acfba2.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.base\asm.md C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\ktor-client-content-negotiation-jvm-2.2.3-4a96a800692683a511d683fd9290.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\tinylog-impl-2.6.0-8726c27d582d10eb1d365cdeb0c5524.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\Koalageddon.cfg C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\kotlin-stdlib-1.8.0-952dbd9391b7c09ee33321daff5d583.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\runtime-saveable-desktop-1.3.0-9042e5cee2f7d84106def62343a8877.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.desktop\mesa3d.md C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\ucrtbase.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\fontmanager.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\conf\security\java.security C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.xml\bcel.md C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\animation-desktop-1.3.0-6ed1e4ad7942e528b3f2af8cf36d32d.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\kodein-di-framework-compose-jvm-7.18.0-d971578ee18e2e4a27be0f364679d.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-localization-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\instrument.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-processthreads-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\jsound.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-file-l1-2-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\server\jvm.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\SwtJavaFx-1.1-7d5354a35e5b72de6f6f961a3d59a739.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\Updates-1.0-86b3949080a86834369406e68bcfaed.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.sql\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\ktor-client-cio-jvm-2.2.3-cd51e71fc629067977f84d156ad776d.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\lib\psfontj2d.properties C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\prefs.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\koalageddon-jvm-2.0.1.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\ui-util-desktop-1.3.0-8493905dc83f28d88ab0bc5efc673cb.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-util-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\asn-one-0.4.0-d3153e6fec8296ebfbc8936fdcef775b.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\ui-unit-desktop-1.3.0-fa0f4cc64687b48417c78a5bf14718.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\appdirs-1.2.1-accf8bf9c4a91aee4c715d66240d4.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\conf\security\java.policy C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.xml\xalan.md C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\jzlib-1.1.3-386d3714fef534d21175d8885ae48bf7.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\eddsa-0.3.0-ee7de3b6f19de76a6e465efc978f669.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\lib\fontconfig.bfc C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.desktop\colorimaging.md C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\api-ms-win-core-timezone-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\runtime-desktop-1.3.0-54ac464446fef98e10ecdf8b20442cc7.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-math-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\kotlinx-serialization-json-jvm-1.4.1-9cd33c9b12c371a5d8934c97466eb70.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\Executor-3.0-4867e75d7efe8952a836ee63449.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\jimage.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\ui-geometry-desktop-1.3.0-a0d6ff9ba67c3f65211665b139bcf5c.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\management.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\kodein-di-jvm-7.18.0-26df9a79e768686def3c0e922a815a2.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\icudtl.dat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.desktop\COPYRIGHT C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\ktor-io-jvm-2.2.3-f181111aac9f2f3c61bc8bec63d379.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.logging\COPYRIGHT C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\conf\security\policy\unlimited\default_local.policy C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\bin\api-ms-win-crt-heap-l1-1-0.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\app\ByteUtilities-1.0-2d2583acbdb74f5ed6981b74188115e.jar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\conf\net.properties C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\Koalageddon\runtime\legal\java.naming\COPYRIGHT C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e58459f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI48AD.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\JpARPPRODUCTICON C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\icon_1862387937 C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58459f.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI461C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{C71B00F0-5060-3665-A444-1BFFD31FA5F7} C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\JpARPPRODUCTICON C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\icon_1862387937 C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5845a1.msi C:\Windows\system32\msiexec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value elided) C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0F00B17C060556634A44B1FF3DF15A7F\DefaultFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\ProductName = "Koalageddon" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0F00B17C060556634A44B1FF3DF15A7F C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\PackageCode = "EFEAD4423A6F1324DB76D9F43705B59D" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\ProductIcon = "C:\\Windows\\Installer\\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\\JpARPPRODUCTICON" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\550FE40B7A8BE324E8F68353EA49C3E4 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\550FE40B7A8BE324E8F68353EA49C3E4\0F00B17C060556634A44B1FF3DF15A7F C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\Version = "33554433" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\PackageName = "Koalageddon-2.0.1.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\Media C:\Windows\system32\msiexec.exe N/A
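
Every row in the table above is the registration that the Windows Installer service writes for any package it installs, so the table is not evidence of malice by itself; its value is identification. The key names are "squished" GUIDs: 0F00B17C060556634A44B1FF3DF15A7F is the ProductCode {C71B00F0-5060-3665-A444-1BFFD31FA5F7} that also appears as the folder name under C:\Windows\Installer in the "Drops file in Windows directory" table, 550FE40B7A8BE324E8F68353EA49C3E4 is the UpgradeCode, PackageCode is stored the same way, Version = 33554433 is 0x02000001 (2.0.1, matching the file name) and Clients = 3a0000000000 is a REG_MULTI_SZ holding ":". The script below is an added example by the editor, not code from the sandbox vendor or the Koalageddon project: it parses rows in the report's own layout, expands the squished GUIDs and decodes the packed values so the ProductCode and UpgradeCode can be hunted for under HKLM\SOFTWARE\Classes\Installer on other hosts. The sample rows are copied from this table; the LCID table (only 1033) and the reading of the LastUsedSource prefix (n = network/folder, m = media, u = URL) are the editor's assumptions.

```python
import re

# Constructed input: rows copied from this report's "Modifies registry class" table.
SAMPLE_ROWS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0F00B17C060556634A44B1FF3DF15A7F\DefaultFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\ProductName = "Koalageddon" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\PackageCode = "EFEAD4423A6F1324DB76D9F43705B59D" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\ProductIcon = "C:\\Windows\\Installer\\{C71B00F0-5060-3665-A444-1BFFD31FA5F7}\\JpARPPRODUCTICON" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\550FE40B7A8BE324E8F68353EA49C3E4\0F00B17C060556634A44B1FF3DF15A7F C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0F00B17C060556634A44B1FF3DF15A7F\Version = "33554433" C:\Windows\system32\msiexec.exe N/A
"""

ROW_RE = re.compile(r'^Set value \((?P<type>str|int|data)\) (?P<path>\S+)'
                    r'(?: = (?P<raw>"[^"]*"|\S+))?\s+(?P<proc>\S+)\s+\S+$')
LCID_NAMES = {1033: "en-US"}  # assumption: only the LCID that occurs in this report
SOURCE_KINDS = {"n": "network/folder", "m": "media", "u": "URL"}  # assumed LastUsedSource prefixes

def _swap_pairs(s):
    return "".join(s[i:i + 2][::-1] for i in range(0, len(s), 2))

def squish_guid(guid):
    """{C71B00F0-...} -> 0F00B17C...: first three groups reversed whole, last two byte by byte."""
    parts = guid.strip("{}").upper().split("-")
    if [len(p) for p in parts] != [8, 4, 4, 4, 12]:
        raise ValueError(f"not a GUID: {guid!r}")
    return "".join(p[::-1] for p in parts[:3]) + _swap_pairs(parts[3]) + _swap_pairs(parts[4])

def unsquish_guid(s):
    """Inverse of squish_guid: registry key name -> ProductCode/UpgradeCode/PackageCode."""
    s = s.upper()
    if not re.fullmatch(r"[0-9A-F]{32}", s):
        raise ValueError(f"not a squished GUID: {s!r}")
    return "{%s-%s-%s-%s-%s}" % (s[:8][::-1], s[8:12][::-1], s[12:16][::-1],
                                 _swap_pairs(s[16:20]), _swap_pairs(s[20:]))

def decode_msi_version(packed):
    """Version DWORD: major in the top byte, minor in the next, build in the low 16 bits."""
    return f"{packed >> 24 & 0xFF}.{packed >> 16 & 0xFF}.{packed & 0xFFFF}"

def decode_multi_sz(data):
    """REG_MULTI_SZ: NUL-terminated UTF-16LE strings, the list closed by an extra NUL."""
    return [s for s in data.decode("utf-16-le").split("\x00") if s]

def parse_row(line):
    """One 'Set value (...)' row -> dict; None for rows that carry no value (Key created/opened)."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    key, _, name = m["path"].rpartition("\\")
    raw = m["raw"]
    if raw is None:
        value = ""  # value name written with empty data (UpgradeCodes, Features)
    elif raw.startswith('"'):
        value = raw[1:-1].replace("\\\\", "\\")  # the report doubles backslashes in quotes
    else:
        value = raw
    if m["type"] == "int":
        value = int(value)
    elif m["type"] == "data":
        value = bytes.fromhex(value)
    return {"key": key, "name": name, "value": value, "process": m["proc"]}

def decode_field(field, value):
    if field == "Version":
        return decode_msi_version(value)
    if field == "Language":
        return f"{LCID_NAMES[value]} ({value})" if value in LCID_NAMES else f"LCID {value}"
    if field == "Clients":
        return decode_multi_sz(value)
    if field == "PackageCode":
        return unsquish_guid(value)
    if field == "SourceList\\LastUsedSource":
        kind, disk, path = value.split(";", 2)
        return {"kind": SOURCE_KINDS.get(kind, kind), "disk": int(disk), "path": path}
    return value

def summarize_installer_rows(lines):
    """Group rows by product and upgrade code, with GUIDs expanded and packed values decoded."""
    out = {"products": {}, "upgrade_codes": {}}
    for row in filter(None, map(parse_row, lines)):
        parts = row["key"].split("\\")
        if "Installer" not in parts or len(parts) < parts.index("Installer") + 3:
            continue
        i = parts.index("Installer")
        hive, squished = parts[i + 1], parts[i + 2]
        if hive in ("Products", "Features"):
            prod = out["products"].setdefault(squished, {"product_code": unsquish_guid(squished)})
            if hive == "Features":
                prod.setdefault("features", []).append(row["name"])
            else:
                field = "\\".join(parts[i + 3:] + [row["name"]])
                prod[field] = decode_field(field, row["value"])
        elif hive == "UpgradeCodes":  # UpgradeCodes\<upgrade code>\<product code> = ""
            out["upgrade_codes"].setdefault(unsquish_guid(squished), []).append(unsquish_guid(row["name"]))
    return out

if __name__ == "__main__":
    import json
    print(json.dumps(summarize_installer_rows(SAMPLE_ROWS.strip().splitlines()), indent=2))
```

Running it prints one product entry keyed by the squished code, with product_code, the unsquished PackageCode, Version 2.0.1, Language en-US, the Clients list and the LastUsedSource path C:\Users\Admin\AppData\Local\Temp\ (the directory the sample was launched from), plus the UpgradeCode mapped to that ProductCode. The same squish/unsquish pair works on any key under Installer\Products, Installer\UpgradeCodes or the per-user Installer hives.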

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Koalageddon-2.0.1.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C176E2F35D42DE163AA34D6A3BE06359 C

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 8B69D4A55E1C28D518CB971940095B43 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 3E4D28334EE103FBAF077ED852E44C05

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 167.57.26.184.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\MSI4DD.tmp

MD5 4fdd16752561cf585fed1506914d73e0
SHA1 f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
SHA256 aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
SHA512 3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

C:\Users\Admin\AppData\Local\Temp\MSI56B.tmp

MD5 e76ab52d50197baddbc0d921e1d8eea5
SHA1 3789e237ad3b07ef43f4014e99099a0b43b1392d
SHA256 6e3dae02524f00ee37f33123f7fac943ed2a8617988ec4a667fcddb7764c634c
SHA512 f21b9b45a3b8b079c26568962559d56377fe0cbefde287f4fb763c8fd85df72220858bca598dcbaaa47c0fa23ea9c4ed90375a40d6a55ca062dc373cfbe80c6e

C:\Windows\Installer\MSI461C.tmp

MD5 a3ae5d86ecf38db9427359ea37a5f646
SHA1 eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256 c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

C:\Program Files\Koalageddon\runtime\legal\java.prefs\LICENSE

MD5 16989bab922811e28b64ac30449a5d05
SHA1 51ab20e8c19ee570bf6c496ec7346b7cf17bd04a
SHA256 86e0516b888276a492b19f9a84f5a866ed36925fae1510b3a94a0b6213e69192
SHA512 86571f127a6755a7339a9ed06e458c8dc5898e528de89e369a13c183711831af0646474986bae6573bc5155058d5f38348d6bfdeb3fd9318e98e0bf7916e6608

C:\Program Files\Koalageddon\runtime\legal\jdk.unsupported\COPYRIGHT

MD5 4586c3797f538d41b7b2e30e8afebbc9
SHA1 3419ebac878fa53a9f0ff1617045ddaafb43dce0
SHA256 7afb3a2dc57cb16223dddc970e0b464311e5311484c793abf9327a19ef629018
SHA512 f2c722ae80d2c0dcdb30a6993864eb90b85be5311261012d4585c6595579582d1b37323613f5417d189adcd096fa948e0378c1e6c59761bf94d65c0a5c2f2fd3

C:\Program Files\Koalageddon\Koalageddon.exe

MD5 f3fee249c9335225e3af98f11d805f34
SHA1 1d5065a559c156c11caf81ebfa9f3366caba76b2
SHA256 edfc0e68e302b33410c0bcddca6bd2112f0816861cc9360e22b80c0004852e24
SHA512 f0652631f55e2530ff6e4b5462a48df7109a1969f14af8c9778b413fea84a0113e30c9281ff772921a981d45e8dcb9150d141cbc9b33d0fb98d3fec7a62e4896

C:\Config.Msi\e5845a0.rbs

MD5 58768c732cb5986d895b1be15b9b6031
SHA1 b825f2cfa6059bc220d30a37db7658a6a50935a5
SHA256 a6feffa8905590866a49e70563cc8c6584e8315feed9db992278ee4410c561b6
SHA512 dd1a9b0edd8c6d24f5b09e11d0ad69bfb86313c8aaf8841832a368c3e72aecc19e9c06fe475959f4dd33da05d67d45b6f7eea39a3adf98218bad23b07972da07

C:\Windows\Installer\e58459f.msi

MD5 155295f8dbaae190dd34adadecfb302e
SHA1 c720229eb480dadd40649a2447b3e618a83d568c
SHA256 793a6b5980872bc0c16c53ee550f860b90e8955fbbf2f0bd15734e05e9b4c3b8
SHA512 cd6d4405bf387faa538426a2cfefdecd4c7f3a649f4cfce1eab85cea22a345f304525d222a48785528b7e19f83b76a536a1895e3f32ea8153d93ddae29850dd7

\??\Volume{48d314f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{328074be-f288-4c9a-96b0-e671041863c3}_OnDiskSnapshotProp

MD5 acc2e69e652425c4679255c42f15f8e0
SHA1 661d77c8166cb31a34c2eb3c61750966e5f0abe0
SHA256 2b72e4c75fb9b10fbb984cacea7714b5d40250b0eff1da0da3ba82f75c81d10b
SHA512 e9c8c287d594f7fe28325070e70b9c3baac86e29562ca0e9dd4116e819ae9e309dc2cd7075b74338681da4de031d5d84d22f4ce55cc55251eaa402532d593d28

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 509d64717dac5fc0a470a299f8ef79bf
SHA1 6fd2eb4a006327a3415d3bd4385f130869167a15
SHA256 0a4bbbeea3e8238fde32e48eee2d2eb5d159498e2ce8a916d399807a016db267
SHA512 55d0cd0d8b0fd4ebbb449edfa510a666bdcd8968f0bfbb19fdc3e806c68aec1cf6bbf3e78b860741f6f149f463f331cd7d0d57d42bb4c911945063681f68df8b
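
Not every hashed file above is worth pivoting on. C:\Windows\Installer\e58459f.msi has the same SHA256 as the submitted sample (793a6b59...), so it is the Installer service's cached copy of the package rather than a new artifact; the MSI*.tmp files and C:\Config.Msi\*.rbs are installer temp and rollback files; and the entries under System Volume Information were written while the restore point was created (the vssvc.exe and srtasks.exe activity in the Processes list). The script below is an added example by the editor, not code from the sandbox vendor or the Koalageddon project: it parses entries in the report's own "Files" layout, rejects digests of the wrong length, drops the package copy and installer housekeeping, and leaves the hashes of what was actually installed. The five entries are copied from this section; the bucket names are the editor's own triage labels, not the sandbox's.

```python
import re

SUBMITTED_SHA256 = "793a6b5980872bc0c16c53ee550f860b90e8955fbbf2f0bd15734e05e9b4c3b8"  # report header
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}  # hex digits
DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")

# Constructed input: five entries copied from this report's "Files" section, in its own layout.
FILES_SECTION = r"""
C:\Windows\Installer\MSI461C.tmp

MD5 a3ae5d86ecf38db9427359ea37a5f646
SHA1 eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256 c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

C:\Program Files\Koalageddon\Koalageddon.exe

MD5 f3fee249c9335225e3af98f11d805f34
SHA1 1d5065a559c156c11caf81ebfa9f3366caba76b2
SHA256 edfc0e68e302b33410c0bcddca6bd2112f0816861cc9360e22b80c0004852e24
SHA512 f0652631f55e2530ff6e4b5462a48df7109a1969f14af8c9778b413fea84a0113e30c9281ff772921a981d45e8dcb9150d141cbc9b33d0fb98d3fec7a62e4896

C:\Config.Msi\e5845a0.rbs

MD5 58768c732cb5986d895b1be15b9b6031
SHA1 b825f2cfa6059bc220d30a37db7658a6a50935a5
SHA256 a6feffa8905590866a49e70563cc8c6584e8315feed9db992278ee4410c561b6
SHA512 dd1a9b0edd8c6d24f5b09e11d0ad69bfb86313c8aaf8841832a368c3e72aecc19e9c06fe475959f4dd33da05d67d45b6f7eea39a3adf98218bad23b07972da07

C:\Windows\Installer\e58459f.msi

MD5 155295f8dbaae190dd34adadecfb302e
SHA1 c720229eb480dadd40649a2447b3e618a83d568c
SHA256 793a6b5980872bc0c16c53ee550f860b90e8955fbbf2f0bd15734e05e9b4c3b8
SHA512 cd6d4405bf387faa538426a2cfefdecd4c7f3a649f4cfce1eab85cea22a345f304525d222a48785528b7e19f83b76a536a1895e3f32ea8153d93ddae29850dd7

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 509d64717dac5fc0a470a299f8ef79bf
SHA1 6fd2eb4a006327a3415d3bd4385f130869167a15
SHA256 0a4bbbeea3e8238fde32e48eee2d2eb5d159498e2ce8a916d399807a016db267
SHA512 55d0cd0d8b0fd4ebbb449edfa510a666bdcd8968f0bfbb19fdc3e806c68aec1cf6bbf3e78b860741f6f149f463f331cd7d0d57d42bb4c911945063681f68df8b
"""

def parse_files_section(text):
    """A path line followed by 'ALG hex' lines -> {path: {alg: digest}}; malformed digests raise."""
    entries, current = {}, None
    for line in (l.strip() for l in text.strip().splitlines()):
        m = DIGEST_RE.match(line)
        if m and current is not None:
            alg, digest = m.group(1), m.group(2).lower()
            if len(digest) != DIGEST_LEN[alg]:
                raise ValueError(f"{current}: {alg} has {len(digest)} hex digits, expected {DIGEST_LEN[alg]}")
            entries[current][alg] = digest
        elif line:
            current, entries[line] = line, {}
    return entries

def classify_path(path, hashes, submitted_sha256=SUBMITTED_SHA256):
    """Editor's own triage buckets (an assumption, not labels the sandbox assigns)."""
    p = path.lower()
    if hashes.get("SHA256") == submitted_sha256.lower():
        return "cached copy of the submitted package"
    if "system volume information" in p:
        return "restore-point snapshot metadata"
    if p.startswith("c:\\config.msi\\") or re.search(r"\\msi[0-9a-f]+\.tmp$", p):
        return "installer rollback/temp file"
    return "installed payload"

def triage_files(text, submitted_sha256=SUBMITTED_SHA256):
    return {path: {"class": classify_path(path, h, submitted_sha256), "sha256": h.get("SHA256")}
            for path, h in parse_files_section(text).items()}

def payload_sha256s(triage):
    """Hashes worth pivoting on: files that are neither the package itself nor installer housekeeping."""
    return sorted(v["sha256"] for v in triage.values() if v["class"] == "installed payload")

if __name__ == "__main__":
    for path, info in triage_files(FILES_SECTION).items():
        print(f"{info['class']:40} {path}")
    print("pivot hashes:", payload_sha256s(triage_files(FILES_SECTION)))
```

On the five constructed entries only Koalageddon.exe survives the filter; run over the whole section, the same rule also keeps the LICENSE and COPYRIGHT files under runtime\legal, which are bundled JDK text and can be dismissed by extension before the remaining hashes are checked against a reputation source.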