gh0strat | 092ff5eeddfd265d8f37c5a9afbf7c3018ba65fcd0dd59c0237f7e04d1915060

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2024 19:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2345pic_x64.msi
Size

79.4MB
MD5

fe984489b63aa7cd7aee6c48fe69e08d
SHA1

b5cac8c66311b7601e0ef2a1d134bf06a8079497
SHA256

092ff5eeddfd265d8f37c5a9afbf7c3018ba65fcd0dd59c0237f7e04d1915060
SHA512

806872b46c843727d4a980e46fef0a662115a6429868e74c8889d9363323008797c5b11ad54bb524709cb26087a8bec42b0051f701af4766ee7227068a7a0e92
SSDEEP

1572864:NmsJ8LVVmCjLbWQVZq/5u3dOdYMBWkAhIo/qQXAbJqWOm9uUQerttNG2MZ7dE:ojyCjLLZq/5ukpBVMWchl5erttNXMZ7S

Score

10^/10

gh0strat purplefox discovery execution persistence privilege_escalation rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 4 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/2644-110-0x000000002BB10000-0x000000002BCCD000-memory.dmp	purplefox_rootkit
behavioral2/memory/2644-112-0x000000002BB10000-0x000000002BCCD000-memory.dmp	purplefox_rootkit
behavioral2/memory/2644-113-0x000000002BB10000-0x000000002BCCD000-memory.dmp	purplefox_rootkit
behavioral2/memory/2644-114-0x000000002BB10000-0x000000002BCCD000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/2644-110-0x000000002BB10000-0x000000002BCCD000-memory.dmp	family_gh0strat
behavioral2/memory/2644-112-0x000000002BB10000-0x000000002BCCD000-memory.dmp	family_gh0strat
behavioral2/memory/2644-113-0x000000002BB10000-0x000000002BCCD000-memory.dmp	family_gh0strat
behavioral2/memory/2644-114-0x000000002BB10000-0x000000002BCCD000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2140	powershell.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	aAvapbvtIRjv.exe
File opened (read-only)	\??\L:	aAvapbvtIRjv.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	aAvapbvtIRjv.exe
File opened (read-only)	\??\U:	aAvapbvtIRjv.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	aAvapbvtIRjv.exe
File opened (read-only)	\??\W:	aAvapbvtIRjv.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	aAvapbvtIRjv.exe
File opened (read-only)	\??\R:	aAvapbvtIRjv.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	aAvapbvtIRjv.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	aAvapbvtIRjv.exe
File opened (read-only)	\??\J:	aAvapbvtIRjv.exe
File opened (read-only)	\??\I:	aAvapbvtIRjv.exe
File opened (read-only)	\??\Y:	aAvapbvtIRjv.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	aAvapbvtIRjv.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	aAvapbvtIRjv.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	aAvapbvtIRjv.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	aAvapbvtIRjv.exe
File opened (read-only)	\??\K:	aAvapbvtIRjv.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	aAvapbvtIRjv.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\jnSNQNClfnFm.exe.log	jnSNQNClfnFm.exe

Drops file in Program Files directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv	wBtkOfXYmrXB.exe
File created	C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe	wBtkOfXYmrXB.exe
File opened for modification	C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.wrapper.log	jnSNQNClfnFm.exe
File created	C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe	msiexec.exe
File created	C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.vbs	aAvapbvtIRjv.exe
File created	C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv	wBtkOfXYmrXB.exe
File created	C:\Program Files\EnableMagneticOverseer\valibclang2d.dll	msiexec.exe
File created	C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.xml	wBtkOfXYmrXB.exe
File opened for modification	C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe	wBtkOfXYmrXB.exe
File created	C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe	wBtkOfXYmrXB.exe
File opened for modification	C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.wrapper.log	jnSNQNClfnFm.exe
File created	C:\Program Files\EnableMagneticOverseer\2345pic_x64.exe	msiexec.exe
File opened for modification	C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.xml	wBtkOfXYmrXB.exe
File opened for modification	C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe	wBtkOfXYmrXB.exe
File opened for modification	C:\Program Files\EnableMagneticOverseer	aAvapbvtIRjv.exe
File opened for modification	C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.wrapper.log	jnSNQNClfnFm.exe
File created	C:\Program Files\EnableMagneticOverseer\oFRhddqMXWXkbbeDGqHg	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{944047DE-2AC8-485B-B376-DA72238E3394}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB381.tmp	msiexec.exe
File created	C:\Windows\Installer\e57b0f3.msi	msiexec.exe
File created	C:\Windows\Installer\e57b0f1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57b0f1.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Executes dropped EXE 8 IoCs

pid	Process
4228	wBtkOfXYmrXB.exe
2748	aAvapbvtIRjv.exe
1756	2345pic_x64.exe
2704	jnSNQNClfnFm.exe
2204	jnSNQNClfnFm.exe
3052	jnSNQNClfnFm.exe
3172	aAvapbvtIRjv.exe
2644	aAvapbvtIRjv.exe

Loads dropped DLL 5 IoCs

pid	Process
1756	2345pic_x64.exe
1756	2345pic_x64.exe
1756	2345pic_x64.exe
1756	2345pic_x64.exe
1756	2345pic_x64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1288	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wBtkOfXYmrXB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aAvapbvtIRjv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2345pic_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aAvapbvtIRjv.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aAvapbvtIRjv.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a47b29fbd6f9c3720000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a47b29fb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a47b29fb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da47b29fb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a47b29fb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	aAvapbvtIRjv.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	aAvapbvtIRjv.exe

Modifies data under HKEY_USERS 56 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\Version = "16973827"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1EC50D645954B34429904554B396BE7B	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\ProductName = "EnableMagneticOverseer"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\SourceList\PackageName = "2345pic_x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\PackageCode = "4FD2201DFC0C4BE40B0948F4609DD271"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\ED7404498CA2B5843B67AD2732E83349\ProductFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\ED7404498CA2B5843B67AD2732E83349\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1EC50D645954B34429904554B396BE7B\ED7404498CA2B5843B67AD2732E83349	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\ED7404498CA2B5843B67AD2732E83349	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4152	msiexec.exe
4152	msiexec.exe
2140	powershell.exe
2140	powershell.exe
2140	powershell.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe
2748	aAvapbvtIRjv.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1288	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1288	msiexec.exe
Token: SeSecurityPrivilege	4152	msiexec.exe
Token: SeCreateTokenPrivilege	1288	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1288	msiexec.exe
Token: SeLockMemoryPrivilege	1288	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1288	msiexec.exe
Token: SeMachineAccountPrivilege	1288	msiexec.exe
Token: SeTcbPrivilege	1288	msiexec.exe
Token: SeSecurityPrivilege	1288	msiexec.exe
Token: SeTakeOwnershipPrivilege	1288	msiexec.exe
Token: SeLoadDriverPrivilege	1288	msiexec.exe
Token: SeSystemProfilePrivilege	1288	msiexec.exe
Token: SeSystemtimePrivilege	1288	msiexec.exe
Token: SeProfSingleProcessPrivilege	1288	msiexec.exe
Token: SeIncBasePriorityPrivilege	1288	msiexec.exe
Token: SeCreatePagefilePrivilege	1288	msiexec.exe
Token: SeCreatePermanentPrivilege	1288	msiexec.exe
Token: SeBackupPrivilege	1288	msiexec.exe
Token: SeRestorePrivilege	1288	msiexec.exe
Token: SeShutdownPrivilege	1288	msiexec.exe
Token: SeDebugPrivilege	1288	msiexec.exe
Token: SeAuditPrivilege	1288	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1288	msiexec.exe
Token: SeChangeNotifyPrivilege	1288	msiexec.exe
Token: SeRemoteShutdownPrivilege	1288	msiexec.exe
Token: SeUndockPrivilege	1288	msiexec.exe
Token: SeSyncAgentPrivilege	1288	msiexec.exe
Token: SeEnableDelegationPrivilege	1288	msiexec.exe
Token: SeManageVolumePrivilege	1288	msiexec.exe
Token: SeImpersonatePrivilege	1288	msiexec.exe
Token: SeCreateGlobalPrivilege	1288	msiexec.exe
Token: SeBackupPrivilege	3436	vssvc.exe
Token: SeRestorePrivilege	3436	vssvc.exe
Token: SeAuditPrivilege	3436	vssvc.exe
Token: SeBackupPrivilege	4152	msiexec.exe
Token: SeRestorePrivilege	4152	msiexec.exe
Token: SeRestorePrivilege	4152	msiexec.exe
Token: SeTakeOwnershipPrivilege	4152	msiexec.exe
Token: SeRestorePrivilege	4152	msiexec.exe
Token: SeTakeOwnershipPrivilege	4152	msiexec.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeRestorePrivilege	4228	wBtkOfXYmrXB.exe
Token: 35	4228	wBtkOfXYmrXB.exe
Token: SeSecurityPrivilege	4228	wBtkOfXYmrXB.exe
Token: SeSecurityPrivilege	4228	wBtkOfXYmrXB.exe
Token: SeRestorePrivilege	4152	msiexec.exe
Token: SeTakeOwnershipPrivilege	4152	msiexec.exe
Token: SeBackupPrivilege	2440	srtasks.exe
Token: SeRestorePrivilege	2440	srtasks.exe
Token: SeSecurityPrivilege	2440	srtasks.exe
Token: SeTakeOwnershipPrivilege	2440	srtasks.exe
Token: SeRestorePrivilege	4152	msiexec.exe
Token: SeTakeOwnershipPrivilege	4152	msiexec.exe
Token: SeRestorePrivilege	4152	msiexec.exe
Token: SeTakeOwnershipPrivilege	4152	msiexec.exe
Token: SeRestorePrivilege	4152	msiexec.exe
Token: SeTakeOwnershipPrivilege	4152	msiexec.exe
Token: SeRestorePrivilege	4152	msiexec.exe
Token: SeTakeOwnershipPrivilege	4152	msiexec.exe
Token: SeRestorePrivilege	4152	msiexec.exe
Token: SeTakeOwnershipPrivilege	4152	msiexec.exe
Token: SeRestorePrivilege	4152	msiexec.exe
Token: SeTakeOwnershipPrivilege	4152	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1288	msiexec.exe
1288	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 4152 wrote to memory of 2440	4152	msiexec.exe	103
PID 4152 wrote to memory of 2440	4152	msiexec.exe	103
PID 4152 wrote to memory of 4948	4152	msiexec.exe	105
PID 4152 wrote to memory of 4948	4152	msiexec.exe	105
PID 1420 wrote to memory of 4228	1420	cmd.exe	110
PID 1420 wrote to memory of 4228	1420	cmd.exe	110
PID 1420 wrote to memory of 4228	1420	cmd.exe	110
PID 3052 wrote to memory of 3172	3052	jnSNQNClfnFm.exe	125
PID 3052 wrote to memory of 3172	3052	jnSNQNClfnFm.exe	125
PID 3052 wrote to memory of 3172	3052	jnSNQNClfnFm.exe	125
PID 3172 wrote to memory of 2644	3172	aAvapbvtIRjv.exe	127
PID 3172 wrote to memory of 2644	3172	aAvapbvtIRjv.exe	127
PID 3172 wrote to memory of 2644	3172	aAvapbvtIRjv.exe	127

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2345pic_x64.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1288

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4152
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2440
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 97BD6BCC314B99253285F4884BC83808 E Global\MSI0000
  2⤵
  - Modifies data under HKEY_USERS
  PID:4948
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\EnableMagneticOverseer'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2140
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start "" "C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe" x "C:\Program Files\EnableMagneticOverseer\oFRhddqMXWXkbbeDGqHg" -o"C:\Program Files\EnableMagneticOverseer\" -phZJcWScQuNgsiGBeBDtN -y
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1420
  - - C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe
      "C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe" x "C:\Program Files\EnableMagneticOverseer\oFRhddqMXWXkbbeDGqHg" -o"C:\Program Files\EnableMagneticOverseer\" -phZJcWScQuNgsiGBeBDtN -y
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:4228
- - C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe
    "C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe" -number 182 -file file3 -mode mode3 -flag flag3
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2748
- - C:\Program Files\EnableMagneticOverseer\2345pic_x64.exe
    "C:\Program Files\EnableMagneticOverseer\2345pic_x64.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3436

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.vbs"
1⤵
- Modifies data under HKEY_USERS
PID:988

C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe
"C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe" install
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
PID:2704

C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe
"C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe" start
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:2204

C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe
"C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3052
- C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe
  "C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe" -number 250 -file file3 -mode mode3 -flag flag3
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3172
- - C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe
    "C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe" -number 132 -file file3 -mode mode3 -flag flag3
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57b0f2.rbs

Filesize
7KB

MD5
851800007bcc185617169b7108985d08

SHA1
3e1194c3ced3e68c5153e77d6cd305fdc275e51f

SHA256
5f5807c2d168ad29e650497dac77bec86e8679cd8e44b8baf0f776545a83a743

SHA512
5db93a3dff7ab69bf7fda5cdbe4cf4b6c4c8e326c4765400252d598ee9b007b1d3ad10232a931dfeda6f3ac1a65f5dd827a9d64779d374c84d2176ceffdacb78

Download Submit
C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe

Filesize
3.2MB

MD5
90a521d21169049fdf1a244fc2989377

SHA1
e9b0db47e89683444ba886fa8091167e160f6b30

SHA256
7dd65fb863051edda07d0f84c65c36cd7388aa28464eb3f6c541f73c9f195f41

SHA512
e20e25cf49489861dcb00cb4b38f9c96b26b016b55a9b92ab082ef422db98dad3936b6918b65f1874ba4fe1a0208e8bae701aaf3d7e3bdcca3f046eb0826f8dc

Download Submit
C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.vbs

Filesize
2KB

MD5
1e0499cb02d625084bc87bdc378c766f

SHA1
4a28d0d6b3f69ab3254a08be8a102bf5690d661f

SHA256
0a3a48ab6d2e8cb621cef3949557ee289d566f788e99d1091fb1a4fa838273b7

SHA512
37b147378920a187bb9d18ef930d9e86d12b238657e794398f32065b77211c165a6c680421d44742508d3bdbd0143431b0c37cc05056e9ce5ad1fc54727ff370

Download Submit
C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.wrapper.log

Filesize
735B

MD5
44c1b875e1bb492c30aa7bc1317fba57

SHA1
0803604b28f7870f8792859d1efef2a0b87a324f

SHA256
ac86018ab18725249a1140067821018df2032fec848bbb75c1ecd5c7b2a46ef7

SHA512
6cab19eb8ccd2c55bf73bbecb8d5810390461f5a30e18d4197831299935b3a3a2ee3dea7818b3516eb4ef5c980980a0ed928dddc5742a1fadda3c3195f019359

Download Submit
C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.wrapper.log

Filesize
266B

MD5
78ba3045635f88667722f75e6289387f

SHA1
b7ebaeed05218fff81d35eccfe0de248bc93c601

SHA256
2ae899c3350e5bb5ab31dddcb5ae93fdd41e84bb40e74e24e3097c709ea237aa

SHA512
ad9a74f959d48246b740bd71cca2a3936c7408e0330635575a2f8121c0e2f12ab7901ccb09a46ca9cea5814fa4cf1a790adb29cca656d72b7f7b55ac4ddfd548

Download Submit
C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.wrapper.log

Filesize
422B

MD5
7d0612a70d69edd1df3406459ac03232

SHA1
c8daa712a3afc6654a7ef2cc77df971d37713882

SHA256
74f9fb307bb56a6d10fbdaf4b1718501440c5483c5c833dc5f0081a15b984eed

SHA512
158d84ea02828a2b5229738fe5beb5cbc396b42500c641b22c68d95c2248f858a82101afe39d9ed69dc9d676c4f9b4b599ebc9bc18f084589fb17c0f309697ed

Download Submit
C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.wrapper.log

Filesize
588B

MD5
4af729173f774e3081b019332e07ff0d

SHA1
6e589a16f7384563deb9a2894f2c5b1034a769a5

SHA256
64ee1509e402811d28928e85b7c9754007cea8fdf5f1ce22947e06ff821ecd32

SHA512
2243f99b3b2af86720ed7bec26b44a87bb98092e87f2e0f5db0d04c264881b890e81f8e392bc0e9244cfbdfc625cf05965d5a7b16545aa96ca034c932690b3bb

Download Submit
C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.xml

Filesize
437B

MD5
5bb0d373e349c5b338e75bb61087c8a7

SHA1
7f1ef7fdfd8be7d238dbda9a8742abd0e584e788

SHA256
82c7224a57ffe8384766daf2c00acb148d9ca79db5cb2bc222ec9f385bcd966c

SHA512
f887e41966eda84cafb7e003f946116be2d9dcc8fe1578050f296771ff8735fee06730de5cd1c7408148d91b61f5c87515c1b53440191e5a31f08317c6758a49

Download Submit
C:\Program Files\EnableMagneticOverseer\oFRhddqMXWXkbbeDGqHg

Filesize
2.4MB

MD5
5ac34b87f21ae7fedf4dc629181decf0

SHA1
3890201e28d44a46b6e810b5bc5eddfec78d92b9

SHA256
ffc5b747ee4183aa7b298e7e296981d19321c208ae40b0052f1965033da5ebb4

SHA512
fbfee20bf2795f2e67ef24a1add342d61c131226ab74638447c5be70f4acd0ad9e51db1f58e69e4785446e2af71208a729636c0a79db1415712e67ebad8c2eda

Download Submit
C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe

Filesize
577KB

MD5
c31c4b04558396c6fabab64dcf366534

SHA1
fa836d92edc577d6a17ded47641ba1938589b09a

SHA256
9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3

SHA512
814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qs2ybkid.vsa.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuDDFE.tmp\FileInfo.dll

Filesize
624KB

MD5
cc7eab4f83339cca63f763114ca04c6c

SHA1
4da526e8b270dc16865813801dc5bcda8162c09d

SHA256
a1c9c3b3bc8e75aa91f639da10835210e81aeb7fb5db79ac0703e1594e516b5b

SHA512
d1df9bdb61dcc95e579adf4891c000feee83f9f4a3f82debca617fb62afff16707707681c2f2655aa02756873d5251db74d5b843ec56c3e12ab1120355360ef0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuDDFE.tmp\RCWidgetPlugin.dll

Filesize
2.4MB

MD5
2f2ae26fd88c512ac0feb39fa42ee894

SHA1
ac50a5fd61933bdd2a54e6503e39438f05af3304

SHA256
9117cafe403e445a291141ee898845799a165c383d3dfcf76c1870f66782e6b1

SHA512
b919244cd08118a2258cb062e5ce3a4626d82ed0ca3600a018bdb97962b9f96d57d1a08d338fd41fbae4af72debf7840707f67d442e53ec8a15cb8002ee725e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuDDFE.tmp\System.dll

Filesize
27KB

MD5
a568feaa357f44dd50c5e447fa8ee1b2

SHA1
5c765fad342b756d5ea522087c6f7567b5f3ed57

SHA256
57947a15ad3215185c7e15a5f0da393570845a13ab7b184a07fcefbf97537e48

SHA512
7c8c36c0123de839e677beeba65c1af56c5e85d8f1ff2c94950aed33e026dff3fbda8c49859012862110117977c928b814c0d91c477583a2b8f83d73f3cdf174

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsuDDFE.tmp\libcurl_x86.dll

Filesize
2.1MB

MD5
a26e75c0407c87786eea42febdb32532

SHA1
27e52fdca023cb8f031cd55ac37965d93f7f7da7

SHA256
635f988beb849c6510f54f681387bf810c2266bd27834c5a9c160cbfe6df44d4

SHA512
fdd9760442579ad2a3df4f31464f9e66bc19a4390fa1c81afb516cce817097b5324024f712d9c1bf1a11ad30324f5a8aa83c72a732e1197e8804ab806d3859e6

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\jnSNQNClfnFm.exe.log

Filesize
1KB

MD5
122cf3c4f3452a55a92edee78316e071

SHA1
f2caa36d483076c92d17224cf92e260516b3cbbf

SHA256
42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

SHA512
c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
29ab2405da6a28eb5104a8bf44b8ca2d

SHA1
a482916d624545586dfea12c72616bcdca6ac530

SHA256
e2010c978618dab7de24d46c1d29b4a8b0f02f04f7970027df12d8600d11e68c

SHA512
492e9332cc002be84ac0c97b10be221b77525dc4527830322dc81111ac06cd7c638b2d3e404be04860b3b1729391d40c558c18d720db1f49b703a9ccf7c94e28

Download Submit
\??\Volume{fb297ba4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6c6b3dba-b0d5-4a40-88f9-ca9ec0fa82a1}_OnDiskSnapshotProp

Filesize
6KB

MD5
764ee0e690f16f76d810691bd205a55b

SHA1
25393403ec1eac9ef99aba7c804701cf17497f3b

SHA256
4150a142f9e660dfaab6361094dd8cea7a30a4e81c943e1ef7f4890944fca194

SHA512
d5555f4620aa609e671db27520d6eebf4e7460c2a6880392a2d8c0f962a2eea8e5f2258cec9b4af624e27a3d37cec7d22bfe41df2e5888334c72ecd15da5e9f1

Download Submit
memory/2140-15-0x0000017C992C0000-0x0000017C992E2000-memory.dmp

Filesize
136KB

Download
memory/2644-109-0x0000000029F00000-0x0000000029F4D000-memory.dmp

Filesize
308KB

Download
memory/2644-110-0x000000002BB10000-0x000000002BCCD000-memory.dmp

Filesize
1.7MB

Download
memory/2644-112-0x000000002BB10000-0x000000002BCCD000-memory.dmp

Filesize
1.7MB

Download
memory/2644-113-0x000000002BB10000-0x000000002BCCD000-memory.dmp

Filesize
1.7MB

Download
memory/2644-114-0x000000002BB10000-0x000000002BCCD000-memory.dmp

Filesize
1.7MB

Download
memory/2704-73-0x0000000000140000-0x0000000000216000-memory.dmp

Filesize
856KB

Download
memory/2748-38-0x0000000029A40000-0x0000000029A6F000-memory.dmp

Filesize
188KB

Download