Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-11-2024 12:45

Static task: static1
Behavioral task: behavioral1 (Sample 2345pic_x64.msi, Resource win7-20241010-en)
Behavioral task: behavioral2 (Sample 2345pic_x64.msi, Resource win10v2004-20241007-en)
General
Target: 2345pic_x64.msi
Size: 79.4MB
MD5: fe984489b63aa7cd7aee6c48fe69e08d
SHA1: b5cac8c66311b7601e0ef2a1d134bf06a8079497
SHA256: 092ff5eeddfd265d8f37c5a9afbf7c3018ba65fcd0dd59c0237f7e04d1915060
SHA512: 806872b46c843727d4a980e46fef0a662115a6429868e74c8889d9363323008797c5b11ad54bb524709cb26087a8bec42b0051f701af4766ee7227068a7a0e92
SSDEEP: 1572864:NmsJ8LVVmCjLbWQVZq/5u3dOdYMBWkAhIo/qQXAbJqWOm9uUQerttNG2MZ7dE:ojyCjLLZq/5ukpBVMWchl5erttNXMZ7S
Signatures
resource | yara_rule
behavioral2/memory/1796-110-0x000000002BF30000-0x000000002C0ED000-memory.dmp | purplefox_rootkit
behavioral2/memory/1796-112-0x000000002BF30000-0x000000002C0ED000-memory.dmp | purplefox_rootkit
behavioral2/memory/1796-113-0x000000002BF30000-0x000000002C0ED000-memory.dmp | purplefox_rootkit
behavioral2/memory/1796-114-0x000000002BF30000-0x000000002C0ED000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 4 IoCs
resource | yara_rule
behavioral2/memory/1796-110-0x000000002BF30000-0x000000002C0ED000-memory.dmp | family_gh0strat
behavioral2/memory/1796-112-0x000000002BF30000-0x000000002C0ED000-memory.dmp | family_gh0strat
behavioral2/memory/1796-113-0x000000002BF30000-0x000000002C0ED000-memory.dmp | family_gh0strat
behavioral2/memory/1796-114-0x000000002BF30000-0x000000002C0ED000-memory.dmp | family_gh0strat
Gh0strat family
Purplefox family
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
1056 | powershell.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\jnSNQNClfnFm.exe.log | jnSNQNClfnFm.exe
Drops file in Program Files directory 17 IoCs
description | ioc | Process
File created | C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe | msiexec.exe
File opened for modification | C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv | wBtkOfXYmrXB.exe
File opened for modification | C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe | wBtkOfXYmrXB.exe
File created | C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv | wBtkOfXYmrXB.exe
File created | C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe | wBtkOfXYmrXB.exe
File created | C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.vbs | aAvapbvtIRjv.exe
File created | C:\Program Files\EnableMagneticOverseer\2345pic_x64.exe | msiexec.exe
File created | C:\Program Files\EnableMagneticOverseer\oFRhddqMXWXkbbeDGqHg | msiexec.exe
File created | C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.xml | wBtkOfXYmrXB.exe
File created | C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe | wBtkOfXYmrXB.exe
File opened for modification | C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.wrapper.log | jnSNQNClfnFm.exe
File created | C:\Program Files\EnableMagneticOverseer\valibclang2d.dll | msiexec.exe
File opened for modification | C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.xml | wBtkOfXYmrXB.exe
File opened for modification | C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe | wBtkOfXYmrXB.exe
File opened for modification | C:\Program Files\EnableMagneticOverseer | aAvapbvtIRjv.exe
File opened for modification | C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.wrapper.log | jnSNQNClfnFm.exe
File opened for modification | C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.wrapper.log | jnSNQNClfnFm.exe
Drops file in Windows directory 8 IoCs
description | ioc | Process
File created | C:\Windows\Installer\e581700.msi | msiexec.exe
File created | C:\Windows\Installer\e5816fe.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e5816fe.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{944047DE-2AC8-485B-B376-DA72238E3394} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI1921.tmp | msiexec.exe
Executes dropped EXE 8 IoCs
pid | Process
2776 | wBtkOfXYmrXB.exe
4776 | aAvapbvtIRjv.exe
3948 | 2345pic_x64.exe
2292 | jnSNQNClfnFm.exe
4240 | jnSNQNClfnFm.exe
3908 | jnSNQNClfnFm.exe
3500 | aAvapbvtIRjv.exe
1796 | aAvapbvtIRjv.exe
Loads dropped DLL 5 IoCs
pid | Process
3948 | 2345pic_x64.exe
3948 | 2345pic_x64.exe
3948 | 2345pic_x64.exe
3948 | 2345pic_x64.exe
3948 | 2345pic_x64.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
2040 | msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2345pic_x64.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aAvapbvtIRjv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aAvapbvtIRjv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wBtkOfXYmrXB.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | aAvapbvtIRjv.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | aAvapbvtIRjv.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | aAvapbvtIRjv.exe
Modifies data under HKEY_USERS 56 IoCs
Modifies registry class 22 IoCs
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
2040 | msiexec.exe
2040 | msiexec.exe
Suspicious use of WriteProcessMemory 23 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe  (PID 2040)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2345pic_x64.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe  (PID 2044)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\srtasks.exe  (PID 4328)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

  C:\Windows\System32\MsiExec.exe  (PID 3676)
    Command line: C:\Windows\System32\MsiExec.exe -Embedding E81C7C33664124994C6310CA5C81DA5C E Global\MSI0000
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 1056)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\EnableMagneticOverseer'
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\cmd.exe  (PID 1536)
      Command line: "C:\Windows\System32\cmd.exe" /c start "" "C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe" x "C:\Program Files\EnableMagneticOverseer\oFRhddqMXWXkbbeDGqHg" -o"C:\Program Files\EnableMagneticOverseer\" -phZJcWScQuNgsiGBeBDtN -y
      - Suspicious use of WriteProcessMemory

      C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe  (PID 2776)
        Command line: "C:\Program Files\EnableMagneticOverseer\wBtkOfXYmrXB.exe" x "C:\Program Files\EnableMagneticOverseer\oFRhddqMXWXkbbeDGqHg" -o"C:\Program Files\EnableMagneticOverseer\" -phZJcWScQuNgsiGBeBDtN -y
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe  (PID 4776)
      Command line: "C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe" -number 182 -file file3 -mode mode3 -flag flag3
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files\EnableMagneticOverseer\2345pic_x64.exe  (PID 3948)
      Command line: "C:\Program Files\EnableMagneticOverseer\2345pic_x64.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery

C:\Windows\system32\vssvc.exe  (PID 2560)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WScript.exe  (PID 4824)
  Command line: C:\Windows\System32\WScript.exe "C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.vbs"
  - Modifies data under HKEY_USERS

C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe  (PID 2292)
  Command line: "C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe" install
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE

C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe  (PID 4240)
  Command line: "C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe" start
  - Drops file in Program Files directory
  - Executes dropped EXE

C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe  (PID 3908)
  Command line: "C:\Program Files\EnableMagneticOverseer\jnSNQNClfnFm.exe"
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe  (PID 3500)
    Command line: "C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe" -number 250 -file file3 -mode mode3 -flag flag3
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe  (PID 1796)
      Command line: "C:\Program Files\EnableMagneticOverseer\aAvapbvtIRjv.exe" -number 132 -file file3 -mode mode3 -flag flag3
      - Enumerates connected drives
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
MITRE ATT&CK Enterprise v15
Downloads