gh0strat | e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323

Analysis

max time kernel
5s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
16-11-2024 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323.msi
Size

37.8MB
MD5

1eb0c7fbfca2f95b76189279eadb9228
SHA1

ef89821dff0b19fb6bac92808f0e42fdd88eb7c7
SHA256

e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323
SHA512

d22f351cbaa2ac225ff9c472c0404098a332bc4de1ca29465d5e6189e3420b2107e7cf6c087dcde0bf05a39668f751484a72386e7055e63be6ba355fea3e4e7e
SSDEEP

786432:ouZ/E3Y4OJSMSsNuicJ6AEJX9WQnItNe4mzSllmeALf:RMYTJG5EtJnGNe4mzSfn

Score

10^/10

gh0strat purplefox discovery execution persistence privilege_escalation rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 4 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/4040-131-0x000000002C2E0000-0x000000002C49C000-memory.dmp	purplefox_rootkit
behavioral2/memory/4040-134-0x000000002C2E0000-0x000000002C49C000-memory.dmp	purplefox_rootkit
behavioral2/memory/4040-133-0x000000002C2E0000-0x000000002C49C000-memory.dmp	purplefox_rootkit
behavioral2/memory/4040-135-0x000000002C2E0000-0x000000002C49C000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/4040-131-0x000000002C2E0000-0x000000002C49C000-memory.dmp	family_gh0strat
behavioral2/memory/4040-134-0x000000002C2E0000-0x000000002C49C000-memory.dmp	family_gh0strat
behavioral2/memory/4040-133-0x000000002C2E0000-0x000000002C49C000-memory.dmp	family_gh0strat
behavioral2/memory/4040-135-0x000000002C2E0000-0x000000002C49C000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4424	powershell.exe

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1528	msiexec.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4136	PING.EXE
4168	cmd.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009fc5eef0dbaffe7c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009fc5eef00000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809009fc5eef0000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d9fc5eef0000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009fc5eef000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4136	PING.EXE

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1528	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1528	msiexec.exe
Token: SeSecurityPrivilege	3620	msiexec.exe
Token: SeCreateTokenPrivilege	1528	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1528	msiexec.exe
Token: SeLockMemoryPrivilege	1528	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1528	msiexec.exe
Token: SeMachineAccountPrivilege	1528	msiexec.exe
Token: SeTcbPrivilege	1528	msiexec.exe
Token: SeSecurityPrivilege	1528	msiexec.exe
Token: SeTakeOwnershipPrivilege	1528	msiexec.exe
Token: SeLoadDriverPrivilege	1528	msiexec.exe
Token: SeSystemProfilePrivilege	1528	msiexec.exe
Token: SeSystemtimePrivilege	1528	msiexec.exe
Token: SeProfSingleProcessPrivilege	1528	msiexec.exe
Token: SeIncBasePriorityPrivilege	1528	msiexec.exe
Token: SeCreatePagefilePrivilege	1528	msiexec.exe
Token: SeCreatePermanentPrivilege	1528	msiexec.exe
Token: SeBackupPrivilege	1528	msiexec.exe
Token: SeRestorePrivilege	1528	msiexec.exe
Token: SeShutdownPrivilege	1528	msiexec.exe
Token: SeDebugPrivilege	1528	msiexec.exe
Token: SeAuditPrivilege	1528	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1528	msiexec.exe
Token: SeChangeNotifyPrivilege	1528	msiexec.exe
Token: SeRemoteShutdownPrivilege	1528	msiexec.exe
Token: SeUndockPrivilege	1528	msiexec.exe
Token: SeSyncAgentPrivilege	1528	msiexec.exe
Token: SeEnableDelegationPrivilege	1528	msiexec.exe
Token: SeManageVolumePrivilege	1528	msiexec.exe
Token: SeImpersonatePrivilege	1528	msiexec.exe
Token: SeCreateGlobalPrivilege	1528	msiexec.exe
Token: SeBackupPrivilege	4468	vssvc.exe
Token: SeRestorePrivilege	4468	vssvc.exe
Token: SeAuditPrivilege	4468	vssvc.exe
Token: SeBackupPrivilege	3620	msiexec.exe
Token: SeRestorePrivilege	3620	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1528	msiexec.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1528

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3620
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3820
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 4EB3F3AEE0CC0ADB270B0B124E2FE9CA E Global\MSI0000
  2⤵
  PID:2820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\UpgradeValiantSupervisor','C:\Program Files','C:\Program Files'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:4424
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\FRHCPRDSCKpKTwMdXJauvGnbrrBSLW" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"44087mU[5d*Fa.9tO{bb" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\jJdRJSuAKBvtXRTgfinkngKoulBasD" -x!1_ZhObbZwOavDN.exe -x!sss -x!1_YeIgTCQVJGErbtEGGiDlTxgCffkbDZ.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\UpgradeValiantSupervisor\" -p"04434k+1^Z$HJ^mp6+xz" -y
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    PID:4168
  - - C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe
      "C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\FRHCPRDSCKpKTwMdXJauvGnbrrBSLW" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"44087mU[5d*Fa.9tO{bb" -y
      4⤵
      PID:2716
  - - C:\Windows\system32\PING.EXE
      ping 127.0.0.1 -n 2
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:4136
  - - C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe
      "C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\jJdRJSuAKBvtXRTgfinkngKoulBasD" -x!1_ZhObbZwOavDN.exe -x!sss -x!1_YeIgTCQVJGErbtEGGiDlTxgCffkbDZ.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\UpgradeValiantSupervisor\" -p"04434k+1^Z$HJ^mp6+xz" -y
      4⤵
      PID:3692
- - C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
    "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 110 -file file3 -mode mode3
    3⤵
    PID:3496
- - C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe
    "C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe"
    3⤵
    PID:3300

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4468

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs"
1⤵
PID:4796

C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe
"C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe" install
1⤵
PID:1904

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2336

C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe
"C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe" start
1⤵
PID:3664

C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe
"C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe"
1⤵
PID:2464
- C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
  "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 201 -file file3 -mode mode3
  2⤵
  PID:1792
- - C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
    "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 62 -file file3 -mode mode3
    3⤵
    PID:4040

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57f118.rbs

Filesize
8KB

MD5
c01bde10715281a1731bb3ee6ef3de6a

SHA1
13bf9b0de18d2dd33b821c08aa30b7eca0fcf06e

SHA256
c11916efd9888110f9ce1b8d12af440c691a0e3c0f3392d1ff968bbe04d3eff9

SHA512
55912f5504c8edca51a2177aad2eecdeebccd94ae28a84b53bb6ae8a00bffdf42c2a790341e86f0a04684b0bdd6f68c6bec0571575136e20375f60407c8a3f4b

Download Submit
C:\Program Files\UpgradeValiantSupervisor\FRHCPRDSCKpKTwMdXJauvGnbrrBSLW

Filesize
1.5MB

MD5
3833fb3821f72c1ed7afd41df3e485c5

SHA1
5a2224f9c26e4d9e1e406ecc8a18c2dfb4400ba2

SHA256
d4dd1cf01cc90001906f73290d3e2ddbb3c29f3d6fba25b68e07498d8072fe7f

SHA512
8ec522441c166d4a04604a44b617f8848c6f203c8975702b242180dadc6a7bf5c8e1e0c6f4f742d29058baaeb499d0b64eca0fb90762b7f0224b9c19da7ed19a

Download Submit
C:\Program Files\UpgradeValiantSupervisor\MOELauncherSetup_V0TKW.exe

Filesize
35.6MB

MD5
f0b4afeb9a9582a84c04d33b4f9c93e5

SHA1
0b9229e8e3879fc4d1310ba493280894cac1f259

SHA256
d71c5c27f6e68be09e40921321a2c6d3b95f65787c33dcc2d66e6939a798a3c9

SHA512
d4c3593590a5574bbfc1270d3aca3b419ea5126735206b5e2104e42fda961844ba90073ebacd917b9b0152c103670d1a64b88c76b03b358feae73794418abe51

Download Submit
C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe

Filesize
577KB

MD5
c31c4b04558396c6fabab64dcf366534

SHA1
fa836d92edc577d6a17ded47641ba1938589b09a

SHA256
9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3

SHA512
814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

Download Submit
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe

Filesize
832KB

MD5
d305d506c0095df8af223ac7d91ca327

SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a

SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66

SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Download Submit
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log

Filesize
280B

MD5
c9d4b9bac2f0dd4fdde0d584569a6e19

SHA1
ec3f7db5916ed216e70f54cd02ef637f3375ddcf

SHA256
b4a0468756dd9cb04626c092938d0a95a798cf824bbb6b5f4b8925642a8dfc5f

SHA512
2f196329d353b3af762831db9cb65baa87cd31fa355f9b25c4b7e05245780166300be4a9f556234c8ecfacb95f788c0be6a50fea6043350868062d786ddb3cf9

Download Submit
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log

Filesize
443B

MD5
8168d3f2cc278a7b1989cb30b1db8fcc

SHA1
73723de99cd003e6fecbebe22b25c23688f6cd4e

SHA256
d1803239cf1ae035277b41a52c5e3396c5de0faff1161d066c4c54ea2e9e227f

SHA512
5dcfc55c50c77b012c699bb490767a1433191937f665cc8ed52a77202f1ce13ef71b520e0a336f64d541fe668fa3bddd53c2a72348097c24ceb01cbc6bd5cb4e

Download Submit
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log

Filesize
507B

MD5
de70b3b0802d080b12bce271710272be

SHA1
c0ef78df98ad8dcc55882242a69641908949b608

SHA256
d058e7854ead100812f561f9ce62741cd553f79fab6bdedc77d7791ff0d0b6ce

SHA512
8a93a6a16172c3f691552a9ddad7eb93567399695c112ae0f183f98902c46f604937dd98d852600057ce558bbccb8c72b55e8f971cde5a85d9435db0efeff252

Download Submit
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log

Filesize
753B

MD5
d36cd9f7b53aa5e872c0b5066bdb0207

SHA1
7538cdc707b11e87cfa9a773f5e014e9e2072cce

SHA256
4cc337fe7351cd04ce337e960b32defd137b53ab80967c3991a94e2421702806

SHA512
09fc4b45b53deb499453dbb758daa40ca4db3c885195e46ba65d887e4bf484f122997014ca3aa43393ed3bba72ec9dd13b6c229997f0080b00127876f330da9f

Download Submit
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml

Filesize
436B

MD5
3f54f113618979895a594867928e7a97

SHA1
37a21073b03c367d0c067761c814c23b15e44bd6

SHA256
d35e118f96d6b43194147d2e4e3d41fd73c81d83ba60d6070215547dd4b228ae

SHA512
664b6cc1ea0d02cf16a127bef3f5f61eedcdab60553c72d1f49058736f852184419ac28c9fc720d7e50312f9b439a90b5c246e98c313d5a9ec932dba5c0bfb8b

Download Submit
C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe

Filesize
1.0MB

MD5
f90ddf18d65bb3153bcdfdc4856ce2a5

SHA1
611376391f17207d60ca8c2ec81354933f8dac45

SHA256
62eef5a5e363624007bc29a6ecd3275aec2e5a67eef058df404d145c90e3a0ce

SHA512
f3f20f216ab6fd055f8d494f2758512413cb1cf121a2b51cae4e7b371a595b4dfe8ed4213aa759ccc4569ad6ed792f936304bfb4aac2952a79a3b2bccd293316

Download Submit
C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe

Filesize
2.1MB

MD5
124b1390f39511fa043e99578d4fad57

SHA1
9f2e13afe318878167328104b6710ad53f1f168b

SHA256
f65559e20b9473aa23450850ac2a0a6d6045a8987236db6ff9b2b3e448e569e9

SHA512
eb0d19da7f3e775ca6e36f0c51f7a83116a16b6096dd0c5e42ef23a4cdcf2cea805e928092c2adc6c78138455b2b2fb7f62dfe287ead2fb3ee7dd0e86f16c9ac

Download Submit
C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs

Filesize
2KB

MD5
31cb7c228337b05b262877c9d1d31f40

SHA1
c67ef4beb96061c1bdf53334e125dde65d079e2a

SHA256
f3acc593d2324d95131363105f89f5e97a0d251a997eab95486b8f0ffe76baee

SHA512
fda05de734d8dadd6250687bdd9e74a1ee833f860ddb296faac2e7c1251cd2a346e31e68590d6694ab504982815482b888b9328ab5248a431d6ae9df30997be8

Download Submit
C:\Program Files\UpgradeValiantSupervisor\jJdRJSuAKBvtXRTgfinkngKoulBasD

Filesize
1.5MB

MD5
7dae674c54e91c0389acc2bba94104fa

SHA1
3104b569de1d4086bc9a691e0c99399920ee6475

SHA256
605d7822ebc5196145cd4a01510b85dcac29fdfff6c48cab892f3dd10c749a9b

SHA512
6e896a29b736c09fbe7abe6e21653f4c9f2e6c26ee4790d371b45935bc075ee865534b9dabf78c2fb2432de2ae6087d4277cf6297fd0eb6e1474ff6d92a0616f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp1141.tmp

Filesize
1KB

MD5
a10f31fa140f2608ff150125f3687920

SHA1
ec411cc7005aaa8e3775cf105fcd4e1239f8ed4b

SHA256
28c871238311d40287c51dc09aee6510cac5306329981777071600b1112286c6

SHA512
cf915fb34cd5ecfbd6b25171d6e0d3d09af2597edf29f9f24fa474685d4c5ec9bc742ade9f29abac457dd645ee955b1914a635c90af77c519d2ada895e7ecf12

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kaygpyy4.jhp.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Installer\e57f117.msi

Filesize
37.8MB

MD5
1eb0c7fbfca2f95b76189279eadb9228

SHA1
ef89821dff0b19fb6bac92808f0e42fdd88eb7c7

SHA256
e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323

SHA512
d22f351cbaa2ac225ff9c472c0404098a332bc4de1ca29465d5e6189e3420b2107e7cf6c087dcde0bf05a39668f751484a72386e7055e63be6ba355fea3e4e7e

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QtrVrzdIjlZB.exe.log

Filesize
1KB

MD5
122cf3c4f3452a55a92edee78316e071

SHA1
f2caa36d483076c92d17224cf92e260516b3cbbf

SHA256
42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0

SHA512
c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
c5a17d5f0cac4ecfae0aa0daab3f672f

SHA1
1658ac7a8f2220cb639d8e80116a4fcb9fab2fa2

SHA256
9afd0449c372075470b16f98ccf888cbcd446c81c5c4b63136a9ff88f5981025

SHA512
4be00026665cc9607dc8c3b31e91cffe4a4f8b35516c2f3ed244e8b1054e5eb9138ed6dc4cea128126d576ec3a0f533d3242338b3caae079fad981eb349d3abe

Download Submit
\??\Volume{f0eec59f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6ed272e6-feb3-4a1f-b022-325f3ee5e0d4}_OnDiskSnapshotProp

Filesize
6KB

MD5
030c33729308c4774b24c9b8939b2cd0

SHA1
e9bb4bce771714f7e8a1149d853141e48c55dacd

SHA256
b81505171aa7b78bdb4af5bcdcac0c06c61fe7e16dff97548348eb26db8c8cc9

SHA512
684ac3bc35b532c16b0a93cfa0a0d08c68015918bf1715e576251fdbb21a5bf06a3bdf121341a28df3b0077da531e34c5fcb40ec252d1a83e5729133716dd4d7

Download Submit
memory/1904-77-0x0000000000530000-0x0000000000606000-memory.dmp

Filesize
856KB

Download
memory/3300-54-0x000002AC3DD90000-0x000002AC3DE92000-memory.dmp

Filesize
1.0MB

Download
memory/3300-70-0x000002AC3FD00000-0x000002AC3FD0A000-memory.dmp

Filesize
40KB

Download
memory/3300-98-0x000002AC5C690000-0x000002AC5C6C8000-memory.dmp

Filesize
224KB

Download
memory/3300-92-0x000002AC594B0000-0x000002AC594C2000-memory.dmp

Filesize
72KB

Download
memory/3300-97-0x000002AC59F30000-0x000002AC59F38000-memory.dmp

Filesize
32KB

Download
memory/3300-106-0x000002AC5CA20000-0x000002AC5CA46000-memory.dmp

Filesize
152KB

Download
memory/3300-99-0x000002AC59F60000-0x000002AC59F6E000-memory.dmp

Filesize
56KB

Download
memory/3300-76-0x000002AC59BB0000-0x000002AC59C6A000-memory.dmp

Filesize
744KB

Download
memory/3300-93-0x000002AC59510000-0x000002AC5954C000-memory.dmp

Filesize
240KB

Download
memory/3496-68-0x000000002A210000-0x000000002A23F000-memory.dmp

Filesize
188KB

Download
memory/4040-130-0x000000002A6C0000-0x000000002A70D000-memory.dmp

Filesize
308KB

Download
memory/4040-131-0x000000002C2E0000-0x000000002C49C000-memory.dmp

Filesize
1.7MB

Download
memory/4040-134-0x000000002C2E0000-0x000000002C49C000-memory.dmp

Filesize
1.7MB

Download
memory/4040-133-0x000000002C2E0000-0x000000002C49C000-memory.dmp

Filesize
1.7MB

Download
memory/4040-135-0x000000002C2E0000-0x000000002C49C000-memory.dmp

Filesize
1.7MB

Download
memory/4424-22-0x00000269E1620000-0x00000269E1642000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads