Malware Analysis Report

2024-12-07 13:44

Sample ID: 241116-qwd4csxenf
Target: e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323.msi.vir
SHA256: e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323
Tags: discovery execution persistence privilege_escalation gh0strat purplefox rat rootkit trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323

Threat Level: Known bad

The file e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323.msi.vir was found to be: Known bad.

Malicious Activity Summary

Tags: discovery execution persistence privilege_escalation gh0strat purplefox rat rootkit trojan

Gh0strat
PurpleFox
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat family
Purplefox family
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Event Triggered Execution: Installer Packages
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-16 13:36

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-16 13:36
Reported: 2024-11-16 13:39
Platform: win7-20240903-en
Max time kernel: 121s
Max time network: 123s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323.msi

Signatures

Command and Scripting Interpreter: PowerShell

Tactic: execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\UpgradeValiantSupervisor\VAEeuoHuQuOLljROMdYRVrWysOrkCm | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A
File created | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
File created | C:\Program Files\UpgradeValiantSupervisor\FRHCPRDSCKpKTwMdXJauvGnbrrBSLW | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files\UpgradeValiantSupervisor\MOELauncherSetup_V0TKW.exe | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Program Files\UpgradeValiantSupervisor\jJdRJSuAKBvtXRTgfinkngKoulBasD | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A
File created | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | C:\Windows\system32\MsiExec.exe | N/A
File created | C:\Program Files\UpgradeValiantSupervisor\jJdRJSuAKBvtXRTgfinkngKoulBasD | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A
File opened for modification | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A
File created | C:\Program Files\UpgradeValiantSupervisor\VAEeuoHuQuOLljROMdYRVrWysOrkCm | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A
File opened for modification | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A
File opened for modification | C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A
File created | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A
File created | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | C:\Windows\system32\MsiExec.exe | N/A
File created | C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A
File opened for modification | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A
File created | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A
File created | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\Installer\f770139.msi | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\f770139.msi | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\f77013a.ipi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\MSI213.tmp | C:\Windows\system32\msiexec.exe | N/A
File created | C:\Windows\Installer\f77013c.msi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\Installer\f77013a.ipi | C:\Windows\system32\msiexec.exe | N/A
File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A
File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A

Event Triggered Execution: Installer Packages

Tactics: persistence privilege_escalation
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A

System Location Discovery: System Language Discovery

Tactic: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A

System Network Configuration Discovery: Internet Connection Discovery

Tactic: discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\cmd.exe | N/A
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Modifies data under HKEY_USERS

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b08a919c2c38db01 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\Version = "84410373" | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F40D3C9F0B2AFBA4AAD1FA0B9B8BA863 | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\DFF86025C7A5F5543BC7555DD9EB9568 | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568 | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F40D3C9F0B2AFBA4AAD1FA0B9B8BA863\DFF86025C7A5F5543BC7555DD9EB9568 | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\SourceList | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\SourceList\PackageName = "e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323.msi" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\DFF86025C7A5F5543BC7555DD9EB9568\ProductFeature | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\ProductName = "UpgradeValiantSupervisor" | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\PackageCode = "034EDA160E21BFF4487E3C8D30FD36D5" | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A

Runs ping.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\PING.EXE | N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A
N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A
Token: 35 | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A
Token: 35 | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A
N/A | N/A | C:\Windows\system32\msiexec.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2408 wrote to memory of 2900 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\MsiExec.exe
PID 2408 wrote to memory of 2900 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\MsiExec.exe
PID 2408 wrote to memory of 2900 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\MsiExec.exe
PID 2408 wrote to memory of 2900 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\MsiExec.exe
PID 2408 wrote to memory of 2900 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\MsiExec.exe
PID 2900 wrote to memory of 1188 | N/A | C:\Windows\system32\MsiExec.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 1188 | N/A | C:\Windows\system32\MsiExec.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 1188 | N/A | C:\Windows\system32\MsiExec.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2900 wrote to memory of 1548 | N/A | C:\Windows\system32\MsiExec.exe | C:\Windows\System32\cmd.exe
PID 2900 wrote to memory of 1548 | N/A | C:\Windows\system32\MsiExec.exe | C:\Windows\System32\cmd.exe
PID 2900 wrote to memory of 1548 | N/A | C:\Windows\system32\MsiExec.exe | C:\Windows\System32\cmd.exe
PID 1548 wrote to memory of 2044 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe
PID 1548 wrote to memory of 2044 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe
PID 1548 wrote to memory of 2044 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe
PID 1548 wrote to memory of 2044 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe
PID 1548 wrote to memory of 1244 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1548 wrote to memory of 1244 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1548 wrote to memory of 1244 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\PING.EXE
PID 1548 wrote to memory of 592 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe
PID 1548 wrote to memory of 592 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe
PID 1548 wrote to memory of 592 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe
PID 1548 wrote to memory of 592 | N/A | C:\Windows\System32\cmd.exe | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe
PID 2900 wrote to memory of 2960 | N/A | C:\Windows\system32\MsiExec.exe | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
PID 2900 wrote to memory of 2960 | N/A | C:\Windows\system32\MsiExec.exe | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
PID 2900 wrote to memory of 2960 | N/A | C:\Windows\system32\MsiExec.exe | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
PID 2900 wrote to memory of 2960 | N/A | C:\Windows\system32\MsiExec.exe | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
PID 2900 wrote to memory of 2404 | N/A | C:\Windows\system32\MsiExec.exe | C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe
PID 2900 wrote to memory of 2404 | N/A | C:\Windows\system32\MsiExec.exe | C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe
PID 2900 wrote to memory of 2404 | N/A | C:\Windows\system32\MsiExec.exe | C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe
PID 2404 wrote to memory of 2508 | N/A | C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe | C:\Windows\system32\WerFault.exe
PID 2404 wrote to memory of 2508 | N/A | C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe | C:\Windows\system32\WerFault.exe
PID 2404 wrote to memory of 2508 | N/A | C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe | C:\Windows\system32\WerFault.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002C4" "0000000000000594"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 15D0C9DC1847F322A412425671DC0E89 M Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\UpgradeValiantSupervisor','C:\Program Files','C:\Program Files'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\FRHCPRDSCKpKTwMdXJauvGnbrrBSLW" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"44087mU[5d*Fa.9tO{bb" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\jJdRJSuAKBvtXRTgfinkngKoulBasD" -x!1_ZhObbZwOavDN.exe -x!sss -x!1_YeIgTCQVJGErbtEGGiDlTxgCffkbDZ.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\UpgradeValiantSupervisor\" -p"04434k+1^Z$HJ^mp6+xz" -y

C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe

"C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\FRHCPRDSCKpKTwMdXJauvGnbrrBSLW" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"44087mU[5d*Fa.9tO{bb" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe

"C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\jJdRJSuAKBvtXRTgfinkngKoulBasD" -x!1_ZhObbZwOavDN.exe -x!sss -x!1_YeIgTCQVJGErbtEGGiDlTxgCffkbDZ.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\UpgradeValiantSupervisor\" -p"04434k+1^Z$HJ^mp6+xz" -y

C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe

"C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 110 -file file3 -mode mode3

C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe

"C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2404 -s 632

Network

Country Destination Domain Proto
US 8.8.8.8:53 im.qq.com udp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-16 13:36

Reported

2024-11-16 13:39

Platform

win10v2004-20241007-en

Max time kernel

5s

Max time network

152s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323.msi

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\System32\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 4EB3F3AEE0CC0ADB270B0B124E2FE9CA E Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\UpgradeValiantSupervisor','C:\Program Files','C:\Program Files'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\FRHCPRDSCKpKTwMdXJauvGnbrrBSLW" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"44087mU[5d*Fa.9tO{bb" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\jJdRJSuAKBvtXRTgfinkngKoulBasD" -x!1_ZhObbZwOavDN.exe -x!sss -x!1_YeIgTCQVJGErbtEGGiDlTxgCffkbDZ.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\UpgradeValiantSupervisor\" -p"04434k+1^Z$HJ^mp6+xz" -y

C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe

"C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\FRHCPRDSCKpKTwMdXJauvGnbrrBSLW" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"44087mU[5d*Fa.9tO{bb" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe

"C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\jJdRJSuAKBvtXRTgfinkngKoulBasD" -x!1_ZhObbZwOavDN.exe -x!sss -x!1_YeIgTCQVJGErbtEGGiDlTxgCffkbDZ.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\UpgradeValiantSupervisor\" -p"04434k+1^Z$HJ^mp6+xz" -y

C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe

"C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 110 -file file3 -mode mode3

C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe

"C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs"

C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe

"C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe" install

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe

"C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe" start

C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe

"C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe"

C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe

"C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 201 -file file3 -mode mode3

C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe

"C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 62 -file file3 -mode mode3

Network

Files
