Analysis Overview
SHA256
e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323
Threat Level: Known bad
The file e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323.msi.vir was found to be: Known bad.
Malicious Activity Summary
Gh0strat
PurpleFox
Detect PurpleFox Rootkit
Gh0st RAT payload
Gh0strat family
Purplefox family
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Drops file in System32 directory
Drops file in Program Files directory
Drops file in Windows directory
Executes dropped EXE
System Location Discovery: System Language Discovery
System Network Configuration Discovery: Internet Connection Discovery
Event Triggered Execution: Installer Packages
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Modifies registry class
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Runs ping.exe
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-16 13:36
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-16 13:36
Reported
2024-11-16 13:39
Platform
win7-20240903-en
Max time kernel
121s
Max time network
123s
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\VAEeuoHuQuOLljROMdYRVrWysOrkCm | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\FRHCPRDSCKpKTwMdXJauvGnbrrBSLW | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\MOELauncherSetup_V0TKW.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\jJdRJSuAKBvtXRTgfinkngKoulBasD | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | C:\Windows\system32\MsiExec.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\jJdRJSuAKBvtXRTgfinkngKoulBasD | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\VAEeuoHuQuOLljROMdYRVrWysOrkCm | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | C:\Windows\system32\MsiExec.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| File opened for modification | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| File created | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\f770139.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f770139.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f77013a.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI213.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f77013c.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f77013a.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe | N/A |
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = b08a919c2c38db01 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\Version = "84410373" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F40D3C9F0B2AFBA4AAD1FA0B9B8BA863 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\DFF86025C7A5F5543BC7555DD9EB9568 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F40D3C9F0B2AFBA4AAD1FA0B9B8BA863\DFF86025C7A5F5543BC7555DD9EB9568 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\SourceList\PackageName = "e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\DFF86025C7A5F5543BC7555DD9EB9568\ProductFeature | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\ProductName = "UpgradeValiantSupervisor" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\PackageCode = "034EDA160E21BFF4487E3C8D30FD36D5" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\DFF86025C7A5F5543BC7555DD9EB9568\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
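The key names in the table above (Installer\Products\DFF86025…, Installer\UpgradeCodes\F40D3C9F…, the PackageCode value) are Windows Installer "compressed" GUIDs, and the Version value is the packed ProductVersion. The Python below is an added example, not part of the sandbox report: it recovers the ProductCode, UpgradeCode and PackageCode in their normal braced form so they can be pivoted on in other reports, uninstall registry data or Win32_Product output, and unpacks the version. The key names and the DWORD are copied from the table; the decoding rules (first three GUID fields reversed, remaining sixteen hex digits swapped pairwise; version stored as major<<24 | minor<<16 | build) are the documented Installer registry format and are assumed here rather than stated by the report.

```python
r"""Decode the Windows Installer registry artefacts listed under 'Modifies registry class'.

Added example, not part of the sandbox report. Assumed facts: Windows Installer
names keys under HKLM\SOFTWARE\Classes\Installer\{Products,UpgradeCodes,Features}
with a 'compressed' GUID (first three fields reversed, the remaining sixteen hex
digits swapped pairwise) and stores ProductVersion in 'Version' packed as
major<<24 | minor<<16 | build. The key names and values below are copied from
the report's table.
"""
import re

PRODUCT_KEY = "DFF86025C7A5F5543BC7555DD9EB9568"   # Installer\Products\<key>
UPGRADE_KEY = "F40D3C9F0B2AFBA4AAD1FA0B9B8BA863"   # Installer\UpgradeCodes\<key>
PACKAGE_CODE = "034EDA160E21BFF4487E3C8D30FD36D5"  # Products\<key>\PackageCode
VERSION_DWORD = 84410373                           # Products\<key>\Version


def _swap_pairs(hexdigits: str) -> str:
    """Reverse every hex pair: 'ABCD' -> 'BADC' (how the last two GUID fields are stored)."""
    return "".join(hexdigits[i + 1] + hexdigits[i] for i in range(0, len(hexdigits), 2))


def decompress_guid(packed: str) -> str:
    """Turn a 32-hex-digit Installer 'compressed GUID' into {XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX}."""
    packed = packed.strip().upper()
    if not re.fullmatch(r"[0-9A-F]{32}", packed):
        raise ValueError(f"not a 32-hex-digit compressed GUID: {packed!r}")
    # Fields 1-3 are stored reversed as whole strings.
    fields = [packed[0:8][::-1], packed[8:12][::-1], packed[12:16][::-1]]
    # Fields 4-5 are stored byte-swapped, i.e. each hex pair reversed.
    tail = _swap_pairs(packed[16:32])
    fields += [tail[0:4], tail[4:16]]
    return "{" + "-".join(fields) + "}"


def compress_guid(guid: str) -> str:
    """Inverse of decompress_guid: from a ProductCode to the registry key name it lives under."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", guid).upper()
    if len(hexdigits) != 32:
        raise ValueError(f"not a GUID: {guid!r}")
    head = hexdigits[0:8][::-1] + hexdigits[8:12][::-1] + hexdigits[12:16][::-1]
    return head + _swap_pairs(hexdigits[16:32])


def decode_msi_version(dword: int) -> str:
    """Unpack the Installer 'Version' DWORD into major.minor.build."""
    return f"{(dword >> 24) & 0xFF}.{(dword >> 16) & 0xFF}.{dword & 0xFFFF}"


def decode_product(product_key: str = PRODUCT_KEY, upgrade_key: str = UPGRADE_KEY,
                   package_code: str = PACKAGE_CODE, version: int = VERSION_DWORD) -> dict:
    """Resolve the report's registry artefacts into the identifiers an analyst pivots on."""
    return {
        "ProductCode": decompress_guid(product_key),
        "UpgradeCode": decompress_guid(upgrade_key),
        "PackageCode": decompress_guid(package_code),
        "ProductVersion": decode_msi_version(version),
    }


if __name__ == "__main__":
    for name, value in decode_product().items():
        print(f"{name:15} {value}")
```

The ProductCode is what appears as the key name under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and in `msiexec /x` removal, so decoding it is the quickest way to check other hosts for the same package without relying on the randomised "UpgradeValiantSupervisor" file names.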
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| N/A | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege; name not resolved by the sandbox) | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| Token: 35 (LUID 35 = SeCreateSymbolicLinkPrivilege; name not resolved by the sandbox) | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002C4" "0000000000000594"
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 15D0C9DC1847F322A412425671DC0E89 M Global\MSI0000
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\UpgradeValiantSupervisor','C:\Program Files','C:\Program Files'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\FRHCPRDSCKpKTwMdXJauvGnbrrBSLW" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"44087mU[5d*Fa.9tO{bb" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\jJdRJSuAKBvtXRTgfinkngKoulBasD" -x!1_ZhObbZwOavDN.exe -x!sss -x!1_YeIgTCQVJGErbtEGGiDlTxgCffkbDZ.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\UpgradeValiantSupervisor\" -p"04434k+1^Z$HJ^mp6+xz" -y
C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe
"C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\FRHCPRDSCKpKTwMdXJauvGnbrrBSLW" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"44087mU[5d*Fa.9tO{bb" -y
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 2
C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe
"C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\jJdRJSuAKBvtXRTgfinkngKoulBasD" -x!1_ZhObbZwOavDN.exe -x!sss -x!1_YeIgTCQVJGErbtEGGiDlTxgCffkbDZ.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\UpgradeValiantSupervisor\" -p"04434k+1^Z$HJ^mp6+xz" -y
C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
"C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 110 -file file3 -mode mode3
C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe
"C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2404 -s 632
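The process list above shows the whole chain in one place: msiexec installs the package from the user's Temp directory, the custom-action MsiExec.exe spawns PowerShell to add Defender exclusions for C:\Program Files, cmd.exe runs the dropped extractor against two password-protected archives with `ping 127.0.0.1 -n 2` as a delay between them, and the extracted executables then launch from the excluded directory. The Python below is an added example, not part of the report: it replays those command lines as constructed process-creation records and applies the checks a detection engineer would derive from this chain. Parent/child links and every PID except 2404 (the one passed to WerFault) are assumptions read off the report's ordering; the archive switches (`x "archive" -o"dir" -p"password" -y`, `-x!name`) are treated as 7-Zip-style syntax, which is an inference and not something the report states. Whether the Add-MpPreference call succeeded on the Windows 7 detonation host is not shown in the report; the rule keys on the attempt.

```python
"""Flag the installer-to-RAT chain in this report from process-creation telemetry.

Added example, not part of the sandbox report. The records below are constructed
from the report's Processes section. Assumptions: parent/child links and all PIDs
except 2404 are read off the report's ordering; the rule names and record fields
are this example's own; the extractor syntax is treated as 7-Zip-style.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    cmdline: str


DROP = r"C:\Program Files\UpgradeValiantSupervisor"
EXTRACTOR = DROP + r"\NExERxptCnfNovdPQUVKIftjqvLPvD.exe"
MSIEXEC = r"C:\Windows\system32\MsiExec.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# The two extractor invocations and the cmd.exe line that chains them, as in the report.
EXTRACT_1 = ('"' + EXTRACTOR + '" x "' + DROP + '\\FRHCPRDSCKpKTwMdXJauvGnbrrBSLW" -o"'
             + DROP + '\\" -p"44087mU[5d*Fa.9tO{bb" -y')
EXTRACT_2 = ('"' + EXTRACTOR + '" x "' + DROP + '\\jJdRJSuAKBvtXRTgfinkngKoulBasD" '
             '-x!1_ZhObbZwOavDN.exe -x!sss -x!1_YeIgTCQVJGErbtEGGiDlTxgCffkbDZ.exe -x!1_ -x!1_ -x!sa '
             '-o"' + DROP + '\\" -p"04434k+1^Z$HJ^mp6+xz" -y')
CMD_LINE = ('"' + CMD + '" /c start /min "" ' + EXTRACT_1 + ' & ping 127.0.0.1 -n 2 & start /min "" '
            + EXTRACT_2)

# Constructed process-creation records (time order assumed); PIDs other than 2404 are made up.
EVENTS = [
    ProcEvent(1000, r"C:\Windows\explorer.exe", r"C:\Windows\system32\msiexec.exe",
              r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323.msi"),
    ProcEvent(1020, r"C:\Windows\system32\msiexec.exe", MSIEXEC,
              MSIEXEC + r" -Embedding 15D0C9DC1847F322A412425671DC0E89 M Global\MSI0000"),
    ProcEvent(1188, MSIEXEC, PS, '"' + PS + "\" -Command Add-MpPreference -ExclusionPath "
              "'C:\\Program Files\\UpgradeValiantSupervisor','C:\\Program Files','C:\\Program Files'"),
    ProcEvent(1040, MSIEXEC, CMD, CMD_LINE),
    ProcEvent(1050, CMD, EXTRACTOR, EXTRACT_1),
    ProcEvent(1060, CMD, r"C:\Windows\system32\PING.EXE", "ping 127.0.0.1 -n 2"),
    ProcEvent(1070, CMD, EXTRACTOR, EXTRACT_2),
    ProcEvent(1080, MSIEXEC, DROP + r"\ZhObbZwOavDN.exe",
              '"' + DROP + r'\ZhObbZwOavDN.exe" -number 110 -file file3 -mode mode3'),
    ProcEvent(2404, MSIEXEC, DROP + r"\WhatsApp1.exe", '"' + DROP + r'\WhatsApp1.exe"'),
    ProcEvent(1090, r"C:\Windows\system32\svchost.exe", r"C:\Windows\system32\WerFault.exe",
              r"C:\Windows\system32\WerFault.exe -u -p 2404 -s 632"),
]

INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
RE_EXCLUSION = re.compile(r"Add-MpPreference\b.*?-ExclusionPath\s+(?P<paths>.+)$", re.I | re.S)
RE_EXTRACT = re.compile(r'\sx\s+"[^"]+"(?=.*\s-o"?\S)(?=.*\s-p"?\S)', re.S)   # x <archive> ... -o... -p...
RE_PASSWORD = re.compile(r'\s-p"?([^"\s]+)')
RE_PING_SLEEP = re.compile(r"ping(?:\.exe)?\s+(?:-n\s+\d+\s+)?(?:127\.0\.0\.1|localhost)(?:\s+-n\s+\d+)?", re.I)
RE_MSI_TEMP = re.compile(r"/i\s+\S*\\AppData\\Local\\Temp\\", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def exclusion_paths(cmdline: str) -> list:
    """Return the distinct directories an Add-MpPreference -ExclusionPath call tries to exclude."""
    m = RE_EXCLUSION.search(cmdline)
    if not m:
        return []
    out = []
    for raw in m.group("paths").split(","):
        path = raw.strip().strip("'\"").rstrip("\\")
        if path and path.lower() not in (p.lower() for p in out):
            out.append(path)
    return out


def analyze(events) -> list:
    """Apply the chain's detections in event order; returns one dict per (rule, process) hit."""
    findings = []
    excluded = []  # directories removed from Defender scanning so far, for the correlation rule
    for ev in events:
        img, parent = basename(ev.image), basename(ev.parent_image)
        if img == "msiexec.exe" and RE_MSI_TEMP.search(ev.cmdline):
            findings.append(dict(rule="msi_install_from_temp", pid=ev.pid, detail=ev.cmdline))
        if parent == "msiexec.exe" and img in INTERPRETERS:
            findings.append(dict(rule="msi_spawns_interpreter", pid=ev.pid, detail=img))
        paths = exclusion_paths(ev.cmdline)
        if paths:
            excluded.extend(paths)
            findings.append(dict(rule="defender_exclusion", pid=ev.pid, detail=paths))
        if RE_EXTRACT.search(ev.cmdline):
            findings.append(dict(rule="password_archive_extract", pid=ev.pid,
                                 detail=RE_PASSWORD.findall(ev.cmdline)))
        if img == "ping.exe" and RE_PING_SLEEP.search(ev.cmdline):
            findings.append(dict(rule="ping_sleep", pid=ev.pid, detail=ev.cmdline))
        # Correlation: anything launched from a directory excluded earlier in the stream.
        hit = next((d for d in excluded if ev.image.lower().startswith(d.lower() + "\\")), None)
        if hit:
            findings.append(dict(rule="exec_from_excluded_path", pid=ev.pid, detail=hit))
    return findings


if __name__ == "__main__":
    for f in analyze(EVENTS):
        print(f"pid {f['pid']:>5}  {f['rule']:<26} {f['detail']}")
```

Run as a script it prints the findings; the same predicates map onto Sysmon Event ID 1 or EDR process telemetry. The last rule needs state across events (the `excluded` list), which is the point: an exclusion request on its own is noisy in environments where admins script Defender, but an exclusion followed within minutes by unsigned executables launching from the excluded directory is the pattern this sample exhibits.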
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | im.qq.com | udp |
Files
memory/2900-12-0x0000000000200000-0x0000000000210000-memory.dmp
memory/1188-18-0x00000000022B0000-0x00000000022B8000-memory.dmp
memory/1188-17-0x000000001B4A0000-0x000000001B782000-memory.dmp
C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe
| MD5 | c31c4b04558396c6fabab64dcf366534 |
| SHA1 | fa836d92edc577d6a17ded47641ba1938589b09a |
| SHA256 | 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3 |
| SHA512 | 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99 |
C:\Program Files\UpgradeValiantSupervisor\FRHCPRDSCKpKTwMdXJauvGnbrrBSLW
| MD5 | 3833fb3821f72c1ed7afd41df3e485c5 |
| SHA1 | 5a2224f9c26e4d9e1e406ecc8a18c2dfb4400ba2 |
| SHA256 | d4dd1cf01cc90001906f73290d3e2ddbb3c29f3d6fba25b68e07498d8072fe7f |
| SHA512 | 8ec522441c166d4a04604a44b617f8848c6f203c8975702b242180dadc6a7bf5c8e1e0c6f4f742d29058baaeb499d0b64eca0fb90762b7f0224b9c19da7ed19a |
C:\Program Files\UpgradeValiantSupervisor\jJdRJSuAKBvtXRTgfinkngKoulBasD
| MD5 | 7dae674c54e91c0389acc2bba94104fa |
| SHA1 | 3104b569de1d4086bc9a691e0c99399920ee6475 |
| SHA256 | 605d7822ebc5196145cd4a01510b85dcac29fdfff6c48cab892f3dd10c749a9b |
| SHA512 | 6e896a29b736c09fbe7abe6e21653f4c9f2e6c26ee4790d371b45935bc075ee865534b9dabf78c2fb2432de2ae6087d4277cf6297fd0eb6e1474ff6d92a0616f |
C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe
| MD5 | 124b1390f39511fa043e99578d4fad57 |
| SHA1 | 9f2e13afe318878167328104b6710ad53f1f168b |
| SHA256 | f65559e20b9473aa23450850ac2a0a6d6045a8987236db6ff9b2b3e448e569e9 |
| SHA512 | eb0d19da7f3e775ca6e36f0c51f7a83116a16b6096dd0c5e42ef23a4cdcf2cea805e928092c2adc6c78138455b2b2fb7f62dfe287ead2fb3ee7dd0e86f16c9ac |
C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe
| MD5 | f90ddf18d65bb3153bcdfdc4856ce2a5 |
| SHA1 | 611376391f17207d60ca8c2ec81354933f8dac45 |
| SHA256 | 62eef5a5e363624007bc29a6ecd3275aec2e5a67eef058df404d145c90e3a0ce |
| SHA512 | f3f20f216ab6fd055f8d494f2758512413cb1cf121a2b51cae4e7b371a595b4dfe8ed4213aa759ccc4569ad6ed792f936304bfb4aac2952a79a3b2bccd293316 |
C:\Config.Msi\f77013b.rbs
| MD5 | a5dda40cac4aec2b9eb1d60f1d121b70 |
| SHA1 | e54d7bba93efc5dcf1eb007309f30a1af4319e4a |
| SHA256 | 4580d3b5ce1e75d568ab8b5607fba49a4323e68665db4711d0a6be145a7a3148 |
| SHA512 | a977474d01cb256e90dd15baf22ce99fde3fa67ee318543774c7e84f5a6a21d6a7cc5a36b37a2e2fd5e0154aa38499c32e983424736ee6185b51cc301bf05318 |
C:\Windows\Installer\f770139.msi
| MD5 | 1eb0c7fbfca2f95b76189279eadb9228 |
| SHA1 | ef89821dff0b19fb6bac92808f0e42fdd88eb7c7 |
| SHA256 | e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323 |
| SHA512 | d22f351cbaa2ac225ff9c472c0404098a332bc4de1ca29465d5e6189e3420b2107e7cf6c087dcde0bf05a39668f751484a72386e7055e63be6ba355fea3e4e7e |
memory/2404-58-0x0000000000A00000-0x0000000000B02000-memory.dmp
memory/2960-59-0x00000000003D0000-0x00000000003FF000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-16 13:36
Reported
2024-11-16 13:39
Platform
win10v2004-20241007-en
Max time kernel
5s
Max time network
152s
Command Line
Signatures
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
PurpleFox
Purplefox family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 4EB3F3AEE0CC0ADB270B0B124E2FE9CA E Global\MSI0000
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\UpgradeValiantSupervisor','C:\Program Files','C:\Program Files'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\FRHCPRDSCKpKTwMdXJauvGnbrrBSLW" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"44087mU[5d*Fa.9tO{bb" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\jJdRJSuAKBvtXRTgfinkngKoulBasD" -x!1_ZhObbZwOavDN.exe -x!sss -x!1_YeIgTCQVJGErbtEGGiDlTxgCffkbDZ.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\UpgradeValiantSupervisor\" -p"04434k+1^Z$HJ^mp6+xz" -y
C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe
"C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\FRHCPRDSCKpKTwMdXJauvGnbrrBSLW" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"44087mU[5d*Fa.9tO{bb" -y
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 2
C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe
"C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe" x "C:\Program Files\UpgradeValiantSupervisor\jJdRJSuAKBvtXRTgfinkngKoulBasD" -x!1_ZhObbZwOavDN.exe -x!sss -x!1_YeIgTCQVJGErbtEGGiDlTxgCffkbDZ.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\UpgradeValiantSupervisor\" -p"04434k+1^Z$HJ^mp6+xz" -y
C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
"C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 110 -file file3 -mode mode3
C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe
"C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe"
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs"
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe
"C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe" install
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe
"C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe" start
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe
"C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe"
C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
"C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 201 -file file3 -mode mode3
C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
"C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 62 -file file3 -mode mode3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | im.qq.com | udp |
| US | 8.8.8.8:53 | dsfgdg5641rfe.icu | udp |
| HK | 38.47.221.100:80 | dsfgdg5641rfe.icu | tcp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.221.47.38.in-addr.arpa | udp |
| HK | 118.107.29.131:13000 | | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.29.107.118.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fgh523fg4juty.cyou | udp |
| HK | 38.47.218.35:18999 | fgh523fg4juty.cyou | tcp |
| US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.218.47.38.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kaygpyy4.jhp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4424-22-0x00000269E1620000-0x00000269E1642000-memory.dmp
C:\Program Files\UpgradeValiantSupervisor\NExERxptCnfNovdPQUVKIftjqvLPvD.exe
| MD5 | c31c4b04558396c6fabab64dcf366534 |
| SHA1 | fa836d92edc577d6a17ded47641ba1938589b09a |
| SHA256 | 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3 |
| SHA512 | 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99 |
C:\Program Files\UpgradeValiantSupervisor\FRHCPRDSCKpKTwMdXJauvGnbrrBSLW
| MD5 | 3833fb3821f72c1ed7afd41df3e485c5 |
| SHA1 | 5a2224f9c26e4d9e1e406ecc8a18c2dfb4400ba2 |
| SHA256 | d4dd1cf01cc90001906f73290d3e2ddbb3c29f3d6fba25b68e07498d8072fe7f |
| SHA512 | 8ec522441c166d4a04604a44b617f8848c6f203c8975702b242180dadc6a7bf5c8e1e0c6f4f742d29058baaeb499d0b64eca0fb90762b7f0224b9c19da7ed19a |
C:\Program Files\UpgradeValiantSupervisor\jJdRJSuAKBvtXRTgfinkngKoulBasD
| MD5 | 7dae674c54e91c0389acc2bba94104fa |
| SHA1 | 3104b569de1d4086bc9a691e0c99399920ee6475 |
| SHA256 | 605d7822ebc5196145cd4a01510b85dcac29fdfff6c48cab892f3dd10c749a9b |
| SHA512 | 6e896a29b736c09fbe7abe6e21653f4c9f2e6c26ee4790d371b45935bc075ee865534b9dabf78c2fb2432de2ae6087d4277cf6297fd0eb6e1474ff6d92a0616f |
C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
| MD5 | 124b1390f39511fa043e99578d4fad57 |
| SHA1 | 9f2e13afe318878167328104b6710ad53f1f168b |
| SHA256 | f65559e20b9473aa23450850ac2a0a6d6045a8987236db6ff9b2b3e448e569e9 |
| SHA512 | eb0d19da7f3e775ca6e36f0c51f7a83116a16b6096dd0c5e42ef23a4cdcf2cea805e928092c2adc6c78138455b2b2fb7f62dfe287ead2fb3ee7dd0e86f16c9ac |
C:\Program Files\UpgradeValiantSupervisor\WhatsApp1.exe
| MD5 | f90ddf18d65bb3153bcdfdc4856ce2a5 |
| SHA1 | 611376391f17207d60ca8c2ec81354933f8dac45 |
| SHA256 | 62eef5a5e363624007bc29a6ecd3275aec2e5a67eef058df404d145c90e3a0ce |
| SHA512 | f3f20f216ab6fd055f8d494f2758512413cb1cf121a2b51cae4e7b371a595b4dfe8ed4213aa759ccc4569ad6ed792f936304bfb4aac2952a79a3b2bccd293316 |
memory/3300-54-0x000002AC3DD90000-0x000002AC3DE92000-memory.dmp
C:\Windows\Installer\e57f117.msi
| MD5 | 1eb0c7fbfca2f95b76189279eadb9228 |
| SHA1 | ef89821dff0b19fb6bac92808f0e42fdd88eb7c7 |
| SHA256 | e1fb8b47f237c56c9409de2cd1e04c49a0da76f1b2f62341d97394463f96d323 |
| SHA512 | d22f351cbaa2ac225ff9c472c0404098a332bc4de1ca29465d5e6189e3420b2107e7cf6c087dcde0bf05a39668f751484a72386e7055e63be6ba355fea3e4e7e |
C:\Config.Msi\e57f118.rbs
| MD5 | c01bde10715281a1731bb3ee6ef3de6a |
| SHA1 | 13bf9b0de18d2dd33b821c08aa30b7eca0fcf06e |
| SHA256 | c11916efd9888110f9ce1b8d12af440c691a0e3c0f3392d1ff968bbe04d3eff9 |
| SHA512 | 55912f5504c8edca51a2177aad2eecdeebccd94ae28a84b53bb6ae8a00bffdf42c2a790341e86f0a04684b0bdd6f68c6bec0571575136e20375f60407c8a3f4b |
memory/3496-68-0x000000002A210000-0x000000002A23F000-memory.dmp
memory/3300-70-0x000002AC3FD00000-0x000002AC3FD0A000-memory.dmp
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe
| MD5 | d305d506c0095df8af223ac7d91ca327 |
| SHA1 | 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a |
| SHA256 | 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66 |
| SHA512 | 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796 |
C:\Program Files\UpgradeValiantSupervisor\MOELauncherSetup_V0TKW.exe
| MD5 | f0b4afeb9a9582a84c04d33b4f9c93e5 |
| SHA1 | 0b9229e8e3879fc4d1310ba493280894cac1f259 |
| SHA256 | d71c5c27f6e68be09e40921321a2c6d3b95f65787c33dcc2d66e6939a798a3c9 |
| SHA512 | d4c3593590a5574bbfc1270d3aca3b419ea5126735206b5e2104e42fda961844ba90073ebacd917b9b0152c103670d1a64b88c76b03b358feae73794418abe51 |
C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs
| MD5 | 31cb7c228337b05b262877c9d1d31f40 |
| SHA1 | c67ef4beb96061c1bdf53334e125dde65d079e2a |
| SHA256 | f3acc593d2324d95131363105f89f5e97a0d251a997eab95486b8f0ffe76baee |
| SHA512 | fda05de734d8dadd6250687bdd9e74a1ee833f860ddb296faac2e7c1251cd2a346e31e68590d6694ab504982815482b888b9328ab5248a431d6ae9df30997be8 |
memory/3300-76-0x000002AC59BB0000-0x000002AC59C6A000-memory.dmp
memory/1904-77-0x0000000000530000-0x0000000000606000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Tmp1141.tmp
| MD5 | a10f31fa140f2608ff150125f3687920 |
| SHA1 | ec411cc7005aaa8e3775cf105fcd4e1239f8ed4b |
| SHA256 | 28c871238311d40287c51dc09aee6510cac5306329981777071600b1112286c6 |
| SHA512 | cf915fb34cd5ecfbd6b25171d6e0d3d09af2597edf29f9f24fa474685d4c5ec9bc742ade9f29abac457dd645ee955b1914a635c90af77c519d2ada895e7ecf12 |
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml
| MD5 | 3f54f113618979895a594867928e7a97 |
| SHA1 | 37a21073b03c367d0c067761c814c23b15e44bd6 |
| SHA256 | d35e118f96d6b43194147d2e4e3d41fd73c81d83ba60d6070215547dd4b228ae |
| SHA512 | 664b6cc1ea0d02cf16a127bef3f5f61eedcdab60553c72d1f49058736f852184419ac28c9fc720d7e50312f9b439a90b5c246e98c313d5a9ec932dba5c0bfb8b |
memory/3300-93-0x000002AC59510000-0x000002AC5954C000-memory.dmp
memory/3300-92-0x000002AC594B0000-0x000002AC594C2000-memory.dmp
memory/3300-97-0x000002AC59F30000-0x000002AC59F38000-memory.dmp
memory/3300-99-0x000002AC59F60000-0x000002AC59F6E000-memory.dmp
memory/3300-98-0x000002AC5C690000-0x000002AC5C6C8000-memory.dmp
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | c5a17d5f0cac4ecfae0aa0daab3f672f |
| SHA1 | 1658ac7a8f2220cb639d8e80116a4fcb9fab2fa2 |
| SHA256 | 9afd0449c372075470b16f98ccf888cbcd446c81c5c4b63136a9ff88f5981025 |
| SHA512 | 4be00026665cc9607dc8c3b31e91cffe4a4f8b35516c2f3ed244e8b1054e5eb9138ed6dc4cea128126d576ec3a0f533d3242338b3caae079fad981eb349d3abe |
\??\Volume{f0eec59f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{6ed272e6-feb3-4a1f-b022-325f3ee5e0d4}_OnDiskSnapshotProp
| MD5 | 030c33729308c4774b24c9b8939b2cd0 |
| SHA1 | e9bb4bce771714f7e8a1149d853141e48c55dacd |
| SHA256 | b81505171aa7b78bdb4af5bcdcac0c06c61fe7e16dff97548348eb26db8c8cc9 |
| SHA512 | 684ac3bc35b532c16b0a93cfa0a0d08c68015918bf1715e576251fdbb21a5bf06a3bdf121341a28df3b0077da531e34c5fcb40ec252d1a83e5729133716dd4d7 |
memory/3300-106-0x000002AC5CA20000-0x000002AC5CA46000-memory.dmp
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QtrVrzdIjlZB.exe.log
| MD5 | 122cf3c4f3452a55a92edee78316e071 |
| SHA1 | f2caa36d483076c92d17224cf92e260516b3cbbf |
| SHA256 | 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0 |
| SHA512 | c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c |
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log
| MD5 | c9d4b9bac2f0dd4fdde0d584569a6e19 |
| SHA1 | ec3f7db5916ed216e70f54cd02ef637f3375ddcf |
| SHA256 | b4a0468756dd9cb04626c092938d0a95a798cf824bbb6b5f4b8925642a8dfc5f |
| SHA512 | 2f196329d353b3af762831db9cb65baa87cd31fa355f9b25c4b7e05245780166300be4a9f556234c8ecfacb95f788c0be6a50fea6043350868062d786ddb3cf9 |
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log
| MD5 | de70b3b0802d080b12bce271710272be |
| SHA1 | c0ef78df98ad8dcc55882242a69641908949b608 |
| SHA256 | d058e7854ead100812f561f9ce62741cd553f79fab6bdedc77d7791ff0d0b6ce |
| SHA512 | 8a93a6a16172c3f691552a9ddad7eb93567399695c112ae0f183f98902c46f604937dd98d852600057ce558bbccb8c72b55e8f971cde5a85d9435db0efeff252 |
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log
| MD5 | d36cd9f7b53aa5e872c0b5066bdb0207 |
| SHA1 | 7538cdc707b11e87cfa9a773f5e014e9e2072cce |
| SHA256 | 4cc337fe7351cd04ce337e960b32defd137b53ab80967c3991a94e2421702806 |
| SHA512 | 09fc4b45b53deb499453dbb758daa40ca4db3c885195e46ba65d887e4bf484f122997014ca3aa43393ed3bba72ec9dd13b6c229997f0080b00127876f330da9f |
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log
| MD5 | 8168d3f2cc278a7b1989cb30b1db8fcc |
| SHA1 | 73723de99cd003e6fecbebe22b25c23688f6cd4e |
| SHA256 | d1803239cf1ae035277b41a52c5e3396c5de0faff1161d066c4c54ea2e9e227f |
| SHA512 | 5dcfc55c50c77b012c699bb490767a1433191937f665cc8ed52a77202f1ce13ef71b520e0a336f64d541fe668fa3bddd53c2a72348097c24ceb01cbc6bd5cb4e |
memory/4040-130-0x000000002A6C0000-0x000000002A70D000-memory.dmp
memory/4040-131-0x000000002C2E0000-0x000000002C49C000-memory.dmp
memory/4040-134-0x000000002C2E0000-0x000000002C49C000-memory.dmp
memory/4040-133-0x000000002C2E0000-0x000000002C49C000-memory.dmp
memory/4040-135-0x000000002C2E0000-0x000000002C49C000-memory.dmp