Analysis
- max time kernel: 150s
- max time network: 160s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-11-2024 06:03
Static task: static1
Behavioral task: behavioral1
- Sample: kugou_yinyue-X64.msi
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: kugou_yinyue-X64.msi
- Resource: win10v2004-20241007-en
General
- Target: kugou_yinyue-X64.msi
- Size: 115.7MB
- MD5: 8264ac335dd2c9b6f3c22826833eef9a
- SHA1: 6b45e44fb10381e96e5cba2004bfbc08a3eec3cd
- SHA256: 4defef20d0c620fcc1743147f44a244fa7c61b484a5ca5cfb8f60e99e970a7a2
- SHA512: 1a65be0f908edabe532232193cab034921065ff4fb898637b1c82a17d29874335758c93f779b7666384c0d6e6fe4eb46b5a6882986d6b742dd1a8be0e1df2fbb
- SSDEEP: 3145728:rydOHVo966Gx85U9YwMWYA2/8JZVtG37GDOUaDZjfFSfho:0H1GxkcBrYt/8J8SarDZ7FSfu
Malware Config
Signatures
resource / yara_rule:
- behavioral2/memory/2224-251-0x000000002BCF0000-0x000000002BEAD000-memory.dmp purplefox_rootkit
- behavioral2/memory/2224-253-0x000000002BCF0000-0x000000002BEAD000-memory.dmp purplefox_rootkit
- behavioral2/memory/2224-254-0x000000002BCF0000-0x000000002BEAD000-memory.dmp purplefox_rootkit
- behavioral2/memory/2224-255-0x000000002BCF0000-0x000000002BEAD000-memory.dmp purplefox_rootkit
Gh0st RAT payload 4 IoCs
resource / yara_rule:
- behavioral2/memory/2224-251-0x000000002BCF0000-0x000000002BEAD000-memory.dmp family_gh0strat
- behavioral2/memory/2224-253-0x000000002BCF0000-0x000000002BEAD000-memory.dmp family_gh0strat
- behavioral2/memory/2224-254-0x000000002BCF0000-0x000000002BEAD000-memory.dmp family_gh0strat
- behavioral2/memory/2224-255-0x000000002BCF0000-0x000000002BEAD000-memory.dmp family_gh0strat
Gh0strat family
Purplefox family
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid / Process:
- 5044 powershell.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / Process:
- File opened (read-only) \??\J: YbAWjEbpulWw.exe
- File opened (read-only) \??\W: msiexec.exe
- File opened (read-only) \??\X: msiexec.exe
- File opened (read-only) \??\U: msiexec.exe
- File opened (read-only) \??\E: msiexec.exe
- File opened (read-only) \??\K: YbAWjEbpulWw.exe
- File opened (read-only) \??\G: msiexec.exe
- File opened (read-only) \??\M: msiexec.exe
- File opened (read-only) \??\U: msiexec.exe
- File opened (read-only) \??\M: YbAWjEbpulWw.exe
- File opened (read-only) \??\N: YbAWjEbpulWw.exe
- File opened (read-only) \??\G: msiexec.exe
- File opened (read-only) \??\I: msiexec.exe
- File opened (read-only) \??\R: msiexec.exe
- File opened (read-only) \??\Z: msiexec.exe
- File opened (read-only) \??\Q: YbAWjEbpulWw.exe
- File opened (read-only) \??\T: YbAWjEbpulWw.exe
- File opened (read-only) \??\K: msiexec.exe
- File opened (read-only) \??\T: msiexec.exe
- File opened (read-only) \??\W: msiexec.exe
- File opened (read-only) \??\B: msiexec.exe
- File opened (read-only) \??\A: msiexec.exe
- File opened (read-only) \??\Y: YbAWjEbpulWw.exe
- File opened (read-only) \??\P: msiexec.exe
- File opened (read-only) \??\V: msiexec.exe
- File opened (read-only) \??\X: YbAWjEbpulWw.exe
- File opened (read-only) \??\A: msiexec.exe
- File opened (read-only) \??\S: msiexec.exe
- File opened (read-only) \??\E: YbAWjEbpulWw.exe
- File opened (read-only) \??\N: msiexec.exe
- File opened (read-only) \??\B: YbAWjEbpulWw.exe
- File opened (read-only) \??\L: msiexec.exe
- File opened (read-only) \??\Y: msiexec.exe
- File opened (read-only) \??\H: msiexec.exe
- File opened (read-only) \??\N: msiexec.exe
- File opened (read-only) \??\P: YbAWjEbpulWw.exe
- File opened (read-only) \??\R: YbAWjEbpulWw.exe
- File opened (read-only) \??\O: msiexec.exe
- File opened (read-only) \??\Y: msiexec.exe
- File opened (read-only) \??\H: YbAWjEbpulWw.exe
- File opened (read-only) \??\L: YbAWjEbpulWw.exe
- File opened (read-only) \??\H: msiexec.exe
- File opened (read-only) \??\R: msiexec.exe
- File opened (read-only) \??\Z: msiexec.exe
- File opened (read-only) \??\P: msiexec.exe
- File opened (read-only) \??\Q: msiexec.exe
- File opened (read-only) \??\S: msiexec.exe
- File opened (read-only) \??\M: msiexec.exe
- File opened (read-only) \??\O: YbAWjEbpulWw.exe
- File opened (read-only) \??\J: msiexec.exe
- File opened (read-only) \??\T: msiexec.exe
- File opened (read-only) \??\V: msiexec.exe
- File opened (read-only) \??\Z: YbAWjEbpulWw.exe
- File opened (read-only) \??\I: msiexec.exe
- File opened (read-only) \??\B: msiexec.exe
- File opened (read-only) \??\I: YbAWjEbpulWw.exe
- File opened (read-only) \??\W: YbAWjEbpulWw.exe
- File opened (read-only) \??\K: msiexec.exe
- File opened (read-only) \??\S: YbAWjEbpulWw.exe
- File opened (read-only) \??\U: YbAWjEbpulWw.exe
- File opened (read-only) \??\E: msiexec.exe
- File opened (read-only) \??\Q: msiexec.exe
- File opened (read-only) \??\X: msiexec.exe
- File opened (read-only) \??\G: YbAWjEbpulWw.exe
Drops file in System32 directory 1 IoCs
description / ioc / Process:
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\yINMOeuVvrtK.exe.log yINMOeuVvrtK.exe
Drops file in Program Files directory 17 IoCs
description / ioc / Process:
- File opened for modification C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe UsfWMVCzYNmv.exe
- File created C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.vbs YbAWjEbpulWw.exe
- File opened for modification C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe UsfWMVCzYNmv.exe
- File opened for modification C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.wrapper.log yINMOeuVvrtK.exe
- File opened for modification C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.wrapper.log yINMOeuVvrtK.exe
- File created C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.xml UsfWMVCzYNmv.exe
- File opened for modification C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.xml UsfWMVCzYNmv.exe
- File created C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe UsfWMVCzYNmv.exe
- File created C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe UsfWMVCzYNmv.exe
- File opened for modification C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.wrapper.log yINMOeuVvrtK.exe
- File created C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe msiexec.exe
- File created C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw UsfWMVCzYNmv.exe
- File created C:\Program Files\DeployDeterminedRetailer\valibclang2d.dll msiexec.exe
- File opened for modification C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw UsfWMVCzYNmv.exe
- File opened for modification C:\Program Files\DeployDeterminedRetailer YbAWjEbpulWw.exe
- File created C:\Program Files\DeployDeterminedRetailer\kugou11131.exe msiexec.exe
- File created C:\Program Files\DeployDeterminedRetailer\QnEAZeOBmPdAEfzPaPmE msiexec.exe
Drops file in Windows directory 8 IoCs
description / ioc / Process:
- File opened for modification C:\Windows\Installer\e583f46.msi msiexec.exe
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
- File opened for modification C:\Windows\Installer\ msiexec.exe
- File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
- File created C:\Windows\Installer\SourceHash{800F15D9-CFD7-460A-83A0-E92BF852D3C2} msiexec.exe
- File opened for modification C:\Windows\Installer\MSI439C.tmp msiexec.exe
- File created C:\Windows\Installer\e583f48.msi msiexec.exe
- File created C:\Windows\Installer\e583f46.msi msiexec.exe
Executes dropped EXE 8 IoCs
pid / Process:
- 4748 UsfWMVCzYNmv.exe
- 5060 YbAWjEbpulWw.exe
- 2068 kugou11131.exe
- 912 yINMOeuVvrtK.exe
- 908 yINMOeuVvrtK.exe
- 716 yINMOeuVvrtK.exe
- 548 YbAWjEbpulWw.exe
- 2224 YbAWjEbpulWw.exe
Loads dropped DLL 4 IoCs
pid / Process:
- 2068 kugou11131.exe
- 2068 kugou11131.exe
- 2068 kugou11131.exe
- 2068 kugou11131.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid / Process:
- 4396 msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language UsfWMVCzYNmv.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language YbAWjEbpulWw.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language kugou11131.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language YbAWjEbpulWw.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language YbAWjEbpulWw.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
- Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not shown) vssvc.exe
- Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description / ioc / Process:
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 YbAWjEbpulWw.exe
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz YbAWjEbpulWw.exe
Modifies data under HKEY_USERS 56 IoCs
description / ioc / Process:
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" MsiExec.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" MsiExec.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host WScript.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft WScript.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WScript.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe
- Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E msiexec.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings WScript.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software WScript.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" MsiExec.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe
- Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 msiexec.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" MsiExec.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ MsiExec.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings MsiExec.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" MsiExec.exe
Modifies registry class 22 IoCs
description / ioc / Process:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\SourceList msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\SourceList\PackageName = "kugou_yinyue-X64.msi" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\SourceList\Net msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\SourceList\Media msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9B111F7821E44204F86D3FB2C9D25454\9D51F0087DFCA064380A9EB28F253D2C msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9D51F0087DFCA064380A9EB28F253D2C msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\PackageCode = "2B31C87B8EF03FF46879ADE5DD5B9979" msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\Assignment = "1" msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\AuthorizedLUAApp = "0" msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\DeploymentFlags = "3" msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\ProductName = "DeployDeterminedRetailer" msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\Language = "1033" msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\Version = "151388165" msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\InstanceType = "0" msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\SourceList\Media\1 = ";" msiexec.exe
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\Clients = 3a0000000000 msiexec.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9D51F0087DFCA064380A9EB28F253D2C\ProductFeature msiexec.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\AdvertiseFlags = "388" msiexec.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9B111F7821E44204F86D3FB2C9D25454 msiexec.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process (repeated entries collapsed with their count):
- 3972 msiexec.exe (2 entries)
- 5044 powershell.exe (3 entries)
- 5060 YbAWjEbpulWw.exe (59 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description / pid / Process:
- Token: SeShutdownPrivilege 4396 msiexec.exe
- Token: SeIncreaseQuotaPrivilege 4396 msiexec.exe
- Token: SeSecurityPrivilege 3972 msiexec.exe
- Token: SeCreateTokenPrivilege 4396 msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege 4396 msiexec.exe
- Token: SeLockMemoryPrivilege 4396 msiexec.exe
- Token: SeIncreaseQuotaPrivilege 4396 msiexec.exe
- Token: SeMachineAccountPrivilege 4396 msiexec.exe
- Token: SeTcbPrivilege 4396 msiexec.exe
- Token: SeSecurityPrivilege 4396 msiexec.exe
- Token: SeTakeOwnershipPrivilege 4396 msiexec.exe
- Token: SeLoadDriverPrivilege 4396 msiexec.exe
- Token: SeSystemProfilePrivilege 4396 msiexec.exe
- Token: SeSystemtimePrivilege 4396 msiexec.exe
- Token: SeProfSingleProcessPrivilege 4396 msiexec.exe
- Token: SeIncBasePriorityPrivilege 4396 msiexec.exe
- Token: SeCreatePagefilePrivilege 4396 msiexec.exe
- Token: SeCreatePermanentPrivilege 4396 msiexec.exe
- Token: SeBackupPrivilege 4396 msiexec.exe
- Token: SeRestorePrivilege 4396 msiexec.exe
- Token: SeShutdownPrivilege 4396 msiexec.exe
- Token: SeDebugPrivilege 4396 msiexec.exe
- Token: SeAuditPrivilege 4396 msiexec.exe
- Token: SeSystemEnvironmentPrivilege 4396 msiexec.exe
- Token: SeChangeNotifyPrivilege 4396 msiexec.exe
- Token: SeRemoteShutdownPrivilege 4396 msiexec.exe
- Token: SeUndockPrivilege 4396 msiexec.exe
- Token: SeSyncAgentPrivilege 4396 msiexec.exe
- Token: SeEnableDelegationPrivilege 4396 msiexec.exe
- Token: SeManageVolumePrivilege 4396 msiexec.exe
- Token: SeImpersonatePrivilege 4396 msiexec.exe
- Token: SeCreateGlobalPrivilege 4396 msiexec.exe
- Token: SeBackupPrivilege 2936 vssvc.exe
- Token: SeRestorePrivilege 2936 vssvc.exe
- Token: SeAuditPrivilege 2936 vssvc.exe
- Token: SeBackupPrivilege 3972 msiexec.exe
- Token: SeRestorePrivilege 3972 msiexec.exe
- Token: SeRestorePrivilege 3972 msiexec.exe
- Token: SeTakeOwnershipPrivilege 3972 msiexec.exe
- Token: SeRestorePrivilege 3972 msiexec.exe
- Token: SeTakeOwnershipPrivilege 3972 msiexec.exe
- Token: SeDebugPrivilege 5044 powershell.exe
- Token: SeRestorePrivilege 4748 UsfWMVCzYNmv.exe
- Token: 35 4748 UsfWMVCzYNmv.exe
- Token: SeSecurityPrivilege 4748 UsfWMVCzYNmv.exe
- Token: SeSecurityPrivilege 4748 UsfWMVCzYNmv.exe
- Token: SeBackupPrivilege 648 srtasks.exe
- Token: SeRestorePrivilege 648 srtasks.exe
- Token: SeSecurityPrivilege 648 srtasks.exe
- Token: SeTakeOwnershipPrivilege 648 srtasks.exe
- Token: SeRestorePrivilege 3972 msiexec.exe
- Token: SeTakeOwnershipPrivilege 3972 msiexec.exe
- Token: SeRestorePrivilege 3972 msiexec.exe
- Token: SeTakeOwnershipPrivilege 3972 msiexec.exe
- Token: SeRestorePrivilege 3972 msiexec.exe
- Token: SeTakeOwnershipPrivilege 3972 msiexec.exe
- Token: SeRestorePrivilege 3972 msiexec.exe
- Token: SeTakeOwnershipPrivilege 3972 msiexec.exe
- Token: SeRestorePrivilege 3972 msiexec.exe
- Token: SeTakeOwnershipPrivilege 3972 msiexec.exe
- Token: SeRestorePrivilege 3972 msiexec.exe
- Token: SeTakeOwnershipPrivilege 3972 msiexec.exe
- Token: SeRestorePrivilege 3972 msiexec.exe
- Token: SeTakeOwnershipPrivilege 3972 msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid / Process:
- 4396 msiexec.exe
- 4396 msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid / Process:
- 2068 kugou11131.exe
Suspicious use of WriteProcessMemory 23 IoCs
description / pid / Process / procid_target:
- PID 3972 wrote to memory of 648 (3972 msiexec.exe, target 106)
- PID 3972 wrote to memory of 648 (3972 msiexec.exe, target 106)
- PID 3972 wrote to memory of 2092 (3972 msiexec.exe, target 109)
- PID 3972 wrote to memory of 2092 (3972 msiexec.exe, target 109)
- PID 2092 wrote to memory of 5044 (2092 MsiExec.exe, target 110)
- PID 2092 wrote to memory of 5044 (2092 MsiExec.exe, target 110)
- PID 2092 wrote to memory of 1264 (2092 MsiExec.exe, target 112)
- PID 2092 wrote to memory of 1264 (2092 MsiExec.exe, target 112)
- PID 1264 wrote to memory of 4748 (1264 cmd.exe, target 114)
- PID 1264 wrote to memory of 4748 (1264 cmd.exe, target 114)
- PID 1264 wrote to memory of 4748 (1264 cmd.exe, target 114)
- PID 2092 wrote to memory of 5060 (2092 MsiExec.exe, target 116)
- PID 2092 wrote to memory of 5060 (2092 MsiExec.exe, target 116)
- PID 2092 wrote to memory of 5060 (2092 MsiExec.exe, target 116)
- PID 2092 wrote to memory of 2068 (2092 MsiExec.exe, target 117)
- PID 2092 wrote to memory of 2068 (2092 MsiExec.exe, target 117)
- PID 2092 wrote to memory of 2068 (2092 MsiExec.exe, target 117)
- PID 716 wrote to memory of 548 (716 yINMOeuVvrtK.exe, target 125)
- PID 716 wrote to memory of 548 (716 yINMOeuVvrtK.exe, target 125)
- PID 716 wrote to memory of 548 (716 yINMOeuVvrtK.exe, target 125)
- PID 548 wrote to memory of 2224 (548 YbAWjEbpulWw.exe, target 127)
- PID 548 wrote to memory of 2224 (548 YbAWjEbpulWw.exe, target 127)
- PID 548 wrote to memory of 2224 (548 YbAWjEbpulWw.exe, target 127)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indented entries are children of the process above them)
- C:\Windows\system32\msiexec.exe (PID 4396)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\kugou_yinyue-X64.msi
  Signatures:
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (PID 3972)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures:
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 648)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    Signatures:
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\MsiExec.exe (PID 2092)
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 96A3A90B08492D6C8F735AAA493B819D E Global\MSI0000
    Signatures:
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 5044)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DeployDeterminedRetailer'
      Signatures:
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    - C:\Windows\System32\cmd.exe (PID 1264)
      Command line: "C:\Windows\System32\cmd.exe" /c start "" "C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe" x "C:\Program Files\DeployDeterminedRetailer\QnEAZeOBmPdAEfzPaPmE" -o"C:\Program Files\DeployDeterminedRetailer\" -pkYpyaRvRcFdTfVUfUNOC -y
      Signatures:
      - Suspicious use of WriteProcessMemory
      - C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe (PID 4748)
        Command line: "C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe" x "C:\Program Files\DeployDeterminedRetailer\QnEAZeOBmPdAEfzPaPmE" -o"C:\Program Files\DeployDeterminedRetailer\" -pkYpyaRvRcFdTfVUfUNOC -y
        Signatures:
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
    - C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe (PID 5060)
      Command line: "C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe" -number 289 -file file3 -mode mode3
      Signatures:
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files\DeployDeterminedRetailer\kugou11131.exe (PID 2068)
      Command line: "C:\Program Files\DeployDeterminedRetailer\kugou11131.exe"
      Signatures:
      - Executes dropped EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of SetWindowsHookEx
- C:\Windows\system32\vssvc.exe (PID 2936)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures:
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\WScript.exe (PID 1632)
  Command line: C:\Windows\System32\WScript.exe "C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.vbs"
  Signatures:
  - Modifies data under HKEY_USERS
- C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe (PID 912)
  Command line: "C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe" install
  Signatures:
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
- C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe (PID 908)
  Command line: "C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe" start
  Signatures:
  - Drops file in Program Files directory
  - Executes dropped EXE
- C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe (PID 716)
  Command line: "C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe"
  Signatures:
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe (PID 548)
    Command line: "C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe" -number 149 -file file3 -mode mode3
    Signatures:
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe (PID 2224)
      Command line: "C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe" -number 62 -file file3 -mode mode3
      Signatures:
      - Enumerates connected drives
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
524KB
MD55a671b81a0d59cd5192b1861b65f2543
SHA1f679af0550a31a5cfbaa1b055cfaf2396027e391
SHA2565c7b02317096c5fe6fcfe173711e06aeb288c916e97a2abfe5939907744e0d97
SHA5126d76a6ac670e147335760a03288c6fc7e99c18611edfa859f4e76027bd937ac0a650479bdd2d09f9b94bb56bc81e3d292a42769c763971ff9a24d9566d22b442
-
Filesize
3.3MB
MD5f7b407c2c1600587cb6e5679a93250fb
SHA100b0cbedff910b4016cb957d6043eadb99575dd0
SHA2563ca02f89d98b7781c242b60029ddeb4f6b8610b624c0b70c6347a50b49f59024
SHA512428ae534ea6af1986f596b4a38b45926d2fe19cab09544fcc601a0a615e1ac45129e4eb88ac58489694b6b0c1a22514003eac5fdd0a7497cc719c1e047ad6624
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\yINMOeuVvrtK.exe.log
-
\??\Volume{fb297ba4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2c4c9041-537f-4726-869e-844a5ce4ca0d}_OnDiskSnapshotProp