Malware Analysis Report

2024-12-07 13:56

Sample ID 241118-lpr97atgqq
Target Firefox_huohu-X64.msi.vir
SHA256 0aa00ca752764f9721879a56838d67777c008bef2c040d630d91b25e14687575
Tags discovery execution persistence privilege_escalation gh0strat purplefox rat rootkit trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

0aa00ca752764f9721879a56838d67777c008bef2c040d630d91b25e14687575

Threat Level: Known bad

The file Firefox_huohu-X64.msi.vir was found to be: Known bad.

Malicious Activity Summary

discovery execution persistence privilege_escalation gh0strat purplefox rat rootkit trojan

Purplefox family

Gh0strat

Gh0st RAT payload

Gh0strat family

PurpleFox

Detect PurpleFox Rootkit

Command and Scripting Interpreter: PowerShell

Enumerates connected drives

Drops file in System32 directory

Executes dropped EXE

Drops file in Windows directory

Drops file in Program Files directory

Loads dropped DLL

Event Triggered Execution: Installer Packages

Enumerates physical storage devices

System Network Configuration Discovery: Internet Connection Discovery

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Modifies data under HKEY_USERS

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: CmdExeWriteProcessMemorySpam

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-18 09:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-18 09:42

Reported

2024-11-18 09:45

Platform

win7-20240903-en

Max time kernel

120s

Max time network

123s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Firefox_huohu-X64.msi

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\FacilitateLivelyTrader\VublDMXMdQDxkVcGJXeKmSKZaTZMsK C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
File opened for modification C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
File opened for modification C:\Program Files\FacilitateLivelyTrader\2_iSeiWroKLIBt.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
File created C:\Program Files\FacilitateLivelyTrader\2_iSeiWroKLIBt.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
File created C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
File created C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.vbs C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened for modification C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\FacilitateLivelyTrader\nCwFdlWQriESwgzBGBmGkKSUAZWlSU C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\FacilitateLivelyTrader\valibclang2d.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
File created C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.xml C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
File opened for modification C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
File opened for modification C:\Program Files\FacilitateLivelyTrader\VublDMXMdQDxkVcGJXeKmSKZaTZMsK C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
File opened for modification C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.xml C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
File created C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe C:\Windows\system32\MsiExec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDEAC.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76dd96.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76dd93.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76dd93.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76dd94.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76dd94.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zS8755D4F6\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0b96b519e39db01 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\SourceList\PackageName = "Firefox_huohu-X64.msi" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\PackageCode = "3627251E5EF768842A40F504531667A5" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\Version = "17367045" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6B835E147A3D2814C844C173D567645D C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6B835E147A3D2814C844C173D567645D\5A4B62B8F0C0F5A4AA8F1E23F100F89A C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5A4B62B8F0C0F5A4AA8F1E23F100F89A C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\ProductName = "FacilitateLivelyTrader" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5A4B62B8F0C0F5A4AA8F1E23F100F89A\ProductFeature C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\SourceList\Net C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS8755D4F6\setup.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
Token: 35 N/A C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
Token: 35 N/A C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2088 wrote to memory of 1876 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2088 wrote to memory of 1876 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2088 wrote to memory of 1876 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2088 wrote to memory of 1876 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2088 wrote to memory of 1876 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1876 wrote to memory of 300 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1876 wrote to memory of 300 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1876 wrote to memory of 300 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1876 wrote to memory of 1948 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1876 wrote to memory of 1948 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1876 wrote to memory of 1948 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1948 wrote to memory of 1912 N/A C:\Windows\System32\cmd.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe
PID 1948 wrote to memory of 1912 N/A C:\Windows\System32\cmd.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe
PID 1948 wrote to memory of 1912 N/A C:\Windows\System32\cmd.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe
PID 1948 wrote to memory of 1912 N/A C:\Windows\System32\cmd.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe
PID 1948 wrote to memory of 1712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1948 wrote to memory of 1712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1948 wrote to memory of 1712 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1948 wrote to memory of 2812 N/A C:\Windows\System32\cmd.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe
PID 1948 wrote to memory of 2812 N/A C:\Windows\System32\cmd.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe
PID 1948 wrote to memory of 2812 N/A C:\Windows\System32\cmd.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe
PID 1948 wrote to memory of 2812 N/A C:\Windows\System32\cmd.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe
PID 1876 wrote to memory of 3016 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe
PID 1876 wrote to memory of 3016 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe
PID 1876 wrote to memory of 3016 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe
PID 1876 wrote to memory of 3016 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe
PID 1876 wrote to memory of 1400 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe
PID 1876 wrote to memory of 1400 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe
PID 1876 wrote to memory of 1400 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe
PID 1876 wrote to memory of 1400 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe
PID 1400 wrote to memory of 1920 N/A C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe C:\Users\Admin\AppData\Local\Temp\7zS8755D4F6\setup.exe
PID 1400 wrote to memory of 1920 N/A C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe C:\Users\Admin\AppData\Local\Temp\7zS8755D4F6\setup.exe
PID 1400 wrote to memory of 1920 N/A C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe C:\Users\Admin\AppData\Local\Temp\7zS8755D4F6\setup.exe
PID 1400 wrote to memory of 1920 N/A C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe C:\Users\Admin\AppData\Local\Temp\7zS8755D4F6\setup.exe
PID 1400 wrote to memory of 1920 N/A C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe C:\Users\Admin\AppData\Local\Temp\7zS8755D4F6\setup.exe
PID 1400 wrote to memory of 1920 N/A C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe C:\Users\Admin\AppData\Local\Temp\7zS8755D4F6\setup.exe
PID 1400 wrote to memory of 1920 N/A C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe C:\Users\Admin\AppData\Local\Temp\7zS8755D4F6\setup.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Firefox_huohu-X64.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000059C" "00000000000003B8"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 71C0BA746EC233511C15AD0E4271CFDB M Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\FacilitateLivelyTrader'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe" x "C:\Program Files\FacilitateLivelyTrader\nCwFdlWQriESwgzBGBmGkKSUAZWlSU" -o"C:\Program Files\FacilitateLivelyTrader\" -p"36908^{A*neaZ}Bl.=vm" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe" x "C:\Program Files\FacilitateLivelyTrader\VublDMXMdQDxkVcGJXeKmSKZaTZMsK" -x!1_iSeiWroKLIBt.exe -o"C:\Program Files\FacilitateLivelyTrader\" -p"66052?wI56S:MGE)D:q}" -y

C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe

"C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe" x "C:\Program Files\FacilitateLivelyTrader\nCwFdlWQriESwgzBGBmGkKSUAZWlSU" -o"C:\Program Files\FacilitateLivelyTrader\" -p"36908^{A*neaZ}Bl.=vm" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe

"C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe" x "C:\Program Files\FacilitateLivelyTrader\VublDMXMdQDxkVcGJXeKmSKZaTZMsK" -x!1_iSeiWroKLIBt.exe -o"C:\Program Files\FacilitateLivelyTrader\" -p"66052?wI56S:MGE)D:q}" -y

C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe

"C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe" -number 182 -file file3 -mode mode3

C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe

"C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe"

C:\Users\Admin\AppData\Local\Temp\7zS8755D4F6\setup.exe

.\setup.exe
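The process list above is the most useful part of this run for detection engineering, so the following Python is added here as an editor's example (it is not part of the sandbox report or any vendor's tooling). It reconstructs the recorded command lines and parent links as event records and flags the four behaviours that separate this package from an ordinary MSI: the out-of-process custom action server (`MsiExec.exe -Embedding ...`) launching PowerShell and cmd.exe; `Add-MpPreference -ExclusionPath` removing the drop directory from Defender scanning before anything is unpacked; two password-protected extractions with 7-Zip-style `x <archive> -o<dir> -p<pwd> -y` syntax into Program Files (the page does not identify the extractor binary, so the rule keys on the syntax, not the tool name); and `ping 127.0.0.1 -n 2` as a one-second delay between them, which is a sleep rather than the connectivity discovery the tag suggests. The `ProcEvent` fields and rule names are this example's own, not a Sysmon or EDR schema. The vssvc.exe/DrvInst.exe activity tagged `ransomware` in this run is consistent with Windows Installer's restore-point creation and is not used as a signal.

```python
# Added example (not from the report or any vendor tool): flag the four behaviours in
# this installer's process chain. ProcEvent records are built from the report's
# Processes list and "wrote to memory" parent links; field and rule names are ours.
import re
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class ProcEvent:
    parent_image: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Finding:
    rule: str
    image: str
    detail: str


# Script hosts an MSI custom action should rarely need to launch.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
# A cmd.exe token: runs of non-space/non-quote chars and quoted strings glued
# together, so -o"C:\Program Files\X\" and "C:\a b\t.exe" each stay one token.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')
_MP_EXCLUSION = re.compile(
    r"(?:Add|Set)-MpPreference\b.*?-Exclusion(Path|Process|Extension|IpAddress)"
    r"""\s+('[^']*'|"[^"]*"|\S+)""", re.I)
_LOOPBACK_PING = re.compile(
    r"\bping(?:\.exe)?\s+(?:-n\s+(\d+)\s+)?(?:127\.0\.0\.1|localhost|::1)"
    r"(?:\s+-n\s+(\d+))?", re.I)


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokens(cmd: str) -> list[str]:
    return [t.replace('"', "") for t in _TOKEN.findall(cmd)]


def cmd_segments(cmd: str) -> list[str]:
    """Split a cmd.exe one-liner on ' & ', ' && ', ' | ' and ' || '."""
    return [s.strip() for s in re.split(r"\s(?:&&|&|\|\||\|)\s", cmd) if s.strip()]


def archive_extractions(cmd: str) -> list[dict]:
    """7-Zip-style 'tool x <archive> -o<dir> -p<pwd> [-x!<skip>] -y' calls that carry a password."""
    found = []
    for seg in cmd_segments(cmd):
        toks = tokens(seg)
        if "x" not in toks or toks.index("x") in (0, len(toks) - 1):
            continue
        i = toks.index("x")
        rec = {"tool": toks[i - 1], "archive": toks[i + 1],
               "outdir": None, "password": None, "excludes": []}
        for t in toks[i + 2:]:
            if t.startswith("-o"):
                rec["outdir"] = t[2:]
            elif t.startswith("-p"):
                rec["password"] = t[2:]
            elif t.startswith("-x!"):
                rec["excludes"].append(t[3:])
        if rec["password"] is not None:
            found.append(rec)
    return found


def ping_sleep_seconds(cmd: str) -> Optional[int]:
    """Delay a loopback ping buys a script: -n echoes about one second apart."""
    m = _LOOPBACK_PING.search(cmd)
    if not m:
        return None
    return max(int(m.group(1) or m.group(2) or 4) - 1, 0)  # ping default: 4 echoes


def analyse(events: Iterable[ProcEvent]) -> list[Finding]:
    out = []
    for ev in events:
        if basename(ev.parent_image) == "msiexec.exe" and basename(ev.image) in INTERPRETERS:
            out.append(Finding("msiexec_spawns_interpreter", ev.image, ev.cmdline[:70]))
        m = _MP_EXCLUSION.search(ev.cmdline)
        if m:
            value = m.group(2).strip("'\"")
            out.append(Finding("defender_exclusion_added", ev.image, f"Exclusion{m.group(1)}={value}"))
        for rec in archive_extractions(ev.cmdline):
            out.append(Finding("password_protected_extraction", ev.image,
                               f"{basename(rec['tool'])} -> {rec['outdir']}"))
        delay = ping_sleep_seconds(ev.cmdline)
        if delay is not None and len(cmd_segments(ev.cmdline)) > 1:
            out.append(Finding("loopback_ping_sleep", ev.image, f"~{delay} s between chained commands"))
    return out


# Sample input reconstructed from the report (paths and command lines as recorded).
SYS32 = r"C:\Windows\system32"
DROP = r"C:\Program Files\FacilitateLivelyTrader"
TOOL = DROP + r"\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXTRACT_1 = (f'"{TOOL}" x "{DROP}\\nCwFdlWQriESwgzBGBmGkKSUAZWlSU" -o"{DROP}\\" '
             + r'-p"36908^{A*neaZ}Bl.=vm" -y')
EXTRACT_2 = (f'"{TOOL}" x "{DROP}\\VublDMXMdQDxkVcGJXeKmSKZaTZMsK" -x!1_iSeiWroKLIBt.exe '
             + f'-o"{DROP}\\" ' + r'-p"66052?wI56S:MGE)D:q}" -y')
CMD_CHAIN = (f'"{SYS32}\\cmd.exe" /c start /min "" ' + EXTRACT_1
             + ' & ping 127.0.0.1 -n 2 & start /min "" ' + EXTRACT_2)
EVENTS = [
    ProcEvent(f"{SYS32}\\msiexec.exe", f"{SYS32}\\MsiExec.exe",
              f"{SYS32}\\MsiExec.exe -Embedding 71C0BA746EC233511C15AD0E4271CFDB M Global\\MSI0000"),
    ProcEvent(f"{SYS32}\\MsiExec.exe", PS, f'"{PS}" -Command Add-MpPreference -ExclusionPath ' + f"'{DROP}'"),
    ProcEvent(f"{SYS32}\\MsiExec.exe", f"{SYS32}\\cmd.exe", CMD_CHAIN),
    ProcEvent(f"{SYS32}\\cmd.exe", TOOL, EXTRACT_1),
    ProcEvent(f"{SYS32}\\cmd.exe", f"{SYS32}\\PING.EXE", "ping 127.0.0.1 -n 2"),
    ProcEvent(f"{SYS32}\\cmd.exe", TOOL, EXTRACT_2),
]

if __name__ == "__main__":
    for f in analyse(EVENTS):
        print(f"[{f.rule}] {basename(f.image)}: {f.detail}")
```

Two points for anyone reusing this. The extractor returns the recovered passwords and the `-x!` exclude list: the second archive is unpacked with `1_iSeiWroKLIBt.exe` excluded while `2_iSeiWroKLIBt.exe` appears in the dropped-files list, so the archive evidently carries more than one variant and the installer picks one; with the password from the command line an analyst can pull the other variant from the archive. And `msiexec_spawns_interpreter` alone is medium fidelity, since legitimate installers also run script custom actions; it earns its score when it lands next to the Defender exclusion and the password-protected unpack in the same process tree.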

Network

Country Destination Domain Proto
US 8.8.8.8:53 im.qq.com udp

Files

memory/1876-12-0x0000000000200000-0x0000000000210000-memory.dmp

memory/300-17-0x000000001B570000-0x000000001B852000-memory.dmp

memory/300-18-0x0000000002300000-0x0000000002308000-memory.dmp

C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe

MD5 c31c4b04558396c6fabab64dcf366534
SHA1 fa836d92edc577d6a17ded47641ba1938589b09a
SHA256 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

C:\Program Files\FacilitateLivelyTrader\nCwFdlWQriESwgzBGBmGkKSUAZWlSU

MD5 5ce7742a647a882a26bd7abcbd61e5b5
SHA1 19255ad462c274c9d308f1deedc1fa36876ded66
SHA256 3e2a3e66e710dcdc1ec4f1709fcc6d707d8eb80b1e264a37463b243b9cb0bfbe
SHA512 ee506fcfb7c340cf931743a21452353038f94a1b752b8003352b4b34bc85bae80bbf97d1adcd6d53bd7f65512352e93f86e8de1bebcab808ba0f8f903c18401c

C:\Program Files\FacilitateLivelyTrader\VublDMXMdQDxkVcGJXeKmSKZaTZMsK

MD5 962fd52d66d725f2050c39d645df3a7a
SHA1 25fdb580cbd6f272d5eff3534d0b30d6812f2612
SHA256 ca5b528d55cb88ca9579a4bb4e548b5b5b5c246a95c477ca77e01c427b400cab
SHA512 cf966c612f06ed468d4313c5b925b22b72039aeef7949c896d5ddc7f05c4818aa2d49836d40a6bf8e0de5519566124c329bcc4e0846f55ee097bf15187c19588

C:\Program Files\FacilitateLivelyTrader\2_iSeiWroKLIBt.exe

MD5 11ca5e4f6a371395d45aad01aee5a439
SHA1 5f090f754164cdad4f5416d0c5a0310da609f407
SHA256 d7f9881401ac68cdfb410ec8be47bdc698d1215144f9d51bfec5f9d085166e21
SHA512 15292f5c94e1ecb0d3534759b97d5124cf3916ba52c12b97ef8f5e58c33be3006bd5e1981f233c8d69f9a07fd470fdcc073b7653cc4438c39282120ac387128c

C:\Config.Msi\f76dd95.rbs

MD5 62deba2123ab38a00f1c17e35efd87a0
SHA1 8ce541e56937ef21c37531540380ea4400139426
SHA256 9e5dba0b7f1900762448ad9417a73451a23d84c755914a0e65006eb13a2c278c
SHA512 2c63b70dc7f42fa89140d380ba11139bd04d129bfbc5346a36244f6966d4567919a88359e8923aa6201254fe8b347587624b098eaa4c863611c0492d223acc3d

memory/3016-122-0x0000000000710000-0x000000000073F000-memory.dmp

\Users\Admin\AppData\Local\Temp\7zS8755D4F6\setup.exe

MD5 a550c0d09394744b4ea1da92f82884c1
SHA1 6dc4acc070467f73461a50bd37666999ff612dac
SHA256 f4fa18a1f310f124430844d276c3f0fa46f69582b67ec50aa2fa0cd2860208ed
SHA512 0ac11bbc5efe3a734176f1b990e7c473251994203595612e6ff1354b0204153e3e762d2b3ad5d936ca294341d022639f1120633f54bf200ae15bed8c5edbb233

\Users\Admin\AppData\Local\Temp\nst8C8.tmp\System.dll

MD5 b361682fa5e6a1906e754cfa08aa8d90
SHA1 c6701aee0c866565de1b7c1f81fd88da56b395d3
SHA256 b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04
SHA512 2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

C:\Users\Admin\AppData\Local\Temp\7zS8755D4F6\core\distribution\setup.ini

MD5 f4a91ae38239ad45b535a0abe3a5a8d8
SHA1 81c2d123964a2d344e20d363722bd89fdea89a96
SHA256 63a573475810f03ab2c6eb8af2a767ed13ed0ff2b6ea66cb72f43b6f3fbe7567
SHA512 75e9cc2c826c6965c00dceb8c6e4e9b12636efc2c9a9814e29143885ebdb805180f1188907257fb8013a53091708d4f260c241d284a6182a865668c6b05e3d7e

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-18 09:42

Reported

2024-11-18 09:45

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

152s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Firefox_huohu-X64.msi

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened (read-only) \??\T: C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened (read-only) \??\R: C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened (read-only) \??\V: C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened (read-only) \??\U: C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened (read-only) \??\W: C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened (read-only) \??\Y: C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened (read-only) \??\I: C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened (read-only) \??\O: C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wMzzBEfykyNn.exe.log C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
File created C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.vbs C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened for modification C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.wrapper.log C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe N/A
File opened for modification C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
File opened for modification C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.xml C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
File created C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe C:\Windows\System32\MsiExec.exe N/A
File created C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\FacilitateLivelyTrader\nCwFdlWQriESwgzBGBmGkKSUAZWlSU C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
File created C:\Program Files\FacilitateLivelyTrader\2_iSeiWroKLIBt.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
File opened for modification C:\Program Files\FacilitateLivelyTrader\2_iSeiWroKLIBt.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
File created C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
File opened for modification C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.wrapper.log C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe N/A
File created C:\Program Files\FacilitateLivelyTrader\valibclang2d.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\FacilitateLivelyTrader\VublDMXMdQDxkVcGJXeKmSKZaTZMsK C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
File created C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.xml C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
File opened for modification C:\Program Files\FacilitateLivelyTrader C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
File opened for modification C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.wrapper.log C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe N/A
File created C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\FacilitateLivelyTrader\VublDMXMdQDxkVcGJXeKmSKZaTZMsK C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{8B26B4A5-0C0F-4A5F-AAF8-E1321F008FA9} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC13D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57bf89.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57bf87.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57bf87.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value omitted) C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\setup.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\setup.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\setup.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WScript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\setup.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\setup.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6B835E147A3D2814C844C173D567645D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6B835E147A3D2814C844C173D567645D\5A4B62B8F0C0F5A4AA8F1E23F100F89A C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\SourceList\PackageName = "Firefox_huohu-X64.msi" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5A4B62B8F0C0F5A4AA8F1E23F100F89A C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\ProductName = "FacilitateLivelyTrader" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\5A4B62B8F0C0F5A4AA8F1E23F100F89A\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\PackageCode = "3627251E5EF768842A40F504531667A5" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\Version = "17367045" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\5A4B62B8F0C0F5A4AA8F1E23F100F89A C:\Windows\system32\msiexec.exe N/A
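
The rows above are the Windows Installer's ordinary product registration, but they carry the identifiers you need to find this install on other hosts: the key names are Darwin "squished" GUIDs (ProductCode, UpgradeCode and PackageCode with their hex groups byte-reversed), Version is a packed DWORD, and ProductName / PackageName tie the registration to "FacilitateLivelyTrader" and Firefox_huohu-X64.msi. The Python below is an added editor's example, not part of the sandbox report: it unsquishes those key names into the {GUID} form that appears under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and that msiexec /x accepts, squishes a known GUID back into the Installer\Products key name for hunting, and decodes the Version value. The identifier constants are copied from the table; the function names are the example's own.

```python
import re

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")

# Identifiers copied from the "Modifies registry class" rows above.
PRODUCT_KEY = "5A4B62B8F0C0F5A4AA8F1E23F100F89A"   # Installer\Products\<key>
UPGRADE_KEY = "6B835E147A3D2814C844C173D567645D"   # Installer\UpgradeCodes\<key>
PACKAGE_CODE = "3627251E5EF768842A40F504531667A5"  # PackageCode value
VERSION_DWORD = 17367045                           # Version value (int)


def unsquish_guid(packed: str) -> str:
    """Turn a 32-hex Windows Installer 'squished' key name into {GUID} form.

    Storage layout: the first three GUID groups (8, 4 and 4 hex digits) are
    written reversed as whole strings; the last two groups (4 and 12 digits)
    are written with the two hex digits of every byte swapped.
    """
    if not HEX32.match(packed):
        raise ValueError(f"not a squished GUID: {packed!r}")
    p = packed.upper()
    swapped = "".join(p[i + 1] + p[i] for i in range(16, 32, 2))
    groups = [p[0:8][::-1], p[8:12][::-1], p[12:16][::-1], swapped[:4], swapped[4:]]
    return "{" + "-".join(groups) + "}"


def squish_guid(guid: str) -> str:
    """Inverse of unsquish_guid: {GUID} -> Installer\\Products key name.
    This is the form to search for when you start from a known ProductCode."""
    g = guid.strip("{}").upper().split("-")
    if [len(x) for x in g] != [8, 4, 4, 4, 12]:
        raise ValueError(f"not a GUID: {guid!r}")
    tail = g[3] + g[4]
    swapped = "".join(tail[i + 1] + tail[i] for i in range(0, 16, 2))
    return g[0][::-1] + g[1][::-1] + g[2][::-1] + swapped


def decode_msi_version(dword: int) -> str:
    """Installer Version value: major in the top byte, minor in the next
    byte, build in the low 16 bits."""
    return f"{(dword >> 24) & 0xFF}.{(dword >> 16) & 0xFF}.{dword & 0xFFFF}"


def registry_pivots(product_key: str) -> dict:
    """Where the same product registration shows up on an infected host."""
    guid = unsquish_guid(product_key)
    return {
        "product_code": guid,
        "installer_products": r"HKLM\SOFTWARE\Classes\Installer\Products\%s" % product_key,
        "uninstall": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s" % guid,
        "uninstall_cmd": f"msiexec /x {guid}",
    }


if __name__ == "__main__":
    for label, key in (("ProductCode", PRODUCT_KEY), ("UpgradeCode", UPGRADE_KEY),
                       ("PackageCode", PACKAGE_CODE)):
        print(f"{label:12} {key} -> {unsquish_guid(key)}")
    print(f"Version      {VERSION_DWORD} -> {decode_msi_version(VERSION_DWORD)}")
    for k, v in registry_pivots(PRODUCT_KEY).items():
        print(f"{k:20} {v}")
```

Two practical notes. The Uninstall entry for a 32-bit package on a 64-bit host lives under WOW6432Node; this sample is an x64 package, so the native key applies. And msiexec /x runs the package's own uninstall sequence, including its custom actions, so on a compromised host it is safer to remove the dropped directory and service directly and keep C:\Config.Msi\e57bf88.rbs (the rollback script listed in the Files section) as evidence.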

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Windows\system32\msiexec.exe N/A 2
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A 3
N/A N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe N/A 59

Events: number of identical rows the sandbox recorded for that process.

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
Token: 35 (LUID left unresolved by the sandbox; LUID 35 is SeCreateSymbolicLinkPrivilege on Windows) N/A C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
Token: 35 (LUID left unresolved by the sandbox; LUID 35 is SeCreateSymbolicLinkPrivilege on Windows) N/A C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5064 wrote to memory of 3528 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 5064 wrote to memory of 3528 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 5064 wrote to memory of 1904 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 5064 wrote to memory of 1904 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 1904 wrote to memory of 3156 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 3156 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 2484 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1904 wrote to memory of 2484 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 2484 wrote to memory of 4508 N/A C:\Windows\System32\cmd.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe
PID 2484 wrote to memory of 4508 N/A C:\Windows\System32\cmd.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe
PID 2484 wrote to memory of 4508 N/A C:\Windows\System32\cmd.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe
PID 2484 wrote to memory of 4496 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2484 wrote to memory of 4496 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2484 wrote to memory of 2900 N/A C:\Windows\System32\cmd.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe
PID 2484 wrote to memory of 2900 N/A C:\Windows\System32\cmd.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe
PID 2484 wrote to memory of 2900 N/A C:\Windows\System32\cmd.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe
PID 1904 wrote to memory of 1128 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe
PID 1904 wrote to memory of 1128 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe
PID 1904 wrote to memory of 1128 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe
PID 1904 wrote to memory of 1484 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe
PID 1904 wrote to memory of 1484 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe
PID 1904 wrote to memory of 1484 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe
PID 1484 wrote to memory of 1428 N/A C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\setup.exe
PID 1484 wrote to memory of 1428 N/A C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\setup.exe
PID 1484 wrote to memory of 1428 N/A C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\setup.exe
PID 720 wrote to memory of 4336 N/A C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe
PID 720 wrote to memory of 4336 N/A C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe
PID 720 wrote to memory of 4336 N/A C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe
PID 4336 wrote to memory of 2212 N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe
PID 4336 wrote to memory of 2212 N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe
PID 4336 wrote to memory of 2212 N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe
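
Every "PID A wrote to memory of B" row is the sandbox recording a parent writing into a child it has just created, so this table doubles as a process tree. The Python below is an added editor's example, not part of the report: it rebuilds the tree from the rows above (one row per unique parent/child pair; the parser also tolerates the repeated rows the sandbox emits), lists the roots, walks any PID's ancestry, and flags the links a triage analyst cares about: the Installer custom-action server (MsiExec.exe -Embedding, PID 1904) spawning powershell.exe and cmd.exe, and ping between the two extraction stages. It also surfaces the second root, wMzzBEfykyNn.exe (PID 720), which has no recorded parent here, meaning it was not started from the installer tree. Reading that as a service start is an inference from the install / start command lines in the Processes section, not something this table proves.

```python
import re
from collections import defaultdict

# Rows copied from the "Suspicious use of WriteProcessMemory" table above
# (constructed input for this example; duplicate rows removed).
ROWS = r"""
PID 5064 wrote to memory of 3528 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 5064 wrote to memory of 1904 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 1904 wrote to memory of 3156 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1904 wrote to memory of 2484 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 2484 wrote to memory of 4508 N/A C:\Windows\System32\cmd.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe
PID 2484 wrote to memory of 4496 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2484 wrote to memory of 2900 N/A C:\Windows\System32\cmd.exe C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe
PID 1904 wrote to memory of 1128 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe
PID 1904 wrote to memory of 1484 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe
PID 1484 wrote to memory of 1428 N/A C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\setup.exe
PID 720 wrote to memory of 4336 N/A C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe
PID 4336 wrote to memory of 2212 N/A C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe
"""

# Parent path is matched lazily up to the first " C:\" that starts the child path.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) (C:\\.+)$")


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def build_tree(rows: str):
    """Return (parent_of, image_of, children) built from the sandbox rows."""
    parent_of, image_of, children = {}, {}, defaultdict(set)
    for line in rows.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        ppid, cpid = int(m[1]), int(m[2])
        image_of.setdefault(ppid, basename(m[3]))
        image_of[cpid] = basename(m[4])
        parent_of[cpid] = ppid            # repeated rows collapse here
        children[ppid].add(cpid)
    return parent_of, image_of, children


def roots(parent_of, image_of):
    """PIDs that only ever appear as parents: the tree's entry points."""
    return sorted(pid for pid in image_of if pid not in parent_of)


def ancestry(pid, parent_of, image_of):
    """Image names from the root down to pid."""
    chain = [image_of[pid]]
    while pid in parent_of:
        pid = parent_of[pid]
        chain.append(image_of[pid])
    return chain[::-1]


# Parent/child image pairs that a legitimate installer tree should not contain.
SUSPICIOUS_EDGES = {
    ("msiexec.exe", "powershell.exe"): "Installer custom action runs PowerShell",
    ("msiexec.exe", "cmd.exe"): "Installer custom action runs cmd.exe",
    ("cmd.exe", "ping.exe"): "ping loopback used as a sleep between stages",
}


def flag_edges(parent_of, image_of):
    hits = []
    for cpid, ppid in parent_of.items():
        key = (image_of[ppid].lower(), image_of[cpid].lower())
        if key in SUSPICIOUS_EDGES:
            hits.append((ppid, cpid, SUSPICIOUS_EDGES[key]))
    return sorted(hits)


def render(children, image_of, pid, depth=0):
    lines = [f"{'  ' * depth}{pid} {image_of[pid]}"]
    for c in sorted(children.get(pid, ())):
        lines.extend(render(children, image_of, c, depth + 1))
    return lines


if __name__ == "__main__":
    parent_of, image_of, children = build_tree(ROWS)
    for root in roots(parent_of, image_of):
        print("\n".join(render(children, image_of, root)))
    for ppid, cpid, why in flag_edges(parent_of, image_of):
        print(f"FLAG {ppid} -> {cpid}: {why}")
```

The same edge rules translate directly into process-creation telemetry (Sysmon Event ID 1 or Security 4688 with parent image), where ParentImage ending in msiexec.exe and Image ending in powershell.exe or cmd.exe is a low-volume, high-value query in most environments.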

Uses Volume Shadow Copy service COM API

ransomware

Caveat on the ransomware tag: it is the generic tag the sandbox attaches to this signature, not evidence of encryption. In this detonation the VSS activity belongs to the Windows Installer service (msiexec /V) creating a system restore point: srtasks.exe is launched with ExecuteScopeRestorePoint /WaitForRestorePoint:2, vssvc.exe enables SeBackupPrivilege and SeRestorePrivilege, and the only shadow-copy paths in the Files section are System Volume Information\SPP metadata. That is normal behaviour for a per-machine MSI install. Nothing in this report shows shadow copies being deleted or user files being rewritten; the verdict rests on the PurpleFox and Gh0st RAT detections.

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Firefox_huohu-X64.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 8A12991074450FB72F128D434A4C0091 E Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\FacilitateLivelyTrader'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe" x "C:\Program Files\FacilitateLivelyTrader\nCwFdlWQriESwgzBGBmGkKSUAZWlSU" -o"C:\Program Files\FacilitateLivelyTrader\" -p"36908^{A*neaZ}Bl.=vm" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe" x "C:\Program Files\FacilitateLivelyTrader\VublDMXMdQDxkVcGJXeKmSKZaTZMsK" -x!1_iSeiWroKLIBt.exe -o"C:\Program Files\FacilitateLivelyTrader\" -p"66052?wI56S:MGE)D:q}" -y

C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe

"C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe" x "C:\Program Files\FacilitateLivelyTrader\nCwFdlWQriESwgzBGBmGkKSUAZWlSU" -o"C:\Program Files\FacilitateLivelyTrader\" -p"36908^{A*neaZ}Bl.=vm" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe

"C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe" x "C:\Program Files\FacilitateLivelyTrader\VublDMXMdQDxkVcGJXeKmSKZaTZMsK" -x!1_iSeiWroKLIBt.exe -o"C:\Program Files\FacilitateLivelyTrader\" -p"66052?wI56S:MGE)D:q}" -y

C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe

"C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe" -number 182 -file file3 -mode mode3

C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe

"C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.vbs"

C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe

"C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe" install

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\setup.exe

.\setup.exe

C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe

"C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe" start

C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe

"C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe"

C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe

"C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe" -number 134 -file file3 -mode mode3

C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe

"C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe" -number 62 -file file3 -mode mode3

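The command lines above tell the installer's story more directly than any signature: a custom action adds a Microsoft Defender exclusion for the drop folder; cmd.exe runs a renamed extractor with 7-Zip-style syntax (x, -o, -p, -y; the report does not identify the tool, so that is an inference) twice over extensionless, password-protected archives, with ping 127.0.0.1 -n 2 as the delay between the two; the -x!1_iSeiWroKLIBt.exe exclusion on the second archive, together with the 2_iSeiWroKLIBt.exe listed in the Files section, shows the archive ships more than one variant and the installer picks one; the decoy Firefox64_116.0.3.8627.exe unpacks a real Firefox setup.exe so the victim sees a browser install; WScript runs a dropped .vbs; and wMzzBEfykyNn.exe is invoked with install, then start, then bare, with a same-named .xml beside it, a verb pattern consistent with a service-wrapper binary (again an inference from the command lines, not something the report confirms). The Python below is an added editor's example, not part of the report: it encodes those observations as rules over the command lines (copied from this section as constructed input) and recovers the archive passwords from the extractor invocations so the two blobs can be unpacked offline.

```python
import re

# Command lines copied from the Processes section above; constructed input
# for this example, one command line per line.
CMDLINES = r"""
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Firefox_huohu-X64.msi
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\System32\MsiExec.exe -Embedding 8A12991074450FB72F128D434A4C0091 E Global\MSI0000
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\FacilitateLivelyTrader'
"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe" x "C:\Program Files\FacilitateLivelyTrader\nCwFdlWQriESwgzBGBmGkKSUAZWlSU" -o"C:\Program Files\FacilitateLivelyTrader\" -p"36908^{A*neaZ}Bl.=vm" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe" x "C:\Program Files\FacilitateLivelyTrader\VublDMXMdQDxkVcGJXeKmSKZaTZMsK" -x!1_iSeiWroKLIBt.exe -o"C:\Program Files\FacilitateLivelyTrader\" -p"66052?wI56S:MGE)D:q}" -y
ping 127.0.0.1 -n 2
"C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.exe" -number 182 -file file3 -mode mode3
"C:\Program Files\FacilitateLivelyTrader\Firefox64_116.0.3.8627.exe"
C:\Windows\System32\WScript.exe "C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.vbs"
"C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe" install
.\setup.exe
"C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe" start
"C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe"
""".strip().splitlines()

# Each rule is (name, compiled regex); names are this example's own.
RULES = [
    ("msi_from_temp",
     re.compile(r"msiexec\.exe\s+/i\s+\S*\\temp\\", re.I)),
    ("defender_exclusion",
     re.compile(r"Add-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)),
    ("passworded_extract",              # 7-Zip-style: x "<archive>" ... -p"<password>"
     re.compile(r'\bx\s+"[^"]+".*\s-p"[^"]+"', re.I)),
    ("ping_loopback_sleep",
     re.compile(r"\bping\s+127\.0\.0\.1\s+-n\s+\d+", re.I)),
    ("wscript_vbs_from_program_files",
     re.compile(r'wscript\.exe"?\s+"?C:\\Program Files\\[^"]*\.vbs', re.I)),
    ("service_wrapper_verb",
     re.compile(r'\.exe"\s+(install|uninstall|start|stop)\s*$', re.I)),
]

ARCHIVE_RE = re.compile(r'\bx\s+"([^"]+)"')
PASSWORD_RE = re.compile(r'-p"([^"]*)"')


def triage(cmdline: str) -> list:
    """Names of the rules this command line trips, in RULES order."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def extract_archive_secrets(cmdline: str) -> list:
    """(archive, password) pairs for every extractor invocation on the line;
    a cmd.exe line chaining two extractions yields two pairs."""
    return list(zip(ARCHIVE_RE.findall(cmdline), PASSWORD_RE.findall(cmdline)))


def run(cmdlines) -> tuple:
    """Map each suspicious command line to its rule hits, and collect the
    archive passwords seen anywhere in the set."""
    hits = {c: triage(c) for c in cmdlines if triage(c)}
    secrets = {}
    for c in cmdlines:
        secrets.update(extract_archive_secrets(c))
    return hits, secrets


if __name__ == "__main__":
    hits, secrets = run(CMDLINES)
    for cmd, names in hits.items():
        print(", ".join(names), "<-", cmd[:90])
    for archive, password in secrets.items():
        print("archive:", archive, "password:", password)
```

The passwords are ordinary command-line arguments, so they are recoverable from any process-creation telemetry that captures command lines (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled), which is also where the defender_exclusion and service_wrapper_verb rules are cheapest to deploy.
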
Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 im.qq.com udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 fgfdg5631gfd.icu udp
HK 38.47.221.103:80 fgfdg5631gfd.icu tcp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 103.221.47.38.in-addr.arpa udp
HK 47.242.9.172:10200 tcp
US 8.8.8.8:53 172.9.242.47.in-addr.arpa udp
US 8.8.8.8:53 qweay.shop udp
US 8.8.8.8:53 qweaq.shop udp
US 148.178.21.107:29130 qweaq.shop tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 qweay.shop udp
US 148.178.21.107:29130 qweaq.shop tcp
US 8.8.8.8:53 qweay.shop udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 148.178.21.107:29130 qweaq.shop tcp
US 8.8.8.8:53 qweay.shop udp
US 148.178.21.107:29130 qweaq.shop tcp
US 8.8.8.8:53 qweay.shop udp
US 148.178.21.107:29130 qweaq.shop tcp
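
Most rows in this table are noise for IOC purposes: the *.in-addr.arpa queries are PTR lookups and 8.8.8.8:53 is only the resolver. What matters is which names were resolved, which TCP endpoints were actually connected and how often, and which names were resolved but never used. The Python below is an added editor's example, not part of the report: it parses the rows above (copied verbatim as constructed input), separates PTR traffic from forward lookups, decodes each PTR name back to the address it asks about so it can be matched against the connection list, and counts repeated connections to the same endpoint. Note that the sandbox logs DNS queries for qweay.shop while attributing the TCP connections to qweaq.shop; treat both names as indicators.

```python
import ipaddress
from collections import Counter

# Rows copied verbatim from the Network table above (constructed input).
NETWORK_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 im.qq.com udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 fgfdg5631gfd.icu udp
HK 38.47.221.103:80 fgfdg5631gfd.icu tcp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 103.221.47.38.in-addr.arpa udp
HK 47.242.9.172:10200 tcp
US 8.8.8.8:53 172.9.242.47.in-addr.arpa udp
US 8.8.8.8:53 qweay.shop udp
US 8.8.8.8:53 qweaq.shop udp
US 148.178.21.107:29130 qweaq.shop tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 qweay.shop udp
US 148.178.21.107:29130 qweaq.shop tcp
US 8.8.8.8:53 qweay.shop udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 148.178.21.107:29130 qweaq.shop tcp
US 8.8.8.8:53 qweay.shop udp
US 148.178.21.107:29130 qweaq.shop tcp
US 8.8.8.8:53 qweay.shop udp
US 148.178.21.107:29130 qweaq.shop tcp
"""

RESOLVER = ("8.8.8.8", 53)


def parse_rows(text: str) -> list:
    """Row layout: country ip:port [domain] proto; the domain may be absent."""
    rows = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) == 4:
            country, dest, domain, proto = fields
        elif len(fields) == 3:
            (country, dest, proto), domain = fields, ""
        else:
            raise ValueError(f"unparsed row: {line!r}")
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def ptr_to_ip(name: str):
    """'103.221.47.38.in-addr.arpa' -> '38.47.221.103'; None for non-PTR names."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    labels = name[:-len(suffix)].split(".")
    if len(labels) != 4:
        return None
    ip = ".".join(reversed(labels))
    try:
        ipaddress.IPv4Address(ip)
    except ValueError:
        return None
    return ip


def summarize(rows: list) -> dict:
    tcp = Counter()
    resolved, ptr_ips = set(), set()
    for r in rows:
        if r["proto"] == "tcp":
            tcp[(r["ip"], r["port"], r["domain"])] += 1
        elif (r["ip"], r["port"]) == RESOLVER and r["domain"]:
            ip = ptr_to_ip(r["domain"])
            (ptr_ips.add(ip) if ip else resolved.add(r["domain"]))
    connected_ips = {ip for ip, _, _ in tcp}
    connected_names = {d for _, _, d in tcp if d}
    return {
        "tcp_endpoints": dict(tcp),                     # (ip, port, name) -> count
        "connected_ips": sorted(connected_ips),
        "connected_names": sorted(connected_names),
        "resolved_never_connected": sorted(resolved - connected_names),
        "ptr_on_connected_ips": sorted(ptr_ips & connected_ips),
    }


if __name__ == "__main__":
    s = summarize(parse_rows(NETWORK_ROWS))
    for (ip, port, name), n in sorted(s["tcp_endpoints"].items(), key=lambda kv: -kv[1]):
        print(f"{n:2}x tcp {ip}:{port} {name or '(no name attached)'}")
    for key in ("resolved_never_connected", "ptr_on_connected_ips"):
        print(key, s[key])
```

Three things fall out of the summary. The repeated 148.178.21.107:29130 connections are the beacon to watch for in flow data; 47.242.9.172:10200 has no name attached, so domain-only blocking misses it; and im.qq.com, a legitimate Tencent domain, was only resolved and never connected to, so decide on your own telemetry whether to carry it as an indicator.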

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wzoqx22m.csi.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3156-22-0x00000286FE3B0000-0x00000286FE3D2000-memory.dmp

C:\Program Files\FacilitateLivelyTrader\maijEnyzzzNSfcTGbjNbJzJStElLTR.exe

MD5 c31c4b04558396c6fabab64dcf366534
SHA1 fa836d92edc577d6a17ded47641ba1938589b09a
SHA256 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

C:\Program Files\FacilitateLivelyTrader\nCwFdlWQriESwgzBGBmGkKSUAZWlSU

MD5 5ce7742a647a882a26bd7abcbd61e5b5
SHA1 19255ad462c274c9d308f1deedc1fa36876ded66
SHA256 3e2a3e66e710dcdc1ec4f1709fcc6d707d8eb80b1e264a37463b243b9cb0bfbe
SHA512 ee506fcfb7c340cf931743a21452353038f94a1b752b8003352b4b34bc85bae80bbf97d1adcd6d53bd7f65512352e93f86e8de1bebcab808ba0f8f903c18401c

C:\Program Files\FacilitateLivelyTrader\VublDMXMdQDxkVcGJXeKmSKZaTZMsK

MD5 962fd52d66d725f2050c39d645df3a7a
SHA1 25fdb580cbd6f272d5eff3534d0b30d6812f2612
SHA256 ca5b528d55cb88ca9579a4bb4e548b5b5b5c246a95c477ca77e01c427b400cab
SHA512 cf966c612f06ed468d4313c5b925b22b72039aeef7949c896d5ddc7f05c4818aa2d49836d40a6bf8e0de5519566124c329bcc4e0846f55ee097bf15187c19588

C:\Program Files\FacilitateLivelyTrader\2_iSeiWroKLIBt.exe

MD5 11ca5e4f6a371395d45aad01aee5a439
SHA1 5f090f754164cdad4f5416d0c5a0310da609f407
SHA256 d7f9881401ac68cdfb410ec8be47bdc698d1215144f9d51bfec5f9d085166e21
SHA512 15292f5c94e1ecb0d3534759b97d5124cf3916ba52c12b97ef8f5e58c33be3006bd5e1981f233c8d69f9a07fd470fdcc073b7653cc4438c39282120ac387128c

C:\Config.Msi\e57bf88.rbs

MD5 b811a96fb4b4465ea7d1593e6e45d830
SHA1 4e4f0222c0925380dec814ee40ee003fedc3ff16
SHA256 6b5685ba7551e7cdb3ea76cb73937dca0d272ce6dc3ecda1437d212861beb88c
SHA512 de957d304f1d19a5afb4ffbff3d78c5e205b9e7fb6a98ada96a4bb710c9fe414f2b60d2ad891bf2aaa971de4d0b3a8709be9b877f8f22973b20c25a1c5ca37e3

memory/1128-131-0x000000002A140000-0x000000002A16F000-memory.dmp

C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.exe

MD5 d305d506c0095df8af223ac7d91ca327
SHA1 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA512 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

C:\Program Files\FacilitateLivelyTrader\iSeiWroKLIBt.vbs

MD5 de8712bf13847fb630555769726116f7
SHA1 a547bc9fc77066afe37d19fb5a35edd98ec0b012
SHA256 855bbe1152822f0afdc34dfeb35fd7240284831bff48b84d9c25861b160ecb62
SHA512 ffd403eafd7c9820ad083dfdad813311a06dc88f8bb837821d2eb04fc01df914a9c455a5bb5be9d4c549525c595ae684e6eec3d8b88f6ffe17f24d76df334e0e

memory/2532-143-0x0000000000350000-0x0000000000426000-memory.dmp

C:\Program Files\FacilitateLivelyTrader\wMzzBEfykyNn.xml

MD5 572605e7f179a3b6184a0767b86c6220
SHA1 80c8c77d7e8f140a57006dd9a391f9d8643bc15b
SHA256 5a7d4da6b6c9465a80378897ad81801aa53e762c541900d80e9fb9474126b2a8
SHA512 df6474b785e0a2891ca6426262cafac0935390555b70a2659371fde1a9149ae9064296b34ea047bce711ddf03b3546f23f4760bc96a8b86b3c0b3bc74542d8a1

\??\Volume{1541411d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{06e1a32b-353b-465b-855a-2b3ceae979cd}_OnDiskSnapshotProp

MD5 aaa801214c08577194555127de5f3385
SHA1 30e66049cdf3f79e068948eb603c66bb0b81b99a
SHA256 9ec0ee07a04c4f8d6b8844bc95c34e1a53da1f4ae2c93ec10ce5c8627d22a3e6
SHA512 fab0ae32e09e5a097cab45945ee48ef3c91de0d0842074960b42330542b9bbf811e1cfb892ba5ffd239d7b4463c793a347def338dd1b96f14e74d5739d05c2bb

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 1c14a20858d44bc34a9427609e8a2555
SHA1 cefa6c1999bfca73e4cb955a29a4d3eca3d53d90
SHA256 5800a4e6b408eeab324be687449e1738372cd5ece220ff204453931c7a460653
SHA512 fbe8ab126acf60b9f12d58530f9c0090316fcb61fbb19ff44c532557a86673313b9f6818ac1e7b86f03644df1e55e082afcc51e756b95eaa4220297f2820ef7b

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\setup.exe

MD5 a550c0d09394744b4ea1da92f82884c1
SHA1 6dc4acc070467f73461a50bd37666999ff612dac
SHA256 f4fa18a1f310f124430844d276c3f0fa46f69582b67ec50aa2fa0cd2860208ed
SHA512 0ac11bbc5efe3a734176f1b990e7c473251994203595612e6ff1354b0204153e3e762d2b3ad5d936ca294341d022639f1120633f54bf200ae15bed8c5edbb233

C:\Users\Admin\AppData\Local\Temp\nswEFDF.tmp\System.dll

MD5 b361682fa5e6a1906e754cfa08aa8d90
SHA1 c6701aee0c866565de1b7c1f81fd88da56b395d3
SHA256 b711c4f17690421c9dc8ddb9ed5a9ddc539b3a28f11e19c851e25dcfc7701c04
SHA512 2778f91c9bcf83277d26c71118a1ccb0fb3ce50e89729f14f4915bc65dd48503a77b1e5118ce774dea72f5ce3cc8681eb9ca3c55cf90e9f61a177101ba192ae9

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\distribution\setup.ini

MD5 f4a91ae38239ad45b535a0abe3a5a8d8
SHA1 81c2d123964a2d344e20d363722bd89fdea89a96
SHA256 63a573475810f03ab2c6eb8af2a767ed13ed0ff2b6ea66cb72f43b6f3fbe7567
SHA512 75e9cc2c826c6965c00dceb8c6e4e9b12636efc2c9a9814e29143885ebdb805180f1188907257fb8013a53091708d4f260c241d284a6182a865668c6b05e3d7e

C:\Users\Admin\AppData\Local\Temp\nswEFDF.tmp\UAC.dll

MD5 d23b256e9c12fe37d984bae5017c5f8c
SHA1 fd698b58a563816b2260bbc50d7f864b33523121
SHA256 ec6a56d981892bf251df1439bea425a5f6c7e1c7312d44bedd5e2957f270338c
SHA512 13f284821324ffaeadafd3651f64d896186f47cf9a68735642cf37b37de777dba197067fbccd3a7411b5dc7976e510439253bd24c9be1d36c0a59d924c17ae8e

C:\Users\Admin\AppData\Local\Temp\nswEFDF.tmp\components.ini

MD5 c9b5d86a9a0f014293b24a0922837564
SHA1 3cc73b4a30a1a0bfdc6812bbd17994f53eb5db2a
SHA256 775c85f3552754ad3794b88c0cb6d6fc43d412cd9a87a4b9e847386a5bd0a9c4
SHA512 790f365afbe4c5a37dbb56443d38f0c439eadca002e4001d373d6db8c1d80c4adacf3749e9d210cd0316381682fbbc46616a3fa36581c7ea6f5ce69119944b62

C:\Users\Admin\AppData\Local\Temp\nswEFDF.tmp\options.ini

MD5 6c40dfcecaf73b5b7989199a26546bac
SHA1 8d8aa70248bbb68765d57576f874b48be0ffd45f
SHA256 d85e7b11129ebbbf6e688be0b876d3be3f95572065d9c02373e94cb1e403c189
SHA512 5c14d7faa1af83bbe343010a160962184a01ff7737084f941c0140af3afe3a254922309d4e21b92a6c6e619e4f2466b5b4ab72db4f4edf2d2ed0e10a386398fa

C:\Users\Admin\AppData\Local\Temp\nswEFDF.tmp\components.ini

MD5 851954d52a30834dff4e94328e8a4bb4
SHA1 92602f766daef3cbbf1409b8d266b7241ad19504
SHA256 055cbebc3404ded41fc2fe3d467fa51c05bb615c92dc0e61d794046e53929ece
SHA512 a9fd91dc4e0c595538a205d415f7daef2c189757929c62c575ca02d44531f9cf603b29b705a47574142a2d7f48e8ed088401b62ae36c1b104520d01c638abd1f

C:\Users\Admin\AppData\Local\Temp\nswEFDF.tmp\extensions.ini

MD5 b1d0ab0984b9877b1266a385eb60e889
SHA1 a4d4aaca88dc430f10a48fd06d42a07dc91e245b
SHA256 8ec2945ebfafba668663f7964c3b5818462822664c5f56cf4c1ad849bc959f5a
SHA512 963d56bbc97518a88588b9833f9efdcc9b3109c2bfa704f94d79cbc0cc8f021feac646214e7575d9185588481a35a587a421d582c50c49fc7cf2b754e0a1232b

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\AccessibleMarshal.dll

MD5 9fe0822dce87aee092123ff90ec5b10b
SHA1 31da40f39973dd9e377981222093248e650f54f7
SHA256 a1d5f9df942886f0ed615f36639bcaad3bfa04ab10e29c52ff1a006394278a37
SHA512 56c46c174337384c14c7ea7763324cb646d1af2ceb79f415159651eb8f3886fe341687bfa4f89f0e32267c9a6bc31fec9e4b817b3e129defdffff0d39cd24835

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\mozavcodec.dll

MD5 96ce53fce3b2e04345dd7f5804ee6593
SHA1 3e02462a022e046641e1044b329f3e0c7510c0d2
SHA256 1b28b8de5241eac35294d24b24c460928678b629e966a2c1fd330f5bf24405f8
SHA512 17ef133d8b49203c1b6d374f5b0d0b923b497e96f7ff2eaf092fbc460c7451b9edaf9822a539972c047f6d691a7580751bf0a73e57abebd8bce32f39a883af3f

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\minidump-analyzer.exe

MD5 f9fec031ae0cafc881b51a22718cc0cb
SHA1 a757cf97a9cfc7f1657af278648a9c48c6570ac1
SHA256 ff664677e75e7cf47ac948b8540a2e85c49a588784015083d949fdd48682f17f
SHA512 f506a105255d537241f49a99a3849e51a53feabf0b28dad4934121b069db3817b85e094445f723052f1d0f045a34ace7f4a67cc3506ef9482e60b43a26f4cdda

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\maintenanceservice_installer.exe

MD5 e31766a23452c2bbcda4dd4937291ee7
SHA1 a94ab3877969f498a0799c0f8a13a773684d6ec4
SHA256 4d2b97e27f63c5c18f50e4c0f4f2139bec608ae0817b075bc72c139f7e9bdb12
SHA512 673039292e7b3c48eea89d608370b2fa8a9ae0402b69c60c5c2de4f638f6b2bf0d10b8d865b9b77e768f287fa3232e3137b270cbd24a97918bc3b8ed88524186

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\maintenanceservice.exe

MD5 7b8fa8330a512ed135ef890827172752
SHA1 2ec1bf53c23ec09999b3e104c4b708764c68dc43
SHA256 43d545c099b5c484de18bce7974ca13f7a425bc2219673aed5bf7eb7f0a0923a
SHA512 a72ef03856bf6ca108e93360d5764c5fb172f917c9a6bb227e6d15fe57a23419c741a8314347b2ef60edb38561b3e22c57199c26fc53e691009e05053e93d833

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\locale.ini

MD5 da1806830e4bf755e4d56396824ae588
SHA1 ab84caeeb37b44a22bc6f84e8a00efbe10e3e932
SHA256 77623c899841afb52c717540d9a9ebf5af1171648549fefc52f91d1a4655a8b1
SHA512 58a4e6f6721b3105cc49e602541ea15b42ed59998d7c51ee1b6be865842f2384c2ead4b2405ff1129add39781c06d8aa4c57d12eb3d9ef35b3651a5827a47c79

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\libGLESv2.dll

MD5 929e9af2648d82b3ae4162b4000cd275
SHA1 92dab75d5807b897ea5930c16ca3a068a35db883
SHA256 1ea51907bc01e31404856b42d7f1b65b7bb772e53f593b9b5968926e111b1d7b
SHA512 dd56efc752e5ddb52b96d75cb7c9bd8d9d0707d5793a2d0ac6015b20f35be05418fcd475a35672d999fb1c34120317a0439a55b614a34a3a6b541a22c67e97a2

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\libEGL.dll

MD5 8483f291be080b0354ae5051b24fdc2d
SHA1 5431a93fa20c0c2f9d19fa9bce0308cbbaaad22a
SHA256 98547c765f5dfaf65d201ae06d11052883e699419b39ecaa9934e2847e778b61
SHA512 05b7462f60cd2a5e3c79efa290d1dec38db38945a7718a57b6afe62bbb5286ab67af3bd0730d71c0c6e39ad6dd175501db91f4b893f481a4b868ad48c5763d6d

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\lgpllibs.dll

MD5 6225bbd385ef9c916af4a3a0f1a58505
SHA1 1ad305ae577e5af4ba536b68379d0d7b4f56066f
SHA256 3688374995cd81982e1faf3f63cce7b1ad9abd7d1df7cfbd27b23842b98cb786
SHA512 48cc085d65db54535a195950a9696951530487529d48b0d44678792c36ee8e2f4f3d6ff283702ed0a1dfbc92f67e081d151d0a9c781d1553a5654119a9c610d2

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\ipcclientcerts.dll

MD5 a5c533ebd26dcefe5d30b96b7dd8bef2
SHA1 1d1f942fae5bf68026ff64ba1886fb8a5d4ecdb4
SHA256 ebe3b1148bd2ed81a75f46f4e3fc1e58690d4582121ea62f8842962e433d8c46
SHA512 4a0a95eadf73fe02cba8de88f8677763b633c3141b1a74e667f51b2f245288e186f9d2066c35b6cf2d16ee5b0e64a4483a29d9f699c12977bed60fab45c300f3

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\freebl3.dll

MD5 2306f56a09b071fbe7baf41bca7eb930
SHA1 edcf0421289b19670afadd333176b88d28ee579a
SHA256 10ea2e4acc20a132659ef4267cb747d431960a44d64e7b79c3d96e967d292882
SHA512 93fa8e478490f56e5385cd3098e21570cf0ee61ab5b7e264a8f22f8f1fd0b44e3ecfa1651be482d894bdfc81a5af43e3340e55533b6be942a94f2d57af3b19ae

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\firefox.VisualElementsManifest.xml

MD5 0aa43576f0420593451b10ab3b7582ec
SHA1 b5f535932053591c7678faa1cd7cc3a7de680d0d
SHA256 3b25ae142729ed15f3a10ebce2621bfa07fda5e4d76850763987a064122f7ae6
SHA512 6efb63c66f60e039cf99bfaf2e107c3c5ed4b6f319f3d5e4ef9316c1f26298b90d33c60b48b03699059d28b835fbc589417ac955fc45a2bc4c116a5200dfdc32

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\firefox.exe.sig

MD5 4486b67e85cdc4f360f026104a03b280
SHA1 967cc510e4870aa171d54f12246368e3749f0b7b
SHA256 623de9298c1915e8f65086366b57cc990dcee4834befb72d42124de4c2e0e968
SHA512 b15b4dd109ffca372f78ac793b0681c534e686218408c049f033fc0c66849b0de910cefe8279576819d1e5a3917f7dac77f27a0a0b414cdcebc8a89b645e3ed8

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\firefox.exe

MD5 d1cc73370b9ef7d74e6d9fd9248cd687
SHA1 ac1faa1891aac31e41eb9a50a406a594eac6b122
SHA256 15d0da786c4688286c18bf000a8da077fcb465fbd629453d34d5fef8a768b268
SHA512 e2e54f2ebd9ed523872d14302ecbfe25a4cd31a9fd4437c91e830ca3758440197a3a2216bf97a590966aa836435eaa907069a2928cd31561dbc1839867574433

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\dependentlibs.list

MD5 35da5601932b6ade92ec29951942ec1f
SHA1 4d0b52b709c3e25b50dd53dfab9337ef8958d1ca
SHA256 3da3fa240910cc0aed83b17a81c87251a6bc6cf5db5be9e71a3e01d7b7d88f86
SHA512 0bd4ae8932d6f2d7bb1655b13f66fc24a858a17993be9354921406e63372242661a3bb52010445173fb856d4e5f98fcfbd44a155fe0760feca8cc65bebd777c0

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\defaultagent_localized.ini

MD5 6b8366e99f4f5afa096ed09e6302b1cb
SHA1 87b8812add3be344e66eb46d3dac82d00ac1c0f8
SHA256 128cf21bd719e6cf0e7ea28cef0abbbdb435486ce2fe4439cf4d886468bb2efb
SHA512 177c5394ca4fda89760d838868d5c0bfae7b66a61fbe652ffd766ff84a637427e533bb280e562003400b4710c66dc6be10f3e8a31ee4e1eb37ff87032a2c12d5

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\defaultagent.ini

MD5 88d7d32ad20bf89bb7785bd07c638e17
SHA1 2bd40f0b69c2edc64ab6b7e6dd2e7ca6a6fea6f6
SHA256 5cf0660a8f2624433c8c1022f93ff3c94c5611ccbc93118ee053566590eb53f4
SHA512 7bb3328ce42e7bb546a2192ade1e8e153408912f3582c27dc0c5cbe1c2d807365aaf4206c3ceab6cb3d6c34d3155125cb7509dbf800ecf70ab35f8a64f764010

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\default-browser-agent.exe

MD5 1062fbdb576a65bb2403425bd7a27dc4
SHA1 4c001ea71e6b40ce09febd514995c59c048e12ae
SHA256 413378414740d5f436754c1bb31e62cf8ef49e8cefe763c54698a68cde60d37f
SHA512 6351a09411e4e3bb74356a7586e4f674b955b87c3fea16be9d4b281ca7559ea192d789e1b599e9a428dc8ec52d5f81e28e7125d5bf924965921238160b792032

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\d3dcompiler_47.dll

MD5 9b1148a147fc307a501e8c540048991c
SHA1 7bbdf247051937141121ae6132b0d4f2458ae7b1
SHA256 21df5696011156fe64f2dff47c8ed5e90817021f91f70b6d9707fd58cd1b0b81
SHA512 e06185401efcf84d2be23c0afefd241eef89414f68133c99cbc67d55d865ca9aec24f94b735afcbb5975fa2f2e56118a8a980f1473ebd248b265dee477111ee5

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\crashreporter.ini

MD5 2729d0ef7b3e813c05869c6ca93c1dc3
SHA1 437ad9e279fae1baf6b51949e1a3dff67689e6ea
SHA256 eef52444c7e11e5f7f2215b21492f9bbf66657f2dc65bbbb0fbd1ed6c192075d
SHA512 79095934f45e78ebc15baa30c7c47a0a2bac15a469ddb9b3071ff0ec8a8e4eee74c66cea2c2fc59b20e19dff64de5304cda6ae81d8e455647d6cc125d9d5b3d0

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\crashreporter.exe

MD5 cca022ca68cc85efae5ea079d2d1abce
SHA1 e424e0f364cc06ce83585e4c9e805d83cceca7f5
SHA256 b8bcab3368634fccef68e00ae45112be394f27d7fd118e13dbbf2d97522ce6cb
SHA512 6d4f11dda573fd4eecfa9cc867a556ec21792238209d1b1f2f9d6c7a0c7a9afe8366b8936580ba4a7a4a28b2ad029071070e0cee562e801be6dcdb2c79ab35f8

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\application.ini

MD5 06bba781a9f340a9dac0dc2423dc1ca3
SHA1 034a50847b1a1cc9ceb907bbf8280db286c32a1b
SHA256 2b112c14cdd7808611307ea0f10b78ac50fcb7671b0f698827ed4749450fa91e
SHA512 424df2d8cd07e874d9d17a80bad84e34283f176a151d66aa810f1dfe402cd7ca45260feb10fcbfec2297568e10fa4e505f9e19b25669f595fe61eb252fe328e1

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\api-ms-win-crt-utility-l1-1-0.dll

MD5 dbc27d384679916ba76316fb5e972ea6
SHA1 fb9f021f2220c852f6ff4ea94e8577368f0616a4
SHA256 dd14133adf5c534539298422f6c4b52739f80aca8c5a85ca8c966dea9964ceb1
SHA512 cc0d8c56749ccb9d007b6d3f5c4a8f1d4e368bb81446ebcd7cc7b40399bbd56d0acaba588ca172ecb7472a8cbddbd4c366ffa38094a832f6d7e343b813ba565e

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\api-ms-win-crt-time-l1-1-0.dll

MD5 1d48a3189a55b632798f0e859628b0fb
SHA1 61569a8e4f37adc353986d83efc90dc043cdc673
SHA256 b56bc94e8539603dd2f0fea2f25efd17966315067442507db4bffafcbc2955b0
SHA512 47f329102b703bfbb1ebaeb5203d1c8404a0c912019193c93d150a95bb0c5ba8dc101ac56d3283285f9f91239fc64a66a5357afe428a919b0be7194bada1f64f

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\api-ms-win-crt-string-l1-1-0.dll

MD5 9b79965f06fd756a5efde11e8d373108
SHA1 3b9de8bf6b912f19f7742ad34a875cbe2b5ffa50
SHA256 1a916c0db285deb02c0b9df4d08dad5ea95700a6a812ea067bd637a91101a9f6
SHA512 7d4155c00d65c3554e90575178a80d20dc7c80d543c4b5c4c3f508f0811482515638fe513e291b82f958b4d7a63c9876be4e368557b07ff062961197ed4286fb

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\api-ms-win-crt-stdio-l1-1-0.dll

MD5 55b2eb7f17f82b2096e94bca9d2db901
SHA1 44d85f1b1134ee7a609165e9c142188c0f0b17e0
SHA256 f9d3f380023a4c45e74170fe69b32bca506ee1e1fbe670d965d5b50c616da0cb
SHA512 0cf0770f5965a83f546253decfa967d8f85c340b5f6ea220d3caa14245f3cdb37c53bf8d3da6c35297b22a3fa88e7621202634f6b3649d7d9c166a221d3456a5

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\api-ms-win-crt-runtime-l1-1-0.dll

MD5 f1a23c251fcbb7041496352ec9bcffbe
SHA1 be4a00642ec82465bc7b3d0cc07d4e8df72094e8
SHA256 d899c2f061952b3b97ab9cdbca2450290b0f005909ddd243ed0f4c511d32c198
SHA512 31f8c5cd3b6e153073e2e2edf0ca8072d0f787784f1611a57219349c1d57d6798a3adbd6942b0f16cef781634dd8691a5ec0b506df21b24cb70aee5523a03fd9

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\api-ms-win-crt-process-l1-1-0.dll

MD5 074b81a625fb68159431bb556d28fab5
SHA1 20f8ead66d548cfa861bc366bb1250ced165be24
SHA256 3af38920e767bd9ebc08f88eaf2d08c748a267c7ec60eab41c49b3f282a4cf65
SHA512 36388c3effa0d94cf626decaa1da427801cc5607a2106abdadf92252c6f6fd2ce5bf0802f5d0a4245a1ffdb4481464c99d60510cf95e83ebaf17bd3d6acbc3dc

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\api-ms-win-crt-private-l1-1-0.dll

MD5 d76e7aaecb3d1ca9948c31bdae52eb9d
SHA1 142a2bb0084faa2a25d0028846921545f09d9ae9
SHA256 785c49fd9f99c6eb636d78887aa186233e9304921dd835dee8f72e2609ff65c4
SHA512 52da403286659cf201c72fa0ab3c506ade86c7e2fef679f35876a5cec4aee97afbc5bb13a259c51efb8706f6ae7f5a6a3800176b89f424b6a4e9f3d5b8289620

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\api-ms-win-crt-multibyte-l1-1-0.dll

MD5 b5c8af5badcdefd8812af4f63364fe2b
SHA1 750678935010a83e2d83769445f0d249e4568a8d
SHA256 7101b3dff525ea47b7a40dd96544c944ae400447df7a6acd07363b6d7968b889
SHA512 a2a8d08d658f5ed368f9fb556bfb13b897f31e9540bfdfff6567826614d6c5f0d64bd08fec66c63e74d852ab6b083294e187507e83f2bc284dfb7ca5c86ae047

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\api-ms-win-crt-math-l1-1-0.dll

MD5 a6a3d6d11d623e16866f38185853facd
SHA1 fbeadd1e9016908ecce5753de1d435d6fcf3d0b5
SHA256 a768339f0b03674735404248a039ec8591fcba6ff61a3c6812414537badd23b0
SHA512 abbf32ceb35e5ec6c1562f9f3b2652b96b7dbd97bfc08d918f987c0ec0503e8390dd697476b2a2389f0172cd8cf16029fd2ec5f32a9ba3688bf2ebeefb081b2c

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\api-ms-win-crt-locale-l1-1-0.dll

MD5 dd8176e132eedea3322443046ac35ca2
SHA1 d13587c7cc52b2c6fbcaa548c8ed2c771a260769
SHA256 2eb96422375f1a7b687115b132a4005d2e7d3d5dc091fb0eb22a6471e712848e
SHA512 77cb8c44c8cc8dd29997fba4424407579ac91176482db3cf7bc37e1f9f6aa4c4f5ba14862d2f3a9c05d1fdd7ca5a043b5f566bd0e9a9e1ed837da9c11803b253

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\api-ms-win-crt-heap-l1-1-0.dll

MD5 8906279245f7385b189a6b0b67df2d7c
SHA1 fcf03d9043a2daafe8e28dee0b130513677227e4
SHA256 f5183b8d7462c01031992267fe85680ab9c5b279bedc0b25ab219f7c2184766f
SHA512 67cac89ae58cc715976107f3bdf279b1e78945afd07e6f657e076d78e92ee1a98e3e7b8feae295af5ce35e00c804f3f53a890895badb1eed32377d85c21672b9

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 972544ade7e32bfdeb28b39bc734cdee
SHA1 87816f4afabbdec0ec2cfeb417748398505c5aa9
SHA256 7102f8d9d0f3f689129d7fe071b234077fba4dd3687071d1e2aeaa137b123f86
SHA512 5e1131b405e0c7a255b1c51073aff99e2d5c0d28fd3e55cabc04d463758a575a954008ea1ba5b4e2b345b49af448b93ad21dfc4a01573b3cb6e7256d9ecceef1

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\api-ms-win-crt-environment-l1-1-0.dll

MD5 7a859e91fdcf78a584ac93aa85371bc9
SHA1 1fa9d9cad7cc26808e697373c1f5f32aaf59d6b7
SHA256 b7ee468f5b6c650dada7db3ad9e115a0e97135b3df095c3220dfd22ba277b607
SHA512 a368f21eca765afca86e03d59cf953500770f4a5bff8b86b2ac53f1b5174c627e061ce9a1f781dc56506774e0d0b09725e9698d4dc2d3a59e93da7ef3d900887

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\api-ms-win-crt-convert-l1-1-0.dll

MD5 4ec4790281017e616af632da1dc624e1
SHA1 342b15c5d3e34ab4ac0b9904b95d0d5b074447b7
SHA256 5cf5bbb861608131b5f560cbf34a3292c80886b7c75357acc779e0bf98e16639
SHA512 80c4e20d37eff29c7577b2d0ed67539a9c2c228edb48ab05d72648a6ed38f5ff537715c130342beb0e3ef16eb11179b9b484303354a026bda3a86d5414d24e69

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\api-ms-win-crt-conio-l1-1-0.dll

MD5 fa770bcd70208a479bde8086d02c22da
SHA1 28ee5f3ce3732a55ca60aee781212f117c6f3b26
SHA256 e677497c1baefffb33a17d22a99b76b7fa7ae7a0c84e12fda27d9be5c3d104cf
SHA512 f8d81e350cebdba5afb579a072bad7986691e9f3d4c9febca8756b807301782ee6eb5ba16b045cfa29b6e4f4696e0554c718d36d4e64431f46d1e4b1f42dc2b8

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\api-ms-win-core-timezone-l1-1-0.dll

MD5 91a2ae3c4eb79cf748e15a58108409ad
SHA1 d402b9df99723ea26a141bfc640d78eaf0b0111b
SHA256 b0eda99eabd32fefecc478fd9fe7439a3f646a864fdab4ec3c1f18574b5f8b34
SHA512 8527af610c1e2101b6f336a142b1a85ac9c19bb3af4ad4a245cfb6fd602dc185da0f7803358067099475102f3a8f10a834dc75b56d3e6ded2ed833c00ad217ed

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\api-ms-win-core-synch-l1-2-0.dll

MD5 e86cfc5e1147c25972a5eefed7be989f
SHA1 0075091c0b1f2809393c5b8b5921586bdd389b29
SHA256 72c639d1afda32a65143bcbe016fe5d8b46d17924f5f5190eb04efe954c1199a
SHA512 ea58a8d5aa587b7f5bde74b4d394921902412617100ed161a7e0bef6b3c91c5dae657065ea7805a152dd76992997017e070f5415ef120812b0d61a401aa8c110

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\api-ms-win-core-processthreads-l1-1-1.dll

MD5 7e8b61d27a9d04e28d4dae0bfa0902ed
SHA1 861a7b31022915f26fb49c79ac357c65782c9f4b
SHA256 1ef06c600c451e66e744b2ca356b7f4b7b88ba2f52ec7795858d21525848ac8c
SHA512 1c5b35026937b45beb76cb8d79334a306342c57a8e36cc15d633458582fc8f7d9ab70ace7a92144288c6c017f33ecfc20477a04432619b40a21c9cda8d249f6d

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\api-ms-win-core-localization-l1-2-0.dll

MD5 1ed0b196ab58edb58fcf84e1739c63ce
SHA1 ac7d6c77629bdee1df7e380cc9559e09d51d75b7
SHA256 8664222823e122fca724620fd8b72187fc5336c737d891d3cef85f4f533b8de2
SHA512 e1fa7f14f39c97aaa3104f3e13098626b5f7cfd665ba52dcb2312a329639aaf5083a9177e4686d11c4213e28acc40e2c027988074b6cc13c5016d5c5e9ef897b

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\api-ms-win-core-file-l2-1-0.dll

MD5 721b60b85094851c06d572f0bd5d88cd
SHA1 4d0ee4d717aeb9c35da8621a545d3e2b9f19b4e7
SHA256 dac867476caa42ff8df8f5dfe869ffd56a18dadee17d47889afb69ed6519afbf
SHA512 430a91fcecde4c8cc4ac7eb9b4c6619243ab244ee88c34c9e93ca918e54bd42b08aca8ea4475d4c0f5fa95241e4aacb3206cbae863e92d15528c8e7c9f45601b

C:\Users\Admin\AppData\Local\Temp\7zSCC506AD7\core\api-ms-win-core-file-l1-2-0.dll

MD5 5a72a803df2b425d5aaff21f0f064011
SHA1 4b31963d981c07a7ab2a0d1a706067c539c55ec5
SHA256 629e52ba4e2dca91b10ef7729a1722888e01284eed7dda6030d0a1ec46c94086
SHA512 bf44997c405c2ba80100eb0f2ff7304938fc69e4d7ae3eac52b3c236c3188e80c9f18bda226b5f4fde0112320e74c198ad985f9ffd7cea99aca22980c39c7f69

C:\Users\Admin\AppData\Local\Temp\nswEFDF.tmp\InstallOptions.dll

MD5 fd249bc508706f04a18e0bc0afddec82
SHA1 b94efda9f41c89fc6120ed385867125d03f28bea
SHA256 c34f095e200db420ce9af5489c3e392be285e43c3f4c9fbe34686b1f0a1531ad
SHA512 c820c06ad5ae21101602d9e7864fed9b470b25fa9a0ee025d05e72697d88c7e03cbee7ad476f4e3d5b6e467248b8ad1fefa2710c76011e2156b85068961404ba

C:\Users\Admin\AppData\Local\Temp\nswEFDF.tmp\ioSpecial.ini

MD5 44390c7ca94508fb0ea0cfb5e0ceb7c3
SHA1 5dafbf57e40d391bda292207c65cc5717e495a94
SHA256 4b06c47aad1fd799a80499415c47b6c2d374a785f50aade787007b6d7a451656
SHA512 04c16e06b561c906d37b67cfe16f144e70ac799e9efd585801e7f7bf6d734b52eafc778b79b98ed43a454a2dfc5f5f478beef58f4f0a4084b11b9e5bb8c0339c

C:\Users\Admin\AppData\Local\Temp\nswEFDF.tmp\modern-wizard.bmp

MD5 49ff8ad8f51875597f3e919e8770c24c
SHA1 1e840ce0f68281e312317bcbdbc10fdfcd3959c3
SHA256 76da716588b8e51e36ee7a674cd873a8069e27fef73851d1e190face5a67fc66
SHA512 dcf29bbef46b1bd8d9f6c6221955ab06da23bc6661c603c188ce34fed80984a3b6d2006ab38b49aa9d1908d714cc0f40e63b6230244e4d4a0c9baebbbda1ddb1

memory/2212-563-0x000000002A2D0000-0x000000002A31D000-memory.dmp

memory/2212-564-0x000000002BED0000-0x000000002C08D000-memory.dmp

memory/2212-566-0x000000002BED0000-0x000000002C08D000-memory.dmp

memory/2212-567-0x000000002BED0000-0x000000002C08D000-memory.dmp

memory/2212-568-0x000000002BED0000-0x000000002C08D000-memory.dmp