Analysis
-
max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-11-2024 13:20
-
Static task: static1
Behavioral task: behavioral1
Sample: luoma2.msi
Resource: win7-20240903-en
Behavioral task: behavioral2
Sample: luoma2.msi
Resource: win10v2004-20241007-en
General
-
Target: luoma2.msi
Size: 2.0MB
MD5: 44933b8bcf9994f8d5088dbfd75bd781
SHA1: 4daeed4b62ec79ce1416ad7f62107db4525aeedc
SHA256: 2f77174a331482149dbb2a31cc57aebac7b7466ddbb309e40003c45bfad2e9da
SHA512: e4c7297b7054960652090d5efabf9407a359ee547bea64ba9d6ddef325278c9f930be004ea1eccb11bf3aa10f3a4a61c1abf629f4a07c668864eb1acedec2aec
SSDEEP: 49152:JxB+M1DwJ9AQNvKbJ917NIe87J3ZbBjqrDvytoqjaxP:J7+EUJeQNvKb/75oZU/vyjad
Malware Config
Signatures
-
resource | yara_rule
behavioral2/memory/732-103-0x000000002BD00000-0x000000002BEBB000-memory.dmp | purplefox_rootkit
behavioral2/memory/732-106-0x000000002BD00000-0x000000002BEBB000-memory.dmp | purplefox_rootkit
-
Gh0st RAT payload 2 IoCs
resource | yara_rule
behavioral2/memory/732-103-0x000000002BD00000-0x000000002BEBB000-memory.dmp | family_gh0strat
behavioral2/memory/732-106-0x000000002BD00000-0x000000002BEBB000-memory.dmp | family_gh0strat
-
Gh0strat family
-
Purplefox family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
2216 | powershell.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\G: | BiEzaHFZmGAK.exe
File opened (read-only) | \??\Z: | BiEzaHFZmGAK.exe
File opened (read-only) | \??\E: | BiEzaHFZmGAK.exe
File opened (read-only) | \??\U: | BiEzaHFZmGAK.exe
File opened (read-only) | \??\X: | BiEzaHFZmGAK.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\H: | BiEzaHFZmGAK.exe
File opened (read-only) | \??\M: | BiEzaHFZmGAK.exe
File opened (read-only) | \??\I: | BiEzaHFZmGAK.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\O: | BiEzaHFZmGAK.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\B: | BiEzaHFZmGAK.exe
File opened (read-only) | \??\P: | BiEzaHFZmGAK.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\T: | BiEzaHFZmGAK.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\L: | BiEzaHFZmGAK.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\J: | BiEzaHFZmGAK.exe
File opened (read-only) | \??\W: | BiEzaHFZmGAK.exe
File opened (read-only) | \??\Y: | BiEzaHFZmGAK.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\R: | BiEzaHFZmGAK.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\K: | BiEzaHFZmGAK.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Q: | BiEzaHFZmGAK.exe
File opened (read-only) | \??\V: | BiEzaHFZmGAK.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\N: | BiEzaHFZmGAK.exe
File opened (read-only) | \??\M: | msiexec.exe
-
Drops file in System32 directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QQKDRgdHxLyo.exe.log | QQKDRgdHxLyo.exe
-
Drops file in Program Files directory 21 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\PrepareUpliftingProducer | BiEzaHFZmGAK.exe
File opened for modification | C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
File created | C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.xml | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
File created | C:\Program Files\PrepareUpliftingProducer\2_BiEzaHFZmGAK.exe | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
File opened for modification | C:\Program Files\PrepareUpliftingProducer\2_BiEzaHFZmGAK.exe | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
File created | C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.exe | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
File created | C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.vbs | BiEzaHFZmGAK.exe
File created | C:\Program Files\PrepareUpliftingProducer\valibclang2d.dll | msiexec.exe
File opened for modification | C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe | MsiExec.exe
File opened for modification | C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.wrapper.log | QQKDRgdHxLyo.exe
File created | C:\Program Files\PrepareUpliftingProducer\igc964.dll | msiexec.exe
File created | C:\Program Files\PrepareUpliftingProducer\ICmLTllVpvaKCYPUzvtlZfGsINoXSg | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
File opened for modification | C:\Program Files\PrepareUpliftingProducer\ICmLTllVpvaKCYPUzvtlZfGsINoXSg | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
File created | C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
File opened for modification | C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.xml | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
File created | C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe | MsiExec.exe
File opened for modification | C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.wrapper.log | QQKDRgdHxLyo.exe
File created | C:\Program Files\PrepareUpliftingProducer\oUAjvJMuhtZcwuATiyrgMIdqUMwcPS | msiexec.exe
File created | C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe | msiexec.exe
File opened for modification | C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.exe | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
File opened for modification | C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.wrapper.log | QQKDRgdHxLyo.exe
-
Drops file in Windows directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSI9470.tmp | msiexec.exe
File created | C:\Windows\Installer\e5793c6.msi | msiexec.exe
File created | C:\Windows\Installer\e5793c4.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e5793c4.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{133ABF1E-4251-4602-B018-8E7A949FE705} | msiexec.exe
-
Executes dropped EXE 8 IoCs
pid | Process
1860 | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
3408 | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
4716 | BiEzaHFZmGAK.exe
4988 | QQKDRgdHxLyo.exe
4516 | QQKDRgdHxLyo.exe
3456 | QQKDRgdHxLyo.exe
3304 | BiEzaHFZmGAK.exe
732 | BiEzaHFZmGAK.exe
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
1104 | msiexec.exe
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BiEzaHFZmGAK.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BiEzaHFZmGAK.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BiEzaHFZmGAK.exe
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
4548 | cmd.exe
3276 | PING.EXE
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | BiEzaHFZmGAK.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | BiEzaHFZmGAK.exe
-
Modifies data under HKEY_USERS 56 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | WScript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | WScript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | WScript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host | WScript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | WScript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
-
Modifies registry class 22 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9DCD9B5D536DF1248A8093D390D4367B | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\SourceList\PackageName = "luoma2.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\SourceList\Net | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E1FBA331152420640B81E8A749F97E50\ProductFeature | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\SourceList\Media\1 = ";" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E1FBA331152420640B81E8A749F97E50 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\Version = "151322630" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\DeploymentFlags = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\ProductName = "PrepareUpliftingProducer" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\PackageCode = "C0AED81ADD9AA43409DE1BF6F7A6C17A" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9DCD9B5D536DF1248A8093D390D4367B\E1FBA331152420640B81E8A749F97E50 | msiexec.exe
-
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
3276 | PING.EXE
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3392 | msiexec.exe
3392 | msiexec.exe
2216 | powershell.exe
2216 | powershell.exe
2216 | powershell.exe
4716 | BiEzaHFZmGAK.exe (the remaining 59 entries in the list are all this pid/process pair)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 1104 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1104 | msiexec.exe
Token: SeSecurityPrivilege | 3392 | msiexec.exe
Token: SeCreateTokenPrivilege | 1104 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 1104 | msiexec.exe
Token: SeLockMemoryPrivilege | 1104 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 1104 | msiexec.exe
Token: SeMachineAccountPrivilege | 1104 | msiexec.exe
Token: SeTcbPrivilege | 1104 | msiexec.exe
Token: SeSecurityPrivilege | 1104 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1104 | msiexec.exe
Token: SeLoadDriverPrivilege | 1104 | msiexec.exe
Token: SeSystemProfilePrivilege | 1104 | msiexec.exe
Token: SeSystemtimePrivilege | 1104 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 1104 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 1104 | msiexec.exe
Token: SeCreatePagefilePrivilege | 1104 | msiexec.exe
Token: SeCreatePermanentPrivilege | 1104 | msiexec.exe
Token: SeBackupPrivilege | 1104 | msiexec.exe
Token: SeRestorePrivilege | 1104 | msiexec.exe
Token: SeShutdownPrivilege | 1104 | msiexec.exe
Token: SeDebugPrivilege | 1104 | msiexec.exe
Token: SeAuditPrivilege | 1104 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 1104 | msiexec.exe
Token: SeChangeNotifyPrivilege | 1104 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 1104 | msiexec.exe
Token: SeUndockPrivilege | 1104 | msiexec.exe
Token: SeSyncAgentPrivilege | 1104 | msiexec.exe
Token: SeEnableDelegationPrivilege | 1104 | msiexec.exe
Token: SeManageVolumePrivilege | 1104 | msiexec.exe
Token: SeImpersonatePrivilege | 1104 | msiexec.exe
Token: SeCreateGlobalPrivilege | 1104 | msiexec.exe
Token: SeBackupPrivilege | 1632 | vssvc.exe
Token: SeRestorePrivilege | 1632 | vssvc.exe
Token: SeAuditPrivilege | 1632 | vssvc.exe
Token: SeBackupPrivilege | 3392 | msiexec.exe
Token: SeRestorePrivilege | 3392 | msiexec.exe
Token: SeRestorePrivilege | 3392 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3392 | msiexec.exe
Token: SeRestorePrivilege | 3392 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3392 | msiexec.exe
Token: SeDebugPrivilege | 2216 | powershell.exe
Token: SeBackupPrivilege | 2236 | srtasks.exe
Token: SeRestorePrivilege | 2236 | srtasks.exe
Token: SeSecurityPrivilege | 2236 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 2236 | srtasks.exe
Token: SeBackupPrivilege | 2236 | srtasks.exe
Token: SeRestorePrivilege | 2236 | srtasks.exe
Token: SeSecurityPrivilege | 2236 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 2236 | srtasks.exe
Token: SeRestorePrivilege | 1860 | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
Token: 35 | 1860 | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
Token: SeSecurityPrivilege | 1860 | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
Token: SeSecurityPrivilege | 1860 | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
Token: SeRestorePrivilege | 3408 | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
Token: 35 | 3408 | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
Token: SeSecurityPrivilege | 3408 | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
Token: SeSecurityPrivilege | 3408 | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
Token: SeRestorePrivilege | 3392 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3392 | msiexec.exe
Token: SeRestorePrivilege | 3392 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3392 | msiexec.exe
Token: SeRestorePrivilege | 3392 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3392 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1104 | msiexec.exe
1104 | msiexec.exe
-
Suspicious use of WriteProcessMemory 25 IoCs
description | pid | Process | procid_target
PID 3392 wrote to memory of 2236 | 3392 | msiexec.exe | 92
PID 3392 wrote to memory of 2236 | 3392 | msiexec.exe | 92
PID 3392 wrote to memory of 2808 | 3392 | msiexec.exe | 94
PID 3392 wrote to memory of 2808 | 3392 | msiexec.exe | 94
PID 2808 wrote to memory of 2216 | 2808 | MsiExec.exe | 95
PID 2808 wrote to memory of 2216 | 2808 | MsiExec.exe | 95
PID 2808 wrote to memory of 4548 | 2808 | MsiExec.exe | 99
PID 2808 wrote to memory of 4548 | 2808 | MsiExec.exe | 99
PID 4548 wrote to memory of 1860 | 4548 | cmd.exe | 101
PID 4548 wrote to memory of 1860 | 4548 | cmd.exe | 101
PID 4548 wrote to memory of 1860 | 4548 | cmd.exe | 101
PID 4548 wrote to memory of 3276 | 4548 | cmd.exe | 102
PID 4548 wrote to memory of 3276 | 4548 | cmd.exe | 102
PID 4548 wrote to memory of 3408 | 4548 | cmd.exe | 104
PID 4548 wrote to memory of 3408 | 4548 | cmd.exe | 104
PID 4548 wrote to memory of 3408 | 4548 | cmd.exe | 104
PID 2808 wrote to memory of 4716 | 2808 | MsiExec.exe | 106
PID 2808 wrote to memory of 4716 | 2808 | MsiExec.exe | 106
PID 2808 wrote to memory of 4716 | 2808 | MsiExec.exe | 106
PID 3456 wrote to memory of 3304 | 3456 | QQKDRgdHxLyo.exe | 115
PID 3456 wrote to memory of 3304 | 3456 | QQKDRgdHxLyo.exe | 115
PID 3456 wrote to memory of 3304 | 3456 | QQKDRgdHxLyo.exe | 115
PID 3304 wrote to memory of 732 | 3304 | BiEzaHFZmGAK.exe | 117
PID 3304 wrote to memory of 732 | 3304 | BiEzaHFZmGAK.exe | 117
PID 3304 wrote to memory of 732 | 3304 | BiEzaHFZmGAK.exe | 117
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
(process tree; nesting shown by indentation, each process's PID on its last line)

C:\Windows\system32\msiexec.exe
Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\luoma2.msi
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID: 1104
-
C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3392
    C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
    PID: 2236
    C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 61E837C55DE46DDC1DB0817BDF61AE96 E Global\MSI0000
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID: 2808
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\PrepareUpliftingProducer'
        - Command and Scripting Interpreter: PowerShell
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        PID: 2216
        C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\oUAjvJMuhtZcwuATiyrgMIdqUMwcPS" -o"C:\Program Files\PrepareUpliftingProducer\" -p"08603ofn={DHx}m7~1j8" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\ICmLTllVpvaKCYPUzvtlZfGsINoXSg" -x!1_BiEzaHFZmGAK.exe -o"C:\Program Files\PrepareUpliftingProducer\" -p"71633}[lV%g5Os!px;&}" -y
        - System Network Configuration Discovery: Internet Connection Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4548
            C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
            Command line: "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\oUAjvJMuhtZcwuATiyrgMIdqUMwcPS" -o"C:\Program Files\PrepareUpliftingProducer\" -p"08603ofn={DHx}m7~1j8" -y
            - Drops file in Program Files directory
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 1860
            C:\Windows\system32\PING.EXE
            Command line: ping 127.0.0.1 -n 2
            - System Network Configuration Discovery: Internet Connection Discovery
            - Runs ping.exe
            PID: 3276
            C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
            Command line: "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\ICmLTllVpvaKCYPUzvtlZfGsINoXSg" -x!1_BiEzaHFZmGAK.exe -o"C:\Program Files\PrepareUpliftingProducer\" -p"71633}[lV%g5Os!px;&}" -y
            - Drops file in Program Files directory
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            PID: 3408
        C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe
        Command line: "C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe" -number 254 -file file3 -mode mode3
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        PID: 4716
-
C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID: 1632
-
C:\Windows\System32\WScript.exe
Command line: C:\Windows\System32\WScript.exe "C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.vbs"
- Modifies data under HKEY_USERS
PID: 628
-
C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.exe
Command line: "C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.exe" install
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
PID: 4988
-
C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.exe
Command line: "C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.exe" start
- Drops file in Program Files directory
- Executes dropped EXE
PID: 4516
-
C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.exe
Command line: "C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.exe"
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3456
    C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe
    Command line: "C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe" -number 154 -file file3 -mode mode3
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3304
        C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe
        Command line: "C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe" -number 62 -file file3 -mode mode3
        - Enumerates connected drives
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Checks processor information in registry
        PID: 732
-
Network
MITRE ATT&CK Enterprise v15
Downloads
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QQKDRgdHxLyo.exe.log
Filesize 1KB
-
\??\Volume{1541411d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b7af6ae9-ffc7-4559-867c-07dbeb04ceb0}_OnDiskSnapshotProp
Filesize 6KB