Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-11-2024 13:23
Static task: static1
Behavioral task: behavioral1
  Sample: luoma2.msi
  Resource: win7-20241023-en
Behavioral task: behavioral2
  Sample: luoma2.msi
  Resource: win10v2004-20241007-en
General
Target: luoma2.msi
Size: 2.0MB
MD5: 44933b8bcf9994f8d5088dbfd75bd781
SHA1: 4daeed4b62ec79ce1416ad7f62107db4525aeedc
SHA256: 2f77174a331482149dbb2a31cc57aebac7b7466ddbb309e40003c45bfad2e9da
SHA512: e4c7297b7054960652090d5efabf9407a359ee547bea64ba9d6ddef325278c9f930be004ea1eccb11bf3aa10f3a4a61c1abf629f4a07c668864eb1acedec2aec
SSDEEP: 49152:JxB+M1DwJ9AQNvKbJ917NIe87J3ZbBjqrDvytoqjaxP:J7+EUJeQNvKb/75oZU/vyjad
Malware Config
Signatures
Purplefox rootkit (yara rule purplefox_rootkit) 2 IoCs
resource | yara_rule
behavioral2/memory/2756-104-0x000000002B950000-0x000000002BB0B000-memory.dmp | purplefox_rootkit
behavioral2/memory/2756-107-0x000000002B950000-0x000000002BB0B000-memory.dmp | purplefox_rootkit
Gh0st RAT payload 2 IoCs
resource | yara_rule
behavioral2/memory/2756-104-0x000000002B950000-0x000000002BB0B000-memory.dmp | family_gh0strat
behavioral2/memory/2756-107-0x000000002B950000-0x000000002BB0B000-memory.dmp | family_gh0strat
Gh0strat family
Purplefox family
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
pid | Process
4640 | powershell.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
All 64 entries are "File opened (read-only)", listed here per process in logged order:
msiexec.exe (43 entries): \??\Z: \??\P: \??\W: \??\X: \??\V: \??\Y: \??\I: \??\R: \??\A: \??\Y: \??\H: \??\L: \??\T: \??\W: \??\K: \??\O: \??\P: \??\Q: \??\Z: \??\E: \??\O: \??\B: \??\L: \??\I: \??\U: \??\V: \??\Q: \??\B: \??\S: \??\J: \??\T: \??\U: \??\J: \??\M: \??\K: \??\M: \??\A: \??\G: \??\H: \??\N: \??\X: \??\E: \??\R:
BiEzaHFZmGAK.exe (21 entries): \??\H: \??\K: \??\S: \??\E: \??\Y: \??\T: \??\P: \??\J: \??\L: \??\O: \??\Q: \??\N: \??\U: \??\B: \??\M: \??\G: \??\I: \??\V: \??\R: \??\X: \??\W:
Drops file in System32 directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QQKDRgdHxLyo.exe.log | QQKDRgdHxLyo.exe
Drops file in Program Files directory 21 IoCs
description | ioc | Process
File created | C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.exe | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
File created | C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe | MsiExec.exe
File opened for modification | C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.wrapper.log | QQKDRgdHxLyo.exe
File created | C:\Program Files\PrepareUpliftingProducer\igc964.dll | msiexec.exe
File created | C:\Program Files\PrepareUpliftingProducer\valibclang2d.dll | msiexec.exe
File created | C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe | msiexec.exe
File opened for modification | C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
File opened for modification | C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.wrapper.log | QQKDRgdHxLyo.exe
File opened for modification | C:\Program Files\PrepareUpliftingProducer\ICmLTllVpvaKCYPUzvtlZfGsINoXSg | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
File created | C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
File created | C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.xml | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
File opened for modification | C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.xml | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
File opened for modification | C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.exe | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
File opened for modification | C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe | MsiExec.exe
File created | C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.vbs | BiEzaHFZmGAK.exe
File opened for modification | C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.wrapper.log | QQKDRgdHxLyo.exe
File created | C:\Program Files\PrepareUpliftingProducer\oUAjvJMuhtZcwuATiyrgMIdqUMwcPS | msiexec.exe
File created | C:\Program Files\PrepareUpliftingProducer\ICmLTllVpvaKCYPUzvtlZfGsINoXSg | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
File created | C:\Program Files\PrepareUpliftingProducer\2_BiEzaHFZmGAK.exe | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
File opened for modification | C:\Program Files\PrepareUpliftingProducer\2_BiEzaHFZmGAK.exe | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
File opened for modification | C:\Program Files\PrepareUpliftingProducer | BiEzaHFZmGAK.exe
Drops file in Windows directory 8 IoCs
description | ioc | Process
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{133ABF1E-4251-4602-B018-8E7A949FE705} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIDD60.tmp | msiexec.exe
File created | C:\Windows\Installer\e57dca6.msi | msiexec.exe
File created | C:\Windows\Installer\e57dca4.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57dca4.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
Executes dropped EXE 8 IoCs
pid | Process
1840 | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
4936 | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
676 | BiEzaHFZmGAK.exe
3892 | QQKDRgdHxLyo.exe
4780 | QQKDRgdHxLyo.exe
3792 | QQKDRgdHxLyo.exe
1432 | BiEzaHFZmGAK.exe
2756 | BiEzaHFZmGAK.exe
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
8 | msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BiEzaHFZmGAK.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BiEzaHFZmGAK.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | BiEzaHFZmGAK.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
1640 | cmd.exe
2436 | PING.EXE
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | BiEzaHFZmGAK.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | BiEzaHFZmGAK.exe
Modifies data under HKEY_USERS 56 IoCs
description | ioc | Process
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | WScript.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | WScript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | WScript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | powershell.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host | WScript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | WScript.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | msiexec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | powershell.exe
Modifies registry class 22 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\Language = "1033" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9DCD9B5D536DF1248A8093D390D4367B | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\SourceList | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\SourceList\Net | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\SourceList\Media | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\Clients = 3a0000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E1FBA331152420640B81E8A749F97E50 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\ProductName = "PrepareUpliftingProducer" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\Version = "151322630" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\InstanceType = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\PackageCode = "C0AED81ADD9AA43409DE1BF6F7A6C17A" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\AdvertiseFlags = "388" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\SourceList\PackageName = "luoma2.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E1FBA331152420640B81E8A749F97E50\ProductFeature | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\AuthorizedLUAApp = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E1FBA331152420640B81E8A749F97E50\DeploymentFlags = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9DCD9B5D536DF1248A8093D390D4367B\E1FBA331152420640B81E8A749F97E50 | msiexec.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
2436 | PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process | count
1516 | msiexec.exe | 2
4640 | powershell.exe | 3
676 | BiEzaHFZmGAK.exe | 59 (remaining entries of the 64)
Suspicious use of AdjustPrivilegeToken 64 IoCs
Token entries grouped per process, in logged order (64 entries in total):
8 msiexec.exe (31): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
1516 msiexec.exe (13): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
4484 vssvc.exe (3): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
2300 srtasks.exe (8): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
4640 powershell.exe (1): SeDebugPrivilege
1840 wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe (4): SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
4936 wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe (4): SeRestorePrivilege, 35, SeSecurityPrivilege, SeSecurityPrivilege
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
8 | msiexec.exe
8 | msiexec.exe
Suspicious use of WriteProcessMemory 25 IoCs
description | pid | Process | procid_target | count
PID 1516 wrote to memory of 2300 | 1516 | msiexec.exe | 92 | 2
PID 1516 wrote to memory of 2816 | 1516 | msiexec.exe | 96 | 2
PID 2816 wrote to memory of 4640 | 2816 | MsiExec.exe | 97 | 2
PID 2816 wrote to memory of 1640 | 2816 | MsiExec.exe | 99 | 2
PID 1640 wrote to memory of 1840 | 1640 | cmd.exe | 101 | 3
PID 1640 wrote to memory of 2436 | 1640 | cmd.exe | 102 | 2
PID 1640 wrote to memory of 4936 | 1640 | cmd.exe | 104 | 3
PID 2816 wrote to memory of 676 | 2816 | MsiExec.exe | 106 | 3
PID 3792 wrote to memory of 1432 | 3792 | QQKDRgdHxLyo.exe | 115 | 3
PID 1432 wrote to memory of 2756 | 1432 | BiEzaHFZmGAK.exe | 117 | 3
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
(process tree; indentation shows parent/child, depth as in the original report)

C:\Windows\system32\msiexec.exe (PID 8)
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\luoma2.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe (PID 1516)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\srtasks.exe (PID 2300)
    command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\MsiExec.exe (PID 2816)
    command line: C:\Windows\System32\MsiExec.exe -Embedding 0B471AAE80F3DF32D84DF74DB44C2E8B E Global\MSI0000
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4640)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\PrepareUpliftingProducer'
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\cmd.exe (PID 1640)
      command line: "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\oUAjvJMuhtZcwuATiyrgMIdqUMwcPS" -o"C:\Program Files\PrepareUpliftingProducer\" -p"08603ofn={DHx}m7~1j8" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\ICmLTllVpvaKCYPUzvtlZfGsINoXSg" -x!1_BiEzaHFZmGAK.exe -o"C:\Program Files\PrepareUpliftingProducer\" -p"71633}[lV%g5Os!px;&}" -y
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory

      C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe (PID 1840)
        command line: "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\oUAjvJMuhtZcwuATiyrgMIdqUMwcPS" -o"C:\Program Files\PrepareUpliftingProducer\" -p"08603ofn={DHx}m7~1j8" -y
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\system32\PING.EXE (PID 2436)
        command line: ping 127.0.0.1 -n 2
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe

      C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe (PID 4936)
        command line: "C:\Program Files\PrepareUpliftingProducer\wLxfLvsDsJpMqOBEALZlYBVFnNtsOO.exe" x "C:\Program Files\PrepareUpliftingProducer\ICmLTllVpvaKCYPUzvtlZfGsINoXSg" -x!1_BiEzaHFZmGAK.exe -o"C:\Program Files\PrepareUpliftingProducer\" -p"71633}[lV%g5Os!px;&}" -y
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe (PID 676)
      command line: "C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe" -number 254 -file file3 -mode mode3
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe (PID 4484)
  command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WScript.exe (PID 1620)
  command line: C:\Windows\System32\WScript.exe "C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.vbs"
  - Modifies data under HKEY_USERS

C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.exe (PID 3892)
  command line: "C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.exe" install
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE

C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.exe (PID 4780)
  command line: "C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.exe" start
  - Drops file in Program Files directory
  - Executes dropped EXE

C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.exe (PID 3792)
  command line: "C:\Program Files\PrepareUpliftingProducer\QQKDRgdHxLyo.exe"
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe (PID 1432)
    command line: "C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe" -number 154 -file file3 -mode mode3
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe (PID 2756)
      command line: "C:\Program Files\PrepareUpliftingProducer\BiEzaHFZmGAK.exe" -number 62 -file file3 -mode mode3
      - Enumerates connected drives
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
7KB
MD5c527815a519a5501b3b360a1450bc3f6
SHA14a1cd8ae65101646eab1d4bfd2b6b436897c8ac9
SHA25675c3850bcee8817e0981d9de695ec04f4a795b1121fb44b88e0be96452a691bf
SHA51297294a8c1acd8c1396fb033aba9575a08803f045e036aa46f52a1eb28d47f4702f7a48283a1029b162c45ff2284758e6b883e3097af32833f45dbff8a27bd6e5
-
Filesize
2.1MB
MD5cbfd19024613960afbca2592c254797c
SHA1498f21770764974008a04e3c1e013112b07a440b
SHA256e836bac2f7e08d68df29e1fbaba53d51bad7d7b304d3f8721ac9687275aec97a
SHA51298a162f7e6146e9973e4075867289627e2290ebd73745ccea701b7a28e2b112854ab90604d7ff16f207d91160181992e655bb7ea30ac58d9f7696bdad9a7d101
-
Filesize
465KB
MD5c99ea1e7ca21ecb00df889b6d2026b3b
SHA1a1bcdc38c6ee89226768548a7f8bc2df3f22dbe2
SHA25681a7be797cea8b559a6ed7e8660cf46c3f6accaf57bb5635724c177ae0968a8c
SHA5126df9212e0cfc1486c21eda6e4d6b6efa9c487729f12d3f20d0c64c28a8fdf1feaddfbe3681066f2254f979117d347eaceef3496ff1df079f8dfeed7a21c73e32
-
Filesize
2KB
MD5
1794a4eef350a53cbc87bbca7e3af2b6
SHA1
495952b0948cf2f7508973a75a926c9fe66ee0dc
SHA256
55bd213261f59a5a5dee55f9569396a8d8f102eb2ef9297e1b0901fc99e02351
SHA512
7f6149327a96859581de20a4cd569243f7f4b5d179cd43d2f823e03393c09a5b3c95abd76dfb5c47340889bc369096bf4f62ad6cf988ef2e30b31b0b0f2c9f00
-
Filesize
1.5MB
MD5
c2ddc9c1c68f17bcabe6d453bdedd54d
SHA1
1f9a8a688498fccfba10beb74366de6aca5d8f71
SHA256
a4d8817a8152b7f4b4ab0d194e35ab4fb49bf4d567bd23e1ec359af29543c41b
SHA512
3d464130d1ef6fcf13a6f7623c4fd507f7053aa8fcff8d7e7ff1f47b7fb85999c3d1119b49fcaa2a96efd587d609150f0f529f2fe36e66bc2c0ad9e89f5ada9a
-
Filesize
832KB
MD5
d305d506c0095df8af223ac7d91ca327
SHA1
679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256
923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA512
94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796
-
Filesize
282B
MD5
42f3160f404dbc1c6c6ff4f321a27195
SHA1
4a16f6de6afb16c0145f229ef304ae8ad000fd58
SHA256
d8d2772a241680a1ee5f23fc55f92026a68ae3e61f95796c7083fba207ff96db
SHA512
fae90f61b7b21cd8c929a92738b3c3512a0cab3d9b675d289c78f45b08219ab09d24d491d4f7629ed80cd2c5d71055f5531b08c09d32e0c10739fb57762b9409
-
Filesize
446B
MD5
e41fea3821a3182e91834ee90cf7ad3e
SHA1
135341f1feef1dadf1edf61b270eb7a8d0fccf1c
SHA256
095261662b69125387272b250d18328cebe69c67ee197383eb46653a0affcb1d
SHA512
d61105d8b0d610563287f2cc79483d27cb3515c22597cbd7f0faa25e5cfd43ac3bdca2f5710b2630571b66f522a4cee252b479dc55b36d15d83165167d154a7c
-
Filesize
620B
MD5
638f3fea446236ec66780aef4fa84767
SHA1
0888bb6e4ad1d4714ec6b41a690ba142d1b21aa3
SHA256
d7678e13e007cdc1462ed4d0c8a02e2daa4128788cfe71e7e4eb5b28757f00f5
SHA512
c4680acbfea0309dc097d35aad29aa1d33772d2e117b6611bae3389035ffbb9e5543df23c52cad6cb8ab245e359e32034c0202574e696d91becdad631696bbc5
-
Filesize
757B
MD5
69c81836f85a5a2ce5aed8bdf1856c82
SHA1
01a36958a55605a440b6cbc0f9bda076af580b76
SHA256
01a7df2534f4a52c5d91c1b5d7fc290b9933f5cda026d1058700d44363481a6a
SHA512
1c3c84fa389f57d43b37c3e86e42c538dfcc1618b7135838e18a7364c767d48f2a85cfea2e81dac2c55cd7352e2f426cd81b8489a2e6210f4e8aace3b9483142
-
Filesize
435B
MD5
72e8bdb8f89079396577a01b50872d45
SHA1
f231f9747f36ad95a0aa5eaccc7fc91a623ed5a0
SHA256
d50f97f5db588f56dd4121709500a98cf26ca153d3fd5fbeae07d6a582c4e1f7
SHA512
933403795499d6ef6b04cd4a5c21002b634e660480aa4fd7602ebce5db616e8acda5e9ba5b443757b0b2ad2fb9b666f3e2d33c08cee2a3d138a0841fba6e664e
-
Filesize
1.5MB
MD5
4bf1d9c71a407d753fbe43603baa740b
SHA1
7bda556251c6aafb215df4b8dc9d1dc35e805b4a
SHA256
afb17b50d2c8f3e2412ad64977860d595fa8b67691714306fd371264065d19d7
SHA512
50a35c209a525f5c87ae94da25722ae385a57107d1738ac3f8a55bf1c9df4a9e42d9784c119d4d44d590592b824c09d6d97ec9ce6de424cdb09e0116e5c75d93
-
Filesize
577KB
MD5
c31c4b04558396c6fabab64dcf366534
SHA1
fa836d92edc577d6a17ded47641ba1938589b09a
SHA256
9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512
814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2.0MB
MD5
44933b8bcf9994f8d5088dbfd75bd781
SHA1
4daeed4b62ec79ce1416ad7f62107db4525aeedc
SHA256
2f77174a331482149dbb2a31cc57aebac7b7466ddbb309e40003c45bfad2e9da
SHA512
e4c7297b7054960652090d5efabf9407a359ee547bea64ba9d6ddef325278c9f930be004ea1eccb11bf3aa10f3a4a61c1abf629f4a07c668864eb1acedec2aec
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QQKDRgdHxLyo.exe.log
Filesize
1KB
MD5
122cf3c4f3452a55a92edee78316e071
SHA1
f2caa36d483076c92d17224cf92e260516b3cbbf
SHA256
42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
SHA512
c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c
-
Filesize
24.1MB
MD5
576e69d32df0b6c0461786e5e3872491
SHA1
5e04b30ae31305251d2b94c7c74b44d46e1768ec
SHA256
6bf75b6b80e77fa81940b4cdcd9cbeeccfcd98e677e2d1f4cb90d70dd6d42732
SHA512
37af823cae70fb17642eb10964443ad2a496d98be7c73b5264ba31a53ac4f5e75fcb78a3c0f48c7c598916e978752587c16fd97f14043f8480048ad3267543a6
-
\??\Volume{f0eec59f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0384f9d6-3f18-4e7b-9a50-25f0588347ce}_OnDiskSnapshotProp
Filesize
6KB
MD5
0f968b2a5f713c2f123b0ace6c966941
SHA1
9cfefd5d51753cd6d5e8f139392017d16e652398
SHA256
330fb74ed79353b8fdbbe5c277f7265439c1edac12ef36eeab01eaa8106019db
SHA512
85d006c4112da5826f83d621111ec370429239d94752f33b7dacadd60d04c7fccce76b38bf3da6052615da686bee43ede286aba476c9a6ac299fba8ca808c943