Analysis
-
max time kernel
150s
-
max time network
150s
-
platform
windows10-2004_x64
-
resource
win10v2004-20241007-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
-
submitted
28-11-2024 06:42
Static task
static1
Behavioral task
behavioral1
Sample
54c5645bb279b088510d7da2cfbf7d9cd762b07985151433a9a92e4f5f5bf37d.msi
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
54c5645bb279b088510d7da2cfbf7d9cd762b07985151433a9a92e4f5f5bf37d.msi
Resource
win10v2004-20241007-en
General
-
Target
54c5645bb279b088510d7da2cfbf7d9cd762b07985151433a9a92e4f5f5bf37d.msi
-
Size
46.2MB
-
MD5
2487e36f76cc09ec67842ca4a2529408
-
SHA1
4b2ce72751d5263d8632857bc8cd305ae53179b0
-
SHA256
54c5645bb279b088510d7da2cfbf7d9cd762b07985151433a9a92e4f5f5bf37d
-
SHA512
899a5a707e243e3571c003d43455bb6d876e658899493b935600375efc50ce1908eb64a45bc3762df398b5bded473f207e0484a91b4f8916f08b4ead9ef64edf
-
SSDEEP
786432:z7zPJlZQwSNnfIS3sLxnbna9eVpfQjFaYDYQVGB5c74FTnW0bNg6ojGRUSIITKty:Tr3SOxDa9eVU7DYKGBW74Q0fz2aMy
Malware Config
Signatures
-
resource | yara_rule
behavioral2/memory/4732-80-0x000000002C170000-0x000000002C32D000-memory.dmp | purplefox_rootkit
behavioral2/memory/4732-82-0x000000002C170000-0x000000002C32D000-memory.dmp | purplefox_rootkit
behavioral2/memory/4732-83-0x000000002C170000-0x000000002C32D000-memory.dmp | purplefox_rootkit
behavioral2/memory/4732-84-0x000000002C170000-0x000000002C32D000-memory.dmp | purplefox_rootkit
-
Gh0st RAT payload 4 IoCs
resource | yara_rule
behavioral2/memory/4732-80-0x000000002C170000-0x000000002C32D000-memory.dmp | family_gh0strat
behavioral2/memory/4732-82-0x000000002C170000-0x000000002C32D000-memory.dmp | family_gh0strat
behavioral2/memory/4732-83-0x000000002C170000-0x000000002C32D000-memory.dmp | family_gh0strat
behavioral2/memory/4732-84-0x000000002C170000-0x000000002C32D000-memory.dmp | family_gh0strat
-
Gh0strat family
-
Purplefox family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
620 | powershell.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\N: | kTQQNujsYZyY.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\V: | kTQQNujsYZyY.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\B: | kTQQNujsYZyY.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\Y: | kTQQNujsYZyY.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | kTQQNujsYZyY.exe
File opened (read-only) | \??\J: | kTQQNujsYZyY.exe
File opened (read-only) | \??\Z: | kTQQNujsYZyY.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\M: | kTQQNujsYZyY.exe
File opened (read-only) | \??\H: | kTQQNujsYZyY.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Q: | kTQQNujsYZyY.exe
File opened (read-only) | \??\X: | kTQQNujsYZyY.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\R: | kTQQNujsYZyY.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\G: | kTQQNujsYZyY.exe
File opened (read-only) | \??\O: | kTQQNujsYZyY.exe
File opened (read-only) | \??\P: | kTQQNujsYZyY.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\I: | kTQQNujsYZyY.exe
File opened (read-only) | \??\K: | kTQQNujsYZyY.exe
File opened (read-only) | \??\L: | kTQQNujsYZyY.exe
File opened (read-only) | \??\S: | kTQQNujsYZyY.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
-
Drops file in Program Files directory 16 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\NetworkDirectVuetify\2_kTQQNujsYZyY.exe | qXarwvaJOuckZgu.exe
File created | C:\Program Files\NetworkDirectVuetify\tsetup.exe | msiexec.exe
File created | C:\Program Files\NetworkDirectVuetify\MmyEbCsTTmYtkzo | qXarwvaJOuckZgu.exe
File created | C:\Program Files\NetworkDirectVuetify\kTQQNujsYZyY | qXarwvaJOuckZgu.exe
File opened for modification | C:\Program Files\NetworkDirectVuetify\kTQQNujsYZyY | qXarwvaJOuckZgu.exe
File created | C:\Program Files\NetworkDirectVuetify\kMOpfcRzxaYH.exe | qXarwvaJOuckZgu.exe
File created | C:\Program Files\NetworkDirectVuetify\kTQQNujsYZyY.exe | MsiExec.exe
File opened for modification | C:\Program Files\NetworkDirectVuetify\kTQQNujsYZyY.exe | MsiExec.exe
File opened for modification | C:\Program Files\NetworkDirectVuetify | kTQQNujsYZyY.exe
File created | C:\Program Files\NetworkDirectVuetify\valibclang2d.dll | msiexec.exe
File created | C:\Program Files\NetworkDirectVuetify\2_kTQQNujsYZyY.exe | qXarwvaJOuckZgu.exe
File opened for modification | C:\Program Files\NetworkDirectVuetify\kMOpfcRzxaYH.exe | qXarwvaJOuckZgu.exe
File created | C:\Program Files\NetworkDirectVuetify\UZucQvhtuIqsMFE | msiexec.exe
File opened for modification | C:\Program Files\NetworkDirectVuetify\MmyEbCsTTmYtkzo | qXarwvaJOuckZgu.exe
File created | C:\Program Files\NetworkDirectVuetify\wegame.exe | MsiExec.exe
File created | C:\Program Files\NetworkDirectVuetify\qXarwvaJOuckZgu.exe | msiexec.exe
-
Drops file in Windows directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{5B641BEF-73B5-4EC0-A2F5-2773A55C510B} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI23D.tmp | msiexec.exe
File created | C:\Windows\Installer\e5800e7.msi | msiexec.exe
File created | C:\Windows\Installer\e5800e5.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e5800e5.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
-
Executes dropped EXE 8 IoCs
pid | Process
456 | qXarwvaJOuckZgu.exe
1844 | qXarwvaJOuckZgu.exe
380 | kTQQNujsYZyY.exe
4328 | tsetup.exe
2056 | kMOpfcRzxaYH.exe
4484 | wegame.exe
4768 | tsetup.tmp
4732 | kTQQNujsYZyY.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
708 | msiexec.exe
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsetup.tmp
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | wegame.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kTQQNujsYZyY.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qXarwvaJOuckZgu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qXarwvaJOuckZgu.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kTQQNujsYZyY.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | kMOpfcRzxaYH.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | tsetup.exe
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value not preserved in this copy of the report] | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | kTQQNujsYZyY.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | kTQQNujsYZyY.exe
-
Kills process with taskkill 1 IoCs
pid | Process
1908 | taskkill.exe
-
Modifies data under HKEY_USERS 64 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | kTQQNujsYZyY.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | wegame.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | kTQQNujsYZyY.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | kTQQNujsYZyY.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | kTQQNujsYZyY.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | kTQQNujsYZyY.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | kTQQNujsYZyY.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | kTQQNujsYZyY.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | kTQQNujsYZyY.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | kTQQNujsYZyY.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | kTQQNujsYZyY.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | kTQQNujsYZyY.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | kTQQNujsYZyY.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | kTQQNujsYZyY.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | kTQQNujsYZyY.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | kTQQNujsYZyY.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | kTQQNujsYZyY.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | kTQQNujsYZyY.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | wegame.exe
Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | kTQQNujsYZyY.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | kTQQNujsYZyY.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | kTQQNujsYZyY.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | kTQQNujsYZyY.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | wegame.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | powershell.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | kTQQNujsYZyY.exe
-
Modifies registry class 22 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEB146B55B370CE42A5F72375AC515B0\SourceList | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEB146B55B370CE42A5F72375AC515B0\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEB146B55B370CE42A5F72375AC515B0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FEB146B55B370CE42A5F72375AC515B0 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEB146B55B370CE42A5F72375AC515B0\PackageCode = "35090D8B825D59B408A937E55D8FD07E" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEB146B55B370CE42A5F72375AC515B0\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEB146B55B370CE42A5F72375AC515B0\Version = "67371017" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6C39599399185B24887B1AC09167C995 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEB146B55B370CE42A5F72375AC515B0\DeploymentFlags = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEB146B55B370CE42A5F72375AC515B0\SourceList\PackageName = "54c5645bb279b088510d7da2cfbf7d9cd762b07985151433a9a92e4f5f5bf37d.msi" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEB146B55B370CE42A5F72375AC515B0\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEB146B55B370CE42A5F72375AC515B0\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEB146B55B370CE42A5F72375AC515B0\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEB146B55B370CE42A5F72375AC515B0\SourceList\Media | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6C39599399185B24887B1AC09167C995\FEB146B55B370CE42A5F72375AC515B0 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEB146B55B370CE42A5F72375AC515B0\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEB146B55B370CE42A5F72375AC515B0\SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\FEB146B55B370CE42A5F72375AC515B0\ProductFeature | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEB146B55B370CE42A5F72375AC515B0 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEB146B55B370CE42A5F72375AC515B0\ProductName = "NetworkDirectVuetify" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEB146B55B370CE42A5F72375AC515B0\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\FEB146B55B370CE42A5F72375AC515B0\AdvertiseFlags = "388" | msiexec.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3268 | msiexec.exe (2 entries)
620 | powershell.exe (3 entries)
380 | kTQQNujsYZyY.exe (2 entries)
4484 | wegame.exe (4 entries)
4732 | kTQQNujsYZyY.exe (53 entries)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 708 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 708 | msiexec.exe
Token: SeSecurityPrivilege | 3268 | msiexec.exe
Token: SeCreateTokenPrivilege | 708 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 708 | msiexec.exe
Token: SeLockMemoryPrivilege | 708 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 708 | msiexec.exe
Token: SeMachineAccountPrivilege | 708 | msiexec.exe
Token: SeTcbPrivilege | 708 | msiexec.exe
Token: SeSecurityPrivilege | 708 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 708 | msiexec.exe
Token: SeLoadDriverPrivilege | 708 | msiexec.exe
Token: SeSystemProfilePrivilege | 708 | msiexec.exe
Token: SeSystemtimePrivilege | 708 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 708 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 708 | msiexec.exe
Token: SeCreatePagefilePrivilege | 708 | msiexec.exe
Token: SeCreatePermanentPrivilege | 708 | msiexec.exe
Token: SeBackupPrivilege | 708 | msiexec.exe
Token: SeRestorePrivilege | 708 | msiexec.exe
Token: SeShutdownPrivilege | 708 | msiexec.exe
Token: SeDebugPrivilege | 708 | msiexec.exe
Token: SeAuditPrivilege | 708 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 708 | msiexec.exe
Token: SeChangeNotifyPrivilege | 708 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 708 | msiexec.exe
Token: SeUndockPrivilege | 708 | msiexec.exe
Token: SeSyncAgentPrivilege | 708 | msiexec.exe
Token: SeEnableDelegationPrivilege | 708 | msiexec.exe
Token: SeManageVolumePrivilege | 708 | msiexec.exe
Token: SeImpersonatePrivilege | 708 | msiexec.exe
Token: SeCreateGlobalPrivilege | 708 | msiexec.exe
Token: SeBackupPrivilege | 3520 | vssvc.exe
Token: SeRestorePrivilege | 3520 | vssvc.exe
Token: SeAuditPrivilege | 3520 | vssvc.exe
Token: SeBackupPrivilege | 3268 | msiexec.exe
Token: SeRestorePrivilege | 3268 | msiexec.exe
Token: SeRestorePrivilege | 3268 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3268 | msiexec.exe
Token: SeRestorePrivilege | 3268 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3268 | msiexec.exe
Token: SeDebugPrivilege | 620 | powershell.exe
Token: SeBackupPrivilege | 4668 | srtasks.exe
Token: SeRestorePrivilege | 4668 | srtasks.exe
Token: SeSecurityPrivilege | 4668 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 4668 | srtasks.exe
Token: SeBackupPrivilege | 4668 | srtasks.exe
Token: SeRestorePrivilege | 4668 | srtasks.exe
Token: SeSecurityPrivilege | 4668 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 4668 | srtasks.exe
Token: SeRestorePrivilege | 3268 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3268 | msiexec.exe
Token: SeRestorePrivilege | 3268 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3268 | msiexec.exe
Token: SeRestorePrivilege | 3268 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3268 | msiexec.exe
Token: SeRestorePrivilege | 3268 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3268 | msiexec.exe
Token: SeRestorePrivilege | 3268 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3268 | msiexec.exe
Token: SeRestorePrivilege | 3268 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3268 | msiexec.exe
Token: SeRestorePrivilege | 3268 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3268 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
708 | msiexec.exe
708 | msiexec.exe
-
Suspicious use of WriteProcessMemory 29 IoCs
description | pid | Process | procid_target
PID 3268 wrote to memory of 4668 | 3268 | msiexec.exe | 95
PID 3268 wrote to memory of 4668 | 3268 | msiexec.exe | 95
PID 3268 wrote to memory of 5068 | 3268 | msiexec.exe | 97
PID 3268 wrote to memory of 5068 | 3268 | msiexec.exe | 97
PID 5068 wrote to memory of 620 | 5068 | MsiExec.exe | 98
PID 5068 wrote to memory of 620 | 5068 | MsiExec.exe | 98
PID 5068 wrote to memory of 456 | 5068 | MsiExec.exe | 100
PID 5068 wrote to memory of 456 | 5068 | MsiExec.exe | 100
PID 5068 wrote to memory of 456 | 5068 | MsiExec.exe | 100
PID 5068 wrote to memory of 1844 | 5068 | MsiExec.exe | 102
PID 5068 wrote to memory of 1844 | 5068 | MsiExec.exe | 102
PID 5068 wrote to memory of 1844 | 5068 | MsiExec.exe | 102
PID 5068 wrote to memory of 380 | 5068 | MsiExec.exe | 104
PID 5068 wrote to memory of 380 | 5068 | MsiExec.exe | 104
PID 5068 wrote to memory of 380 | 5068 | MsiExec.exe | 104
PID 5068 wrote to memory of 4328 | 5068 | MsiExec.exe | 106
PID 5068 wrote to memory of 4328 | 5068 | MsiExec.exe | 106
PID 5068 wrote to memory of 4328 | 5068 | MsiExec.exe | 106
PID 2056 wrote to memory of 4484 | 2056 | kMOpfcRzxaYH.exe | 108
PID 2056 wrote to memory of 4484 | 2056 | kMOpfcRzxaYH.exe | 108
PID 2056 wrote to memory of 4484 | 2056 | kMOpfcRzxaYH.exe | 108
PID 5068 wrote to memory of 1908 | 5068 | MsiExec.exe | 110
PID 5068 wrote to memory of 1908 | 5068 | MsiExec.exe | 110
PID 4328 wrote to memory of 4768 | 4328 | tsetup.exe | 112
PID 4328 wrote to memory of 4768 | 4328 | tsetup.exe | 112
PID 4328 wrote to memory of 4768 | 4328 | tsetup.exe | 112
PID 4484 wrote to memory of 4732 | 4484 | wegame.exe | 113
PID 4484 wrote to memory of 4732 | 4484 | wegame.exe | 113
PID 4484 wrote to memory of 4732 | 4484 | wegame.exe | 113
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\54c5645bb279b088510d7da2cfbf7d9cd762b07985151433a9a92e4f5f5bf37d.msi
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:708
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3268
  C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - Suspicious use of AdjustPrivilegeToken
  PID:4668
  -
  C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding E17A871E624524C09F43711705A08F49 E Global\MSI0000
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:5068
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\NetworkDirectVuetify','C:\Program Files','C:\Program Files'
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:620
    -
    C:\Program Files\NetworkDirectVuetify\qXarwvaJOuckZgu.exe
    "C:\Program Files\NetworkDirectVuetify\qXarwvaJOuckZgu.exe" x "C:\Program Files\NetworkDirectVuetify\UZucQvhtuIqsMFE." "C:\Program Files\NetworkDirectVuetify\" -p"34204U3$J+" -y
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:456
    -
    C:\Program Files\NetworkDirectVuetify\qXarwvaJOuckZgu.exe
    "C:\Program Files\NetworkDirectVuetify\qXarwvaJOuckZgu.exe" x "C:\Program Files\NetworkDirectVuetify\MmyEbCsTTmYtkzo." -x"1_kTQQNujsYZyY.exe" -x"sss" -x"1_ICreQbOyZSZhTvR.exe" -x"1_" -x"1_" -x"sa" "C:\Program Files\NetworkDirectVuetify\" -p"35784V_QPi" -y
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1844
    -
    C:\Program Files\NetworkDirectVuetify\kTQQNujsYZyY.exe
    "C:\Program Files\NetworkDirectVuetify\kTQQNujsYZyY.exe" -nbg 268
    - Drops file in Program Files directory
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:380
    -
    C:\Program Files\NetworkDirectVuetify\tsetup.exe
    "C:\Program Files\NetworkDirectVuetify\tsetup.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4328
      C:\Users\Admin\AppData\Local\Temp\is-E5CNP.tmp\tsetup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-E5CNP.tmp\tsetup.tmp" /SL5="$D0252,44246395,814592,C:\Program Files\NetworkDirectVuetify\tsetup.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      PID:4768
    -
    C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe
    - Kills process with taskkill
    PID:1908
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3520
-
C:\Program Files\NetworkDirectVuetify\kMOpfcRzxaYH.exe
"C:\Program Files\NetworkDirectVuetify\kMOpfcRzxaYH.exe" -nbg 102
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2056
  C:\Program Files\NetworkDirectVuetify\wegame.exe
  "C:\Program Files\NetworkDirectVuetify\kMOpfcRzxaYH.exe" -nbg 102
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4484
    C:\Program Files\NetworkDirectVuetify\kTQQNujsYZyY.exe
    "C:\Program Files\NetworkDirectVuetify\kTQQNujsYZyY.exe" -nbg 72
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:4732
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
PID:4488
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
8KB
MD5
4213bd31a8dd2dee3b7666df7cecfd1e
SHA1
059c0e21a364af62564b2321a61dd9d3edf26249
SHA256
e71ddf66811f72453415714c66304c4706a4e580da55521ae45aa4ece870520c
SHA512
a0ece443f58a61c4df630955a56c2f30d4331aab7601551693e14a7a93b2f8f8bbab74ab6e441c58b5902c0935a575652d95d0853471b0d911693bf3d5bdda95
-
Filesize
6.2MB
MD5
ebf139534eeae3ce3af174148033b1af
SHA1
ed99757cdf9703fc7d966634f58bde38d2ac60ee
SHA256
98c1a416e33e3ac554645b742ca83ef046016e5fe2abacf7fd44a8511fca7585
SHA512
22ee8c2f09e15793bb1841732df19c1885592ca8a1653d5171228c0ad8bea48836a78c0279c3d428bda86133f75321d6603b7db067adb4e950e5fb9806301b78
-
Filesize
3.1MB
MD5
9c86b7e50a47e1b9d56cae41364f129e
SHA1
989ece30f5a16b608b0dbc3e24ea8c6701f72ead
SHA256
a900eacd2dfedc17187a596c4e8544bc8e068d6291d2986d3d41ab00fe763e13
SHA512
73f49ef3cbd2abc7c5d6dc26f56275b2ac75941e4d0f0378620492322e5846ecfcb0e17c6f1495dea901a968050ed6b22ffa2842e45b67f0fb4d51be69b2a063
-
Filesize
3.1MB
MD5
f4ba04158afd7ec631016e2a6b1f5bbe
SHA1
1695078b8313da1ec2317d7f2206aaa87152a35d
SHA256
d749a1d77c9bcf3c34e63f0351644fc62009c5abe5746b9e8d7e05ba3554eb1d
SHA512
dc16b88fcbef730f91a808e54ba2ce3bb1b4cb63a775e8066e640165180185db8fa2188be53d8b4b93923b2e4dc97c924a1d192c3adaffdf688261cd2872da01
-
Filesize
1.0MB
MD5
5831e9e77179c55d1f08ab5a0900cf36
SHA1
a75af16800b3d25e6ea63f75fdbe7b258d2b34a1
SHA256
62b96c419e1a403eb367304d0c8ff4f6856e8922a296dcafd5c7515746ebe143
SHA512
a046a809514f96ab8a23fcbc9de92221f1e91f984f985548c744881cf8f2cc8a408b498dfe0acf501ffc0155a5dfc60e364785f086f77bd1b7d48a13add9cd61
-
Filesize
751KB
MD5
47deb5b92f2734d37df538f8738fd658
SHA1
633abf89e926e3762b33ff05a9d11fc206f08631
SHA256
6e4152ab6a60788a725bc98df2f5832cfbaf4adfa983f4a17107db89d3be490f
SHA512
e2bb727d97bde6e7f5c17d4ac37df6703cdc9aad3b4ee5c1a54fb773e22a4262ef44ba0b4d3dc39454f0f73ad7e7b72cf1883633570b3226281a93c0f32e5761
-
Filesize
43.1MB
MD5
8a53cf72375f6899082463c36422d411
SHA1
161d9d3b21bf0d9a9790b92013ec76c6d839af06
SHA256
1b31e3758c4b158143dc41c7c4617984d958760d8d7718e1e38492c67f6bbf65
SHA512
daadba04fb90002a2cb8e44c1b98d6bf702b9cfe33d3b6dc981c877e0a77c620f2538a2748f2fb4e88493e326cc45764c54dad659d8d2d018b74b24fd727a190
-
Filesize
60B
MD5
d17fe0a3f47be24a6453e9ef58c94641
SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
3.0MB
MD5
d90927477dbf0725af0a10e151c184c4
SHA1
4cd69b23ee9c1efe9bd539f0fef841a09a4a773e
SHA256
43182a0ae7e22cc7f9b8028dc71e82826c80e9ac265f8d2dfa08876bb41b7029
SHA512
bfbd62482e99127c1bf621a135b464b5f96b86adfcb9064660c0dc1052099643ea9485e1358a758ab466f19c97042dafccb781e157203ea51e43956e4b6f4f98
-
Filesize
46.2MB
MD5
2487e36f76cc09ec67842ca4a2529408
SHA1
4b2ce72751d5263d8632857bc8cd305ae53179b0
SHA256
54c5645bb279b088510d7da2cfbf7d9cd762b07985151433a9a92e4f5f5bf37d
SHA512
899a5a707e243e3571c003d43455bb6d876e658899493b935600375efc50ce1908eb64a45bc3762df398b5bded473f207e0484a91b4f8916f08b4ead9ef64edf
-
Filesize
24.1MB
MD5
599ab9dba895f996b2c00d7ce3b88bb1
SHA1
140f25a1912442aacad700596d9170ba906b9df3
SHA256
a98f29dbfeca560599c8ee234dfa0a5206f868af9b3fcbb0af9940b71d5c009d
SHA512
2fd5edbb2f24b7960887d95602d76689454214457bb986cbb52301a7d52bab0fef9895473e8ae78c7d1a10c45c913cc681c7a07f23a1eb10c2ee1345eadcf338
-
\??\Volume{f0eec59f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{631c5ec9-d783-4503-9864-77e1c096590c}_OnDiskSnapshotProp
Filesize
6KB
MD5
245995ef6b7d86a11c9f6f9a6b25f02f
SHA1
70d091aaabcd3f54594b7831083f95758f9f56d1
SHA256
7576be006f56ddbe38351f9014e5bd32adaca002a4cc19ed9cd481da6912fd4f
SHA512
51a163d322b1a9e5be88e576772087f8c67934f2bfe47b5ddd11b106a347da151187f86eb25bd6a2224f42d786c4a771cd5139e8fd7529b1627ded271ba3f5ab