hijackloader | bb405f39df5d194629428425c29d3214a44aa4a65c49705f84aa537c7ad78043

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28/02/2025, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SForceSetup.exe
Size

65.4MB
MD5

e19b379aa011e29475b52fa032be6fb1
SHA1

5e667d088d0a35a5ef6b303aa44d91182cf2f77d
SHA256

fc917a43cd242a370ba5a80e3fc5cc6c3e8dd0e7b68148452e1df864c4a2492e
SHA512

c4c61eb548dbf6c98a23a1f0dd4b72aa82156cd10e9934ff786a3ae4dc4f5d6c8ad1e2610c944498eb53e0f0fd14dd12a6a3a769bdf16518ce39efaccad7124d
SSDEEP

1572864:mji/jrpWcvi/jrpWQsyGADgl5AQllPnu19xKSkJAoM8Md9lZmP0UMG:mO/O/syG6glTlPnu8SkOoMTlsP08

Score

10^/10

hijackloader discovery loader

Malware Config

Signatures

Detects HijackLoader (aka IDAT Loader) 1 IoCs

resource	yara_rule
behavioral1/files/0x00050000000195e4-311.dat	family_hijackloader

HijackLoader
HijackLoader is a multistage loader first seen in 2023.
loader hijackloader
Hijackloader family
hijackloader

Executes dropped EXE 8 IoCs

pid	Process
948	MSICDCA.tmp
1356	MSICF24.tmp
1676	RTLogReceiver.exe
992	StrikeAssistant.exe
2100	RTLogReceiver.exe
2240	StrikeAssistant.tmp
544	StrikeAssistant.exe
1660	StrikeAssistant.tmp

Loads dropped DLL 26 IoCs

pid	Process
2676	MsiExec.exe
2676	MsiExec.exe
2188	MsiExec.exe
2188	MsiExec.exe
2188	MsiExec.exe
2188	MsiExec.exe
2188	MsiExec.exe
2188	MsiExec.exe
2188	MsiExec.exe
2188	MsiExec.exe
2188	MsiExec.exe
2188	MsiExec.exe
2680	msiexec.exe
1676	RTLogReceiver.exe
1676	RTLogReceiver.exe
1676	RTLogReceiver.exe
2100	RTLogReceiver.exe
2100	RTLogReceiver.exe
992	StrikeAssistant.exe
2240	StrikeAssistant.tmp
544	StrikeAssistant.exe
1660	StrikeAssistant.tmp
2188	MsiExec.exe
2712	cmd.exe
2712	cmd.exe
1152	ToolBeacon_3.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	1104	msiexec.exe
5	2680	msiexec.exe
9	2188	MsiExec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	SForceSetup.exe
File opened (read-only)	\??\J:	SForceSetup.exe
File opened (read-only)	\??\L:	SForceSetup.exe
File opened (read-only)	\??\M:	SForceSetup.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	SForceSetup.exe
File opened (read-only)	\??\G:	SForceSetup.exe
File opened (read-only)	\??\H:	SForceSetup.exe
File opened (read-only)	\??\Y:	SForceSetup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	SForceSetup.exe
File opened (read-only)	\??\B:	SForceSetup.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	SForceSetup.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	SForceSetup.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	SForceSetup.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	SForceSetup.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	SForceSetup.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	SForceSetup.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	SForceSetup.exe
File opened (read-only)	\??\E:	SForceSetup.exe
File opened (read-only)	\??\W:	SForceSetup.exe
File opened (read-only)	\??\X:	SForceSetup.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2100 set thread context of 2712	2100	RTLogReceiver.exe	45

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\SF Studios\Strike\StrikeAssistant.exe	msiexec.exe
File created	C:\Program Files\SF Studios\Strike\StrikePrerequisites.exe	msiexec.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIC79D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC80B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICDCA.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIC299.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICDB9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF24.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76bf2a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC16F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC569.tmp	msiexec.exe
File created	C:\Windows\Installer\f76bf2d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC307.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC3C3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC616.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICC21.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICCED.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f76bf2d.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE850.tmp	msiexec.exe
File created	C:\Windows\Installer\f76bf2a.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSICF24.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RTLogReceiver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RTLogReceiver.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StrikeAssistant.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SForceSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StrikeAssistant.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StrikeAssistant.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	StrikeAssistant.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Modifies system certificate store 2 TTPs 4 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	SForceSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	SForceSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	SForceSetup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	SForceSetup.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2676	MsiExec.exe
2188	MsiExec.exe
2680	msiexec.exe
2680	msiexec.exe
1676	RTLogReceiver.exe
1356	MSICF24.tmp
2100	RTLogReceiver.exe
2100	RTLogReceiver.exe
1660	StrikeAssistant.tmp
1660	StrikeAssistant.tmp
2712	cmd.exe
2712	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2100	RTLogReceiver.exe
2712	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2680	msiexec.exe
Token: SeTakeOwnershipPrivilege	2680	msiexec.exe
Token: SeSecurityPrivilege	2680	msiexec.exe
Token: SeCreateTokenPrivilege	2972	SForceSetup.exe
Token: SeAssignPrimaryTokenPrivilege	2972	SForceSetup.exe
Token: SeLockMemoryPrivilege	2972	SForceSetup.exe
Token: SeIncreaseQuotaPrivilege	2972	SForceSetup.exe
Token: SeMachineAccountPrivilege	2972	SForceSetup.exe
Token: SeTcbPrivilege	2972	SForceSetup.exe
Token: SeSecurityPrivilege	2972	SForceSetup.exe
Token: SeTakeOwnershipPrivilege	2972	SForceSetup.exe
Token: SeLoadDriverPrivilege	2972	SForceSetup.exe
Token: SeSystemProfilePrivilege	2972	SForceSetup.exe
Token: SeSystemtimePrivilege	2972	SForceSetup.exe
Token: SeProfSingleProcessPrivilege	2972	SForceSetup.exe
Token: SeIncBasePriorityPrivilege	2972	SForceSetup.exe
Token: SeCreatePagefilePrivilege	2972	SForceSetup.exe
Token: SeCreatePermanentPrivilege	2972	SForceSetup.exe
Token: SeBackupPrivilege	2972	SForceSetup.exe
Token: SeRestorePrivilege	2972	SForceSetup.exe
Token: SeShutdownPrivilege	2972	SForceSetup.exe
Token: SeDebugPrivilege	2972	SForceSetup.exe
Token: SeAuditPrivilege	2972	SForceSetup.exe
Token: SeSystemEnvironmentPrivilege	2972	SForceSetup.exe
Token: SeChangeNotifyPrivilege	2972	SForceSetup.exe
Token: SeRemoteShutdownPrivilege	2972	SForceSetup.exe
Token: SeUndockPrivilege	2972	SForceSetup.exe
Token: SeSyncAgentPrivilege	2972	SForceSetup.exe
Token: SeEnableDelegationPrivilege	2972	SForceSetup.exe
Token: SeManageVolumePrivilege	2972	SForceSetup.exe
Token: SeImpersonatePrivilege	2972	SForceSetup.exe
Token: SeCreateGlobalPrivilege	2972	SForceSetup.exe
Token: SeCreateTokenPrivilege	2972	SForceSetup.exe
Token: SeAssignPrimaryTokenPrivilege	2972	SForceSetup.exe
Token: SeLockMemoryPrivilege	2972	SForceSetup.exe
Token: SeIncreaseQuotaPrivilege	2972	SForceSetup.exe
Token: SeMachineAccountPrivilege	2972	SForceSetup.exe
Token: SeTcbPrivilege	2972	SForceSetup.exe
Token: SeSecurityPrivilege	2972	SForceSetup.exe
Token: SeTakeOwnershipPrivilege	2972	SForceSetup.exe
Token: SeLoadDriverPrivilege	2972	SForceSetup.exe
Token: SeSystemProfilePrivilege	2972	SForceSetup.exe
Token: SeSystemtimePrivilege	2972	SForceSetup.exe
Token: SeProfSingleProcessPrivilege	2972	SForceSetup.exe
Token: SeIncBasePriorityPrivilege	2972	SForceSetup.exe
Token: SeCreatePagefilePrivilege	2972	SForceSetup.exe
Token: SeCreatePermanentPrivilege	2972	SForceSetup.exe
Token: SeBackupPrivilege	2972	SForceSetup.exe
Token: SeRestorePrivilege	2972	SForceSetup.exe
Token: SeShutdownPrivilege	2972	SForceSetup.exe
Token: SeDebugPrivilege	2972	SForceSetup.exe
Token: SeAuditPrivilege	2972	SForceSetup.exe
Token: SeSystemEnvironmentPrivilege	2972	SForceSetup.exe
Token: SeChangeNotifyPrivilege	2972	SForceSetup.exe
Token: SeRemoteShutdownPrivilege	2972	SForceSetup.exe
Token: SeUndockPrivilege	2972	SForceSetup.exe
Token: SeSyncAgentPrivilege	2972	SForceSetup.exe
Token: SeEnableDelegationPrivilege	2972	SForceSetup.exe
Token: SeManageVolumePrivilege	2972	SForceSetup.exe
Token: SeImpersonatePrivilege	2972	SForceSetup.exe
Token: SeCreateGlobalPrivilege	2972	SForceSetup.exe
Token: SeCreateTokenPrivilege	2972	SForceSetup.exe
Token: SeAssignPrimaryTokenPrivilege	2972	SForceSetup.exe
Token: SeLockMemoryPrivilege	2972	SForceSetup.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
2972	SForceSetup.exe
1104	msiexec.exe
1660	StrikeAssistant.tmp
1104	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2680 wrote to memory of 2676	2680	msiexec.exe	31
PID 2680 wrote to memory of 2676	2680	msiexec.exe	31
PID 2680 wrote to memory of 2676	2680	msiexec.exe	31
PID 2680 wrote to memory of 2676	2680	msiexec.exe	31
PID 2680 wrote to memory of 2676	2680	msiexec.exe	31
PID 2680 wrote to memory of 2676	2680	msiexec.exe	31
PID 2680 wrote to memory of 2676	2680	msiexec.exe	31
PID 2972 wrote to memory of 1104	2972	SForceSetup.exe	33
PID 2972 wrote to memory of 1104	2972	SForceSetup.exe	33
PID 2972 wrote to memory of 1104	2972	SForceSetup.exe	33
PID 2972 wrote to memory of 1104	2972	SForceSetup.exe	33
PID 2972 wrote to memory of 1104	2972	SForceSetup.exe	33
PID 2972 wrote to memory of 1104	2972	SForceSetup.exe	33
PID 2972 wrote to memory of 1104	2972	SForceSetup.exe	33
PID 2680 wrote to memory of 2188	2680	msiexec.exe	37
PID 2680 wrote to memory of 2188	2680	msiexec.exe	37
PID 2680 wrote to memory of 2188	2680	msiexec.exe	37
PID 2680 wrote to memory of 2188	2680	msiexec.exe	37
PID 2680 wrote to memory of 2188	2680	msiexec.exe	37
PID 2680 wrote to memory of 2188	2680	msiexec.exe	37
PID 2680 wrote to memory of 2188	2680	msiexec.exe	37
PID 2680 wrote to memory of 948	2680	msiexec.exe	39
PID 2680 wrote to memory of 948	2680	msiexec.exe	39
PID 2680 wrote to memory of 948	2680	msiexec.exe	39
PID 2680 wrote to memory of 1356	2680	msiexec.exe	40
PID 2680 wrote to memory of 1356	2680	msiexec.exe	40
PID 2680 wrote to memory of 1356	2680	msiexec.exe	40
PID 2680 wrote to memory of 1356	2680	msiexec.exe	40
PID 2680 wrote to memory of 1356	2680	msiexec.exe	40
PID 2680 wrote to memory of 1356	2680	msiexec.exe	40
PID 2680 wrote to memory of 1356	2680	msiexec.exe	40
PID 948 wrote to memory of 1676	948	MSICDCA.tmp	41
PID 948 wrote to memory of 1676	948	MSICDCA.tmp	41
PID 948 wrote to memory of 1676	948	MSICDCA.tmp	41
PID 948 wrote to memory of 1676	948	MSICDCA.tmp	41
PID 1676 wrote to memory of 2100	1676	RTLogReceiver.exe	43
PID 1676 wrote to memory of 2100	1676	RTLogReceiver.exe	43
PID 1676 wrote to memory of 2100	1676	RTLogReceiver.exe	43
PID 1676 wrote to memory of 2100	1676	RTLogReceiver.exe	43
PID 992 wrote to memory of 2240	992	StrikeAssistant.exe	44
PID 992 wrote to memory of 2240	992	StrikeAssistant.exe	44
PID 992 wrote to memory of 2240	992	StrikeAssistant.exe	44
PID 992 wrote to memory of 2240	992	StrikeAssistant.exe	44
PID 992 wrote to memory of 2240	992	StrikeAssistant.exe	44
PID 992 wrote to memory of 2240	992	StrikeAssistant.exe	44
PID 992 wrote to memory of 2240	992	StrikeAssistant.exe	44
PID 2100 wrote to memory of 2712	2100	RTLogReceiver.exe	45
PID 2100 wrote to memory of 2712	2100	RTLogReceiver.exe	45
PID 2100 wrote to memory of 2712	2100	RTLogReceiver.exe	45
PID 2100 wrote to memory of 2712	2100	RTLogReceiver.exe	45
PID 2240 wrote to memory of 544	2240	StrikeAssistant.tmp	47
PID 2240 wrote to memory of 544	2240	StrikeAssistant.tmp	47
PID 2240 wrote to memory of 544	2240	StrikeAssistant.tmp	47
PID 2240 wrote to memory of 544	2240	StrikeAssistant.tmp	47
PID 544 wrote to memory of 1660	544	StrikeAssistant.exe	48
PID 544 wrote to memory of 1660	544	StrikeAssistant.exe	48
PID 544 wrote to memory of 1660	544	StrikeAssistant.exe	48
PID 544 wrote to memory of 1660	544	StrikeAssistant.exe	48
PID 544 wrote to memory of 1660	544	StrikeAssistant.exe	48
PID 544 wrote to memory of 1660	544	StrikeAssistant.exe	48
PID 544 wrote to memory of 1660	544	StrikeAssistant.exe	48
PID 1660 wrote to memory of 2928	1660	StrikeAssistant.tmp	49
PID 1660 wrote to memory of 2928	1660	StrikeAssistant.tmp	49
PID 1660 wrote to memory of 2928	1660	StrikeAssistant.tmp	49

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SForceSetup.exe
"C:\Users\Admin\AppData\Local\Temp\SForceSetup.exe"
1⤵
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\SF Studios\Strike 1.0.0\install\Strike.x64.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\SForceSetup.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1740489295 "
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:1104

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Loads dropped DLL
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 241B53D9CEE1BAC1FC46C7421CC42203 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2676
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7DFC49FC99D990331763A58E7594E14E
  2⤵
  - Loads dropped DLL
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2188
- C:\Windows\Installer\MSICDCA.tmp
  "C:\Windows\Installer\MSICDCA.tmp"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:948
- - C:\Users\Admin\AppData\Local\Temp\Rhizopod\RTLogReceiver.exe
    "C:\Users\Admin\AppData\Local\Temp\Rhizopod\RTLogReceiver.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1676
  - - C:\Users\Admin\AppData\Roaming\systemWatcher_v3\RTLogReceiver.exe
      C:\Users\Admin\AppData\Roaming\systemWatcher_v3\RTLogReceiver.exe
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:2100
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\SysWOW64\cmd.exe
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:2712
      - C:\Users\Admin\AppData\Local\Temp\ToolBeacon_3.exe
        
        C:\Users\Admin\AppData\Local\Temp\ToolBeacon_3.exe
        6⤵
        Loads dropped DLL
        
        PID:1152
- C:\Windows\Installer\MSICF24.tmp
  "C:\Windows\Installer\MSICF24.tmp" "C:\Program Files\SF Studios\Strike\StrikeAssistant.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1356

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2864

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D8" "000000000000059C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:572

C:\Program Files\SF Studios\Strike\StrikeAssistant.exe
"C:\Program Files\SF Studios\Strike\StrikeAssistant.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:992
- C:\Users\Admin\AppData\Local\Temp\is-QLUBL.tmp\StrikeAssistant.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-QLUBL.tmp\StrikeAssistant.tmp" /SL5="$1101F6,10574003,121344,C:\Program Files\SF Studios\Strike\StrikeAssistant.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Program Files\SF Studios\Strike\StrikeAssistant.exe
    "C:\Program Files\SF Studios\Strike\StrikeAssistant.exe" /verysilent /password=31g1o
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:544
  - - C:\Users\Admin\AppData\Local\Temp\is-6TD4D.tmp\StrikeAssistant.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-6TD4D.tmp\StrikeAssistant.tmp" /SL5="$70218,10574003,121344,C:\Program Files\SF Studios\Strike\StrikeAssistant.exe" /verysilent /password=31g1o
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:1660
    - - C:\Windows\SysWOW64\msiexec.exe
        
        "msiexec.exe" -i "C:\Users\Admin\AppData\Local\Temp\is-O3JAS.tmp\Java.msi" -qn
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76bf2e.rbs

Filesize
1KB

MD5
aa1ba182720e7c2cb3334a98cc930ac9

SHA1
51e456e061766e499f500bea2ef632d920ee1d4f

SHA256
7c46cdaa59748a35d08f5aca455b546c595ad1417d1e6f946367ac57aedadd99

SHA512
582d8348cd7cc178a6c392fb11294186e8ede7e0f27cd3134bfae395a09e9d1ac5fefbe9c5b066017b27e6a8469746371f8bcadcafd83f65116cbfcc4e38d2b3

Download Submit
C:\Program Files\SF Studios\Strike\StrikeAssistant.exe

Filesize
10.5MB

MD5
b6d2b51d3391834b707e155a93e80fed

SHA1
758e502c2f7c5bb2e4824a6217852a3012005070

SHA256
9bdd6089f70e9569c6c1158184fe815b9babda33211f67d058248a3ce6c9b49c

SHA512
21fd9876365b2c20bdd964fbf73daa10f54b929b2ceb39220e9c3d0b2795b20d468718266e3868a850da6043879e8a43528604669a84d312c01e66da78e9f035

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
71KB

MD5
83142242e97b8953c386f988aa694e4a

SHA1
833ed12fc15b356136dcdd27c61a50f59c5c7d50

SHA256
d72761e1a334a754ce8250e3af7ea4bf25301040929fd88cf9e50b4a9197d755

SHA512
bb6da177bd16d163f377d9b4c63f6d535804137887684c113cc2f643ceab4f34338c06b5a29213c23d375e95d22ef417eac928822dfb3688ce9e2de9d5242d10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4f6afb265c785e0f3b2b3d13955db43d

SHA1
fd62fca12150cf43498bb5d73cf27906a3f7461c

SHA256
a37b8ec033f859bd43e1f8ffc9d5d21181b7aa2ef04edb38d3fe4d3622224a47

SHA512
00107275c460c0aa16c341d1202b36cecfdcf9b669810b4cd9de4b71829c5ed4375ed3c9e5f264251b93dd041f1d5971f6373d084d9b4cd57b5a26f51bbe6ee6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
317bdb42dea509acecebf2d9c17e4dae

SHA1
a01129d74cfb99466bb837c7de337ad1f92d7513

SHA256
acf666812b9a71a230b7251de2d02277aad8c7135addf3588c02ca6c1f8eea52

SHA512
87aaa3864774b727823037255bf4fc74c3ab9e17b9bfe3540af5425b4de24c21fa92f5400225af6a544774896046a355fd64daacf516f2baa07c8e94bfaa5d97

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\67bccea84512a1c62dbce056\1.0.0\tracking.ini

Filesize
84B

MD5
fe7b61b234899a0b8d11f8395a499966

SHA1
d09ec65d35bf31444cb10a12c26de67e4987177d

SHA256
ee81c36ada11f00bc518d8a33c2a815b186083a104f5bb721e16ad471e40cde7

SHA512
9204fb83ec45431a9eb0bb58c5f671ce0ef331efd0ad5b09ef2e14aac4feebf4ba85d7e505e202222262047dbf6d6ce19cf158a892340251b84fc895cee95e61

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\67bccea84512a1c62dbce056\1.0.0\tracking.ini

Filesize
84B

MD5
901dce98c300319145e8d8ad4438327b

SHA1
7ae004dfdee7c3e0094a8ae1a38019e1e6535b7e

SHA256
62d5b90659eb6f1fa5be3c91395e184f10833a8e7adad9c80c9319c2d9e04b71

SHA512
a5a55ced5266a84a18397253fdd21d521965e6e5c761cb42b1ccedfaadcf82c36e2bdabba3f2387552b297f4cfb713c86fc42b23305810fd556428ee81111be7

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\67bccea84512a1c62dbce056\1.0.0\{68706E55-4E75-4AE0-8F08-6469A331BCB7}.session

Filesize
4KB

MD5
a0abbc2bbe5a75483dcbcfbd02aefa73

SHA1
abbc207ce7aa726e9b2fa00484fcfa803acd9844

SHA256
38bdf4402f86bf13e2992c9e70fc71b423f629dfe045705a3936df34733b33a6

SHA512
8769cce78c9e20e746b572558d0c105868325353ff7b8a7ef79791793df2af6aae7d55a0d47a0f798841b609e000bd1b89245aa9a0e48ac8ef03b7e1e04b4925

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9E35.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA022.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA090.tmp

Filesize
1.1MB

MD5
58c6476771f68f57661d0f6533cb70ef

SHA1
8080de39939f0a8f1e0c529cca30bf38b0e6abf2

SHA256
7eb240ef6e75de05b2a199bc55fdc8d13f467d5b4e58457011653312fffcc65f

SHA512
2b4b4e4466a7eea2d28631a80f257ced0a7263aa81c945105b793371534580dff1b66779bab36b9157b596c352c234a19c568e105faa1ba8681aa39feb5950c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rhizopod\RTLogReceiver.exe

Filesize
216KB

MD5
38840d6bf71bcb609130ecdecd05b04c

SHA1
35a4a172ce8965f9d4b7a3dc000b1766acd74440

SHA256
edfff9609d930828a1c28ab4d78368ffa3e8bc34d5f47e588e70b7f6c1680fe6

SHA512
e9a9c1b41870254477a4302c7bea79ca0eea84a6b273f5edfbb2e829c500acbe2b10b7e96e2b707e231f7d488a37bc1b21ca6ad778128f9320f021b1e4c71940

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rhizopod\cajeput.ai

Filesize
67KB

MD5
c8274e7a1e54ab9e65ff450476b2ae7b

SHA1
be4ddaeacc3d34631776107c4250fa93b44e676f

SHA256
bae570ad275e43dd5e5d5c45aeeeb4167af6528898d69d3594af3626f1f3df5b

SHA512
2510b387cc1dcb8bbd99aa3deb149fc0ea5fbdd30c698af1c3b9469ec4f16049ceda08e9d556a83bfc5026c27818d2dfb6b059256259c2f0376ac0e31de326f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rhizopod\orpine.tar.gz

Filesize
4.3MB

MD5
8f7319af4316410a641a126c995714fd

SHA1
214abfe350b1f53b6d8baa5834aed4a54876fe7f

SHA256
382454c9b9d528d5cde26ea08880330af36d934ea432369158ea79af2d4da67c

SHA512
477b1a8fa1135084b439b421640ef59f55dc135daf93e46b7a2eda6b58fb65686b3e39bc16b2007be0bb56dd410b331a830fd025c098f451f3bb0d1ea7a4763a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rhizopod\rtl280.bpl

Filesize
12.3MB

MD5
fcdf410c77a83f042590c29280b39f52

SHA1
c702ff6526e509b22c5659e6f7eeee1a38909a9e

SHA256
08941c5fa519f9dffba137a2a4844e9063ed71bc0c881fb7643e67fb3e3ddb0a

SHA512
bc68982570c27c859d1eaa06191058d23889d10f25279eb2e8130af715a50e3fe1b0b7aceb5d64e90f7e102ba3aa4bdc6c2c7705bab4bd55e24d5f5884211fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rhizopod\vcl280.bpl

Filesize
4.0MB

MD5
41f745514ccc1b9796d4f081f4f208b0

SHA1
028e2fa926e53717e7965654a8394f7cdbe4fa5b

SHA256
1e366b8288e06ef4511d987e8cc4a7f44e2757f99e1d6f03dedfb046b04ee8a4

SHA512
fe08e1c626989758e26a9bbcd1a815c462396fb3145723609ad0e6b7dcbe66ec6133acc13cea428dfb9a6660984e4cad2cc3035b4d341bd5a4fddc88f7266870

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9E57.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9F56.tmp

Filesize
183KB

MD5
109cab5505f5e065b63d01361467a83b

SHA1
4ed78955b9272a9ed689b51bf2bf4a86a25e53fc

SHA256
ea6b7f51e85835c09259d9475a7d246c3e764ad67c449673f9dc97172c351673

SHA512
753a6da5d6889dd52f40208e37f2b8c185805ef81148682b269fff5aa84a46d710fe0ebfe05bce625da2e801e1c26745998a41266fa36bf47bc088a224d730cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\c935f832

Filesize
5.4MB

MD5
895d9ae3f5dd9bc9b33e495d4b070b7d

SHA1
6b6815a56437c12303245c192401bd12a156ed24

SHA256
3337d17e25be00ec480a4c194552ee3c93ed193e0e303bc5020f3961deca397c

SHA512
ed60f0cd45da15f773f108bbe4ec0b439bd325b0b29a152966472cef23c61e112b41c7347762dd5cc3ab7303c1bcae4c10b285a2c26b971bea278a5d8bde0d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-O3JAS.tmp\Java.msi

Filesize
10.9MB

MD5
1b6a2ecfecd443c796287edae03412ca

SHA1
f840c647b654b1eec98671717522ebf37b76d329

SHA256
281889135258fbb445150a4cc6aa730449c19909a9e795b1eec2b39d474894d4

SHA512
c87c539410d513ebfa36ca6da8bbe787509790e3eb87604fc2d2d0bdf9b5812bcfbe358549d98c43b720a8dde0d9512e628b20ee2a5fe5071c4f68e5b4099118

Download Submit
C:\Users\Admin\AppData\Roaming\SF Studios\Strike 1.0.0\install\Strike.x64.msi

Filesize
12.8MB

MD5
1ba830c405756533e7675ad7694d4b5e

SHA1
bc84326d094b7b8ece7dcadcb035f953fb63119f

SHA256
9a99725176c41c5397fa6fdbe37c4ef75ae8fa48833efea027d6e3bc07d9f9d5

SHA512
50f7a2acb905af624ca9ea25d6de9744c972fc950138a327242a97b590153830bee2129a27abc05d4503a394a8f613e9b1424c44c6dbd8a8dab71aeae91d6312

Download Submit
C:\Users\Admin\AppData\Roaming\SF Studios\Strike 1.0.0\install\Strike1.cab

Filesize
36.3MB

MD5
dd71e57ad8613cdafbc9689cab8675d9

SHA1
7e0514211d091f829d9fd702b59eb23577b7f4cd

SHA256
1beea256784ae64734a3a8d17e8f07d91501b8b40727380386ac214800529c98

SHA512
1d343d0fca6d6e6682ef2b2717b6f50d0a1ecb2064637a3dc24a658af2c048602d788dcb29ace9ea5f2530034d213d97a978a05a5a54679d742937a33d98c992

Download Submit
C:\Windows\Installer\MSIC16F.tmp

Filesize
1.0MB

MD5
806e65956064190d6154d5de5cc96a5e

SHA1
f2fa1b10dec6f4166b79e710d81147c9028c4198

SHA256
17f79990c5455ac18abbca13fcd8f8584518881487f9fedcbd7cbbdbe003c6f8

SHA512
ae72ec2fe5895ca5e9e44b6c5e677356f9b7ba342d686a59be42b16027013d4b7c8c83ed0530705d792ac7b5881d10ec72dff546c2ee3c1452372d363501c62f

Download Submit
C:\Windows\Installer\MSIC80B.tmp

Filesize
835KB

MD5
3fe648959c7496beb28a3638fcc2e944

SHA1
6c73ebcdf517e2b30ad90f046f50f9e64c7a636c

SHA256
e6d18685b2e231f9166909764c3b90bbc3c51f30736d18873166e5dc9133e290

SHA512
1be58c011987b67396e052d32b6b3576823d612e4e678a18641a55fb6159b32e106cadeeebc22f179aa07902e1bbf517cc10d1ebf7233bf68fe198de3f20bca2

Download Submit
C:\Windows\Installer\MSICF24.tmp

Filesize
404KB

MD5
f9bae6c70bcb6b029c7da5c54fe6d5c2

SHA1
24b7186a4d4b9187561ace5b35c3bc86132891b8

SHA256
0bcaec25d9840cbd4e0270e2679e1a28be25e995153c339c646da2933a21ac66

SHA512
c335b1623af57e58e219853460f8ed9cb7717fbf17209caec8396866004bf0a0512a8308e2377871fccff1d3d5169ba4054a879c9383a192aefb30a309689647

Download Submit
\Users\Admin\AppData\Local\Temp\is-N5VGF.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-QLUBL.tmp\StrikeAssistant.tmp

Filesize
1.1MB

MD5
90fc739c83cd19766acb562c66a7d0e2

SHA1
451f385a53d5fed15e7649e7891e05f231ef549a

SHA256
821bd11693bf4b4b2b9f3c196036e1f4902abd95fb26873ea6c43e123b8c9431

SHA512
4cb11ad48b7585ef1b70fac9e3c25610b2f64a16358cd51e32adcb0b17a6ab1c934aeb10adaa8e9ddf69b2e2f1d18fe2e87b49b39f89b05ea13aa3205e41296c

Download Submit
\Windows\Installer\MSICDCA.tmp

Filesize
8.2MB

MD5
6d4274f7b0ce245e587a5268f13dfbe4

SHA1
55b02e546d95f1d2ef84c1bbc2977813cfccfcce

SHA256
b480fec95b84980e88e0e5958873b7194029ffbaa78369cfe5c0e4d64849fb32

SHA512
f991f6beb57b55309466b8c180bce3c21c89c570ba427e57e081fb68c6c81fac10f601c8cfcf57300964888aa577c88ee07e6a4377aa89e20289436654636169

Download Submit
memory/544-393-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/544-435-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/992-408-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/992-358-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1152-496-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

Filesize
4KB

Download
memory/1152-495-0x000007FFFFFD9000-0x000007FFFFFDA000-memory.dmp

Filesize
4KB

Download
memory/1152-498-0x0000000000160000-0x0000000000475000-memory.dmp

Filesize
3.1MB

Download
memory/1152-497-0x0000000000160000-0x0000000000475000-memory.dmp

Filesize
3.1MB

Download
memory/1356-353-0x00000000000B0000-0x00000000000B2000-memory.dmp

Filesize
8KB

Download
memory/1660-433-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/1676-361-0x0000000077B30000-0x0000000077CD9000-memory.dmp

Filesize
1.7MB

Download
memory/1676-371-0x0000000000DE0000-0x0000000000E18000-memory.dmp

Filesize
224KB

Download
memory/1676-357-0x0000000072F60000-0x00000000730D4000-memory.dmp

Filesize
1.5MB

Download
memory/1676-373-0x0000000050CB0000-0x00000000510C2000-memory.dmp

Filesize
4.1MB

Download
memory/1676-372-0x0000000050050000-0x0000000050CA7000-memory.dmp

Filesize
12.3MB

Download
memory/2100-386-0x0000000072DE0000-0x0000000072F54000-memory.dmp

Filesize
1.5MB

Download
memory/2100-429-0x0000000050CB0000-0x00000000510C2000-memory.dmp

Filesize
4.1MB

Download
memory/2100-387-0x0000000077B30000-0x0000000077CD9000-memory.dmp

Filesize
1.7MB

Download
memory/2100-428-0x0000000050050000-0x0000000050CA7000-memory.dmp

Filesize
12.3MB

Download
memory/2100-427-0x0000000000DB0000-0x0000000000DE8000-memory.dmp

Filesize
224KB

Download
memory/2100-425-0x0000000072DE0000-0x0000000072F54000-memory.dmp

Filesize
1.5MB

Download
memory/2240-398-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/2712-436-0x0000000077B30000-0x0000000077CD9000-memory.dmp

Filesize
1.7MB

Download
memory/2712-492-0x0000000072DE0000-0x0000000072F54000-memory.dmp

Filesize
1.5MB

Download
memory/2972-0-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2972-137-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download