gh0strat | 2c12e2073d0b50369b0b10ebbdb8bf8357fbf7cdca3f97b0b84192339b846c25

Resubmissions

19-07-2024 08:22

240719-j929savcmd 6

19-07-2024 08:14

240719-j5fj8a1clk 10

19-07-2024 08:08

240719-j1lknstgpb 6

Analysis

max time kernel
150s
max time network
141s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
19-07-2024 08:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gooleo.msi
Size

87.8MB
MD5

e651816dd9240300cf9bd9c565e3b869
SHA1

a4bc6e8f6516f3d549195887d7095b9496ae52f9
SHA256

2c12e2073d0b50369b0b10ebbdb8bf8357fbf7cdca3f97b0b84192339b846c25
SHA512

90646a020b0ea67c912f999690382a44f5649c5f3c2a4a7c060aced6a9a71533b92c04d948db8bafd717dd295ad19bb85a71d73ef86a62613e65053323b108b8
SSDEEP

1572864:MKSA0Q9ilL4UxQUoim6casSZrcBsCWpuFg9O/jAaWFFDp+chVF1luEbtYio0z8+U:MbVQ92TQUooc3Uw2F9HHluEbtpoOKd3

Score

10^/10

gh0strat execution persistence privilege_escalation rat upx

Malware Config

Signatures

Gh0st RAT payload 3 IoCs

resource	yara_rule
behavioral1/memory/2652-497-0x0000000005070000-0x00000000058DF000-memory.dmp	family_gh0strat
behavioral1/memory/1852-920-0x0000000005EA0000-0x000000000670F000-memory.dmp	family_gh0strat
behavioral1/memory/1852-935-0x0000000006710000-0x0000000006F7F000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

UPX packed file 19 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1308-374-0x0000000003020000-0x00000000030AA000-memory.dmp	upx
behavioral1/memory/2652-387-0x0000000000E10000-0x0000000000E9A000-memory.dmp	upx
behavioral1/memory/2652-389-0x0000000000E10000-0x0000000000E9A000-memory.dmp	upx
behavioral1/memory/2652-390-0x0000000002D30000-0x0000000002D63000-memory.dmp	upx
behavioral1/memory/2652-447-0x0000000004590000-0x0000000004DFF000-memory.dmp	upx
behavioral1/memory/2652-458-0x0000000005070000-0x00000000058DF000-memory.dmp	upx
behavioral1/memory/2652-497-0x0000000005070000-0x00000000058DF000-memory.dmp	upx
behavioral1/memory/1852-533-0x00000000028B0000-0x00000000028E9000-memory.dmp	upx
behavioral1/memory/1852-536-0x00000000028B0000-0x00000000028E9000-memory.dmp	upx
behavioral1/memory/1852-746-0x00000000028B0000-0x00000000028E9000-memory.dmp	upx
behavioral1/memory/2652-754-0x0000000000E10000-0x0000000000E9A000-memory.dmp	upx
behavioral1/memory/4984-755-0x0000000002130000-0x0000000002169000-memory.dmp	upx
behavioral1/memory/4984-758-0x0000000002130000-0x0000000002169000-memory.dmp	upx
behavioral1/memory/1852-813-0x0000000006710000-0x0000000006F7F000-memory.dmp	upx
behavioral1/memory/1852-814-0x0000000005EA0000-0x000000000670F000-memory.dmp	upx
behavioral1/memory/1852-920-0x0000000005EA0000-0x000000000670F000-memory.dmp	upx
behavioral1/memory/1852-935-0x0000000006710000-0x0000000006F7F000-memory.dmp	upx
behavioral1/memory/2192-979-0x0000000003A10000-0x0000000003A9A000-memory.dmp	upx
behavioral1/memory/2192-1059-0x0000000003A10000-0x0000000003A9A000-memory.dmp	upx

Adds Run key to start application 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\CORCentRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\MiniStorPlay.exe"	_QQMusicKA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CORCentRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\MiniStorPlay.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LOWORCAPP = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\WallPaper.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ManisORRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\QQMusic.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CORCentRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\MiniStorPlay.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LOWORCAPP = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\WallPaper.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ManisORRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\QQMusic.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CORCentRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\MiniStorPlay.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ManisORRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\QQMusic.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManisORRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\QQMusic.exe"	_QQMusicKA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LOWORCAPP = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\WallPaper.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\CORCentRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\MiniStorPlay.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ManisORRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\QQMusic.exe"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManisORRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\QQMusic.exe"	TaskLoad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\LOWORCAPP = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\WallPaper.exe"	_QQMusicKA.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LOWORCAPP = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\WallPaper.exe"	rundll32.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	TaskLoad.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	TaskLoad.exe
File opened (read-only)	\??\U:	TaskLoad.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	TaskLoad.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	TaskLoad.exe
File opened (read-only)	\??\W:	TaskLoad.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	TaskLoad.exe
File opened (read-only)	\??\Q:	TaskLoad.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	TaskLoad.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	TaskLoad.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	TaskLoad.exe
File opened (read-only)	\??\X:	TaskLoad.exe
File opened (read-only)	\??\Z:	TaskLoad.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	TaskLoad.exe
File opened (read-only)	\??\O:	TaskLoad.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	TaskLoad.exe
File opened (read-only)	\??\I:	TaskLoad.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	TaskLoad.exe
File opened (read-only)	\??\H:	TaskLoad.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Defenderr\xfKH3A7ONV\WS_Log.dll	MsiExec.exe
File created	C:\Program Files\Windows Defenderr\xfKH3A7ONV\FourierTransformLib8.dll	MsiExec.exe
File created	C:\Program Files\Windows Defenderr\xfKH3A7ONV\ImageRestoreLib8.dll	MsiExec.exe
File created	C:\Program Files\Windows Defenderr\xfKH3A7ONV\wavelet_3_8.dll	MsiExec.exe
File created	C:\Program Files\Windows Defenderr\xfKH3A7ONV\dll1.dll	MsiExec.exe
File created	C:\Program Files\Windows Defenderr\xfKH3A7ONV\libcef.dll	MsiExec.exe
File created	C:\Program Files\Windows Defenderr\xfKH3A7ONV\xfKH3A7ONV.exe	MsiExec.exe
File created	C:\Program Files\Windows Defenderr\xfKH3A7ONV\WS_Log.dll	MsiExec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57ce0e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICF47.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{13A5BCD1-56BB-4290-90FC-9B59AC6F1C74}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICFD5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID1F9.tmp	msiexec.exe
File created	C:\Windows\Installer\{13A5BCD1-56BB-4290-90FC-9B59AC6F1C74}\PublicDocumentsFolderappR_1.exe	msiexec.exe
File created	C:\Windows\Installer\e57ce0e.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSICE8B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{13A5BCD1-56BB-4290-90FC-9B59AC6F1C74}\PublicDocumentsFolderappR_1.exe	msiexec.exe

Executes dropped EXE 5 IoCs

pid	Process
1308	xfKH3A7ONV.exe
2652	TaskLoad.exe
1852	_QQMusicKA.exe
4984	_QQMusicKA.exe
2192	TaskLoad.exe

Loads dropped DLL 25 IoCs

pid	Process
96	MsiExec.exe
96	MsiExec.exe
96	MsiExec.exe
96	MsiExec.exe
96	MsiExec.exe
96	MsiExec.exe
96	MsiExec.exe
3976	MsiExec.exe
3976	MsiExec.exe
3976	MsiExec.exe
1308	xfKH3A7ONV.exe
1308	xfKH3A7ONV.exe
1308	xfKH3A7ONV.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
1852	_QQMusicKA.exe
1852	_QQMusicKA.exe
1852	_QQMusicKA.exe
4984	_QQMusicKA.exe
4984	_QQMusicKA.exe
4984	_QQMusicKA.exe
2192	TaskLoad.exe
2192	TaskLoad.exe
2192	TaskLoad.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
380	Powershell.exe
4556	Powershell.exe
4220	Powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

pid	Process
3308	msiexec.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
5040	1308	WerFault.exe	85

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_QEMU&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TaskLoad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TaskLoad.exe

Kills process with taskkill 20 IoCs

evasion

pid	Process
2360	taskkill.exe
1428	taskkill.exe
8	taskkill.exe
3160	taskkill.exe
4956	taskkill.exe
5076	taskkill.exe
4428	taskkill.exe
1940	taskkill.exe
3264	taskkill.exe
692	taskkill.exe
5116	taskkill.exe
4408	taskkill.exe
5024	taskkill.exe
4480	taskkill.exe
5012	taskkill.exe
1084	taskkill.exe
3360	taskkill.exe
3964	taskkill.exe
380	taskkill.exe
3560	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\ManisORRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\QQMusic.exe"	rundll32.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	Powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b\52C64B7E	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	_QQMusicKA.exe
Key created	\REGISTRY\USER\.DEFAULT\V	_QQMusicKA.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Win8DpiScaling = "1"	_QQMusicKA.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	Powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\KeyNamereg = "KeyValue"	TaskLoad.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\LOWORCAPP = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\WallPaper.exe"	_QQMusicKA.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\CORCentRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\MiniStorPlay.exe"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	Powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	_QQMusicKA.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	Powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2BF9676-5F8F-435C-97EB-11607A5BEDF7} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 01000000000000007d6b0a7eb4d9da01	_QQMusicKA.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\CORCentRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\MiniStorPlay.exe"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	Powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	Powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{23170F69-40C1-278A-1000-000100020000} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 01000000000000007d6b0a7eb4d9da01	_QQMusicKA.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	Powershell.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{596AB062-B4D2-4215-9F74-E9109B0A8153} {000214E4-0000-0000-C000-000000000046} 0xFFFF = 010000000000000011e2007eb4d9da01	_QQMusicKA.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\CORCentRun = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\system\\MiniStorPlay.exe"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\KeyNamereg = "KeyValue"	_QQMusicKA.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	Powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\LOWORCAPP = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\WallPaper.exe"	rundll32.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run\LOWORCAPP = "C:\\Users\\Public\\Documents\\RECSLLE.BIN\\WallPaper.exe"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	Powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	Powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	Powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	Powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4580	msiexec.exe
4580	msiexec.exe
1308	xfKH3A7ONV.exe
1308	xfKH3A7ONV.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe
2652	TaskLoad.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3308	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3308	msiexec.exe
Token: SeSecurityPrivilege	4580	msiexec.exe
Token: SeCreateTokenPrivilege	3308	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3308	msiexec.exe
Token: SeLockMemoryPrivilege	3308	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3308	msiexec.exe
Token: SeMachineAccountPrivilege	3308	msiexec.exe
Token: SeTcbPrivilege	3308	msiexec.exe
Token: SeSecurityPrivilege	3308	msiexec.exe
Token: SeTakeOwnershipPrivilege	3308	msiexec.exe
Token: SeLoadDriverPrivilege	3308	msiexec.exe
Token: SeSystemProfilePrivilege	3308	msiexec.exe
Token: SeSystemtimePrivilege	3308	msiexec.exe
Token: SeProfSingleProcessPrivilege	3308	msiexec.exe
Token: SeIncBasePriorityPrivilege	3308	msiexec.exe
Token: SeCreatePagefilePrivilege	3308	msiexec.exe
Token: SeCreatePermanentPrivilege	3308	msiexec.exe
Token: SeBackupPrivilege	3308	msiexec.exe
Token: SeRestorePrivilege	3308	msiexec.exe
Token: SeShutdownPrivilege	3308	msiexec.exe
Token: SeDebugPrivilege	3308	msiexec.exe
Token: SeAuditPrivilege	3308	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3308	msiexec.exe
Token: SeChangeNotifyPrivilege	3308	msiexec.exe
Token: SeRemoteShutdownPrivilege	3308	msiexec.exe
Token: SeUndockPrivilege	3308	msiexec.exe
Token: SeSyncAgentPrivilege	3308	msiexec.exe
Token: SeEnableDelegationPrivilege	3308	msiexec.exe
Token: SeManageVolumePrivilege	3308	msiexec.exe
Token: SeImpersonatePrivilege	3308	msiexec.exe
Token: SeCreateGlobalPrivilege	3308	msiexec.exe
Token: SeCreateTokenPrivilege	3308	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3308	msiexec.exe
Token: SeLockMemoryPrivilege	3308	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3308	msiexec.exe
Token: SeMachineAccountPrivilege	3308	msiexec.exe
Token: SeTcbPrivilege	3308	msiexec.exe
Token: SeSecurityPrivilege	3308	msiexec.exe
Token: SeTakeOwnershipPrivilege	3308	msiexec.exe
Token: SeLoadDriverPrivilege	3308	msiexec.exe
Token: SeSystemProfilePrivilege	3308	msiexec.exe
Token: SeSystemtimePrivilege	3308	msiexec.exe
Token: SeProfSingleProcessPrivilege	3308	msiexec.exe
Token: SeIncBasePriorityPrivilege	3308	msiexec.exe
Token: SeCreatePagefilePrivilege	3308	msiexec.exe
Token: SeCreatePermanentPrivilege	3308	msiexec.exe
Token: SeBackupPrivilege	3308	msiexec.exe
Token: SeRestorePrivilege	3308	msiexec.exe
Token: SeShutdownPrivilege	3308	msiexec.exe
Token: SeDebugPrivilege	3308	msiexec.exe
Token: SeAuditPrivilege	3308	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3308	msiexec.exe
Token: SeChangeNotifyPrivilege	3308	msiexec.exe
Token: SeRemoteShutdownPrivilege	3308	msiexec.exe
Token: SeUndockPrivilege	3308	msiexec.exe
Token: SeSyncAgentPrivilege	3308	msiexec.exe
Token: SeEnableDelegationPrivilege	3308	msiexec.exe
Token: SeManageVolumePrivilege	3308	msiexec.exe
Token: SeImpersonatePrivilege	3308	msiexec.exe
Token: SeCreateGlobalPrivilege	3308	msiexec.exe
Token: SeCreateTokenPrivilege	3308	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3308	msiexec.exe
Token: SeLockMemoryPrivilege	3308	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3308	msiexec.exe
3308	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4580 wrote to memory of 96	4580	msiexec.exe	75
PID 4580 wrote to memory of 96	4580	msiexec.exe	75
PID 4580 wrote to memory of 96	4580	msiexec.exe	75
PID 4580 wrote to memory of 2584	4580	msiexec.exe	79
PID 4580 wrote to memory of 2584	4580	msiexec.exe	79
PID 4580 wrote to memory of 3976	4580	msiexec.exe	81
PID 4580 wrote to memory of 3976	4580	msiexec.exe	81
PID 4580 wrote to memory of 3976	4580	msiexec.exe	81
PID 4580 wrote to memory of 4196	4580	msiexec.exe	82
PID 4580 wrote to memory of 4196	4580	msiexec.exe	82
PID 4580 wrote to memory of 4196	4580	msiexec.exe	82
PID 4196 wrote to memory of 1308	4196	MsiExec.exe	85
PID 4196 wrote to memory of 1308	4196	MsiExec.exe	85
PID 4196 wrote to memory of 1308	4196	MsiExec.exe	85
PID 1308 wrote to memory of 2652	1308	xfKH3A7ONV.exe	87
PID 1308 wrote to memory of 2652	1308	xfKH3A7ONV.exe	87
PID 1308 wrote to memory of 2652	1308	xfKH3A7ONV.exe	87
PID 2652 wrote to memory of 380	2652	TaskLoad.exe	90
PID 2652 wrote to memory of 380	2652	TaskLoad.exe	90
PID 2652 wrote to memory of 380	2652	TaskLoad.exe	90
PID 2652 wrote to memory of 1852	2652	TaskLoad.exe	92
PID 2652 wrote to memory of 1852	2652	TaskLoad.exe	92
PID 2652 wrote to memory of 1852	2652	TaskLoad.exe	92
PID 1852 wrote to memory of 4984	1852	_QQMusicKA.exe	93
PID 1852 wrote to memory of 4984	1852	_QQMusicKA.exe	93
PID 1852 wrote to memory of 4984	1852	_QQMusicKA.exe	93
PID 1852 wrote to memory of 4228	1852	_QQMusicKA.exe	94
PID 1852 wrote to memory of 4228	1852	_QQMusicKA.exe	94
PID 1852 wrote to memory of 4228	1852	_QQMusicKA.exe	94
PID 1852 wrote to memory of 4732	1852	_QQMusicKA.exe	95
PID 1852 wrote to memory of 4732	1852	_QQMusicKA.exe	95
PID 1852 wrote to memory of 4732	1852	_QQMusicKA.exe	95
PID 1852 wrote to memory of 596	1852	_QQMusicKA.exe	96
PID 1852 wrote to memory of 596	1852	_QQMusicKA.exe	96
PID 1852 wrote to memory of 596	1852	_QQMusicKA.exe	96
PID 1852 wrote to memory of 4656	1852	_QQMusicKA.exe	97
PID 1852 wrote to memory of 4656	1852	_QQMusicKA.exe	97
PID 1852 wrote to memory of 4656	1852	_QQMusicKA.exe	97
PID 1852 wrote to memory of 1084	1852	_QQMusicKA.exe	98
PID 1852 wrote to memory of 1084	1852	_QQMusicKA.exe	98
PID 1852 wrote to memory of 1084	1852	_QQMusicKA.exe	98
PID 2652 wrote to memory of 2192	2652	TaskLoad.exe	100
PID 2652 wrote to memory of 2192	2652	TaskLoad.exe	100
PID 2652 wrote to memory of 2192	2652	TaskLoad.exe	100
PID 1852 wrote to memory of 4556	1852	_QQMusicKA.exe	101
PID 1852 wrote to memory of 4556	1852	_QQMusicKA.exe	101
PID 1852 wrote to memory of 4556	1852	_QQMusicKA.exe	101
PID 1852 wrote to memory of 4220	1852	_QQMusicKA.exe	102
PID 1852 wrote to memory of 4220	1852	_QQMusicKA.exe	102
PID 1852 wrote to memory of 4220	1852	_QQMusicKA.exe	102
PID 1852 wrote to memory of 4480	1852	_QQMusicKA.exe	105
PID 1852 wrote to memory of 4480	1852	_QQMusicKA.exe	105
PID 1852 wrote to memory of 4480	1852	_QQMusicKA.exe	105
PID 1852 wrote to memory of 1428	1852	_QQMusicKA.exe	107
PID 1852 wrote to memory of 1428	1852	_QQMusicKA.exe	107
PID 1852 wrote to memory of 1428	1852	_QQMusicKA.exe	107
PID 1852 wrote to memory of 8	1852	_QQMusicKA.exe	109
PID 1852 wrote to memory of 8	1852	_QQMusicKA.exe	109
PID 1852 wrote to memory of 8	1852	_QQMusicKA.exe	109
PID 1852 wrote to memory of 3160	1852	_QQMusicKA.exe	111
PID 1852 wrote to memory of 3160	1852	_QQMusicKA.exe	111
PID 1852 wrote to memory of 3160	1852	_QQMusicKA.exe	111
PID 1852 wrote to memory of 3264	1852	_QQMusicKA.exe	113
PID 1852 wrote to memory of 3264	1852	_QQMusicKA.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\gooleo.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3308

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4580
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1C23078EC7A4D2E6603CE1C11F086C7C C
  2⤵
  - Loads dropped DLL
  PID:96
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2584
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 49050D2526EECA2A9A27B79A31190A6F
  2⤵
  - Loads dropped DLL
  PID:3976
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2BE1C6EAD2522F11225803A873B9A812 E Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Program Files\Windows Defenderr\xfKH3A7ONV\xfKH3A7ONV.exe
    "C:\Program Files\Windows Defenderr\xfKH3A7ONV\xfKH3A7ONV.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1308
  - - C:\Users\Public\Documents\TaskLoad.exe
      C:\Users\Public\Documents\TaskLoad.exe
      4⤵
      Adds Run key to start application
      Enumerates connected drives
      Executes dropped EXE
      Loads dropped DLL
      Checks processor information in registry
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2652
    - - C:\Windows\SysWOW64\WindowsPowershell\v1.0\Powershell.exe
        
        "C:\Windows\System32\WindowsPowershell\v1.0\Powershell.exe" -Command "Set-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming","C:\Users\Admin\AppData\Local","C:\ProgramData","C:\Users\Public\Documents""
        5⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        
        PID:380
    - - C:\ProgramData\{23E67M23G87K-3Y7W3S7U-2M6M3G8Y-3K7G2Y7E}\_QQMusicKA.exe
        
        "C:\ProgramData\{23E67M23G87K-3Y7W3S7U-2M6M3G8Y-3K7G2Y7E}\_QQMusicKA.exe"
        5⤵
        Adds Run key to start application
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        Suspicious use of WriteProcessMemory
        
        PID:1852
      - C:\ProgramData\{23E67M23G87K-3Y7W3S7U-2M6M3G8Y-3K7G2Y7E}\_QQMusicKA.exe
        
        "C:\ProgramData\{23E67M23G87K-3Y7W3S7U-2M6M3G8Y-3K7G2Y7E}\_QQMusicKA.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4984
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" advpack.dll,LaunchINFSectionEx C:\Users\Admin\AppData\Roaming\apple\Runinf.inf ,DefaultInstall,,32
        6⤵
        Adds Run key to start application
        Modifies data under HKEY_USERS
        
        PID:4228
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" advpack.dll,LaunchINFSectionEx C:\Users\Admin\AppData\Roaming\apple\Runinf.inf ,DefaultInstall,,32
        6⤵
        Adds Run key to start application
        Modifies data under HKEY_USERS
        
        PID:4732
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" advpack.dll,LaunchINFSectionEx C:\Users\Admin\AppData\Roaming\apple\Runinf.inf ,DefaultInstall,,32
        6⤵
        Adds Run key to start application
        Modifies data under HKEY_USERS
        
        PID:596
      - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" advpack.dll,LaunchINFSectionEx C:\Users\Admin\AppData\Roaming\apple\Runinf.inf ,DefaultInstall,,32
        6⤵
        Adds Run key to start application
        Modifies data under HKEY_USERS
        
        PID:4656
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im QQPCTray.exe
        6⤵
        Kills process with taskkill
        
        PID:1084
      - C:\Windows\SysWOW64\WindowsPowershell\v1.0\Powershell.exe
        
        "C:\Windows\System32\WindowsPowershell\v1.0\Powershell.exe" -Command "Set-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming","C:\Users\Admin\AppData\Local","C:\ProgramData","C:\Users\Public\Documents""
        6⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        
        PID:4556
      - C:\Windows\SysWOW64\WindowsPowershell\v1.0\Powershell.exe
        
        "C:\Windows\System32\WindowsPowershell\v1.0\Powershell.exe" -Command "Set-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming","C:\Users\Admin\AppData\Local","C:\ProgramData","C:\Users\Public\Documents""
        6⤵
        Command and Scripting Interpreter: PowerShell
        Modifies data under HKEY_USERS
        
        PID:4220
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im QQPCTray.exe
        6⤵
        Kills process with taskkill
        
        PID:4480
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im QQPCTray.exe
        6⤵
        Kills process with taskkill
        
        PID:1428
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im QQPCTray.exe
        6⤵
        Kills process with taskkill
        
        PID:8
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im QQPCTray.exe
        6⤵
        Kills process with taskkill
        
        PID:3160
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im QQPCTray.exe
        6⤵
        Kills process with taskkill
        
        PID:3264
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im QQPCTray.exe
        6⤵
        Kills process with taskkill
        
        PID:692
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im QQPCTray.exe
        6⤵
        Kills process with taskkill
        
        PID:4956
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im QQPCTray.exe
        6⤵
        Kills process with taskkill
        
        PID:5012
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im QQPCTray.exe
        6⤵
        Kills process with taskkill
        
        PID:5076
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im QQPCTray.exe
        6⤵
        Kills process with taskkill
        
        PID:3360
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im QQPCTray.exe
        6⤵
        Kills process with taskkill
        
        PID:3964
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im QQPCTray.exe
        6⤵
        Kills process with taskkill
        
        PID:4428
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im QQPCTray.exe
        6⤵
        Kills process with taskkill
        
        PID:5116
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im QQPCTray.exe
        6⤵
        Kills process with taskkill
        
        PID:380
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im QQPCTray.exe
        6⤵
        Kills process with taskkill
        
        PID:4408
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im QQPCTray.exe
        6⤵
        Kills process with taskkill
        
        PID:5024
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im QQPCTray.exe
        6⤵
        Kills process with taskkill
        
        PID:1940
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im QQPCTray.exe
        6⤵
        Kills process with taskkill
        
        PID:2360
      - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /t /im QQPCTray.exe
        6⤵
        Kills process with taskkill
        
        PID:3560
    - - C:\Users\Public\Documents\TaskLoad.exe
        
        "C:\Users\Public\Documents\TaskLoad.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2192
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1308 -s 640
      4⤵
      Program crash
      PID:5040

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57ce0f.rbs

Filesize
52KB

MD5
8f9fbaa00115a988461feeb063be1c6d

SHA1
ac7588cba7afda3ff269e4f2b7f04359d3b17646

SHA256
8f1c18ce670414dc0e367476da91c7c588f96a0983f1338497009b3320123d50

SHA512
551a622c2717597b7ad4fad0448df3a91b0638cda78bd31c87a073f36cc062be6f66f0012ffdef86eb5928a7ba3ebc587bc93f4f3957a250281a564c55ef5912

Download Submit
C:\Config.Msi\e57ce10.rbf

Filesize
2KB

MD5
032abec41c43374fa6b1a7ed0cb5779d

SHA1
52fe50364ec292f02e4ceacf3130453cf6d30122

SHA256
0dd6e94f92bec032a975b5cf7e8acc27cb3a26e59e512885ab4b66c32c2dc7ad

SHA512
b53b9001409e8e1bd6a2a845ca6bc9489596000b1396e55eee67ed09fc447cce0302d7c2db71e23b331dd5baab61317901ac245bdb28bcd966069125678bcdaa

Download Submit
C:\ProgramData\1

Filesize
2.0MB

MD5
faf4a129b091a57c3ff694dc721d4f3b

SHA1
7430935f501164b46b99766ed9ab68da0db50c24

SHA256
b1d13ed7409ca47f47d200f6b26d8da6a07e645ef49ddc9a28486f46bb8c41e7

SHA512
0103d9bfa27c809f978a2ac805e5eb59e07f0f0eef8aecf2713d8af1bff0d54fbc24043435cb67f550d5afdd6f0a2bc5c0026b6e920efe2ad21b619bbfbb0583

Download Submit
C:\ProgramData\11

Filesize
84KB

MD5
97a2b445c8eac7f3b1edd94d67d2e768

SHA1
6c1ec795b0abf5fc8b9e4189f87a425624a28dc5

SHA256
452b3537cc4fc77acd5821ecdd33ae372e460a7b571f708fd91a6258d69c0149

SHA512
3d1eb3d8b1c56ae5b8d5c82380af4544457bc40c9fc6d6fbbdafc8b4f3d53fda2cbddad5aa983a207a708c596da2f00c1c7305093d3b575f6405d8dd064600a5

Download Submit
C:\ProgramData\12

Filesize
92KB

MD5
e61e00f904f561ec9e6574ddec3bb65a

SHA1
6458b901d065848b44988bff89b8e7933a43d7fc

SHA256
25bff93e68ed9086a8effd7c79e01fca7d3ab228b158acd57ebf583d0054e364

SHA512
06ee9b0b36de98cceafa938cab3f6523be42a869d4e28ffbb1dcbdcee363eeedbf320923653cc90450d0fb8d14cbaf74768acbe78c7177747f2a637103d043ac

Download Submit
C:\ProgramData\15

Filesize
978KB

MD5
8e945aaf7128bb3db83e51f3c2356637

SHA1
bcc64335efc63cb46e14cc330e105520391e2b00

SHA256
4fcf6394b14e24d830b04209a0ede1dcc911d199740a55d12c8ab8aeabb84073

SHA512
150636eea0cab3e738f5e94ae910d189622fa3221aca1cecc05bf0f5a80f2fab055adeafd99eab7a2a1d3911ff2784cf521a2681e5ddf7737f4363b915b8c2a8

Download Submit
C:\ProgramData\2

Filesize
80KB

MD5
b874ff17621f408640d95b411e573e55

SHA1
9abd7ec752fabc0b2266ca8b80ba8750a235e910

SHA256
3aee565192cd07dde0f38bcde06bad6de492049bcfd2c99e0fcb8cc3fc9b23ac

SHA512
62f81ebd60e134c95612d9dfa5e222a1bdd258d21a33f6ab3e02d7de7bba82b8b5b0177e44592748a3b0e262a18b8c74f50e5e8e6f3772e858843456d9d1469b

Download Submit
C:\ProgramData\4

Filesize
340KB

MD5
7daf9edc6f8f2b2b69bb9367cb99abbd

SHA1
ad05e73f713758350db5f7d6a283f0132a7fd47c

SHA256
2f3c6b44e994efb2f4e8edf5801580df5c74c7984287b62e0602af3c6818e81b

SHA512
dd48bd1a2578239b3820e32cf64fe50181b0e3ac75d8aa881d44424104c1ea251d1f996299f5a651bc58caed40f54c91d318a926e37c17655f592315ac56f16b

Download Submit
C:\ProgramData\YYcecccccdbe.ini

Filesize
56B

MD5
7ce2216b4527ad40a5c9e8b9cfab454b

SHA1
9f2cf1df7eef763bc1194a833f713ade077e35e9

SHA256
149d6fda62fe7fc624d959a8794ff5e6cc1fdbb720d4d2280a810e8067ccfcb0

SHA512
148a2c38c5ea7f229692a57783a70930a97ec4b006048d5cb45accf78e13b7318477b1b3c798d2db6cb194e88e2c9f9c61eaa6cec155d07632e0302be1d8a647

Download Submit
C:\ProgramData\a10

Filesize
36KB

MD5
f0284892937a97caa61afcd3b6ddb6d4

SHA1
f3c308e7e4aaa96919882994cdd21cc9f939cabd

SHA256
2514913f8a6f4671a058304651289b0babe47d81c044212b3140ed1c1b643b09

SHA512
058845e0a9a5892a69f24f3a77086e3f9546493ad40a0e5359aed05cf8882a9f3d7aee0449648d5cb76e51530af3e46af59a9b196cc92318334116c92dde4171

Download Submit
C:\ProgramData\a3

Filesize
14B

MD5
0d59c87827537cdd7727d1f0e4d6cce4

SHA1
6067300c20740cf2899d519382f36c453d9b7fca

SHA256
270a9ca2cc8d07c58e43466e95a8aedc7bde468b7b5c0c37845cad5f0d2ab6d2

SHA512
324aca54d36574f1a3d7ade872bc5d4bca8b6ae78817cefcf6fe74af51e90f67a808757eb3c84d65c2a8c8e0322cad8b30c83f29e0011c374fd114122ae92d7a

Download Submit
C:\ProgramData\a5

Filesize
56B

MD5
6f10d76e583b39191028ab57f8edbed9

SHA1
fbaa6e99f3a88d1e4cd606ca45debed661135c1d

SHA256
847f6e3577892365fadc94648eabdde48b9660590ba109e8387a9cb984aee476

SHA512
17a2f133b321fb9ac992e03da4ada3b3e5f1e507c7656d287ea00efddc50885c9ea9f337dd6b8cd52015060b4f0f4fc7832a7a3603ed5a3b498d8da47916743c

Download Submit
C:\ProgramData\a6

Filesize
200KB

MD5
078c21b8c91b86999427aa349cf5decf

SHA1
b939376eaebcf6994890db24ddcb2380c1925188

SHA256
ed2c6bc3e77a404b8cf61176844ad19c1fdcae19881206631e3f0831a4bd919a

SHA512
a006a36fdcaf4c2403238475163553ba2fe7783fea200f28df46ea980a3907d2b24c854153b45b730195a133fcb28f60c157f33c865ea286ad8c354981cf5885

Download Submit
C:\ProgramData\a7

Filesize
497KB

MD5
c8cf4eb512fadb813f69c3184e4bf44d

SHA1
492576912c7c0a224881ea45035a4a9270cd44f2

SHA256
678b89a2ca82b0b7803e36601bd6216c7687c4102de7071676390f2c252cb1fb

SHA512
006665dcf7cd8ad83f8b5c06c2ec9367ee8caa01c3c1cb9502bd540ac9940d103b84f6620ef8b5aa8e78fbe268994c0d8da5fa7ba550e1c8bd038fd1e43d39dc

Download Submit
C:\ProgramData\a8

Filesize
21KB

MD5
da08e194f9a7045dbb19f6e5d5d7f609

SHA1
7884062382bf1e7911f7e74198ca9fecec159c61

SHA256
9bd52ec7e7750500de33df995fcc7e68ed1da70d125579cf76ae8f787577ef75

SHA512
46720cd0677064b00a9e253953b8b6cd5141a99d0090ff0d7c4a24b830ca621878bcdfec3c56880f940662bd78f408782231bdd3cb370e06dadfee71e3e2b2b0

Download Submit
C:\ProgramData\a9

Filesize
13KB

MD5
37aa892a6f35bcbe9b01f0a424f5d4f6

SHA1
e5d60e43a8e0a4b7371bd736e21b1a59546774af

SHA256
6feeb95115d7d8a51403996fee1ad219a52151662d3a01a2d17cfb77dbd51f3b

SHA512
a5d5ac494cba18bb5b2582310416dc2e146732ba4f2eddab6611393d61ac0ae839bacae0da1e85f0965575e6d6284b1180e2e3adb924f1e19d2d7586d2abbd83

Download Submit
C:\ProgramData\{23E67M23G87K-3Y7W3S7U-2M6M3G8Y-3K7G2Y7E}\vcruntime140.dll

Filesize
78KB

MD5
1b171f9a428c44acf85f89989007c328

SHA1
6f25a874d6cbf8158cb7c491dcedaa81ceaebbae

SHA256
9d02e952396bdff3abfe5654e07b7a713c84268a225e11ed9a3bf338ed1e424c

SHA512
99a06770eea07f36abc4ae0cecb2ae13c3acb362b38b731c3baed045bf76ea6b61efe4089cd2efac27701e9443388322365bdb039cd388987b24d4a43c973bd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6CB4.tmp

Filesize
588KB

MD5
a9941233b9415b479d3b4f3732161eab

SHA1
cb2d99af52b3b1c712943b13e45d85c80c732e57

SHA256
ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2

SHA512
cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2u0w3ahg.qdp.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\_2

Filesize
362KB

MD5
1b6bc40c6c5fbd9032ee3779057efe86

SHA1
9fa7737b2c1d792ee76b587cece5b7831e684b11

SHA256
b163b5e667bcaac3c682940889abd56280983ee2c5936924e1182aa80f867f87

SHA512
295603b80684fee2b646048392398fc3a4f4f58f6fbbcbc1dbe76819bd5a4cc5cdc0f2ed9374334babf23928448fc38b154c115a07646fe278481cb921028703

Download Submit
C:\Users\Admin\AppData\Local\_2.DLL

Filesize
344KB

MD5
27bfaff47dce732f5e1bada41b756612

SHA1
33efd88e7ce656e01939b48ad2ff513fa29b9699

SHA256
ab27ae2fa1ee803f1d7269b674a4825ef7f70badfe8b9e7456b2ce6235fe9b56

SHA512
057ce5a8e47a59ec2d98581bb5e6568c2968709c87adcb7aa761cfa0ff07ea1706ca74f4c0fffef0eb92cdfdadf6dafa8664e3c69ed9d94deb423a1b0b6c1da1

Download Submit
C:\Users\Admin\AppData\Roaming\Consys21.png

Filesize
319KB

MD5
059afc1c343329409574a6e7a2952246

SHA1
9a5c2c1e8ef822907a58732d674194e2ae89d52c

SHA256
6cb8d7f52b605312920ef6dd7cc17e72a291d924a967b924ccf81dd118d7f8e4

SHA512
bc847cf20d009a5e7560f040978447817b3c6ca4a94e255c824b0820ab4fbcc1edca818b19d754a5b062236a25966fabb5d52f11abf5cbe5bc5936d9abe8fd06

Download Submit
C:\Users\Admin\AppData\Roaming\apple\Runlnk.lnk

Filesize
854B

MD5
a2bfeb3ba4879bd61b20ac5d9865dc79

SHA1
395aa3a98634ceab03e37d30a7ab84a54623c78f

SHA256
a05185740c597b99fc3768a02a095c97cfc4a52ebe892d9d8b61493959ad1951

SHA512
1016222486c08c28b555473a1276b684dcb1355274722e42d6c3427893167792283b151e3d4687422eec9b9895e3cf2a2a02c547714748b36831eb785ba74133

Download Submit
C:\Users\Admin\AppData\Roaming\chormeui\chomeui.exe

Filesize
1.3MB

MD5
84ba3c0d3d383c2676810494a7b5d4d4

SHA1
51dc4edee8e6d061dddf557861655079bb568308

SHA256
1dce1e3cef651f20cad4f096997407db5b5837b60a52b0abb8ad4c087b6a02e0

SHA512
6246e29c25c45258a2f244cb31991202d1b57e9309521296787b90d1662b3e9dd14d27cdd5557fbab39b66e18bbb63c9bf346091d0bf2dcfc798745ce030d079

Download Submit
C:\Users\Admin\AppData\Roaming\install.ini

Filesize
47B

MD5
c6b92dd6631be4719db3e258fc834151

SHA1
17e2de7b48bb373705e44c50c0e70f435743860e

SHA256
1e170289b158d70bff755b7d4f842833dd139afce297ae581b11a93cc2c52681

SHA512
841d7aae253d7efa8db7e1ce210aa1a4cfc55e251b5905ef08f0a64a68f643558e69f10a7a95bdb0124483056a676d7a2536a32c491169e78f32f7e8819be227

Download Submit
C:\Users\Public\Documents\RECSLLE.BIN\system\QQMusic.exe

Filesize
623KB

MD5
d9746c8d55bed7b372ccef704f96ddda

SHA1
61c6b8ba9108fc7617264bb7d58e163457946e5b

SHA256
afbfea15784c32277edf9d4c985d210c5c46baef46db1c6bed2d2a964d2b70fd

SHA512
e00d687bd7cee039c6eddddab2b89e26136f842bda19630de53220f3459a73a4bd2ba0c76267b977e265d7cdf98d21cd94d327fa143477a427ccd0a5fd57910e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
26.0MB

MD5
a7c5bb2ef32386b2fc8a66b6d28c3a7c

SHA1
8032e6c6d096c9e0b5b4fd9f09a07166b3c1e44b

SHA256
b87436840a0ec10de9d3bf81f9aa763bcc6cd2f1ecfefa107b0f2b6936091975

SHA512
d1baea64d0190ac5ad541a59e76160e058ec9ab8015c9881ee150b239432112f114518577825c23b2941063e20095b2de626b135f0cf5489e7d87d0779b9950a

Download Submit
\??\Volume{38fd360b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{511d5d86-3321-4ec9-933e-5d4fa9c986a9}_OnDiskSnapshotProp

Filesize
5KB

MD5
103b0f2fd046aa29a80fba4fe676281d

SHA1
fbcd587010bb8c7bd39b8a9e0e5b4f1493eddff9

SHA256
da54bb4acbce18dabc3a5b4b0d29855bc1224c132c327e36f32ae2efaca6ff49

SHA512
4f13b1ee2e4dc9ceb1f6eb9c1aef2296b615a51e9ed9501e2cd8fc67f6a56eed7c75eaccb96fb08695d5c6b396bcc318988bac5d0eb05d3f51f0c4729ae120a9

Download Submit
\ProgramData\{23E67M23G87K-3Y7W3S7U-2M6M3G8Y-3K7G2Y7E}\QQMusic.dll

Filesize
92KB

MD5
3c99d99f288e5a9268f433993d17b235

SHA1
4e35aa2f729d1d1d82a75793a8d68e0ff5f2b180

SHA256
87772b03954d1d77c2667646a7a77d83719b714479df4e436b454192015eddb1

SHA512
239b4d0657c0fc631200a2a27f0f63e15af3823b39c3f14c2ca45e4e92c32ba998b334eee557466a1122e982fa104ce449ae946c4c1734b685c3c671473e6283

Download Submit
memory/380-641-0x0000000009840000-0x0000000009873000-memory.dmp

Filesize
204KB

Download
memory/380-519-0x0000000007900000-0x0000000007966000-memory.dmp

Filesize
408KB

Download
memory/380-894-0x0000000009CF0000-0x0000000009CF8000-memory.dmp

Filesize
32KB

Download
memory/380-889-0x0000000009D00000-0x0000000009D1A000-memory.dmp

Filesize
104KB

Download
memory/380-649-0x0000000009D60000-0x0000000009DF4000-memory.dmp

Filesize
592KB

Download
memory/380-515-0x00000000071E0000-0x0000000007216000-memory.dmp

Filesize
216KB

Download
memory/380-517-0x0000000007970000-0x0000000007F98000-memory.dmp

Filesize
6.2MB

Download
memory/380-648-0x0000000009B80000-0x0000000009C25000-memory.dmp

Filesize
660KB

Download
memory/380-518-0x00000000080E0000-0x0000000008102000-memory.dmp

Filesize
136KB

Download
memory/380-642-0x0000000072BC0000-0x0000000072C0B000-memory.dmp

Filesize
300KB

Download
memory/380-520-0x0000000008180000-0x00000000081E6000-memory.dmp

Filesize
408KB

Download
memory/380-521-0x00000000081F0000-0x0000000008540000-memory.dmp

Filesize
3.3MB

Download
memory/380-523-0x00000000086C0000-0x000000000870B000-memory.dmp

Filesize
300KB

Download
memory/380-522-0x0000000008560000-0x000000000857C000-memory.dmp

Filesize
112KB

Download
memory/380-524-0x0000000008990000-0x0000000008A06000-memory.dmp

Filesize
472KB

Download
memory/380-643-0x0000000009820000-0x000000000983E000-memory.dmp

Filesize
120KB

Download
memory/1308-374-0x0000000003020000-0x00000000030AA000-memory.dmp

Filesize
552KB

Download
memory/1852-514-0x0000000002130000-0x0000000002186000-memory.dmp

Filesize
344KB

Download
memory/1852-935-0x0000000006710000-0x0000000006F7F000-memory.dmp

Filesize
8.4MB

Download
memory/1852-920-0x0000000005EA0000-0x000000000670F000-memory.dmp

Filesize
8.4MB

Download
memory/1852-533-0x00000000028B0000-0x00000000028E9000-memory.dmp

Filesize
228KB

Download
memory/1852-536-0x00000000028B0000-0x00000000028E9000-memory.dmp

Filesize
228KB

Download
memory/1852-814-0x0000000005EA0000-0x000000000670F000-memory.dmp

Filesize
8.4MB

Download
memory/1852-746-0x00000000028B0000-0x00000000028E9000-memory.dmp

Filesize
228KB

Download
memory/1852-813-0x0000000006710000-0x0000000006F7F000-memory.dmp

Filesize
8.4MB

Download
memory/2192-1059-0x0000000003A10000-0x0000000003A9A000-memory.dmp

Filesize
552KB

Download
memory/2192-979-0x0000000003A10000-0x0000000003A9A000-memory.dmp

Filesize
552KB

Download
memory/2652-389-0x0000000000E10000-0x0000000000E9A000-memory.dmp

Filesize
552KB

Download
memory/2652-754-0x0000000000E10000-0x0000000000E9A000-memory.dmp

Filesize
552KB

Download
memory/2652-447-0x0000000004590000-0x0000000004DFF000-memory.dmp

Filesize
8.4MB

Download
memory/2652-390-0x0000000002D30000-0x0000000002D63000-memory.dmp

Filesize
204KB

Download
memory/2652-458-0x0000000005070000-0x00000000058DF000-memory.dmp

Filesize
8.4MB

Download
memory/2652-387-0x0000000000E10000-0x0000000000E9A000-memory.dmp

Filesize
552KB

Download
memory/2652-497-0x0000000005070000-0x00000000058DF000-memory.dmp

Filesize
8.4MB

Download
memory/4220-974-0x0000000072BC0000-0x0000000072C0B000-memory.dmp

Filesize
300KB

Download
memory/4556-1054-0x0000000072BC0000-0x0000000072C0B000-memory.dmp

Filesize
300KB

Download
memory/4984-542-0x0000000002000000-0x0000000002056000-memory.dmp

Filesize
344KB

Download
memory/4984-758-0x0000000002130000-0x0000000002169000-memory.dmp

Filesize
228KB

Download
memory/4984-755-0x0000000002130000-0x0000000002169000-memory.dmp

Filesize
228KB

Download