Analysis

max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-10-2024 08:37

Static task: static1

Behavioral task: behavioral1
  Sample: Chromestup翻译插件.msi
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: Chromestup翻译插件.msi
  Resource: win10v2004-20241007-en
General

Target: Chromestup翻译插件.msi
Size: 2.6MB
MD5: 75a1688aca4c2641659f060d86f6b612
SHA1: a1740d536b654d4a381c9089ce51dd2026efa819
SHA256: e7dcdf225c0edd20c920d918b05dab323ce787aae54768cd15ad406ac26e2ae9
SHA512: ce7169ac22f21c1010ea60eef8be106beae453929907d3beee8fd245fe7ec51e635846c6f8af4d80d2cd8a533bf994ae2490a3ed9b48467a009798b849baa80c
SSDEEP: 49152:0FvHELEfBtQTIoWd4rUXs6kA+h5N3IaaLoWNAxOiZowguCIFVx0K5xU:0FveQQE5SBGkpIaavAQag67x0K5xU
Malware Config

Signatures

Purplefox rootkit (yara rule purplefox_rootkit) 6 IoCs
resource / yara_rule
- behavioral2/memory/2560-87-0x000000002BEE0000-0x000000002C09C000-memory.dmp / purplefox_rootkit
- behavioral2/memory/2560-89-0x000000002BEE0000-0x000000002C09C000-memory.dmp / purplefox_rootkit
- behavioral2/memory/2560-90-0x000000002BEE0000-0x000000002C09C000-memory.dmp / purplefox_rootkit
- behavioral2/memory/2560-91-0x000000002BEE0000-0x000000002C09C000-memory.dmp / purplefox_rootkit
- behavioral2/memory/2560-93-0x000000002BEE0000-0x000000002C09C000-memory.dmp / purplefox_rootkit
- behavioral2/memory/2560-95-0x000000002BEE0000-0x000000002C09C000-memory.dmp / purplefox_rootkit

Gh0st RAT payload 6 IoCs
resource / yara_rule
- behavioral2/memory/2560-87-0x000000002BEE0000-0x000000002C09C000-memory.dmp / family_gh0strat
- behavioral2/memory/2560-89-0x000000002BEE0000-0x000000002C09C000-memory.dmp / family_gh0strat
- behavioral2/memory/2560-90-0x000000002BEE0000-0x000000002C09C000-memory.dmp / family_gh0strat
- behavioral2/memory/2560-91-0x000000002BEE0000-0x000000002C09C000-memory.dmp / family_gh0strat
- behavioral2/memory/2560-93-0x000000002BEE0000-0x000000002C09C000-memory.dmp / family_gh0strat
- behavioral2/memory/2560-95-0x000000002BEE0000-0x000000002C09C000-memory.dmp / family_gh0strat

Gh0strat family

Purplefox family
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid / Process
- 1892 powershell.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description / ioc / Process (64 "File opened (read-only)" events, grouped by process; the report lists them unordered)
- msiexec.exe (43 events): \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\X:, \??\Z: opened twice each; \??\Q:, \??\W:, \??\Y: opened once each
- qDrRguPncUTJ.exe (21 events, once each): \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
Drops file in System32 directory 1 IoCs
description / ioc / Process
- File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OpqmKKXicuhB.exe.log (OpqmKKXicuhB.exe)
Drops file in Program Files directory 17 IoCs
description / ioc / Process
- File created C:\Program Files\SupportInspiringAnalyzer\valibclang2d.dll (msiexec.exe)
- File created C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ (MvUlJzZBELPG.exe)
- File created C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.exe (MvUlJzZBELPG.exe)
- File created C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.vbs (qDrRguPncUTJ.exe)
- File opened for modification C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.wrapper.log (OpqmKKXicuhB.exe)
- File opened for modification C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.wrapper.log (OpqmKKXicuhB.exe)
- File created C:\Program Files\SupportInspiringAnalyzer\igc964.dll (msiexec.exe)
- File opened for modification C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.exe (MvUlJzZBELPG.exe)
- File created C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe (MvUlJzZBELPG.exe)
- File created C:\Program Files\SupportInspiringAnalyzer\FNMdVxXPbyhsDeODMFqD (msiexec.exe)
- File opened for modification C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ (MvUlJzZBELPG.exe)
- File opened for modification C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe (MvUlJzZBELPG.exe)
- File opened for modification C:\Program Files\SupportInspiringAnalyzer (qDrRguPncUTJ.exe)
- File opened for modification C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.wrapper.log (OpqmKKXicuhB.exe)
- File created C:\Program Files\SupportInspiringAnalyzer\MvUlJzZBELPG.exe (msiexec.exe)
- File created C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.xml (MvUlJzZBELPG.exe)
- File opened for modification C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.xml (MvUlJzZBELPG.exe)
Drops file in Windows directory 8 IoCs
description / ioc / Process
- File opened for modification C:\Windows\Installer\MSIF647.tmp (msiexec.exe)
- File created C:\Windows\Installer\e57f4f1.msi (msiexec.exe)
- File created C:\Windows\Installer\e57f4ef.msi (msiexec.exe)
- File opened for modification C:\Windows\Installer\e57f4ef.msi (msiexec.exe)
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File opened for modification C:\Windows\Installer\ (msiexec.exe)
- File created C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File created C:\Windows\Installer\SourceHash{3EB6727B-D1EB-4374-B33D-8BA47CCA3202} (msiexec.exe)
Executes dropped EXE 7 IoCs
pid / Process
- 3180 MvUlJzZBELPG.exe
- 4132 qDrRguPncUTJ.exe
- 2072 OpqmKKXicuhB.exe
- 4280 OpqmKKXicuhB.exe
- 4104 OpqmKKXicuhB.exe
- 4448 qDrRguPncUTJ.exe
- 2560 qDrRguPncUTJ.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid / Process
- 4348 msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description / ioc / Process
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MvUlJzZBELPG.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qDrRguPncUTJ.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qDrRguPncUTJ.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (qDrRguPncUTJ.exe)
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description / ioc / Process
- Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
- Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … (value not present in this copy of the report) (vssvc.exe)
- Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters (vssvc.exe)
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description / ioc / Process
- Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (qDrRguPncUTJ.exe)
- Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (qDrRguPncUTJ.exe)
Modifies data under HKEY_USERS 59 IoCs
description / ioc / Process (grouped by process; the report lists them unordered)

powershell.exe (41 events), all "Key created":
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs

MsiExec.exe (7 events):
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings
- Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"
- Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"

msiexec.exe (3 events):
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27
- Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E
- Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26

WScript.exe (5 events), all "Key created":
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
- \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings
- \REGISTRY\USER\.DEFAULT\Software\Microsoft
- \REGISTRY\USER\.DEFAULT\Software

qDrRguPncUTJ.exe (3 events):
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"
- Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"
- Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E
Modifies registry class 22 IoCs
description / ioc / Process (all events by msiexec.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\Version = "117506049"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\Assignment = "1"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\AuthorizedLUAApp = "0"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\SourceList
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\SourceList\Net
- Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\Clients = 3a0000000000
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\AdvertiseFlags = "388"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\DeploymentFlags = "3"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\SourceList\Media
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\SourceList\PackageName = "Chromestup翻译插件.msi"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\SourceList\Media\1 = ";"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B7276BE3BE1D47343BD3B84AC7AC2320
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B7276BE3BE1D47343BD3B84AC7AC2320\ProductFeature
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\ProductName = "SupportInspiringAnalyzer"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\PackageCode = "7ED114DDD5473FB4B927257371DB7C73"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\Language = "1033"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\InstanceType = "0"
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\24491C0B704EEA64697A08AA008DF996
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\24491C0B704EEA64697A08AA008DF996\B7276BE3BE1D47343BD3B84AC7AC2320
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid / Process
- 3096 msiexec.exe (2 entries)
- 1892 powershell.exe (3 entries)
- 4132 qDrRguPncUTJ.exe (remaining 59 entries)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description / pid / Process
- Token: SeShutdownPrivilege 4348 msiexec.exe
- Token: SeIncreaseQuotaPrivilege 4348 msiexec.exe
- Token: SeSecurityPrivilege 3096 msiexec.exe
- Token: SeCreateTokenPrivilege 4348 msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege 4348 msiexec.exe
- Token: SeLockMemoryPrivilege 4348 msiexec.exe
- Token: SeIncreaseQuotaPrivilege 4348 msiexec.exe
- Token: SeMachineAccountPrivilege 4348 msiexec.exe
- Token: SeTcbPrivilege 4348 msiexec.exe
- Token: SeSecurityPrivilege 4348 msiexec.exe
- Token: SeTakeOwnershipPrivilege 4348 msiexec.exe
- Token: SeLoadDriverPrivilege 4348 msiexec.exe
- Token: SeSystemProfilePrivilege 4348 msiexec.exe
- Token: SeSystemtimePrivilege 4348 msiexec.exe
- Token: SeProfSingleProcessPrivilege 4348 msiexec.exe
- Token: SeIncBasePriorityPrivilege 4348 msiexec.exe
- Token: SeCreatePagefilePrivilege 4348 msiexec.exe
- Token: SeCreatePermanentPrivilege 4348 msiexec.exe
- Token: SeBackupPrivilege 4348 msiexec.exe
- Token: SeRestorePrivilege 4348 msiexec.exe
- Token: SeShutdownPrivilege 4348 msiexec.exe
- Token: SeDebugPrivilege 4348 msiexec.exe
- Token: SeAuditPrivilege 4348 msiexec.exe
- Token: SeSystemEnvironmentPrivilege 4348 msiexec.exe
- Token: SeChangeNotifyPrivilege 4348 msiexec.exe
- Token: SeRemoteShutdownPrivilege 4348 msiexec.exe
- Token: SeUndockPrivilege 4348 msiexec.exe
- Token: SeSyncAgentPrivilege 4348 msiexec.exe
- Token: SeEnableDelegationPrivilege 4348 msiexec.exe
- Token: SeManageVolumePrivilege 4348 msiexec.exe
- Token: SeImpersonatePrivilege 4348 msiexec.exe
- Token: SeCreateGlobalPrivilege 4348 msiexec.exe
- Token: SeBackupPrivilege 1788 vssvc.exe
- Token: SeRestorePrivilege 1788 vssvc.exe
- Token: SeAuditPrivilege 1788 vssvc.exe
- Token: SeBackupPrivilege 3096 msiexec.exe
- Token: SeRestorePrivilege 3096 msiexec.exe
- Token: SeRestorePrivilege 3096 msiexec.exe
- Token: SeTakeOwnershipPrivilege 3096 msiexec.exe
- Token: SeRestorePrivilege 3096 msiexec.exe
- Token: SeTakeOwnershipPrivilege 3096 msiexec.exe
- Token: SeDebugPrivilege 1892 powershell.exe
- Token: SeRestorePrivilege 3180 MvUlJzZBELPG.exe
- Token: 35 3180 MvUlJzZBELPG.exe
- Token: SeSecurityPrivilege 3180 MvUlJzZBELPG.exe
- Token: SeSecurityPrivilege 3180 MvUlJzZBELPG.exe
- Token: SeRestorePrivilege 3096 msiexec.exe / Token: SeTakeOwnershipPrivilege 3096 msiexec.exe (this pair repeats 9 times, 18 entries)
Suspicious use of FindShellTrayWindow 2 IoCs
pid / Process
- 4348 msiexec.exe
- 4348 msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs
description / pid / Process / procid_target
- PID 3096 wrote to memory of 3612, 3096 msiexec.exe, target 104 (2 entries)
- PID 3096 wrote to memory of 4224, 3096 msiexec.exe, target 106 (2 entries)
- PID 4224 wrote to memory of 1892, 4224 MsiExec.exe, target 107 (2 entries)
- PID 4224 wrote to memory of 780, 4224 MsiExec.exe, target 109 (2 entries)
- PID 780 wrote to memory of 3180, 780 cmd.exe, target 111 (3 entries)
- PID 4224 wrote to memory of 4132, 4224 MsiExec.exe, target 115 (3 entries)
- PID 4104 wrote to memory of 4448, 4104 OpqmKKXicuhB.exe, target 125 (3 entries)
- PID 4448 wrote to memory of 2560, 4448 qDrRguPncUTJ.exe, target 127 (3 entries)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (indented by process-tree depth)

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Chromestup翻译插件.msi
  PID: 4348
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3096
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 3612

  C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 427751080C718FEBEC2DE81D593CD60A E Global\MSI0000
    PID: 4224
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\SupportInspiringAnalyzer'
      PID: 1892
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c start "" "C:\Program Files\SupportInspiringAnalyzer\MvUlJzZBELPG.exe" x "C:\Program Files\SupportInspiringAnalyzer\FNMdVxXPbyhsDeODMFqD" -o"C:\Program Files\SupportInspiringAnalyzer\" -prcyZypXSeJJwJRguypsQ -y
      PID: 780
      - Suspicious use of WriteProcessMemory

      C:\Program Files\SupportInspiringAnalyzer\MvUlJzZBELPG.exe
        Command line: "C:\Program Files\SupportInspiringAnalyzer\MvUlJzZBELPG.exe" x "C:\Program Files\SupportInspiringAnalyzer\FNMdVxXPbyhsDeODMFqD" -o"C:\Program Files\SupportInspiringAnalyzer\" -prcyZypXSeJJwJRguypsQ -y
        PID: 3180
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe
      Command line: "C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe" -number 148 -file file3 -mode mode3 -flag flag3
      PID: 4132
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1788
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\System32\WScript.exe
  Command line: C:\Windows\System32\WScript.exe "C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.vbs"
  PID: 4144
  - Modifies data under HKEY_USERS

C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.exe
  Command line: "C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.exe" install
  PID: 2072
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE

C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.exe
  Command line: "C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.exe" start
  PID: 4280
  - Drops file in Program Files directory
  - Executes dropped EXE

C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.exe
  Command line: "C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.exe"
  PID: 4104
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe
    Command line: "C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe" -number 200 -file file3 -mode mode3 -flag flag3
    PID: 4448
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe
      Command line: "C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe" -number 132 -file file3 -mode mode3 -flag flag3
      PID: 2560
      - Enumerates connected drives
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 7KB
MD5: 7a81e970a31d40c7450ae22f58f9cee7
SHA1: 943b4a3adc8e676864e75491b09611ca24b7bf30
SHA256: ea852ccd9c8a792c7905f4ef7f067e1265dcec87970dec18fda23beedf983f08
SHA512: 8762a7fcc469c9327561557d822e7a3d052b91b05fc35fa816edca1656fd12963c3a2b1285d63f583e29daea9992b4bbf5cf23c7ee0598701d6b9d785c422155

Filesize: 2.1MB
MD5: c7cdf5fa91fac8b086ba6edc3ae1b9ab
SHA1: 368c29d03ed4d63dfccadc084f0a9bdc0d73d05a
SHA256: 2cae8d7add88dee6f87be346aa29d0230d7e0b6e60d9a63bb93778151a7687c2
SHA512: eac0accda6562d66e328e8f0cf0b6e356ffc4436ab3bacd1eed8d0a80699db0491b97fd4c30dcc8976b10986f7d9810a334196297840543373836f0f19e4b9dc

Filesize: 577KB
MD5: c31c4b04558396c6fabab64dcf366534
SHA1: fa836d92edc577d6a17ded47641ba1938589b09a
SHA256: 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512: 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

Filesize: 832KB
MD5: d305d506c0095df8af223ac7d91ca327
SHA1: 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256: 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA512: 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Filesize: 294B
MD5: f56d01439bc293693b0792276bf156ec
SHA1: 768019df0d4d37f2e4b8d002644ee84363592f81
SHA256: e717b9061d27181c42ab284a278f3815cb03f05edf57d549890d8f853e37a62b
SHA512: c6b34d9e6dcd6aa66c4acbb093c3355a290d1d6707a491e5dcc53695270860e641885eb3d4745a87ec689b810163dc178b2f427bed4f307499dbb13214091179

Filesize: 464B
MD5: ef235cfc3bcf2c3a13496ab0adfec7e5
SHA1: 1c8b48ec89ae85a1dd17b500725abf5b28f9c497
SHA256: 36a9b3b45b523c20a30ecaf7def23c4761fcee88df0425ae0a29260e8670b851
SHA512: df7e6094cb045e69e1e1e0cc43d6388ede19b7fa15908f7e3ad5b775a5b9cab723681362991db3c24a86c618731f1fa756079f768792aafa04aea375093d045c

Filesize: 644B
MD5: d4a4adb721e25f9f67230fa25e4275e2
SHA1: 2cb1599921f5f441fcd6abd16486fae9857a4e43
SHA256: 96e3e281a48b69f906601ca11fdcfc1b0feb95b8235b35bfb9a11efcd30fd373
SHA512: bfc84584f8a430da6bfaeff31b94cef42f2cd41ca57614759abc4786413083e03f03f467b1cea982c5c89ceb8d576fb22f992d19f0466be8a8db33c29236f464

Filesize: 793B
MD5: 18eef873d3e19c75aecde403a74bdf53
SHA1: ca76d72dc89d214f09863c3e5d7d53c4d3ae4fd4
SHA256: 795f5a8244953d10a9865d3d1fad55904141ad6d50998badccf800bc326dca03
SHA512: ebf36b5959409d2e5705263e152e22ed2c3e2cb212a87973a1c9c0b0e5733d10ff45d944187c62ccca1f8c814da42c3d4f60b792cd4bd793d698ef1bf111919a

Filesize: 456B
MD5: baed84f9dd929bd51f8dd770db55c506
SHA1: 39c11420cd8086b2d435e10e4a21ed1fe1209974
SHA256: a4b30bd638f0a34197ad88e070a4da7a832815ed658a33d7e1f17612e94711ae
SHA512: cf28a5e3dbd2c40f9eb9f04d9db2f53c0971450625e7963c6534c87ef6537c0b5b33cd31b6c65bf95b8ece39e9d896874c71df1fe810d998b37819b10d1f66ec

Filesize: 2.8MB
MD5: b96aaab7556936945af7a07a91c79052
SHA1: b259e2d3e190fc0f52f3007303e3662eafc28d66
SHA256: e84b46614d3d41be225904cdcdeb1bb3fe57cb3c26b397591d803fb8e10546db
SHA512: e1c08a5ea793f7daadf3746d1bbae62d96637e4d00d39162803aaec140c60146bba6ff372221146416d7ad93fee51cf800b8e0626fb8ec355c6659104959502f

Filesize: 2KB
MD5: f39a87f4e499a4550c5c0d00a00a969c
SHA1: 72112790467746176d087bc6cbe4b416e416fc4c
SHA256: c40c13aa84fc7a3d93bfb123cdb1cb965ca3b9143ff0a2d3f76b9541429207b1
SHA512: 670462bb4ff9deb932aef82be73bfb6ac121867f41860988128dbdc2fdaced0b85cc13da1b975cc731dcc32606eaafcc5ab872d16e2f6ac56858761fe4679bc8

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 2.6MB
MD5: 75a1688aca4c2641659f060d86f6b612
SHA1: a1740d536b654d4a381c9089ce51dd2026efa819
SHA256: e7dcdf225c0edd20c920d918b05dab323ce787aae54768cd15ad406ac26e2ae9
SHA512: ce7169ac22f21c1010ea60eef8be106beae453929907d3beee8fd245fe7ec51e635846c6f8af4d80d2cd8a533bf994ae2490a3ed9b48467a009798b849baa80c

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OpqmKKXicuhB.exe.log
Filesize: 1KB
MD5: 122cf3c4f3452a55a92edee78316e071
SHA1: f2caa36d483076c92d17224cf92e260516b3cbbf
SHA256: 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
SHA512: c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

Filesize: 24.1MB
MD5: 26535109b672cff7b8bfc74870c39889
SHA1: df6e3a465d01b78844ec76488b843f598bc671e7
SHA256: c2254a4ca38417e7846f569250c6f41369fde28d2d30185af03b2efcd6897175
SHA512: d22f91d5f208cf57f8322801000b359e45187f925c255e4a1a0a5f6b081c8b3a570aff3ce2fcf00090142b390da44b4db80db69e57e90e4dc08944407485f37d

\??\Volume{612d9cf5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1d557e21-5fec-4641-90ad-6d94b773b6ab}_OnDiskSnapshotProp
Filesize: 6KB
MD5: 0ab84d782565120638aa76b1f0587409
SHA1: d4e23782fd5d29e25a65bc8b338ac55e09a23a52
SHA256: 1a013b49c08dbf99a2b10e8f2616afe8963f0084a725675c7ef8d6b328016c3b
SHA512: 20d2e7b0417e77cfe42b11c293f633db17fdf3fa3481e9523b5c0aa5c3cb872ba65985ac88cd72e03cda4a22067a96a36790a0fbf747db3393b809cea738b53f