Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-10-2024 08:45

Static task: static1

Behavioral task: behavioral1
- Sample: Chromestup翻译插件.msi
- Resource: win7-20240903-en

Behavioral task: behavioral2
- Sample: Chromestup翻译插件.msi
- Resource: win10v2004-20241007-en

General
- Target: Chromestup翻译插件.msi
- Size: 2.6MB
- MD5: 75a1688aca4c2641659f060d86f6b612
- SHA1: a1740d536b654d4a381c9089ce51dd2026efa819
- SHA256: e7dcdf225c0edd20c920d918b05dab323ce787aae54768cd15ad406ac26e2ae9
- SHA512: ce7169ac22f21c1010ea60eef8be106beae453929907d3beee8fd245fe7ec51e635846c6f8af4d80d2cd8a533bf994ae2490a3ed9b48467a009798b849baa80c
- SSDEEP: 49152:0FvHELEfBtQTIoWd4rUXs6kA+h5N3IaaLoWNAxOiZowguCIFVx0K5xU:0FveQQE5SBGkpIaavAQag67x0K5xU
Malware Config
Signatures

resource | yara_rule
behavioral2/memory/4940-87-0x000000002B8D0000-0x000000002BA8C000-memory.dmp | purplefox_rootkit
behavioral2/memory/4940-89-0x000000002B8D0000-0x000000002BA8C000-memory.dmp | purplefox_rootkit
behavioral2/memory/4940-90-0x000000002B8D0000-0x000000002BA8C000-memory.dmp | purplefox_rootkit
behavioral2/memory/4940-91-0x000000002B8D0000-0x000000002BA8C000-memory.dmp | purplefox_rootkit

Gh0st RAT payload 4 IoCs
resource | yara_rule
behavioral2/memory/4940-87-0x000000002B8D0000-0x000000002BA8C000-memory.dmp | family_gh0strat
behavioral2/memory/4940-89-0x000000002B8D0000-0x000000002BA8C000-memory.dmp | family_gh0strat
behavioral2/memory/4940-90-0x000000002B8D0000-0x000000002BA8C000-memory.dmp | family_gh0strat
behavioral2/memory/4940-91-0x000000002B8D0000-0x000000002BA8C000-memory.dmp | family_gh0strat

Gh0strat family

Purplefox family
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
3576 | powershell.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\OpqmKKXicuhB.exe.log | OpqmKKXicuhB.exe
Drops file in Program Files directory 17 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.xml | MvUlJzZBELPG.exe
File opened for modification | C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe | MvUlJzZBELPG.exe
File created | C:\Program Files\SupportInspiringAnalyzer\FNMdVxXPbyhsDeODMFqD | msiexec.exe
File created | C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.xml | MvUlJzZBELPG.exe
File created | C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe | MvUlJzZBELPG.exe
File opened for modification | C:\Program Files\SupportInspiringAnalyzer | qDrRguPncUTJ.exe
File opened for modification | C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.exe | MvUlJzZBELPG.exe
File created | C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.vbs | qDrRguPncUTJ.exe
File opened for modification | C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.wrapper.log | OpqmKKXicuhB.exe
File opened for modification | C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.wrapper.log | OpqmKKXicuhB.exe
File created | C:\Program Files\SupportInspiringAnalyzer\MvUlJzZBELPG.exe | msiexec.exe
File created | C:\Program Files\SupportInspiringAnalyzer\valibclang2d.dll | msiexec.exe
File opened for modification | C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ | MvUlJzZBELPG.exe
File created | C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.exe | MvUlJzZBELPG.exe
File created | C:\Program Files\SupportInspiringAnalyzer\igc964.dll | msiexec.exe
File created | C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ | MvUlJzZBELPG.exe
File opened for modification | C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.wrapper.log | OpqmKKXicuhB.exe
Drops file in Windows directory 8 IoCs
description | ioc | Process
File created | C:\Windows\Installer\SourceHash{3EB6727B-D1EB-4374-B33D-8BA47CCA3202} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI2A28.tmp | msiexec.exe
File created | C:\Windows\Installer\e582920.msi | msiexec.exe
File created | C:\Windows\Installer\e58291e.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e58291e.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
Executes dropped EXE 7 IoCs
pid | Process
1452 | MvUlJzZBELPG.exe
3032 | qDrRguPncUTJ.exe
3432 | OpqmKKXicuhB.exe
1456 | OpqmKKXicuhB.exe
1824 | OpqmKKXicuhB.exe
4016 | qDrRguPncUTJ.exe
4940 | qDrRguPncUTJ.exe
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
3980 | msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | MvUlJzZBELPG.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qDrRguPncUTJ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qDrRguPncUTJ.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | qDrRguPncUTJ.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value not captured in the report) | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | qDrRguPncUTJ.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | qDrRguPncUTJ.exe
Modifies data under HKEY_USERS 59 IoCs
Modifies registry class 22 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B7276BE3BE1D47343BD3B84AC7AC2320 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\ProductName = "SupportInspiringAnalyzer" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\AdvertiseFlags = "388" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\SourceList\PackageName = "Chromestup翻译插件.msi" | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\Clients = 3a0000000000 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B7276BE3BE1D47343BD3B84AC7AC2320\ProductFeature | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\PackageCode = "7ED114DDD5473FB4B927257371DB7C73" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\Version = "117506049" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\AuthorizedLUAApp = "0" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\Language = "1033" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\24491C0B704EEA64697A08AA008DF996 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\24491C0B704EEA64697A08AA008DF996\B7276BE3BE1D47343BD3B84AC7AC2320 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\SourceList\Media | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\Assignment = "1" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B7276BE3BE1D47343BD3B84AC7AC2320\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
3980 | msiexec.exe
3980 | msiexec.exe
Suspicious use of WriteProcessMemory 20 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Windows\system32\msiexec.exe (PID 3980)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Chromestup翻译插件.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 4780)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\system32\srtasks.exe (PID 1676)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

  - C:\Windows\System32\MsiExec.exe (PID 4948)
    Command line: C:\Windows\System32\MsiExec.exe -Embedding E51DD2F55A5D99ADBDEC62CF4EC0EF2F E Global\MSI0000
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory

    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 3576)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\SupportInspiringAnalyzer'
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    - C:\Windows\System32\cmd.exe (PID 2856)
      Command line: "C:\Windows\System32\cmd.exe" /c start "" "C:\Program Files\SupportInspiringAnalyzer\MvUlJzZBELPG.exe" x "C:\Program Files\SupportInspiringAnalyzer\FNMdVxXPbyhsDeODMFqD" -o"C:\Program Files\SupportInspiringAnalyzer\" -prcyZypXSeJJwJRguypsQ -y
      - Suspicious use of WriteProcessMemory

      - C:\Program Files\SupportInspiringAnalyzer\MvUlJzZBELPG.exe (PID 1452)
        Command line: "C:\Program Files\SupportInspiringAnalyzer\MvUlJzZBELPG.exe" x "C:\Program Files\SupportInspiringAnalyzer\FNMdVxXPbyhsDeODMFqD" -o"C:\Program Files\SupportInspiringAnalyzer\" -prcyZypXSeJJwJRguypsQ -y
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

    - C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe (PID 3032)
      Command line: "C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe" -number 148 -file file3 -mode mode3 -flag flag3
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses

- C:\Windows\system32\vssvc.exe (PID 1380)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\System32\WScript.exe (PID 4080)
  Command line: C:\Windows\System32\WScript.exe "C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.vbs"
  - Modifies data under HKEY_USERS

- C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.exe (PID 3432)
  Command line: "C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.exe" install
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE

- C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.exe (PID 1456)
  Command line: "C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.exe" start
  - Drops file in Program Files directory
  - Executes dropped EXE

- C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.exe (PID 1824)
  Command line: "C:\Program Files\SupportInspiringAnalyzer\OpqmKKXicuhB.exe"
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  - C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe (PID 4016)
    Command line: "C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe" -number 200 -file file3 -mode mode3 -flag flag3
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    - C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe (PID 4940)
      Command line: "C:\Program Files\SupportInspiringAnalyzer\qDrRguPncUTJ.exe" -number 132 -file file3 -mode mode3 -flag flag3
      - Enumerates connected drives
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry