Analysis Overview
SHA256
92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf
Threat Level: Known bad
The file 92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi.vir was found to be: Known bad.
Malicious Activity Summary
Gh0st RAT payload
Gh0strat family
Gh0strat
Detect PurpleFox Rootkit
Purplefox family
PurpleFox
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Drops file in System32 directory
Executes dropped EXE
Drops file in Program Files directory
Drops file in Windows directory
Event Triggered Execution: Installer Packages
System Network Configuration Discovery: Internet Connection Discovery
System Location Discovery: System Language Discovery
Modifies registry class
Runs ping.exe
Uses Volume Shadow Copy service COM API
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 15:52
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 15:52
Reported
2024-11-09 15:55
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
PurpleFox
Purplefox family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UhHKDmESOIjj.exe.log | C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\SustainSleekTutor\NLGACUfhExiQgpFqVoxutQoGyuzRSw | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| File opened for modification | C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log | C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe | N/A |
| File created | C:\Program Files\SustainSleekTutor\NLGACUfhExiQgpFqVoxutQoGyuzRSw | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| File opened for modification | C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| File created | C:\Program Files\SustainSleekTutor\bFchqPntlegL | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| File opened for modification | C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.xml | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| File opened for modification | C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Program Files\SustainSleekTutor\tsetup.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.xml | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| File created | C:\Program Files\SustainSleekTutor\2_bFchqPntlegL.exe | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| File opened for modification | C:\Program Files\SustainSleekTutor\2_bFchqPntlegL.exe | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| File created | C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| File opened for modification | C:\Program Files\SustainSleekTutor | C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe | N/A |
| File opened for modification | C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log | C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe | N/A |
| File created | C:\Program Files\SustainSleekTutor\valibclang2d.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| File opened for modification | C:\Program Files\SustainSleekTutor\bFchqPntlegL | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| File opened for modification | C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| File created | C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe | C:\Windows\System32\MsiExec.exe | N/A |
| File created | C:\Program Files\SustainSleekTutor\bFchqPntlegL.vbs | C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe | N/A |
| File opened for modification | C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log | C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe | N/A |
| File created | C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\e57c575.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57c573.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57c573.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{E94DD97D-74C5-4066-895C-1E7D5A0698F5} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC803.tmp | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| N/A | N/A | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| N/A | N/A | C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe | N/A |
| N/A | N/A | C:\Program Files\SustainSleekTutor\tsetup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-74GFC.tmp\tsetup.tmp | N/A |
| N/A | N/A | C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe | N/A |
| N/A | N/A | C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe | N/A |
| N/A | N/A | C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe | N/A |
| N/A | N/A | C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe | N/A |
| N/A | N/A | C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe | N/A |
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\SustainSleekTutor\tsetup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\is-74GFC.tmp\tsetup.tmp | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings | C:\Windows\System32\MsiExec.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0D716B2B7A13A72439FD62E0DFA6E582 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D79DD49E5C47660498C5E1D7A560895F | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\PackageCode = "422D740D8F2748241AF491420E7509A6" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Version = "100794368" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\PackageName = "92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D79DD49E5C47660498C5E1D7A560895F\ProductFeature | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\0D716B2B7A13A72439FD62E0DFA6E582\D79DD49E5C47660498C5E1D7A560895F | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\ProductName = "SustainSleekTutor" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D79DD49E5C47660498C5E1D7A560895F | C:\Windows\system32\msiexec.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| Token: 35 | N/A | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| Token: 35 | N/A | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-74GFC.tmp\tsetup.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-74GFC.tmp\tsetup.tmp | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\92553e176daf1cc411113c65eeec0fb2327100fc43356352787844ae85b78fdf.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 93850F45A0F39388974AA35B745D7B86 E Global\MSI0000
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\SustainSleekTutor','C:\Program Files','C:\Program Files'
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg" -o"C:\Program Files\SustainSleekTutor\" -p"10551gtm0S(>Gf#qrEw>" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf" -x!1_bFchqPntlegL.exe -x!sss -x!1_ZyhMwXBzCIJsXiZOsvVNAbbXEpqwBz.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\SustainSleekTutor\" -p"98858uC(.?=^~2>PRa?!" -y
C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
"C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg" -o"C:\Program Files\SustainSleekTutor\" -p"10551gtm0S(>Gf#qrEw>" -y
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 2
C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
"C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe" x "C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf" -x!1_bFchqPntlegL.exe -x!sss -x!1_ZyhMwXBzCIJsXiZOsvVNAbbXEpqwBz.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\SustainSleekTutor\" -p"98858uC(.?=^~2>PRa?!" -y
C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
"C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe" -number 127 -file file3 -mode mode3
C:\Program Files\SustainSleekTutor\tsetup.exe
"C:\Program Files\SustainSleekTutor\tsetup.exe"
C:\Users\Admin\AppData\Local\Temp\is-74GFC.tmp\tsetup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-74GFC.tmp\tsetup.tmp" /SL5="$90254,44246395,814592,C:\Program Files\SustainSleekTutor\tsetup.exe"
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Program Files\SustainSleekTutor\bFchqPntlegL.vbs"
C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe
"C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe" install
C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe
"C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe" start
C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe
"C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe"
C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
"C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe" -number 291 -file file3 -mode mode3
C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe
"C:\Program Files\SustainSleekTutor\bFchqPntlegL.exe" -number 62 -file file3 -mode mode3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 246.197.219.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | im.qq.com | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dsfgdg5641rfe.icu | udp |
| HK | 38.47.221.100:80 | dsfgdg5641rfe.icu | tcp |
| US | 8.8.8.8:53 | 100.221.47.38.in-addr.arpa | udp |
| HK | 27.124.9.39:13000 | | tcp |
| US | 8.8.8.8:53 | 39.9.124.27.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fdg156fdg.cyou | udp |
| US | 8.8.8.8:53 | qdfbvccc.cyou | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.73.42.20.in-addr.arpa | udp |
Files
\??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5db66f6d-1b08-4c43-ad0d-1134d7b40fd6}_OnDiskSnapshotProp
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eclw0uin.tag.ps1
C:\Program Files\SustainSleekTutor\xPrAcumKTQSTxOmHKUhvPkgyTZQeAF.exe
C:\Program Files\SustainSleekTutor\lBktGjuuaOaTazRwJvXXhRyefRHhOg
C:\Program Files\SustainSleekTutor\NMnDkvvmlBOPWlKYckpqMpfXmIsbMf
C:\Program Files\SustainSleekTutor\2_bFchqPntlegL.exe
C:\Program Files\SustainSleekTutor\tsetup.exe
C:\Config.Msi\e57c574.rbs
C:\Users\Admin\AppData\Local\Temp\is-74GFC.tmp\tsetup.tmp
C:\Windows\Installer\e57c573.msi
C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.exe
C:\Program Files\SustainSleekTutor\bFchqPntlegL.vbs
C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.xml
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\UhHKDmESOIjj.exe.log
C:\Program Files\SustainSleekTutor\UhHKDmESOIjj.wrapper.log