Analysis

max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-11-2024 04:28

Static task: static1

Behavioral task: behavioral1
  Sample: fd6e356f17c7db639084ea710174ed0c4ca6c43cc701525f855f241653d47e2d.msi
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: fd6e356f17c7db639084ea710174ed0c4ca6c43cc701525f855f241653d47e2d.msi
  Resource: win10v2004-20241007-en
General

Target: fd6e356f17c7db639084ea710174ed0c4ca6c43cc701525f855f241653d47e2d.msi
Size: 242.2MB
MD5: 4393f1aeb2effbba1df28ca5057e2182
SHA1: ca2985c1f08350363b1b62756035b2982b787ab6
SHA256: fd6e356f17c7db639084ea710174ed0c4ca6c43cc701525f855f241653d47e2d
SHA512: 3e655488342b8be0038049b8193da42481c4c2a868ca613f311095d656539d35f01c865a7cb44eb7227ca1ae1ad5b63199a6ba84644dd26506ce6256638d5ed7
SSDEEP: 6291456:oLKBfaA+iLH02im/1aOUiWuXsiHDqzGw4w:oLWfadiL1B/1/UZucfzT4
Malware Config
Signatures

resource | yara_rule
behavioral2/memory/2676-414-0x000000002C340000-0x000000002C4FC000-memory.dmp | purplefox_rootkit
behavioral2/memory/2676-416-0x000000002C340000-0x000000002C4FC000-memory.dmp | purplefox_rootkit
behavioral2/memory/2676-417-0x000000002C340000-0x000000002C4FC000-memory.dmp | purplefox_rootkit
behavioral2/memory/2676-418-0x000000002C340000-0x000000002C4FC000-memory.dmp | purplefox_rootkit

Gh0st RAT payload 4 IoCs
resource | yara_rule
behavioral2/memory/2676-414-0x000000002C340000-0x000000002C4FC000-memory.dmp | family_gh0strat
behavioral2/memory/2676-416-0x000000002C340000-0x000000002C4FC000-memory.dmp | family_gh0strat
behavioral2/memory/2676-417-0x000000002C340000-0x000000002C4FC000-memory.dmp | family_gh0strat
behavioral2/memory/2676-418-0x000000002C340000-0x000000002C4FC000-memory.dmp | family_gh0strat
Gh0strat family
Purplefox family
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid | Process
5044 | powershell.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 1 IoCs
description | ioc | Process
File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QtrVrzdIjlZB.exe.log | QtrVrzdIjlZB.exe
Drops file in Program Files directory 23 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\UpgradeValiantSupervisor\yGaVQsKQWUJVupahxVGFYtDcnwNqlm | QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe
File created | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN | QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe
File opened for modification | C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe | QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe
File created | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe | QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe
File opened for modification | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | MsiExec.exe
File opened for modification | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log | QtrVrzdIjlZB.exe
File created | C:\Program Files\UpgradeValiantSupervisor\valibclang2d.dll | msiexec.exe
File created | C:\Program Files\UpgradeValiantSupervisor\yGaVQsKQWUJVupahxVGFYtDcnwNqlm | QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe
File opened for modification | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN | QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe
File created | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe | MsiExec.exe
File created | C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs | ZhObbZwOavDN.exe
File created | C:\Program Files\UpgradeValiantSupervisor\XKYmrPWFxyBWJVhaoMMkJtrOmLOXqQ | msiexec.exe
File opened for modification | C:\Program Files\UpgradeValiantSupervisor\lZUcUGIkCrHpRcYmglgTBsqAioyfvZ | QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe
File created | C:\Program Files\UpgradeValiantSupervisor\lZUcUGIkCrHpRcYmglgTBsqAioyfvZ | QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe
File created | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml | QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe
File opened for modification | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.xml | QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe
File created | C:\Program Files\UpgradeValiantSupervisor\2_ZhObbZwOavDN.exe | QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe
File opened for modification | C:\Program Files\UpgradeValiantSupervisor | ZhObbZwOavDN.exe
File opened for modification | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log | QtrVrzdIjlZB.exe
File created | C:\Program Files\UpgradeValiantSupervisor\QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe | msiexec.exe
File created | C:\Program Files\UpgradeValiantSupervisor\WPS_Setup_18608.exe | msiexec.exe
File opened for modification | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.wrapper.log | QtrVrzdIjlZB.exe
File opened for modification | C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe | QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe
Drops file in Windows directory 8 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Installer\MSIE128.tmp | msiexec.exe
File created | C:\Windows\Installer\e57dc0a.msi | msiexec.exe
File created | C:\Windows\Installer\e57dc08.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57dc08.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{88AA5570-0E18-495F-B64F-F23393779E85} | msiexec.exe
Executes dropped EXE 11 IoCs
pid | Process
632 | QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe
2956 | QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe
1768 | ZhObbZwOavDN.exe
2904 | QtrVrzdIjlZB.exe
4752 | WPS_Setup_18608.exe
3504 | WPS_Setup_18608.exe
4860 | WPS_Setup_18608.exe
3548 | QtrVrzdIjlZB.exe
1412 | QtrVrzdIjlZB.exe
3432 | ZhObbZwOavDN.exe
2676 | ZhObbZwOavDN.exe
Loads dropped DLL 20 IoCs
pid | Process
4752 | WPS_Setup_18608.exe
4752 | WPS_Setup_18608.exe
4752 | WPS_Setup_18608.exe
4752 | WPS_Setup_18608.exe
3504 | WPS_Setup_18608.exe
3504 | WPS_Setup_18608.exe
3504 | WPS_Setup_18608.exe
3504 | WPS_Setup_18608.exe
3504 | WPS_Setup_18608.exe
3504 | WPS_Setup_18608.exe
3504 | WPS_Setup_18608.exe
3504 | WPS_Setup_18608.exe
3504 | WPS_Setup_18608.exe
3504 | WPS_Setup_18608.exe
3504 | WPS_Setup_18608.exe
3504 | WPS_Setup_18608.exe
3504 | WPS_Setup_18608.exe
3504 | WPS_Setup_18608.exe
3504 | WPS_Setup_18608.exe
3504 | WPS_Setup_18608.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid | Process
1652 | msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WPS_Setup_18608.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WPS_Setup_18608.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | WPS_Setup_18608.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ZhObbZwOavDN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ZhObbZwOavDN.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ZhObbZwOavDN.exe
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid | Process
3012 | cmd.exe
4212 | PING.EXE
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [value not captured] | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | ZhObbZwOavDN.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | ZhObbZwOavDN.exe
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 22 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\663075415D50ACD4285A53486C216113\0755AA8881E0F5946BF42F333977E958 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0755AA8881E0F5946BF42F333977E958\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0755AA8881E0F5946BF42F333977E958\SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0755AA8881E0F5946BF42F333977E958\ProductFeature | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0755AA8881E0F5946BF42F333977E958 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0755AA8881E0F5946BF42F333977E958\Version = "67567619" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0755AA8881E0F5946BF42F333977E958\Assignment = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\663075415D50ACD4285A53486C216113 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0755AA8881E0F5946BF42F333977E958\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0755AA8881E0F5946BF42F333977E958\SourceList\PackageName = "fd6e356f17c7db639084ea710174ed0c4ca6c43cc701525f855f241653d47e2d.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0755AA8881E0F5946BF42F333977E958\SourceList\Net | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0755AA8881E0F5946BF42F333977E958\Clients = 3a0000000000 | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0755AA8881E0F5946BF42F333977E958 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0755AA8881E0F5946BF42F333977E958\ProductName = "UpgradeValiantSupervisor" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0755AA8881E0F5946BF42F333977E958\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0755AA8881E0F5946BF42F333977E958\AuthorizedLUAApp = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0755AA8881E0F5946BF42F333977E958\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0755AA8881E0F5946BF42F333977E958\PackageCode = "EA06573DEACD0C0409E43EDA47C90475" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0755AA8881E0F5946BF42F333977E958\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0755AA8881E0F5946BF42F333977E958\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0755AA8881E0F5946BF42F333977E958\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0755AA8881E0F5946BF42F333977E958\SourceList\Media | msiexec.exe
Runs ping.exe 1 TTPs 1 IoCs
pid | Process
4212 | PING.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid | Process
3504 | WPS_Setup_18608.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3504 | WPS_Setup_18608.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1652 | msiexec.exe
1652 | msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
3504 | WPS_Setup_18608.exe
Suspicious use of WriteProcessMemory 31 IoCs
description | pid | Process | procid_target
PID 4048 wrote to memory of 3216 | 4048 | msiexec.exe | 97
PID 4048 wrote to memory of 3216 | 4048 | msiexec.exe | 97
PID 4048 wrote to memory of 2228 | 4048 | msiexec.exe | 99
PID 4048 wrote to memory of 2228 | 4048 | msiexec.exe | 99
PID 2228 wrote to memory of 5044 | 2228 | MsiExec.exe | 100
PID 2228 wrote to memory of 5044 | 2228 | MsiExec.exe | 100
PID 2228 wrote to memory of 3012 | 2228 | MsiExec.exe | 102
PID 2228 wrote to memory of 3012 | 2228 | MsiExec.exe | 102
PID 3012 wrote to memory of 632 | 3012 | cmd.exe | 104
PID 3012 wrote to memory of 632 | 3012 | cmd.exe | 104
PID 3012 wrote to memory of 632 | 3012 | cmd.exe | 104
PID 3012 wrote to memory of 4212 | 3012 | cmd.exe | 105
PID 3012 wrote to memory of 4212 | 3012 | cmd.exe | 105
PID 3012 wrote to memory of 2956 | 3012 | cmd.exe | 107
PID 3012 wrote to memory of 2956 | 3012 | cmd.exe | 107
PID 3012 wrote to memory of 2956 | 3012 | cmd.exe | 107
PID 2228 wrote to memory of 1768 | 2228 | MsiExec.exe | 109
PID 2228 wrote to memory of 1768 | 2228 | MsiExec.exe | 109
PID 2228 wrote to memory of 1768 | 2228 | MsiExec.exe | 109
PID 2228 wrote to memory of 4752 | 2228 | MsiExec.exe | 111
PID 2228 wrote to memory of 4752 | 2228 | MsiExec.exe | 111
PID 2228 wrote to memory of 4752 | 2228 | MsiExec.exe | 111
PID 4752 wrote to memory of 3504 | 4752 | WPS_Setup_18608.exe | 115
PID 4752 wrote to memory of 3504 | 4752 | WPS_Setup_18608.exe | 115
PID 4752 wrote to memory of 3504 | 4752 | WPS_Setup_18608.exe | 115
PID 1412 wrote to memory of 3432 | 1412 | QtrVrzdIjlZB.exe | 120
PID 1412 wrote to memory of 3432 | 1412 | QtrVrzdIjlZB.exe | 120
PID 1412 wrote to memory of 3432 | 1412 | QtrVrzdIjlZB.exe | 120
PID 3432 wrote to memory of 2676 | 3432 | ZhObbZwOavDN.exe | 122
PID 3432 wrote to memory of 2676 | 3432 | ZhObbZwOavDN.exe | 122
PID 3432 wrote to memory of 2676 | 3432 | ZhObbZwOavDN.exe | 122
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

(Indentation reflects the depth of each process in the tree; nested entries are children of the entry above them.)

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fd6e356f17c7db639084ea710174ed0c4ca6c43cc701525f855f241653d47e2d.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 1652

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 4048

    C:\Windows\system32\srtasks.exe
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 3216

    C:\Windows\System32\MsiExec.exe
      Command line: C:\Windows\System32\MsiExec.exe -Embedding 48A7572FFAA34358BC889E9E71D5B4B1 E Global\MSI0000
      - Drops file in Program Files directory
      - Modifies data under HKEY_USERS
      - Suspicious use of WriteProcessMemory
      PID: 2228

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\UpgradeValiantSupervisor','C:\Program Files','C:\Program Files'
          - Command and Scripting Interpreter: PowerShell
          - Modifies data under HKEY_USERS
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          PID: 5044

        C:\Windows\System32\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\UpgradeValiantSupervisor\QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe" x "C:\Program Files\UpgradeValiantSupervisor\XKYmrPWFxyBWJVhaoMMkJtrOmLOXqQ" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"216407uRm!g5%as}S}It" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\UpgradeValiantSupervisor\QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe" x "C:\Program Files\UpgradeValiantSupervisor\lZUcUGIkCrHpRcYmglgTBsqAioyfvZ" -x!1_ZhObbZwOavDN.exe -x!sss -x!1_VDHzjIgYYVtDUEXESCkEnfwqxTFttd.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\UpgradeValiantSupervisor\" -p"39895lK3p$:%-WI>c*Z|" -y
          - System Network Configuration Discovery: Internet Connection Discovery
          - Suspicious use of WriteProcessMemory
          PID: 3012

            C:\Program Files\UpgradeValiantSupervisor\QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe
              Command line: "C:\Program Files\UpgradeValiantSupervisor\QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe" x "C:\Program Files\UpgradeValiantSupervisor\XKYmrPWFxyBWJVhaoMMkJtrOmLOXqQ" -o"C:\Program Files\UpgradeValiantSupervisor\" -p"216407uRm!g5%as}S}It" -y
              - Drops file in Program Files directory
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              PID: 632

            C:\Windows\system32\PING.EXE
              Command line: ping 127.0.0.1 -n 2
              - System Network Configuration Discovery: Internet Connection Discovery
              - Runs ping.exe
              PID: 4212

            C:\Program Files\UpgradeValiantSupervisor\QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe
              Command line: "C:\Program Files\UpgradeValiantSupervisor\QuKXZsRXURIinRpoBrKGXnAQNKrytv.exe" x "C:\Program Files\UpgradeValiantSupervisor\lZUcUGIkCrHpRcYmglgTBsqAioyfvZ" -x!1_ZhObbZwOavDN.exe -x!sss -x!1_VDHzjIgYYVtDUEXESCkEnfwqxTFttd.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\UpgradeValiantSupervisor\" -p"39895lK3p$:%-WI>c*Z|" -y
              - Drops file in Program Files directory
              - Executes dropped EXE
              - System Location Discovery: System Language Discovery
              - Suspicious use of AdjustPrivilegeToken
              PID: 2956

        C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe
          Command line: "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 111 -file file3 -mode mode3
          - Drops file in Program Files directory
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: EnumeratesProcesses
          PID: 1768

        C:\Program Files\UpgradeValiantSupervisor\WPS_Setup_18608.exe
          Command line: "C:\Program Files\UpgradeValiantSupervisor\WPS_Setup_18608.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 4752

            C:\ProgramData\kingsoft\20241115_42958\WPS_Setup_18608.exe
              Command line: "C:\ProgramData\kingsoft\20241115_42958\WPS_Setup_18608.exe" /ThemeIndex=#ThemeIndex#
              - Executes dropped EXE
              - Loads dropped DLL
              - System Location Discovery: System Language Discovery
              - Modifies data under HKEY_USERS
              - Suspicious behavior: AddClipboardFormatListener
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of SetWindowsHookEx
              PID: 3504

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID: 1624

C:\Windows\System32\WScript.exe
  Command line: C:\Windows\System32\WScript.exe "C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.vbs"
- Modifies data under HKEY_USERS
PID:3732
-
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe"C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe" install1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2904
-
C:\ProgramData\kingsoft\20241115_42958\WPS_Setup_18608.exe"C:\ProgramData\kingsoft\20241115_42958\WPS_Setup_18608.exe" -downpower -ThemeIndex="#ThemeIndex#" -msgwndname=wpssetup_message_E581047 -curinstalltemppath=C:\Users\Admin\AppData\Local\Temp\wps\~e580e72\ -msgsmname=Global\_wpssetup_message_sm_DB01⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4860
-
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe"C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe" start1⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:3548
-
C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe"C:\Program Files\UpgradeValiantSupervisor\QtrVrzdIjlZB.exe"1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1412 -
C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe"C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 248 -file file3 -mode mode32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe"C:\Program Files\UpgradeValiantSupervisor\ZhObbZwOavDN.exe" -number 62 -file file3 -mode mode33⤵
- Enumerates connected drives
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2676
-
-
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 8KB
MD5: 1411eda46372611001a29f5b8c2a3abb
SHA1: 96991d37cfacab578cb34209f236a46f48369154
SHA256: 6ce6e16c2baacfa9998e19e6df8fd20136be7b304764f9f49686a9e70fb0e2f0
SHA512: c9cb72571c5b60af60b4bc39729d92a462a87613bd13ac245c521b993d1847631ee193c1b5a2762fde17b2ef67f8879ea80c9a09f7ee37c218d1a618a2d57363

Filesize: 2.1MB
MD5: 124b1390f39511fa043e99578d4fad57
SHA1: 9f2e13afe318878167328104b6710ad53f1f168b
SHA256: f65559e20b9473aa23450850ac2a0a6d6045a8987236db6ff9b2b3e448e569e9
SHA512: eb0d19da7f3e775ca6e36f0c51f7a83116a16b6096dd0c5e42ef23a4cdcf2cea805e928092c2adc6c78138455b2b2fb7f62dfe287ead2fb3ee7dd0e86f16c9ac

Filesize: 832KB
MD5: d305d506c0095df8af223ac7d91ca327
SHA1: 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256: 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA512: 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

Filesize: 280B
MD5: bc3796a02ccf42fc5467520a0d11457a
SHA1: 3c11d6b91379109d53c1cc7f2b0d2be22fb92af3
SHA256: 40555400b90ba6a023ee485ff059365d944e0f8a155a8e1c8b943a2f475593c6
SHA512: 8e048c09e84fbe86f01b9e5bf5daa4201d256d224b7712433d1aae89a888bd23dcbcbef0b592bb9d64a8b46aef5b079791bb7684311dc19256e1cda91a8ba62b

Filesize: 443B
MD5: 40f1946d105b556da4cd175886cdbe99
SHA1: b29c13fdbdb7f350e7c2fbe78db59b0ee022c12c
SHA256: e90b6adb3d4ff7dcbd17f76989d0d39226e323295f5a31a3c6c0862a4239b37e
SHA512: b6d6414bd16171ffc81cfb99a37070282e4679c2361af822d8b9048b11df69f42ed9da11e83154647d99ec5e4410b2efcd3374b0532aabea5817901696445511

Filesize: 507B
MD5: 80629f451409b29ff181b0ef0bc948cb
SHA1: 23df4bf65801774c9a0a2e8c2fb1c54c5017b52d
SHA256: 7cb4520f06cf001c46e38bfb721f9d0e2475be77c26ed1939020e6b12d78f968
SHA512: 17ce98d46968f7a16a70e264f23ecb2a6016489a2053a29e1cfd072345b14952efb9ac8a7415e8c558097a93356b97d6e403fdb83f92adaddd12a4608e80af23

Filesize: 753B
MD5: 6bd1477294da4f9ef97dfdf4b4244b6c
SHA1: f431a2f4f70cb2de267e17b83366a20a1d75962b
SHA256: 73b591373aefaf8c43810d0cfcd79e5891a046a829bdbba04256f6607074932b
SHA512: ebbd62dfa4fc1c86871b96ce7a23018d0ece25e1caa1ff6b71f785db05cd7fc55adae02ad2f1782ed279f80b788c30c16854f183f0799c2b245a5b08fb69275e

Filesize: 436B
MD5: a8dfb5c5b3a332807549a2558bc1fa23
SHA1: e5984cb0b66cda5f32990026f173526ac3e332c5
SHA256: 5a919e7daef00b56eecfbf48a01f77187becd2123a46812c5e0b1590fba4b3a4
SHA512: bcefd46b515ab4d80e2dcad23d45cc542cc9a37b757d3517ba1d00e7e7d5459a312255a74cfdbd074a55c2c5da617292977c3a7dd7e2875472c5f77451372ea7

Filesize: 577KB
MD5: c31c4b04558396c6fabab64dcf366534
SHA1: fa836d92edc577d6a17ded47641ba1938589b09a
SHA256: 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512: 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

Filesize: 1.5MB
MD5: 0a73dff245b9dd0ef7135a3ce13c658d
SHA1: 8776a42095dd0373fbd6fb810ce427ec8259cc66
SHA256: f5006ccdb830241f30c9c2cc0fff2aba502369dff0f402db65fb8033a4562fc8
SHA512: be1b38507c4090f5a3010c114322c0b039e5606efb35d3295d466e4a8cf88be228645fb3131bf6a51b25cbda8b3e49b88ea2336f01d7bf994dbac6e595e257c1

Filesize: 2KB
MD5: 31cb7c228337b05b262877c9d1d31f40
SHA1: c67ef4beb96061c1bdf53334e125dde65d079e2a
SHA256: f3acc593d2324d95131363105f89f5e97a0d251a997eab95486b8f0ffe76baee
SHA512: fda05de734d8dadd6250687bdd9e74a1ee833f860ddb296faac2e7c1251cd2a346e31e68590d6694ab504982815482b888b9328ab5248a431d6ae9df30997be8

Filesize: 1.5MB
MD5: a8c7cb63bdb51e60bbbb6ff4474015b1
SHA1: 250280ba33a0784bc5c00be39f5c297683db0935
SHA256: 960bc0889a671757fa66e98e5a0d3aa8c3b839b884a88ab4f40ebff3025eb6d8
SHA512: e020225fbcfa53cdbe41d55ca5dbfd49b72428ee58bbf2dc769d401c39056af8cdc8bd1ee80da76eed86b4af7a5548e3b113d012f4ae29b97614abceb194db71

Filesize: 1KB
MD5: 920068869d99afbee8244a2be1e667dd
SHA1: 4fb5d143480d258cb4afa9d009b303a08fc9122b
SHA256: 53b4432efa05bb55dec931a4641e32a6dccae3fb4730bf66bab2fe58df904d2f
SHA512: 466623f31264a788fbf83589f8d5601ba1797d9df21da04fca5a13ff25678ddc3291d3086fedfbf5829a1eed93a67759af704c51c38c3378202c34e242eae8da

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Filesize: 13KB
MD5: 28c87a09fdb49060aa4ab558a2832109
SHA1: 9213a24964cd479eac91d01ad54190f9c11d0c75
SHA256: 933cadcd3a463484bbb3c45077afda0edbb539dfbe988efad79a88cae63bf95f
SHA512: 413b3afe5a3b139a199f2a6954edc055eee3b312c3dffd568cfdbe1f740f07a7c27fbf7b2a0b6e3c3dd6ee358ce96cc1ca821883f055bf63ddebda854384700d

Filesize: 11KB
MD5: 0063d48afe5a0cdc02833145667b6641
SHA1: e7eb614805d183ecb1127c62decb1a6be1b4f7a8
SHA256: ac9dfe3b35ea4b8932536ed7406c29a432976b685cc5322f94ef93df920fede7
SHA512: 71cbbcaeb345e09306e368717ea0503fe8df485be2e95200febc61bcd8ba74fb4211cd263c232f148c0123f6c6f2e3fd4ea20bdecc4070f5208c35c6920240f0

Filesize: 192KB
MD5: 500318167948bdd3ad42a40721e1a72b
SHA1: 24134691693e6d78d6eb0a0c64833c12a0090968
SHA256: d3378ee739debcaee8c715963403d96bf025db98bfbb55e54635429890db85c6
SHA512: 0a2d3b55528cc53cfce5b47158997300c562afd2c7bb5596532b218d3f482380887ee7c204b13d42425dc0c4cc439a7f9ed167f3767bda7b6e205e7e8f454863

Filesize: 5.0MB
MD5: e847288468d4daadcb8f5a8bb152e923
SHA1: 574f7b2d1def9d79c4257c4268246fb399041bf6
SHA256: dc450ada7d31c9df923803e687c87dda9b9bec5e3f0efef6a30206872c9559a5
SHA512: b0c939485c7ab200837f8f4eb1da305644457825611a6d829cb6f789e486ef69ef4716f152e487b599f85cddaeb53808e71e3e016b4f7b4c4a71a2506586e133

Filesize: 5.3MB
MD5: c79bc97c4dc3a9f6beff0d18a0916b15
SHA1: 3cb0b6ae6fd034ee24511c8ecd91c16d73d2b76a
SHA256: 0c490173ab692710614f42dde8cf643aec26ff4636dc25d778d1444fe90368ea
SHA512: df1475695972a4c17401a4552e43eb249a99c77c3292c42d48a64964bcd10534fa006ab09124acb197b0b27283042afd0e9163953f824507ca2279c04a82d147

Filesize: 392KB
MD5: d7207f0e20b9ec71399fb9914ffb8278
SHA1: e862601902fb95f2cd2b79370dc0547cf382ccd5
SHA256: 6b47184545802c689971608dea86a2e7925b21714db800afd56a5eb40398dcc0
SHA512: 59afd7add23f80bbe0d3df5be60226b1a80133439b2b6f217a67db1911d3adaba6b360b29f4debf6ed9574619521dc3677248185ad9cc6870488565309f1a3e8

Filesize: 4.5MB
MD5: e680d10a2632b3bcc9e87790b11c9fc5
SHA1: c97b51036952a79e7173e672f59492487902952a
SHA256: ec89fe25ce694fa68c80aab24cef732c0d9d102b35f38b946cdcce517b5ad329
SHA512: cb6284236c3259bbacc2f90cb6ac059ef9da9d03277df21ac0ec69eb0132271a346477e9305875d4723f6f3327d04fd5f5bb26a9b39d8e8b7c94fea57a83dceb

Filesize: 217KB
MD5: 4df516604e20d8defb35aaf0fb16a2b5
SHA1: 6b34b3fcb1da882e6adbd78f1aa38bfc4710a098
SHA256: 4c7efb65779f1b988bfc12623e042338061bd123a89b8171c7db7ace7d416628
SHA512: cd7d4b005f1ff7fbdfbb15da4ffe5513fcb741b2088fa42560f45b6fe4f3dd97efb78c7a2ec49b0ce8a0dc4a5fe237f4ffc68ea6c8b6a048718876656fb5282d

Filesize: 1.9MB
MD5: 283a731e55f15516cbefe175ced45d26
SHA1: 59eb1520c7b7f1ca8faa494426d6c9a64c15e145
SHA256: 9fa73aeb2092080fc29f80f3a1287c1740ed4eb85f883c87be385c846b9b47fe
SHA512: 7dc7da18fe2376780ccc226ee1caf7eddb38edc4540fab8c2e5a9589dcdea3b8218fb483df2e8b5c5df358e484b161292399340f4e1ea06b71464b05b220643b

Filesize: 427KB
MD5: db1e9807b717b91ac6df6262141bd99f
SHA1: f55b0a6b2142c210bbfeebf1bac78134acc383b2
SHA256: 5a6dfa5e1ffb6c1e7fc76bd121c6c91305e10dd75fc2124f79fee291a9dd9e86
SHA512: f0621977d20989d21ae14b66c1a7a6c752bfd6d7ccc2c4c4ec1c70ba6756e642fb7f9b1c6a94afadd0f8a05d3c377792e4aa4c1a771d833c40a6f46b90cbe7c3

Filesize: 61KB
MD5: b2555aac6faa3c776c7963538e3d642c
SHA1: 01d7a80ce29872195770b6a76854d4e0e5576325
SHA256: 894172fcd20aa7bf493cab6599d04102208810be1b080d0ef8422b047cdb3c3f
SHA512: 0571aed245f8d62d387315a27d485b1154a8664e4db96fb54a67eb2c19ccbd547040378240d60d67668867f715da7775bbe86794329b48ae27e6a5f787e63109

Filesize: 41KB
MD5: 90b1c6c13aa734636f94ac73d295c87a
SHA1: d5a9ab0696de39719bdb9bb71eb35353a8552525
SHA256: d62301457c3751ccb81d1a069491ef2ead1379b7910bc763f2d17969efea0406
SHA512: 94a4a35294cb1ce7cf233fa95825b989fc7553a9ff78e23284aa592874fc01816fd765ecb800c030a6f92eac2ba69b1d2aad11600a2caa2afeda22e2d1b1325d

Filesize: 1.3MB
MD5: b6a37f22541908b36755c1b2907f4972
SHA1: 1327b11691fe35918cedfaf35b7c3f2c040f07d0
SHA256: 915bc4bb230e1a33ddca17faa5d1a5d63b33a1382a425d4c7364301283f9b977
SHA512: bcace988eae77a67a162aea424920d6ca5ca3b83a4047e450380f67dd6966c47d6b98aeb5b9f05f972f7b4ec39e2ba1cb648997efd62fc82087a24563326b6d3

C:\Users\Admin\AppData\Local\Temp\wps\~e580e72\CONTROL\office6\qt\plugins\styles\qwindowsvistastyle.dll
Filesize: 145KB
MD5: ce3eb6e3e6d950fb03ed3753baafd6d1
SHA1: cadd8a045a037a9ce10372b0d1a6907f7c9b93d1
SHA256: d470ed8b89ef39e86587825e17a0525253a2245c9be125818229d1ece015165c
SHA512: 02b9fc512fb813e1aa9ee51032d0ba4182ab184883022b46f533df119649e8116869e6be6161681f38d79c1949636ba6309786425f2c1ede5b3f7a16e63a8d96

Filesize: 1.1MB
MD5: 2040cdcd779bbebad36d36035c675d99
SHA1: 918bc19f55e656f6d6b1e4713604483eb997ea15
SHA256: 2ad9a105a9caa24f41e7b1a6f303c07e6faeceaf3aaf43ebd644d9d5746a4359
SHA512: 83dc3c7e35f0f83e1224505d04cdbaee12b7ea37a2c3367cb4fccc4fff3e5923cf8a79dd513c33a667d8231b1cc6cfb1e33f957d92e195892060a22f53c7532f

Filesize: 75KB
MD5: 8fdb26199d64ae926509f5606460f573
SHA1: 7d7d8849e7c77af3042a6f54bdf2bb303d7cd678
SHA256: f1fd5f6ec1cfe0cc3b66b5322ac97568bc63b19c1e415b99aad7c69ddbafa33c
SHA512: f56bf11d4259dbf5d4d1f9fc2ad60ff609cddb21278999e9fa55fe5d74552e8a01ddc55cfdc9bf4b09b3e3130a1356142a24a7db8ec5ea19344de617dc9fa99f

Filesize: 95KB
MD5: bb7426885c5f57b6b9405fdc7a94cc65
SHA1: 0a58a34a41cbea358fd57d278e9b15e669cc28e6
SHA256: f32133a910d0ab4b64bb7bc33fd5894e1afeb048b83b09336d8b02cd4c7ae118
SHA512: 3e8d20fc055b9ebbb49439adc69878e2b1c9a11f45400e7155874c031f950e3dc6ece86998366345c85ee98ac091ac319eb2175fd0100e300b9e856d06ef891d

Filesize: 382B
MD5: 6a5eea749583001de63b993fc66496ba
SHA1: fd41691ec4751e85be89917d46454f8533800b4e
SHA256: bca613688e735ccd1fae7164550bd8ae90862028cd0bf31534c149ea0d7c9f60
SHA512: 6a5b9b863bf139c87b5734d6e8310c7231a1015d8eceb15f76ccf7676d36f9107fd5d817a6f04ed47c3ee45be409073c837beee3c079abde5bc38233c98b9712

Filesize: 428B
MD5: 5e1b68b67986b1588301c0135f19fc7c
SHA1: 957ea47285f7d903cce7530ee34852435de5b5b4
SHA256: 23456d8ce681d1a5a31bf06262e088f4feb8d0e8fdc1d37afa4aa02830ffacdc
SHA512: 268ec437c5971552dacca1e9ef6850543614d5a7f05ac34b41bf05f73e97e4c694d59e4f0618a57660ffad4f2faee653b4c0c824f97a6e9fddc48d22c52739af

Filesize: 7KB
MD5: f1e4e2094914a19b784b5baa67366235
SHA1: e46175ed0d33016699ee69e6507096d0d36e6061
SHA256: 642caa154910e6ad5da4e3c61490ad7a50e07c673581da1dfdd303dd9e538f70
SHA512: 9d6555a33acf019f00101818e9b2979fd0e80d72dca4fc34f08a50d3f32cc0e5d89be23306a237b09c33a8dfb644da9093c51871c3513597d857d760f0283c8f

Filesize: 8KB
MD5: 0265e33cc29419711345539f2ea7805f
SHA1: 9af3ea6885a77dc33b6733f469e526aafb210ce6
SHA256: 0fab45f06dc11b27de144521dda022ff883e6abbf1b2f931cc129ffdeca772e7
SHA512: 1fd31318c23f36f94b6a4bf3f9da5b4eb342f69410e56c316501078ae87724143a775d5bd018169ccb1f84f1725a60342a5950f908ed7f7147d542d9eda9d041

Filesize: 26KB
MD5: 9410ab68bdd28f3c96857f485da23d0f
SHA1: 3db236c86b1f0a4b9bf89e679bf357b31a8425d5
SHA256: f9e040e3bf92f2e3763733d5beb86af9cbc347a7bd396efcdbcda6aae72dcead
SHA512: 08c1a0ed862659cc334d4d30cec06c0e4c26a25bd8fe56ae0cf1b39a27660dd7a898e5420381fa46007b5c83416eae06a8a9ed99a030d7b6eb1a794d7a80514c

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\QtrVrzdIjlZB.exe.log
Filesize: 1KB
MD5: 122cf3c4f3452a55a92edee78316e071
SHA1: f2caa36d483076c92d17224cf92e260516b3cbbf
SHA256: 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
SHA512: c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

Filesize: 24.1MB
MD5: fec2bce9b8e48398208a647116bdf3d9
SHA1: 262d947b0351fd37e43c60ede0b571241ed2f723
SHA256: 1b95e088156fdd45897dbbd8c96c08cb90a94035de2feb2c22b6554c776dad0c
SHA512: e72a95da1fd2cfd83126c3a416efc2da666206952a8e2ccee57b3e8257c30dd494935862cf5a9027f68615e518b4c0e7913825fd4b821d3e3843b8eac37e6226

\??\Volume{1541411d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bbf1f15b-3906-43ca-9022-dc7933f48dc5}_OnDiskSnapshotProp
Filesize: 6KB
MD5: c4aafa5da82f9f36ac7f5cb7e2bd07c9
SHA1: f5a533d45bcffe40a7d44a557febb6d91cbde4ce
SHA256: fb06910c7714679b7f0df176de31b7fdf1241d64d7be8807a3a6073a97141cc7
SHA512: a041f128c89f483d91dab6460b0124b64257816dde1d3e0a403080da10d47e18806dbaeebfd8150e43f0b70d000c448d54833a1f9159914293583932853a53b2