Malware Analysis Report

2024-12-07 14:02

Sample ID 241118-fls5esymes
Target sougou_setup.msi.vir
SHA256 4315a6afe728ff28580a4c7ef798c47ccd7a438bbf58e97aaffce26b837c7384
Tags
discovery execution persistence privilege_escalation upx gh0strat purplefox rat rootkit trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4315a6afe728ff28580a4c7ef798c47ccd7a438bbf58e97aaffce26b837c7384

Threat Level: Known bad

The file sougou_setup.msi.vir was found to be: Known bad.

Malicious Activity Summary

discovery execution persistence privilege_escalation upx gh0strat purplefox rat rootkit trojan

Detect PurpleFox Rootkit

Purplefox family

Gh0st RAT payload

PurpleFox

Gh0strat

Gh0strat family

Command and Scripting Interpreter: PowerShell

Enumerates connected drives

Drops file in System32 directory

UPX packed file

Loads dropped DLL

Drops file in Program Files directory

Executes dropped EXE

Drops file in Windows directory

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Enumerates physical storage devices

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: CmdExeWriteProcessMemorySpam

Runs ping.exe

Modifies registry class

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-18 04:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-18 04:58

Reported

2024-11-18 05:01

Platform

win7-20241023-en

Max time kernel

144s

Max time network

136s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\sougou_setup.msi

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Note: msiexec.exe opening every drive letter A: through Z: read-only is Windows Installer's normal volume costing during an install and is expected for any MSI, malicious or not; on its own it is not an indicator.

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357 C:\Program Files\DriveHumbleTechnician\sougou.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DriveHumbleTechnician\fCwpAyMuVRIFHFczCVKWCOKCaXKCyQ C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\2_yrjwPObnoqyg.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File created C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files\DriveHumbleTechnician\valibclang2d.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\DriveHumbleTechnician\YJgbLqUbskWexDENSZyOncyGkufCAI C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\DriveHumbleTechnician\2_yrjwPObnoqyg.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.xml C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.xml C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File created C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File created C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File created C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.vbs C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File created C:\Program Files\DriveHumbleTechnician\sougou.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\fCwpAyMuVRIFHFczCVKWCOKCaXKCyQ C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f76f853.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76f854.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76f856.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76f853.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFA18.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76f854.ipi C:\Windows\system32\msiexec.exe N/A
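The three "Drops file in ..." tables above list each write as a flat "Description Indicator Process Target" row in which both the Indicator and the Process column contain spaces ("C:\Program Files\..."), so a naive split on whitespace fails. The following is an added example for this page, not sandbox output or tooling, that parses those rows and rebuilds the drop chain: which process wrote which file, which dropped files are executables written by something other than msiexec.exe (the second stage), and the lineage from a dropped script back to the installer. The embedded rows are a subset copied from the tables above; the file-extension list used to pick out second-stage payloads is the example's own choice.

```python
r"""Rebuild the file-drop chain from the flattened signature rows above.
Added example for this report page; it is not sandbox output or tooling."""
import re
from collections import defaultdict

# Rows copied verbatim from the 'Drops file in ...' tables above (a subset is
# enough to show the chain; the parser accepts the full tables).
ROWS = r"""
File created C:\Program Files\DriveHumbleTechnician\fCwpAyMuVRIFHFczCVKWCOKCaXKCyQ C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File created C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files\DriveHumbleTechnician\valibclang2d.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\DriveHumbleTechnician\2_yrjwPObnoqyg.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File created C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.xml C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File created C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File created C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.vbs C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File created C:\Program Files\DriveHumbleTechnician\sougou.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
File created C:\Windows\Installer\f76f856.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
"""

# The action is a fixed phrase, and the process is the second drive-letter
# path on the row and ends in .exe, so anchor on those column boundaries
# instead of splitting on spaces.
ROW_RE = re.compile(
    r"^(?P<action>File created|File opened for modification|File opened \(read-only\))\s+"
    r"(?P<path>\S.*?)\s+"
    r"(?P<process>[A-Za-z]:\\\S.*?\.exe)\s+"
    r"(?P<target>\S.*)$",
    re.IGNORECASE,
)

# Extensions treated as "payload-like" for the second-stage filter (example's own choice).
STAGE_EXT = (".exe", ".dll", ".vbs", ".js", ".ps1", ".bat", ".cmd", ".msi")


def basename(path):
    """Last path component, lower-cased so MsiExec.exe and msiexec.exe merge."""
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def parse_rows(text):
    """Parse every non-empty row into a dict with action/path/process/target."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = ROW_RE.match(line)
        if m is None:
            raise ValueError(f"unparsed row: {line!r}")
        events.append(m.groupdict())
    return events


def drop_chain(events):
    """Writer process (basename) -> set of full paths it created."""
    chain = defaultdict(set)
    for ev in events:
        if ev["action"].lower() == "file created":
            chain[basename(ev["process"])].add(ev["path"])
    return dict(chain)


def lineage(events, filename):
    """Follow 'written by' back from a dropped file to its writer, then to
    whatever wrote that writer's image, until a process with no recorded
    writer (here msiexec.exe) is reached."""
    writer = {}
    for ev in events:
        if ev["action"].lower() == "file created":
            writer[basename(ev["path"])] = basename(ev["process"])
    chain = [filename.lower()]
    while chain[-1] in writer and writer[chain[-1]] not in chain:
        chain.append(writer[chain[-1]])
    return chain


def staged_executables(events):
    """Payload-like files created by something other than msiexec.exe.  The
    installer writing into Program Files is what every MSI does; a dropped
    EXE that itself writes further EXEs or scripts is the stage worth pulling."""
    out = set()
    for ev in events:
        name = basename(ev["path"])
        if (ev["action"].lower() == "file created"
                and basename(ev["process"]) != "msiexec.exe"
                and name.endswith(STAGE_EXT)):
            out.add(name)
    return sorted(out)


EVENTS = parse_rows(ROWS)

if __name__ == "__main__":
    for proc, files in sorted(drop_chain(EVENTS).items()):
        print(proc)
        for f in sorted(files):
            print("   ", f)
    print("second stage:", staged_executables(EVENTS))
    print("lineage:", " <- ".join(lineage(EVENTS, "yrjwPObnoqyg.vbs")))
```

Run as a script it prints two branches, msiexec.exe -> eaHeznmosyoOWAGglCKDwYQViYXayS.exe -> {2_yrjwPObnoqyg.exe, PpMCUaskmPAB.exe, PpMCUaskmPAB.xml} and msiexec.exe -> yrjwPObnoqyg.exe -> yrjwPObnoqyg.vbs. Those non-msiexec writers and what they drop are the files to pull from the sandbox for static analysis; valibclang2d.dll, written directly by msiexec and flagged under "Loads dropped DLL" in the summary, belongs on the same list.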

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Modifies data under HKEY_USERS

Note: HKU\.DEFAULT is the registry view the LocalSystem account sees as HKCU, and C:\Windows\SysWOW64\config\systemprofile (where the CryptnetUrlCache writes in the System32 table above land) is that account's profile as seen by a 32-bit process. sougou.exe was therefore running as SYSTEM, consistent with being launched from the Windows Installer service, and the ProxyEnable, Wpad and DefaultConnectionSettings values it wrote are WinINet proxy auto-detection state, i.e. it was preparing or making outbound HTTP requests from that context.

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C04103A3-8000-47DA-B923-A65D328C266E} C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000701b63ac7639db01 C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0123000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000d07c65ac7639db01 C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-dc-9b-fc-96-c8\WpadDecisionReason = "1" C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C04103A3-8000-47DA-B923-A65D328C266E}\ea-dc-9b-fc-96-c8 C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = c0d0b9a57639db01 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-dc-9b-fc-96-c8 C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\ea-dc-9b-fc-96-c8\WpadDecisionTime = a0f047ae7639db01 C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{C04103A3-8000-47DA-B923-A65D328C266E}\WpadDecisionReason = "1" C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Program Files\DriveHumbleTechnician\sougou.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\PackageCode = "F8186EA320B6B324B8DC596BDF338BDD" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\85CFF785A28B007498F9AABC4CA11EB4 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\85CFF785A28B007498F9AABC4CA11EB4\C259A3F8E2816124C91D684BAC99461D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C259A3F8E2816124C91D684BAC99461D C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\ProductName = "DriveHumbleTechnician" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\Version = "117571589" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\PackageName = "sougou_setup.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C259A3F8E2816124C91D684BAC99461D\ProductFeature C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
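The key names under HKLM\SOFTWARE\Classes\Installer\Products are Windows Installer's "squished" GUID form, not the ProductCode as it appears in the Uninstall key or on an msiexec /x command line, and Version is a packed DWORD. The following is an added example for this page, not from the report, that converts C259A3F8E2816124C91D684BAC99461D and the UpgradeCodes and PackageCode values above into GUID form, decodes Version = 117571589, and lists the registry locations a responder would check for the product. The locations assume a per-machine install, which matches the key living under HKLM with Assignment = 1; the selection of locations is the example's own.

```python
r"""Decode the Windows Installer identifiers msiexec.exe wrote under
HKLM\SOFTWARE\Classes\Installer\Products in the table above.
Added example for this page; not part of the sandbox report."""
import re

HEX32 = re.compile(r"^[0-9A-F]{32}$")


def _transform(hex32):
    """Windows Installer's 'squished' GUID encoding: reverse the first three
    fields (8, 4, 4 hex digits) character by character, then swap the two hex
    digits of each of the remaining eight bytes.  Applying it twice returns
    the input, so the same routine squishes and unsquishes."""
    s = hex32.upper()
    if not HEX32.match(s):
        raise ValueError(f"expected 32 hex digits, got {hex32!r}")
    head = s[0:8][::-1] + s[8:12][::-1] + s[12:16][::-1]
    tail = "".join(s[i + 1] + s[i] for i in range(16, 32, 2))
    return head + tail


def unsquish_guid(squished):
    r"""Key name under ...\Installer\Products -> ProductCode GUID with braces."""
    h = _transform(squished)
    return "{%s-%s-%s-%s-%s}" % (h[0:8], h[8:12], h[12:16], h[16:20], h[20:32])


def squish_guid(guid):
    r"""ProductCode GUID -> the key name to look for under Installer\Products."""
    return _transform(guid.strip("{}").replace("-", ""))


def decode_msi_version(value):
    r"""Products\<code>\Version is a DWORD: major in the top byte, minor in the
    next byte, build in the low 16 bits."""
    v = int(value)
    return f"{(v >> 24) & 0xFF}.{(v >> 16) & 0xFF}.{v & 0xFFFF}"


def hunt_locations(squished):
    """Where a per-machine MSI product leaves its registration.  On 64-bit
    Windows a 32-bit package's Uninstall key sits under WOW6432Node instead;
    check both.  The selection of locations is this example's own."""
    guid = unsquish_guid(squished)
    sq = squished.upper()
    return {
        "product_code": guid,
        "uninstall_key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s" % guid,
        "installer_products": r"HKLM\SOFTWARE\Classes\Installer\Products\%s" % sq,
        "install_properties": (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer"
                               r"\UserData\S-1-5-18\Products\%s\InstallProperties" % sq),
        "remove": "msiexec /x %s /qn" % guid,
    }


if __name__ == "__main__":
    # Values taken from the 'Modifies registry class' table above.
    for label, code in (("ProductCode", "C259A3F8E2816124C91D684BAC99461D"),
                        ("UpgradeCode", "85CFF785A28B007498F9AABC4CA11EB4"),
                        ("PackageCode", "F8186EA320B6B324B8DC596BDF338BDD")):
        print(f"{label}: {code} -> {unsquish_guid(code)}")
    print("Version 117571589 ->", decode_msi_version("117571589"))
    for k, v in hunt_locations("C259A3F8E2816124C91D684BAC99461D").items():
        print(f"{k}: {v}")
```

The decoded ProductCode is what the "DriveHumbleTechnician" entry will carry in the Uninstall key and what msiexec /x needs; the cached package in C:\Windows\Installer (f76f856.msi above) can be diffed against the submitted sample. Uninstalling by ProductCode only reverses what the installer registered; it does not remove anything the dropped executables set up afterwards, so the second-stage files and their persistence still need to be handled separately.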

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\sougou.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
Token: 35 N/A C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
Token: 35 N/A C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2296 wrote to memory of 548 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2296 wrote to memory of 548 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2296 wrote to memory of 548 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2296 wrote to memory of 548 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2296 wrote to memory of 548 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 548 wrote to memory of 784 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 548 wrote to memory of 784 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 548 wrote to memory of 784 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 548 wrote to memory of 2840 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 548 wrote to memory of 2840 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 548 wrote to memory of 2840 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 2840 wrote to memory of 1808 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe
PID 2840 wrote to memory of 1808 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe
PID 2840 wrote to memory of 1808 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe
PID 2840 wrote to memory of 1808 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe
PID 2840 wrote to memory of 2064 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2840 wrote to memory of 2064 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2840 wrote to memory of 2064 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 2840 wrote to memory of 1248 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe
PID 2840 wrote to memory of 1248 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe
PID 2840 wrote to memory of 1248 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe
PID 2840 wrote to memory of 1248 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe
PID 548 wrote to memory of 2344 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 548 wrote to memory of 2344 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 548 wrote to memory of 2344 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 548 wrote to memory of 2344 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 548 wrote to memory of 2304 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DriveHumbleTechnician\sougou.exe
PID 548 wrote to memory of 2304 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DriveHumbleTechnician\sougou.exe
PID 548 wrote to memory of 2304 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DriveHumbleTechnician\sougou.exe
PID 548 wrote to memory of 2304 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DriveHumbleTechnician\sougou.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\sougou_setup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005DC" "000000000000056C"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding B6ADDCA3DC46E9811B74AD24C15685C9 M Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DriveHumbleTechnician'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe" x "C:\Program Files\DriveHumbleTechnician\YJgbLqUbskWexDENSZyOncyGkufCAI" -o"C:\Program Files\DriveHumbleTechnician\" -p"37709OJvgn~xO.H..>S=" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe" x "C:\Program Files\DriveHumbleTechnician\fCwpAyMuVRIFHFczCVKWCOKCaXKCyQ" -x!1_yrjwPObnoqyg.exe -o"C:\Program Files\DriveHumbleTechnician\" -p"182119:SRG:B.Wa.ph~}" -y

C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe

"C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe" x "C:\Program Files\DriveHumbleTechnician\YJgbLqUbskWexDENSZyOncyGkufCAI" -o"C:\Program Files\DriveHumbleTechnician\" -p"37709OJvgn~xO.H..>S=" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe

"C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe" x "C:\Program Files\DriveHumbleTechnician\fCwpAyMuVRIFHFczCVKWCOKCaXKCyQ" -x!1_yrjwPObnoqyg.exe -o"C:\Program Files\DriveHumbleTechnician\" -p"182119:SRG:B.Wa.ph~}" -y

C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe

"C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe" -number 288 -file file3 -mode mode3

C:\Program Files\DriveHumbleTechnician\sougou.exe

"C:\Program Files\DriveHumbleTechnician\sougou.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 im.qq.com udp
US 8.8.8.8:53 pinyin.sogou.com udp
HK 129.226.102.244:80 pinyin.sogou.com tcp
US 8.8.8.8:53 get.sogou.com udp
HK 129.226.102.244:443 get.sogou.com tcp
US 8.8.8.8:53 www.microsoft.com udp
N/A 127.0.0.1:49282 tcp

Files

memory/548-12-0x0000000000180000-0x0000000000190000-memory.dmp

memory/784-18-0x0000000001F60000-0x0000000001F68000-memory.dmp

memory/784-17-0x000000001B750000-0x000000001BA32000-memory.dmp

C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe

C:\Program Files\DriveHumbleTechnician\YJgbLqUbskWexDENSZyOncyGkufCAI

C:\Program Files\DriveHumbleTechnician\fCwpAyMuVRIFHFczCVKWCOKCaXKCyQ

C:\Program Files\DriveHumbleTechnician\2_yrjwPObnoqyg.exe

memory/2304-44-0x0000000000400000-0x00000000006DD000-memory.dmp

C:\Config.Msi\f76f855.rbs

memory/2344-58-0x0000000001E70000-0x0000000001E9F000-memory.dmp

\Users\Admin\AppData\Local\Temp\nst1D33.tmp\SetupLib.dll

memory/2304-71-0x000000006F310000-0x000000006F320000-memory.dmp

\Users\Admin\AppData\Local\Temp\nst1D33.tmp\SetupLibNew.dll

memory/2304-77-0x00000000034C0000-0x00000000038B6000-memory.dmp

\Users\Admin\AppData\Local\Temp\nst1D33.tmp\ImageMagik.dll

memory/2304-84-0x000000006F300000-0x000000006F310000-memory.dmp

\Users\Admin\AppData\Local\Temp\nst1D33.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nst1D33.tmp\HWSignature.dll

memory/2304-91-0x0000000003350000-0x0000000003375000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nst1D33.tmp\validate.ini

C:\Users\Admin\AppData\Local\Temp\nst1D33.tmp\ioSpecial.ini

\Users\Admin\AppData\Local\Temp\nst1D33.tmp\InstallOptions.dll

C:\Windows\SysWOW64\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

C:\Users\Admin\AppData\Local\Temp\Tar3D76.tmp

memory/2304-223-0x0000000000400000-0x00000000006DD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-18 04:58

Reported

2024-11-18 05:01

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

162s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\sougou_setup.msi

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\S: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\M: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\V: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\Y: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\R: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\N: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\T: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\U: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\J: C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PpMCUaskmPAB.exe.log C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DriveHumbleTechnician\sougou.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\DriveHumbleTechnician\YJgbLqUbskWexDENSZyOncyGkufCAI C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.xml C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File created C:\Program Files\DriveHumbleTechnician\2_yrjwPObnoqyg.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.wrapper.log C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe N/A
File created C:\Program Files\DriveHumbleTechnician\fCwpAyMuVRIFHFczCVKWCOKCaXKCyQ C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\fCwpAyMuVRIFHFczCVKWCOKCaXKCyQ C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\2_yrjwPObnoqyg.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File created C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File created C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe C:\Windows\System32\MsiExec.exe N/A
File created C:\Program Files\DriveHumbleTechnician\valibclang2d.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.wrapper.log C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe N/A
File created C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.xml C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File created C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
File created C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.vbs C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
File opened for modification C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.wrapper.log C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e583803.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e583803.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{8F3A952C-182E-4216-9CD1-86B4CA9964D1} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3D91.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e583805.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DriveHumbleTechnician\sougou.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host C:\Windows\System32\WScript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\System32\WScript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\System32\WScript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Program Files\DriveHumbleTechnician\sougou.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\85CFF785A28B007498F9AABC4CA11EB4\C259A3F8E2816124C91D684BAC99461D C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\Version = "117571589" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\PackageName = "sougou_setup.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\ProductName = "DriveHumbleTechnician" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\PackageCode = "F8186EA320B6B324B8DC596BDF338BDD" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\85CFF785A28B007498F9AABC4CA11EB4 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C259A3F8E2816124C91D684BAC99461D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\C259A3F8E2816124C91D684BAC99461D\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\C259A3F8E2816124C91D684BAC99461D\Language = "1033" C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A
N/A N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
Token: 35 N/A C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
Token: 35 N/A C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 448 wrote to memory of 1476 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 448 wrote to memory of 1476 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 448 wrote to memory of 1396 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 448 wrote to memory of 1396 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 1396 wrote to memory of 4388 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1396 wrote to memory of 4388 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1396 wrote to memory of 1132 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1396 wrote to memory of 1132 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1132 wrote to memory of 1068 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe
PID 1132 wrote to memory of 1068 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe
PID 1132 wrote to memory of 1068 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe
PID 1132 wrote to memory of 3748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1132 wrote to memory of 3748 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1132 wrote to memory of 4108 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe
PID 1132 wrote to memory of 4108 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe
PID 1132 wrote to memory of 4108 N/A C:\Windows\System32\cmd.exe C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe
PID 1396 wrote to memory of 3764 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 1396 wrote to memory of 3764 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 1396 wrote to memory of 3764 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 1396 wrote to memory of 5024 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\DriveHumbleTechnician\sougou.exe
PID 1396 wrote to memory of 5024 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\DriveHumbleTechnician\sougou.exe
PID 1396 wrote to memory of 5024 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\DriveHumbleTechnician\sougou.exe
PID 1672 wrote to memory of 3244 N/A C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 1672 wrote to memory of 3244 N/A C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 1672 wrote to memory of 3244 N/A C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 3244 wrote to memory of 4852 N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 3244 wrote to memory of 4852 N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe
PID 3244 wrote to memory of 4852 N/A C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\sougou_setup.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 2EEDA5845DA4D05B3205F13B6C07DA59 E Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DriveHumbleTechnician'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe" x "C:\Program Files\DriveHumbleTechnician\YJgbLqUbskWexDENSZyOncyGkufCAI" -o"C:\Program Files\DriveHumbleTechnician\" -p"37709OJvgn~xO.H..>S=" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe" x "C:\Program Files\DriveHumbleTechnician\fCwpAyMuVRIFHFczCVKWCOKCaXKCyQ" -x!1_yrjwPObnoqyg.exe -o"C:\Program Files\DriveHumbleTechnician\" -p"182119:SRG:B.Wa.ph~}" -y

C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe

"C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe" x "C:\Program Files\DriveHumbleTechnician\YJgbLqUbskWexDENSZyOncyGkufCAI" -o"C:\Program Files\DriveHumbleTechnician\" -p"37709OJvgn~xO.H..>S=" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe

"C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe" x "C:\Program Files\DriveHumbleTechnician\fCwpAyMuVRIFHFczCVKWCOKCaXKCyQ" -x!1_yrjwPObnoqyg.exe -o"C:\Program Files\DriveHumbleTechnician\" -p"182119:SRG:B.Wa.ph~}" -y

C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe

"C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe" -number 288 -file file3 -mode mode3

C:\Program Files\DriveHumbleTechnician\sougou.exe

"C:\Program Files\DriveHumbleTechnician\sougou.exe"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.vbs"

C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe

"C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe" install

C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe

"C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe" start

C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe

"C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe"

C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe

"C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe" -number 272 -file file3 -mode mode3

C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe

"C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.exe" -number 62 -file file3 -mode mode3

Network


Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_djwixb2m.h3c.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4388-22-0x000002D961EE0000-0x000002D961F02000-memory.dmp

C:\Program Files\DriveHumbleTechnician\eaHeznmosyoOWAGglCKDwYQViYXayS.exe

MD5 c31c4b04558396c6fabab64dcf366534
SHA1 fa836d92edc577d6a17ded47641ba1938589b09a
SHA256 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

C:\Program Files\DriveHumbleTechnician\YJgbLqUbskWexDENSZyOncyGkufCAI

MD5 96b8cac1192eacf6ca4f258a8668c410
SHA1 a92f95201110d3aabad4aeb29ae3c12abbdb5066
SHA256 f3d900a4ec1b331e7f29d56d6fb1617d5a8ad606cc9b0264d63961dbea99fb44
SHA512 147fd5be2a731fb5f2edb9b0d00300daf12d476db068918c98c7c71ed022b0a22d9fee6a70183e6afc541e3cad9a86da9f54811a328713eb0698eebdbfee0f19

C:\Program Files\DriveHumbleTechnician\fCwpAyMuVRIFHFczCVKWCOKCaXKCyQ

MD5 362ccedbb2427712ed515c837ad28813
SHA1 95340d7edd1c26fd7ea3f3ff5a41921c29be7190
SHA256 f881d7523aaec5dd3d96e2e9c6439ff703d57722d4061073b7321eda37c02329
SHA512 2d037cafb48c69bcc91c712a82110a4b2820f1ae1cba76011673f8159e283b98a2f7c59278c26cc8349b4b1c1a28e6711702f159ac316e138b1816908f92d75c

C:\Program Files\DriveHumbleTechnician\2_yrjwPObnoqyg.exe

MD5 d9a41a6ce1809032f7e409a79766fbe6
SHA1 c011b1122fb750ce3b393fc35df623d7fb21ebaa
SHA256 0099f9e565c7bb368d24fa3e497fb6cad33463ef13a02017f8d072bfb7185520
SHA512 23d324a40aca1ecc022a42646826632d43c67496722004fe155df7d76e1175a02a3a69595606d452834ad61cbc119fa4fe8c98b7a39845b4fefaece34d4a92e1

memory/3764-52-0x000000002A1C0000-0x000000002A1EF000-memory.dmp

memory/5024-54-0x0000000000400000-0x00000000006DD000-memory.dmp

\??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0965a205-d6a6-4453-9f4b-71ac7f4093fe}_OnDiskSnapshotProp

MD5 dda9ff163dc013df86a66c454c806d9c
SHA1 a67c5708a56b64887b6902f941645ea19c84844c
SHA256 1fdf4b19511c9ac354c7cf2acc1092470bb946fbfe48a0765809f4f02d910280
SHA512 551acdf4793af72439be4300a2849f6555886d586251cdfb8727aeb4f6a5aae6dcce799f219b4dc59f4f8d3a8345626cba77d892e537308aeb9b019ed8fcb5d3

C:\Config.Msi\e583804.rbs

MD5 ef29d8050b2eee12370d7822bbd56872
SHA1 cf5a23ef9ddd9b4ba319c8ed97a08e1875fc9733
SHA256 466814321de594181ff1a9fa34168f4324220ad0d47d84b007b6c80f7abaeb50
SHA512 9f96bb64734557874daf5e546b43cb9a902c203f3fa8e126a4a4c3dc80e3bfbfd7100610f7613a44d0d6234288bc073824a249290a47eb113c1e2b9a957a0d37

C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.exe

MD5 d305d506c0095df8af223ac7d91ca327
SHA1 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA512 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

C:\Program Files\DriveHumbleTechnician\yrjwPObnoqyg.vbs

MD5 520a9fbf61757e655381fe3638d5123e
SHA1 31e1912d044d5f1ba205823809d175a6ad1b52e6
SHA256 ee4b4f26b8d36ba2ec844f526c18715841236aaa7fed06b9018ba9aa34a5a413
SHA512 3888d4407f796984a95dae37aca58c4c855540244d33a69563bd55d36ab43d59440f94c7097e0661d016eb0c9f96d1ca0e7cc43a04e4cb6026135812170caca8

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 8e2207bd7b94923f52dbc9bf7f9f9c1e
SHA1 c2f363b0461afd606be30f681517edcdfbe1724e
SHA256 9fef84d1ab94df1b15e01b6faa9d0a73d0ca3ae1e255c2bf38d96ba515804ce5
SHA512 3ea2d06cc36500015629c91f265c8a3c6925f72c9d05e546e78888d6c759a191395a15d1d9acc5892142c996d6896c0a2e4cd24eb105d5acfa19d6ae09cdd355

memory/2564-74-0x0000000000990000-0x0000000000A66000-memory.dmp

C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.xml

MD5 e52022c707c44b73469961b596661b68
SHA1 127ce698f030787073acb314d1f58d0ba7c28e0c
SHA256 6430071f672054385dbcd25baee94eeafb5b82c51c279cb8f816e9082c0088ff
SHA512 4cc2c33eed3d7011561c155d3f9e90516be900d26a20fa68674b7c9a8298c6acad707575faf79e2d98b808481ac550bc5a90fe008f9b88f12d53c1ec196a48e5

C:\Users\Admin\AppData\Local\Temp\nsy6704.tmp\SetupLib.dll

MD5 b713d9c939fe455aea4be2eb94215730
SHA1 c51af6b0be8452f77056d7a4a8554c8cb21c6ddb
SHA256 7dd85f1d4725ff05c35b6c0632992523a3f1cadb6294f516ef2528738b3a53af
SHA512 1185b1002c85aa832f380e81a45d50b0a6b44d9b87eefc1a0325c0dfbf921d2b9f531c81d564723874f555a10e2516fa1e6bd91a7e473893083998a57b8e2fed

memory/5024-88-0x000000006E920000-0x000000006E930000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsy6704.tmp\SetupLibNew.dll

MD5 72fb079823f0e6c80caff804cf626ca9
SHA1 464ae7293affcadd0aafec8a52635bcc92047e55
SHA256 23a25b73fd5d66aef3abc0c90b1eeff2fd3921a7d49aa69891e926139969b31e
SHA512 431d0e3469785981760185b38813148154fecb82abe37431c0591873e462ad597ad1449c29f3619b10f4435c08bbe231877f8debf9c48a26f258c5fef16b52c4

memory/5024-104-0x000000006E910000-0x000000006E920000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsy6704.tmp\System.dll

MD5 c51fc979c1c3e17bece7bd194aeb6ea2
SHA1 9a5d000d6393f2980062b4cc6e8f543493b1be8f
SHA256 93a8e95708882e56250ae55aef93417333b2dbe7ea99590abed34cdca2227e61
SHA512 716cdeb890307ff42901464dd24aa94e29415ef20d4e975c2733e34330fdf85edfd4ad9e00878edbe98921deebe44153279cb95acb309c5e1812026716dcdc4e

C:\Users\Admin\AppData\Local\Temp\nsy6704.tmp\HWSignature.dll

memory/5024-115-0x0000000003F10000-0x0000000003F35000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsy6704.tmp\ImageMagik.dll

memory/5024-95-0x00000000037D0000-0x0000000003BC6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsy6704.tmp\validate.ini

C:\Users\Admin\AppData\Local\Temp\nsy6704.tmp\ioSpecial.ini

C:\Users\Admin\AppData\Local\Temp\nsy6704.tmp\InstallOptions.dll

C:\Users\Admin\AppData\Local\Temp\nsy6704.tmp\ioSpecial.ini

memory/5024-219-0x0000000000400000-0x00000000006DD000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PpMCUaskmPAB.exe.log

C:\Program Files\DriveHumbleTechnician\PpMCUaskmPAB.wrapper.log

memory/4852-239-0x000000002A0C0000-0x000000002A10D000-memory.dmp

memory/4852-240-0x000000002BCE0000-0x000000002BE9D000-memory.dmp

memory/4852-242-0x000000002BCE0000-0x000000002BE9D000-memory.dmp

memory/4852-243-0x000000002BCE0000-0x000000002BE9D000-memory.dmp

memory/4852-244-0x000000002BCE0000-0x000000002BE9D000-memory.dmp