Malware Analysis Report

2024-12-07 13:55

Sample ID 241118-gr25yszmgw
Target kugou_yinyue-X64.msi.vir
SHA256 4defef20d0c620fcc1743147f44a244fa7c61b484a5ca5cfb8f60e99e970a7a2
Tags
gh0strat purplefox discovery execution persistence privilege_escalation rat rootkit trojan
score
10/10

Analysis Overview

score
10/10

SHA256

4defef20d0c620fcc1743147f44a244fa7c61b484a5ca5cfb8f60e99e970a7a2

Threat Level: Known bad

The file kugou_yinyue-X64.msi.vir was found to be: Known bad.

Malicious Activity Summary

gh0strat purplefox discovery execution persistence privilege_escalation rat rootkit trojan

Purplefox family

Detect PurpleFox Rootkit

Gh0st RAT payload

PurpleFox

Gh0strat family

Gh0strat

Command and Scripting Interpreter: PowerShell

Enumerates connected drives

Drops file in System32 directory

Loads dropped DLL

Executes dropped EXE

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry class

Modifies data under HKEY_USERS

Uses Volume Shadow Copy service COM API

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-18 06:03

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-18 06:03

Reported

2024-11-18 06:06

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

160s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\kugou_yinyue-X64.msi

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened (read-only) \??\N: C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened (read-only) \??\T: C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened (read-only) \??\R: C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened (read-only) \??\L: C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened (read-only) \??\W: C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened (read-only) \??\U: C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\yINMOeuVvrtK.exe.log C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
File created C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.vbs C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened for modification C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
File opened for modification C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.wrapper.log C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe N/A
File opened for modification C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.wrapper.log C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe N/A
File created C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.xml C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
File opened for modification C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.xml C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
File created C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
File created C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
File opened for modification C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.wrapper.log C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe N/A
File created C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
File created C:\Program Files\DeployDeterminedRetailer\valibclang2d.dll C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
File opened for modification C:\Program Files\DeployDeterminedRetailer C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File created C:\Program Files\DeployDeterminedRetailer\kugou11131.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\DeployDeterminedRetailer\QnEAZeOBmPdAEfzPaPmE C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e583f46.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{800F15D9-CFD7-460A-83A0-E92BF852D3C2} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI439C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e583f48.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e583f46.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DeployDeterminedRetailer\kugou11131.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value not preserved in this copy of the report) C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\System32\WScript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" C:\Windows\System32\MsiExec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\SourceList\PackageName = "kugou_yinyue-X64.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9B111F7821E44204F86D3FB2C9D25454\9D51F0087DFCA064380A9EB28F253D2C C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9D51F0087DFCA064380A9EB28F253D2C C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\PackageCode = "2B31C87B8EF03FF46879ADE5DD5B9979" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\ProductName = "DeployDeterminedRetailer" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\Version = "151388165" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9D51F0087DFCA064380A9EB28F253D2C\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9B111F7821E44204F86D3FB2C9D25454 C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
Token: 35 N/A C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\DeployDeterminedRetailer\kugou11131.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3972 wrote to memory of 648 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3972 wrote to memory of 648 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3972 wrote to memory of 2092 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 3972 wrote to memory of 2092 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 2092 wrote to memory of 5044 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2092 wrote to memory of 5044 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2092 wrote to memory of 1264 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 2092 wrote to memory of 1264 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1264 wrote to memory of 4748 N/A C:\Windows\System32\cmd.exe C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe
PID 1264 wrote to memory of 4748 N/A C:\Windows\System32\cmd.exe C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe
PID 1264 wrote to memory of 4748 N/A C:\Windows\System32\cmd.exe C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe
PID 2092 wrote to memory of 5060 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe
PID 2092 wrote to memory of 5060 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe
PID 2092 wrote to memory of 5060 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe
PID 2092 wrote to memory of 2068 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\DeployDeterminedRetailer\kugou11131.exe
PID 2092 wrote to memory of 2068 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\DeployDeterminedRetailer\kugou11131.exe
PID 2092 wrote to memory of 2068 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\DeployDeterminedRetailer\kugou11131.exe
PID 716 wrote to memory of 548 N/A C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe
PID 716 wrote to memory of 548 N/A C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe
PID 716 wrote to memory of 548 N/A C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe
PID 548 wrote to memory of 2224 N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe
PID 548 wrote to memory of 2224 N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe
PID 548 wrote to memory of 2224 N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\kugou_yinyue-X64.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 96A3A90B08492D6C8F735AAA493B819D E Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DeployDeterminedRetailer'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start "" "C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe" x "C:\Program Files\DeployDeterminedRetailer\QnEAZeOBmPdAEfzPaPmE" -o"C:\Program Files\DeployDeterminedRetailer\" -pkYpyaRvRcFdTfVUfUNOC -y

C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe

"C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe" x "C:\Program Files\DeployDeterminedRetailer\QnEAZeOBmPdAEfzPaPmE" -o"C:\Program Files\DeployDeterminedRetailer\" -pkYpyaRvRcFdTfVUfUNOC -y

C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe

"C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe" -number 289 -file file3 -mode mode3

C:\Program Files\DeployDeterminedRetailer\kugou11131.exe

"C:\Program Files\DeployDeterminedRetailer\kugou11131.exe"

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.vbs"

C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe

"C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe" install

C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe

"C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe" start

C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe

"C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe"

C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe

"C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe" -number 149 -file file3 -mode mode3

C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe

"C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe" -number 62 -file file3 -mode mode3

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 im.qq.com udp
US 8.8.8.8:53 fgfdg5631gfd.icu udp
HK 38.47.221.103:80 fgfdg5631gfd.icu tcp
US 8.8.8.8:53 103.221.47.38.in-addr.arpa udp
HK 47.242.9.172:10200 tcp
US 8.8.8.8:53 172.9.242.47.in-addr.arpa udp
US 8.8.8.8:53 qweay.shop udp
US 8.8.8.8:53 qweaq.shop udp
US 148.178.21.107:29130 qweaq.shop tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 qweay.shop udp
US 148.178.21.107:29130 qweaq.shop tcp
US 8.8.8.8:53 qweay.shop udp
US 148.178.21.107:29130 qweaq.shop tcp
US 8.8.8.8:53 qweay.shop udp
US 148.178.21.107:29130 qweaq.shop tcp

Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cdmjz0ck.g3t.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5044-22-0x0000018A73F60000-0x0000018A73F82000-memory.dmp

C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe

MD5 c31c4b04558396c6fabab64dcf366534
SHA1 fa836d92edc577d6a17ded47641ba1938589b09a
SHA256 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

C:\Program Files\DeployDeterminedRetailer\QnEAZeOBmPdAEfzPaPmE

MD5 f97e41d5d36b59621dba93d7727cb67b
SHA1 b2e9e34874a9cb8c61fc276b9d77a0e1cb0532f0
SHA256 a85e5b6d77e5ddc9f00155f1cda319508c92c8e21c16bd99cfc87b15ae774174
SHA512 c8de402c10fb3505a7ef7b7ec8039f03b5810e6c38d7b2969865148f0a1ed21e798f386aae9ca2cb1655184accac39169d59cc7e6662ffa213c7a0edc4cd8c67

\??\Volume{fb297ba4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2c4c9041-537f-4726-869e-844a5ce4ca0d}_OnDiskSnapshotProp

MD5 df130406c4e7a9cb447fcffdb7a61ba6
SHA1 78385bbb7e133ad93c56318d9b84725368dee508
SHA256 f2630656385eab737dd67b1720d5a39d7a9a8762ece641f658fc57c8b59e1eba
SHA512 fc8ee2249854987d9f9a0b664f5561ff4b67839ee9801d773c50a8df46f40ef196fadd9cc4c04f9855b2530a33598434c839fdec1e8e7bd0eb173c811ee4b356

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 35a5bad57a1549b28a84abb72ee59055
SHA1 0a2b9a50ad4b24b2dd3f21cd8fa6bc51b0a7a6c3
SHA256 b2e3a2b053c235a8b0682d812a5241166ef908ec9ada34e0fb0e12a2e5c2cb27
SHA512 224b0ba559bba236bf91d9e1b1d4acfd4da66600d412d900201e8e43769172f7104f6aaaec81cb00c44c732a64d4eaa6a1d5fdff02a72e85e739242fcec496a5

C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe

MD5 13c482a12d740c8fc27b23038fa097d4
SHA1 4c0d85646dfa60d3dbe9bab472fe1ef3ae8da957
SHA256 f12ea05152c21c0de7b9f81b9e9004a40ee7f3c4cf7b63b7918d53c74a1219a6
SHA512 73a1df4797a092de6b5fbede88a96d593ba34198f32f44eb390e223ebd0df988e114a7caa19de723b15698fcf884943f004a2d35d4bbd3c2ae18155594e74bbf

memory/5060-41-0x000000002A040000-0x000000002A06F000-memory.dmp

C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe

MD5 d305d506c0095df8af223ac7d91ca327
SHA1 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA512 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

C:\Config.Msi\e583f47.rbs

MD5 79403a2b4509a4c89e1ced15466a36f8
SHA1 0efba7758ee523f0837fa27167118ea60cda4e6f
SHA256 c3f05e1fd8e277a91b509dccee81a085e0de0f79bbed2083b7067eef8a15b3f4
SHA512 c5b08ddeb1f66547af5e041d95a393f9d04b9719e5e6aa8e3607b07029c5bdb7019f268a9c8ed8d34822700018d2c4184272b1be0155439fa7b57c87a676344e

C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.vbs

MD5 356d0af8d51ae7f16002536c0434f660
SHA1 fe1e6c649951f3fe679777665eb30337913bdc4d
SHA256 d8ffa54ce41ca565e0a70aeeafe73655c8121c8e3d103db58e295cb340530b8c
SHA512 268ac9057da999a76f8bea43f2c6d6ad824cf9a9d87d7de2ed4bbf5826d211cd84f37005633dff601bf0d56b1afdd88731d98a121cd372016f799b92bda7666c

C:\Users\Admin\AppData\Local\Temp\nst73E4.tmp\isx.dll

MD5 c65109a207007208ef83b48de15d1145
SHA1 d76057c4e67f850c2100c31c1222618efeed146b
SHA256 4aaffbd45bc8d3498c76f78dba9b95f920367af37020e382099961437e89d071
SHA512 b2c34bfb1ff5b3272780e9d2f89ff09e2146daa783f3a860aa30cac06b28c6063f2349cc30dd20e154565ad1e6310cd45d33e683f336c8f4905ebd15e5543370

memory/912-66-0x00000000007C0000-0x0000000000896000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nst73E4.tmp\System.dll

MD5 88513dbed3a5bba74d020b0d56ae587a
SHA1 f0f4f6f7e5e423ad1918ea553aa9e5c2ca75370a
SHA256 cbce0c9051e6f4724070186feb71255e01f606f6f0d2ca1d2fcbc8c942d8e11f
SHA512 6a61e4700c286202741cb344b4f6851573084b2dd78639f642252a9d5bcc35734fc7daa9d4e5d083577a0d4887d5a4a20ac04100b178205269fe13eb9d7393a7

C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.xml

MD5 80f071c1613d7880de16db74f25032b3
SHA1 c47536a65da37af688ed63f2f39c5b21fc09a4a6
SHA256 62e2cd96cf9208a576ab674db3503d8d3b83f0d26382c14dabb9071be878e894
SHA512 1e30378ff3baf8f74661b12f7ce193645528daa5815b59d48e36994c8b9c630c6e43ca06fc47a21318b76ff9b04d5224f48f2986dd6eb4b9d37268f74f5f7702

C:\Users\Admin\AppData\Local\Temp\nst73E4.tmp\kgskin.dll

MD5 5a671b81a0d59cd5192b1861b65f2543
SHA1 f679af0550a31a5cfbaa1b055cfaf2396027e391
SHA256 5c7b02317096c5fe6fcfe173711e06aeb288c916e97a2abfe5939907744e0d97
SHA512 6d76a6ac670e147335760a03288c6fc7e99c18611edfa859f4e76027bd937ac0a650479bdd2d09f9b94bb56bc81e3d292a42769c763971ff9a24d9566d22b442

C:\Users\Admin\AppData\Local\Temp\nst73E4.tmp\svg.dll

MD5 f7b407c2c1600587cb6e5679a93250fb
SHA1 00b0cbedff910b4016cb957d6043eadb99575dd0
SHA256 3ca02f89d98b7781c242b60029ddeb4f6b8610b624c0b70c6347a50b49f59024
SHA512 428ae534ea6af1986f596b4a38b45926d2fe19cab09544fcc601a0a615e1ac45129e4eb88ac58489694b6b0c1a22514003eac5fdd0a7497cc719c1e047ad6624

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\yINMOeuVvrtK.exe.log

MD5 122cf3c4f3452a55a92edee78316e071
SHA1 f2caa36d483076c92d17224cf92e260516b3cbbf
SHA256 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
SHA512 c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.wrapper.log

MD5 973fc3a9f5457f02a4039d048370d755
SHA1 7bd7319d3b461f59dbbe05f317e46e83628ff300
SHA256 c8b7443589164be258a5d1e1697d0df185cc43cbee7215149dcbd9148eac7a41
SHA512 a4e25e557ac39f6d61d9e6f96d08cab2521a6023fad55ee024f776f73c098148d59d77d354f267c756e8b0770b89c54b1d43ecca6980b6746fe5696dcb3ca762

C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.wrapper.log

MD5 283ad5c7efac45c4b6364aa07baa0b92
SHA1 3bffdc887396f60006c76915a8b33fd19ec16dbe
SHA256 de56012f3f3a4511a3e53e95697f865a58b58e06e58f78cebdc30431ddb99d5e
SHA512 677d2803869fd9625e751435d364cac61577956ddd8a0d769a80aacbe93f00f8e949587691ee2c49dc61ff986234dcce57e465a4356364a038fcda288f98cb89

C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.wrapper.log

MD5 14fe43e1516e676bbc442b037b5e9e23
SHA1 3229844e3a67bcb4abebbd9740576019db9cbd0d
SHA256 8f21a55879c706a3420a8ba3bdd9e87e9e20dcd6ae4a4314465744fbb393ac32
SHA512 e7cbea631c2ad42d4ebf1d8eb67d64ed15ed863e3379da9508c5b260f41d3a0089ad06aeff786a406767990f11ced8c833d7cee889368ab976b67f123e3ead2a

C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.wrapper.log

MD5 eb44b1970e0c7e5296ad15620330471d
SHA1 e8dd24852696b16ba18063c66dd22cf0d6eea0e3
SHA256 e22a1da7765601ba86ff72662ee45fd37d3ba2062400359b44f4b0101ca221e7
SHA512 b9fb0ae06ff27b6473955c29eae0305ee3e7b82eaac8711bcbb05bf40f6b769d52682e206ce460ba3c7dd454efff74b660c44f3fc154a47d1b62d55966feb2b1

memory/2224-250-0x000000002B870000-0x000000002B8BD000-memory.dmp

memory/2224-251-0x000000002BCF0000-0x000000002BEAD000-memory.dmp

memory/2224-253-0x000000002BCF0000-0x000000002BEAD000-memory.dmp

memory/2224-254-0x000000002BCF0000-0x000000002BEAD000-memory.dmp

memory/2224-255-0x000000002BCF0000-0x000000002BEAD000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-18 06:03

Reported

2024-11-18 06:06

Platform

win7-20240903-en

Max time kernel

117s

Max time network

122s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\kugou_yinyue-X64.msi

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
File created C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.vbs C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File created C:\Program Files\DeployDeterminedRetailer\QnEAZeOBmPdAEfzPaPmE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
File opened for modification C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.xml C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
File opened for modification C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
File created C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.xml C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
File created C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
File opened for modification C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
File created C:\Program Files\DeployDeterminedRetailer\yINMOeuVvrtK.exe C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
File created C:\Program Files\DeployDeterminedRetailer\kugou11131.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\DeployDeterminedRetailer\valibclang2d.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\f76c11d.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c11e.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c120.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.app.log C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
File opened for modification C:\Windows\Installer\f76c11e.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76c11d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDD73.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\DeployDeterminedRetailer\kugou11131.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = d0863dad7f39db01 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Program Files\DeployDeterminedRetailer\kugou11131.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2e\52C64B7E C:\Program Files\DeployDeterminedRetailer\kugou11131.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E\@"%windir%\System32\ie4uinit.exe",-732 = "Finds and displays information and Web sites on the Internet." C:\Program Files\DeployDeterminedRetailer\kugou11131.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\ProductName = "DeployDeterminedRetailer" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9D51F0087DFCA064380A9EB28F253D2C\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\Version = "151388165" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9B111F7821E44204F86D3FB2C9D25454\9D51F0087DFCA064380A9EB28F253D2C C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\SourceList\PackageName = "kugou_yinyue-X64.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9D51F0087DFCA064380A9EB28F253D2C C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\PackageCode = "2B31C87B8EF03FF46879ADE5DD5B9979" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9D51F0087DFCA064380A9EB28F253D2C\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\9B111F7821E44204F86D3FB2C9D25454 C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A
N/A N/A C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
Token: 35 N/A C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\DeployDeterminedRetailer\kugou11131.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2688 wrote to memory of 2880 N/A C:\Windows\system32\vssvc.exe C:\Windows\system32\WerFault.exe
PID 2688 wrote to memory of 2880 N/A C:\Windows\system32\vssvc.exe C:\Windows\system32\WerFault.exe
PID 2688 wrote to memory of 2880 N/A C:\Windows\system32\vssvc.exe C:\Windows\system32\WerFault.exe
PID 2380 wrote to memory of 1956 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2380 wrote to memory of 1956 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2380 wrote to memory of 1956 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2380 wrote to memory of 1956 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 2380 wrote to memory of 1956 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1956 wrote to memory of 1584 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 1584 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 1584 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1956 wrote to memory of 1588 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1956 wrote to memory of 1588 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1956 wrote to memory of 1588 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1588 wrote to memory of 3048 N/A C:\Windows\System32\cmd.exe C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe
PID 1588 wrote to memory of 3048 N/A C:\Windows\System32\cmd.exe C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe
PID 1588 wrote to memory of 3048 N/A C:\Windows\System32\cmd.exe C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe
PID 1588 wrote to memory of 3048 N/A C:\Windows\System32\cmd.exe C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe
PID 1956 wrote to memory of 2112 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe
PID 1956 wrote to memory of 2112 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe
PID 1956 wrote to memory of 2112 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe
PID 1956 wrote to memory of 2112 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe
PID 1956 wrote to memory of 2960 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DeployDeterminedRetailer\kugou11131.exe
PID 1956 wrote to memory of 2960 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DeployDeterminedRetailer\kugou11131.exe
PID 1956 wrote to memory of 2960 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DeployDeterminedRetailer\kugou11131.exe
PID 1956 wrote to memory of 2960 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DeployDeterminedRetailer\kugou11131.exe
PID 1956 wrote to memory of 2960 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DeployDeterminedRetailer\kugou11131.exe
PID 1956 wrote to memory of 2960 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DeployDeterminedRetailer\kugou11131.exe
PID 1956 wrote to memory of 2960 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\DeployDeterminedRetailer\kugou11131.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\kugou_yinyue-X64.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2688 -s 580

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005DC" "00000000000003AC"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 57B259D4E938DBC19927DCB2DB8C2D43 M Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DeployDeterminedRetailer'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start "" "C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe" x "C:\Program Files\DeployDeterminedRetailer\QnEAZeOBmPdAEfzPaPmE" -o"C:\Program Files\DeployDeterminedRetailer\" -pkYpyaRvRcFdTfVUfUNOC -y

C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe

"C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe" x "C:\Program Files\DeployDeterminedRetailer\QnEAZeOBmPdAEfzPaPmE" -o"C:\Program Files\DeployDeterminedRetailer\" -pkYpyaRvRcFdTfVUfUNOC -y

C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe

"C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe" -number 289 -file file3 -mode mode3

C:\Program Files\DeployDeterminedRetailer\kugou11131.exe

"C:\Program Files\DeployDeterminedRetailer\kugou11131.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 im.qq.com udp

Files

\??\PIPE\samr

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1956-13-0x0000000000610000-0x0000000000620000-memory.dmp

memory/1584-18-0x000000001B6A0000-0x000000001B982000-memory.dmp

memory/1584-19-0x0000000001EB0000-0x0000000001EB8000-memory.dmp

C:\Program Files\DeployDeterminedRetailer\UsfWMVCzYNmv.exe

MD5 c31c4b04558396c6fabab64dcf366534
SHA1 fa836d92edc577d6a17ded47641ba1938589b09a
SHA256 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

C:\Program Files\DeployDeterminedRetailer\QnEAZeOBmPdAEfzPaPmE

MD5 f97e41d5d36b59621dba93d7727cb67b
SHA1 b2e9e34874a9cb8c61fc276b9d77a0e1cb0532f0
SHA256 a85e5b6d77e5ddc9f00155f1cda319508c92c8e21c16bd99cfc87b15ae774174
SHA512 c8de402c10fb3505a7ef7b7ec8039f03b5810e6c38d7b2969865148f0a1ed21e798f386aae9ca2cb1655184accac39169d59cc7e6662ffa213c7a0edc4cd8c67

C:\Program Files\DeployDeterminedRetailer\YbAWjEbpulWw.exe

MD5 13c482a12d740c8fc27b23038fa097d4
SHA1 4c0d85646dfa60d3dbe9bab472fe1ef3ae8da957
SHA256 f12ea05152c21c0de7b9f81b9e9004a40ee7f3c4cf7b63b7918d53c74a1219a6
SHA512 73a1df4797a092de6b5fbede88a96d593ba34198f32f44eb390e223ebd0df988e114a7caa19de723b15698fcf884943f004a2d35d4bbd3c2ae18155594e74bbf

C:\Config.Msi\f76c11f.rbs

MD5 5b4c9421d3fd5cac63a0d801c7d1c80d
SHA1 419725c22a2b4594948f29d07d6dca4f76d8f797
SHA256 19c1bf4738ec664d17074de033ece34a351b674f7f9e55801a77c791a489d2e0
SHA512 e1a8632f8f1346985ebc009d6a09586992e09499de6d32d265c4b0acfa0e9b46405b3a61108d2dfa5a8ba0d63e19f2635e0ae17e7d7cf248448bdd51ce15ccdb

memory/2112-47-0x000000002B240000-0x000000002B26F000-memory.dmp

\Users\Admin\AppData\Local\Temp\nse475.tmp\isx.dll

MD5 c65109a207007208ef83b48de15d1145
SHA1 d76057c4e67f850c2100c31c1222618efeed146b
SHA256 4aaffbd45bc8d3498c76f78dba9b95f920367af37020e382099961437e89d071
SHA512 b2c34bfb1ff5b3272780e9d2f89ff09e2146daa783f3a860aa30cac06b28c6063f2349cc30dd20e154565ad1e6310cd45d33e683f336c8f4905ebd15e5543370

\Users\Admin\AppData\Local\Temp\nse475.tmp\System.dll

MD5 88513dbed3a5bba74d020b0d56ae587a
SHA1 f0f4f6f7e5e423ad1918ea553aa9e5c2ca75370a
SHA256 cbce0c9051e6f4724070186feb71255e01f606f6f0d2ca1d2fcbc8c942d8e11f
SHA512 6a61e4700c286202741cb344b4f6851573084b2dd78639f642252a9d5bcc35734fc7daa9d4e5d083577a0d4887d5a4a20ac04100b178205269fe13eb9d7393a7

\Users\Admin\AppData\Local\Temp\nse475.tmp\kgskin.dll

MD5 5a671b81a0d59cd5192b1861b65f2543
SHA1 f679af0550a31a5cfbaa1b055cfaf2396027e391
SHA256 5c7b02317096c5fe6fcfe173711e06aeb288c916e97a2abfe5939907744e0d97
SHA512 6d76a6ac670e147335760a03288c6fc7e99c18611edfa859f4e76027bd937ac0a650479bdd2d09f9b94bb56bc81e3d292a42769c763971ff9a24d9566d22b442

\Users\Admin\AppData\Local\Temp\nse475.tmp\svg.dll

MD5 f7b407c2c1600587cb6e5679a93250fb
SHA1 00b0cbedff910b4016cb957d6043eadb99575dd0
SHA256 3ca02f89d98b7781c242b60029ddeb4f6b8610b624c0b70c6347a50b49f59024
SHA512 428ae534ea6af1986f596b4a38b45926d2fe19cab09544fcc601a0a615e1ac45129e4eb88ac58489694b6b0c1a22514003eac5fdd0a7497cc719c1e047ad6624