Analysis Overview
SHA256: bdd5b875e9233fce93774ffcfc925daf2924eef9455d088d5dcddf41915d1112
Threat Level: Known bad
The file Fanyi.msi.vir was found to be: Known bad.
Malicious Activity Summary
Gh0strat
Detect PurpleFox Rootkit
Gh0strat family
PurpleFox
Gh0st RAT payload
Purplefox family
Command and Scripting Interpreter: PowerShell
Enumerates connected drives
Drops file in System32 directory
Drops file in Windows directory
Executes dropped EXE
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Event Triggered Execution: Installer Packages
System Network Configuration Discovery: Internet Connection Discovery
Checks processor information in registry
Uses Volume Shadow Copy service COM API
Modifies data under HKEY_USERS
Runs ping.exe
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-11-19 03:57
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-11-19 03:57
Reported: 2024-11-19 04:00
Platform: win7-20240903-en
Max time kernel: 120s
Max time network: 121s
Command Line
Signatures
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1352 wrote to memory of 2692 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\WerFault.exe |
| PID 1352 wrote to memory of 2692 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\WerFault.exe |
| PID 1352 wrote to memory of 2692 | N/A | C:\Windows\system32\msiexec.exe | C:\Windows\system32\WerFault.exe |
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| C:\Windows\system32\msiexec.exe | msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Fanyi.msi |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 1352 -s 828 |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted: 2024-11-19 03:57
Reported: 2024-11-19 04:00
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 150s
Command Line
Signatures
Detect PurpleFox Rootkit
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Gh0strat family
PurpleFox
Purplefox family
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Enumerates connected drives
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SvwYSxmZIFRH.exe.log | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\EnsureOptimizedConsultant\VC_redist.x64.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.vbs | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\aVtIJLgGgcGxLFnglYFRNfQHCAjTzJ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.xml | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\igc964.dll | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\VOCcbQbkNjexsfDtMfOljQvmAGbPQx | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.xml | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| File created | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\VOCcbQbkNjexsfDtMfOljQvmAGbPQx | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | C:\Windows\System32\MsiExec.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | N/A |
| File opened for modification | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\SourceHash{BAE5191B-634D-4FA3-8A18-A96FC79A226D} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB844.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57b73c.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e57b73a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e57b73a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | N/A |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | N/A |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe | N/A |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
| N/A | N/A | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
System Network Configuration Discovery: Internet Connection Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings | C:\Windows\System32\WScript.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host | C:\Windows\System32\WScript.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\System32\MsiExec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\System32\WScript.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C5E14B8AB47855B4C80C5E0912705F5C\B1915EABD4363AF4A8819AF67CA922D6 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B1915EABD4363AF4A8819AF67CA922D6 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\Version = "151191556" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C5E14B8AB47855B4C80C5E0912705F5C | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\SourceList\PackageName = "Fanyi.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B1915EABD4363AF4A8819AF67CA922D6\ProductFeature | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\PackageCode = "AF22DF62929E352458618D1C37BDA328" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\Language = "1033" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\ProductName = "EnsureOptimizedConsultant" | C:\Windows\system32\msiexec.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\PING.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| Token: 35 | N/A | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| Token: 35 | N/A | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Fanyi.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 5804F76620F5D960600CE394027C5685 E Global\MSI0000
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\EnsureOptimizedConsultant','C:\Program Files','C:\Program Files'
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe" x "C:\Program Files\EnsureOptimizedConsultant\aVtIJLgGgcGxLFnglYFRNfQHCAjTzJ" -o"C:\Program Files\EnsureOptimizedConsultant\" -p"77889mQ.lKbWjlL+;EHv" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe" x "C:\Program Files\EnsureOptimizedConsultant\VOCcbQbkNjexsfDtMfOljQvmAGbPQx" -x!1_mAaRrGrorewO.exe -x!sss -x!1_gmFEzzgRgEXnNiUbsEYUyCvvFbviXj.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\EnsureOptimizedConsultant\" -p"56555&-YUD]NF+xlU&V!" -y
C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
"C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe" x "C:\Program Files\EnsureOptimizedConsultant\aVtIJLgGgcGxLFnglYFRNfQHCAjTzJ" -o"C:\Program Files\EnsureOptimizedConsultant\" -p"77889mQ.lKbWjlL+;EHv" -y
C:\Windows\system32\PING.EXE
ping 127.0.0.1 -n 2
C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
"C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe" x "C:\Program Files\EnsureOptimizedConsultant\VOCcbQbkNjexsfDtMfOljQvmAGbPQx" -x!1_mAaRrGrorewO.exe -x!sss -x!1_gmFEzzgRgEXnNiUbsEYUyCvvFbviXj.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\EnsureOptimizedConsultant\" -p"56555&-YUD]NF+xlU&V!" -y
C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
"C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 180 -file file3 -mode mode3
C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.vbs"
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe
"C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe" install
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe
"C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe" start
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe
"C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe"
C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
"C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 109 -file file3 -mode mode3
C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
"C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 62 -file file3 -mode mode3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | im.qq.com | udp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fgfdg5631gfd.icu | udp |
| HK | 38.47.221.103:80 | fgfdg5631gfd.icu | tcp |
| US | 8.8.8.8:53 | 103.221.47.38.in-addr.arpa | udp |
| HK | 103.94.77.45:10200 | | tcp |
| US | 8.8.8.8:53 | 45.77.94.103.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qweaq.cyou | udp |
| US | 148.178.21.107:29390 | qweaq.cyou | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | qweaq.shop | udp |
| US | 148.178.21.107:29390 | qweaq.shop | tcp |
| US | 148.178.21.107:29390 | qweaq.shop | tcp |
| US | 148.178.21.107:29390 | qweaq.shop | tcp |
| US | 148.178.21.107:29390 | qweaq.shop | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_v2aj2cll.i2b.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/2140-22-0x000001CBF0280000-0x000001CBF02A2000-memory.dmp
C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
| MD5 | c31c4b04558396c6fabab64dcf366534 |
| SHA1 | fa836d92edc577d6a17ded47641ba1938589b09a |
| SHA256 | 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3 |
| SHA512 | 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99 |
C:\Program Files\EnsureOptimizedConsultant\aVtIJLgGgcGxLFnglYFRNfQHCAjTzJ
| MD5 | 3f13e97feef00523f66fa7712c761086 |
| SHA1 | 8f423c0ca6b6ccef72a72e663784c479e4e0c6d8 |
| SHA256 | 76e46c8dd318c90073888022563019f0027a33258c4656bd65321847d8ce758c |
| SHA512 | 8e4ca0967df09f0d136974987e7044b0b81802d53f50c9aa91acd752ac9832ffb4dcb32e6e21b4371e836bd6efb2d12796c518a7d1b2a26c8a25738c98b97e3c |
C:\Program Files\EnsureOptimizedConsultant\VOCcbQbkNjexsfDtMfOljQvmAGbPQx
| MD5 | ce383e5084ed5e632f4daa4d67419699 |
| SHA1 | d7c33fe3e8b5924abe5b171e1a04fb6c057828ec |
| SHA256 | 7e99e636ee0d1dd375e3a9708ed9abf4e24c065fc666f29cea73b210e5a4d3c7 |
| SHA512 | e19dc8c9b1abd5578d386c4bb7609336f71211bdbf809e9f4826f77d09a7a4b7a55d50a887b3a818f5b9fbe0a33df6aabf0892ac4b609bd035055af680a6baec |
C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe
| MD5 | 0e76fd2dd06b069ed52c2f632ea0a532 |
| SHA1 | 1f7abe1527bd0670346354a71c0d3e25a0c45d09 |
| SHA256 | 262314d5d3d5be46b9c5cf1cbf59945529ae6a0baa0fc17ac81f5b9213488bc9 |
| SHA512 | db7684bbcc29d839e9b9c5ac15221f694d1554973e02182a0bbc22a60287d8b6be83ccfe4e66be62def34eb3a3412bd1632c043984850121751d89d91e8503aa |
C:\Config.Msi\e57b73b.rbs
| MD5 | efd30e2462127d66ea098c6d5df8c7d9 |
| SHA1 | 47429d5c3328f07bf0e208b46084ab88580e46f3 |
| SHA256 | 730adbbaa7dde3a16be5dcab96562119ac84dbc5332091e6a842c9ede57e3ab1 |
| SHA512 | 0685fc25797c515efbf0848dda9d8090e52b26795dc89af05533299dcebbe8802d359fa95e1bf6ee7bdedd746d447c49b70bd4f96ef49ac0473c3cf1dd735f3c |
C:\Windows\Installer\e57b73a.msi
| MD5 | 3d6804261513077c81543bfa24503bae |
| SHA1 | a5b387c2402a77bf6ffd6835dbf79129a41a4ec6 |
| SHA256 | bdd5b875e9233fce93774ffcfc925daf2924eef9455d088d5dcddf41915d1112 |
| SHA512 | 899b6e4ebe9ea71a37772149a78ed19b9e09d6b0b9f8287b85a484008d6e6ad0efa99eabf4c245958929a1f0b52672ffec05cb824578738fbb0107f312f531ec |
memory/1276-63-0x0000000009F20000-0x0000000009F4F000-memory.dmp
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe
| MD5 | d305d506c0095df8af223ac7d91ca327 |
| SHA1 | 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a |
| SHA256 | 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66 |
| SHA512 | 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796 |
C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.vbs
| MD5 | 52009f48e9e0b20f57bad46cbcb394cf |
| SHA1 | add56fb60a485bd2e8e51e92dad44c06f6404858 |
| SHA256 | 8640976c703cb5f3177959424c3d3049fab696a8fe1f637539fc0e96bbb712c9 |
| SHA512 | 2c602469c0db4a52e452e764aa2bd4f502d18d2b76ed6e28850aa61d021f34080653407b8e3c26e6b310f3cbed378ed320d31a2037aca434339278618b2209e4 |
memory/5076-68-0x0000000000FE0000-0x00000000010B6000-memory.dmp
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.xml
| MD5 | 3b942a37e0de1ccf15af63724e09c55f |
| SHA1 | cc3ca1a1998c48cf3c9425c12e703accc7187cc4 |
| SHA256 | c616cfdab5db1b5d31f8a551f5fbf4ee99a1896733e07ca62b3c45e5263c4a9d |
| SHA512 | 2a5670891b34de3a72d36e8b184072b808c587109871f8ed89f661da1447478db07010866072306545d7f7c20c3b6a30d217e94a84694aa5babbd4ac6bdacfd4 |
\??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1d6b2313-e2f3-4345-9c62-8561546a7f51}_OnDiskSnapshotProp
| MD5 | b823cdbb35892b48fffa46c25cfba8ff |
| SHA1 | af25ab834d76a224e4fd2b75930c9b065b683be1 |
| SHA256 | 481f04b93c31be2b079b1965f02dd648a0998c08c5ebdf1d86315ac2ee6d8d7b |
| SHA512 | 4c91ce6d36732ba5e137d1dac01f57079874eb29f52874a05c0f4fea39130c1371eb7b74b6c5400e3acb2ce0e73a887a1b9d897a60f41aff707bbdcf68cace26 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 213e760dea6108c3a3e886bf4e805390 |
| SHA1 | ed367b0f24f2fb1b8888bbb74d9c8a7f144ea73e |
| SHA256 | ac17cbd1cf55df00c80a26ca231992fa643111c826ad050f4c4d3451bf4a00b3 |
| SHA512 | 73f6014d95b6edd27791fed177d3080e9c974965c098d47d97d906d20b4ed39d80f90d4ddf0297e7bf6d5aa53618de132d5fb88a43b427b4c53825c4ccfc936c |
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SvwYSxmZIFRH.exe.log
| MD5 | 122cf3c4f3452a55a92edee78316e071 |
| SHA1 | f2caa36d483076c92d17224cf92e260516b3cbbf |
| SHA256 | 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0 |
| SHA512 | c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c |
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log
| MD5 | 4b98fe94da93c769d70877f256a9852b |
| SHA1 | 4bf1229354f443a35162eda5c97541bdfb18a226 |
| SHA256 | d303ee161850f87b2cb855dc2591fd282a3a8fa577b2ea9a63315eed84435a8d |
| SHA512 | 6f6d8d2de4affe66af22862ebd2942d79dd0bcd770bcd75ec935e5f0604d96c5cb0c16ca321c7dcf6fcb822973cc58f8fd0bac8d149ece31d01658e1be9a8d42 |
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log
| MD5 | c9b8b28e713ac8357694e0b76e7ee78d |
| SHA1 | ff1275e6b40cc3d4ccda77573ad41c969e3aaaf6 |
| SHA256 | 19ea7df6e03fbab4e4314ca37351eadde94971e307e6856b96a4f96d568aa17f |
| SHA512 | a44ece08d88a7853c8967ef53c8278c08916daf148c99369819fef494fc71fb5874bd62ed944d9509717bdb7b409aaa4d2233f16cd6d29d0eb643e85582e4b2e |
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log
| MD5 | 67a6c8438f0388678973083f0ec5645b |
| SHA1 | 0690456abbb77669fa513d111000327aaa54f5bd |
| SHA256 | 2d5da88a96de55bcd213a971110d002667f56f5d77b9892a82ffbac92db0c8bc |
| SHA512 | a7b7695618df6b35e4a9d7fcf742205636a9a51022d2d07e5629637355926c12905e2b16fb02038809c522195b6e551223a1adc71b5fa5ecdd34010d51570850 |
C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log
| MD5 | 4db9712873117b640e4482da72e75ee2 |
| SHA1 | 2d55346aef9a813d352da26131a78055bcc00ddb |
| SHA256 | bed9fb42dad84221e03b2757c23cccb5fcd24533d7207479d44a603f3a22eea3 |
| SHA512 | d104c6ed609391c6005827db90fc5d955ee1513246ad4e962e8d84cd8a9c1d54ce6417a62c13a058264ef49a4126a7983b1bb9e821d156b386e7c36e2ab91709 |
memory/4936-98-0x0000000029D40000-0x0000000029D8D000-memory.dmp
memory/4936-99-0x000000002B970000-0x000000002BB2D000-memory.dmp
memory/4936-101-0x000000002B970000-0x000000002BB2D000-memory.dmp
memory/4936-102-0x000000002B970000-0x000000002BB2D000-memory.dmp
memory/4936-103-0x000000002B970000-0x000000002BB2D000-memory.dmp