gh0strat | 54fca74da7efd3ad0e56edf58b8e0407fb5772bce15869a8a9d57db7426fca81

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 10:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54fca74da7efd3ad0e56edf58b8e0407fb5772bce15869a8a9d57db7426fca81.msi
Size

19.6MB
MD5

ff821162f4a52975c227837b4310bcfc
SHA1

9c809183f9e16a752a10c53745037fe9e76984c0
SHA256

54fca74da7efd3ad0e56edf58b8e0407fb5772bce15869a8a9d57db7426fca81
SHA512

9a36a0a5e1a679858a32e7030ab429b7252fa0da0318f6732f873b76b80f5cfa59476e1ec5cd9d2a096794a3bf81a179658c0ad21904b38bfabab0444762a656
SSDEEP

393216:7SlQBSnINh5eoFeRqEE4QUJpKLV/tWytmaI69SCNmLKfFYfrAW6rg:WdI/5lFeRJFjJWV/7tmapNJfkC

Score

10^/10

gh0strat purplefox discovery execution persistence privilege_escalation rat rootkit trojan

Malware Config

Signatures

Detect PurpleFox Rootkit 4 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/3560-118-0x000000002BF10000-0x000000002C0CC000-memory.dmp	purplefox_rootkit
behavioral2/memory/3560-120-0x000000002BF10000-0x000000002C0CC000-memory.dmp	purplefox_rootkit
behavioral2/memory/3560-121-0x000000002BF10000-0x000000002C0CC000-memory.dmp	purplefox_rootkit
behavioral2/memory/3560-122-0x000000002BF10000-0x000000002C0CC000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/3560-118-0x000000002BF10000-0x000000002C0CC000-memory.dmp	family_gh0strat
behavioral2/memory/3560-120-0x000000002BF10000-0x000000002C0CC000-memory.dmp	family_gh0strat
behavioral2/memory/3560-121-0x000000002BF10000-0x000000002C0CC000-memory.dmp	family_gh0strat
behavioral2/memory/3560-122-0x000000002BF10000-0x000000002C0CC000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4932	powershell.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	zKzEtPocmTOd.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	zKzEtPocmTOd.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	zKzEtPocmTOd.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	zKzEtPocmTOd.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	zKzEtPocmTOd.exe
File opened (read-only)	\??\X:	zKzEtPocmTOd.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	zKzEtPocmTOd.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	zKzEtPocmTOd.exe
File opened (read-only)	\??\T:	zKzEtPocmTOd.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	zKzEtPocmTOd.exe
File opened (read-only)	\??\O:	zKzEtPocmTOd.exe
File opened (read-only)	\??\G:	zKzEtPocmTOd.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	zKzEtPocmTOd.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	zKzEtPocmTOd.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	zKzEtPocmTOd.exe
File opened (read-only)	\??\W:	zKzEtPocmTOd.exe
File opened (read-only)	\??\V:	zKzEtPocmTOd.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	zKzEtPocmTOd.exe
File opened (read-only)	\??\K:	zKzEtPocmTOd.exe
File opened (read-only)	\??\N:	zKzEtPocmTOd.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	zKzEtPocmTOd.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	zKzEtPocmTOd.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HJbqSVHgWRnX.exe.log	HJbqSVHgWRnX.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.wrapper.log	HJbqSVHgWRnX.exe
File created	C:\Program Files\PersonalizationInterpretBuild\DLTVCKTfgMURslRjMJmTCJEERkiaWM	msiexec.exe
File created	C:\Program Files\PersonalizationInterpretBuild\VideoConverter.exe	msiexec.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\cTehvxsnNwchkLFRUmGbIaeJKOzhvJ	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
File created	C:\Program Files\PersonalizationInterpretBuild\aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe	msiexec.exe
File created	C:\Program Files\PersonalizationInterpretBuild\cTehvxsnNwchkLFRUmGbIaeJKOzhvJ	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\2_zKzEtPocmTOd.exe	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.wrapper.log	HJbqSVHgWRnX.exe
File created	C:\Program Files\PersonalizationInterpretBuild\WhatsApp1.exe	msiexec.exe
File created	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.xml	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
File created	C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe	MsiExec.exe
File created	C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.vbs	zKzEtPocmTOd.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe	MsiExec.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild	zKzEtPocmTOd.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.wrapper.log	HJbqSVHgWRnX.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.xml	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
File created	C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
File created	C:\Program Files\PersonalizationInterpretBuild\2_zKzEtPocmTOd.exe	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{916A8DD3-A3D7-4DF7-A514-5AFDD9FBBC56}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF6A4.tmp	msiexec.exe
File created	C:\Windows\Installer\e57f59d.msi	msiexec.exe
File created	C:\Windows\Installer\e57f59b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f59b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 9 IoCs

pid	Process
1976	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
4168	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
3036	zKzEtPocmTOd.exe
1680	WhatsApp1.exe
4176	HJbqSVHgWRnX.exe
4876	HJbqSVHgWRnX.exe
4204	HJbqSVHgWRnX.exe
2700	zKzEtPocmTOd.exe
3560	zKzEtPocmTOd.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1840	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zKzEtPocmTOd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zKzEtPocmTOd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zKzEtPocmTOd.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009fc5eef0dbaffe7c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009fc5eef00000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809009fc5eef0000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d9fc5eef0000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009fc5eef000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zKzEtPocmTOd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	zKzEtPocmTOd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4884	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	WhatsApp1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\CTF\CUAS\DefaultCompositionWindow	WhatsApp1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	WhatsApp1.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	WhatsApp1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	WhatsApp1.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\CUAS	WhatsApp1.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	WhatsApp1.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E44E9428-BDBC-4987-A099-40DC8FD255E7} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF = 0100000000000000f753bfe15f3edb01	WhatsApp1.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow\Left = "0"	WhatsApp1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-55175 = "Internet Explorer"	OpenWith.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E	WhatsApp1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	WhatsApp1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WScript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	WhatsApp1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	WhatsApp1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow	WhatsApp1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	WhatsApp1.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow\Top = "0"	WhatsApp1.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	WScript.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	WhatsApp1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	WhatsApp1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\S-1-5-18_Classes\Local Settings	OpenWith.exe

Modifies registry class 22 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\56350C874AACB6B43A4E890D35C67983\3DD8A6197D3A7FD45A41A5DF9DBFCB65	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\SourceList\PackageName = "54fca74da7efd3ad0e56edf58b8e0407fb5772bce15869a8a9d57db7426fca81.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\56350C874AACB6B43A4E890D35C67983	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3DD8A6197D3A7FD45A41A5DF9DBFCB65	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\3DD8A6197D3A7FD45A41A5DF9DBFCB65\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\PackageCode = "BA0CC31A6753E2B4DA4D38E775725F06"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\ProductName = "PersonalizationInterpretBuild"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\Version = "117571592"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\3DD8A6197D3A7FD45A41A5DF9DBFCB65\SourceList\Net	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3272	msiexec.exe
3272	msiexec.exe
4932	powershell.exe
4932	powershell.exe
4932	powershell.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe
3036	zKzEtPocmTOd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1840	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1840	msiexec.exe
Token: SeSecurityPrivilege	3272	msiexec.exe
Token: SeCreateTokenPrivilege	1840	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1840	msiexec.exe
Token: SeLockMemoryPrivilege	1840	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1840	msiexec.exe
Token: SeMachineAccountPrivilege	1840	msiexec.exe
Token: SeTcbPrivilege	1840	msiexec.exe
Token: SeSecurityPrivilege	1840	msiexec.exe
Token: SeTakeOwnershipPrivilege	1840	msiexec.exe
Token: SeLoadDriverPrivilege	1840	msiexec.exe
Token: SeSystemProfilePrivilege	1840	msiexec.exe
Token: SeSystemtimePrivilege	1840	msiexec.exe
Token: SeProfSingleProcessPrivilege	1840	msiexec.exe
Token: SeIncBasePriorityPrivilege	1840	msiexec.exe
Token: SeCreatePagefilePrivilege	1840	msiexec.exe
Token: SeCreatePermanentPrivilege	1840	msiexec.exe
Token: SeBackupPrivilege	1840	msiexec.exe
Token: SeRestorePrivilege	1840	msiexec.exe
Token: SeShutdownPrivilege	1840	msiexec.exe
Token: SeDebugPrivilege	1840	msiexec.exe
Token: SeAuditPrivilege	1840	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1840	msiexec.exe
Token: SeChangeNotifyPrivilege	1840	msiexec.exe
Token: SeRemoteShutdownPrivilege	1840	msiexec.exe
Token: SeUndockPrivilege	1840	msiexec.exe
Token: SeSyncAgentPrivilege	1840	msiexec.exe
Token: SeEnableDelegationPrivilege	1840	msiexec.exe
Token: SeManageVolumePrivilege	1840	msiexec.exe
Token: SeImpersonatePrivilege	1840	msiexec.exe
Token: SeCreateGlobalPrivilege	1840	msiexec.exe
Token: SeBackupPrivilege	2236	vssvc.exe
Token: SeRestorePrivilege	2236	vssvc.exe
Token: SeAuditPrivilege	2236	vssvc.exe
Token: SeBackupPrivilege	3272	msiexec.exe
Token: SeRestorePrivilege	3272	msiexec.exe
Token: SeRestorePrivilege	3272	msiexec.exe
Token: SeTakeOwnershipPrivilege	3272	msiexec.exe
Token: SeRestorePrivilege	3272	msiexec.exe
Token: SeTakeOwnershipPrivilege	3272	msiexec.exe
Token: SeDebugPrivilege	4932	powershell.exe
Token: SeRestorePrivilege	1976	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
Token: 35	1976	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
Token: SeSecurityPrivilege	1976	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
Token: SeSecurityPrivilege	1976	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
Token: SeRestorePrivilege	4168	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
Token: 35	4168	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
Token: SeSecurityPrivilege	4168	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
Token: SeSecurityPrivilege	4168	aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
Token: SeRestorePrivilege	3272	msiexec.exe
Token: SeTakeOwnershipPrivilege	3272	msiexec.exe
Token: SeRestorePrivilege	3272	msiexec.exe
Token: SeTakeOwnershipPrivilege	3272	msiexec.exe
Token: SeRestorePrivilege	3272	msiexec.exe
Token: SeTakeOwnershipPrivilege	3272	msiexec.exe
Token: SeRestorePrivilege	3272	msiexec.exe
Token: SeTakeOwnershipPrivilege	3272	msiexec.exe
Token: SeRestorePrivilege	3272	msiexec.exe
Token: SeTakeOwnershipPrivilege	3272	msiexec.exe
Token: SeRestorePrivilege	3272	msiexec.exe
Token: SeTakeOwnershipPrivilege	3272	msiexec.exe
Token: SeRestorePrivilege	3272	msiexec.exe
Token: SeTakeOwnershipPrivilege	3272	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1840	msiexec.exe
1840	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4192	OpenWith.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3272 wrote to memory of 4660	3272	msiexec.exe	94
PID 3272 wrote to memory of 4660	3272	msiexec.exe	94
PID 3272 wrote to memory of 3820	3272	msiexec.exe	96
PID 3272 wrote to memory of 3820	3272	msiexec.exe	96
PID 3820 wrote to memory of 4932	3820	MsiExec.exe	97
PID 3820 wrote to memory of 4932	3820	MsiExec.exe	97
PID 3820 wrote to memory of 1680	3820	MsiExec.exe	104
PID 3820 wrote to memory of 1680	3820	MsiExec.exe	104
PID 3820 wrote to memory of 4884	3820	MsiExec.exe	105
PID 3820 wrote to memory of 4884	3820	MsiExec.exe	105
PID 4204 wrote to memory of 2700	4204	HJbqSVHgWRnX.exe	116
PID 4204 wrote to memory of 2700	4204	HJbqSVHgWRnX.exe	116
PID 4204 wrote to memory of 2700	4204	HJbqSVHgWRnX.exe	116
PID 2700 wrote to memory of 3560	2700	zKzEtPocmTOd.exe	117
PID 2700 wrote to memory of 3560	2700	zKzEtPocmTOd.exe	117
PID 2700 wrote to memory of 3560	2700	zKzEtPocmTOd.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\54fca74da7efd3ad0e56edf58b8e0407fb5772bce15869a8a9d57db7426fca81.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1840

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3272
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4660
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 445425551465B2907582E6DC7E0159A2 E Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:3820
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\PersonalizationInterpretBuild','C:\Program Files','C:\Program Files'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4932
- - C:\Program Files\PersonalizationInterpretBuild\WhatsApp1.exe
    "C:\Program Files\PersonalizationInterpretBuild\WhatsApp1.exe"
    3⤵
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:1680
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe
    3⤵
    - Kills process with taskkill
    PID:4884

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2236

C:\Program Files\PersonalizationInterpretBuild\aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
"C:\Program Files\PersonalizationInterpretBuild\aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe" x "C:\Program Files\PersonalizationInterpretBuild\DLTVCKTfgMURslRjMJmTCJEERkiaWM" -o"C:\Program Files\PersonalizationInterpretBuild\" -p"17314<A}a(~9p3>d:L}0" -y
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Program Files\PersonalizationInterpretBuild\aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe
"C:\Program Files\PersonalizationInterpretBuild\aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe" x "C:\Program Files\PersonalizationInterpretBuild\cTehvxsnNwchkLFRUmGbIaeJKOzhvJ" -x!"1_zKzEtPocmTOd.exe" -x!"sss" -x!"1_CNPdcWBDNfcfUyDsWrbvmBQhkPnnVe.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\PersonalizationInterpretBuild\" -p"70768UY!eWKrRq2&262_" -y
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4168

C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe
"C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe" -nbg 132
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3036

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.vbs"
1⤵
- Modifies data under HKEY_USERS
PID:4288

C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe
"C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe" install
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
PID:4176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:4192

C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe
"C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe" start
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:4876

C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe
"C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe
  "C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe" -nbg 173
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe
    "C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe" -nbg 72 -chg ppo -me hhgff
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:3560

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:1928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57f59c.rbs

Filesize
8KB

MD5
f7ad1832c2a078f5a13c165fb1901f7a

SHA1
1037843a32a34431d2a629842e5f0f729da948c7

SHA256
65fa9abee0426cda2647ac45f0ac2dd751e55dee9a0afe8fbc72b2f79a19f1ec

SHA512
9961b44fe4128ed0991ad5d07d0616c4555e65a56d903124b247a12b265ff6db015f600caece59bdaa3ed07d3b07801c91a278fdf63b4efb13845ed0400187db

Download Submit
C:\Program Files\PersonalizationInterpretBuild\2_zKzEtPocmTOd.exe

Filesize
3.9MB

MD5
10b0c2d503e18dbf51c067d54dd1267e

SHA1
2a0b1317961900c0b8666ae09152c31415f63b3a

SHA256
5bc819ea66774c21cdf699529a998b81779f5c6ebb9b82a3aafd2690d10165c2

SHA512
0d60717b7ef2194cee4fcc5e1f2f4f8e0d5a0d42a8cb6d5369b0c609ec12f598efb06611e77f97e92199f92f4303b161868dccf0a0cb307a670d503de6f729b2

Download Submit
C:\Program Files\PersonalizationInterpretBuild\DLTVCKTfgMURslRjMJmTCJEERkiaWM

Filesize
2.0MB

MD5
67d5bae557527ce6b1c7997657e2b980

SHA1
f08be2a47caf7cd87ab5ffd95d6f20a1f8329820

SHA256
05c17714bc0a0529cdcd3957a0df638f50f7eb1cbde86d954e3020d8df90e201

SHA512
5d629946561408bdf75761003307463b453ee3276bb40138d769311890e36dc7fe256e3fafb048f2ee7f0e6de95bccb47ad6faa64b4867c4f5ea1313da80b045

Download Submit
C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe

Filesize
606KB

MD5
4e85cc36adc996c3ddd3a9825d4b7f73

SHA1
e5aa0e5db7d9fd27e2a0484f3fd6c322fc5ee97f

SHA256
7b36e127e1fa53e0c6462312777c5d004ea83bde67e6df32fb8920b6c001d664

SHA512
2d7b7c5eb54cf68a218fca7239c0e194af0b81796e621bc039edccea64b60a202670a47af207988467a8c25584cef96a6652f52d53464ce3cf01006c680f2980

Download Submit
C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.wrapper.log

Filesize
367B

MD5
2a72b8e4602e62e54c3c3321a1c53d9f

SHA1
cbde222b410fbcb9a437c4cebb98a417c8d00054

SHA256
f9acec7ad1c353520d72eff6036a6d78fcbdc5f7c3592b8ecb1cd1797cba3b0d

SHA512
a03051da5119b7d433f1400ffef00a4be120fdadc322245fb77ba19848a2865493ca46d05f3ea0edf39a7d4122f8f5c0e6c730f4963f970def79c84fdbd79120

Download Submit
C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.wrapper.log

Filesize
609B

MD5
afa122bcc54650fdf3963a331fbdff6e

SHA1
c3f60d9849d3b221255f529fab0e7ade53f74add

SHA256
cbec2ddccc3ab53fa5e927ae009815f7a6a6a1621ed65e452ca35d3673a3143b

SHA512
7c8640ebb6ab132c6f8e49b94ee9c0e6764aeb4a67ddca197d8fe3869241b1d0400e0d9164072f21a3308c14605b444f27fb81775af5bb8d2cb2a4540f1da2dc

Download Submit
C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.wrapper.log

Filesize
796B

MD5
3e9c84959da7fa7470264ec14b5455ae

SHA1
58ed5cf4d3d2a2df2bbde5de1635a8ac6dd2c9bf

SHA256
e8faf30fda16d97ee80c2b1033971f8f21d09a2461ef7d77956ff705685c5db5

SHA512
00b398e664fb6539db318b5e352d3a6b0c2dd83324599a85d81d0a89d648c6dd1a7ef35fd7d84c876117337e8ad643a62f765fa992be822f1a64f4cac176f374

Download Submit
C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.wrapper.log

Filesize
214B

MD5
847e58825be150bc0221f8a686a04c96

SHA1
81f220022a96cca09dce34fe207c471a3f73be18

SHA256
b93fb9b1113932af2456ab74df07cfad7dd59181202f2622c09c8e9cf8132eb3

SHA512
0f939ec3d3709366a36bbc94599ec7348cb6c786ac42fa6f08765793e24a24a04d3f5ac0e5b107b6603f9d7080ce2fd0b08e33becc0230adb8d0562b985024d7

Download Submit
C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.xml

Filesize
420B

MD5
1f07876d83255334b13b191d8431a4fc

SHA1
c76c032ed46761c1f8463d8608e5708cb9dbe2b0

SHA256
03cbb13a92ee03073cca3a3fc3ae5f6618dde91583a351d64327dd5857aec574

SHA512
c88da060c86612b4d5ef0c1d3d1b4de9e836705fe7822507100da57ea8e35e44e033a7c630ea53ef24cf180cddbcb2d2e66fb593785e5ee3204d907c2cb4917f

Download Submit
C:\Program Files\PersonalizationInterpretBuild\WhatsApp1.exe

Filesize
1.0MB

MD5
f90ddf18d65bb3153bcdfdc4856ce2a5

SHA1
611376391f17207d60ca8c2ec81354933f8dac45

SHA256
62eef5a5e363624007bc29a6ecd3275aec2e5a67eef058df404d145c90e3a0ce

SHA512
f3f20f216ab6fd055f8d494f2758512413cb1cf121a2b51cae4e7b371a595b4dfe8ed4213aa759ccc4569ad6ed792f936304bfb4aac2952a79a3b2bccd293316

Download Submit
C:\Program Files\PersonalizationInterpretBuild\aHnnvlhzvwbrQLAFVpMkAtGHNysRqE.exe

Filesize
577KB

MD5
0fe04f5747f21419bc96e130b2068238

SHA1
558279fe10e5dc98419c3d7e138a569e7ca59011

SHA256
06654d17334fa342f62d42bd805c8bc6da8105612d9ff45c45b8f092a7c46e17

SHA512
a76fe81d96b1c4af92f4cee5ec567cee1393960bccf290963541e50df0b5286154878de577f7e383b5c0a75a4e134b71243e4e6154ab10ddda0d7a3a4c1a939b

Download Submit
C:\Program Files\PersonalizationInterpretBuild\cTehvxsnNwchkLFRUmGbIaeJKOzhvJ

Filesize
2.0MB

MD5
271644676d6ea23625b591f63e46cb88

SHA1
3df4cf1cb757f2567b38dab0af08c4bee1e5df8a

SHA256
4c8ba9e619f7eaa617bd110eb77e9b39b21dbf93d1941cd24c29274f1d41c5a3

SHA512
c9c1fe43370bfd1cf1d1477f35c9b89d998184bfde75137b52c3de6ec689e4f139367f10c93ca29b3cab0959a4a4dad7794ee5b8482a7018429f22375262b1dd

Download Submit
C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.vbs

Filesize
2KB

MD5
519103da059ae0348f3b566f02689088

SHA1
9867ecb75fc0d981532bd4e1d5a2f7568d4b6e1d

SHA256
bb157a1ecb2bde63bcb191bc556fba60c805a8f9481d2e27170a35ee308de143

SHA512
ac6c1d9bffa72857f463bd98fec58b7b26a457e7664e7dbed16130f5724be7afd120ee8e1bc815fb8192f79c56e578228ec4ee99e2808569e2ec2e8ec1c1be2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp2268.tmp

Filesize
1KB

MD5
a10f31fa140f2608ff150125f3687920

SHA1
ec411cc7005aaa8e3775cf105fcd4e1239f8ed4b

SHA256
28c871238311d40287c51dc09aee6510cac5306329981777071600b1112286c6

SHA512
cf915fb34cd5ecfbd6b25171d6e0d3d09af2597edf29f9f24fa474685d4c5ec9bc742ade9f29abac457dd645ee955b1914a635c90af77c519d2ada895e7ecf12

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_3dcre2ov.0n0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Installer\e57f59b.msi

Filesize
19.6MB

MD5
ff821162f4a52975c227837b4310bcfc

SHA1
9c809183f9e16a752a10c53745037fe9e76984c0

SHA256
54fca74da7efd3ad0e56edf58b8e0407fb5772bce15869a8a9d57db7426fca81

SHA512
9a36a0a5e1a679858a32e7030ab429b7252fa0da0318f6732f873b76b80f5cfa59476e1ec5cd9d2a096794a3bf81a179658c0ad21904b38bfabab0444762a656

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HJbqSVHgWRnX.exe.log

Filesize
1KB

MD5
2da44f7c2b3721a44a3760ab180ca05e

SHA1
ce3325e28e5911967b403fee03f6cbf6b1b303af

SHA256
7253a1555ca5787509e338a9b09e6bd99f9db0ac6102baf21ca632ca8f8380d4

SHA512
78d1cf7ea933c0d61426604c5010dde5d3111dcb1a0de2f1bb218b2bc654685de6830245e1a20efcb20b6cd16f0df862b75aa98b2ac467b3e6a66dfffe6ae1ee

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
19cd7307a194f4756ed0d6679101b9f5

SHA1
a296ba27b79bc6d792c98f6a4ee49a6e7e28f0bf

SHA256
ccedb26e783d3f30d13df5f601a41357d1962f9da6f610f4bd7bdab3dbeb7051

SHA512
73b8f2c17050fc3b527226a03c562eab256550d01031037200398e50d54bc5c1edf6ccb112fed01bb0e55dadd5dc2cf83c65990d5715b3f5e89e17f6349d54fb

Download Submit
\??\Volume{f0eec59f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{884e3747-659d-4514-b570-d0f4326233fe}_OnDiskSnapshotProp

Filesize
6KB

MD5
1d373976e7f510f01841df750aeab6fb

SHA1
bd6a6c68e2384e65f24eeaaa2e22adfaaf0cdd2b

SHA256
301ae00e3aa6f148318f71b2f07aaabad7b7013b03a5172d754a14b4c673245f

SHA512
f3003a0e957276a68b57f9fe2f5bd07dceff2eb505b1f66684b9aed941d30bd855d78cd24f67c0b9c5766c8926868c974e3486dbf0472ce06aff5caace68fb40

Download Submit
memory/1680-51-0x0000027D900E0000-0x0000027D900EA000-memory.dmp

Filesize
40KB

Download
memory/1680-82-0x0000027D91A30000-0x0000027D91A42000-memory.dmp

Filesize
72KB

Download
memory/1680-83-0x0000027DAA280000-0x0000027DAA2BC000-memory.dmp

Filesize
240KB

Download
memory/1680-87-0x0000027DAB480000-0x0000027DAB488000-memory.dmp

Filesize
32KB

Download
memory/1680-88-0x0000027DADF40000-0x0000027DADF78000-memory.dmp

Filesize
224KB

Download
memory/1680-89-0x0000027DABD30000-0x0000027DABD3E000-memory.dmp

Filesize
56KB

Download
memory/1680-95-0x0000027DAE800000-0x0000027DAE826000-memory.dmp

Filesize
152KB

Download
memory/1680-46-0x0000027D8FB40000-0x0000027D8FC42000-memory.dmp

Filesize
1.0MB

Download
memory/1680-66-0x0000027DAB3A0000-0x0000027DAB45A000-memory.dmp

Filesize
744KB

Download
memory/3036-47-0x0000000029FF0000-0x000000002A01F000-memory.dmp

Filesize
188KB

Download
memory/3560-117-0x0000000029FD0000-0x000000002A01D000-memory.dmp

Filesize
308KB

Download
memory/3560-118-0x000000002BF10000-0x000000002C0CC000-memory.dmp

Filesize
1.7MB

Download
memory/3560-120-0x000000002BF10000-0x000000002C0CC000-memory.dmp

Filesize
1.7MB

Download
memory/3560-121-0x000000002BF10000-0x000000002C0CC000-memory.dmp

Filesize
1.7MB

Download
memory/3560-122-0x000000002BF10000-0x000000002C0CC000-memory.dmp

Filesize
1.7MB

Download
memory/4176-67-0x0000000000220000-0x00000000002BE000-memory.dmp

Filesize
632KB

Download
memory/4932-22-0x0000028F7EF30000-0x0000028F7EF52000-memory.dmp

Filesize
136KB

Download