gh0strat | 35aa7b5eede048c5bc4c26f73b5bc9c62edc9167cc3f04bc0e967f8aeabd2b91

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 11:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35aa7b5eede048c5bc4c26f73b5bc9c62edc9167cc3f04bc0e967f8aeabd2b91.msi
Size

37.5MB
MD5

0abc6b6ea4e322a248f31125ddb8911b
SHA1

26f0a5b6631e7ae1e324f8ce24eb967379f07416
SHA256

35aa7b5eede048c5bc4c26f73b5bc9c62edc9167cc3f04bc0e967f8aeabd2b91
SHA512

364314fa2a63d53537a60a322fee9879650e653085719c5c81149037fafb12dd3bbc0e019e4a22cd3400db1c9e9bfcf637749f7efbcfed8368771dbfcd42ebe9
SSDEEP

786432:TddVYfoDIf7i1q8WjTRThlXgxopO+9giU2yoLVhm+Zjh:TddVYf00pDfO+9DU2vLVVVh

Score

10^/10

gh0strat purplefox bootkit discovery execution persistence privilege_escalation rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 4 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/2560-108-0x000000002C8F0000-0x000000002CAAC000-memory.dmp	purplefox_rootkit
behavioral2/memory/2560-110-0x000000002C8F0000-0x000000002CAAC000-memory.dmp	purplefox_rootkit
behavioral2/memory/2560-111-0x000000002C8F0000-0x000000002CAAC000-memory.dmp	purplefox_rootkit
behavioral2/memory/2560-112-0x000000002C8F0000-0x000000002CAAC000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/2560-108-0x000000002C8F0000-0x000000002CAAC000-memory.dmp	family_gh0strat
behavioral2/memory/2560-110-0x000000002C8F0000-0x000000002CAAC000-memory.dmp	family_gh0strat
behavioral2/memory/2560-111-0x000000002C8F0000-0x000000002CAAC000-memory.dmp	family_gh0strat
behavioral2/memory/2560-112-0x000000002C8F0000-0x000000002CAAC000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1588	powershell.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	zKzEtPocmTOd.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\M:	zKzEtPocmTOd.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	zKzEtPocmTOd.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	zKzEtPocmTOd.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	zKzEtPocmTOd.exe
File opened (read-only)	\??\S:	zKzEtPocmTOd.exe
File opened (read-only)	\??\Y:	zKzEtPocmTOd.exe
File opened (read-only)	\??\Z:	zKzEtPocmTOd.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	zKzEtPocmTOd.exe
File opened (read-only)	\??\T:	zKzEtPocmTOd.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	zKzEtPocmTOd.exe
File opened (read-only)	\??\O:	zKzEtPocmTOd.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	zKzEtPocmTOd.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	zKzEtPocmTOd.exe
File opened (read-only)	\??\R:	zKzEtPocmTOd.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	zKzEtPocmTOd.exe
File opened (read-only)	\??\X:	zKzEtPocmTOd.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	zKzEtPocmTOd.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	zKzEtPocmTOd.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	zKzEtPocmTOd.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	WPS1.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HJbqSVHgWRnX.exe.log	HJbqSVHgWRnX.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023cc9-45.dat	upx
behavioral2/memory/3824-49-0x0000000000140000-0x00000000006E3000-memory.dmp	upx
behavioral2/memory/3824-84-0x0000000000140000-0x00000000006E3000-memory.dmp	upx
behavioral2/memory/3824-114-0x0000000000140000-0x00000000006E3000-memory.dmp	upx
behavioral2/memory/3824-118-0x0000000000140000-0x00000000006E3000-memory.dmp	upx

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
File created	C:\Program Files\PersonalizationInterpretBuild\2_zKzEtPocmTOd.exe	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
File created	C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe	MsiExec.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe	MsiExec.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.wrapper.log	HJbqSVHgWRnX.exe
File created	C:\Program Files\PersonalizationInterpretBuild\asktao_mini_1.77_360rg.exe	msiexec.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.xml	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
File created	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild	zKzEtPocmTOd.exe
File created	C:\Program Files\PersonalizationInterpretBuild\QaZWmfqGejWhUKQpUuRLOUYNCalvYw	msiexec.exe
File created	C:\Program Files\PersonalizationInterpretBuild\WPS1.exe	msiexec.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\2_zKzEtPocmTOd.exe	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.wrapper.log	HJbqSVHgWRnX.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.wrapper.log	HJbqSVHgWRnX.exe
File created	C:\Program Files\PersonalizationInterpretBuild\ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe	msiexec.exe
File created	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.xml	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
File created	C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.vbs	zKzEtPocmTOd.exe
File created	C:\Program Files\PersonalizationInterpretBuild\oxYQFsIZTdfqniDYjuvGTUMaSlhGEc	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\oxYQFsIZTdfqniDYjuvGTUMaSlhGEc	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{4832CEB7-C870-402D-8207-E04B8C354DAD}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFF5F.tmp	msiexec.exe
File created	C:\Windows\Installer\e57fdcb.msi	msiexec.exe
File created	C:\Windows\Installer\e57fdc9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57fdc9.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Executes dropped EXE 9 IoCs

pid	Process
4400	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
2276	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
3516	zKzEtPocmTOd.exe
3824	WPS1.exe
1976	HJbqSVHgWRnX.exe
3584	HJbqSVHgWRnX.exe
4880	HJbqSVHgWRnX.exe
2916	zKzEtPocmTOd.exe
2560	zKzEtPocmTOd.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
2632	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WPS1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zKzEtPocmTOd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zKzEtPocmTOd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zKzEtPocmTOd.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f59c2d6185d8bf0c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f59c2d610000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f59c2d61000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df59c2d61000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f59c2d6100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	zKzEtPocmTOd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zKzEtPocmTOd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
1420	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\kingsoft\kwpsonlinesetup	WPS1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common	WPS1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office	WPS1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\plugins\kdcsdk\lastUpdateDeviceInfoDate = "2024/11/24"	WPS1.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Kingsoft	WPS1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0	WPS1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\plugins	WPS1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD = "390938a6d2aef79d0478f9cd90aee95b"	WPS1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	WPS1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHDt = "24"	WPS1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\plugins\kdcsdk	WPS1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\Version = "101187584"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\20D98A37C2C80BF4888618064CC24A64	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7BEC2384078CD20428700EB4C853D4DA\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\PackageCode = "0E44915F58A6BFA40AE77CF19B2A2304"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\20D98A37C2C80BF4888618064CC24A64\7BEC2384078CD20428700EB4C853D4DA	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\ProductName = "PersonalizationInterpretBuild"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\SourceList\PackageName = "35aa7b5eede048c5bc4c26f73b5bc9c62edc9167cc3f04bc0e967f8aeabd2b91.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\SourceList\Media	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7BEC2384078CD20428700EB4C853D4DA	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1448	msiexec.exe
1448	msiexec.exe
1588	powershell.exe
1588	powershell.exe
1588	powershell.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3824	WPS1.exe
3824	WPS1.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe
3516	zKzEtPocmTOd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2632	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2632	msiexec.exe
Token: SeSecurityPrivilege	1448	msiexec.exe
Token: SeCreateTokenPrivilege	2632	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2632	msiexec.exe
Token: SeLockMemoryPrivilege	2632	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2632	msiexec.exe
Token: SeMachineAccountPrivilege	2632	msiexec.exe
Token: SeTcbPrivilege	2632	msiexec.exe
Token: SeSecurityPrivilege	2632	msiexec.exe
Token: SeTakeOwnershipPrivilege	2632	msiexec.exe
Token: SeLoadDriverPrivilege	2632	msiexec.exe
Token: SeSystemProfilePrivilege	2632	msiexec.exe
Token: SeSystemtimePrivilege	2632	msiexec.exe
Token: SeProfSingleProcessPrivilege	2632	msiexec.exe
Token: SeIncBasePriorityPrivilege	2632	msiexec.exe
Token: SeCreatePagefilePrivilege	2632	msiexec.exe
Token: SeCreatePermanentPrivilege	2632	msiexec.exe
Token: SeBackupPrivilege	2632	msiexec.exe
Token: SeRestorePrivilege	2632	msiexec.exe
Token: SeShutdownPrivilege	2632	msiexec.exe
Token: SeDebugPrivilege	2632	msiexec.exe
Token: SeAuditPrivilege	2632	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2632	msiexec.exe
Token: SeChangeNotifyPrivilege	2632	msiexec.exe
Token: SeRemoteShutdownPrivilege	2632	msiexec.exe
Token: SeUndockPrivilege	2632	msiexec.exe
Token: SeSyncAgentPrivilege	2632	msiexec.exe
Token: SeEnableDelegationPrivilege	2632	msiexec.exe
Token: SeManageVolumePrivilege	2632	msiexec.exe
Token: SeImpersonatePrivilege	2632	msiexec.exe
Token: SeCreateGlobalPrivilege	2632	msiexec.exe
Token: SeBackupPrivilege	4516	vssvc.exe
Token: SeRestorePrivilege	4516	vssvc.exe
Token: SeAuditPrivilege	4516	vssvc.exe
Token: SeBackupPrivilege	1448	msiexec.exe
Token: SeRestorePrivilege	1448	msiexec.exe
Token: SeRestorePrivilege	1448	msiexec.exe
Token: SeTakeOwnershipPrivilege	1448	msiexec.exe
Token: SeRestorePrivilege	1448	msiexec.exe
Token: SeTakeOwnershipPrivilege	1448	msiexec.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeBackupPrivilege	1592	srtasks.exe
Token: SeRestorePrivilege	1592	srtasks.exe
Token: SeSecurityPrivilege	1592	srtasks.exe
Token: SeTakeOwnershipPrivilege	1592	srtasks.exe
Token: SeBackupPrivilege	1592	srtasks.exe
Token: SeRestorePrivilege	1592	srtasks.exe
Token: SeSecurityPrivilege	1592	srtasks.exe
Token: SeTakeOwnershipPrivilege	1592	srtasks.exe
Token: SeRestorePrivilege	4400	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
Token: 35	4400	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
Token: SeSecurityPrivilege	4400	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
Token: SeSecurityPrivilege	4400	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
Token: SeRestorePrivilege	2276	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
Token: 35	2276	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
Token: SeSecurityPrivilege	2276	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
Token: SeSecurityPrivilege	2276	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
Token: SeRestorePrivilege	1448	msiexec.exe
Token: SeTakeOwnershipPrivilege	1448	msiexec.exe
Token: SeRestorePrivilege	1448	msiexec.exe
Token: SeTakeOwnershipPrivilege	1448	msiexec.exe
Token: SeRestorePrivilege	1448	msiexec.exe
Token: SeTakeOwnershipPrivilege	1448	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2632	msiexec.exe
2632	msiexec.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 1592	1448	msiexec.exe	101
PID 1448 wrote to memory of 1592	1448	msiexec.exe	101
PID 1448 wrote to memory of 3204	1448	msiexec.exe	104
PID 1448 wrote to memory of 3204	1448	msiexec.exe	104
PID 3204 wrote to memory of 1588	3204	MsiExec.exe	105
PID 3204 wrote to memory of 1588	3204	MsiExec.exe	105
PID 3204 wrote to memory of 3824	3204	MsiExec.exe	112
PID 3204 wrote to memory of 3824	3204	MsiExec.exe	112
PID 3204 wrote to memory of 3824	3204	MsiExec.exe	112
PID 3204 wrote to memory of 1420	3204	MsiExec.exe	113
PID 3204 wrote to memory of 1420	3204	MsiExec.exe	113
PID 4880 wrote to memory of 2916	4880	HJbqSVHgWRnX.exe	126
PID 4880 wrote to memory of 2916	4880	HJbqSVHgWRnX.exe	126
PID 4880 wrote to memory of 2916	4880	HJbqSVHgWRnX.exe	126
PID 2916 wrote to memory of 2560	2916	zKzEtPocmTOd.exe	128
PID 2916 wrote to memory of 2560	2916	zKzEtPocmTOd.exe	128
PID 2916 wrote to memory of 2560	2916	zKzEtPocmTOd.exe	128

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\35aa7b5eede048c5bc4c26f73b5bc9c62edc9167cc3f04bc0e967f8aeabd2b91.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2632

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 320745B22054ADC5B26616F5211558C3 E Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\PersonalizationInterpretBuild','C:\Program Files','C:\Program Files'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1588
- - C:\Program Files\PersonalizationInterpretBuild\WPS1.exe
    "C:\Program Files\PersonalizationInterpretBuild\WPS1.exe"
    3⤵
    - Writes to the Master Boot Record (MBR)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:3824
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe
    3⤵
    - Kills process with taskkill
    PID:1420

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4516

C:\Program Files\PersonalizationInterpretBuild\ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
"C:\Program Files\PersonalizationInterpretBuild\ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe" x "C:\Program Files\PersonalizationInterpretBuild\QaZWmfqGejWhUKQpUuRLOUYNCalvYw" -o"C:\Program Files\PersonalizationInterpretBuild\" -p"10622B;o}[SV|Z[m54bB" -y
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4400

C:\Program Files\PersonalizationInterpretBuild\ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
"C:\Program Files\PersonalizationInterpretBuild\ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe" x "C:\Program Files\PersonalizationInterpretBuild\oxYQFsIZTdfqniDYjuvGTUMaSlhGEc" -x!"1_zKzEtPocmTOd.exe" -x!"sss" -x!"1_evudGJAAUuEQzpsWgsAOjfYIWkhhmp.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\PersonalizationInterpretBuild\" -p"88601f*mYxbaI3~k+)!U" -y
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe
"C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe" -nbg 123
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:3516

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.vbs"
1⤵
- Modifies data under HKEY_USERS
PID:2628

C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe
"C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe" install
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
PID:1976

C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe
"C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe" start
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:3584

C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe
"C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe
  "C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe" -nbg 184
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe
    "C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe" -nbg 72 -chg ppo -me hhgff
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:2560

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:3644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57fdca.rbs

Filesize
8KB

MD5
44a6950e878d54e174a1af9054591921

SHA1
edb3cb5f1c06b8650a6603501c0d37eabf146368

SHA256
28e0903cc0209dfe6803b30bb6cddc12ed61627cc5feb3d3c7cd3441ff3b7302

SHA512
cd88b7d9678c81ab99ee9c7ba62c64e1d586e598bb72e86c6ee9b72ae92d51f739bef1b05ab2ae1fcc9f7f4480a8e3d5c1252de7f3e6f88ca3ad67e3056fa5fb

Download Submit
C:\Program Files\PersonalizationInterpretBuild\2_zKzEtPocmTOd.exe

Filesize
3.9MB

MD5
10b0c2d503e18dbf51c067d54dd1267e

SHA1
2a0b1317961900c0b8666ae09152c31415f63b3a

SHA256
5bc819ea66774c21cdf699529a998b81779f5c6ebb9b82a3aafd2690d10165c2

SHA512
0d60717b7ef2194cee4fcc5e1f2f4f8e0d5a0d42a8cb6d5369b0c609ec12f598efb06611e77f97e92199f92f4303b161868dccf0a0cb307a670d503de6f729b2

Download Submit
C:\Program Files\PersonalizationInterpretBuild\ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe

Filesize
577KB

MD5
0fe04f5747f21419bc96e130b2068238

SHA1
558279fe10e5dc98419c3d7e138a569e7ca59011

SHA256
06654d17334fa342f62d42bd805c8bc6da8105612d9ff45c45b8f092a7c46e17

SHA512
a76fe81d96b1c4af92f4cee5ec567cee1393960bccf290963541e50df0b5286154878de577f7e383b5c0a75a4e134b71243e4e6154ab10ddda0d7a3a4c1a939b

Download Submit
C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe

Filesize
606KB

MD5
4e85cc36adc996c3ddd3a9825d4b7f73

SHA1
e5aa0e5db7d9fd27e2a0484f3fd6c322fc5ee97f

SHA256
7b36e127e1fa53e0c6462312777c5d004ea83bde67e6df32fb8920b6c001d664

SHA512
2d7b7c5eb54cf68a218fca7239c0e194af0b81796e621bc039edccea64b60a202670a47af207988467a8c25584cef96a6652f52d53464ce3cf01006c680f2980

Download Submit
C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.wrapper.log

Filesize
214B

MD5
8d73cc71683573bc0c94b51534474c07

SHA1
de1746d5e2569a25449802f558ed8ab4444b8363

SHA256
ea6a209035eb27322b336690b71fe3c6a1c5a5420f1e59d9d8b6b287202af7bc

SHA512
579cf7aeb2e847e4a10358eb6491c96b74916d03b683145b4cd6207048b870b26eb4bf12dacb26ad8ae30d58b8ff989166305698990e0a96ce5e3a27feb7a1d8

Download Submit
C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.wrapper.log

Filesize
367B

MD5
2e0e1ee6f4a896731dac8ee1c1c6fa8e

SHA1
a93705727da2bcefbf8e3b19a2ac8c8d5539f1d1

SHA256
cd26ff4609bbf3e5feeed31e3ab8d0fad8f05c67ec915fd15c8eecf6090d2e4f

SHA512
3c39e9cb549df261cb30db25faa6efade3f2178c906a86fb76af517645c538769ae0df05979f3ec56a6ea963cb98ac84559fdf58d820c65c544eadd39e2c02ca

Download Submit
C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.wrapper.log

Filesize
494B

MD5
3ddff52936948a0a28fd7a4e8bed4c23

SHA1
ccee7c59e58382bda9c8153dd87b69daa06024a4

SHA256
d7a6649f1838c38733f3b342b2fb2b241cd0675765728fbad7709a4f6d57571a

SHA512
69dcba6b7dd673ee5e04fdf94dee60b0986dee5a4023ab37632d25c37a7092ea029f8ecd61d80c60fff579e8192c1e61ee34741c7cdda0c58b96a1037f36b647

Download Submit
C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.wrapper.log

Filesize
609B

MD5
e196f44ab6326d251956564e4b46a2c7

SHA1
90e56858a1e887bfd9f88b0697e254d069f891a4

SHA256
cbd28696ec875da1d92cf660bb904b25a456e6680ddbdc03b42fbfa4d0ea4a6f

SHA512
f85858d72605d9ef16de54ca41eef3a383995b3abcee79df4719696b3dfb6dbc5f4b272b662b06759b76e526aef9e3ef191e016b2ceb23eaf4668a9b8a92efcd

Download Submit
C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.xml

Filesize
418B

MD5
cb78a46a022668002cd9949645521591

SHA1
ecb47d6cac4718d70ff62bf8c9c27e4064f55f96

SHA256
b6541e451634cf3827bc1f90c379778e6f0420164cc38562b117647baf569131

SHA512
736ad189a8b1e99c5faa5d4f5eaab26b9dbc5683f5a78bbf64753c89c5b5e5119cc26fccd5898c983b773db46da98ba3339d1c86f2dd28d7744c4862e5ebab56

Download Submit
C:\Program Files\PersonalizationInterpretBuild\QaZWmfqGejWhUKQpUuRLOUYNCalvYw

Filesize
2.0MB

MD5
d0b84606fb3c8992e9809c59c67d9b55

SHA1
d6e1d515849c7a0cb7a720b8fa3c04e0eb258634

SHA256
123e17069df2e1609449e4866213fb55d5e1e190f5519a5ab57aa58e1acd57be

SHA512
938f9c6be0bd2eade1784fd0772a742d71ec6f1b0b55df3e6844cab3823dfe79d25953b4dffc02ff2136f047c7a8bae43f709c0ba42ad04748902d9840d9e02e

Download Submit
C:\Program Files\PersonalizationInterpretBuild\WPS1.exe

Filesize
2.9MB

MD5
b52ba2b99108c496389ae5bb81fa6537

SHA1
9073d8c4a1968be24357862015519f2afecd833a

SHA256
c6ac7d9add40b913112b265d4f366d9ef80bbd711049db085fc750fcad4e14d8

SHA512
6637506ee80d359e729e0011b97e8d827e14356393193247f502b7fcfbbca249dc045b8acfe4b31ce462468f421dc5d9a4e31183bedb66c45a9aa43c01f81397

Download Submit
C:\Program Files\PersonalizationInterpretBuild\asktao_mini_1.77_360rg.exe

Filesize
33.4MB

MD5
20dd50eb0410ad3306914bf541ff277c

SHA1
4b1722a4545625f7c596d556f17c647b30e3b1e4

SHA256
bf74b4a95cd815afdfca7e52973063248ace2703a4c7d9d37b87462962f0dd9f

SHA512
d54a4f5427bd2480da37ad4e8e5ebea56c882a1179487064f1060092ea1135c55421daa8d8c36d4268f98a3e7fdf27b9258404bc4bae184bafaf317b4c7c4ac3

Download Submit
C:\Program Files\PersonalizationInterpretBuild\oxYQFsIZTdfqniDYjuvGTUMaSlhGEc

Filesize
2.0MB

MD5
0bde9a66ca45b4dc1d3a2d7a7b600393

SHA1
3f263970fcdc2f5a0f6db058defb0dc9dbaeaad4

SHA256
a588a4b29e7d7d3ca051e9045abc8ad99bb136abdf1a0fb711c03645a16e56fc

SHA512
ae5e0388cc1c28ebb21e1a53573777d357a40c653365e19c73dedcd878c04321baf3977f85ae665560da651ef08ba1ed28a12b6020a48aa960b5eca5f7b492bf

Download Submit
C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.vbs

Filesize
2KB

MD5
519103da059ae0348f3b566f02689088

SHA1
9867ecb75fc0d981532bd4e1d5a2f7568d4b6e1d

SHA256
bb157a1ecb2bde63bcb191bc556fba60c805a8f9481d2e27170a35ee308de143

SHA512
ac6c1d9bffa72857f463bd98fec58b7b26a457e7664e7dbed16130f5724be7afd120ee8e1bc815fb8192f79c56e578228ec4ee99e2808569e2ec2e8ec1c1be2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eaujcioi.ysv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Installer\e57fdc9.msi

Filesize
37.5MB

MD5
0abc6b6ea4e322a248f31125ddb8911b

SHA1
26f0a5b6631e7ae1e324f8ce24eb967379f07416

SHA256
35aa7b5eede048c5bc4c26f73b5bc9c62edc9167cc3f04bc0e967f8aeabd2b91

SHA512
364314fa2a63d53537a60a322fee9879650e653085719c5c81149037fafb12dd3bbc0e019e4a22cd3400db1c9e9bfcf637749f7efbcfed8368771dbfcd42ebe9

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HJbqSVHgWRnX.exe.log

Filesize
1KB

MD5
2da44f7c2b3721a44a3760ab180ca05e

SHA1
ce3325e28e5911967b403fee03f6cbf6b1b303af

SHA256
7253a1555ca5787509e338a9b09e6bd99f9db0ac6102baf21ca632ca8f8380d4

SHA512
78d1cf7ea933c0d61426604c5010dde5d3111dcb1a0de2f1bb218b2bc654685de6830245e1a20efcb20b6cd16f0df862b75aa98b2ac467b3e6a66dfffe6ae1ee

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
f2f268e292c99274935c911d6c050cb6

SHA1
c6810b8a82c6c3623909299e5f176c28ed417415

SHA256
61285565bbe5a885c7dc5beb9edee5903f1854befc77afb90f4e6571b8bc3999

SHA512
96b270e8a63e1a90c8621a35bd3402c252566a3443e59c1e808559acf65846f3dd3a7a2d7bc80ed21a0b0e6d3e264a3dc071f6e4197d3afd0803002ad5ca8681

Download Submit
\??\Volume{612d9cf5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0c366d1d-0f12-4973-b17f-5929a16eff22}_OnDiskSnapshotProp

Filesize
6KB

MD5
15e53bd426d784afa6392d69ee9324b5

SHA1
2487bd7174c00fd5185640dfd0890d27d46d3b09

SHA256
cd2b3e966f925b66e65d10112aeccc3a3e0338a95bd7ca6fd7f10ac846caf344

SHA512
2e2ec9c808faefb577c559a0efc55cb4ae731246d3e507804d35fe8e1ce869c42980e9fff69f7675fcb2623038b3a26426f20d055bf7650639eb429e5a70926b

Download Submit
memory/1588-22-0x00000194DDF10000-0x00000194DDF32000-memory.dmp

Filesize
136KB

Download
memory/1976-72-0x00000000001A0000-0x000000000023E000-memory.dmp

Filesize
632KB

Download
memory/2560-110-0x000000002C8F0000-0x000000002CAAC000-memory.dmp

Filesize
1.7MB

Download
memory/2560-112-0x000000002C8F0000-0x000000002CAAC000-memory.dmp

Filesize
1.7MB

Download
memory/2560-111-0x000000002C8F0000-0x000000002CAAC000-memory.dmp

Filesize
1.7MB

Download
memory/2560-101-0x000000002A980000-0x000000002A9CD000-memory.dmp

Filesize
308KB

Download
memory/2560-108-0x000000002C8F0000-0x000000002CAAC000-memory.dmp

Filesize
1.7MB

Download
memory/3516-47-0x000000002A6D0000-0x000000002A6FF000-memory.dmp

Filesize
188KB

Download
memory/3824-49-0x0000000000140000-0x00000000006E3000-memory.dmp

Filesize
5.6MB

Download
memory/3824-84-0x0000000000140000-0x00000000006E3000-memory.dmp

Filesize
5.6MB

Download
memory/3824-114-0x0000000000140000-0x00000000006E3000-memory.dmp

Filesize
5.6MB

Download
memory/3824-118-0x0000000000140000-0x00000000006E3000-memory.dmp

Filesize
5.6MB

Download