gh0strat | 35aa7b5eede048c5bc4c26f73b5bc9c62edc9167cc3f04bc0e967f8aeabd2b91

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

35aa7b5eede048c5bc4c26f73b5bc9c62edc9167cc3f04bc0e967f8aeabd2b91.msi
Size

37.5MB
MD5

0abc6b6ea4e322a248f31125ddb8911b
SHA1

26f0a5b6631e7ae1e324f8ce24eb967379f07416
SHA256

35aa7b5eede048c5bc4c26f73b5bc9c62edc9167cc3f04bc0e967f8aeabd2b91
SHA512

364314fa2a63d53537a60a322fee9879650e653085719c5c81149037fafb12dd3bbc0e019e4a22cd3400db1c9e9bfcf637749f7efbcfed8368771dbfcd42ebe9
SSDEEP

786432:TddVYfoDIf7i1q8WjTRThlXgxopO+9giU2yoLVhm+Zjh:TddVYf00pDfO+9DU2vLVVVh

Score

10^/10

gh0strat purplefox bootkit discovery execution persistence privilege_escalation rat rootkit trojan upx

Malware Config

Signatures

Detect PurpleFox Rootkit 4 IoCs

Detect PurpleFox Rootkit.

rootkit

resource	yara_rule
behavioral2/memory/1484-109-0x000000002BE00000-0x000000002BFBC000-memory.dmp	purplefox_rootkit
behavioral2/memory/1484-111-0x000000002BE00000-0x000000002BFBC000-memory.dmp	purplefox_rootkit
behavioral2/memory/1484-112-0x000000002BE00000-0x000000002BFBC000-memory.dmp	purplefox_rootkit
behavioral2/memory/1484-113-0x000000002BE00000-0x000000002BFBC000-memory.dmp	purplefox_rootkit

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral2/memory/1484-109-0x000000002BE00000-0x000000002BFBC000-memory.dmp	family_gh0strat
behavioral2/memory/1484-111-0x000000002BE00000-0x000000002BFBC000-memory.dmp	family_gh0strat
behavioral2/memory/1484-112-0x000000002BE00000-0x000000002BFBC000-memory.dmp	family_gh0strat
behavioral2/memory/1484-113-0x000000002BE00000-0x000000002BFBC000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat
Gh0strat family
gh0strat
PurpleFox
PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.
rootkit trojan purplefox
Purplefox family
purplefox

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4544	powershell.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	zKzEtPocmTOd.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	zKzEtPocmTOd.exe
File opened (read-only)	\??\O:	zKzEtPocmTOd.exe
File opened (read-only)	\??\U:	zKzEtPocmTOd.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	zKzEtPocmTOd.exe
File opened (read-only)	\??\Z:	zKzEtPocmTOd.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	zKzEtPocmTOd.exe
File opened (read-only)	\??\X:	zKzEtPocmTOd.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	zKzEtPocmTOd.exe
File opened (read-only)	\??\N:	zKzEtPocmTOd.exe
File opened (read-only)	\??\V:	zKzEtPocmTOd.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	zKzEtPocmTOd.exe
File opened (read-only)	\??\G:	zKzEtPocmTOd.exe
File opened (read-only)	\??\L:	zKzEtPocmTOd.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	zKzEtPocmTOd.exe
File opened (read-only)	\??\R:	zKzEtPocmTOd.exe
File opened (read-only)	\??\T:	zKzEtPocmTOd.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	zKzEtPocmTOd.exe
File opened (read-only)	\??\Y:	zKzEtPocmTOd.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	zKzEtPocmTOd.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	zKzEtPocmTOd.exe
File opened (read-only)	\??\Q:	zKzEtPocmTOd.exe
File opened (read-only)	\??\S:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	WPS1.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HJbqSVHgWRnX.exe.log	HJbqSVHgWRnX.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c99-45.dat	upx
behavioral2/memory/1768-48-0x00000000007C0000-0x0000000000D63000-memory.dmp	upx
behavioral2/memory/1768-102-0x00000000007C0000-0x0000000000D63000-memory.dmp	upx
behavioral2/memory/1768-115-0x00000000007C0000-0x0000000000D63000-memory.dmp	upx
behavioral2/memory/1768-119-0x00000000007C0000-0x0000000000D63000-memory.dmp	upx

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
File created	C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.vbs	zKzEtPocmTOd.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.wrapper.log	HJbqSVHgWRnX.exe
File created	C:\Program Files\PersonalizationInterpretBuild\ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe	msiexec.exe
File created	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.xml	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
File created	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.wrapper.log	HJbqSVHgWRnX.exe
File created	C:\Program Files\PersonalizationInterpretBuild\asktao_mini_1.77_360rg.exe	msiexec.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\oxYQFsIZTdfqniDYjuvGTUMaSlhGEc	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
File created	C:\Program Files\PersonalizationInterpretBuild\2_zKzEtPocmTOd.exe	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\2_zKzEtPocmTOd.exe	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
File created	C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe	MsiExec.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.xml	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
File created	C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
File created	C:\Program Files\PersonalizationInterpretBuild\oxYQFsIZTdfqniDYjuvGTUMaSlhGEc	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe	MsiExec.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild	zKzEtPocmTOd.exe
File opened for modification	C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.wrapper.log	HJbqSVHgWRnX.exe
File created	C:\Program Files\PersonalizationInterpretBuild\QaZWmfqGejWhUKQpUuRLOUYNCalvYw	msiexec.exe
File created	C:\Program Files\PersonalizationInterpretBuild\WPS1.exe	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57e0bd.msi	msiexec.exe
File created	C:\Windows\Installer\e57e0bb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e0bb.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{4832CEB7-C870-402D-8207-E04B8C354DAD}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE213.tmp	msiexec.exe

Executes dropped EXE 9 IoCs

pid	Process
2304	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
1212	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
4436	zKzEtPocmTOd.exe
1768	WPS1.exe
1736	HJbqSVHgWRnX.exe
2712	HJbqSVHgWRnX.exe
368	HJbqSVHgWRnX.exe
968	zKzEtPocmTOd.exe
1484	zKzEtPocmTOd.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3116	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zKzEtPocmTOd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WPS1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zKzEtPocmTOd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zKzEtPocmTOd.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000f914d34881601a250000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000f914d3480000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900f914d348000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1df914d348000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000f914d34800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	zKzEtPocmTOd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	zKzEtPocmTOd.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
700	taskkill.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\plugins\kdcsdk	WPS1.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office	WPS1.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD = "390938a6d2aef79d0478f9cd90aee95b"	WPS1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host	WScript.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Kingsoft	WPS1.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\kwpsonlinesetup\infoGUID = "{A8F5DCEE-ABAE-428D-ACA5-DE0AE08DFDCE}"	WPS1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\plugins	WPS1.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0	WPS1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHDt = "24"	WPS1.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\kingsoft\kwpsonlinesetup	WPS1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	WScript.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	WPS1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\plugins\kdcsdk\lastUpdateDeviceInfoDate = "2024/11/24"	WPS1.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe

Modifies registry class 22 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7BEC2384078CD20428700EB4C853D4DA	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\PackageCode = "0E44915F58A6BFA40AE77CF19B2A2304"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\SourceList\Media\1 = ";"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\20D98A37C2C80BF4888618064CC24A64	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\SourceList\PackageName = "35aa7b5eede048c5bc4c26f73b5bc9c62edc9167cc3f04bc0e967f8aeabd2b91.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\7BEC2384078CD20428700EB4C853D4DA\ProductFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\ProductName = "PersonalizationInterpretBuild"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\Version = "101187584"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\20D98A37C2C80BF4888618064CC24A64\7BEC2384078CD20428700EB4C853D4DA	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\7BEC2384078CD20428700EB4C853D4DA\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4612	msiexec.exe
4612	msiexec.exe
4544	powershell.exe
4544	powershell.exe
4544	powershell.exe
1768	WPS1.exe
1768	WPS1.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe
4436	zKzEtPocmTOd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3116	msiexec.exe
Token: SeSecurityPrivilege	4612	msiexec.exe
Token: SeCreateTokenPrivilege	3116	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3116	msiexec.exe
Token: SeLockMemoryPrivilege	3116	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3116	msiexec.exe
Token: SeMachineAccountPrivilege	3116	msiexec.exe
Token: SeTcbPrivilege	3116	msiexec.exe
Token: SeSecurityPrivilege	3116	msiexec.exe
Token: SeTakeOwnershipPrivilege	3116	msiexec.exe
Token: SeLoadDriverPrivilege	3116	msiexec.exe
Token: SeSystemProfilePrivilege	3116	msiexec.exe
Token: SeSystemtimePrivilege	3116	msiexec.exe
Token: SeProfSingleProcessPrivilege	3116	msiexec.exe
Token: SeIncBasePriorityPrivilege	3116	msiexec.exe
Token: SeCreatePagefilePrivilege	3116	msiexec.exe
Token: SeCreatePermanentPrivilege	3116	msiexec.exe
Token: SeBackupPrivilege	3116	msiexec.exe
Token: SeRestorePrivilege	3116	msiexec.exe
Token: SeShutdownPrivilege	3116	msiexec.exe
Token: SeDebugPrivilege	3116	msiexec.exe
Token: SeAuditPrivilege	3116	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3116	msiexec.exe
Token: SeChangeNotifyPrivilege	3116	msiexec.exe
Token: SeRemoteShutdownPrivilege	3116	msiexec.exe
Token: SeUndockPrivilege	3116	msiexec.exe
Token: SeSyncAgentPrivilege	3116	msiexec.exe
Token: SeEnableDelegationPrivilege	3116	msiexec.exe
Token: SeManageVolumePrivilege	3116	msiexec.exe
Token: SeImpersonatePrivilege	3116	msiexec.exe
Token: SeCreateGlobalPrivilege	3116	msiexec.exe
Token: SeBackupPrivilege	4548	vssvc.exe
Token: SeRestorePrivilege	4548	vssvc.exe
Token: SeAuditPrivilege	4548	vssvc.exe
Token: SeBackupPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeBackupPrivilege	1684	srtasks.exe
Token: SeRestorePrivilege	1684	srtasks.exe
Token: SeSecurityPrivilege	1684	srtasks.exe
Token: SeTakeOwnershipPrivilege	1684	srtasks.exe
Token: SeDebugPrivilege	4544	powershell.exe
Token: SeBackupPrivilege	1684	srtasks.exe
Token: SeRestorePrivilege	1684	srtasks.exe
Token: SeSecurityPrivilege	1684	srtasks.exe
Token: SeTakeOwnershipPrivilege	1684	srtasks.exe
Token: SeRestorePrivilege	2304	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
Token: 35	2304	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
Token: SeSecurityPrivilege	2304	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
Token: SeSecurityPrivilege	2304	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
Token: SeRestorePrivilege	1212	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
Token: 35	1212	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
Token: SeSecurityPrivilege	1212	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
Token: SeSecurityPrivilege	1212	ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeDebugPrivilege	700	taskkill.exe
Token: SeRestorePrivilege	4612	msiexec.exe
Token: SeTakeOwnershipPrivilege	4612	msiexec.exe
Token: SeRestorePrivilege	4612	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3116	msiexec.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4612 wrote to memory of 1684	4612	msiexec.exe	100
PID 4612 wrote to memory of 1684	4612	msiexec.exe	100
PID 4612 wrote to memory of 1916	4612	msiexec.exe	102
PID 4612 wrote to memory of 1916	4612	msiexec.exe	102
PID 1916 wrote to memory of 4544	1916	MsiExec.exe	103
PID 1916 wrote to memory of 4544	1916	MsiExec.exe	103
PID 1916 wrote to memory of 1768	1916	MsiExec.exe	110
PID 1916 wrote to memory of 1768	1916	MsiExec.exe	110
PID 1916 wrote to memory of 1768	1916	MsiExec.exe	110
PID 1916 wrote to memory of 700	1916	MsiExec.exe	112
PID 1916 wrote to memory of 700	1916	MsiExec.exe	112
PID 368 wrote to memory of 968	368	HJbqSVHgWRnX.exe	124
PID 368 wrote to memory of 968	368	HJbqSVHgWRnX.exe	124
PID 368 wrote to memory of 968	368	HJbqSVHgWRnX.exe	124
PID 968 wrote to memory of 1484	968	zKzEtPocmTOd.exe	126
PID 968 wrote to memory of 1484	968	zKzEtPocmTOd.exe	126
PID 968 wrote to memory of 1484	968	zKzEtPocmTOd.exe	126

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\35aa7b5eede048c5bc4c26f73b5bc9c62edc9167cc3f04bc0e967f8aeabd2b91.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3116

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4612
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding DE5EB750D764E02D031AC83B2B7DEB94 E Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:1916
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\PersonalizationInterpretBuild','C:\Program Files','C:\Program Files'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4544
- - C:\Program Files\PersonalizationInterpretBuild\WPS1.exe
    "C:\Program Files\PersonalizationInterpretBuild\WPS1.exe"
    3⤵
    - Writes to the Master Boot Record (MBR)
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    PID:1768
- - C:\Windows\System32\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4548

C:\Program Files\PersonalizationInterpretBuild\ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
"C:\Program Files\PersonalizationInterpretBuild\ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe" x "C:\Program Files\PersonalizationInterpretBuild\QaZWmfqGejWhUKQpUuRLOUYNCalvYw" -o"C:\Program Files\PersonalizationInterpretBuild\" -p"10622B;o}[SV|Z[m54bB" -y
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Program Files\PersonalizationInterpretBuild\ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe
"C:\Program Files\PersonalizationInterpretBuild\ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe" x "C:\Program Files\PersonalizationInterpretBuild\oxYQFsIZTdfqniDYjuvGTUMaSlhGEc" -x!"1_zKzEtPocmTOd.exe" -x!"sss" -x!"1_evudGJAAUuEQzpsWgsAOjfYIWkhhmp.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\PersonalizationInterpretBuild\" -p"88601f*mYxbaI3~k+)!U" -y
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe
"C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe" -nbg 123
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:4436

C:\Windows\System32\WScript.exe
C:\Windows\System32\WScript.exe "C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.vbs"
1⤵
- Modifies data under HKEY_USERS
PID:4316

C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe
"C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe" install
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
PID:1736

C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe
"C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe" start
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:2712

C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe
"C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe"
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:368
- C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe
  "C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe" -nbg 184
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe
    "C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.exe" -nbg 72 -chg ppo -me hhgff
    3⤵
    - Enumerates connected drives
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:1484

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57e0bc.rbs

Filesize
8KB

MD5
a04739b31bf3a968646375f5aec4c7a9

SHA1
bc198075751aef75ee775617ce88f4c144b6e0cc

SHA256
e51034741d3375458a85be8a48e5b2af6555e307b379044f644d153e0c2fe56d

SHA512
1cb765b4bbf18ab694de4446838911d66c0c658d5c00c1e2686501cc3d1d0818f7ce25a59e99bb5b6918e49050e3c2c18a82d68e63ebcd8e1cea1899fac37c23

Download Submit
C:\Program Files\PersonalizationInterpretBuild\2_zKzEtPocmTOd.exe

Filesize
3.9MB

MD5
10b0c2d503e18dbf51c067d54dd1267e

SHA1
2a0b1317961900c0b8666ae09152c31415f63b3a

SHA256
5bc819ea66774c21cdf699529a998b81779f5c6ebb9b82a3aafd2690d10165c2

SHA512
0d60717b7ef2194cee4fcc5e1f2f4f8e0d5a0d42a8cb6d5369b0c609ec12f598efb06611e77f97e92199f92f4303b161868dccf0a0cb307a670d503de6f729b2

Download Submit
C:\Program Files\PersonalizationInterpretBuild\ASRJUwRdiWVTtNPFIyuoIsPBWWOfSD.exe

Filesize
577KB

MD5
0fe04f5747f21419bc96e130b2068238

SHA1
558279fe10e5dc98419c3d7e138a569e7ca59011

SHA256
06654d17334fa342f62d42bd805c8bc6da8105612d9ff45c45b8f092a7c46e17

SHA512
a76fe81d96b1c4af92f4cee5ec567cee1393960bccf290963541e50df0b5286154878de577f7e383b5c0a75a4e134b71243e4e6154ab10ddda0d7a3a4c1a939b

Download Submit
C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.exe

Filesize
606KB

MD5
4e85cc36adc996c3ddd3a9825d4b7f73

SHA1
e5aa0e5db7d9fd27e2a0484f3fd6c322fc5ee97f

SHA256
7b36e127e1fa53e0c6462312777c5d004ea83bde67e6df32fb8920b6c001d664

SHA512
2d7b7c5eb54cf68a218fca7239c0e194af0b81796e621bc039edccea64b60a202670a47af207988467a8c25584cef96a6652f52d53464ce3cf01006c680f2980

Download Submit
C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.wrapper.log

Filesize
214B

MD5
599b1b7d1ff9187c175d7ebeb67cafac

SHA1
faff88476e3f8cf0b751724988a8082e32e4fa72

SHA256
9875c55333e1f04c04f2e76b28b8b2a396ae3ea7f1d9f5f6f7e6e0752402a568

SHA512
3af3971ee3ba4a105b91c430540a626fc79fa68fb41a32eab38f80193fdb7abd9e3a13ed51ffa516eaa7b63d4a938e6f89d8241442d5871a34bbd26a192fb603

Download Submit
C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.wrapper.log

Filesize
367B

MD5
090e609ecc7b8689ca612c9b74fd25b5

SHA1
d71050ec827a3ffc09f0af74de45a659530da79e

SHA256
cd80b1e0b2eb9dec2c7c33e60e138be69a8714fff429afe13e4fabacf01aaaf3

SHA512
372ab74b023d2ae21c445179e9fffe422727c4f7e800eb4f2e4cf0b33b4a6458d3b45ca2684e6c90d79987e7c0a27a5ac156e927a02ce4c2211de5bad286d0d4

Download Submit
C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.wrapper.log

Filesize
494B

MD5
35f564e18b7db002f0016dd9fdb587a5

SHA1
8f397e46712650f70674adb1ee27710101156c04

SHA256
da35791a1de238e3ce6b586a78271c729d4fdbfebaa17c511e268550dbd77f00

SHA512
bd96892f173214499ace18c8f7223420b3e0c2a38de39b2aa171049161b2defb5721cbea75a34ba0af445a1b0cfed443bd308d076f3f287481fb2c11f44d190f

Download Submit
C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.wrapper.log

Filesize
609B

MD5
2eab3c6b9eb966b201cafcc248f5e59c

SHA1
a6b91547fcfbec0a49d9570efc3c47e50e8137fa

SHA256
9c132c7d23650b295949a35241ce045180d6546dc51916d8699cdc742c9c82a4

SHA512
968cc1a54149740f3a3d4d259cb8bad323cb165c661fb60bfda06c233c2154211ee34365b9ba086f7d7098af37164c8f74c383b83fb94ce6bb36362877a6435c

Download Submit
C:\Program Files\PersonalizationInterpretBuild\HJbqSVHgWRnX.xml

Filesize
418B

MD5
cb78a46a022668002cd9949645521591

SHA1
ecb47d6cac4718d70ff62bf8c9c27e4064f55f96

SHA256
b6541e451634cf3827bc1f90c379778e6f0420164cc38562b117647baf569131

SHA512
736ad189a8b1e99c5faa5d4f5eaab26b9dbc5683f5a78bbf64753c89c5b5e5119cc26fccd5898c983b773db46da98ba3339d1c86f2dd28d7744c4862e5ebab56

Download Submit
C:\Program Files\PersonalizationInterpretBuild\QaZWmfqGejWhUKQpUuRLOUYNCalvYw

Filesize
2.0MB

MD5
d0b84606fb3c8992e9809c59c67d9b55

SHA1
d6e1d515849c7a0cb7a720b8fa3c04e0eb258634

SHA256
123e17069df2e1609449e4866213fb55d5e1e190f5519a5ab57aa58e1acd57be

SHA512
938f9c6be0bd2eade1784fd0772a742d71ec6f1b0b55df3e6844cab3823dfe79d25953b4dffc02ff2136f047c7a8bae43f709c0ba42ad04748902d9840d9e02e

Download Submit
C:\Program Files\PersonalizationInterpretBuild\WPS1.exe

Filesize
2.9MB

MD5
b52ba2b99108c496389ae5bb81fa6537

SHA1
9073d8c4a1968be24357862015519f2afecd833a

SHA256
c6ac7d9add40b913112b265d4f366d9ef80bbd711049db085fc750fcad4e14d8

SHA512
6637506ee80d359e729e0011b97e8d827e14356393193247f502b7fcfbbca249dc045b8acfe4b31ce462468f421dc5d9a4e31183bedb66c45a9aa43c01f81397

Download Submit
C:\Program Files\PersonalizationInterpretBuild\asktao_mini_1.77_360rg.exe

Filesize
33.4MB

MD5
20dd50eb0410ad3306914bf541ff277c

SHA1
4b1722a4545625f7c596d556f17c647b30e3b1e4

SHA256
bf74b4a95cd815afdfca7e52973063248ace2703a4c7d9d37b87462962f0dd9f

SHA512
d54a4f5427bd2480da37ad4e8e5ebea56c882a1179487064f1060092ea1135c55421daa8d8c36d4268f98a3e7fdf27b9258404bc4bae184bafaf317b4c7c4ac3

Download Submit
C:\Program Files\PersonalizationInterpretBuild\oxYQFsIZTdfqniDYjuvGTUMaSlhGEc

Filesize
2.0MB

MD5
0bde9a66ca45b4dc1d3a2d7a7b600393

SHA1
3f263970fcdc2f5a0f6db058defb0dc9dbaeaad4

SHA256
a588a4b29e7d7d3ca051e9045abc8ad99bb136abdf1a0fb711c03645a16e56fc

SHA512
ae5e0388cc1c28ebb21e1a53573777d357a40c653365e19c73dedcd878c04321baf3977f85ae665560da651ef08ba1ed28a12b6020a48aa960b5eca5f7b492bf

Download Submit
C:\Program Files\PersonalizationInterpretBuild\zKzEtPocmTOd.vbs

Filesize
2KB

MD5
519103da059ae0348f3b566f02689088

SHA1
9867ecb75fc0d981532bd4e1d5a2f7568d4b6e1d

SHA256
bb157a1ecb2bde63bcb191bc556fba60c805a8f9481d2e27170a35ee308de143

SHA512
ac6c1d9bffa72857f463bd98fec58b7b26a457e7664e7dbed16130f5724be7afd120ee8e1bc815fb8192f79c56e578228ec4ee99e2808569e2ec2e8ec1c1be2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ygsi1rkc.uam.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Installer\e57e0bb.msi

Filesize
37.5MB

MD5
0abc6b6ea4e322a248f31125ddb8911b

SHA1
26f0a5b6631e7ae1e324f8ce24eb967379f07416

SHA256
35aa7b5eede048c5bc4c26f73b5bc9c62edc9167cc3f04bc0e967f8aeabd2b91

SHA512
364314fa2a63d53537a60a322fee9879650e653085719c5c81149037fafb12dd3bbc0e019e4a22cd3400db1c9e9bfcf637749f7efbcfed8368771dbfcd42ebe9

Download Submit
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\HJbqSVHgWRnX.exe.log

Filesize
1KB

MD5
2da44f7c2b3721a44a3760ab180ca05e

SHA1
ce3325e28e5911967b403fee03f6cbf6b1b303af

SHA256
7253a1555ca5787509e338a9b09e6bd99f9db0ac6102baf21ca632ca8f8380d4

SHA512
78d1cf7ea933c0d61426604c5010dde5d3111dcb1a0de2f1bb218b2bc654685de6830245e1a20efcb20b6cd16f0df862b75aa98b2ac467b3e6a66dfffe6ae1ee

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
27703b036122b579d35775fab369d4b9

SHA1
121394151e06365f5ca8e20a37bcbbdb2101a82c

SHA256
b646f4c792bcbcf78a827522cf7d408920750179fc391331d3ee29b5459f0e5a

SHA512
244f3b9faca8ee8f67dfbbcb20e9559edd759c441566649dd841a9d76efb5e5455a238f5be0544038512732d2d7e5ac05542c9babe53aed137293c6bc3bac18e

Download Submit
\??\Volume{48d314f9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bb9f2605-19a9-49ed-8468-e36a766ff3a9}_OnDiskSnapshotProp

Filesize
6KB

MD5
7287d95b88cadc531335196178b67053

SHA1
f6228e2a60fd3757cfa2898234dd5184c4f4849e

SHA256
6096e6995affcf520fc8c5b44cc2a735e27c80d2c86187c26b4d22ce149251e8

SHA512
384417f15364dc29e4032f8dfb3be06292d78d1e502392737e24a768ee3a6438e3555b7cb67cff7b43ef743303ecf6d04eff21cc16b39fc19fed5ca3f3ea4dcf

Download Submit
memory/1484-109-0x000000002BE00000-0x000000002BFBC000-memory.dmp

Filesize
1.7MB

Download
memory/1484-100-0x0000000029E90000-0x0000000029EDD000-memory.dmp

Filesize
308KB

Download
memory/1484-111-0x000000002BE00000-0x000000002BFBC000-memory.dmp

Filesize
1.7MB

Download
memory/1484-112-0x000000002BE00000-0x000000002BFBC000-memory.dmp

Filesize
1.7MB

Download
memory/1484-113-0x000000002BE00000-0x000000002BFBC000-memory.dmp

Filesize
1.7MB

Download
memory/1736-72-0x0000000000310000-0x00000000003AE000-memory.dmp

Filesize
632KB

Download
memory/1768-102-0x00000000007C0000-0x0000000000D63000-memory.dmp

Filesize
5.6MB

Download
memory/1768-48-0x00000000007C0000-0x0000000000D63000-memory.dmp

Filesize
5.6MB

Download
memory/1768-115-0x00000000007C0000-0x0000000000D63000-memory.dmp

Filesize
5.6MB

Download
memory/1768-119-0x00000000007C0000-0x0000000000D63000-memory.dmp

Filesize
5.6MB

Download
memory/4436-66-0x000000002A5C0000-0x000000002A5EF000-memory.dmp

Filesize
188KB

Download
memory/4544-21-0x0000025C2E7D0000-0x0000025C2E7F2000-memory.dmp

Filesize
136KB

Download