Malware Analysis Report

2025-03-15 03:51

Sample ID: 230806-gw5fwagb79
Target: Whatsapp.msi
SHA256: b360f349017399408e0680d71b9c3e774a89ae19259a8396e697fccb18867960
Tags: fatalrat infostealer persistence rat
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral3
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: b360f349017399408e0680d71b9c3e774a89ae19259a8396e697fccb18867960

Threat Level: Known bad

The file Whatsapp.msi was found to be: Known bad.

Malicious Activity Summary

fatalrat infostealer persistence rat

FatalRat

Fatal Rat payload

Downloads MZ/PE file

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Enumerates connected drives

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-08-06 06:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-08-06 06:10
Reported: 2023-08-06 06:19
Platform: win7-20230712-en
Max time kernel: 383s
Max time network: 520s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Whatsapp.msi

Signatures

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target Count
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A 12
N/A N/A C:\Windows\system32\msiexec.exe N/A 2
N/A N/A N/A N/A 7
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A 2
N/A N/A C:\Users\Public\jF\u9.exe N/A 4
N/A N/A C:\Users\Admin\Documents\robot\elf.exe N/A 1
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A 2
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A 8
N/A N/A N/A N/A 8
(Identical consecutive rows are collapsed; Count gives the number of events the sandbox recorded for each row.)

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2712 set thread context of 1048 N/A C:\Users\Public\jF\u9.exe C:\Users\Public\Documents\t\spolsvt.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\keytar\build\Release\keytar.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\en-US.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ro.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\hu.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\lt.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\sw.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\electron-panel-window\bin\win32-x64-87\electron-panel-window.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\wavoip\bin\win32-x64-87\wavoip.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\wavoip\build\Release\binding.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\ffmpeg.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\ql-win32\bin\win32-x64-87\ql-win32.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\libGLESv2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ru.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\wavoip\build\Release\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\windows-focus-assist\bin\win32-x64-87\windows-focus-assist.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\windows-quiet-hours\build\Release\quiethours.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\en-GB.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\pt-BR.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\fr.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\sv.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\vi.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\electron-panel-window\build\Release\NativeExtension.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\WhatsApp.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\icudtl.dat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\fi.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\lv.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\ql-win32\build\Release\binding.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\SquirrelSetup.log C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\cs.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\el.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\es-419.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\kn.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ko.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\sk.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\sr.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\node-shared-mem\build\Release\node_shared_mem.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\am.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\de.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ja.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\nl.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\te.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\zh-TW.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\Update.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\chrome_100_percent.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\fa.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\uk.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\windows-notification-state\build\Release\notificationstate.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\squirrel.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\packages\.betaId C:\Program Files (x86)\WhatsApp\WhatsApp plus\Update.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\fil.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\hr.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\windows-notification-state\bin\win32-x64-87\windows-notification-state.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\windows-quiet-hours\bin\win32-x64-87\windows-quiet-hours.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ta.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\tr.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\zh-CN.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\wavoip\build\Release\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\snapshot_blob.bin C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f772433.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI25D8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2906.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI2C51.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f772434.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f772433.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI27CD.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f772434.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f772436.msi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\PackageCode = "11FE28F678602204588BDDDE05E5B591" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\whatsapp\shell\open\command C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\ProductName = "WhatsApp plus" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\Language = "2052" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB6F8A2A053124E4D835B0A95DA361FB C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\whatsapp\shell\open\command\ = "\"C:\\Program Files (x86)\\WhatsApp\\WhatsApp plus\\app-2.2310.5\\WhatsApp.exe\" \"%1\"" C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\jF C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\Version = "16777216" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\whatsapp\shell\open C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\whatsapp C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\whatsapp\URL Protocol C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB6F8A2A053124E4D835B0A95DA361FB\E57BE8F87C7DA2B4BB4DC34C9FC8A77A C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\whatsapp\ = "URL:whatsapp" C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000_CLASSES\whatsapp\shell C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E57BE8F87C7DA2B4BB4DC34C9FC8A77A C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList\PackageName = "Whatsapp.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Windows\system32\msiexec.exe N/A 2
N/A N/A C:\Users\Public\jF\u9.exe N/A 1
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A 51
N/A N/A C:\Users\Public\jF\u9.exe N/A 1
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A 2
(Identical consecutive rows are collapsed; Count gives the number of events the sandbox recorded for each row.)

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeAssignPrimaryTokenPrivilege, SeAuditPrivilege, SeBackupPrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeCreateTokenPrivilege, SeDebugPrivilege, SeEnableDelegationPrivilege, SeImpersonatePrivilege, SeIncBasePriorityPrivilege, SeIncreaseQuotaPrivilege, SeLoadDriverPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeManageVolumePrivilege, SeProfSingleProcessPrivilege, SeRemoteShutdownPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeShutdownPrivilege, SeSyncAgentPrivilege, SeSystemEnvironmentPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeTakeOwnershipPrivilege, SeTcbPrivilege, SeUndockPrivilege (29 distinct privileges across 64 rows; the full set is enabled more than once) N/A C:\Windows\system32\msiexec.exe N/A

The process named here is the Microsoft msiexec.exe in system32 (both the /I client and the /V Windows Installer service appear in the Processes list), and enabling this broad set, including SeBackupPrivilege, SeRestorePrivilege and SeTakeOwnershipPrivilege, is routine for Windows Installer. On its own the hit says nothing about the dropped payload; what matters is what the installer's custom action goes on to launch.

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A (3 identical rows)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Public\jF\u9.exe N/A (2 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2816 wrote to memory of 2952 (7 rows) N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2816 wrote to memory of 1844 (7 rows) N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2952 wrote to memory of 2712 (4 rows) N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\jF\u9.exe
PID 2712 wrote to memory of 1048 (9 rows) N/A C:\Users\Public\jF\u9.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 2712 wrote to memory of 1940 (4 rows) N/A C:\Users\Public\jF\u9.exe C:\Users\Admin\Documents\robot\elf.exe
PID 2712 wrote to memory of 1340 (4 rows) N/A C:\Users\Public\jF\u9.exe C:\Windows\SysWOW64\cmd.exe
PID 776 wrote to memory of 1652 (16 rows) N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe
PID 776 wrote to memory of 1792 (3 rows) N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe
PID 776 wrote to memory of 2876 (7 rows) N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe C:\Program Files (x86)\WhatsApp\WhatsApp plus\Update.exe
PID 1964 wrote to memory of 2200 (3 rows) N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

Every writer/target pair above is a process and a child it launches (msiexec.exe and its MsiExec -Embedding custom-action servers, u9.exe and the three processes it starts, WhatsApp.exe and its Electron helper and updater processes), so these hits reflect process creation rather than writes into an unrelated process. The chain worth keeping is MsiExec.exe (PID 2952) -> u9.exe (2712) -> spolsvt.exe (1048), elf.exe (1940) and cmd.exe (1340).

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Whatsapp.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 858EDFA8A45389A0D0A72776ADD96EC7 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004D8" "0000000000000570"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E9D0680E17C47D4DDFABD081695149E1

C:\Users\Public\jF\u9.exe

"C:\Users\Public\jF\u9.exe"

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Admin\Documents\robot\elf.exe

"C:\Users\Admin\Documents\robot\elf.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del u9.exe

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe"

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe"

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe" --type=gpu-process --field-trial-handle=1004,3763216262313950458,2363110754839493677,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1012 /prefetch:2

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\WhatsApp /prefetch:7 --no-rate-limit --no-upload-gzip --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\WhatsApp\Crashpad --url=https://crashlogs.whatsapp.net/wa_clb_data?access_token=1063127757113399%7C745146ffa34413f9dbb5469f5370b7af --annotation=_productName=WhatsApp --annotation=_version=2.2310.5 --annotation=prod=Electron --annotation=ver=12.2.3 --initial-client-data=0x544,0x548,0x54c,0x540,0x550,0x146e02bc0,0x146e02bd0,0x146e02be0

C:\Program Files (x86)\WhatsApp\WhatsApp plus\Update.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\Update.exe" --checkForUpdate https://web.whatsapp.com/desktop/windows/release/x64?version=2.2310.5

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe" --type=gpu-process --field-trial-handle=1008,16566391158058968780,4939981510239907378,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1016 /prefetch:2
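The Processes list gives command lines without PIDs and the WriteProcessMemory table gives PIDs without command lines; read together they tell the story of this MSI. msiexec.exe /I is the installer client and /V the Windows Installer service; vssvc.exe and the DrvInst.exe call for STORAGE\VolumeSnapshot belong to the volume snapshot the install takes for its restore point; a MsiExec -Embedding custom-action server launches C:\Users\Public\jF\u9.exe, which starts spolsvt.exe and elf.exe from user-writable directories and then removes itself with cmd.exe /c del u9.exe; meanwhile the installed WhatsApp.exe (Electron 12.2.3, version 2.2310.5) runs its normal GPU, crashpad and Update.exe children, so the victim gets the client the installer promised. The script below is an added example, not part of the report or of any sandbox's tooling: it rebuilds that tree from the writer/target PIDs and flags the links an analyst would triage first. The PID-to-command-line mapping in CMDLINES is an assumption made for the example, because the report does not tie the two together.

```python
"""Rebuild the process tree from the report's 'PID X wrote to memory of Y' rows and
flag the links an analyst triaging this MSI would look at first.
Added example; not code from the report or from any sandbox."""
import ntpath
from collections import defaultdict

WA = r"C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe"
UPD = r"C:\Program Files (x86)\WhatsApp\WhatsApp plus\Update.exe"

# (parent_pid, child_pid, parent_image, child_image), transcribed from the report's
# WriteProcessMemory table with repeated rows collapsed.
EDGES = [
    (2816, 2952, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\syswow64\MsiExec.exe"),
    (2816, 1844, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\syswow64\MsiExec.exe"),
    (2952, 2712, r"C:\Windows\syswow64\MsiExec.exe", r"C:\Users\Public\jF\u9.exe"),
    (2712, 1048, r"C:\Users\Public\jF\u9.exe", r"C:\Users\Public\Documents\t\spolsvt.exe"),
    (2712, 1940, r"C:\Users\Public\jF\u9.exe", r"C:\Users\Admin\Documents\robot\elf.exe"),
    (2712, 1340, r"C:\Users\Public\jF\u9.exe", r"C:\Windows\SysWOW64\cmd.exe"),
    (776, 1652, WA, WA),
    (776, 1792, WA, WA),
    (776, 2876, WA, UPD),
    (1964, 2200, WA, WA),
]

# The Processes list carries no PIDs; tying these command lines to PIDs is an
# assumption made for this example (cmd.exe occurs once, so its mapping is unambiguous).
CMDLINES = {
    2816: r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Whatsapp.msi",
    2712: r'"C:\Users\Public\jF\u9.exe"',
    1340: "cmd.exe /c del u9.exe",
}


def user_writable(path):
    """True for paths under the Users directory (profiles and Public), which a
    standard user can write to; anything under Program Files is excluded."""
    p = path.lower()
    return p.startswith(r"c:\users") and r"\program files" not in p


def build_tree(edges):
    """Return (children, parent_of, image) maps built from the writer/target pairs."""
    children, parent_of, image = defaultdict(list), {}, {}
    for ppid, cpid, pimg, cimg in edges:
        image[ppid], image[cpid] = pimg, cimg
        parent_of[cpid] = ppid
        if cpid not in children[ppid]:
            children[ppid].append(cpid)
    return children, parent_of, image


def ancestors(pid, parent_of):
    """PIDs from the immediate parent up to the root of the tree."""
    chain = []
    while pid in parent_of:
        pid = parent_of[pid]
        chain.append(pid)
    return chain


def findings(edges, cmdlines):
    """Map PID -> reasons this process deserves attention, in the order checked."""
    children, parent_of, image = build_tree(edges)
    out = defaultdict(list)
    for pid, img in image.items():
        name = ntpath.basename(img).lower()
        parent = parent_of.get(pid)
        pname = ntpath.basename(image[parent]).lower() if parent is not None else ""
        # An installer process (MsiExec -Embedding custom-action server) launching a
        # binary from a user-writable directory is the classic dropper hand-off.
        if pname == "msiexec.exe" and user_writable(img):
            out[pid].append("launched by Windows Installer from a user-writable path")
        # A dropped binary that spawns further binaries from user-writable paths.
        if user_writable(img) and any(user_writable(image[c]) for c in children.get(pid, [])):
            out[pid].append("drops and runs further user-writable executables")
        # cmd.exe deleting the parent's own file name: self-deletion after staging.
        for c in children.get(pid, []):
            cl = cmdlines.get(c, "").lower()
            if ntpath.basename(image[c]).lower() == "cmd.exe" and "del" in cl and name in cl:
                out[pid].append("self-deletion via cmd.exe /c del")
    return dict(out)


def render(edges):
    """Indented text tree, roots in PID order, for a ticket or notebook."""
    children, parent_of, image = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {ntpath.basename(image[pid])}")
        for c in children.get(pid, []):
            walk(c, depth + 1)

    for root in sorted(p for p in image if p not in parent_of):
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(EDGES))
    for pid, reasons in sorted(findings(EDGES, CMDLINES).items()):
        print(pid, "->", "; ".join(reasons))
```

Run as-is it prints the three trees (the installer, and two WhatsApp.exe launches) and a single flagged process, u9.exe (PID 2712), with all three reasons; the WhatsApp.exe subtree stays clean because nothing there runs from a user-writable path. The same three checks transfer directly to EDR process-creation telemetry, where parent and child command lines are both available and the PID mapping is no longer an assumption.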

Network

Country Destination Domain Proto
US 8.8.8.8:53 jf.wccabc.com udp
HK 43.249.29.99:3927 jf.wccabc.com tcp
US 8.8.8.8:53 xfer.10jqka.com.cn udp
CN 175.6.25.37:80 xfer.10jqka.com.cn tcp
N/A 127.0.0.1:58155 tcp
CN 175.6.25.36:80 xfer.10jqka.com.cn tcp
US 8.8.8.8:53 huanpy.oss-cn-hongkong.aliyuncs.com udp
HK 47.75.19.161:443 huanpy.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 web.whatsapp.com udp
IE 31.13.73.52:443 web.whatsapp.com tcp
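The report does not say which process opened which connection, so the Network table needs a pass that joins names to flows and separates what the bundled WhatsApp client explains (Update.exe is launched with --checkForUpdate https://web.whatsapp.com/... and the crashpad handler reports to crashlogs.whatsapp.net) from what it does not. The session to 43.249.29.99:3927 under jf.wccabc.com is the only flow on a non-web port and the natural candidate for the RAT's control channel; the port-80 and port-443 flows to xfer.10jqka.com.cn and the huanpy Alibaba OSS bucket are not attributed by the report and need the pcap before they are labelled. The script below is an added example, not part of the report: it parses the table as printed, labels each TCP flow, and emits the indicators that remain after expected and loopback traffic is removed. The label wording, the expected-domain suffixes and the web-port set are choices made for the example.

```python
"""Turn the report's Network table into a triage list: pair each DNS lookup with the
TCP flows that used the same name, separate traffic the bundled WhatsApp client
explains from traffic it does not, and emit indicators a blocklist or SIEM search
can take. Added example; not part of the original report."""
import re

# The ten rows of the Network table, copied from the report.
NETWORK_TABLE = """\
US 8.8.8.8:53 jf.wccabc.com udp
HK 43.249.29.99:3927 jf.wccabc.com tcp
US 8.8.8.8:53 xfer.10jqka.com.cn udp
CN 175.6.25.37:80 xfer.10jqka.com.cn tcp
N/A 127.0.0.1:58155 tcp
CN 175.6.25.36:80 xfer.10jqka.com.cn tcp
US 8.8.8.8:53 huanpy.oss-cn-hongkong.aliyuncs.com udp
HK 47.75.19.161:443 huanpy.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 web.whatsapp.com udp
IE 31.13.73.52:443 web.whatsapp.com tcp
"""

# Names the report itself accounts for: Update.exe's --checkForUpdate URL and the
# crashpad --url both point at WhatsApp's own infrastructure. (Chosen for this example.)
EXPECTED_SUFFIXES = (".whatsapp.com", ".whatsapp.net")
WEB_PORTS = {80, 443}

# "Country Destination Domain Proto"; the Domain column is empty for the loopback row.
ROW = re.compile(r"^(?P<cc>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)"
                 r"(?: (?P<domain>[A-Za-z0-9.-]+))? (?P<proto>udp|tcp)$")


def parse_rows(text):
    """Parse the table into dicts; raise on a row that does not fit the layout."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = ROW.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        d = m.groupdict()
        d["port"] = int(d["port"])
        rows.append(d)
    return rows


def classify(row):
    """Label one TCP flow from the table."""
    if row["ip"].startswith("127."):
        return "loopback"
    dom = row["domain"] or ""
    if dom.endswith(EXPECTED_SUFFIXES):
        return "expected: bundled WhatsApp client"
    if row["port"] not in WEB_PORTS:
        return "candidate C2: non-web port"
    if not dom:
        return "review: direct-to-IP, no DNS name"
    return "review: web port, not attributed by the report"


def triage(text):
    """[(domain, 'ip:port', country, label)] for every TCP flow, in table order."""
    out = []
    for r in parse_rows(text):
        if r["proto"] != "tcp":
            continue
        out.append((r["domain"] or "-", f'{r["ip"]}:{r["port"]}', r["cc"], classify(r)))
    return out


def unanswered_lookups(text):
    """Names queried over DNS that never produced a TCP flow (failed or sinkholed C2)."""
    rows = parse_rows(text)
    queried = {r["domain"] for r in rows if r["proto"] == "udp" and r["port"] == 53}
    connected = {r["domain"] for r in rows if r["proto"] == "tcp" and r["domain"]}
    return sorted(queried - connected)


def indicators(text):
    """Domains and ip:port pairs left after loopback and expected traffic are removed."""
    iocs = set()
    for dom, dest, _cc, label in triage(text):
        if label == "loopback" or label.startswith("expected"):
            continue
        iocs.add(dest)
        if dom != "-":
            iocs.add(dom)
    return sorted(iocs)


if __name__ == "__main__":
    for dom, dest, cc, label in triage(NETWORK_TABLE):
        print(f"{label:45} {dest:22} {cc:3} {dom}")
    print("unanswered lookups:", unanswered_lookups(NETWORK_TABLE))
    print("indicators:", indicators(NETWORK_TABLE))
```

The output lists one candidate C2 flow, three flows marked for review, the loopback connection and the expected WhatsApp traffic, and seven indicators (three domains and four ip:port pairs). Every name looked up here was also connected to, so unanswered_lookups() is empty for this sample; it is the check that surfaces a dead or sinkholed C2 name on other runs.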

Files

C:\Users\Admin\AppData\Local\Temp\MSI9859.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSI9859.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI99C1.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSI99C1.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI9A3F.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI9A3F.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSI9A3F.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI9BF4.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSI9BF4.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI9CA1.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSI9CA1.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI9D1F.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSI9D1F.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSID417.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSID417.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSID4B4.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSID4B4.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSID4B4.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSID58F.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSID58F.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSI25D8.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Windows\Installer\MSI25D8.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSI27CD.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Windows\Installer\MSI27CD.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSI2906.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Windows\Installer\MSI2906.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

MD5 1157e62b77b905f01f99388fea1c933a
SHA1 bb8b87655f2e634bb90a964f00690b9aa9f044bf
SHA256 288dce85890e7c5350886b082eb20e3b19159906c3431e6e81a54c95cf722760
SHA512 bd1fe6961d03ea5bfaa1fc0bd9962ecc7c97d5bbd9644b07f6378e7648b582f71a63c56f82a635aebee5b3a9b3b8159ef6021d1bf348bb3d7e9ecb5def43b1bf

\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

MD5 1157e62b77b905f01f99388fea1c933a
SHA1 bb8b87655f2e634bb90a964f00690b9aa9f044bf
SHA256 288dce85890e7c5350886b082eb20e3b19159906c3431e6e81a54c95cf722760
SHA512 bd1fe6961d03ea5bfaa1fc0bd9962ecc7c97d5bbd9644b07f6378e7648b582f71a63c56f82a635aebee5b3a9b3b8159ef6021d1bf348bb3d7e9ecb5def43b1bf

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

MD5 1157e62b77b905f01f99388fea1c933a
SHA1 bb8b87655f2e634bb90a964f00690b9aa9f044bf
SHA256 288dce85890e7c5350886b082eb20e3b19159906c3431e6e81a54c95cf722760
SHA512 bd1fe6961d03ea5bfaa1fc0bd9962ecc7c97d5bbd9644b07f6378e7648b582f71a63c56f82a635aebee5b3a9b3b8159ef6021d1bf348bb3d7e9ecb5def43b1bf

\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

MD5 1157e62b77b905f01f99388fea1c933a
SHA1 bb8b87655f2e634bb90a964f00690b9aa9f044bf
SHA256 288dce85890e7c5350886b082eb20e3b19159906c3431e6e81a54c95cf722760
SHA512 bd1fe6961d03ea5bfaa1fc0bd9962ecc7c97d5bbd9644b07f6378e7648b582f71a63c56f82a635aebee5b3a9b3b8159ef6021d1bf348bb3d7e9ecb5def43b1bf

\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

MD5 1157e62b77b905f01f99388fea1c933a
SHA1 bb8b87655f2e634bb90a964f00690b9aa9f044bf
SHA256 288dce85890e7c5350886b082eb20e3b19159906c3431e6e81a54c95cf722760
SHA512 bd1fe6961d03ea5bfaa1fc0bd9962ecc7c97d5bbd9644b07f6378e7648b582f71a63c56f82a635aebee5b3a9b3b8159ef6021d1bf348bb3d7e9ecb5def43b1bf

\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

MD5 1157e62b77b905f01f99388fea1c933a
SHA1 bb8b87655f2e634bb90a964f00690b9aa9f044bf
SHA256 288dce85890e7c5350886b082eb20e3b19159906c3431e6e81a54c95cf722760
SHA512 bd1fe6961d03ea5bfaa1fc0bd9962ecc7c97d5bbd9644b07f6378e7648b582f71a63c56f82a635aebee5b3a9b3b8159ef6021d1bf348bb3d7e9ecb5def43b1bf

\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

MD5 1157e62b77b905f01f99388fea1c933a
SHA1 bb8b87655f2e634bb90a964f00690b9aa9f044bf
SHA256 288dce85890e7c5350886b082eb20e3b19159906c3431e6e81a54c95cf722760
SHA512 bd1fe6961d03ea5bfaa1fc0bd9962ecc7c97d5bbd9644b07f6378e7648b582f71a63c56f82a635aebee5b3a9b3b8159ef6021d1bf348bb3d7e9ecb5def43b1bf

C:\Config.Msi\f772435.rbs

MD5 8925014b36940a906fa4d73c51f6890e
SHA1 2cef53cfe8a3f0694e37ce3bb59e78c568e8c771
SHA256 0bf648812420462e355ac423b620c97f32dc5db8105ce7b08dea8431fa9bd47b
SHA512 de5d6b62f025883afcaa60c298696168742f88481518b09a326ae30adc6e646717ad98bad0499ba9072c01daed12aa7b9e36527848b71e359d53cf64c92b58f3

\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

MD5 1157e62b77b905f01f99388fea1c933a
SHA1 bb8b87655f2e634bb90a964f00690b9aa9f044bf
SHA256 288dce85890e7c5350886b082eb20e3b19159906c3431e6e81a54c95cf722760
SHA512 bd1fe6961d03ea5bfaa1fc0bd9962ecc7c97d5bbd9644b07f6378e7648b582f71a63c56f82a635aebee5b3a9b3b8159ef6021d1bf348bb3d7e9ecb5def43b1bf

\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

MD5 1157e62b77b905f01f99388fea1c933a
SHA1 bb8b87655f2e634bb90a964f00690b9aa9f044bf
SHA256 288dce85890e7c5350886b082eb20e3b19159906c3431e6e81a54c95cf722760
SHA512 bd1fe6961d03ea5bfaa1fc0bd9962ecc7c97d5bbd9644b07f6378e7648b582f71a63c56f82a635aebee5b3a9b3b8159ef6021d1bf348bb3d7e9ecb5def43b1bf

\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

MD5 1157e62b77b905f01f99388fea1c933a
SHA1 bb8b87655f2e634bb90a964f00690b9aa9f044bf
SHA256 288dce85890e7c5350886b082eb20e3b19159906c3431e6e81a54c95cf722760
SHA512 bd1fe6961d03ea5bfaa1fc0bd9962ecc7c97d5bbd9644b07f6378e7648b582f71a63c56f82a635aebee5b3a9b3b8159ef6021d1bf348bb3d7e9ecb5def43b1bf

\Users\Admin\AppData\Local\Temp\MSI6E66.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI6E66.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\f772433.msi

MD5 efa5dbed98ee67aaad29dcb32a333ef4
SHA1 cdd185b6c158052fb7d888d0ba2ec0a164843f6f
SHA256 b360f349017399408e0680d71b9c3e774a89ae19259a8396e697fccb18867960
SHA512 9b4fd7bdf60489ad2b6fdd9863a035a7395f6ca462be190083295faff90c365468e3207b5acc1cc95a71f060b8185e53514a8e5c2c7deceec064895814ded0a4

memory/2952-242-0x00000000028C0000-0x0000000002D3A000-memory.dmp

C:\Users\Public\jF\u9.exe

MD5 92bd14c4a22b2aed0fe832f2b1174af0
SHA1 f08d2d2e6a6ffc92a7133d0ceaf01963cfaebe86
SHA256 7107606074d34bfb3d9a659b21bf84e55692b810b8e7d60c677b86b6477fdd7a
SHA512 bbc16c3595cf20a6aec3811975d8ae4121220f4549456dca9a4cc03e0d13131139736fa669d0dd941052f0cee25cf7d6d251e5cc61e34a22e712b19751c68b6a

memory/2712-8945-0x0000000002430000-0x0000000002531000-memory.dmp

\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

\Users\Public\jF\UnRAR.dll

MD5 c5587655293f83c72f0c88c74660dd10
SHA1 675d7cac72e4caebebd7c2a88403d138b69acd89
SHA256 a647aec65edb9736ad9bbc60a99779d18438b783b3a7045533de97ba4134f4fe
SHA512 6b275764ba29dd5d2f789107de1b98095f42fe4929b725b5599136a6a626e32432fcb223ce1cf89050874102f0d24e6911c170e4d50a023dab4604c383380fd1

\Users\Admin\Documents\robot\elf.exe

MD5 33922d12e5bb8f40ecddf816124ae93d
SHA1 28244217fa205f12cf40278e97a3a01e6d7366a3
SHA256 255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158
SHA512 1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973

C:\Users\Admin\Documents\robot\LoggerCollector.dll

MD5 47fe0ab041a9c28fe838eb1b11556e33
SHA1 b7128f679230730cf477f3c081235de118c98960
SHA256 29fc393b56fcfa4a242c7bc5177b0861072f35c7c8be2546115e0f34d059e2bf
SHA512 7191170e244dac3b176bf89c67511b5938751471d84f73c58c3ff7fef3e6e1e70c3af5d3143cf3b66be461152b80845231fc6a3fafc31328193d47edd2961a40

C:\Users\Admin\Documents\robot\skin\mainres.xml

MD5 47fb824e5df4deb39e5b5342e833d8e4
SHA1 3196520d4dabefd5b4eb6c689210d5ce459476da
SHA256 04fb5ba3130fb6cb99ce5d5ffa11a8df2d2c02fcb9dd3517d691bf97e0369289
SHA512 fb64455995630400f73a4725e365e44c8d77dd1ccb534c2ba8a0ff50cf42c9b838abe7bf63e98596bc40466a3c7eafda29d7981564684772afd3cba136e6bb42

C:\Users\Admin\Documents\robot\switch.json

MD5 20ffcb92aa8762faf93f2d2c4fc9a476
SHA1 72f47bbe9b3c347271f0446760e8fa8b77390503
SHA256 d53db9eec154122a186e908536ed4995b11a99534f4d08972ed38fb2b83c3b48
SHA512 a4482b957c45d67a62d01c840d36b4276ec7fa9f9a97726e7f0a7c956c35bda7e709d741ebbfa955205752ef24cd173a1022df69666219da6d745ee461d23aba

memory/2712-9059-0x0000000000400000-0x000000000087A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSIB5B3.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIC483.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\ffmpeg.dll

MD5 5963feb848d7dc57541c041bc6f7539e
SHA1 fc2d66b84a003192b9ce2536c7bd2351eddfcd47
SHA256 1817f50f1bc77c512149d6be845a420eac4be4c2f3233ade61f61d77f8f87dbd
SHA512 0948b13487cc949a1d37e98f7605110c8b581d94a2ee8d16cdab1ea159d82e8b7dd636025246b95d3d7f9f33a0ce7ff8a9e262756badfc8e8a3f5a6dc09de38a

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\v8_context_snapshot.bin

MD5 b64c1fc7d75234994012c86dc5af10a6
SHA1 d0d562b5735d28381d59d0d86078ff6b493a678e
SHA256 31c3aa5645b5487bf484fd910379003786523f3063e946ef9b50d257d0ee5790
SHA512 6218fcb74ef715030a2dd718c87b32f41e976dd4ce459c54a45341ee0f5ca5c927ad507d3afcffe7298b989e969885ed7fb72030ea59387609e8bd5c4b8eb60a

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\icudtl.dat

MD5 70499b58dc18e7ee1d7452a1d7a8bc6e
SHA1 41c5382f08c6a88670ce73a20c0dcdb3822f19e9
SHA256 02db39ba465fc8b7a4cd280732760f29911edde87b331bf7cea7677e94d483e0
SHA512 a80939e9809bb7d20f00ad685c94d5c182fa729616c975e605abf09afb58376be73a49fefa35b75ed1a284eccf208af7656c8df44c5959df7eaf51367d232dc6

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar

MD5 8adfcf5e1c94cb641af975373fc2a013
SHA1 a68b1d6c064395a3b2bc60bd94972f3806c76c4a
SHA256 64d2951477c43e59944f7b169de2d22fdcd342d4d75b9d582d789d0330d62add
SHA512 eb41113e5aab37a72a248fd5943fe256a26bfb19f14fa00f781287096defc5b10d9e0f8665fad6068ed3f565c1623e71afbe380180369c4fe36d117971c4cd09

C:\Program Files (x86)\WhatsApp\WhatsApp plus\update.exe

MD5 94bf0cf7fb285fa7e336ec30e3994e22
SHA1 8475fbbe356791d40fc873ef3cc9f554ee15a49b
SHA256 62ebeaf33b43417b99ea8e918b41c8c9a0d6acc53d47dd450de99f8ddbb9fa11
SHA512 8b71326289a3228e127a87b66a1002ee54ef5cdd3d9beedd26ec02dff70ec689f326dd652f1c8b377d78a58a0ca027ac7fcecbd8be70b686d1201b549a398726

\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\keytar\build\Release\keytar.node

MD5 b7ab76624efc7219962eacbfdf231b41
SHA1 f7ff359cd7aa0d39d26687cc7014dedd2738ad53
SHA256 56c3f149c7811c81f6129896d2f06c6052d7bd85c20c4c26f65539db2c33fba1
SHA512 472851b0ad5f8f11e7143bb7ceeb5cde58c6613a3be7fb3f356c6eae2a90fe0972c50bbf6ce511e9b57a9242aa7a8fb727b024a20fa4e803bd3772a2cd71945a

C:\Users\Admin\AppData\Local\Temp\Cab6BDD.tmp

MD5 3ac860860707baaf32469fa7cc7c0192
SHA1 c33c2acdaba0e6fa41fd2f00f186804722477639
SHA256 d015145d551ecd14916270efad773bbc9fd57fad2228d2c24559f696c961d904
SHA512 d62ad2408c969a95550fb87efda50f988770ba5e39972041bf85924275baf156b8bec309ecc6409e5acdd37ec175dea40eff921ab58933b5b5b5d35a6147567c

C:\Users\Admin\AppData\Local\Temp\Tar6D37.tmp

MD5 4ff65ad929cd9a367680e0e5b1c08166
SHA1 c0af0d4396bd1f15c45f39d3b849ba444233b3a2
SHA256 c8733c93cc5aaf5ca206d06af22ee8dbdec764fb5085019a6a9181feb9dfdee6
SHA512 f530dc0d024a5a3b8903ffaaa41b608a5ccdd6da4ba1949f2c2e55a9fca475fec5c8d2119b5763cabe7ef1c3788fb9dcac621869db51d65b1d83cfe404fb4c27

memory/2876-9200-0x00000000733B0000-0x0000000073A9E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-06 06:10

Reported

2023-08-06 06:19

Platform

win10-20230703-en

Max time kernel

515s

Max time network

517s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Whatsapp.msi

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Public\jF\u9.exe N/A
N/A N/A C:\Users\Admin\Documents\robot\elf.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000\Software\Microsoft\Windows\CurrentVersion\Run\hxrobot = "C:\\Users\\Admin\\Documents\\robot\\elf.exe" C:\Users\Admin\Documents\robot\elf.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2948 set thread context of 3628 N/A C:\Users\Public\jF\u9.exe C:\Users\Public\Documents\t\spolsvt.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\it.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ro.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\uk.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\ql-win32\bin\win32-x64-87\ql-win32.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\chrome_100_percent.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\el.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\hu.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\squirrel.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\SquirrelSetup.log C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\wavoip\build\Release\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\windows-quiet-hours\bin\win32-x64-87\windows-quiet-hours.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\vulkan-1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\am.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\en-GB.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ru.pak C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\WhatsApp\WhatsApp plus\SquirrelSetup.log C:\Program Files (x86)\WhatsApp\WhatsApp plus\Update.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\zh-CN.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\packages\.betaId C:\Program Files (x86)\WhatsApp\WhatsApp plus\Update.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ta.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\th.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\tr.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\he.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\nl.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\node-shared-mem\bin\win32-x64-87\node-shared-mem.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\de.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\en-US.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\es-419.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\windows-quiet-hours\build\Release\quiethours.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\SquirrelSetup.log C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\gu.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\nb.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\pl.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\pt-BR.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\sv.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\chrome_200_percent.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\bg.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\fil.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\zh-TW.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\electron-panel-window\bin\win32-x64-87\electron-panel-window.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\vk_swiftshader.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\libEGL.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ja.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\sk.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\snapshot_blob.bin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ca.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\lt.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\id.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\mr.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\node-quarantine\bin\win32-x64-87\node-quarantine.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\wavoip\build\Release\binding.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\wavoip\build\Release\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\es.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\et.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\fa.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\ffmpeg.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ar.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\node-quarantine\build\Release\binding.node C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIC5FE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58c272.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58c270.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e58c270.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC494.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{8F8EB75E-D7C7-4B2A-BBD4-3CC4F98C7AA7} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICDDE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC38A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC551.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache C:\Windows\system32\svchost.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E57BE8F87C7DA2B4BB4DC34C9FC8A77A C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\jF C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList\PackageName = "Whatsapp.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\ProductName = "WhatsApp plus" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\whatsapp C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\whatsapp\shell\open\command\ = "\"C:\\Program Files (x86)\\WhatsApp\\WhatsApp plus\\app-2.2310.5\\WhatsApp.exe\" \"%1\"" C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\PackageCode = "11FE28F678602204588BDDDE05E5B591" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB6F8A2A053124E4D835B0A95DA361FB C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\whatsapp\URL Protocol C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\whatsapp\ = "URL:whatsapp" C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\Language = "2052" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\whatsapp\shell\open C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\Version = "16777216" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\whatsapp\shell\open\command C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\whatsapp\shell C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB6F8A2A053124E4D835B0A95DA361FB\E57BE8F87C7DA2B4BB4DC34C9FC8A77A C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Windows\system32\msiexec.exe N/A 2
N/A N/A C:\Users\Public\jF\u9.exe N/A 2
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A 60

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Public\jF\u9.exe N/A
N/A N/A C:\Users\Public\jF\u9.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Events
PID 4036 wrote to memory of 4736 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe 3
PID 4036 wrote to memory of 4436 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe 2
PID 4036 wrote to memory of 4840 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe 3
PID 4736 wrote to memory of 2948 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\jF\u9.exe 3
PID 2948 wrote to memory of 3628 N/A C:\Users\Public\jF\u9.exe C:\Users\Public\Documents\t\spolsvt.exe 8
PID 2948 wrote to memory of 4776 N/A C:\Users\Public\jF\u9.exe C:\Users\Admin\Documents\robot\elf.exe 3
PID 2948 wrote to memory of 784 N/A C:\Users\Public\jF\u9.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2248 wrote to memory of 4428 N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe 39
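A parent writing into a process it has just created is expected during process start-up, so the signal in the WriteProcessMemory rows is who spawned whom and from where, not the number of writes. Read that way, the rows give the delivery chain: msiexec.exe (4036) hands off to the 32-bit MsiExec.exe custom-action host (4736), which launches C:\Users\Public\jF\u9.exe (2948); u9.exe then starts spolsvt.exe (3628) from C:\Users\Public\Documents\t, elf.exe (4776) from C:\Users\Admin\Documents\robot, and a cmd.exe (784) that, per the process list further down, runs cmd.exe /c del u9.exe to remove the dropper. The WhatsApp.exe (2248) to WhatsApp.exe (4428) writes are the bundled Electron client spawning its own helper processes. The script below is an added triage helper, not part of the sandbox's tooling, that rebuilds this tree from the table's rows. WPM_ROWS carries the table's parent/child pairs as constructed input with the number of writes as a trailing count (the parser also accepts one row per write, as the sandbox emits them); ROW_RE splits on the drive-letter prefix because the image paths contain spaces; TRUSTED_PREFIXES is this example's assumption about which directories an installer should be launching from.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed input for this example: the parent/child pairs from the
# "Suspicious use of WriteProcessMemory" table above, one row per pair with the
# number of recorded writes as a trailing count. The parser also accepts the
# sandbox's raw form (one row per write, no trailing count).
WPM_ROWS = r"""
PID 4036 wrote to memory of 4736 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe 3
PID 4036 wrote to memory of 4436 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe 2
PID 4036 wrote to memory of 4840 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe 3
PID 4736 wrote to memory of 2948 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\jF\u9.exe 3
PID 2948 wrote to memory of 3628 N/A C:\Users\Public\jF\u9.exe C:\Users\Public\Documents\t\spolsvt.exe 8
PID 2948 wrote to memory of 4776 N/A C:\Users\Public\jF\u9.exe C:\Users\Admin\Documents\robot\elf.exe 3
PID 2948 wrote to memory of 784 N/A C:\Users\Public\jF\u9.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2248 wrote to memory of 4428 N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe 39
"""

# Image paths contain spaces, so the parent/child boundary is the " X:\" that
# starts the next path, not whitespace.
ROW_RE = re.compile(
    r"^PID (?P<ppid>\d+) wrote to memory of (?P<cpid>\d+) N/A "
    r"(?P<parent>[A-Za-z]:\\.*?) (?P<child>[A-Za-z]:\\.*?)(?: (?P<n>\d+))?$"
)

# Assumption of this example: anything launched from outside these roots is
# treated as living in a user-writable location.
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")

Edge = Tuple[int, int, str, str, int]  # ppid, cpid, parent path, child path, writes


def parse_wpm(text: str) -> List[Edge]:
    """Parse table rows; the header and any unrelated lines are skipped."""
    edges: List[Edge] = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            n = int(m["n"]) if m["n"] else 1
            edges.append((int(m["ppid"]), int(m["cpid"]), m["parent"], m["child"], n))
    return edges


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def build_graph(edges: List[Edge]):
    """Return (pid -> image path, pid -> ordered child pids, (ppid, cpid) -> write count)."""
    names: Dict[int, str] = {}
    children: Dict[int, List[int]] = {}
    writes: Counter = Counter()
    for ppid, cpid, parent, child, n in edges:
        names.setdefault(ppid, parent)
        names.setdefault(cpid, child)
        kids = children.setdefault(ppid, [])
        if cpid not in kids:
            kids.append(cpid)
        writes[(ppid, cpid)] += n
    return names, children, writes


def process_chains(edges: List[Edge]) -> List[List[str]]:
    """Every root-to-leaf chain as a list of 'image(pid)' labels."""
    names, children, _ = build_graph(edges)
    all_children = {c for kids in children.values() for c in kids}
    roots = [p for p in children if p not in all_children]
    chains: List[List[str]] = []

    def walk(pid: int, path: List[str], seen: frozenset) -> None:
        path = path + [f"{basename(names[pid])}({pid})"]
        kids = [k for k in children.get(pid, []) if k not in seen]  # guard against cycles
        if not kids:
            chains.append(path)
            return
        for kid in kids:
            walk(kid, path, seen | {pid})

    for root in roots:
        walk(root, [], frozenset())
    return chains


def user_writable_children(edges: List[Edge]) -> List[Tuple[int, str]]:
    """Child processes whose image lives outside TRUSTED_PREFIXES, in first-seen order."""
    found: List[Tuple[int, str]] = []
    for _, cpid, _, child, _ in edges:
        if not child.lower().startswith(TRUSTED_PREFIXES) and (cpid, child) not in found:
            found.append((cpid, child))
    return found


if __name__ == "__main__":
    edges = parse_wpm(WPM_ROWS)
    for chain in process_chains(edges):
        print(" -> ".join(chain))
    for (ppid, cpid), n in build_graph(edges)[2].items():
        print(f"{ppid} -> {cpid}: {n} write(s)")
    for pid, image in user_writable_children(edges):
        print(f"user-writable image: {image} (pid {pid})")
```

Feeding the script the raw one-row-per-event table gives the same chains; the only difference is that the per-pair write counts are then accumulated from the repeated rows. The three entries user_writable_children returns (u9.exe, spolsvt.exe, elf.exe) are the files to pull for static analysis; cmd.exe is excluded because the image is in C:\Windows even though what it executes is the dropper's self-delete.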

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Whatsapp.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 35D76F6123415FCBFDBB91C274969A77 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C3DE870336B3272D3EDFF00B509966FA

C:\Users\Public\jF\u9.exe

"C:\Users\Public\jF\u9.exe"

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Admin\Documents\robot\elf.exe

"C:\Users\Admin\Documents\robot\elf.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del u9.exe

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe"

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe" --type=gpu-process --field-trial-handle=1524,349781558816664895,8069814279302260444,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1532 /prefetch:2

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\WhatsApp /prefetch:7 --no-rate-limit --no-upload-gzip --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\WhatsApp\Crashpad --url=https://crashlogs.whatsapp.net/wa_clb_data?access_token=1063127757113399%7C745146ffa34413f9dbb5469f5370b7af --annotation=_productName=WhatsApp --annotation=_version=2.2310.5 --annotation=prod=Electron --annotation=ver=12.2.3 --initial-client-data=0x654,0x658,0x65c,0x650,0x660,0x7ff6e2b62bc0,0x7ff6e2b62bd0,0x7ff6e2b62be0

C:\Program Files (x86)\WhatsApp\WhatsApp plus\Update.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\Update.exe" --checkForUpdate https://web.whatsapp.com/desktop/windows/release/x64?version=2.2310.5

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1524,349781558816664895,8069814279302260444,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --standard-schemes=whatsapp --secure-schemes=whatsapp --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1928 /prefetch:8

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1524,349781558816664895,8069814279302260444,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --standard-schemes=whatsapp --secure-schemes=whatsapp --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.squirrel.WhatsApp.WhatsApp --app-path="C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2224 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe csproduct get /value"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic.exe csproduct get /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe /namespace:\\root\wmi path MS_SystemInformation get /value"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic.exe /namespace:\\root\wmi path MS_SystemInformation get /value

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1524,349781558816664895,8069814279302260444,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=audio --standard-schemes=whatsapp --secure-schemes=whatsapp --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2688 /prefetch:8

C:\Program Files (x86)\WhatsApp\WhatsApp plus\Update.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\Update.exe" --checkForUpdate https://web.whatsapp.com/desktop/windows/release/x64?version=2.2310.5

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2dc

Network

Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 45.147.19.2.in-addr.arpa udp
US 8.8.8.8:53 9.57.101.20.in-addr.arpa udp
US 8.8.8.8:53 jf.wccabc.com udp
HK 43.249.29.99:3927 jf.wccabc.com tcp
US 8.8.8.8:53 99.29.249.43.in-addr.arpa udp
US 8.8.8.8:53 xfer.10jqka.com.cn udp
CN 175.6.25.16:80 xfer.10jqka.com.cn tcp
US 8.8.8.8:53 16.25.6.175.in-addr.arpa udp
N/A 127.0.0.1:62400 tcp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 huanpy.oss-cn-hongkong.aliyuncs.com udp
HK 47.75.19.161:443 huanpy.oss-cn-hongkong.aliyuncs.com tcp
HK 47.75.19.161:443 huanpy.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 161.19.75.47.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
HK 47.75.19.161:443 huanpy.oss-cn-hongkong.aliyuncs.com tcp
HK 47.75.19.161:443 huanpy.oss-cn-hongkong.aliyuncs.com tcp
HK 47.75.19.161:443 huanpy.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 web.whatsapp.com udp
NL 157.240.247.60:443 web.whatsapp.com tcp
US 8.8.8.8:53 60.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 web.whatsapp.com udp
NL 157.240.201.60:443 web.whatsapp.com tcp
US 8.8.8.8:53 60.201.240.157.in-addr.arpa udp
NL 157.240.201.60:443 web.whatsapp.com tcp
NL 157.240.247.60:443 web.whatsapp.com tcp
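Most rows in this table are resolver noise: forward lookups sent to 8.8.8.8:53 and in-addr.arpa reverse lookups for every peer. What an analyst wants is the set of hosts actually contacted over TCP, with the traffic the repackaged WhatsApp client accounts for set aside (the Update.exe --checkForUpdate command in the process list explains web.whatsapp.com). That leaves jf.wccabc.com on 43.249.29.99:3927, a non-web port and a name that matches the C:\Users\Public\jF drop directory and the jF feature the MSI registers above; xfer.10jqka.com.cn over cleartext HTTP; and an Alibaba Cloud OSS bucket, huanpy.oss-cn-hongkong.aliyuncs.com, over HTTPS. The script below is an added triage helper, not part of the sandbox; NETWORK_ROWS is the table's own rows copied in as constructed input, and KNOWN_GOOD_SUFFIXES is this example's assumption about which domains the bundled WhatsApp build legitimately contacts.

```python
import re
from typing import Dict, List

# Constructed input for this example: rows copied from the Network table above.
NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 jf.wccabc.com udp
HK 43.249.29.99:3927 jf.wccabc.com tcp
US 8.8.8.8:53 99.29.249.43.in-addr.arpa udp
US 8.8.8.8:53 xfer.10jqka.com.cn udp
CN 175.6.25.16:80 xfer.10jqka.com.cn tcp
N/A 127.0.0.1:62400 tcp
US 8.8.8.8:53 huanpy.oss-cn-hongkong.aliyuncs.com udp
HK 47.75.19.161:443 huanpy.oss-cn-hongkong.aliyuncs.com tcp
HK 47.75.19.161:443 huanpy.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 web.whatsapp.com udp
NL 157.240.247.60:443 web.whatsapp.com tcp
NL 157.240.201.60:443 web.whatsapp.com tcp
"""

# Assumption of this example: the bundled WhatsApp desktop build legitimately
# talks to these domains; every other TCP peer is reported as an IOC.
KNOWN_GOOD_SUFFIXES = ("whatsapp.com", "whatsapp.net")
WEB_PORTS = {80, 443}

DEST_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d+)$")


def parse_network(text: str) -> List[Dict]:
    """Parse 'Country Destination [Domain] Proto' rows; the domain column may be absent."""
    rows: List[Dict] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        m = DEST_RE.match(parts[1])
        if not m:
            continue  # header or malformed row
        rows.append({
            "country": parts[0],
            "ip": m.group(1),
            "port": int(m.group(2)),
            "domain": parts[2] if len(parts) == 4 else "",
            "proto": parts[-1],
        })
    return rows


def is_known_good(domain: str) -> bool:
    return any(domain == s or domain.endswith("." + s) for s in KNOWN_GOOD_SUFFIXES)


def ptr_to_ip(name: str) -> str:
    """'99.29.249.43.in-addr.arpa' -> '43.249.29.99' (IPv4 PTR names only)."""
    labels = name.split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an IPv4 PTR name: {name}")
    return ".".join(reversed(labels[:4]))


def defang(indicator: str) -> str:
    return indicator.replace(".", "[.]")


def resolved_domains(rows: List[Dict]) -> List[str]:
    """Forward lookups sent to the resolver, unique, in first-seen order."""
    out: List[str] = []
    for r in rows:
        d = r["domain"]
        if r["port"] == 53 and d and not d.endswith(".in-addr.arpa") and d not in out:
            out.append(d)
    return out


def connection_iocs(rows: List[Dict]) -> List[Dict]:
    """Group TCP connections by (domain, ip, port) and flag anything not known-good."""
    grouped: Dict[tuple, Dict] = {}
    for r in rows:
        if r["proto"] != "tcp" or r["ip"].startswith("127."):
            continue  # DNS and loopback are not contactable peers
        key = (r["domain"], r["ip"], r["port"])
        entry = grouped.setdefault(key, {
            "domain": r["domain"], "ip": r["ip"], "port": r["port"],
            "country": r["country"], "connections": 0,
            "flagged": not is_known_good(r["domain"]), "notes": [],
        })
        entry["connections"] += 1
    for e in grouped.values():
        if e["port"] not in WEB_PORTS:
            e["notes"].append(f"non-standard port {e['port']}")
        if e["port"] == 80:
            e["notes"].append("cleartext HTTP")
        e["defanged"] = f"{defang(e['domain'])} -> {defang(e['ip'])}:{e['port']}"
    return list(grouped.values())


if __name__ == "__main__":
    rows = parse_network(NETWORK_ROWS)
    print("resolved:", resolved_domains(rows))
    for ioc in connection_iocs(rows):
        tag = "IOC" if ioc["flagged"] else "ok "
        print(tag, ioc["defanged"], ioc["country"], f"x{ioc['connections']}", "; ".join(ioc["notes"]))
```

The defanged strings are what goes into a ticket or blocklist request; the raw (domain, ip, port) tuples are what goes into a detection rule. A destination that is flagged only because its domain column is empty (a bare IP over TCP) is still worth keeping: the sandbox could not tie it to a lookup, which for a RAT callback is not unusual.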

Files

C:\Users\Admin\AppData\Local\Temp\MSICED9.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSICED9.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSID061.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSID061.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSID0DF.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSID0DF.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSID18B.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSID18B.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSID332.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSID332.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSID3DF.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSID3DF.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSID690.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSID690.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI418F.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSI418F.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI423C.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSI423C.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI4376.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSI4376.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSIC38A.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Windows\Installer\MSIC38A.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSIC494.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Windows\Installer\MSIC494.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSIC551.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Windows\Installer\MSIC551.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSIC5FE.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Windows\Installer\MSIC5FE.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

MD5 1157e62b77b905f01f99388fea1c933a
SHA1 bb8b87655f2e634bb90a964f00690b9aa9f044bf
SHA256 288dce85890e7c5350886b082eb20e3b19159906c3431e6e81a54c95cf722760
SHA512 bd1fe6961d03ea5bfaa1fc0bd9962ecc7c97d5bbd9644b07f6378e7648b582f71a63c56f82a635aebee5b3a9b3b8159ef6021d1bf348bb3d7e9ecb5def43b1bf

\??\Volume{96faa851-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a3ecc10a-f340-46d1-ab55-bcdd7cbbd4d9}_OnDiskSnapshotProp

MD5 2ba3373520272e18b897152e7ce6db21
SHA1 4247b8d839810b970c2fb15f9c3feb19a0d22050
SHA256 53edb7426ab075398e4de66f07bc15ae9227ac8b882a82fa7fed55a25e162557
SHA512 ab26ebd958a6a45e4c8ae1a01bf8166220b1006d7a43cef641f16784cfbf4b5156f6888dff78f281b654ed437c5e5e2f514b580a36e0c72594826ecdf20bc33b

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 1445337c61e46764fad7fb013c320b90
SHA1 01ca7cb1042252885c304566f54e0542c75c434c
SHA256 6b9d14b2a4ff91a21a7b90628599d048685189d70fc0fbfca32000cadaa8d63d
SHA512 61798db208007fc70f27b9232f9010f68eec603876b1f01ed2fca89d769810cd6b4fbf32a41a02d44896fc4aae76675b75e8cf7ceb0fa84514919e4542d8162d

C:\Config.Msi\e58c271.rbs

MD5 57ba85a72a17dfc4a810bb47ddcf2227
SHA1 a272496d600fa877412929191127285b29755a03
SHA256 616d4d316a1d6f395bd95941d9efeb0b9621c1058111b75dd7ace4217778eb24
SHA512 4c5823b6b36434b08f3ceac76ceb438e4418c8c965227fed05bddca80e7df7552eb8a1e3e8295adbfd51ccf604f2858c5d637b27cd4c6517d888f05c0d909c37

C:\Windows\Installer\e58c270.msi

MD5 efa5dbed98ee67aaad29dcb32a333ef4
SHA1 cdd185b6c158052fb7d888d0ba2ec0a164843f6f
SHA256 b360f349017399408e0680d71b9c3e774a89ae19259a8396e697fccb18867960
SHA512 9b4fd7bdf60489ad2b6fdd9863a035a7395f6ca462be190083295faff90c365468e3207b5acc1cc95a71f060b8185e53514a8e5c2c7deceec064895814ded0a4

\Users\Admin\AppData\Local\Temp\MSIFE99.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIFE99.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Public\jF\u9.exe

MD5 92bd14c4a22b2aed0fe832f2b1174af0
SHA1 f08d2d2e6a6ffc92a7133d0ceaf01963cfaebe86
SHA256 7107606074d34bfb3d9a659b21bf84e55692b810b8e7d60c677b86b6477fdd7a
SHA512 bbc16c3595cf20a6aec3811975d8ae4121220f4549456dca9a4cc03e0d13131139736fa669d0dd941052f0cee25cf7d6d251e5cc61e34a22e712b19751c68b6a

memory/2948-317-0x0000000000400000-0x000000000087A000-memory.dmp

memory/2948-320-0x0000000075F30000-0x00000000760F2000-memory.dmp

memory/2948-4049-0x0000000002B80000-0x0000000002D44000-memory.dmp

memory/2948-4051-0x0000000077030000-0x000000007716C000-memory.dmp

memory/2948-4050-0x0000000002800000-0x000000000299F000-memory.dmp

memory/2948-5840-0x0000000075D70000-0x0000000075DE7000-memory.dmp

memory/2948-12707-0x0000000002660000-0x0000000002733000-memory.dmp

memory/2948-12708-0x00000000029A0000-0x0000000002AE5000-memory.dmp

memory/3628-12711-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3628-12712-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3628-12713-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/3628-12717-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/3628-12718-0x0000000010000000-0x000000001002A000-memory.dmp

memory/2948-12724-0x0000000002B80000-0x0000000002D44000-memory.dmp

\Users\Public\jF\UnRAR.dll

MD5 c5587655293f83c72f0c88c74660dd10
SHA1 675d7cac72e4caebebd7c2a88403d138b69acd89
SHA256 a647aec65edb9736ad9bbc60a99779d18438b783b3a7045533de97ba4134f4fe
SHA512 6b275764ba29dd5d2f789107de1b98095f42fe4929b725b5599136a6a626e32432fcb223ce1cf89050874102f0d24e6911c170e4d50a023dab4604c383380fd1

C:\Users\Public\jF\UnRAR.dll

MD5 c5587655293f83c72f0c88c74660dd10
SHA1 675d7cac72e4caebebd7c2a88403d138b69acd89
SHA256 a647aec65edb9736ad9bbc60a99779d18438b783b3a7045533de97ba4134f4fe
SHA512 6b275764ba29dd5d2f789107de1b98095f42fe4929b725b5599136a6a626e32432fcb223ce1cf89050874102f0d24e6911c170e4d50a023dab4604c383380fd1

C:\Users\Admin\Documents\robot\elf.exe

MD5 33922d12e5bb8f40ecddf816124ae93d
SHA1 28244217fa205f12cf40278e97a3a01e6d7366a3
SHA256 255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158
SHA512 1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973

C:\Users\Admin\Documents\robot\LoggerCollector.dll

MD5 47fe0ab041a9c28fe838eb1b11556e33
SHA1 b7128f679230730cf477f3c081235de118c98960
SHA256 29fc393b56fcfa4a242c7bc5177b0861072f35c7c8be2546115e0f34d059e2bf
SHA512 7191170e244dac3b176bf89c67511b5938751471d84f73c58c3ff7fef3e6e1e70c3af5d3143cf3b66be461152b80845231fc6a3fafc31328193d47edd2961a40

\Users\Admin\Documents\robot\LoggerCollector.dll

MD5 47fe0ab041a9c28fe838eb1b11556e33
SHA1 b7128f679230730cf477f3c081235de118c98960
SHA256 29fc393b56fcfa4a242c7bc5177b0861072f35c7c8be2546115e0f34d059e2bf
SHA512 7191170e244dac3b176bf89c67511b5938751471d84f73c58c3ff7fef3e6e1e70c3af5d3143cf3b66be461152b80845231fc6a3fafc31328193d47edd2961a40

C:\Users\Admin\Documents\robot\skin\mainres.xml

MD5 47fb824e5df4deb39e5b5342e833d8e4
SHA1 3196520d4dabefd5b4eb6c689210d5ce459476da
SHA256 04fb5ba3130fb6cb99ce5d5ffa11a8df2d2c02fcb9dd3517d691bf97e0369289
SHA512 fb64455995630400f73a4725e365e44c8d77dd1ccb534c2ba8a0ff50cf42c9b838abe7bf63e98596bc40466a3c7eafda29d7981564684772afd3cba136e6bb42

memory/2948-12767-0x0000000002800000-0x000000000299F000-memory.dmp

C:\Users\Admin\Documents\robot\skin\Robot\icon_wnd.xml

MD5 f74ff1f559d4f5a7af7b09b00d17a3f7
SHA1 7ae57ae206977eb874cf1037e7dedb37cb464e4b
SHA256 1ebba2b9a0d222642016121ca19ee5cd6d1b32f40b43bd57aed165dc8dcdf781
SHA512 fc26f6af3c8e0d642a91e31e5060db94d7ed2cce33619a4d8e9b78c68b95b397db15863165ce536fbc364f2e361772ffb86be61e3d9a921011f167ca9c9d9c51

C:\Users\Admin\Documents\robot\skin\Robot\push_wnd.xml

MD5 ee58358ad4380ad0da672cdb49247454
SHA1 e99376e5eaa92538221789ff8f25768d83f0cf1e
SHA256 633b462f98038aa0f9ab302d3cd0def8352fde79990af747b3c97b49ebab2103
SHA512 eded6474a11deb02292682e3354b2d7d17ac898348f533fc13a74451fb5a312ec25a0de69bd40d2b9a4159e2284834277b47072b2e8990780f6783519b0dfda3

C:\Users\Admin\Documents\robot\skin\Robot\Robot.xml

MD5 2fdb0ba1aa4f2088d10468757490b3fc
SHA1 3757f286d6fa2585747bf6135eb8c927bc3145b8
SHA256 6f1d5abe5173cab5a5d5553d6ebf4c78f0b0d587337c8c942c170acf24d9f02a
SHA512 aba55dd158a645d76c05c5b4e226547b42619f123de30050963cced626b914dce7c79574eca4f222b6eaae3a0acfd737818a423fc4bdf1402a31979f859fdaaa

C:\Users\Admin\Documents\robot\switch.json

MD5 66fc880f0f331d0b1abb98f511e831fd
SHA1 230b04ccadbf2a586e25f5bc46940f6e7cc60edb
SHA256 87fa2ca07ca9ad4655d2dcd924ff56897e621f5a1d22ec1f9b49ba6cd8a3c090
SHA512 3926b2c951d604a45fe7fffa817beeb99408537cf12a97157c5f3cb6903af5c269d984f219ad37300f213dc26e01454fb33a9d4341948dbf3d00d68ec322a817

memory/2948-12793-0x0000000000400000-0x000000000087A000-memory.dmp

memory/2948-12794-0x0000000002660000-0x0000000002733000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSI8927.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSI8927.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI822E.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSI822E.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

MD5 1157e62b77b905f01f99388fea1c933a
SHA1 bb8b87655f2e634bb90a964f00690b9aa9f044bf
SHA256 288dce85890e7c5350886b082eb20e3b19159906c3431e6e81a54c95cf722760
SHA512 bd1fe6961d03ea5bfaa1fc0bd9962ecc7c97d5bbd9644b07f6378e7648b582f71a63c56f82a635aebee5b3a9b3b8159ef6021d1bf348bb3d7e9ecb5def43b1bf

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\ffmpeg.dll

MD5 5963feb848d7dc57541c041bc6f7539e
SHA1 fc2d66b84a003192b9ce2536c7bd2351eddfcd47
SHA256 1817f50f1bc77c512149d6be845a420eac4be4c2f3233ade61f61d77f8f87dbd
SHA512 0948b13487cc949a1d37e98f7605110c8b581d94a2ee8d16cdab1ea159d82e8b7dd636025246b95d3d7f9f33a0ce7ff8a9e262756badfc8e8a3f5a6dc09de38a

\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\ffmpeg.dll

MD5 5963feb848d7dc57541c041bc6f7539e
SHA1 fc2d66b84a003192b9ce2536c7bd2351eddfcd47
SHA256 1817f50f1bc77c512149d6be845a420eac4be4c2f3233ade61f61d77f8f87dbd
SHA512 0948b13487cc949a1d37e98f7605110c8b581d94a2ee8d16cdab1ea159d82e8b7dd636025246b95d3d7f9f33a0ce7ff8a9e262756badfc8e8a3f5a6dc09de38a

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\v8_context_snapshot.bin

MD5 b64c1fc7d75234994012c86dc5af10a6
SHA1 d0d562b5735d28381d59d0d86078ff6b493a678e
SHA256 31c3aa5645b5487bf484fd910379003786523f3063e946ef9b50d257d0ee5790
SHA512 6218fcb74ef715030a2dd718c87b32f41e976dd4ce459c54a45341ee0f5ca5c927ad507d3afcffe7298b989e969885ed7fb72030ea59387609e8bd5c4b8eb60a

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\icudtl.dat

MD5 70499b58dc18e7ee1d7452a1d7a8bc6e
SHA1 41c5382f08c6a88670ce73a20c0dcdb3822f19e9
SHA256 02db39ba465fc8b7a4cd280732760f29911edde87b331bf7cea7677e94d483e0
SHA512 a80939e9809bb7d20f00ad685c94d5c182fa729616c975e605abf09afb58376be73a49fefa35b75ed1a284eccf208af7656c8df44c5959df7eaf51367d232dc6

C:\Program Files (x86)\WhatsApp\WhatsApp plus\update.exe

MD5 94bf0cf7fb285fa7e336ec30e3994e22
SHA1 8475fbbe356791d40fc873ef3cc9f554ee15a49b
SHA256 62ebeaf33b43417b99ea8e918b41c8c9a0d6acc53d47dd450de99f8ddbb9fa11
SHA512 8b71326289a3228e127a87b66a1002ee54ef5cdd3d9beedd26ec02dff70ec689f326dd652f1c8b377d78a58a0ca027ac7fcecbd8be70b686d1201b549a398726

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar

MD5 8adfcf5e1c94cb641af975373fc2a013
SHA1 a68b1d6c064395a3b2bc60bd94972f3806c76c4a
SHA256 64d2951477c43e59944f7b169de2d22fdcd342d4d75b9d582d789d0330d62add
SHA512 eb41113e5aab37a72a248fd5943fe256a26bfb19f14fa00f781287096defc5b10d9e0f8665fad6068ed3f565c1623e71afbe380180369c4fe36d117971c4cd09

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\keytar\build\Release\keytar.node

MD5 b7ab76624efc7219962eacbfdf231b41
SHA1 f7ff359cd7aa0d39d26687cc7014dedd2738ad53
SHA256 56c3f149c7811c81f6129896d2f06c6052d7bd85c20c4c26f65539db2c33fba1
SHA512 472851b0ad5f8f11e7143bb7ceeb5cde58c6613a3be7fb3f356c6eae2a90fe0972c50bbf6ce511e9b57a9242aa7a8fb727b024a20fa4e803bd3772a2cd71945a

\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\keytar\build\Release\keytar.node

MD5 b7ab76624efc7219962eacbfdf231b41
SHA1 f7ff359cd7aa0d39d26687cc7014dedd2738ad53
SHA256 56c3f149c7811c81f6129896d2f06c6052d7bd85c20c4c26f65539db2c33fba1
SHA512 472851b0ad5f8f11e7143bb7ceeb5cde58c6613a3be7fb3f356c6eae2a90fe0972c50bbf6ce511e9b57a9242aa7a8fb727b024a20fa4e803bd3772a2cd71945a

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\chrome_100_percent.pak

MD5 a59ea69d64bf4f748401dc5a46a65854
SHA1 111c4cc792991faf947a33386a5862e3205b0cff
SHA256 f1a935db8236203cbc1dcbb9672d98e0bd2fa514429a3f2f82a26e0eb23a4ff9
SHA512 12a1d953df00b6464ecc132a6e5b9ec3b301c7b3cefe12cbcad27a496d2d218f89e2087dd01d293d37f29391937fcbad937f7d5cf2a6f303539883e2afe3dacd

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\chrome_200_percent.pak

MD5 1985b8fc603db4d83df72cfaeeac7c50
SHA1 5b02363de1c193827062bfa628261b1ec16bd8cf
SHA256 7f9ded50d81c50f9c6ed89591fa621fabbd45cef150c8aabcceb3b7a9de5603b
SHA512 27e90dd18cbce0e27c70b395895ef60a8d2f2f3c3f2ca38f48b7ecf6b0d5e6fefbe88df7e7c98224222b34ff0fbd60268fdec17440f1055535a79002044c955b

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources.pak

MD5 5507bc28022b806ea7a3c3bc65a1c256
SHA1 9f8d3a56fef7374c46cd3557f73855d585692b54
SHA256 367467609a389b67600628760c26732fc1a25f563f73263bc2c4bf6eec9033df
SHA512 ae698d4feacc3e908981ee44df3a9d76e42a39bf083eaf099442ace2b863f882b43232e26e2c18051ca7aec81dccef5742acc7b82fb0cda2e14086b14d5a9a26

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\en-US.pak

MD5 6bbeeb72daebc3b0cbd9c39e820c87a9
SHA1 bd9ebec2d3fc03a2b27f128cf2660b33a3344f43
SHA256 ac1cdb4fb4d9fb27a908ed0e24cc9cc2bd885bc3ffba7e08b0b907fd4d1a8c4b
SHA512 66944fb1abcc2a7e08e5fd8a2cee53eb9da57653d7880aea226f25879e26379f7d745ebf62a3518378fa503f3a31b3ea3716f49fe4c7db4f4af0228b81b53a10

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

MD5 1157e62b77b905f01f99388fea1c933a
SHA1 bb8b87655f2e634bb90a964f00690b9aa9f044bf
SHA256 288dce85890e7c5350886b082eb20e3b19159906c3431e6e81a54c95cf722760
SHA512 bd1fe6961d03ea5bfaa1fc0bd9962ecc7c97d5bbd9644b07f6378e7648b582f71a63c56f82a635aebee5b3a9b3b8159ef6021d1bf348bb3d7e9ecb5def43b1bf

memory/4428-12824-0x00007FF8A4020000-0x00007FF8A4021000-memory.dmp

memory/4716-12848-0x0000000000070000-0x000000000029A000-memory.dmp

memory/4716-12856-0x00000000739E0000-0x00000000740CE000-memory.dmp

memory/4716-12857-0x0000000004B90000-0x0000000004BA0000-memory.dmp

memory/4716-12873-0x00000000739E0000-0x00000000740CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\WhatsApp\IndexedDB\file__0.indexeddb.leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Roaming\WhatsApp\File System\Origins\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

memory/3808-12925-0x00000000739E0000-0x00000000740CE000-memory.dmp

memory/3808-12927-0x0000000005660000-0x0000000005670000-memory.dmp

memory/3808-12974-0x00000000739E0000-0x00000000740CE000-memory.dmp

C:\Users\Admin\AppData\Roaming\WhatsApp\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\index.txt

MD5 a280eaad2645cb8148404be0022ad1ff
SHA1 aac58e24773825a95a32af765ccf107b6bc83265
SHA256 12f177f902d970a1c79d39212e8be221a9141306a11f032e6a25261ed393c6c7
SHA512 a27e9c7122ff7485facfcad84c2badba7026004c77a3402d51a56a4ecc0353a87fb21a2e46e720763b1b1f0eca0b73232488a390dacbde490b07144150797c5c

C:\Users\Admin\AppData\Roaming\WhatsApp\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\1fc3e15d-05c2-40ed-a365-d42372c8cf8b\index-dir\the-real-index

MD5 6fe6fd7285f573b6c8be58eec7cf4160
SHA1 6ec5a383035863611300a60f9133407ce299ba13
SHA256 5d9c930ec38dbd499ee7635157b77102c01693debec5a0f46eb93015f35e4a82
SHA512 70372d2dc63083819ff263a8c355c5e3cfc09b19dab30860720a72cbf0adc3b2ad3bf5783a0b5e6099ca68fc62357e80ba8efd9f332390d375b275ababe0550d

C:\Users\Admin\AppData\Roaming\WhatsApp\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\1fc3e15d-05c2-40ed-a365-d42372c8cf8b\index-dir\the-real-index~RFe5b5b8a.TMP

MD5 9c1559fbf32a4da210db714eb4472114
SHA1 12c2f36d10d3210b7a13f47744d37b781b63e7b9
SHA256 b4f6e2edf5e27428d220f2f03d9691521e489e546825029f463f5e4ded8119a1
SHA512 26edfa0ce32d6a25bc72e2729b48cfa0c25de960046fc16c84fd7b1f2f93775cd55d757392014c552d0bf1611009809dfacc05ee3d444275e27a0e04e6a35d49

C:\Users\Admin\AppData\Roaming\WhatsApp\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\index.txt

MD5 bd3a40208ea8f411c46aaab14f426273
SHA1 b7e9e4857141d8099a07298e1263ef5caad59266
SHA256 da8108113d3d06483ce38c2aac7e245def6276bd242bb04d30bdca483e01cfd7
SHA512 b0294abfb8b4dfb036d5bdc15a574236d92036be3f520c066e2f1dbc7d337e3de0d2a5f8b506828488981ed1007a2ba31b26596045fc4f6c16102875ff787cf2

C:\Users\Admin\AppData\Roaming\WhatsApp\Network Persistent State

MD5 e8c80349c3fd50606dd0ef8faf0b41cf
SHA1 dd57a9c87a2d3b745165616487c29243727e38e9
SHA256 4c7534eaa1b0e94bf5b49acccac70c3ded62f2e345c1c19dfcbff078f03366a9
SHA512 b76b26f6ead4d2559449885f1a3c6dde1c5c1098a0e9f06bd3e8a5b36fb25b632c4fee064617246b17748bd081e5e58b3c0756cd17e0356205cd4ce8710c4f70

C:\Users\Admin\AppData\Roaming\WhatsApp\Network Persistent State~RFe5b5b9a.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Users\Admin\AppData\Roaming\WhatsApp\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Roaming\WhatsApp\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Roaming\WhatsApp\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e
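
The Files listing above is long but repetitive: the same few hashes recur under many MSIxxxx.tmp names (Windows Installer's temporary copies of custom-action binaries, written once per invocation), and most paths appear twice, once with and once without the drive letter. The script below is an added example, not part of the sandbox output; it parses a constructed excerpt of this listing (paths and hashes copied from above, trimmed for length), collapses it to unique SHA256 values, separates installer temp files from the genuinely dropped stages, and keeps the memory-dump regions per PID. The `msi-temp` / `dropped` labels and the path-normalisation rule are this example's own conventions.

```python
"""Collapse a sandbox 'Files' listing into unique artefacts keyed by SHA256."""
import re
from collections import defaultdict

# Constructed excerpt of the report's Files section (copied entries, trimmed).
SAMPLE = r"""
\Users\Admin\AppData\Local\Temp\MSID061.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSID0DF.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

C:\Users\Admin\AppData\Local\Temp\MSI423C.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

C:\Users\Public\jF\u9.exe

MD5 92bd14c4a22b2aed0fe832f2b1174af0
SHA1 f08d2d2e6a6ffc92a7133d0ceaf01963cfaebe86
SHA256 7107606074d34bfb3d9a659b21bf84e55692b810b8e7d60c677b86b6477fdd7a

memory/3628-12718-0x0000000010000000-0x000000001002A000-memory.dmp

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

C:\Users\Admin\Documents\robot\elf.exe

MD5 33922d12e5bb8f40ecddf816124ae93d
SHA1 28244217fa205f12cf40278e97a3a01e6d7366a3
SHA256 255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MSI_TMP_RE = re.compile(r"\\msi[0-9a-f]{3,4}\.tmp$")   # Windows Installer MSIxxxx.tmp


def parse_files(text):
    """Return (records, dumps): records are (path, {hash_name: hex}) in listing
    order; dumps are (pid, start, end) from memory/<pid>-...-memory.dmp lines.
    A path line opens a record and the MD5/SHA* lines after it belong to it."""
    records, dumps = [], []
    path, hashes = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        h = HASH_RE.match(line)
        if h and path is not None:
            hashes[h.group(1)] = h.group(2).lower()
            continue
        if path is not None:                 # a new entry starts: flush the open one
            records.append((path, hashes))
            path, hashes = None, {}
        d = DUMP_RE.match(line)
        if d:
            dumps.append((int(d.group(1)), int(d.group(2), 16), int(d.group(3), 16)))
        else:
            path, hashes = line, {}
    if path is not None:
        records.append((path, hashes))
    return records, dumps


def normalize(path):
    """Drop the drive letter and case so 'C:\\X' and '\\X' collapse to one key."""
    return re.sub(r"^[A-Za-z]:", "", path).lower()


def unique_artifacts(records):
    """Map SHA256 -> set of normalised paths that carried that hash."""
    by_sha = defaultdict(set)
    for path, hashes in records:
        if "SHA256" in hashes:
            by_sha[hashes["SHA256"]].add(normalize(path))
    return dict(by_sha)


def triage(by_sha):
    """Label a hash 'msi-temp' when every path is an installer MSIxxxx.tmp,
    otherwise 'dropped' (a stage worth pulling for analysis)."""
    return {
        sha: ("msi-temp" if all(MSI_TMP_RE.search(p) for p in paths) else "dropped",
              sorted(paths))
        for sha, paths in by_sha.items()
    }


if __name__ == "__main__":
    recs, dumps = parse_files(SAMPLE)
    for sha, (kind, paths) in triage(unique_artifacts(recs)).items():
        print(f"{kind:9} {sha[:16]}...  {', '.join(paths)}")
    print("PIDs with memory dumps:", sorted({pid for pid, _, _ in dumps}))
```

Run against the full listing, the `dropped` bucket is the short list a responder actually wants: u9.exe, spolsvt.exe, UnRAR.dll, elf.exe, LoggerCollector.dll and the renamed .msi under C:\Windows\Installer, while the dozens of MSI*.tmp entries fold into two hashes.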

Analysis: behavioral3

Detonation Overview

Submitted

2023-08-06 06:10

Reported

2023-08-06 06:19

Platform

win10v2004-20230703-en

Max time kernel

484s

Max time network

522s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Whatsapp.msi

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Public\jF\u9.exe N/A
N/A N/A C:\Users\Admin\Documents\robot\elf.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\hxrobot = "C:\\Users\\Admin\\Documents\\robot\\elf.exe" C:\Users\Admin\Documents\robot\elf.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4332 set thread context of 1728 N/A C:\Users\Public\jF\u9.exe C:\Users\Public\Documents\t\spolsvt.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\el.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\wavoip\build\Release\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\cs.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ru.pak C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\WhatsApp\WhatsApp plus\SquirrelSetup.log C:\Program Files (x86)\WhatsApp\WhatsApp plus\Update.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\mr.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\es-419.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\hr.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\node-quarantine\build\Release\binding.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\snapshot_blob.bin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\v8_context_snapshot.bin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\chrome_200_percent.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\de.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\fi.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\lt.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\sr.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\windows-focus-assist\build\Release\focus-assist.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\squirrel.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\da.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\he.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ko.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\tr.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\node-shared-mem\build\Release\node_shared_mem.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\vulkan-1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\icudtl.dat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\libEGL.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\fil.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ms.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\SquirrelSetup.log C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\WhatsApp.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\ffmpeg.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\electron-panel-window\build\Release\NativeExtension.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\ql-win32\bin\win32-x64-87\ql-win32.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\windows-quiet-hours\bin\win32-x64-87\windows-quiet-hours.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\libGLESv2.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\en-GB.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\pt-BR.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\node-quarantine\bin\win32-x64-87\node-quarantine.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\wavoip\build\Release\vcruntime140_1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\windows-focus-assist\bin\win32-x64-87\windows-focus-assist.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\vk_swiftshader.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\am.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\id.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\lv.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ml.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\electron-panel-window\bin\win32-x64-87\electron-panel-window.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\Update.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\WhatsApp\WhatsApp plus\packages\.betaId C:\Program Files (x86)\WhatsApp\WhatsApp plus\Update.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\bn.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\zh-CN.pak C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files (x86)\WhatsApp\WhatsApp plus\SquirrelSetup.log C:\Program Files (x86)\WhatsApp\WhatsApp plus\Update.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\hu.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\et.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\it.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\nb.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\pt-PT.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\sk.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\te.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\ql-win32\build\Release\binding.node C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e58a8be.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAB30.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAB7F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAC7A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58a8c0.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e58a8be.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAA26.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{8F8EB75E-D7C7-4B2A-BBD4-3CC4F98C7AA7} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB5A3.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\whatsapp\ = "URL:whatsapp" C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\PackageCode = "11FE28F678602204588BDDDE05E5B591" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB6F8A2A053124E4D835B0A95DA361FB C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList\PackageName = "Whatsapp.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\whatsapp C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\whatsapp\shell\open\command C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\whatsapp\shell\open\command\ = "\"C:\\Program Files (x86)\\WhatsApp\\WhatsApp plus\\app-2.2310.5\\WhatsApp.exe\" \"%1\"" C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\whatsapp\shell\open C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\jF C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB6F8A2A053124E4D835B0A95DA361FB\E57BE8F87C7DA2B4BB4DC34C9FC8A77A C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\whatsapp\shell C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E57BE8F87C7DA2B4BB4DC34C9FC8A77A C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\Version = "16777216" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000_Classes\whatsapp\URL Protocol C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\ProductName = "WhatsApp plus" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\E57BE8F87C7DA2B4BB4DC34C9FC8A77A\Language = "2052" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Public\jF\u9.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Public\jF\u9.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2900 wrote to memory of 4076 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2900 wrote to memory of 1124 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2900 wrote to memory of 2020 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4076 wrote to memory of 4332 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\jF\u9.exe
PID 4332 wrote to memory of 1728 N/A C:\Users\Public\jF\u9.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4332 wrote to memory of 1912 N/A C:\Users\Public\jF\u9.exe C:\Users\Admin\Documents\robot\elf.exe
PID 4332 wrote to memory of 4592 N/A C:\Users\Public\jF\u9.exe C:\Windows\SysWOW64\cmd.exe
PID 1348 wrote to memory of 2952 N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe
PID 1348 wrote to memory of 2952 N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe
PID 1348 wrote to memory of 2952 N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe
PID 1348 wrote to memory of 2952 N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe
PID 1348 wrote to memory of 2952 N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe
PID 1348 wrote to memory of 2952 N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe
PID 1348 wrote to memory of 2952 N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe
PID 1348 wrote to memory of 2952 N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe
PID 1348 wrote to memory of 2952 N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe
PID 1348 wrote to memory of 2952 N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe
PID 1348 wrote to memory of 2952 N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe
PID 1348 wrote to memory of 2952 N/A C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Whatsapp.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A172FA18B1A55AC876A75F98659059DF C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 4C30B32B9B01740984CEBD908FD3F076

C:\Users\Public\jF\u9.exe

"C:\Users\Public\jF\u9.exe"

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Admin\Documents\robot\elf.exe

"C:\Users\Admin\Documents\robot\elf.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del u9.exe

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe"

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe" --type=gpu-process --field-trial-handle=1628,9596683091568775057,73900870488701962,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1636 /prefetch:2

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\WhatsApp /prefetch:7 --no-rate-limit --no-upload-gzip --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\WhatsApp\Crashpad --url=https://crashlogs.whatsapp.net/wa_clb_data?access_token=1063127757113399%7C745146ffa34413f9dbb5469f5370b7af --annotation=_productName=WhatsApp --annotation=_version=2.2310.5 --annotation=prod=Electron --annotation=ver=12.2.3 --initial-client-data=0x850,0x84c,0x854,0x844,0x858,0x7ff608b12bc0,0x7ff608b12bd0,0x7ff608b12be0

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1628,9596683091568775057,73900870488701962,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --standard-schemes=whatsapp --secure-schemes=whatsapp --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=1912 /prefetch:8

C:\Program Files (x86)\WhatsApp\WhatsApp plus\Update.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\Update.exe" --checkForUpdate https://web.whatsapp.com/desktop/windows/release/x64?version=2.2310.5

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe" --type=renderer --autoplay-policy=no-user-gesture-required --field-trial-handle=1628,9596683091568775057,73900870488701962,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --standard-schemes=whatsapp --secure-schemes=whatsapp --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --app-user-model-id=com.squirrel.WhatsApp.WhatsApp --app-path="C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar" --no-sandbox --no-zygote --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2380 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe csproduct get /value"

C:\Program Files (x86)\WhatsApp\WhatsApp plus\Update.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\Update.exe" --checkForUpdate https://web.whatsapp.com/desktop/windows/release/x64?version=2.2310.5

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic.exe csproduct get /value

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\wbem\wmic.exe /namespace:\\root\wmi path MS_SystemInformation get /value"

C:\Windows\system32\wbem\WMIC.exe

C:\Windows\system32\wbem\wmic.exe /namespace:\\root\wmi path MS_SystemInformation get /value

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

"C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1628,9596683091568775057,73900870488701962,131072 --enable-features=WebComponentsV0Enabled --disable-features=CertVerifierService,CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=audio --standard-schemes=whatsapp --secure-schemes=whatsapp --bypasscsp-schemes --cors-schemes --fetch-schemes --service-worker-schemes --streaming-schemes --mojo-platform-channel-handle=2984 /prefetch:8

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3ec 0x3f4

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 254.109.26.67.in-addr.arpa udp
US 8.8.8.8:53 45.147.19.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 jf.wccabc.com udp
HK 43.249.29.99:3927 jf.wccabc.com tcp
US 8.8.8.8:53 99.29.249.43.in-addr.arpa udp
US 8.8.8.8:53 xfer.10jqka.com.cn udp
CN 175.6.25.18:80 xfer.10jqka.com.cn tcp
N/A 127.0.0.1:59156 tcp
US 8.8.8.8:53 18.25.6.175.in-addr.arpa udp
US 8.8.8.8:53 huanpy.oss-cn-hongkong.aliyuncs.com udp
HK 47.75.19.161:443 huanpy.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 161.19.75.47.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 199.111.78.13.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 web.whatsapp.com udp
IE 31.13.73.52:443 web.whatsapp.com tcp
US 8.8.8.8:53 52.73.13.31.in-addr.arpa udp
US 8.8.8.8:53 web.whatsapp.com udp
IE 31.13.73.52:443 web.whatsapp.com tcp
IE 31.13.73.52:443 web.whatsapp.com tcp
IE 31.13.73.52:443 web.whatsapp.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\MSI9431.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI983A.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI98C7.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI9964.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI9BB7.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI9C35.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI9C55.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI3913.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI39D0.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI3A3E.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSIAA26.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSIAB30.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSIAB7F.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSIAC7A.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\WhatsApp.exe

MD5 1157e62b77b905f01f99388fea1c933a
SHA1 bb8b87655f2e634bb90a964f00690b9aa9f044bf
SHA256 288dce85890e7c5350886b082eb20e3b19159906c3431e6e81a54c95cf722760
SHA512 bd1fe6961d03ea5bfaa1fc0bd9962ecc7c97d5bbd9644b07f6378e7648b582f71a63c56f82a635aebee5b3a9b3b8159ef6021d1bf348bb3d7e9ecb5def43b1bf

\??\Volume{87184775-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{319d23ef-4f41-491b-960c-c265096cf17f}_OnDiskSnapshotProp

MD5 ae08c1cc89a77dd5d6e148ec9c984c9f
SHA1 725acd1c433b9e2e5dfcf8d441b6f3c5e3f6a450
SHA256 7c3e8e54efad371004ba401c9793f6b3eecb62bf270b6908fea3611e2e99774e
SHA512 5c681a1105df08d1a1647e02c189245c9c726fc72064198ae142b90402d6b3143acc7bff5018495e022d70493b9bbc68ce2688af43cddd152b386abcd3bc9b19

C:\Config.Msi\e58a8bf.rbs

MD5 c4a35970dbc4c807afb5f1263ca756de
SHA1 6a9bf4fd1b6eb4138ede11c5b3bd7f289e32f28f
SHA256 e7b7af54cabf1971a33438ac21c9bc2c167c38a8d1c3d9acd57f7f37ce0f14c1
SHA512 4660e6e942ef3014a5a8ed015e910349daf3861cf678837333248ea792a4bd36138bc7cd6ffe1b61837df52bf5b1ae44e1ffe734c3f838d4e63b676d2910d630

C:\Windows\Installer\e58a8be.msi

MD5 efa5dbed98ee67aaad29dcb32a333ef4
SHA1 cdd185b6c158052fb7d888d0ba2ec0a164843f6f
SHA256 b360f349017399408e0680d71b9c3e774a89ae19259a8396e697fccb18867960
SHA512 9b4fd7bdf60489ad2b6fdd9863a035a7395f6ca462be190083295faff90c365468e3207b5acc1cc95a71f060b8185e53514a8e5c2c7deceec064895814ded0a4

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 5f4c9346f03613e2e61caef816a979df
SHA1 78334e13034f6d838b2da6a5677582cf369cb021
SHA256 388e444350d9a1192fed1c3f5c199625d6f32795a0050bcb789b4f64871a8ad8
SHA512 86846ef23eca6c4d4a4c6b619c0768b95a609bde130f949c471774ef0b0c00e3c337dc571a4c17c758b26638f4b533b1c7de9a26c7666e57c9d8ce873ef6caa9

C:\Users\Admin\AppData\Local\Temp\MSI223.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Public\jF\u9.exe

MD5 92bd14c4a22b2aed0fe832f2b1174af0
SHA1 f08d2d2e6a6ffc92a7133d0ceaf01963cfaebe86
SHA256 7107606074d34bfb3d9a659b21bf84e55692b810b8e7d60c677b86b6477fdd7a
SHA512 bbc16c3595cf20a6aec3811975d8ae4121220f4549456dca9a4cc03e0d13131139736fa669d0dd941052f0cee25cf7d6d251e5cc61e34a22e712b19751c68b6a

memory/4332-332-0x0000000000400000-0x000000000087A000-memory.dmp

memory/4332-333-0x0000000076F80000-0x0000000077195000-memory.dmp

memory/4332-4208-0x0000000076740000-0x00000000768E0000-memory.dmp

memory/4332-6217-0x00000000766C0000-0x000000007673A000-memory.dmp

memory/4332-13404-0x0000000000400000-0x000000000087A000-memory.dmp

memory/1728-13407-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1728-13406-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1728-13408-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/1728-13412-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1728-13414-0x0000000010000000-0x000000001002A000-memory.dmp

C:\Users\Public\jF\UnRAR.dll

MD5 c5587655293f83c72f0c88c74660dd10
SHA1 675d7cac72e4caebebd7c2a88403d138b69acd89
SHA256 a647aec65edb9736ad9bbc60a99779d18438b783b3a7045533de97ba4134f4fe
SHA512 6b275764ba29dd5d2f789107de1b98095f42fe4929b725b5599136a6a626e32432fcb223ce1cf89050874102f0d24e6911c170e4d50a023dab4604c383380fd1

C:\Users\Admin\Documents\robot\elf.exe

MD5 33922d12e5bb8f40ecddf816124ae93d
SHA1 28244217fa205f12cf40278e97a3a01e6d7366a3
SHA256 255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158
SHA512 1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973

C:\Users\Admin\Documents\robot\LoggerCollector.dll

MD5 47fe0ab041a9c28fe838eb1b11556e33
SHA1 b7128f679230730cf477f3c081235de118c98960
SHA256 29fc393b56fcfa4a242c7bc5177b0861072f35c7c8be2546115e0f34d059e2bf
SHA512 7191170e244dac3b176bf89c67511b5938751471d84f73c58c3ff7fef3e6e1e70c3af5d3143cf3b66be461152b80845231fc6a3fafc31328193d47edd2961a40

C:\Users\Admin\Documents\robot\skin\mainres.xml

MD5 47fb824e5df4deb39e5b5342e833d8e4
SHA1 3196520d4dabefd5b4eb6c689210d5ce459476da
SHA256 04fb5ba3130fb6cb99ce5d5ffa11a8df2d2c02fcb9dd3517d691bf97e0369289
SHA512 fb64455995630400f73a4725e365e44c8d77dd1ccb534c2ba8a0ff50cf42c9b838abe7bf63e98596bc40466a3c7eafda29d7981564684772afd3cba136e6bb42

C:\Users\Admin\Documents\robot\skin\Robot\icon_wnd.xml

MD5 f74ff1f559d4f5a7af7b09b00d17a3f7
SHA1 7ae57ae206977eb874cf1037e7dedb37cb464e4b
SHA256 1ebba2b9a0d222642016121ca19ee5cd6d1b32f40b43bd57aed165dc8dcdf781
SHA512 fc26f6af3c8e0d642a91e31e5060db94d7ed2cce33619a4d8e9b78c68b95b397db15863165ce536fbc364f2e361772ffb86be61e3d9a921011f167ca9c9d9c51

C:\Users\Admin\Documents\robot\skin\Robot\Robot.xml

MD5 2fdb0ba1aa4f2088d10468757490b3fc
SHA1 3757f286d6fa2585747bf6135eb8c927bc3145b8
SHA256 6f1d5abe5173cab5a5d5553d6ebf4c78f0b0d587337c8c942c170acf24d9f02a
SHA512 aba55dd158a645d76c05c5b4e226547b42619f123de30050963cced626b914dce7c79574eca4f222b6eaae3a0acfd737818a423fc4bdf1402a31979f859fdaaa

C:\Users\Admin\Documents\robot\skin\Robot\push_wnd.xml

MD5 ee58358ad4380ad0da672cdb49247454
SHA1 e99376e5eaa92538221789ff8f25768d83f0cf1e
SHA256 633b462f98038aa0f9ab302d3cd0def8352fde79990af747b3c97b49ebab2103
SHA512 eded6474a11deb02292682e3354b2d7d17ac898348f533fc13a74451fb5a312ec25a0de69bd40d2b9a4159e2284834277b47072b2e8990780f6783519b0dfda3

C:\Users\Admin\Documents\robot\switch.json

MD5 8a6f8c090d4880784c56b05d8713b89f
SHA1 8bf2e9cbc79cc9260735e0c404c8b113e013dc2b
SHA256 d4eeec8400896106129b016ea0748c5bcf9e7878383c9450605cf3ba667d46a2
SHA512 d3822b85641a8b887a2b846748cab978130fe68e126016ee6e9b632983cdc70215eac186ec980de0a6282b562a8946215e2f0e65e2b2a7a99aa808c728dfe095

memory/4332-13492-0x0000000000400000-0x000000000087A000-memory.dmp

memory/4332-13497-0x0000000000400000-0x000000000087A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSIB651.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI3631.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\ffmpeg.dll

MD5 5963feb848d7dc57541c041bc6f7539e
SHA1 fc2d66b84a003192b9ce2536c7bd2351eddfcd47
SHA256 1817f50f1bc77c512149d6be845a420eac4be4c2f3233ade61f61d77f8f87dbd
SHA512 0948b13487cc949a1d37e98f7605110c8b581d94a2ee8d16cdab1ea159d82e8b7dd636025246b95d3d7f9f33a0ce7ff8a9e262756badfc8e8a3f5a6dc09de38a

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\v8_context_snapshot.bin

MD5 b64c1fc7d75234994012c86dc5af10a6
SHA1 d0d562b5735d28381d59d0d86078ff6b493a678e
SHA256 31c3aa5645b5487bf484fd910379003786523f3063e946ef9b50d257d0ee5790
SHA512 6218fcb74ef715030a2dd718c87b32f41e976dd4ce459c54a45341ee0f5ca5c927ad507d3afcffe7298b989e969885ed7fb72030ea59387609e8bd5c4b8eb60a

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\icudtl.dat

MD5 70499b58dc18e7ee1d7452a1d7a8bc6e
SHA1 41c5382f08c6a88670ce73a20c0dcdb3822f19e9
SHA256 02db39ba465fc8b7a4cd280732760f29911edde87b331bf7cea7677e94d483e0
SHA512 a80939e9809bb7d20f00ad685c94d5c182fa729616c975e605abf09afb58376be73a49fefa35b75ed1a284eccf208af7656c8df44c5959df7eaf51367d232dc6

C:\Program Files (x86)\WhatsApp\WhatsApp plus\update.exe

MD5 94bf0cf7fb285fa7e336ec30e3994e22
SHA1 8475fbbe356791d40fc873ef3cc9f554ee15a49b
SHA256 62ebeaf33b43417b99ea8e918b41c8c9a0d6acc53d47dd450de99f8ddbb9fa11
SHA512 8b71326289a3228e127a87b66a1002ee54ef5cdd3d9beedd26ec02dff70ec689f326dd652f1c8b377d78a58a0ca027ac7fcecbd8be70b686d1201b549a398726

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar

MD5 8adfcf5e1c94cb641af975373fc2a013
SHA1 a68b1d6c064395a3b2bc60bd94972f3806c76c4a
SHA256 64d2951477c43e59944f7b169de2d22fdcd342d4d75b9d582d789d0330d62add
SHA512 eb41113e5aab37a72a248fd5943fe256a26bfb19f14fa00f781287096defc5b10d9e0f8665fad6068ed3f565c1623e71afbe380180369c4fe36d117971c4cd09

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\keytar\build\Release\keytar.node

MD5 b7ab76624efc7219962eacbfdf231b41
SHA1 f7ff359cd7aa0d39d26687cc7014dedd2738ad53
SHA256 56c3f149c7811c81f6129896d2f06c6052d7bd85c20c4c26f65539db2c33fba1
SHA512 472851b0ad5f8f11e7143bb7ceeb5cde58c6613a3be7fb3f356c6eae2a90fe0972c50bbf6ce511e9b57a9242aa7a8fb727b024a20fa4e803bd3772a2cd71945a

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources.pak

MD5 5507bc28022b806ea7a3c3bc65a1c256
SHA1 9f8d3a56fef7374c46cd3557f73855d585692b54
SHA256 367467609a389b67600628760c26732fc1a25f563f73263bc2c4bf6eec9033df
SHA512 ae698d4feacc3e908981ee44df3a9d76e42a39bf083eaf099442ace2b863f882b43232e26e2c18051ca7aec81dccef5742acc7b82fb0cda2e14086b14d5a9a26

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\en-US.pak

MD5 6bbeeb72daebc3b0cbd9c39e820c87a9
SHA1 bd9ebec2d3fc03a2b27f128cf2660b33a3344f43
SHA256 ac1cdb4fb4d9fb27a908ed0e24cc9cc2bd885bc3ffba7e08b0b907fd4d1a8c4b
SHA512 66944fb1abcc2a7e08e5fd8a2cee53eb9da57653d7880aea226f25879e26379f7d745ebf62a3518378fa503f3a31b3ea3716f49fe4c7db4f4af0228b81b53a10

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\chrome_200_percent.pak

MD5 1985b8fc603db4d83df72cfaeeac7c50
SHA1 5b02363de1c193827062bfa628261b1ec16bd8cf
SHA256 7f9ded50d81c50f9c6ed89591fa621fabbd45cef150c8aabcceb3b7a9de5603b
SHA512 27e90dd18cbce0e27c70b395895ef60a8d2f2f3c3f2ca38f48b7ecf6b0d5e6fefbe88df7e7c98224222b34ff0fbd60268fdec17440f1055535a79002044c955b

C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\chrome_100_percent.pak

MD5 a59ea69d64bf4f748401dc5a46a65854
SHA1 111c4cc792991faf947a33386a5862e3205b0cff
SHA256 f1a935db8236203cbc1dcbb9672d98e0bd2fa514429a3f2f82a26e0eb23a4ff9
SHA512 12a1d953df00b6464ecc132a6e5b9ec3b301c7b3cefe12cbcad27a496d2d218f89e2087dd01d293d37f29391937fcbad937f7d5cf2a6f303539883e2afe3dacd

memory/2952-13524-0x00007FF8550A0000-0x00007FF8550A1000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

MD5 f3b25701fe362ec84616a93a45ce9998
SHA1 d62636d8caec13f04e28442a0a6fa1afeb024bbb
SHA256 b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209
SHA512 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

memory/2112-13567-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/2112-13566-0x0000000000960000-0x0000000000B8A000-memory.dmp

memory/2112-13569-0x0000000005530000-0x0000000005540000-memory.dmp

C:\Users\Admin\AppData\Roaming\WhatsApp\IndexedDB\file__0.indexeddb.leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

memory/2112-13593-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/2732-13598-0x0000000074910000-0x00000000750C0000-memory.dmp

memory/2732-13599-0x0000000005700000-0x0000000005710000-memory.dmp

memory/2732-13608-0x0000000074910000-0x00000000750C0000-memory.dmp

C:\Users\Admin\AppData\Roaming\WhatsApp\File System\Origins\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Roaming\WhatsApp\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\index.txt

MD5 ccbf7ab55f0d69fbe7ddec28e5c1f4b3
SHA1 c3d35f57a7332704c7b27ad308d8be9602dc95cb
SHA256 dee842c59d6a7ee00db12c306683d9d99fdd7b36c1c7d61590a4edf9b1de92f2
SHA512 137d4c278305f6ac18de65a989ae05ab0216178e4e02cf14532227546adaed7c6603e45430bd557a43385386ccfe880e2774a2d66edab70d345ed53a9051834d

C:\Users\Admin\AppData\Roaming\WhatsApp\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\index.txt

MD5 0392ee782bdb64a4cc0ae943588ac22a
SHA1 ebe4add5eb33ddf7d8b9e96b3a2bbdee36917e2d
SHA256 dc84ed187c5217bb0a6657e02842dc69657228a76f8d10a6fb3f7ffd4ad2225a
SHA512 8735800f8da3663db0f39625cdc4e097e9b61d13e8ce09f85e7ef599f0fb1ab82edd7c02a8664412dcbbc4aaa67140c1c70853bb26aa5c6650d6729637c97c4a

C:\Users\Admin\AppData\Roaming\WhatsApp\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\28a69ff7-4a89-403d-b7d2-606a1b8ae5f4\index-dir\the-real-index

MD5 41d7d4ec305dd6cc1c562cb24c68fbdb
SHA1 a125ce1842951f26c7b70d5c5c9f4b5594becea3
SHA256 0e9e2a33619ef1470e2a2d862d0b71e1c3fae4a5b6ae1284a937159a27734782
SHA512 f95a0577bf853686d4dfeb37a76f26cd0d6ec7dc30a96a8895a080471505fb892caa4f019278ea0faf5aef71c71ff6427b4073e4a74a469c7b344d2cfe461c30

C:\Users\Admin\AppData\Roaming\WhatsApp\Network Persistent State

MD5 e8c80349c3fd50606dd0ef8faf0b41cf
SHA1 dd57a9c87a2d3b745165616487c29243727e38e9
SHA256 4c7534eaa1b0e94bf5b49acccac70c3ded62f2e345c1c19dfcbff078f03366a9
SHA512 b76b26f6ead4d2559449885f1a3c6dde1c5c1098a0e9f06bd3e8a5b36fb25b632c4fee064617246b17748bd081e5e58b3c0756cd17e0356205cd4ce8710c4f70

C:\Users\Admin\AppData\Roaming\WhatsApp\Network Persistent State~RFe5b4070.TMP

MD5 2800881c775077e1c4b6e06bf4676de4
SHA1 2873631068c8b3b9495638c865915be822442c8b
SHA256 226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974
SHA512 e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

C:\Users\Admin\AppData\Roaming\WhatsApp\Service Worker\CacheStorage\3e8ad32ef6e0ff2c8dfb0722a7a862f0a1038fb3\28a69ff7-4a89-403d-b7d2-606a1b8ae5f4\index-dir\the-real-index~RFe5b4051.TMP

MD5 1ec86217a0af0bd0560395cd0a90b081
SHA1 228ac525e6301fa78cb3e325d066b705badfc3df
SHA256 b7167c6133270d83b116b2daa394439842b6d8b61a357dcdfb40971cbe2586dc
SHA512 bec998617affe26b75324d220622f2f47c597cf1dd17e585fa72c07e45d5b33d62d2a22debb8ccb323b4b6e09415518ada810876ef09dea80740dd6836abe831

C:\Users\Admin\AppData\Roaming\WhatsApp\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Roaming\WhatsApp\GPUCache\data_2

MD5 0962291d6d367570bee5454721c17e11
SHA1 59d10a893ef321a706a9255176761366115bedcb
SHA256 ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7
SHA512 f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

C:\Users\Admin\AppData\Roaming\WhatsApp\GPUCache\data_3

MD5 41876349cb12d6db992f1309f22df3f0
SHA1 5cf26b3420fc0302cd0a71e8d029739b8765be27
SHA256 e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c
SHA512 e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e