dddff8c76f01f60cb373d71c073c9e5f09f7ca57ced4f5cea1eaaced2ab48353

Analysis

max time kernel
144s
max time network
152s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
02/10/2023, 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WhatsApp.msi
Size

124.6MB
MD5

31a882ef9d5a0c2c2954de8e4f5b1f5a
SHA1

8b5837fe4a119637f47ed2328d8aed6b2c130592
SHA256

dddff8c76f01f60cb373d71c073c9e5f09f7ca57ced4f5cea1eaaced2ab48353
SHA512

d2f6cedc146b76609e8ab9b7fa320a291976e024d6bf96dbb1945de11a142aa659660064166bca7210d7220e40816d9482178d2a2606950dd9dece3637e62641
SSDEEP

3145728:gk9pnvYFF5AhV6BDv8UGLVxfjPC3drAuBpBqGghd9z:pYZA+b8nl3uBpDY

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4372	ApplicatonLaunch.exe
4956	ApplicatonLaunch.exe

Loads dropped DLL 8 IoCs

pid	Process
820	MsiExec.exe
820	MsiExec.exe
820	MsiExec.exe
820	MsiExec.exe
820	MsiExec.exe
1760	MsiExec.exe
1760	MsiExec.exe
1760	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI3BDB.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1DC3DDD9-883A-4554-9E28-B30BE074FC46}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI68F9.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\e583ad2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3D05.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3DB2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\e583ad2.msi	msiexec.exe

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2884	4372	WerFault.exe	88
1992	4956	WerFault.exe	91
4480	4956	WerFault.exe	91

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe

Modifies Internet Explorer settings 1 TTPs 14 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\DOMStorage\client.anscxnyn.com	ApplicatonLaunch.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	ApplicatonLaunch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\DOMStorage\client.anscxnyn.com\ = "40"	ApplicatonLaunch.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\DOMStorage\anscxnyn.com	ApplicatonLaunch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\DOMStorage\anscxnyn.com\Total = "40"	ApplicatonLaunch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "40"	ApplicatonLaunch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\DOMStorage\anscxnyn.com\Total = "40"	ApplicatonLaunch.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\DOMStorage\anscxnyn.com	ApplicatonLaunch.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\DOMStorage	ApplicatonLaunch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\DOMStorage\client.anscxnyn.com\ = "40"	ApplicatonLaunch.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\DOMStorage\client.anscxnyn.com	ApplicatonLaunch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\DOMStorage\anscxnyn.com\NumberOfSubdomains = "1"	ApplicatonLaunch.exe
Key created	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	ApplicatonLaunch.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1894964180-3551943068-3090682958-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "40"	ApplicatonLaunch.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
4428	msiexec.exe
4428	msiexec.exe
1824	powershell.exe
1824	powershell.exe
1824	powershell.exe
4936	powershell.exe
4936	powershell.exe
4936	powershell.exe
4936	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2576	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2576	msiexec.exe
Token: SeSecurityPrivilege	4428	msiexec.exe
Token: SeCreateTokenPrivilege	2576	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2576	msiexec.exe
Token: SeLockMemoryPrivilege	2576	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2576	msiexec.exe
Token: SeMachineAccountPrivilege	2576	msiexec.exe
Token: SeTcbPrivilege	2576	msiexec.exe
Token: SeSecurityPrivilege	2576	msiexec.exe
Token: SeTakeOwnershipPrivilege	2576	msiexec.exe
Token: SeLoadDriverPrivilege	2576	msiexec.exe
Token: SeSystemProfilePrivilege	2576	msiexec.exe
Token: SeSystemtimePrivilege	2576	msiexec.exe
Token: SeProfSingleProcessPrivilege	2576	msiexec.exe
Token: SeIncBasePriorityPrivilege	2576	msiexec.exe
Token: SeCreatePagefilePrivilege	2576	msiexec.exe
Token: SeCreatePermanentPrivilege	2576	msiexec.exe
Token: SeBackupPrivilege	2576	msiexec.exe
Token: SeRestorePrivilege	2576	msiexec.exe
Token: SeShutdownPrivilege	2576	msiexec.exe
Token: SeDebugPrivilege	2576	msiexec.exe
Token: SeAuditPrivilege	2576	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2576	msiexec.exe
Token: SeChangeNotifyPrivilege	2576	msiexec.exe
Token: SeRemoteShutdownPrivilege	2576	msiexec.exe
Token: SeUndockPrivilege	2576	msiexec.exe
Token: SeSyncAgentPrivilege	2576	msiexec.exe
Token: SeEnableDelegationPrivilege	2576	msiexec.exe
Token: SeManageVolumePrivilege	2576	msiexec.exe
Token: SeImpersonatePrivilege	2576	msiexec.exe
Token: SeCreateGlobalPrivilege	2576	msiexec.exe
Token: SeCreateTokenPrivilege	2576	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2576	msiexec.exe
Token: SeLockMemoryPrivilege	2576	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2576	msiexec.exe
Token: SeMachineAccountPrivilege	2576	msiexec.exe
Token: SeTcbPrivilege	2576	msiexec.exe
Token: SeSecurityPrivilege	2576	msiexec.exe
Token: SeTakeOwnershipPrivilege	2576	msiexec.exe
Token: SeLoadDriverPrivilege	2576	msiexec.exe
Token: SeSystemProfilePrivilege	2576	msiexec.exe
Token: SeSystemtimePrivilege	2576	msiexec.exe
Token: SeProfSingleProcessPrivilege	2576	msiexec.exe
Token: SeIncBasePriorityPrivilege	2576	msiexec.exe
Token: SeCreatePagefilePrivilege	2576	msiexec.exe
Token: SeCreatePermanentPrivilege	2576	msiexec.exe
Token: SeBackupPrivilege	2576	msiexec.exe
Token: SeRestorePrivilege	2576	msiexec.exe
Token: SeShutdownPrivilege	2576	msiexec.exe
Token: SeDebugPrivilege	2576	msiexec.exe
Token: SeAuditPrivilege	2576	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2576	msiexec.exe
Token: SeChangeNotifyPrivilege	2576	msiexec.exe
Token: SeRemoteShutdownPrivilege	2576	msiexec.exe
Token: SeUndockPrivilege	2576	msiexec.exe
Token: SeSyncAgentPrivilege	2576	msiexec.exe
Token: SeEnableDelegationPrivilege	2576	msiexec.exe
Token: SeManageVolumePrivilege	2576	msiexec.exe
Token: SeImpersonatePrivilege	2576	msiexec.exe
Token: SeCreateGlobalPrivilege	2576	msiexec.exe
Token: SeCreateTokenPrivilege	2576	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2576	msiexec.exe
Token: SeLockMemoryPrivilege	2576	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2576	msiexec.exe
2576	msiexec.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4372	ApplicatonLaunch.exe
4372	ApplicatonLaunch.exe
4372	ApplicatonLaunch.exe
4372	ApplicatonLaunch.exe
4956	ApplicatonLaunch.exe
4956	ApplicatonLaunch.exe
4956	ApplicatonLaunch.exe
4956	ApplicatonLaunch.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 820	4428	msiexec.exe	72
PID 4428 wrote to memory of 820	4428	msiexec.exe	72
PID 4428 wrote to memory of 820	4428	msiexec.exe	72
PID 4428 wrote to memory of 4208	4428	msiexec.exe	76
PID 4428 wrote to memory of 4208	4428	msiexec.exe	76
PID 4428 wrote to memory of 1760	4428	msiexec.exe	78
PID 4428 wrote to memory of 1760	4428	msiexec.exe	78
PID 4428 wrote to memory of 1760	4428	msiexec.exe	78
PID 4428 wrote to memory of 4012	4428	msiexec.exe	79
PID 4428 wrote to memory of 4012	4428	msiexec.exe	79
PID 4012 wrote to memory of 1824	4012	cmd.exe	82
PID 4012 wrote to memory of 1824	4012	cmd.exe	82
PID 4012 wrote to memory of 4936	4012	cmd.exe	87
PID 4012 wrote to memory of 4936	4012	cmd.exe	87

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\WhatsApp.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2576

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 45E6E0108FD509077D4F1C00B546AB52 C
  2⤵
  - Loads dropped DLL
  PID:820
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4208
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 61BD47F598C85B2363BAA23F6A7EFE31
  2⤵
  - Loads dropped DLL
  PID:1760
- C:\Windows\system32\cmd.exe
  cmd.exe /c install.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-AppxPackage *.dat
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1824
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Add-AppxPackage *.dll
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4936

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4724

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2220

C:\Users\Admin\AppData\Roaming\WhatsApp 独立版\ApplicatonLaunch.exe
"C:\Users\Admin\AppData\Roaming\WhatsApp 独立版\ApplicatonLaunch.exe"
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4372
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 2372
  2⤵
  - Program crash
  PID:2884

C:\Users\Admin\AppData\Roaming\WhatsApp 独立版\ApplicatonLaunch.exe
"C:\Users\Admin\AppData\Roaming\WhatsApp 独立版\ApplicatonLaunch.exe"
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:4956
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 1992
  2⤵
  - Program crash
  PID:1992
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4956 -s 2276
  2⤵
  - Program crash
  PID:4480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e583ad3.rbs

Filesize
3KB

MD5
8905575a4515c2805f610370577f7250

SHA1
0dc841d032d42cb9ba7bbf304eb6c1a5a36e06a1

SHA256
f621b9c33f14e9aa3323d5c1c3530d37033d7dde2590f08aa60637c4951c01c7

SHA512
06e1e18a8d8047e7d1e15591bc150b90bc305611421def042a01e898b6959192c79c3d45c98bf4fc4607f432009a443fc760a3339e43785fecb76a8e10c90264

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

Filesize
717B

MD5
60fe01df86be2e5331b0cdbe86165686

SHA1
2a79f9713c3f192862ff80508062e64e8e0b29bd

SHA256
c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8

SHA512
ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
300B

MD5
dec6bbe308eb44937f77160a25ee32db

SHA1
8f08a4b641b564b67205e00106ca6bd9ca46fc6e

SHA256
68a71de28f488586c2b169f4652347e0a1fd632d48a6d6725393607bfa18bc7e

SHA512
6c2d684af52588cfd34a682337749b829c2336b34d6add7e8bd6e0c641862c26889617b4d6e9f298fd177b89527deb696c493a205ea8490bb8aee60090a68475

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

Filesize
192B

MD5
1918d7f2e96002ccd911a23953e04d5f

SHA1
088c6d39f5f0f4be0cae30b99eaa4d840e0014cc

SHA256
43fd289cca39a544c1980cce8b58ffabd0e464af3c6f337629f3193808dab815

SHA512
c786cfd27155c030050ac2a8b4155cae678c15f7fe9b2451c510c99fb69eff5743b184994455818c979cde6b3a31ce14209c1790c232fee4c1444ef77283f6e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1495DD322A24490E2BF2FAABAE1C61

Filesize
192B

MD5
eff70693f3410cb1370cb5292f35992f

SHA1
27728568049ba5c36a3ad3c1e72d27439443b734

SHA256
9a38ce8076d7169975c0120e2b3fb93f829e3d2f0319010539571956eba9e6a3

SHA512
f462acdaf48511981bec4079d0c617cfe92b6981aa32a832d735e3154365af86b71d970ae98304724c709368052a2d904be14ce252c6354082449e52e8e1a6f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
5df65be66aaf93d9d83722db465a94a7

SHA1
bdd9f09dee03f9374aee6f050b5b6446635a2433

SHA256
d7e63656df5d23289bf83220f1a694d86531edf268ec9a5cd0daa1fe87c1fc99

SHA512
4090951df0b7a3dedf9402a007e9f71f37a3009eb701c4f80621a88a4e0f15fa73571ffd63dc656d8eef16978867ff2b837ef838665003aa20f25e15b3858abc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\E1VRYZ09\client.anscxnyn[1].xml

Filesize
114B

MD5
e9a0aa83e7c30a8253eac552b3433b21

SHA1
2a9d7560941bad41a035161afbff1e64c75116f3

SHA256
151f00293c4d2a3d6a2875a5fe7aa0fc733f9b88fafd08196afeea3625dd1657

SHA512
c357eb0fc1fcf9308a98a65385766284733064df80d0c9d113570c73b6acbe31b6bd53ca24bc065ccc55ab77dfe8e035a6dc54c8adb103b391f5acf0ed6332d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0G1F2NWK\main.fdf0caa2786c3269572d[1].css

Filesize
149KB

MD5
e521494eaab76cd47c500800e4f7b167

SHA1
8568e69ae91ab80338d49220858bc1fae66d5fbf

SHA256
79acde4aa0ad3feafd96271141640066d0c52c050724b13272b1ca3d6930f8d1

SHA512
c28efaf5a69d497b1878d64ebe1ed194409e21bc611b3769560d224c4e02add38340ffd6c5f3329689d3572fa80a52e828d5bc2b479b5e0a7b35a64f95f5c202

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\12PQGVKB\main~.b66100b3486cd1857cd3[1].css

Filesize
21KB

MD5
840ddae368d7ff1a7b468d1f74a6110b

SHA1
49eca8c4fccae17ddea24becc57e9e5a8986e1d2

SHA256
8a636dbd66666f13902713e7bc7d2e1cab497b299f533495759a2c68c459c5a4

SHA512
533943e162db8e4add3f8647e064f458058ee8efbaceccefd7bd27e1f30b436cbab7d83f32154bdb6d5788362a9cad43eaa95056e123e5cf85d9471056613a0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\12PQGVKB\qr-video_0c6ec69b054fdeb31cf3e5e10290fd8e[1].png

Filesize
15KB

MD5
0c6ec69b054fdeb31cf3e5e10290fd8e

SHA1
5b2d2ef0e3b5824addcc34d642769f5f14671411

SHA256
d980ab372658f4c7c8f07d730ef6dc67e3fb3471f37928274f915c0308850994

SHA512
61947eefdefdc94654991e00de1045ca1e781b69fe1c7305614735926e256f007368f3e904207c8612e03d09e904e03b2a69a4cb297672a49952b2dda5459ca1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DP57REOA\jquery.min[1].js

Filesize
90KB

MD5
e0e0559014b222245deb26b6ae8bd940

SHA1
e2f3603e23711f6446f278a411d905623d65201e

SHA256
89a15e9c40bc6b14809f236ee8cd3ed1ea42393c1f6ca55c7855cd779b3f922e

SHA512
60740da8f871b8263675db2421b0e565fc18e95c772f7c3d5916f224263cd71a6a2e6acceab2f6f8ba1c0607951f0198f525d87d0589fa57045b1d5f292dacf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\DP57REOA\stylex-ce269a9819ee8f292840728689a22cc5[1].css

Filesize
174KB

MD5
bddd6c64513ffb50747ea146307b410a

SHA1
bf67bf8e2eed16259a332e1a3aaf4ba7f5f0b606

SHA256
775fafc214e32a36e2a39e694322fed097e37d964c9dce65663655b64492d068

SHA512
e5ae5f4d22c0229b5d9aa16dbb6e0b8c7a1ee024fb8fd489ee49b8464285dc69269984148e61313dfa547ebd0019c86fdeb092373256fb385f4376efb0198402

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HCNWBYQW\app-6d34864fd47903428794[1].css

Filesize
186KB

MD5
bfafa571a7a8ba0853896553a2463e98

SHA1
af7358ff5de66bab7fcdbaf3b0b1169084aa5dba

SHA256
69acbe3d7c92af1a509b7351cabfac35b356c18eef8c9299f5ac354acfdba079

SHA512
44961d81b6a14dc1eda31fdba67af0a5b516e2114d232616b1a442cdc610764a31a446cb87100e118d0ee8ff52f39025db019fe5f6dfea97f469935062f35b54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\HCNWBYQW\main[1].js

Filesize
18KB

MD5
66862a6b4f17e1f90f2103511f5f1e69

SHA1
8e3fe4d5d38f950b53a6e7d8e0c8f19d771a6c29

SHA256
a449af42da1b5140cdfac11b04bcbd081af2b6c65eecac9005526ab3f6b13193

SHA512
87b3401d134c3cc37a115bd9fe4caaba89bf79eaf2114b911535b323603c7e63147e0538ac3a31aa63b789115e6969cad8aa4b19811cc34a74cdf31bcc733b35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
352654c7ed5451cd8735edf8ca46d202

SHA1
11cc70bf8531b9a8fa37f6efeca7d8f491c5fa5a

SHA256
6a396d3cb9b901b5a9c9f5573d1fccdae97ac0eb2769cecf30e94acfbd480538

SHA512
f0ce408480d74a09d9f37c88d24e0b9cf95a61c9a6a368ce34a023d66b4817f0386ab2959b94e75a4c96d3afc5a35fb83e0b2f8aee64e0d5f1779490960d8c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBA86.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBC4C.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBCAB.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBCAB.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBD77.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIBED0.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ree32rt1.bg5.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Roaming\WhatsApp 独立版\ApplicatonLaunch.exe

Filesize
2.0MB

MD5
b7c3d07dd8c327f76763c4df0cc7018c

SHA1
ac8b0daf52382c711836cbe00081a6584d7b5f4c

SHA256
ffb8b8c36012a6ddbb4ab91c9b2d9f64c280feffe2a2bd5d3ca536cea6b697b8

SHA512
c4b46878d93ac86e514bbf5323f42446a0b27c1c86fca8b55fca37efc92bb9136fa54f9554a9445686b96dfa3859438c671cb9841f82c21b175bd61cc881e0dd

Download Submit
C:\Users\Admin\AppData\Roaming\WhatsApp 独立版\ApplicatonLaunch.exe

Filesize
2.0MB

MD5
b7c3d07dd8c327f76763c4df0cc7018c

SHA1
ac8b0daf52382c711836cbe00081a6584d7b5f4c

SHA256
ffb8b8c36012a6ddbb4ab91c9b2d9f64c280feffe2a2bd5d3ca536cea6b697b8

SHA512
c4b46878d93ac86e514bbf5323f42446a0b27c1c86fca8b55fca37efc92bb9136fa54f9554a9445686b96dfa3859438c671cb9841f82c21b175bd61cc881e0dd

Download Submit
C:\Users\Admin\AppData\Roaming\WhatsApp 独立版\ApplicatonLaunch.exe

Filesize
2.0MB

MD5
b7c3d07dd8c327f76763c4df0cc7018c

SHA1
ac8b0daf52382c711836cbe00081a6584d7b5f4c

SHA256
ffb8b8c36012a6ddbb4ab91c9b2d9f64c280feffe2a2bd5d3ca536cea6b697b8

SHA512
c4b46878d93ac86e514bbf5323f42446a0b27c1c86fca8b55fca37efc92bb9136fa54f9554a9445686b96dfa3859438c671cb9841f82c21b175bd61cc881e0dd

Download Submit
C:\Users\Admin\AppData\Roaming\WhatsApp 独立版\install.bat

Filesize
77B

MD5
0ec7fb1b5a72701bf94495d0f1dc1ee6

SHA1
3cae540c7b896391fb71a6c1eed3c55cb44369ab

SHA256
86befb9328e11ea9ca97e848ba0ea91eefc3382fe2bbc951fc2c01820b8b3d65

SHA512
c2cb3ab4590c2cb2ed719f76723a7a09f2b3c310e4b57bfcbc7b3b164ab76181b14bd699822d5f4707df268d199150e5b9b0624f9db77d8921df35925152d052

Download Submit
C:\Windows\Installer\MSI3BDB.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI3D05.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSI3DB2.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
25.0MB

MD5
a0b7d3937b21d728786c3c6bc1988cf8

SHA1
61146acbbdd8f9b1e9b4764c40f1ceaebf1821c8

SHA256
9da421c8b651b818f76d3b2fff21a810953e791e982fce567c5187f5b7fe65f9

SHA512
2aca6053a8a2d19c0002c07b5bf309742d706bd4f23dda65c6b3af85b035062502f03b9266111b10af4dd36e89f6ae39f522bf79d7655fac1cfa2a1451def668

Download Submit
\??\Volume{956dfe23-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{37cd6f61-0f0b-416b-a961-a38b692aac29}_OnDiskSnapshotProp

Filesize
5KB

MD5
25b177c7e57350136210bf78189ac9e4

SHA1
b7a33dacf4e6d529358190e9525fcef3819f0c1b

SHA256
dd6ac8c97a37e1362b2c450f1358b3ee7e901e9eeead26170cac833d2d267287

SHA512
97c18dd4c1fa2b24809546735f5a3b605f287302313567aea443640e4888bb4fdd0515514b52c414fb6521a8a3c11501d8c47d6ba89106cfd05be178c350401f

Download Submit
\Users\Admin\AppData\Local\Temp\MSIBA86.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
\Users\Admin\AppData\Local\Temp\MSIBC4C.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
\Users\Admin\AppData\Local\Temp\MSIBCAB.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
\Users\Admin\AppData\Local\Temp\MSIBD77.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
\Users\Admin\AppData\Local\Temp\MSIBED0.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
\Windows\Installer\MSI3BDB.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
\Windows\Installer\MSI3D05.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
\Windows\Installer\MSI3DB2.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
memory/1824-156-0x000002185D0D0000-0x000002185D0E4000-memory.dmp

Filesize
80KB

Download
memory/1824-157-0x000002185D0B0000-0x000002185D0BA000-memory.dmp

Filesize
40KB

Download
memory/1824-79-0x00007FF9A9760000-0x00007FF9AA14C000-memory.dmp

Filesize
9.9MB

Download
memory/1824-78-0x000002185CE20000-0x000002185CE42000-memory.dmp

Filesize
136KB

Download
memory/1824-82-0x000002185CEA0000-0x000002185CEB0000-memory.dmp

Filesize
64KB

Download
memory/1824-80-0x000002185CEA0000-0x000002185CEB0000-memory.dmp

Filesize
64KB

Download
memory/1824-84-0x000002185D130000-0x000002185D1A6000-memory.dmp

Filesize
472KB

Download
memory/1824-129-0x000002185CEA0000-0x000002185CEB0000-memory.dmp

Filesize
64KB

Download
memory/1824-166-0x00007FF9A9760000-0x00007FF9AA14C000-memory.dmp

Filesize
9.9MB

Download
memory/1824-162-0x000002185CEA0000-0x000002185CEB0000-memory.dmp

Filesize
64KB

Download
memory/1824-161-0x00007FF9A9760000-0x00007FF9AA14C000-memory.dmp

Filesize
9.9MB

Download
memory/1824-160-0x000002185CEA0000-0x000002185CEB0000-memory.dmp

Filesize
64KB

Download
memory/1824-159-0x000002185CEA0000-0x000002185CEB0000-memory.dmp

Filesize
64KB

Download
memory/4936-222-0x000002367EA10000-0x000002367EA20000-memory.dmp

Filesize
64KB

Download
memory/4936-171-0x00007FF9A9760000-0x00007FF9AA14C000-memory.dmp

Filesize
9.9MB

Download
memory/4936-172-0x000002367EA10000-0x000002367EA20000-memory.dmp

Filesize
64KB

Download
memory/4936-174-0x000002367EA10000-0x000002367EA20000-memory.dmp

Filesize
64KB

Download
memory/4936-254-0x00007FF9A9760000-0x00007FF9AA14C000-memory.dmp

Filesize
9.9MB

Download
memory/4936-251-0x000002367EA10000-0x000002367EA20000-memory.dmp

Filesize
64KB

Download
memory/4936-250-0x000002367EA10000-0x000002367EA20000-memory.dmp

Filesize
64KB

Download