Resubmissions
30/10/2024, 16:26  241030-txqekaymbr  8
09/01/2024, 22:14  240109-15vsksaahp  8
09/01/2024, 22:09  240109-127mzabcf9  7
09/01/2024, 21:52  240109-1q2mksbcb5  7

Analysis
max time kernel: 1595s
max time network: 1597s
platform: windows10-1703_x64
resource: win10-20231220-en
resource tags: arch:x64 arch:x86 image:win10-20231220-en locale:en-us os:windows10-1703-x64 system
submitted: 09/01/2024, 22:14
Static task: static1

Behavioral task: behavioral1
Sample: 9c1129a7ffa519f670ca67fdec455f2b39a54b00745d06012cccef6e4b5f2ce1.exe
Resource: win7-20231215-en

Behavioral task: behavioral2
Sample: 9c1129a7ffa519f670ca67fdec455f2b39a54b00745d06012cccef6e4b5f2ce1.exe
Resource: win10-20231220-en

Behavioral task: behavioral3
Sample: 9c1129a7ffa519f670ca67fdec455f2b39a54b00745d06012cccef6e4b5f2ce1.exe
Resource: win10v2004-20231215-en

Behavioral task: behavioral4
Sample: 9c1129a7ffa519f670ca67fdec455f2b39a54b00745d06012cccef6e4b5f2ce1.exe
Resource: win11-20231215-en
General
Target: 9c1129a7ffa519f670ca67fdec455f2b39a54b00745d06012cccef6e4b5f2ce1.exe
Size: 5.4MB
MD5: fc5134ba4711406149556e32d47773aa
SHA1: 24e23d1ce7273410b778a36aaa8191c3abeedf3e
SHA256: 9c1129a7ffa519f670ca67fdec455f2b39a54b00745d06012cccef6e4b5f2ce1
SHA512: c457b37709914362717b867b88becda3751f2c79ee11a9f6d67a1780308e123a2e2a65ffb5af9431d99f7881a36ae16899d01cfcb8f52a569e3ca69ec78ac965
SSDEEP: 98304:wG7cl1155MF19r71Gw5/91TK1IyHZnVD8jSTzpRcUOeCNx1w8vlXWUlCaHKMDqwK:xuQ3j51RK1IyvlvpcestRKMD4
Malware Config
Signatures
Modifies RDP port number used by Windows 1 TTPs

Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description        ioc                                                              Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate     regedit.exe
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion  regedit.exe
Executes dropped EXE 8 IoCs
pid   Process
1464  CPUGuardian.exe
2940  InstAct.exe
5004  InstAct.exe
4212  CPUGuardian.exe
4204  CPUGuardian.exe
1272  updater.exe
2040  CPUGuardian.exe
4956  CPUGuardian.exe
Loads dropped DLL 64 IoCs
Blocklisted process makes network request 4 IoCs
flow  pid   Process
2     4600  msiexec.exe
4     4600  msiexec.exe
7     4600  msiexec.exe
10    4600  msiexec.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops desktop.ini file(s) 2 IoCs
description                   ioc                                   Process
File opened for modification  C:\$RECYCLE.BIN\S-1-5-18\desktop.ini  MsiExec.exe
File opened for modification  F:\$RECYCLE.BIN\S-1-5-18\desktop.ini  MsiExec.exe
Enumerates connected drives 3 TTPs 26 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Maps connected drives based on registry 3 TTPs 5 IoCs
Disk information is often read in order to detect sandboxing environments.
description           ioc                                                                     Process
Key value enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum               regedit.exe
Key value queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\0             regedit.exe
Key value queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\Count         regedit.exe
Key value queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum\NextInstance  regedit.exe
Key opened            \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum               regedit.exe
Drops file in System32 directory 15 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 22 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 23 IoCs
Processor information is often read in order to detect sandboxing environments.
Enumerates system info in registry 2 TTPs 64 IoCs
Modifies data under HKEY_USERS 20 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\AI_RecycleBin | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\AI_RecycleBin\{759B2E21-9D98-4FDC-BDB2-0C395EA36CBB} | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\AI_RecycleBin | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{57c63f37-0000-0000-0000-d01200000000}\MaxCapacity = "14116" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{57c63f37-0000-0000-0000-f0ff3a000000} | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\TelemetrySalt = "4" | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{57c63f37-0000-0000-0000-f0ff3a000000}\MaxCapacity = "2047" | MsiExec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\AI_RECYCLEBIN\{759B2E21-9D98-4FDC-BDB2-0C395EA36CBB} | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software | MsiExec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{57c63f37-0000-0000-0000-d01200000000} | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{57c63f37-0000-0000-0000-d01200000000}\NukeOnDelete = "0" | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer | MsiExec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | svchost.exe
Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | svchost.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume | MsiExec.exe
Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{57c63f37-0000-0000-0000-f0ff3a000000}\NukeOnDelete = "0" | MsiExec.exe
Modifies registry class 24 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CFC8D7853E00FB418CB5C3B1D56F2D6\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CFC8D7853E00FB418CB5C3B1D56F2D6\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CFC8D7853E00FB418CB5C3B1D56F2D6\DeploymentFlags = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6867B48316010F045B46248378806BA3\2CFC8D7853E00FB418CB5C3B1D56F2D6 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CFC8D7853E00FB418CB5C3B1D56F2D6\SourceList\PackageName = "CPUGuardian.msi" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CFC8D7853E00FB418CB5C3B1D56F2D6\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CFC8D7853E00FB418CB5C3B1D56F2D6\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CFC8D7853E00FB418CB5C3B1D56F2D6 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CFC8D7853E00FB418CB5C3B1D56F2D6\ProductName = "CPU Guardian" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CFC8D7853E00FB418CB5C3B1D56F2D6\Language = "1033" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CFC8D7853E00FB418CB5C3B1D56F2D6\Assignment = "1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CFC8D7853E00FB418CB5C3B1D56F2D6\ProductIcon = "C:\\Windows\\Installer\\{87D8CFC2-0E35-4BF0-81BC-C5B3D1652F6D}\\icon.exe" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\6867B48316010F045B46248378806BA3 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CFC8D7853E00FB418CB5C3B1D56F2D6\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Roaming\\CPU Guardian\\CPU Guardian 2.6.1\\install\\1652F6D\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CFC8D7853E00FB418CB5C3B1D56F2D6\SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CFC8D7853E00FB418CB5C3B1D56F2D6\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Roaming\\CPU Guardian\\CPU Guardian 2.6.1\\install\\1652F6D\\" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CFC8D7853E00FB418CB5C3B1D56F2D6\AuthorizedLUAApp = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2CFC8D7853E00FB418CB5C3B1D56F2D6 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\2CFC8D7853E00FB418CB5C3B1D56F2D6\MainFeature | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CFC8D7853E00FB418CB5C3B1D56F2D6\PackageCode = "6E740B912658B6C4BBDEF138DE81424A" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CFC8D7853E00FB418CB5C3B1D56F2D6\Version = "33947649" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CFC8D7853E00FB418CB5C3B1D56F2D6\SourceList | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CFC8D7853E00FB418CB5C3B1D56F2D6\SourceList\Media | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\2CFC8D7853E00FB418CB5C3B1D56F2D6\Clients = 3a0000000000 | msiexec.exe
Runs .reg file with regedit 1 IoCs
pid | Process
3804 | regedit.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
4600 | msiexec.exe
4600 | msiexec.exe
1304 | MsiExec.exe
1304 | MsiExec.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4956 | CPUGuardian.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 4004 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4004 | msiexec.exe
Token: SeSecurityPrivilege | 4600 | msiexec.exe
Token: SeCreateTokenPrivilege | 4004 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4004 | msiexec.exe
Token: SeLockMemoryPrivilege | 4004 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4004 | msiexec.exe
Token: SeMachineAccountPrivilege | 4004 | msiexec.exe
Token: SeTcbPrivilege | 4004 | msiexec.exe
Token: SeSecurityPrivilege | 4004 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4004 | msiexec.exe
Token: SeLoadDriverPrivilege | 4004 | msiexec.exe
Token: SeSystemProfilePrivilege | 4004 | msiexec.exe
Token: SeSystemtimePrivilege | 4004 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4004 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4004 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4004 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4004 | msiexec.exe
Token: SeBackupPrivilege | 4004 | msiexec.exe
Token: SeRestorePrivilege | 4004 | msiexec.exe
Token: SeShutdownPrivilege | 4004 | msiexec.exe
Token: SeDebugPrivilege | 4004 | msiexec.exe
Token: SeAuditPrivilege | 4004 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4004 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4004 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4004 | msiexec.exe
Token: SeUndockPrivilege | 4004 | msiexec.exe
Token: SeSyncAgentPrivilege | 4004 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4004 | msiexec.exe
Token: SeManageVolumePrivilege | 4004 | msiexec.exe
Token: SeImpersonatePrivilege | 4004 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4004 | msiexec.exe
Token: SeRestorePrivilege | 4600 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4600 | msiexec.exe
Token: SeRestorePrivilege | 4600 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4600 | msiexec.exe
Token: SeRestorePrivilege | 4600 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4600 | msiexec.exe
Token: SeRestorePrivilege | 4600 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4600 | msiexec.exe
Token: SeRestorePrivilege | 4600 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4600 | msiexec.exe
Token: SeRestorePrivilege | 4600 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4600 | msiexec.exe
Token: SeRestorePrivilege | 4600 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4600 | msiexec.exe
Token: SeRestorePrivilege | 4600 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4600 | msiexec.exe
Token: SeRestorePrivilege | 4600 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4600 | msiexec.exe
Token: SeRestorePrivilege | 4600 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4600 | msiexec.exe
Token: SeRestorePrivilege | 4600 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4600 | msiexec.exe
Token: SeRestorePrivilege | 4600 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4600 | msiexec.exe
Token: SeRestorePrivilege | 4600 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4600 | msiexec.exe
Token: SeRestorePrivilege | 4600 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4600 | msiexec.exe
Token: SeRestorePrivilege | 4600 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4600 | msiexec.exe
Token: SeRestorePrivilege | 4600 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4600 | msiexec.exe
Suspicious use of FindShellTrayWindow 16 IoCs
pid | Process
3568 | 9c1129a7ffa519f670ca67fdec455f2b39a54b00745d06012cccef6e4b5f2ce1.exe
1464 | CPUGuardian.exe
1464 | CPUGuardian.exe
1464 | CPUGuardian.exe
4212 | CPUGuardian.exe
4212 | CPUGuardian.exe
4212 | CPUGuardian.exe
4204 | CPUGuardian.exe
4204 | CPUGuardian.exe
4204 | CPUGuardian.exe
2040 | CPUGuardian.exe
2040 | CPUGuardian.exe
2040 | CPUGuardian.exe
4956 | CPUGuardian.exe
4956 | CPUGuardian.exe
4956 | CPUGuardian.exe
Suspicious use of SendNotifyMessage 15 IoCs
pid | Process
1464 | CPUGuardian.exe
1464 | CPUGuardian.exe
1464 | CPUGuardian.exe
4212 | CPUGuardian.exe
4212 | CPUGuardian.exe
4212 | CPUGuardian.exe
4204 | CPUGuardian.exe
4204 | CPUGuardian.exe
4204 | CPUGuardian.exe
2040 | CPUGuardian.exe
2040 | CPUGuardian.exe
2040 | CPUGuardian.exe
4956 | CPUGuardian.exe
4956 | CPUGuardian.exe
4956 | CPUGuardian.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid | Process
1272 | updater.exe
Suspicious use of WriteProcessMemory 36 IoCs
description | pid | Process | procid_target
PID 3568 wrote to memory of 4004 | 3568 | 9c1129a7ffa519f670ca67fdec455f2b39a54b00745d06012cccef6e4b5f2ce1.exe | 74
PID 3568 wrote to memory of 4004 | 3568 | 9c1129a7ffa519f670ca67fdec455f2b39a54b00745d06012cccef6e4b5f2ce1.exe | 74
PID 3568 wrote to memory of 4004 | 3568 | 9c1129a7ffa519f670ca67fdec455f2b39a54b00745d06012cccef6e4b5f2ce1.exe | 74
PID 4600 wrote to memory of 1296 | 4600 | msiexec.exe | 77
PID 4600 wrote to memory of 1296 | 4600 | msiexec.exe | 77
PID 4600 wrote to memory of 1296 | 4600 | msiexec.exe | 77
PID 4600 wrote to memory of 1304 | 4600 | msiexec.exe | 78
PID 4600 wrote to memory of 1304 | 4600 | msiexec.exe | 78
PID 4600 wrote to memory of 1304 | 4600 | msiexec.exe | 78
PID 1304 wrote to memory of 788 | 1304 | MsiExec.exe | 82
PID 1304 wrote to memory of 788 | 1304 | MsiExec.exe | 82
PID 1304 wrote to memory of 788 | 1304 | MsiExec.exe | 82
PID 1304 wrote to memory of 1028 | 1304 | MsiExec.exe | 79
PID 1304 wrote to memory of 1028 | 1304 | MsiExec.exe | 79
PID 1304 wrote to memory of 1028 | 1304 | MsiExec.exe | 79
PID 4600 wrote to memory of 1464 | 4600 | msiexec.exe | 85
PID 4600 wrote to memory of 1464 | 4600 | msiexec.exe | 85
PID 4600 wrote to memory of 1464 | 4600 | msiexec.exe | 85
PID 4600 wrote to memory of 2940 | 4600 | msiexec.exe | 84
PID 4600 wrote to memory of 2940 | 4600 | msiexec.exe | 84
PID 4600 wrote to memory of 2940 | 4600 | msiexec.exe | 84
PID 4600 wrote to memory of 5004 | 4600 | msiexec.exe | 88
PID 4600 wrote to memory of 5004 | 4600 | msiexec.exe | 88
PID 4600 wrote to memory of 5004 | 4600 | msiexec.exe | 88
PID 4212 wrote to memory of 4204 | 4212 | CPUGuardian.exe | 90
PID 4212 wrote to memory of 4204 | 4212 | CPUGuardian.exe | 90
PID 4212 wrote to memory of 4204 | 4212 | CPUGuardian.exe | 90
PID 4204 wrote to memory of 1272 | 4204 | CPUGuardian.exe | 91
PID 4204 wrote to memory of 1272 | 4204 | CPUGuardian.exe | 91
PID 4204 wrote to memory of 1272 | 4204 | CPUGuardian.exe | 91
PID 4204 wrote to memory of 3804 | 4204 | CPUGuardian.exe | 92
PID 4204 wrote to memory of 3804 | 4204 | CPUGuardian.exe | 92
PID 4204 wrote to memory of 3804 | 4204 | CPUGuardian.exe | 92
PID 4204 wrote to memory of 2040 | 4204 | CPUGuardian.exe | 97
PID 4204 wrote to memory of 2040 | 4204 | CPUGuardian.exe | 97
PID 4204 wrote to memory of 2040 | 4204 | CPUGuardian.exe | 97
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Users\Admin\AppData\Local\Temp\9c1129a7ffa519f670ca67fdec455f2b39a54b00745d06012cccef6e4b5f2ce1.exe (PID 3568)
    Command line: "C:\Users\Admin\AppData\Local\Temp\9c1129a7ffa519f670ca67fdec455f2b39a54b00745d06012cccef6e4b5f2ce1.exe"
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\msiexec.exe (PID 4004)
        Command line: "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\CPUGuardian.msi" /qn AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\9c1129a7ffa519f670ca67fdec455f2b39a54b00745d06012cccef6e4b5f2ce1.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /exelang 0 /noprereqs "
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe (PID 4600)
    Command line: C:\Windows\system32\msiexec.exe /V
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\syswow64\MsiExec.exe (PID 1296)
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 53DC8B9FE943D52ED4BB461FC26657BB
        - Loads dropped DLL

    C:\Windows\syswow64\MsiExec.exe (PID 1304)
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 149102E131C1D48905B6CBA0529F8CAC E Global\MSI0000
        - Loads dropped DLL
        - Drops desktop.ini file(s)
        - Enumerates connected drives
        - Drops file in System32 directory
        - Modifies data under HKEY_USERS
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 1028)
            Command line: /C "C:\Users\Admin\AppData\Local\Temp\{CE44F930-506D-42D9-B5BE-C317F2B44EA4}.bat"

        C:\Windows\SysWOW64\cmd.exe (PID 788)
            Command line: /C "C:\Users\Admin\AppData\Local\Temp\{CE44F930-506D-42D9-B5BE-C317F2B44EA4}.bat"

    C:\Program Files (x86)\CPU Guardian\InstAct.exe (PID 2940)
        Command line: "C:\Program Files (x86)\CPU Guardian\InstAct.exe" install 1 0
        - Executes dropped EXE
        - Loads dropped DLL

    C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe (PID 1464)
        Command line: "C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe" true
        - Executes dropped EXE
        - Loads dropped DLL
        - Enumerates connected drives
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage

    C:\Program Files (x86)\CPU Guardian\InstAct.exe (PID 5004)
        Command line: "C:\Program Files (x86)\CPU Guardian\InstAct.exe" installurl
        - Executes dropped EXE
        - Loads dropped DLL

C:\Windows\system32\AUDIODG.EXE (PID 4808)
    Command line: C:\Windows\system32\AUDIODG.EXE 0x33c

C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe (PID 4212)
    Command line: "C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe"
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe (PID 4204)
        Command line: "C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        C:\Program Files (x86)\CPU Guardian\updater.exe (PID 1272)
            Command line: "C:\Program Files (x86)\CPU Guardian\updater.exe" /justcheck
            - Executes dropped EXE
            - Suspicious use of SetWindowsHookEx

        C:\Windows\SysWOW64\regedit.exe (PID 3804)
            Command line: "regedit.exe" /e "C:\Users\Admin\Documents\CPUGuardian\registry.reg"
            - Checks BIOS information in registry
            - Maps connected drives based on registry
            - Checks SCSI registry key(s)
            - Checks processor information in registry
            - Enumerates system info in registry
            - Runs .reg file with regedit

        C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe (PID 2040)
            Command line: "C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe"
            - Executes dropped EXE
            - Loads dropped DLL
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SendNotifyMessage

C:\Windows\system32\vssvc.exe (PID 3888)
    Command line: C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe (PID 4076)
    Command line: C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
    - Checks SCSI registry key(s)
    - Modifies data under HKEY_USERS

C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe (PID 4956)
    Command line: "C:\Program Files (x86)\CPU Guardian\CPUGuardian.exe"
    - Executes dropped EXE
    - Enumerates connected drives
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

C:\Windows\system32\AUDIODG.EXE (PID 4064)
    Command line: C:\Windows\system32\AUDIODG.EXE 0x430
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\Users\Admin\AppData\Local\CPU_Guardian\CPUGuardian.exe_Url_iwid41inmr3ot3ooc1a1q3rf4b4cgitj\2.6.1.0\jnerd1oc.newcfg
Filesize: 711B
MD5: e36498307944914e4122ecdc2f680b12
SHA1: f596e13c9917455a6c6fe3e242e8528d937cf2f2
SHA256: 8b8215e081f490e7f57c7588a07a6b1422e3063b6ab642ba40884bba186e10e4
SHA512: 34095ad567a985a170edfe359d0b0a5c4390240113c3f5f49229bb60a0dd79c323c5c36a945cc267adc607be161ab68c9c79e63c7eea218d5278be954d732a2a

C:\Users\Admin\AppData\Local\CPU_Guardian\CPUGuardian.exe_Url_iwid41inmr3ot3ooc1a1q3rf4b4cgitj\2.6.1.0\uk2zsg0j.newcfg
Filesize: 711B
MD5: fd30f162afd04a164778209b85407eed
SHA1: 8160b717d1cc6cfeb00ee3f4558c1b9a831db7b2
SHA256: a9a52ce7d1822a30dcf7305ea00d71e08456e24582726ef72cb1e08046bcf9bd
SHA512: adbebd8c8359762d0055dfc0ad3c59abdcbd97385c76d67a1981810628f51973a9aa7bcff28696515903b621b4ee81c0d9f06a9ae1f8e3f7070fb6c6967bf968

C:\Users\Admin\AppData\Local\CPU_Guardian\CPUGuardian.exe_Url_iwid41inmr3ot3ooc1a1q3rf4b4cgitj\2.6.1.0\user.config
Filesize: 319B
MD5: c3712a40a97b4ca4d23d92e582c3ab19
SHA1: 3129333c2c32a7238570e57c348b3e9e9963ca2c
SHA256: e39c48e501f99cf9c50fba3d74c105d55c42fc7666f590532d1bfbb1dfc958dd
SHA512: df184a90728c0f251c10d5db10cdc4f675dcd8e4a67e0d8559e3972084fceb9eb94136427d81ba93f68731ba36cf61eedcd1cba5b2772f6f4f537fc464ef017f

C:\Users\Admin\AppData\Local\CPU_Guardian\CPUGuardian.exe_Url_iwid41inmr3ot3ooc1a1q3rf4b4cgitj\2.6.1.0\user.config
Filesize: 455B
MD5: 1fd0e8e842a16965e69d150892d30e0b
SHA1: fde8e9d4c1c94d147f45e387408bc8b44b4713a5
SHA256: 32323988eee1e25a016790544356c4689230dc860bf7429fddf410a76a041be3
SHA512: 5a4a5e07db947782536fa1c1b8c68fd0e0bd86a9e2125760d2466dd39408b87048c5f897905b47c4b4829ceeb10916e609d2d3065303f8be7e9871a09cce8720

C:\Users\Admin\AppData\Local\CPU_Guardian\CPUGuardian.exe_Url_iwid41inmr3ot3ooc1a1q3rf4b4cgitj\2.6.1.0\user.config
Filesize: 583B
MD5: 613452297135f491e0b6eae3c1405538
SHA1: 6e5ae69ae8ae0441c963301092daaa11e07f37e6
SHA256: a46db82bb68b3014c9f530a6b3f26d99e42fc18bff0a9d28b55b5c3f1732f682
SHA512: 19390fdfc524b5ef600030ea8b2b577a1e01e6c31b0d636fe7ae07f9e8b92e51a1f85a184d3d45abbcedad14ba9f62ddd0b58af9c5507099f0202351d7bb901a

C:\Users\Admin\AppData\Local\CPU_Guardian\CPUGuardian.exe_Url_iwid41inmr3ot3ooc1a1q3rf4b4cgitj\2.6.1.0\user.config
Filesize: 711B
MD5: cdf214f54686fece82fb49fdb4807f00
SHA1: 9f76c521df59448e8b86048bd481d8bb8e256977
SHA256: eb9725a93bb1d1a90bf3ece9f0b2a36b7c1ae42239f83bdd2a070d8d4889fc05
SHA512: a0d683a6248f43c7013002c954bdd2f60528a082aab4b3f387dbe2635ff31f4358bc61d5c34b760a51fb0e05a74bf40f935798c1e179cfea9a70e23e0782b81e

C:\Users\Admin\AppData\Local\CPU_Guardian\CPUGuardian.exe_Url_iwid41inmr3ot3ooc1a1q3rf4b4cgitj\2.6.1.0\user.config
Filesize: 711B
MD5: d8a3f0f9c5cfff246cb15155cf6ee5c2
SHA1: 273c1d254185122ef09e5faf7f5e9e06023cc6ed
SHA256: c3b84616e6c0b465948b0c9a7e02289fa9573a3f5bab8b36e1da4af8dd489536
SHA512: c1efa81e73f1542687736d95cfd042d389412877091934f690104d28f4e1de3c9f044150cfde5cf385237b8378ae4472deb24d6da6334033388ad19d77a76e21

Filesize: 3KB
MD5: 0990cd5ab4003dcee491437632ce56e6
SHA1: b53a87d00c2852fc702eb60baba36e4e2ca044d1
SHA256: f1d3bce16d2789f3c42ac2dc9371c521822a2851c8a77bb18cb1258af0c3339b
SHA512: 626f160e00b51c7628bfb2a33ce2fa3d79731daaf08a2decf9a4ce7c569972732065fe045095794237b251145cca8b98110932bda4eb5ba9e1a4249a90726d25

Filesize: 90B
MD5: c28e2ed79cc3d8ca0d482a41b02a103a
SHA1: a5b44c78a5d6d234160037073038f594d8896890
SHA256: 4248be5a03cfbd55be84c00340c77dbe350ee65a265cddd4913b55a5362dac73
SHA512: c902cc474bac2b27e5d0bb5b2cf95a47937ff79a7892e2e42a24efbe7b6561dbbb5f8983020b62c6111301eea2b00d71ad5a98293ac2bbc44d7f6ab61fef0462

Filesize: 1.2MB
MD5: 955e3a6f8138f5cffff24ab48109bf5e
SHA1: 6bb76d4244d92533a92bd2ffcc3071629408cae8
SHA256: 3ba7793a75b91956f9bf347512b16ed79968fb47f4ad18cf0f6aa1efacc50e33
SHA512: d40d85a5719417cbeee2066e0702eff9b7480ba890c56f892a7675764f26063a0cdc061695e6a4f5044e5f2ca2f79f5b52ba97ffb13230cb6e8c86764fd5d78c

C:\Users\Admin\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\ComponentFactory.Krypton.Toolkit.dll
Filesize: 1.4MB
MD5: b2353970a4aa2f064622967ef267347d
SHA1: 186a242e628456f57e8b7efcb7fafa1b27a21f4b
SHA256: 0c320f3c9323e49b734c9c3c13af5c60bc94233a389bf8d2431f8ae08511965e
SHA512: 7e8b915cfbc304d64d7c489bb970e7155fcc2f94ada52bc6cd2a151c83eb94d2ae339300b7370a8802ca526bdf1ab56ea24012228622748e2db84aa5ed5f9d69

Filesize: 58KB
MD5: 2880c4eccdbce5491ac23d9ac5b45c79
SHA1: ce9376a66620e9e55b2b45b1dfe439b4989a3362
SHA256: 23d1cfbb1b628cfb8ead4c452cef6135b1c3053ee6e41f5cfbb66ab49a6d783b
SHA512: 887531d74311fb83fbe82af1fd4bc0281f1b5a5d29a2bccfe77a3e855ad2539f61bbd2dafdea14dd44c317b00cb569a2a9ddac1c4f9a9f1367377f100fb35313

Filesize: 8KB
MD5: 28b7eb67a7889a46ece863ee6ec6c3bc
SHA1: ba12371be8ce73cf52c3270ca46941b71ff90025
SHA256: b71bed56159a16652075ca90f6c5191b47102c653a2facac7f1823985b141ff6
SHA512: b767676da12d1d8915c956071f81d107c2795add2f8318d7fbe2efe12096612c3d4904f6a4991e1eb1e3170412260226ffbcc4bcaeebc59cdc2ace4f313a15b4

C:\Users\Admin\AppData\Roaming\CPU Guardian\CPU Guardian 2.6.1\install\1652F6D\Microsoft.Win32.TaskScheduler.dll
Filesize: 92KB
MD5: 41c33334afb63787528b08ea1982f06c
SHA1: a39247ee7638d484d7f8fce51cbcb4bdcfc07d1f
SHA256: 7650c4dfab1b7f598759c2d34b08130ed781bc2cf4fdc20b674ba52aa2655202
SHA512: 97ce1ded3acdd3787c5af3993155b5daa758ff261fd3c68dc6ec8f5b94f32ab3b274fbe772b115d50d4c6388b43b848c528e51d241a5aaff2a5e9fa43a3fae3b

Filesize: 1.0MB
MD5: 0bcc088a002518322e1ecbce9fdf796b
SHA1: 57b9c096a8eb3636cf3815afd4c0c5d08bffec53
SHA256: a51751f54889932e87dcc1c73f4165f0c99b8224416f9200e77d02eab688eea1
SHA512: 555b61ed74f16adb168084809f703e26b7bfbbb979174caf2ae79a25d5f45ad719fb2d837c53f4d00b135450ce0872753dc1777ec0f90b7a9ef6fc224398d489

Filesize: 8KB
MD5: c57d5679e6a2e2e4b4deb278a1eaf8f4
SHA1: a67de39528104b271531195643fa7cb5243831f3
SHA256: 29c716b81ae2b875b772ca6892e3917436d7aab30bb8c8fcc3cd38eb10e42603
SHA512: f1c5afcd424b810d6bdd123b635d976eb4c73fab683b44171d70a87d43e2ea3965c9737f4073e8eeab381f521b3f501e734c84700d2ecd9ca21498225e86decf

Filesize: 423KB
MD5: 55c585039516be3ad631c2c4d7427699
SHA1: 31b0c9d42e7919c7801920005c71bf3bb0b8dba5
SHA256: 773c09b3dcbd38f08521228d3e0521182ee84e4d8bf22c33f28cc30a0d217f3d
SHA512: 72f64f17ff5cdf51ee0116c8fc95c23c2aca5dc360b7abe49108741eee11061320586dddfd478cce75e246c7e91a38419db2b190ee4b0479c59eda9f30bd85e9

Filesize: 125KB
MD5: e14324092de7df785684c2fc677f0ddf
SHA1: 947a50e2d8237df137c78cb329ad2c594a422f94
SHA256: cacb69cc777b1ca7d97e47579f72aa986b2bd307862a722563a9bccffa4dc492
SHA512: 2c101de3d99db06911f4ceae588af43cabe8131d0085f9c661987236f210827d1be0dbea0122eec8211b6b79ff793ec94a0346a64949e25ccd8a37dee7474f71

Filesize: 8KB
MD5: 03cda985b8f388553b3282176f7f8531
SHA1: edb7b9b03a1a81f5b6a14345fb12be7789fdb8cb
SHA256: 6b3f4608df828933998225e925573c30e52fac20c9f075c6edc738986a890d41
SHA512: 362fc1b9629d5442922f78bdaa8e481352f3d0c371244b41ead6a1ee15b6a79287ae0502be6c48f848408474f5f6f6edb5e8298dbb9319949c22638cfe37bc89

Filesize: 7KB
MD5: 67dc6788631fe575be7adf3e98256d3f
SHA1: 6a1a41804c31bf063e47415ce387c6cb58ec1419
SHA256: 0a9bc746c7903a088b7e7390b0dfa99904e6b17d9209850f48eda7128fe1d771
SHA512: bcadea37012986602854fa8ae64ed3773ffe15ffd2b11ffd39b9edbb09d4b9aee8ca4e1921f6f9b820798c423225e0add859c838ec0110cc24f0106ba9a1d021

Filesize: 1KB
MD5: 5f251d46ac714eef37c174aa9ffb4edb
SHA1: e9c637896d8c17eacc7e0530e9cf5d8aabf7019d
SHA256: 46e11945ae868bee3e1b155d0a14006764920c7244d5344c1617883eeaaab43a
SHA512: 140010658f98767db7c816e9ae65a3757e2442f74558adf6c573f757587fcce6057e178f961c5cefda873b7fe5545c574944b4f8646603818cc60758bad2d59d

Filesize: 4KB
MD5: 660dde7ed7b97fbcb67e977ab39896d9
SHA1: f9f9ac119ceaa476fb7c3e9d00f707bea2139078
SHA256: ca52334a4faa6ad156510047bdff51c186fac6d91e6f19b58d24a358a370cb58
SHA512: fc176a5477fef8813c9e6bd3e5609e10846a153046fc81d63c321f0aef96cb0dcfd4cd74e7f016074ed2a13546f5c5cb509584369eb1c8b78abb2929dae55133

Filesize: 1KB
MD5: c6a53e6cf6624a4abc18703016a540cd
SHA1: 5de16a5d8334e80aebd7e91e8adba38e8fbce4c4
SHA256: 014496da0957bd595b908633bdf7ab6dea39f2407804e0d28e0a06bb34251e71
SHA512: 9359cb4c3b9f514c0df4d14da4272de1e1e9f59fbe71c024588a7c87b085925681e62c301c52e62c0884cc01b3ee7bc84ba1cde3bb963c55cc9b49dba3cdea47

Filesize: 3KB
MD5: f05440255bca34d78c7f4cd132bae738
SHA1: 115d245aaa36b465ec9a0f782e801592289f7757
SHA256: b55470d512a12b6efe3d88490bd7383bff65b539673da8e2222193258f2a3d8e
SHA512: 48fb99290c190b9485cef634b7900d391cdfc8fdac640d2007326eba750f963f184b7754d0058ac2b0b5eacf55cfabaa7ae058bd528896e1673da811e773ac4d

Filesize: 5KB
MD5: 728e1ebba7f6a926041d45b426e9606d
SHA1: 27d8c131c8bf55be8036bcae68b8248ff3116bab
SHA256: a6846ea1dddca9a7e0197e8c5b111cbed154002987ec667a1a4e8ed9b149cd7f
SHA512: e3ad2a7be1db239829086b4a86393909e3f6bd0ff401f6838309a3389423174665a7fc6efddb1cb517be651d7b6786a4820be8fc0a4392579eeba3835ecbf8ad

Filesize: 294KB
MD5: 36885842c1e86ac026470d3931c1fb16
SHA1: c9264ee7d297d8873651d1b780f2ee40430539c7
SHA256: e760209574843bd3879ff1f631c377df8f4be0a5e2c6c09ffe60c9e52c9a4308
SHA512: c5b831bb08dc9e70e462e6b747fd7be6200a55e51ff4060bc9c4e8f9c0544206194466f9c1e0c3b5a6963b6aee5c9e27f4b968a804fae7339a8334b6f62839c8

Filesize: 352KB
MD5: accc5e05c4009b2a44cadf1d093cd07a
SHA1: 6b9167b1c61f8dcc9d8ee4dc880f1db90331e89d
SHA256: 28d23dfcd76f4b50d5e847b1415a4b193c843bf52b2522a8be83840d77e59d97
SHA512: 6cfc01b9abbe4de4cc3afe64aec3bf4ed12f8304cbd6009e39c3301357b26a93ad5a845eef7dba184a3baff3dc8eba664f7ef2d2e8b7f8f0b5f70a5ea54b5b51

Filesize: 93KB
MD5: 4e08b1e5b2b01e060b70ba19317752f4
SHA1: d7fcd4c40eb8e10a1f288bc45b58bed4d4369f41
SHA256: 8c97c20483616b036f964cd1364f2386114f2126f91108034b432e7029e44984
SHA512: c41d2f6734d90f6f36c659090fa0c8415ab65da17e15785cf9a91c986ea822f41cc1a2563fc0c7efd8c4d7cbc63b45b79475f8acece51b6233d4bd222bb2f15a

Filesize: 92KB
MD5: 9415f3c83a62afb2e8531238b337ae64
SHA1: 221db324086ec91b0c29a3f4bc77d1ef3e3e1137
SHA256: 7235847c4d53c720eb4bfbad61b8f2a47426068160eb3a38f7696ac29533ed36
SHA512: b4dfbbaadc5809fa557ead96d17633d8bb209f8cdcf09cdd4c4d2c67e92da0e08102edf3bab42f9bbc16e25bc9e6c20f45f8660ac8037f2717fd3c3785651de9

Filesize: 90KB
MD5: 61e0d69413e1d3f975d6910fe04cadd8
SHA1: 382dc5ab38f75c40430c28affe9146dc583a5909
SHA256: a4d9154276def89a52cfba94aa872c0284a01780d5728a4f57b8b562eaa4a5e0
SHA512: 518d04c87818a66825f25d0fd9d79aaf1a6c030b917fb59caed5f7341cfc912b1f635d2544a92dffef04054ef98eba65031978804458ca777d6cc8a6df62e930

Filesize: 129KB
MD5: 1e88c98dfe1237a7b0f5fa8d3cc6fc61
SHA1: 44bc5c35b465762fe90525076667ffbeb6fd6fec
SHA256: 91c6ec17d109fd60e1e67c9d18f46b884f4a24516c3309a412c353c6a63345ed
SHA512: 7ce75818ff3300299c8e82285232177291a3627c96b9f4dd84caa58393518b152d1bbbadcf3860b6e71be9b57117178e3b7d3cbaba525cc27dcd230b3b4a8618