Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 19-11-2024 03:57
Static task: static1
Behavioral task: behavioral1 (Sample: Fanyi.msi, Resource: win7-20240903-en)
Behavioral task: behavioral2 (Sample: Fanyi.msi, Resource: win10v2004-20241007-en)
General
Target: Fanyi.msi
Size: 26.5MB
MD5: 3d6804261513077c81543bfa24503bae
SHA1: a5b387c2402a77bf6ffd6835dbf79129a41a4ec6
SHA256: bdd5b875e9233fce93774ffcfc925daf2924eef9455d088d5dcddf41915d1112
SHA512: 899b6e4ebe9ea71a37772149a78ed19b9e09d6b0b9f8287b85a484008d6e6ad0efa99eabf4c245958929a1f0b52672ffec05cb824578738fbb0107f312f531ec
SSDEEP: 786432:FyPHKm4X1Ut5pZnm0p0syQvIwOpc1SYrBsff/p9QE:FEqm4X1U5pZm02syQt4iZr4n
Malware Config
Signatures
resource  yara_rule
behavioral2/memory/4936-99-0x000000002B970000-0x000000002BB2D000-memory.dmp  purplefox_rootkit
behavioral2/memory/4936-101-0x000000002B970000-0x000000002BB2D000-memory.dmp  purplefox_rootkit
behavioral2/memory/4936-102-0x000000002B970000-0x000000002BB2D000-memory.dmp  purplefox_rootkit
behavioral2/memory/4936-103-0x000000002B970000-0x000000002BB2D000-memory.dmp  purplefox_rootkit
Gh0st RAT payload 4 IoCs
resource  yara_rule
behavioral2/memory/4936-99-0x000000002B970000-0x000000002BB2D000-memory.dmp  family_gh0strat
behavioral2/memory/4936-101-0x000000002B970000-0x000000002BB2D000-memory.dmp  family_gh0strat
behavioral2/memory/4936-102-0x000000002B970000-0x000000002BB2D000-memory.dmp  family_gh0strat
behavioral2/memory/4936-103-0x000000002B970000-0x000000002BB2D000-memory.dmp  family_gh0strat
Gh0strat family
Purplefox family
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid  Process
2140  powershell.exe
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description  ioc  Process
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\N:  msiexec.exe
File opened (read-only)  \??\Y:  mAaRrGrorewO.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\R:  mAaRrGrorewO.exe
File opened (read-only)  \??\S:  mAaRrGrorewO.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\L:  mAaRrGrorewO.exe
File opened (read-only)  \??\T:  mAaRrGrorewO.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\T:  msiexec.exe
File opened (read-only)  \??\V:  mAaRrGrorewO.exe
File opened (read-only)  \??\Z:  mAaRrGrorewO.exe
File opened (read-only)  \??\Z:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\I:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\Y:  msiexec.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\G:  mAaRrGrorewO.exe
File opened (read-only)  \??\W:  mAaRrGrorewO.exe
File opened (read-only)  \??\E:  msiexec.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\E:  mAaRrGrorewO.exe
File opened (read-only)  \??\K:  mAaRrGrorewO.exe
File opened (read-only)  \??\M:  mAaRrGrorewO.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\V:  msiexec.exe
File opened (read-only)  \??\S:  msiexec.exe
File opened (read-only)  \??\H:  mAaRrGrorewO.exe
File opened (read-only)  \??\J:  mAaRrGrorewO.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\G:  msiexec.exe
File opened (read-only)  \??\L:  msiexec.exe
File opened (read-only)  \??\O:  msiexec.exe
File opened (read-only)  \??\R:  msiexec.exe
File opened (read-only)  \??\W:  msiexec.exe
File opened (read-only)  \??\B:  msiexec.exe
File opened (read-only)  \??\O:  mAaRrGrorewO.exe
File opened (read-only)  \??\P:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\A:  msiexec.exe
File opened (read-only)  \??\Q:  msiexec.exe
File opened (read-only)  \??\M:  msiexec.exe
File opened (read-only)  \??\K:  msiexec.exe
File opened (read-only)  \??\U:  msiexec.exe
File opened (read-only)  \??\J:  msiexec.exe
File opened (read-only)  \??\B:  mAaRrGrorewO.exe
File opened (read-only)  \??\Q:  mAaRrGrorewO.exe
File opened (read-only)  \??\U:  mAaRrGrorewO.exe
File opened (read-only)  \??\X:  mAaRrGrorewO.exe
File opened (read-only)  \??\H:  msiexec.exe
File opened (read-only)  \??\X:  msiexec.exe
Drops file in System32 directory 1 IoCs
description  ioc  Process
File created  C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SvwYSxmZIFRH.exe.log  SvwYSxmZIFRH.exe
Drops file in Program Files directory 21 IoCs
description  ioc  Process
File created  C:\Program Files\EnsureOptimizedConsultant\VC_redist.x64.exe  msiexec.exe
File created  C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO  wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
File created  C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe  wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
File created  C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.vbs  mAaRrGrorewO.exe
File created  C:\Program Files\EnsureOptimizedConsultant\aVtIJLgGgcGxLFnglYFRNfQHCAjTzJ  msiexec.exe
File opened for modification  C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.xml  wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
File created  C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe  wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
File opened for modification  C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe  wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
File created  C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe  MsiExec.exe
File opened for modification  C:\Program Files\EnsureOptimizedConsultant  mAaRrGrorewO.exe
File created  C:\Program Files\EnsureOptimizedConsultant\igc964.dll  msiexec.exe
File created  C:\Program Files\EnsureOptimizedConsultant\VOCcbQbkNjexsfDtMfOljQvmAGbPQx  wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
File created  C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.xml  wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
File created  C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe  msiexec.exe
File opened for modification  C:\Program Files\EnsureOptimizedConsultant\VOCcbQbkNjexsfDtMfOljQvmAGbPQx  wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
File opened for modification  C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO  wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
File opened for modification  C:\Program Files\EnsureOptimizedConsultant\2_mAaRrGrorewO.exe  wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
File opened for modification  C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe  MsiExec.exe
File opened for modification  C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.wrapper.log  SvwYSxmZIFRH.exe  (×3)
Drops file in Windows directory 8 IoCs
description  ioc  Process
File created  C:\Windows\Installer\SourceHash{BAE5191B-634D-4FA3-8A18-A96FC79A226D}  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIB844.tmp  msiexec.exe
File created  C:\Windows\Installer\e57b73c.msi  msiexec.exe
File created  C:\Windows\Installer\e57b73a.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\e57b73a.msi  msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
File opened for modification  C:\Windows\Installer\  msiexec.exe
File created  C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
Executes dropped EXE 8 IoCs
pid  Process
3516  wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
1180  wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
1276  mAaRrGrorewO.exe
5076  SvwYSxmZIFRH.exe
2672  SvwYSxmZIFRH.exe
2360  SvwYSxmZIFRH.exe
1388  mAaRrGrorewO.exe
4936  mAaRrGrorewO.exe
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid  Process
1560  msiexec.exe
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc  Process
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe  (×2)
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  mAaRrGrorewO.exe  (×3)
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid  Process
1300  cmd.exe
3352  PING.EXE
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description  ioc  Process
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000038a6760542cf76680000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000038a676050000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090038a67605000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d38a67605000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000038a6760500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000  vssvc.exe
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description  ioc  Process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  mAaRrGrorewO.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  mAaRrGrorewO.exe
Modifies data under HKEY_USERS 56 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs  powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"  MsiExec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings  WScript.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"  MsiExec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft  WScript.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings  MsiExec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs  powershell.exe
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E  msiexec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27  msiexec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software  WScript.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host  WScript.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs  powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"  MsiExec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"  MsiExec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed  powershell.exe
Set value (int)  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"  MsiExec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\  MsiExec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs  powershell.exe
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26  msiexec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs  powershell.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing  WScript.exe
Modifies registry class 22 IoCs
description  ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\Assignment = "1"  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\InstanceType = "0"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C5E14B8AB47855B4C80C5E0912705F5C\B1915EABD4363AF4A8819AF67CA922D6  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B1915EABD4363AF4A8819AF67CA922D6  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\Version = "151191556"  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\AdvertiseFlags = "388"  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\DeploymentFlags = "3"  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C5E14B8AB47855B4C80C5E0912705F5C  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\SourceList\PackageName = "Fanyi.msi"  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\SourceList\Media  msiexec.exe
Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\Clients = 3a0000000000  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B1915EABD4363AF4A8819AF67CA922D6\ProductFeature  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\PackageCode = "AF22DF62929E352458618D1C37BDA328"  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\Language = "1033"  msiexec.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\AuthorizedLUAApp = "0"  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\SourceList  msiexec.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\SourceList\Net  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\SourceList\Media\1 = ";"  msiexec.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B1915EABD4363AF4A8819AF67CA922D6\ProductName = "EnsureOptimizedConsultant"  msiexec.exe
Runs ping.exe 1 TTPs 1 IoCs
pid  Process
3352  PING.EXE
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid  Process
1104  msiexec.exe  (×2)
2140  powershell.exe  (×3)
1276  mAaRrGrorewO.exe  (×59)
Suspicious use of AdjustPrivilegeToken 64 IoCs
description  pid  Process
Token: SeShutdownPrivilege  1560  msiexec.exe
Token: SeIncreaseQuotaPrivilege  1560  msiexec.exe
Token: SeSecurityPrivilege  1104  msiexec.exe
Token: SeCreateTokenPrivilege  1560  msiexec.exe
Token: SeAssignPrimaryTokenPrivilege  1560  msiexec.exe
Token: SeLockMemoryPrivilege  1560  msiexec.exe
Token: SeIncreaseQuotaPrivilege  1560  msiexec.exe
Token: SeMachineAccountPrivilege  1560  msiexec.exe
Token: SeTcbPrivilege  1560  msiexec.exe
Token: SeSecurityPrivilege  1560  msiexec.exe
Token: SeTakeOwnershipPrivilege  1560  msiexec.exe
Token: SeLoadDriverPrivilege  1560  msiexec.exe
Token: SeSystemProfilePrivilege  1560  msiexec.exe
Token: SeSystemtimePrivilege  1560  msiexec.exe
Token: SeProfSingleProcessPrivilege  1560  msiexec.exe
Token: SeIncBasePriorityPrivilege  1560  msiexec.exe
Token: SeCreatePagefilePrivilege  1560  msiexec.exe
Token: SeCreatePermanentPrivilege  1560  msiexec.exe
Token: SeBackupPrivilege  1560  msiexec.exe
Token: SeRestorePrivilege  1560  msiexec.exe
Token: SeShutdownPrivilege  1560  msiexec.exe
Token: SeDebugPrivilege  1560  msiexec.exe
Token: SeAuditPrivilege  1560  msiexec.exe
Token: SeSystemEnvironmentPrivilege  1560  msiexec.exe
Token: SeChangeNotifyPrivilege  1560  msiexec.exe
Token: SeRemoteShutdownPrivilege  1560  msiexec.exe
Token: SeUndockPrivilege  1560  msiexec.exe
Token: SeSyncAgentPrivilege  1560  msiexec.exe
Token: SeEnableDelegationPrivilege  1560  msiexec.exe
Token: SeManageVolumePrivilege  1560  msiexec.exe
Token: SeImpersonatePrivilege  1560  msiexec.exe
Token: SeCreateGlobalPrivilege  1560  msiexec.exe
Token: SeBackupPrivilege  4448  vssvc.exe
Token: SeRestorePrivilege  4448  vssvc.exe
Token: SeAuditPrivilege  4448  vssvc.exe
Token: SeBackupPrivilege  1104  msiexec.exe
Token: SeRestorePrivilege  1104  msiexec.exe  (×2)
Token: SeTakeOwnershipPrivilege  1104  msiexec.exe
Token: SeRestorePrivilege  1104  msiexec.exe
Token: SeTakeOwnershipPrivilege  1104  msiexec.exe
Token: SeDebugPrivilege  2140  powershell.exe
Token: SeRestorePrivilege  3516  wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
Token: 35  3516  wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
Token: SeSecurityPrivilege  3516  wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe  (×2)
Token: SeRestorePrivilege  1180  wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
Token: 35  1180  wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
Token: SeSecurityPrivilege  1180  wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe  (×2)
Token: SeRestorePrivilege  1104  msiexec.exe
Token: SeTakeOwnershipPrivilege  1104  msiexec.exe
Token: SeRestorePrivilege  1104  msiexec.exe
Token: SeTakeOwnershipPrivilege  1104  msiexec.exe
Token: SeRestorePrivilege  1104  msiexec.exe
Token: SeTakeOwnershipPrivilege  1104  msiexec.exe
Token: SeRestorePrivilege  1104  msiexec.exe
Token: SeTakeOwnershipPrivilege  1104  msiexec.exe
Token: SeRestorePrivilege  1104  msiexec.exe
Token: SeTakeOwnershipPrivilege  1104  msiexec.exe
Token: SeRestorePrivilege  1104  msiexec.exe
Token: SeTakeOwnershipPrivilege  1104  msiexec.exe
Token: SeRestorePrivilege  1104  msiexec.exe
Token: SeTakeOwnershipPrivilege  1104  msiexec.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid  Process
1560  msiexec.exe  (×2)
Suspicious use of WriteProcessMemory 25 IoCs
description  pid  Process  procid_target
PID 1104 wrote to memory of 5048  1104  msiexec.exe  98  (×2)
PID 1104 wrote to memory of 3708  1104  msiexec.exe  101  (×2)
PID 3708 wrote to memory of 2140  3708  MsiExec.exe  102  (×2)
PID 3708 wrote to memory of 1300  3708  MsiExec.exe  107  (×2)
PID 1300 wrote to memory of 3516  1300  cmd.exe  109  (×3)
PID 1300 wrote to memory of 3352  1300  cmd.exe  110  (×2)
PID 1300 wrote to memory of 1180  1300  cmd.exe  112  (×3)
PID 3708 wrote to memory of 1276  3708  MsiExec.exe  114  (×3)
PID 2360 wrote to memory of 1388  2360  SvwYSxmZIFRH.exe  126  (×3)
PID 1388 wrote to memory of 4936  1388  mAaRrGrorewO.exe  128  (×3)
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\msiexec.exe
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Fanyi.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1560
- C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1104
  - C:\Windows\system32\srtasks.exe
    command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID:5048
  - C:\Windows\System32\MsiExec.exe
    command line: C:\Windows\System32\MsiExec.exe -Embedding 5804F76620F5D960600CE394027C5685 E Global\MSI0000
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID:3708
    - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\EnsureOptimizedConsultant','C:\Program Files','C:\Program Files'
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID:2140
    - C:\Windows\System32\cmd.exe
      command line: "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe" x "C:\Program Files\EnsureOptimizedConsultant\aVtIJLgGgcGxLFnglYFRNfQHCAjTzJ" -o"C:\Program Files\EnsureOptimizedConsultant\" -p"77889mQ.lKbWjlL+;EHv" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe" x "C:\Program Files\EnsureOptimizedConsultant\VOCcbQbkNjexsfDtMfOljQvmAGbPQx" -x!1_mAaRrGrorewO.exe -x!sss -x!1_gmFEzzgRgEXnNiUbsEYUyCvvFbviXj.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\EnsureOptimizedConsultant\" -p"56555&-YUD]NF+xlU&V!" -y
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      PID:1300
      - C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
        command line: "C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe" x "C:\Program Files\EnsureOptimizedConsultant\aVtIJLgGgcGxLFnglYFRNfQHCAjTzJ" -o"C:\Program Files\EnsureOptimizedConsultant\" -p"77889mQ.lKbWjlL+;EHv" -y
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID:3516
      - C:\Windows\system32\PING.EXE
        command line: ping 127.0.0.1 -n 2
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID:3352
      - C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe
        command line: "C:\Program Files\EnsureOptimizedConsultant\wLTHTBvoAUsPVexjgJCLQEmWSoiRwE.exe" x "C:\Program Files\EnsureOptimizedConsultant\VOCcbQbkNjexsfDtMfOljQvmAGbPQx" -x!1_mAaRrGrorewO.exe -x!sss -x!1_gmFEzzgRgEXnNiUbsEYUyCvvFbviXj.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\EnsureOptimizedConsultant\" -p"56555&-YUD]NF+xlU&V!" -y
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID:1180
    - C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
      command line: "C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 180 -file file3 -mode mode3
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID:1276
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:4448
- C:\Windows\System32\WScript.exe
  command line: C:\Windows\System32\WScript.exe "C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.vbs"
  - Modifies data under HKEY_USERS
  PID:4656
- C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe
  command line: "C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe" install
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID:5076
- C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe
  command line: "C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe" start
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID:2672
- C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe
  command line: "C:\Program Files\EnsureOptimizedConsultant\SvwYSxmZIFRH.exe"
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2360
  - C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
    command line: "C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 109 -file file3 -mode mode3
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1388
    - C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe
      command line: "C:\Program Files\EnsureOptimizedConsultant\mAaRrGrorewO.exe" -number 62 -file file3 -mode mode3
      - Enumerates connected drives
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      PID:4936
Network
MITRE ATT&CK Enterprise v15
Downloads