Analysis
-
max time kernel
150s -
max time network
160s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
19-11-2024 04:56
Static task
static1
Behavioral task
behavioral1
Sample
wpsupdate.msi
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
wpsupdate.msi
Resource
win10v2004-20241007-en
General
-
Target
wpsupdate.msi
-
Size
28.2MB
-
MD5
ef294458016f546c5eebd07d2dd98bad
-
SHA1
66bb14f670055272e12899d401b8668cad15fac9
-
SHA256
c17c018f5df7a413dc053a325b6c291c9cd84f1b9e2415ffe205e02a7e5d6b4a
-
SHA512
97ee150f49bb587147f30d2215174f5376420abd5d659a2c68d58bc67f823715030cc328eab7e11623f4ee8504f1f080ceb44ac2d6fca7c636ea8d7c936f0333
-
SSDEEP
786432:r3pUIX4j1lP1FYKJGIC6rO9HN47EbHxjprMfy6s0A:zpUIIj1l9FxJGIzcteEt2e0A
Malware Config
Signatures
-
resource yara_rule behavioral2/memory/3836-110-0x000000002BA30000-0x000000002BBED000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 1 IoCs
resource yara_rule behavioral2/memory/3836-110-0x000000002BA30000-0x000000002BBED000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 4416 powershell.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\U: msiexec.exe -
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
description ioc Process File opened for modification \??\PhysicalDrive0 wpsupdate.exe -
Drops file in System32 directory 1 IoCs
description ioc Process File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\nKecPJAaIeFB.exe.log nKecPJAaIeFB.exe -
Drops file in Program Files directory 23 IoCs
description ioc Process File created C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe MsiExec.exe File opened for modification C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe MsiExec.exe File created C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe msiexec.exe File created C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw msiexec.exe File created C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe File created C:\Program Files\TransformOptimisticContributor\2_WSEcydALszNI.exe QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe File opened for modification C:\Program Files\TransformOptimisticContributor\2_WSEcydALszNI.exe QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe File opened for modification C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe File opened for modification C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.wrapper.log nKecPJAaIeFB.exe File created C:\Program Files\TransformOptimisticContributor\VC_redist.x64.exe msiexec.exe File opened for modification C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe File created C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.vbs WSEcydALszNI.exe File opened for modification C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.wrapper.log nKecPJAaIeFB.exe File opened for modification C:\Program Files\TransformOptimisticContributor\WSEcydALszNI QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe File created C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe File opened for modification C:\Program Files\TransformOptimisticContributor WSEcydALszNI.exe File opened for modification C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.wrapper.log nKecPJAaIeFB.exe File created C:\Program Files\TransformOptimisticContributor\wpsupdate.exe msiexec.exe File created C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.xml QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe File opened for modification C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.xml QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe File created C:\Program Files\TransformOptimisticContributor\pvugBgEMyjnfIRZnnRolAMMekSRFAr QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe File opened for modification C:\Program Files\TransformOptimisticContributor\pvugBgEMyjnfIRZnnRolAMMekSRFAr QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe File created C:\Program Files\TransformOptimisticContributor\WSEcydALszNI QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe -
Drops file in Windows directory 8 IoCs
description ioc Process File opened for modification C:\Windows\Installer\MSIDB4C.tmp msiexec.exe File created C:\Windows\Installer\e57d9f7.msi msiexec.exe File created C:\Windows\Installer\e57d9f5.msi msiexec.exe File opened for modification C:\Windows\Installer\e57d9f5.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{5E7ABEF0-9D09-49C1-952F-E73FA3349D07} msiexec.exe -
Executes dropped EXE 9 IoCs
pid Process 4460 QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe 4444 QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe 632 WSEcydALszNI.exe 3828 wpsupdate.exe 952 nKecPJAaIeFB.exe 1080 nKecPJAaIeFB.exe 436 nKecPJAaIeFB.exe 2724 WSEcydALszNI.exe 3836 WSEcydALszNI.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 1516 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WSEcydALszNI.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language wpsupdate.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WSEcydALszNI.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language WSEcydALszNI.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1892 PING.EXE 3952 cmd.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e6cf55ff94a5976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e6cf55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e6cf55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de6cf55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e6cf55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office wpsupdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WScript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust powershell.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHDt = "19" wpsupdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD = "f69076662ad68ef948dba3f08594f011" wpsupdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software WScript.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3_C = "f69076662ad68ef948dba3f08594f011" wpsupdate.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3Verify_C = 32003000320034002d00310031002d00310039007c00570044004300200032002e0035002b00320033003200310033003800380030003400310036003500200020002000200020002000200020007c00440041002d00360037002d00420035002d00360045002d00360043002d00310042000000 wpsupdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\InfoHD3t = "19" wpsupdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs powershell.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoLastHardInfo wpsupdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft WScript.exe Key created \REGISTRY\USER\.DEFAULT\Software wpsupdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0 wpsupdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs powershell.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings WScript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host WScript.exe Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo wpsupdate.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common\khdinfo\InfoCurHardInfo = "29a56b8a14940c3acb7a4a6443907c56|e7074c32322ef165a9d6e271ff2be5c7" wpsupdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft wpsupdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Kingsoft\Office\6.0\Common wpsupdate.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs powershell.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections wpsupdate.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" MsiExec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA powershell.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed powershell.exe -
Modifies registry class 22 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\InstanceType = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\PackageCode = "CCD296EAB4068834AB0FC3DB62EF5779" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Version = "100859912" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0FEBA7E590D91C9459F27EF33A43D970 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ED4346F32F1F8CA46B2D014BA47DCC9B msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Clients = 3a0000000000 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\0FEBA7E590D91C9459F27EF33A43D970\ProductFeature msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\ProductName = "TransformOptimisticContributor" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\ED4346F32F1F8CA46B2D014BA47DCC9B\0FEBA7E590D91C9459F27EF33A43D970 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\PackageName = "wpsupdate.msi" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\SourceList\Media\1 = ";" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Language = "1033" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\Assignment = "1" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\0FEBA7E590D91C9459F27EF33A43D970\DeploymentFlags = "3" msiexec.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1892 PING.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4880 msiexec.exe 4880 msiexec.exe 4416 powershell.exe 4416 powershell.exe 3828 wpsupdate.exe 3828 wpsupdate.exe 3828 wpsupdate.exe 3828 wpsupdate.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe 632 WSEcydALszNI.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 1516 msiexec.exe Token: SeIncreaseQuotaPrivilege 1516 msiexec.exe Token: SeSecurityPrivilege 4880 msiexec.exe Token: SeCreateTokenPrivilege 1516 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 1516 msiexec.exe Token: SeLockMemoryPrivilege 1516 msiexec.exe Token: SeIncreaseQuotaPrivilege 1516 msiexec.exe Token: SeMachineAccountPrivilege 1516 msiexec.exe Token: SeTcbPrivilege 1516 msiexec.exe Token: SeSecurityPrivilege 1516 msiexec.exe Token: SeTakeOwnershipPrivilege 1516 msiexec.exe Token: SeLoadDriverPrivilege 1516 msiexec.exe Token: SeSystemProfilePrivilege 1516 msiexec.exe Token: SeSystemtimePrivilege 1516 msiexec.exe Token: SeProfSingleProcessPrivilege 1516 msiexec.exe Token: SeIncBasePriorityPrivilege 1516 msiexec.exe Token: SeCreatePagefilePrivilege 1516 msiexec.exe Token: SeCreatePermanentPrivilege 1516 msiexec.exe Token: SeBackupPrivilege 1516 msiexec.exe Token: SeRestorePrivilege 1516 msiexec.exe Token: SeShutdownPrivilege 1516 msiexec.exe Token: SeDebugPrivilege 1516 msiexec.exe Token: SeAuditPrivilege 1516 msiexec.exe Token: SeSystemEnvironmentPrivilege 1516 msiexec.exe Token: SeChangeNotifyPrivilege 1516 msiexec.exe Token: SeRemoteShutdownPrivilege 1516 msiexec.exe Token: SeUndockPrivilege 1516 msiexec.exe Token: SeSyncAgentPrivilege 1516 msiexec.exe Token: SeEnableDelegationPrivilege 1516 msiexec.exe Token: SeManageVolumePrivilege 1516 msiexec.exe Token: SeImpersonatePrivilege 1516 msiexec.exe Token: SeCreateGlobalPrivilege 1516 msiexec.exe Token: SeBackupPrivilege 1484 vssvc.exe Token: SeRestorePrivilege 1484 vssvc.exe Token: SeAuditPrivilege 1484 vssvc.exe Token: SeBackupPrivilege 4880 msiexec.exe Token: SeRestorePrivilege 4880 msiexec.exe Token: SeRestorePrivilege 4880 msiexec.exe Token: SeTakeOwnershipPrivilege 4880 msiexec.exe Token: SeRestorePrivilege 4880 msiexec.exe Token: SeTakeOwnershipPrivilege 4880 msiexec.exe Token: SeDebugPrivilege 4416 powershell.exe Token: SeBackupPrivilege 3028 srtasks.exe Token: SeRestorePrivilege 3028 srtasks.exe Token: SeSecurityPrivilege 3028 srtasks.exe Token: SeTakeOwnershipPrivilege 3028 srtasks.exe Token: SeRestorePrivilege 4460 QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe Token: 35 4460 QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe Token: SeSecurityPrivilege 4460 QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe Token: SeSecurityPrivilege 4460 QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe Token: SeBackupPrivilege 3028 srtasks.exe Token: SeRestorePrivilege 3028 srtasks.exe Token: SeSecurityPrivilege 3028 srtasks.exe Token: SeTakeOwnershipPrivilege 3028 srtasks.exe Token: SeRestorePrivilege 4444 QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe Token: 35 4444 QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe Token: SeSecurityPrivilege 4444 QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe Token: SeSecurityPrivilege 4444 QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe Token: SeRestorePrivilege 4880 msiexec.exe Token: SeTakeOwnershipPrivilege 4880 msiexec.exe Token: SeRestorePrivilege 4880 msiexec.exe Token: SeTakeOwnershipPrivilege 4880 msiexec.exe Token: SeRestorePrivilege 4880 msiexec.exe Token: SeTakeOwnershipPrivilege 4880 msiexec.exe -
Suspicious use of FindShellTrayWindow 7 IoCs
pid Process 1516 msiexec.exe 1516 msiexec.exe 3828 wpsupdate.exe 3828 wpsupdate.exe 3828 wpsupdate.exe 3828 wpsupdate.exe 3828 wpsupdate.exe -
Suspicious use of SendNotifyMessage 5 IoCs
pid Process 3828 wpsupdate.exe 3828 wpsupdate.exe 3828 wpsupdate.exe 3828 wpsupdate.exe 3828 wpsupdate.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 4880 wrote to memory of 3028 4880 msiexec.exe 94 PID 4880 wrote to memory of 3028 4880 msiexec.exe 94 PID 4880 wrote to memory of 2680 4880 msiexec.exe 96 PID 4880 wrote to memory of 2680 4880 msiexec.exe 96 PID 2680 wrote to memory of 4416 2680 MsiExec.exe 99 PID 2680 wrote to memory of 4416 2680 MsiExec.exe 99 PID 2680 wrote to memory of 3952 2680 MsiExec.exe 104 PID 2680 wrote to memory of 3952 2680 MsiExec.exe 104 PID 3952 wrote to memory of 4460 3952 cmd.exe 106 PID 3952 wrote to memory of 4460 3952 cmd.exe 106 PID 3952 wrote to memory of 4460 3952 cmd.exe 106 PID 3952 wrote to memory of 1892 3952 cmd.exe 107 PID 3952 wrote to memory of 1892 3952 cmd.exe 107 PID 3952 wrote to memory of 4444 3952 cmd.exe 109 PID 3952 wrote to memory of 4444 3952 cmd.exe 109 PID 3952 wrote to memory of 4444 3952 cmd.exe 109 PID 2680 wrote to memory of 632 2680 MsiExec.exe 113 PID 2680 wrote to memory of 632 2680 MsiExec.exe 113 PID 2680 wrote to memory of 632 2680 MsiExec.exe 113 PID 2680 wrote to memory of 3828 2680 MsiExec.exe 115 PID 2680 wrote to memory of 3828 2680 MsiExec.exe 115 PID 2680 wrote to memory of 3828 2680 MsiExec.exe 115 PID 436 wrote to memory of 2724 436 nKecPJAaIeFB.exe 129 PID 436 wrote to memory of 2724 436 nKecPJAaIeFB.exe 129 PID 436 wrote to memory of 2724 436 nKecPJAaIeFB.exe 129 PID 2724 wrote to memory of 3836 2724 WSEcydALszNI.exe 131 PID 2724 wrote to memory of 3836 2724 WSEcydALszNI.exe 131 PID 2724 wrote to memory of 3836 2724 WSEcydALszNI.exe 131 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\wpsupdate.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1516
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4880 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
PID:3028
-
-
C:\Windows\System32\MsiExec.exeC:\Windows\System32\MsiExec.exe -Embedding 94C8925FDAC075AE237B5605BCE04F8E E Global\MSI00002⤵
- Drops file in Program Files directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:2680 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\TransformOptimisticContributor','C:\Program Files','C:\Program Files'3⤵
- Command and Scripting Interpreter: PowerShell
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4416
-
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw" -o"C:\Program Files\TransformOptimisticContributor\" -p"03621GQD}PR[O^Dmi;;h" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL" -x!1_WSEcydALszNI.exe -x!sss -x!1_OzasXnwPtTbfCAAsrowrLIIDEPUHpa.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\TransformOptimisticContributor\" -p"93629#*_tvw?-L5@gQl=" -y3⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:3952 -
C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe"C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\YRtKSPCVXxSCmPuaAzactTPSddUXyw" -o"C:\Program Files\TransformOptimisticContributor\" -p"03621GQD}PR[O^Dmi;;h" -y4⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4460
-
-
C:\Windows\system32\PING.EXEping 127.0.0.1 -n 24⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1892
-
-
C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe"C:\Program Files\TransformOptimisticContributor\QxbnJjybITIHnXwFgsfiCRpWIdJkGQ.exe" x "C:\Program Files\TransformOptimisticContributor\WhlKFlLXxHUitNNcNwtpUJDzrKytNL" -x!1_WSEcydALszNI.exe -x!sss -x!1_OzasXnwPtTbfCAAsrowrLIIDEPUHpa.exe -x!1_ -x!1_ -x!sa -o"C:\Program Files\TransformOptimisticContributor\" -p"93629#*_tvw?-L5@gQl=" -y4⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:4444
-
-
-
C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe"C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe" -number 177 -file file3 -mode mode33⤵
- Drops file in Program Files directory
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:632
-
-
C:\Program Files\TransformOptimisticContributor\wpsupdate.exe"C:\Program Files\TransformOptimisticContributor\wpsupdate.exe"3⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3828
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1484
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.vbs"1⤵
- Modifies data under HKEY_USERS
PID:1796
-
C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe"C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe" install1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Executes dropped EXE
PID:952
-
C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe"C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe" start1⤵
- Drops file in Program Files directory
- Executes dropped EXE
PID:1080
-
C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe"C:\Program Files\TransformOptimisticContributor\nKecPJAaIeFB.exe"1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe"C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe" -number 151 -file file3 -mode mode32⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2724 -
C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe"C:\Program Files\TransformOptimisticContributor\WSEcydALszNI.exe" -number 62 -file file3 -mode mode33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3836
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Event Triggered Execution
1Installer Packages
1Pre-OS Boot
1Bootkit
1Defense Evasion
Pre-OS Boot
1Bootkit
1System Binary Proxy Execution
1Msiexec
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD55d18475afd5a885c1cdd7fccb3049e32
SHA17c060f44c3d984f7d045440fe47724a1cc9d3b14
SHA256e0b0a867b136f3ee3008f41666e0dadf5a7143acaf455ebaf7f5d4809bb85e85
SHA51294f62085155cbf4392e48ec7e9a1eb56017d3952ecaf18dfb78f93c8c294ed4dae4771a81bfff8c2449ef4f7b950e54c0adae571d547c223563d8d046febdf59
-
Filesize
2.1MB
MD5fb22fb79f366c65257b7adb24c70d843
SHA1ca6d29a4806d52350e1a50c7b71526dfaab2d525
SHA25644f2ea5b5dd47fc256a341dee1d2dacfc24adba395a49fd8c4ad3613bfe2d43d
SHA512c4dfb9273bd937f5480646e12d77073a476719f1f15ee5885e0999f0bbc68f80b1909489f7bd78a3bfb4687a55442f655f4538fda20afe4a7b87623e9bdfe7d9
-
Filesize
577KB
MD5c31c4b04558396c6fabab64dcf366534
SHA1fa836d92edc577d6a17ded47641ba1938589b09a
SHA2569d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99
-
Filesize
2KB
MD5c5053a9c469416b52ac1ef0f3c4b6f3a
SHA11b2a53afcb6b22db953ad16116642a5e603d59c6
SHA2567c54fccfbce7fef4dcd82fedd5811f43b553fca88811ace4e37d0837923830e5
SHA512b9df8e58a1eabff54635a776a1c80c3c42643e3ad3ca3245eb0428b3e779ab903fcd2260d529c5fa34bb0f6b9dc62002cf1c0ba9e0d439b6905b12c837359ffa
-
Filesize
1.5MB
MD5d045828473a8165effd59a97232e6107
SHA1f86bd9763d6c70ec3ca79134598de4fa44c6bc94
SHA2569aaae0f7b3bdab287ad703c7eb4baa1a0746b6d353e57ae74d985b10a2102016
SHA51207e77aa6a433d4541d80276d37e682012509b480a6861f9fbe3cd89929b352d6754cc649526f95c4bd76cf4e1c8bceb275a0217c38193ab88891166934d79659
-
Filesize
1.5MB
MD5831ff4029b30419da4ac4d32bf8ff05c
SHA18c121d0cd017ce5f7ca8cbf6abd8909b2fe445bc
SHA256ab281716242897be222c1d4cc979fd5de9e7d1cde56e70ac1010e6b3dc76826d
SHA51217f2efdb891dcf9ceacb8b24801ec59866f969baa55d1c92c15a7150c13f18cc3f481984b5971456e1ad0f204db016698bfe012c086ffa2028582c1d9302a8c5
-
Filesize
832KB
MD5d305d506c0095df8af223ac7d91ca327
SHA1679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA51294d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796
-
Filesize
290B
MD54a3b8c0e53a3ca076d6d3659300c096c
SHA1a49a2be43a87cde92a60f17dbd29d5d1d5cac353
SHA256d2964d10f1431ffeb289bce75ca9b5f1ffa1ee58a9ee7f7028cc65413e8878b0
SHA5128c94c15b557cc0d58d27d74b7e4cd0fba0ce84742f99d4b848be741ab48c82f9c864c47aa0986f31c9c75f4f005e8ff7a3e1963c1c00f217381081177a3b276d
-
Filesize
458B
MD56923590bb4fac906ac5a9996ceb9362b
SHA12fae07821afeacee9441779591cf51eb0b39dda0
SHA256b3b4e0f086c456e9156cd796a1b985ac426af7764647b197682b40b362c4bb1d
SHA512db68e9982acb4e27ef36cd22d76b6aa42bbd100ae4eaed8a23feaf1a58c9f32470e7184cc6ca65a2c1218cfc873b21553403bf093518e5d9d61bff59a3ff704e
-
Filesize
636B
MD51618efebb4abada9b83b90496410fb57
SHA161fbb12b77328d4cb5e237878caedfa20e936ca3
SHA256462d8c4f845b5bcc5ea5582e2c21c97199c97429043410db7bcf468a2778aa81
SHA51273ea0f4540a25d9234a10142c724bf2c9c8134a786a219fb88d9b4bf4403b4d69fdb6ce61104c4296ec507b9ccae79ec0c45fdea3c86bbac6cfe0b45ac15ab5d
-
Filesize
450B
MD5423a8dfeda50218b0d1f99440f1f19bb
SHA15979983be9657f79aa8523018779fef0ff004282
SHA256c88617337e75ec9a2a8c9b5a589957f2df36dd28c9d5aeb5c1453e71b6fb3c02
SHA51219f4764a3d46de34eb707e1f50685282bfd49d766d1cd8482dae6bd09ed382021dd09e5e9f506e4b2c402c89a29c5fad78ff68d29fda8ba33310c81b74467ab9
-
Filesize
6.0MB
MD557dadd6a929f64c2b1efe2d52c1c4985
SHA1962cb227f81f885f23826c3e040aa9dbc97659cf
SHA256996b5d59cce7955b4374bd00d83c422d3a1d9ffebba59c66074c37ab28cfaeb5
SHA5123f64c35e72698ea6a7e708a4367277f3ab62c27f0652e0c55bab6e02239ee37c4f0a21503c0688301fb77bbf8e59e3c5c8aa2df8d62a4ab8a9b9cdf6f0a775cf
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
2KB
MD5b94b2c9b82f6d491f905dabd4b1c9069
SHA1aa3ffb8acc8b306dd4b76a44ce5889350ced0952
SHA256b91ce4bca71e439c20faba8fb2384efe87a71a8c0ac2a44061888589cbc89a11
SHA5128a627721f668fba9c3ac276953939877bae40f99838fe993ceb4f6a5a64ed90603a11d119941f71a57e8dbb8d46ef8f7e14c043b72609cc33394cc87abf96d10
-
Filesize
28.2MB
MD5ef294458016f546c5eebd07d2dd98bad
SHA166bb14f670055272e12899d401b8668cad15fac9
SHA256c17c018f5df7a413dc053a325b6c291c9cd84f1b9e2415ffe205e02a7e5d6b4a
SHA51297ee150f49bb587147f30d2215174f5376420abd5d659a2c68d58bc67f823715030cc328eab7e11623f4ee8504f1f080ceb44ac2d6fca7c636ea8d7c936f0333
-
C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\nKecPJAaIeFB.exe.log
Filesize1KB
MD5122cf3c4f3452a55a92edee78316e071
SHA1f2caa36d483076c92d17224cf92e260516b3cbbf
SHA25642f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
SHA512c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c
-
Filesize
24.1MB
MD5b3dbb01f64836dd7868f6052e12bc6a6
SHA17ecaaa81392adbfb9cd1f885c7d9102879b00e25
SHA25620f224401f9d8b6778e121a651aea92604df66708dea32e803d6e1558ebdfa23
SHA5125391f412895ab4497a013670119ce048b29fb269878a3ba9ca25923d95148bad34f375cd423301fd444b632770d4b47f5658c22f498cbad64db42fe9b824666b
-
\??\Volume{ff55cfe6-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{22748646-e610-4438-a06b-3a0bb54c46f1}_OnDiskSnapshotProp
Filesize6KB
MD5a4dcdabd7d8131de69eeb205b32f9353
SHA1e8d856ba1888aeee22845b9d7152a4303628570b
SHA256ab03315d3086eaf953e5aa73d527b3faa8b92545f38da41e50ccafd14b4e53ff
SHA5122918c1c7f08106adde47369094c1c37eb9b48bd614b0897166dc752e993eab491d5f1bc2e024ba97493d55a01efa8698f81658886aef9c3c195d33f5d67b41ee