Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 19-11-2024 08:40

Static task: static1

Behavioral task: behavioral1
Sample: 4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi
Resource: win7-20241010-en

Behavioral task: behavioral2
Sample: 4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi
Resource: win10v2004-20241007-en

General
Target: 4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi
Size: 27.1MB
MD5: 756b1b81669fb5b5d745c83ced428cb1
SHA1: c573e1f1d32780c808db53e5fd5e571d617816e6
SHA256: 4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d
SHA512: d9fd646383ff4fa82a920068b2141a94bd10424c5465040066d28be78be83ad730915b50bf1dfea9c2ed03b4a6b2287a19078a235a78aa835148a0381f5b00da
SSDEEP: 786432:G3OL1MXJ/fZz/yft39ldEQk9EzbR8VP0wiVD8Kyt:iOL1MXJ3Zz/etDdEQfHm10LU
Malware Config
Signatures
-
| resource | yara_rule |
|---|---|
| behavioral2/memory/4748-129-0x000000002C140000-0x000000002C2FC000-memory.dmp | purplefox_rootkit |
| behavioral2/memory/4748-132-0x000000002C140000-0x000000002C2FC000-memory.dmp | purplefox_rootkit |
| behavioral2/memory/4748-133-0x000000002C140000-0x000000002C2FC000-memory.dmp | purplefox_rootkit |
Gh0st RAT payload 3 IoCs
| resource | yara_rule |
|---|---|
| behavioral2/memory/4748-129-0x000000002C140000-0x000000002C2FC000-memory.dmp | family_gh0strat |
| behavioral2/memory/4748-132-0x000000002C140000-0x000000002C2FC000-memory.dmp | family_gh0strat |
| behavioral2/memory/4748-133-0x000000002C140000-0x000000002C2FC000-memory.dmp | family_gh0strat |
Gh0strat family
-
Purplefox family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
| pid | Process |
|---|---|
| 4984 | powershell.exe |
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 1 IoCs
| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DRrFaPIBzOdg.exe.log | DRrFaPIBzOdg.exe |
Drops file in Program Files directory 21 IoCs
| description | ioc | Process |
|---|---|---|
| File opened for modification | C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX | fXlHSNCgjpwhjcbESorcUuElETFupI.exe |
| File opened for modification | C:\Program Files\CPUAimLinux\hHILqDIvDmMm | fXlHSNCgjpwhjcbESorcUuElETFupI.exe |
| File opened for modification | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe | fXlHSNCgjpwhjcbESorcUuElETFupI.exe |
| File opened for modification | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log | DRrFaPIBzOdg.exe |
| File created | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml | fXlHSNCgjpwhjcbESorcUuElETFupI.exe |
| File created | C:\Program Files\CPUAimLinux\hHILqDIvDmMm | fXlHSNCgjpwhjcbESorcUuElETFupI.exe |
| File created | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs | hHILqDIvDmMm.exe |
| File opened for modification | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log | DRrFaPIBzOdg.exe |
| File opened for modification | C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe | fXlHSNCgjpwhjcbESorcUuElETFupI.exe |
| File created | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe | fXlHSNCgjpwhjcbESorcUuElETFupI.exe |
| File opened for modification | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | MsiExec.exe |
| File opened for modification | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log | DRrFaPIBzOdg.exe |
| File created | C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe | msiexec.exe |
| File created | C:\Program Files\CPUAimLinux\VC_redist.x64.exe | msiexec.exe |
| File created | C:\Program Files\CPUAimLinux\WhatsApp1.exe | msiexec.exe |
| File created | C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX | fXlHSNCgjpwhjcbESorcUuElETFupI.exe |
| File opened for modification | C:\Program Files\CPUAimLinux | hHILqDIvDmMm.exe |
| File created | C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL | msiexec.exe |
| File opened for modification | C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml | fXlHSNCgjpwhjcbESorcUuElETFupI.exe |
| File created | C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe | fXlHSNCgjpwhjcbESorcUuElETFupI.exe |
| File created | C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe | MsiExec.exe |
Drops file in Windows directory 8 IoCs
| description | ioc | Process |
|---|---|---|
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe |
| File created | C:\Windows\Installer\SourceHash{821A1E18-1506-4584-BA6F-A45611D78F4A} | msiexec.exe |
| File opened for modification | C:\Windows\Installer\MSID205.tmp | msiexec.exe |
| File created | C:\Windows\Installer\e57d0a0.msi | msiexec.exe |
| File created | C:\Windows\Installer\e57d09e.msi | msiexec.exe |
| File opened for modification | C:\Windows\Installer\e57d09e.msi | msiexec.exe |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe |
| File opened for modification | C:\Windows\Installer\ | msiexec.exe |
Executes dropped EXE 9 IoCs
| pid | Process |
|---|---|
| 3108 | fXlHSNCgjpwhjcbESorcUuElETFupI.exe |
| 2844 | fXlHSNCgjpwhjcbESorcUuElETFupI.exe |
| 2280 | hHILqDIvDmMm.exe |
| 3724 | WhatsApp1.exe |
| 4772 | DRrFaPIBzOdg.exe |
| 4796 | DRrFaPIBzOdg.exe |
| 4808 | DRrFaPIBzOdg.exe |
| 1936 | hHILqDIvDmMm.exe |
| 4748 | hHILqDIvDmMm.exe |
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
| pid | Process |
|---|---|
| 3012 | msiexec.exe |
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fXlHSNCgjpwhjcbESorcUuElETFupI.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | fXlHSNCgjpwhjcbESorcUuElETFupI.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hHILqDIvDmMm.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hHILqDIvDmMm.exe |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | hHILqDIvDmMm.exe |
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
| pid | Process |
|---|---|
| 3564 | PING.EXE |
| 3924 | cmd.exe |
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | vssvc.exe |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (data omitted) | vssvc.exe |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe |
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
| description | ioc | Process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | hHILqDIvDmMm.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | hHILqDIvDmMm.exe |
Kills process with taskkill 1 IoCs
| pid | Process |
|---|---|
| 3828 | taskkill.exe |
Modifies data under HKEY_USERS 64 IoCs
Modifies registry class 22 IoCs
| description | ioc | Process |
|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Language = "1033" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Assignment = "1" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\AdvertiseFlags = "388" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\PackageName = "4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\InstanceType = "0" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\DeploymentFlags = "3" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB99463B25670384096A57D9C0EE62BE\81E1A12860514854ABF64A65117DF8A4 | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Version = "84344839" | msiexec.exe |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\AuthorizedLUAApp = "0" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB99463B25670384096A57D9C0EE62BE | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Media | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Media\1 = ";" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\81E1A12860514854ABF64A65117DF8A4 | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\81E1A12860514854ABF64A65117DF8A4\ProductFeature | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4 | msiexec.exe |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Clients = 3a0000000000 | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Net | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\ProductName = "CPUAimLinux" | msiexec.exe |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\PackageCode = "C9E0E5BB8EB593F42ABE1AE58FB7B24A" | msiexec.exe |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList | msiexec.exe |
Runs ping.exe 1 TTPs 1 IoCs
| pid | Process |
|---|---|
| 3564 | PING.EXE |
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
| pid | Process |
|---|---|
| 3012 | msiexec.exe |
| 3012 | msiexec.exe |
Suspicious use of SetWindowsHookEx 1 IoCs
| pid | Process |
|---|---|
| 4284 | OpenWith.exe |
Suspicious use of WriteProcessMemory 29 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID: 3012

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 1364

  C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 4904

  C:\Windows\System32\MsiExec.exe
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 7D9ED90F3DC65945FB3AAEF6E8A6DB6D E Global\MSI0000
    - Drops file in Program Files directory
    - Modifies data under HKEY_USERS
    - Suspicious use of WriteProcessMemory
    PID: 1152

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\CPUAimLinux','C:\Program Files','C:\Program Files'
      - Command and Scripting Interpreter: PowerShell
      - Modifies data under HKEY_USERS
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      PID: 4984

    C:\Windows\System32\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y
      - System Network Configuration Discovery: Internet Connection Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3924

      C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
        Command line: "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 3108

      C:\Windows\system32\PING.EXE
        Command line: ping 127.0.0.1 -n 2
        - System Network Configuration Discovery: Internet Connection Discovery
        - Runs ping.exe
        PID: 3564

      C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
        Command line: "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y
        - Drops file in Program Files directory
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 2844

    C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
      Command line: "C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 169 -file file3 -mode mode3
      - Drops file in Program Files directory
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      PID: 2280

    C:\Program Files\CPUAimLinux\WhatsApp1.exe
      Command line: "C:\Program Files\CPUAimLinux\WhatsApp1.exe"
      - Executes dropped EXE
      - Modifies data under HKEY_USERS
      PID: 3724

    C:\Windows\System32\taskkill.exe
      Command line: "C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe
      - Kills process with taskkill
      PID: 3828

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID: 1500

C:\Windows\System32\WScript.exe
  Command line: C:\Windows\System32\WScript.exe "C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs"
  - Modifies data under HKEY_USERS
  PID: 2640

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe
  Command line: "C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe" install
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID: 4772

C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID: 4284

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe
  Command line: "C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe" start
  - Drops file in Program Files directory
  - Executes dropped EXE
  PID: 4796

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe
  Command line: "C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe"
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID: 4808

  C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
    Command line: "C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 205 -file file3 -mode mode3
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1936

    C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
      Command line: "C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 62 -file file3 -mode mode3
      - Enumerates connected drives
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Checks processor information in registry
      PID: 4748

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 1380
Network
MITRE ATT&CK Enterprise v15
Downloads