Malware Analysis Report

2024-12-07 13:53

Sample ID 241119-kkt3jsseqe
Target 4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi.vir
SHA256 4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d
Tags discovery execution persistence privilege_escalation gh0strat purplefox rat rootkit trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d

Threat Level: Known bad

The file 4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi.vir was found to be: Known bad.

Malicious Activity Summary

Gh0st RAT payload

Detect PurpleFox Rootkit

Gh0strat family

Purplefox family

PurpleFox

Gh0strat

Command and Scripting Interpreter: PowerShell

Enumerates connected drives

Drops file in System32 directory

Drops file in Program Files directory

Executes dropped EXE

Drops file in Windows directory

System Location Discovery: System Language Discovery

System Network Configuration Discovery: Internet Connection Discovery

Event Triggered Execution: Installer Packages

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Checks SCSI registry key(s)

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious behavior: CmdExeWriteProcessMemorySpam

Uses Volume Shadow Copy service COM API

Modifies data under HKEY_USERS

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-19 08:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-19 08:40

Reported 2024-11-19 08:43

Platform win7-20241010-en

Max time kernel 139s

Max time network 121s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Each of the following 23 drive letters was opened twice by msiexec.exe (46 events in total); the rows are listed once, in order of first occurrence:
Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File created C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File created C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File created C:\Program Files\CPUAimLinux\WhatsApp1.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File created C:\Program Files\CPUAimLinux\hHILqDIvDmMm C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File created C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files\CPUAimLinux\VC_redist.x64.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\hHILqDIvDmMm C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSID6CF.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76d58a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76d588.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f76d587.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76d588.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76d587.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = e09d2fb95e3adb01 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\81E1A12860514854ABF64A65117DF8A4 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Version = "84344839" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB99463B25670384096A57D9C0EE62BE\81E1A12860514854ABF64A65117DF8A4 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\ProductName = "CPUAimLinux" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\PackageCode = "C9E0E5BB8EB593F42ABE1AE58FB7B24A" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\81E1A12860514854ABF64A65117DF8A4\ProductFeature C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB99463B25670384096A57D9C0EE62BE C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\PackageName = "4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A (2 events)
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A (50 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A (7 events)
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A (3 events)
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: 35 N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: 35 N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 1452 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe (5 events)
PID 1452 wrote to memory of 580 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (3 events)
PID 1452 wrote to memory of 2336 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe (3 events)
PID 2336 wrote to memory of 796 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe (4 events)
PID 2336 wrote to memory of 808 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE (3 events)
PID 2336 wrote to memory of 2128 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe (4 events)
PID 1452 wrote to memory of 2636 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe (4 events)
PID 1452 wrote to memory of 1512 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\CPUAimLinux\WhatsApp1.exe (3 events)
PID 1452 wrote to memory of 1800 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\taskkill.exe (3 events)
PID 1512 wrote to memory of 1356 N/A C:\Program Files\CPUAimLinux\WhatsApp1.exe C:\Windows\system32\WerFault.exe (3 events)

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005DC" "00000000000005A4"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 56B252D9CF853C7DDBDBC70503BA860F M Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\CPUAimLinux','C:\Program Files','C:\Program Files'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y

C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe

"C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe

"C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y

C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe

"C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 169 -file file3 -mode mode3

C:\Program Files\CPUAimLinux\WhatsApp1.exe

"C:\Program Files\CPUAimLinux\WhatsApp1.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1512 -s 632

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V
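
The process list above records the whole installer chain in clear text, which makes it a good input for command-line triage: an `msiexec` custom action (the `-Embedding` host) spawns PowerShell to add Defender exclusions, `cmd.exe` drives a renamed extractor that unpacks two password-protected blobs, `ping 127.0.0.1 -n 2` is used as a sleep, and `taskkill` kills the installer. The following Python is an added example written for this page, not code from the sandbox or from the report. It rebuilds the events from the Processes section and flags those four behaviours. Assumptions: the parent links (the report prints no PID tree here; they are inferred from the WriteProcessMemory rows and the msiexec custom-action model), the `KNOWN_ARCHIVERS` and `BROAD_ROOTS` sets, and the ATT&CK mappings. The `x … -o… -p… -x!… -y` argument shape is 7-Zip's command-line syntax; the report does not say what `fXlHSNCgjpwhjcbESorcUuElETFupI.exe` actually is, so the code only notes that the binary is not named like the 7-Zip CLI.

```python
"""Command-line triage for the execution chain recorded above.

Added example; not code from the sandbox or from this report. EVENTS is
rebuilt from the Processes section as (image, command line, parent image);
the parent links are assumptions drawn from the WriteProcessMemory rows and
the msiexec custom-action model. Findings are (rule, technique, image, detail),
technique being an ATT&CK ID where one clearly applies, else the report's tag.
"""
from __future__ import annotations
import re
from pathlib import PureWindowsPath

PF = r"C:\Program Files\CPUAimLinux"
ARCHIVER = PF + r"\fXlHSNCgjpwhjcbESorcUuElETFupI.exe"
MSIEXEC = r"C:\Windows\system32\msiexec.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXTRACT1 = ('"' + ARCHIVER + '" x "' + PF + r'\sCoWxepalfWCObCLKnAyaHfPkmbWUL"'
            r' -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y')
EXTRACT2 = ('"' + ARCHIVER + '" x "' + PF + r'\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX"'
            r' -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe"'
            r' -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\"'
            r' -p"86225)AYVohjF3DD0{k[" -y')
EVENTS = [  # constructed from the report; "" = parent not shown
    (MSIEXEC, r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi", ""),
    (MSIEXEC, r"C:\Windows\system32\MsiExec.exe -Embedding 56B252D9CF853C7DDBDBC70503BA860F M Global\MSI0000", MSIEXEC),
    (PS, '"' + PS + "\" -Command Add-MpPreference -ExclusionPath "
     r"'C:\Program Files\CPUAimLinux','C:\Program Files','C:\Program Files'", MSIEXEC),
    (CMD, '"' + CMD + '" /c start /min "" ' + EXTRACT1 + ' & ping 127.0.0.1 -n 2 & start /min "" ' + EXTRACT2, MSIEXEC),
    (ARCHIVER, EXTRACT1, CMD),
    (r"C:\Windows\system32\PING.EXE", "ping 127.0.0.1 -n 2", CMD),
    (ARCHIVER, EXTRACT2, CMD),
    (PF + r"\hHILqDIvDmMm.exe", '"' + PF + r'\hHILqDIvDmMm.exe" -number 169 -file file3 -mode mode3', MSIEXEC),
    (PF + r"\WhatsApp1.exe", '"' + PF + r'\WhatsApp1.exe"', MSIEXEC),
    (r"C:\Windows\System32\taskkill.exe", r'"C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe', MSIEXEC),
    (r"C:\Windows\system32\WerFault.exe", r"C:\Windows\system32\WerFault.exe -u -p 1512 -s 632", PF + r"\WhatsApp1.exe"),
]

_EXCL = re.compile(r"Add-MpPreference\b.*?-Exclusion(?:Path|Process|Extension)\s+(.+)", re.I)
_EXTRACT = re.compile(r'"(?P<tool>[^"]+)"\s+x\s+"(?P<archive>[^"]+)"(?P<opts>[^&]*)')
_PING = re.compile(r"\bping(?:\.exe)?\s+127\.0\.0\.1\s+-n\s+(\d+)", re.I)
KNOWN_ARCHIVERS = {"7z.exe", "7za.exe", "7zr.exe"}  # assumed: expected names for this CLI syntax
BROAD_ROOTS = {"c:", r"c:\windows", r"c:\program files", r"c:\program files (x86)"}  # assumed

def _base(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def defender_exclusions(cmdline: str) -> list[str]:
    """Entries an Add-MpPreference -Exclusion* call adds ([] if the line has none)."""
    m = _EXCL.search(cmdline)
    if not m:
        return []
    quoted = re.findall(r"'([^']+)'|\"([^\"]+)\"", m.group(1))
    return [a or b for a, b in quoted] or [t.strip() for t in m.group(1).split(",") if t.strip()]

def archive_extractions(cmdline: str) -> list[dict]:
    """Every 7-Zip-syntax 'x <archive> -o<dir> -p<pw> -x!<name> -y' call on the line."""
    found = []
    for m in _EXTRACT.finditer(cmdline):
        opts = m.group("opts")  # options up to the next '&' of a cmd.exe chain
        pw = re.search(r'-p"([^"]*)"|-p(\S+)', opts)
        od = re.search(r'-o"([^"]*)"|-o(\S+)', opts)
        found.append({"tool": m.group("tool"), "archive": m.group("archive"),
                      "outdir": None if od is None else (od.group(1) if od.group(1) is not None else od.group(2)),
                      "password": None if pw is None else (pw.group(1) if pw.group(1) is not None else pw.group(2)),
                      "excludes": re.findall(r'-x!"([^"]*)"', opts)})
    return found

def loopback_ping_delay(cmdline: str) -> int | None:
    """The -n count of a 'ping 127.0.0.1 -n N' used as a sleep, or None."""
    m = _PING.search(cmdline)
    return int(m.group(1)) if m else None

def taskkill_targets(cmdline: str) -> list[str]:
    return re.findall(r"/IM\s+(\S+)", cmdline, re.I) if "taskkill" in cmdline.lower() else []

def analyze(events: list[tuple[str, str, str]]) -> list[tuple[str, str, str, str]]:
    found = []
    for image, cmdline, parent in events:
        name = _base(image)
        if _base(parent) == "msiexec.exe" and name in {"powershell.exe", "cmd.exe", "taskkill.exe"}:
            found.append(("msiexec-custom-action-spawn", "T1218.007", image, f"installer spawned {name}"))
        excl = defender_exclusions(cmdline)
        if excl:  # whole-tree exclusions hide far more than the drop directory
            broad = sorted({p for p in excl if p.rstrip("\\").lower() in BROAD_ROOTS})
            found.append(("defender-exclusion-added", "T1562.001", image,
                          f"{len(set(excl))} unique path(s); whole-tree exclusions: {broad}"))
        for ex in archive_extractions(cmdline):
            if ex["password"] is not None:
                renamed = _base(ex["tool"]) not in KNOWN_ARCHIVERS
                found.append(("password-archive-extract", "T1140", image,
                              f"{_base(ex['archive'])} -> {ex['outdir']} (renamed archiver={renamed}, "
                              f"excludes={len(ex['excludes'])}, password in cmdline)"))
        n = loopback_ping_delay(cmdline)
        if n is not None:
            found.append(("ping-loopback-sleep", "T1497.003", image, f"ping -n {n}, roughly {n - 1}s"))
        for tgt in taskkill_targets(cmdline):
            forced = bool(re.search(r"/F\b", cmdline, re.I))
            found.append(("taskkill", "evasion", image, f"kills {tgt} (forced={forced})"))
    return found

if __name__ == "__main__":
    for rule, tech, image, detail in analyze(EVENTS):
        print(f"{tech:<10} {rule:<28} {_base(image):<16} {detail}")
```

Run as-is it prints eleven findings for this chain. Two are worth acting on straight away: the exclusion list covers all of `C:\Program Files`, not only the drop directory, so anything later written under that tree is invisible to Defender; and both archive passwords are sitting in the recorded command lines, so the two blobs listed under Files (`sCoWxepalfWCObCLKnAyaHfPkmbWUL`, `cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX`) can be opened offline for static analysis. In production the same three fields (image, command line, parent image) come from Sysmon event 1 or Security event 4688 with command-line auditing enabled.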

Network

Country Destination Domain Proto
US 8.8.8.8:53 im.qq.com udp

Files

memory/1452-12-0x0000000000180000-0x0000000000190000-memory.dmp

memory/580-17-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

memory/580-18-0x0000000002850000-0x0000000002858000-memory.dmp

C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe

MD5 c31c4b04558396c6fabab64dcf366534
SHA1 fa836d92edc577d6a17ded47641ba1938589b09a
SHA256 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL

MD5 048cee96f68a4c516b3aa1a8a4781e46
SHA1 5582bb564630c5ead8704d06bcdb427dd9840de5
SHA256 835e566ab875a5dd955882f57ea01cb2dcc5a82755821a6e951d6eb5a4005293
SHA512 2bf13570a5c83b4912ed04759c082a24ba8e53ce0dfae74d80032c075f7a1bc55e47c29014bd71332ff87b5c1f2065259b4b24c285bcddc109263204a0f57c32

C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX

MD5 1b772652a5b64c119b00ec06c00311db
SHA1 afeb3bfba34eccadce4d2141d6d59707c83e9583
SHA256 c98f9a50e0240455ce52e01d4b4e94453438a5a5614c2d424bb485ce1db8fbd4
SHA512 5cb2761839634a45c4047cbbe31fc30bf140829630d57104fc27fc770a68b2c7d8209181aba17ace9fe85a3f7b705467c14b2ddbc206aca3c3fd542e666f7882

C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe

MD5 db6688b70f3255877e15541970145e68
SHA1 5f69edadeb9e7dae7f4b034031cb325ce1c7f2bd
SHA256 208f1f3a5928a4b6ea18e91bbbd33ad8d04273f067983e8e09490b1b8a12f7cb
SHA512 72f588728035f844662381e928ed117134ce2bae1be1848204fc1bd753f37fbdfd4a683ff1454ef944643a51c2fe9944a651b2847428f8d15a1c6c026e0ecfce

C:\Program Files\CPUAimLinux\WhatsApp1.exe

MD5 f90ddf18d65bb3153bcdfdc4856ce2a5
SHA1 611376391f17207d60ca8c2ec81354933f8dac45
SHA256 62eef5a5e363624007bc29a6ecd3275aec2e5a67eef058df404d145c90e3a0ce
SHA512 f3f20f216ab6fd055f8d494f2758512413cb1cf121a2b51cae4e7b371a595b4dfe8ed4213aa759ccc4569ad6ed792f936304bfb4aac2952a79a3b2bccd293316

C:\Config.Msi\f76d589.rbs

MD5 fe2040449600ff19d25aa62cc1c51104
SHA1 b32b83378744727730180a52f6904c3ff001ce16
SHA256 eb688de283a2318e5167e1e10a22105e22161a8b22b197d5ab57a7ef82b3d75b
SHA512 a045ab5432d10c9e67cbdb874fa72e3dbb44e73ac3e63b2edc35766e6038f65741d519f7a949cc9757d29e569450bd5e41b18a4a2c3db0b8ac27b5f8844473ad

memory/2636-54-0x000000002B240000-0x000000002B26F000-memory.dmp

memory/1512-57-0x0000000001140000-0x0000000001242000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-19 08:40

Reported

2024-11-19 08:43

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

154s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\X: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\W: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\N: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\V: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\B: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\I: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\L: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\P: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\Y: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DRrFaPIBzOdg.exe.log C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\hHILqDIvDmMm C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe N/A
File created C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File created C:\Program Files\CPUAimLinux\hHILqDIvDmMm C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File created C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File created C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe C:\Windows\System32\MsiExec.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe N/A
File created C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\CPUAimLinux\VC_redist.x64.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\CPUAimLinux\WhatsApp1.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File created C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File created C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File created C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe C:\Windows\System32\MsiExec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{821A1E18-1506-4584-BA6F-A45611D78F4A} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID205.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57d0a0.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57d09e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57d09e.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A
N/A N/A C:\Windows\System32\cmd.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 0100000000000000bc2090c45e3adb01 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow\Top = "0" C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E44E9428-BDBC-4987-A099-40DC8FD255E7} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF = 0100000000000000b0cd5fc45e3adb01 C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent" C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0" C:\Windows\System32\MsiExec.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\CTF\CUAS\DefaultCompositionWindow C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow\Left = "0" C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\CUAS C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-55175 = "Internet Explorer" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key created \REGISTRY\USER\S-1-5-18_Classes\Local Settings C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave" C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\System32\WScript.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\PackageName = "4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB99463B25670384096A57D9C0EE62BE\81E1A12860514854ABF64A65117DF8A4 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Version = "84344839" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB99463B25670384096A57D9C0EE62BE C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\81E1A12860514854ABF64A65117DF8A4 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\81E1A12860514854ABF64A65117DF8A4\ProductFeature C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4 C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\ProductName = "CPUAimLinux" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\PackageCode = "C9E0E5BB8EB593F42ABE1AE58FB7B24A" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: 35 (privilege LUID not resolved by the sandbox; LUID 35 is SeCreateSymbolicLinkPrivilege) N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: 35 (privilege LUID not resolved by the sandbox; LUID 35 is SeCreateSymbolicLinkPrivilege) N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1364 wrote to memory of 4904 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1364 wrote to memory of 4904 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1364 wrote to memory of 1152 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 1364 wrote to memory of 1152 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 1152 wrote to memory of 4984 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1152 wrote to memory of 4984 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1152 wrote to memory of 3924 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1152 wrote to memory of 3924 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 3924 wrote to memory of 3108 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 3924 wrote to memory of 3108 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 3924 wrote to memory of 3108 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 3924 wrote to memory of 3564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3924 wrote to memory of 3564 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3924 wrote to memory of 2844 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 3924 wrote to memory of 2844 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 3924 wrote to memory of 2844 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 1152 wrote to memory of 2280 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 1152 wrote to memory of 2280 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 1152 wrote to memory of 2280 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 1152 wrote to memory of 3724 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\CPUAimLinux\WhatsApp1.exe
PID 1152 wrote to memory of 3724 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\CPUAimLinux\WhatsApp1.exe
PID 1152 wrote to memory of 3828 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\taskkill.exe
PID 1152 wrote to memory of 3828 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\taskkill.exe
PID 4808 wrote to memory of 1936 N/A C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 4808 wrote to memory of 1936 N/A C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 4808 wrote to memory of 1936 N/A C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 1936 wrote to memory of 4748 N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 1936 wrote to memory of 4748 N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 1936 wrote to memory of 4748 N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe

Uses Volume Shadow Copy service COM API

Tag: ransomware (the signature's generic tag). In this run the VSS activity is consistent with the Windows Installer restore-point step rather than shadow-copy tampering: srtasks.exe ExecuteScopeRestorePoint and vssvc.exe run under msiexec.exe, vssvc.exe only enables SeBackupPrivilege, SeRestorePrivilege and SeAuditPrivilege (see the AdjustPrivilegeToken and Processes sections), and no shadow-copy deletion is recorded.

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 7D9ED90F3DC65945FB3AAEF6E8A6DB6D E Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\CPUAimLinux','C:\Program Files','C:\Program Files'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y

C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe

"C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe

"C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y

C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe

"C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 169 -file file3 -mode mode3

C:\Program Files\CPUAimLinux\WhatsApp1.exe

"C:\Program Files\CPUAimLinux\WhatsApp1.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs"

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe

"C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe" install

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe

"C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe" start

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe

"C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe"

C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe

"C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 205 -file file3 -mode mode3

C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe

"C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 62 -file file3 -mode mode3

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

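The command lines above describe a fixed installer chain: the MSI custom-action host (MsiExec.exe -Embedding) runs PowerShell to add Defender exclusions, then a cmd.exe chain that uses a renamed binary with 7-Zip extraction syntax (x archive -o dir -p password -y) to unpack two password-protected drops, with ping 127.0.0.1 -n 2 as a delay between them, and finally taskkill /F /IM msiexec.exe. The following is an added example, not part of this report or of any vendor's ruleset, showing detection logic for that chain run over constructed process-creation records. The records reuse the report's PIDs and command lines plus one constructed benign control; the field names, rule names and the Sysmon Event ID 1 framing are my assumptions. As a by-product it recovers the archive passwords from the command lines so the dropped archives can be unpacked offline.

```python
"""Added example, not from the sandbox report: detection logic for the installer chain
in the Processes section, run over constructed process records that reuse the report's
PIDs and command lines. Field and rule names are assumptions (Sysmon Event ID 1 style)."""
import re
from collections import namedtuple

ProcEvent = namedtuple("ProcEvent", "pid ppid image cmdline")

# Windows-style splitting: a quoted span stays glued to its switch, so -o"C:\x\" is one token.
_TOKEN = re.compile(r'(?:[^\s"]+|"[^"]*")+')
_CMD_NOISE = {"/c", "start", "/min", ""}                # cmd.exe wrapper tokens
_7Z_NAMES = {"7z.exe", "7za.exe", "7zr.exe", "7zg.exe"}

def basename(path):
    return path.replace('"', "").rsplit("\\", 1)[-1]

def tokenize(cmdline):
    return [t.replace('"', "") for t in _TOKEN.findall(cmdline)]

def split_chain(tokens):
    """Split a cmd.exe chain ('a & b && c') into its separate invocations."""
    segs = [[]]
    for t in tokens:
        if t in ("&", "&&", "|", "||"):
            segs.append([])
        else:
            segs[-1].append(t)
    return [s for s in segs if s]

def parse_7z_extract(seg):
    """Recognise 7-Zip extraction syntax (x|e archive -o.. -p.. -x!.. -y) and return
    archive, output dir, password and exclusions (enough to unpack the drop offline)."""
    toks = [t for t in seg if t.lower() not in _CMD_NOISE and basename(t).lower() not in ("cmd", "cmd.exe")]
    if len(toks) < 3 or toks[1].lower() not in ("x", "e") or not any(t.startswith("-") for t in toks[2:]):
        return None
    info = {"image": toks[0], "archive": None, "outdir": None, "password": None, "exclude": []}
    for t in toks[2:]:
        if t.startswith("-o"):
            info["outdir"] = t[2:]
        elif t.startswith("-p"):
            info["password"] = t[2:]
        elif t.startswith("-x!"):
            info["exclude"].append(t[3:])
        elif not t.startswith("-") and info["archive"] is None:
            info["archive"] = t                         # first positional argument
    if info["archive"] is None:
        return None
    info["renamed_7z"] = basename(toks[0]).lower() not in _7Z_NAMES
    return info

def detect(events):
    """Return (rule, pid, detail) triples for the chain components present."""
    by_pid = {e.pid: e for e in events}
    out = []
    for e in events:
        me, low = basename(e.image).lower(), e.cmdline.lower()
        pa = basename(by_pid[e.ppid].image).lower() if e.ppid in by_pid else ""
        # Defender exclusion written by an installer child (ATT&CK T1562.001).
        if me == "powershell.exe" and "add-mppreference" in low and "-exclusionpath" in low:
            out.append(("defender_exclusion", e.pid, ";".join(re.findall(r"'([^']+)'", e.cmdline))))
        # Password-protected archive unpacked by a (renamed) 7-Zip, even inside a '&' chain.
        for info in map(parse_7z_extract, split_chain(tokenize(e.cmdline))):
            if info and info["password"] is not None:
                out.append(("pw_archive_extract", e.pid,
                            f"{basename(info['archive'])} renamed_7z={info['renamed_7z']}"))
        # The install's custom action kills its own msiexec host.
        if me == "taskkill.exe" and "/im msiexec.exe" in low and pa == "msiexec.exe":
            out.append(("msiexec_self_kill", e.pid, e.cmdline))
        # Loopback ping as a sleep between steps: weak alone, telling next to the above.
        if me == "ping.exe" and pa == "cmd.exe" and re.search(r"127\.0\.0\.1\s+-n\s+\d+", low):
            out.append(("ping_sleep", e.pid, e.cmdline))
    return out

def archive_passwords(events):
    found = {}                                          # archive basename -> password
    for e in events:
        for info in map(parse_7z_extract, split_chain(tokenize(e.cmdline))):
            if info and info["password"] is not None:
                found[basename(info["archive"])] = info["password"]
    return found

CMD_CHAIN = (  # cmd.exe PID 3924's command line, copied from the report
    r'"C:\Windows\System32\cmd.exe" /c start /min "" '
    r'"C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x '
    r'"C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" '
    r'-o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y & ping 127.0.0.1 -n 2 & '
    r'start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x '
    r'"C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" '
    r'-x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" '
    r'-x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y')

SAMPLE_EVENTS = [  # PIDs and command lines from the report; last record is a constructed benign control
    ProcEvent(1152, 1364, r"C:\Windows\System32\MsiExec.exe",
              r"C:\Windows\System32\MsiExec.exe -Embedding 7D9ED90F3DC65945FB3AAEF6E8A6DB6D E Global\MSI0000"),
    ProcEvent(4984, 1152, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference '
              r"-ExclusionPath 'C:\Program Files\CPUAimLinux','C:\Program Files','C:\Program Files'"),
    ProcEvent(3924, 1152, r"C:\Windows\System32\cmd.exe", CMD_CHAIN),
    ProcEvent(3564, 3924, r"C:\Windows\system32\PING.EXE", "ping 127.0.0.1 -n 2"),
    ProcEvent(3828, 1152, r"C:\Windows\System32\taskkill.exe",
              r'"C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe'),
    ProcEvent(9001, 1152, r"C:\Windows\System32\cmd.exe", "cmd.exe /c echo installed"),
]
```

tokenize keeps a quoted span attached to the switch it is glued to (the -o"C:\Program Files\CPUAimLinux\" form above), which is where a naive shlex.split breaks on Windows paths, and split_chain lets the parser see both 7-Zip calls inside the single cmd.exe /c line. The ping rule is deliberately weak on its own and only carries weight next to the other findings from the same process tree; the detect() result for the sample records is one defender_exclusion, two pw_archive_extract hits (both on the cmd.exe record), one msiexec_self_kill and one ping_sleep, with nothing on the benign control.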
Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 88.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 im.qq.com udp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 dsfgdg5641rfe.icu udp
HK 38.47.221.100:80 dsfgdg5641rfe.icu tcp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
HK 118.107.29.131:13000 N/A tcp
US 8.8.8.8:53 fgh523fg4juty.cyou udp
HK 38.47.218.35:18999 fgh523fg4juty.cyou tcp
US 8.8.8.8:53 35.218.47.38.in-addr.arpa udp
HK 118.107.29.132:13000 N/A tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
HK 118.107.29.131:13000 N/A tcp
HK 118.107.29.132:13000 N/A tcp
HK 118.107.29.131:13000 N/A tcp
HK 118.107.29.132:13000 N/A tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
HK 118.107.29.131:13000 N/A tcp
HK 118.107.29.132:13000 N/A tcp
HK 118.107.29.131:13000 N/A tcp
HK 118.107.29.132:13000 N/A tcp
HK 118.107.29.131:13000 N/A tcp
HK 118.107.29.132:13000 N/A tcp
HK 118.107.29.131:13000 N/A tcp
HK 118.107.29.132:13000 N/A tcp

Files

memory/4984-13-0x000001DF71170000-0x000001DF71192000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_djjlpnl1.nhd.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe

MD5 c31c4b04558396c6fabab64dcf366534
SHA1 fa836d92edc577d6a17ded47641ba1938589b09a
SHA256 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL

MD5 048cee96f68a4c516b3aa1a8a4781e46
SHA1 5582bb564630c5ead8704d06bcdb427dd9840de5
SHA256 835e566ab875a5dd955882f57ea01cb2dcc5a82755821a6e951d6eb5a4005293
SHA512 2bf13570a5c83b4912ed04759c082a24ba8e53ce0dfae74d80032c075f7a1bc55e47c29014bd71332ff87b5c1f2065259b4b24c285bcddc109263204a0f57c32

C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX

MD5 1b772652a5b64c119b00ec06c00311db
SHA1 afeb3bfba34eccadce4d2141d6d59707c83e9583
SHA256 c98f9a50e0240455ce52e01d4b4e94453438a5a5614c2d424bb485ce1db8fbd4
SHA512 5cb2761839634a45c4047cbbe31fc30bf140829630d57104fc27fc770a68b2c7d8209181aba17ace9fe85a3f7b705467c14b2ddbc206aca3c3fd542e666f7882

C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe

MD5 db6688b70f3255877e15541970145e68
SHA1 5f69edadeb9e7dae7f4b034031cb325ce1c7f2bd
SHA256 208f1f3a5928a4b6ea18e91bbbd33ad8d04273f067983e8e09490b1b8a12f7cb
SHA512 72f588728035f844662381e928ed117134ce2bae1be1848204fc1bd753f37fbdfd4a683ff1454ef944643a51c2fe9944a651b2847428f8d15a1c6c026e0ecfce

C:\Program Files\CPUAimLinux\WhatsApp1.exe

MD5 f90ddf18d65bb3153bcdfdc4856ce2a5
SHA1 611376391f17207d60ca8c2ec81354933f8dac45
SHA256 62eef5a5e363624007bc29a6ecd3275aec2e5a67eef058df404d145c90e3a0ce
SHA512 f3f20f216ab6fd055f8d494f2758512413cb1cf121a2b51cae4e7b371a595b4dfe8ed4213aa759ccc4569ad6ed792f936304bfb4aac2952a79a3b2bccd293316

memory/3724-53-0x00000206559C0000-0x0000020655AC2000-memory.dmp

C:\Config.Msi\e57d09f.rbs

MD5 e4c4c274a0ff1d144ecf1dc3c7001e4f
SHA1 e75ca40843ed749087d76cdd66bc707ca8e77c77
SHA256 60f03988a2749d380ac973f5ed7bb7746d0759ba2e2e1cb04edc90b8cb5aecf2
SHA512 62955054e5375c070a08ff4163e21ede0741767deba368d5c9e61ab992361a2475347166ae09f98d169aa15abc30b2fe69f878148eabdedfd04d99155145d001

C:\Windows\Installer\e57d09e.msi

MD5 756b1b81669fb5b5d745c83ced428cb1
SHA1 c573e1f1d32780c808db53e5fd5e571d617816e6
SHA256 4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d
SHA512 d9fd646383ff4fa82a920068b2141a94bd10424c5465040066d28be78be83ad730915b50bf1dfea9c2ed03b4a6b2287a19078a235a78aa835148a0381f5b00da

memory/2280-66-0x000000002A360000-0x000000002A38F000-memory.dmp

memory/3724-68-0x0000020670130000-0x000002067013A000-memory.dmp

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe

MD5 d305d506c0095df8af223ac7d91ca327
SHA1 679cb4c763c84e75ccb0fa3475bd6b7a36e81c4a
SHA256 923111c7142b3dc783a3c722b19b8a21bcb78222d7a136ac33f0ca8a29f4cb66
SHA512 94d369a4db88bff9556a1d7a7fb0188ed935c3592bae09335542c5502ec878e839177be63ac3ab4af75d4dc38a3a4f5d0fd423115ac72cf5dd710c59604db796

C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs

MD5 6c1dc3d5a28bb7d9cd6b3727ea453446
SHA1 1fef050968fb54a54ec19c3b620d2f19706baac8
SHA256 6acdc010db5a967bd19b86ad766d547a72de8ad12f773d10d4e09df1d1c3219a
SHA512 08a16406777e228a54ad71f962f8c50073d3b2d5c3e5822a27f5df0ee9bbf5fe13a08d3b38f2378f0efac12aa6da767d91e2e1f0a324f8888d9fe09edb1709ad

memory/4772-73-0x0000000000C70000-0x0000000000D46000-memory.dmp

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml

MD5 822ca0d7e00ebb7b990ddea17a3a634d
SHA1 2a915168df2a2ee8ddfc1f31454c3055d9e1da93
SHA256 d48912dbd6aa6c11fb5e7b4a525018e0981aff798dd9e6fe429c32989101c4bb
SHA512 cfddae00c0b91d5547413e80f801128e838b2888f6cbebed5506f613ff18dfc59b5e34b86bfeb0b3244675e583359395f211392c5532fad5f9c3b39275424d89

memory/3724-77-0x0000020670970000-0x0000020670A2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TmpF666.tmp

MD5 a10f31fa140f2608ff150125f3687920
SHA1 ec411cc7005aaa8e3775cf105fcd4e1239f8ed4b
SHA256 28c871238311d40287c51dc09aee6510cac5306329981777071600b1112286c6
SHA512 cf915fb34cd5ecfbd6b25171d6e0d3d09af2597edf29f9f24fa474685d4c5ec9bc742ade9f29abac457dd645ee955b1914a635c90af77c519d2ada895e7ecf12

memory/3724-92-0x0000020670290000-0x00000206702A2000-memory.dmp

memory/3724-97-0x00000206702F0000-0x000002067032C000-memory.dmp

memory/3724-98-0x0000020670360000-0x0000020670368000-memory.dmp

memory/3724-99-0x00000206733C0000-0x00000206733F8000-memory.dmp

memory/3724-100-0x0000020670E80000-0x0000020670E8E000-memory.dmp

\??\Volume{62c5c1e3-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9ff6b284-bea0-4c92-bc3a-eac8977c8d8e}_OnDiskSnapshotProp

MD5 6be6670160ce6e9dc98673f4ccc749ad
SHA1 d5582c1212bdc96153afd88b803c325d1f44ac37
SHA256 b59f18c5293d31d392ba7a62401c80f8f556f1d87d3ce387c4371dd3c1b4ef5c
SHA512 bb7d8b0b5a7cb595e4afef31f7e78615e430a833b3af08559bfc5737812359e31098d51fc9350f188d1aacd8341b660eb074df91a48692a5cf1b5a0f03d15010

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 cae98054598655c842355d124c89ac75
SHA1 d9029f74a1e59f4ab2a91b451939af5e90c8847a
SHA256 6abb6f7664d0dae48a29bd48a314eaa143a9a116b298d30f84909fb1c70b0b22
SHA512 e701640d594672fc3361b740136e5d35f6aef31b58cec4e391ef82221bd0f36e73a1750009ae65d485965a568df7e76e0f613382590f4ab4bc878bf6413dc7fd

memory/3724-103-0x0000020673450000-0x0000020673476000-memory.dmp

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DRrFaPIBzOdg.exe.log

MD5 122cf3c4f3452a55a92edee78316e071
SHA1 f2caa36d483076c92d17224cf92e260516b3cbbf
SHA256 42f5774d1ee4cae5d7a4e83970da42bb17e61ae93c312247211b5ee3535662e0
SHA512 c98666fb86aaff6471c0a96f12f037b9a607579c5891c9d7ba8cd4e90506ca7aa5b5f6264081d25f703c88fb69d8e2cd87809d508e771770550d0c5d4d17d91c

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log

MD5 de37d8032bcea161604a9de6bbee3477
SHA1 d962dccc00cbbaf848aeb8197e86f787d4322013
SHA256 58dfd3758318d10d9b5a52b877daa86858648cdd01c99376da0c22e22b84fa26
SHA512 38344da2759b1f803037141213b5df85d76c12e9ed06e7d7bfba79b27fe723aa907b42491d32c56598273dd4e03bca8d381a4dbccf9df7dee2e23192860b900f

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log

MD5 fb3ef75180954b67f6fbc4b6b6ed9260
SHA1 df2207ea37ef13f5e0d8e027a108093ecb788fd6
SHA256 bed2d253e0c1f8145088d3808f5bbff3b2e3d872f2554ce3f8bfbc1776f6b2e7
SHA512 8f274155005a78a41c07ec58904d5343ad5d9e3dae72c1fa472cb2d5e6b79b760fcebf8a4886b673fca5ee119f8c047985f9548a0ebd34bea759245eba942a2c

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log

MD5 f866929182df5ea714ccd43666471aff
SHA1 a078b42313157f53f915f138cd96360591f86d76
SHA256 e5bc1fae7e2403d337cc8944c54ca0c56bbd08a50c81a74521dd0a74061ae0f6
SHA512 0029a2d6fb476667c0ae5350f1f8144baa35bd97bca64920ebad7c591ad3c3dc7ce4c8e5bdc5514499412d3fc9d5e01f583c2c142fa6c0ee694ccbd835cbb3ed

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log

MD5 e8b08d71a300c9aa199dc9f8951d7565
SHA1 6da50e2881ba3b0921174cc0fc34e8946e06bc5d
SHA256 fa0b1076bba423508a720138379c6c390bf6d073475aa3bfc5b15d6318f6acb9
SHA512 a43051a675ec8574518c971b8f7937cfa6a38ddce3013fc43f7238f280b15cad9873302dedea1aec442b964bcaae219ed63f0e9b54c2ea4e50161a3fed70bec8

memory/4748-127-0x000000002A410000-0x000000002A45D000-memory.dmp

C:\Program Files\CPUAimLinux\hHILqDIvDmMm

MD5 adb7908cc0c5a2b6800dcc1474006154
SHA1 96f081444d4329dbd49eec5003096c2286f8c74e
SHA256 9e0c0405ea29b1f3a72a65244c11bb00cacd8ca3a0c212df4f81ac30090a41d0
SHA512 69f97d773949a036cca02dfa40db365353975b70dabe2b38e74034882b2857c5002c43e3dc0427d9b13cce50d5451a9452c0682df19905c3efbf7077877b47f0

memory/4748-129-0x000000002C140000-0x000000002C2FC000-memory.dmp

memory/4748-132-0x000000002C140000-0x000000002C2FC000-memory.dmp

memory/4748-133-0x000000002C140000-0x000000002C2FC000-memory.dmp