Malware Analysis Report

2024-12-07 13:54

Sample ID 241119-ksanwaspax
Target 4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi.vir
SHA256 4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d
Tags
discovery execution persistence privilege_escalation gh0strat purplefox rat rootkit trojan
score
10/10

Analysis Overview

score
10/10

SHA256

4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d

Threat Level: Known bad

The file 4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi.vir was found to be: Known bad.

Malicious Activity Summary

discovery execution persistence privilege_escalation gh0strat purplefox rat rootkit trojan

Purplefox family

Detect PurpleFox Rootkit

PurpleFox

Gh0st RAT payload

Gh0strat

Gh0strat family

Command and Scripting Interpreter: PowerShell

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

Executes dropped EXE

System Network Configuration Discovery: Internet Connection Discovery

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

Suspicious behavior: CmdExeWriteProcessMemorySpam

Checks SCSI registry key(s)

Modifies data under HKEY_USERS

Runs ping.exe

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-19 08:51

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-19 08:51

Reported

2024-11-19 08:53

Platform

win7-20240903-en

Max time kernel

141s

Max time network

125s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\CPUAimLinux\WhatsApp1.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File created C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File created C:\Program Files\CPUAimLinux\VC_redist.x64.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\hHILqDIvDmMm C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe C:\Windows\system32\MsiExec.exe N/A
File created C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File created C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File created C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File created C:\Program Files\CPUAimLinux\hHILqDIvDmMm C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f770b47.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f770b48.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f770b47.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICAE.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f770b4a.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f770b48.ipi C:\Windows\system32\msiexec.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 3069283f603adb01 C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\ProductName = "CPUAimLinux" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB99463B25670384096A57D9C0EE62BE C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\81E1A12860514854ABF64A65117DF8A4 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\81E1A12860514854ABF64A65117DF8A4\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\PackageCode = "C9E0E5BB8EB593F42ABE1AE58FB7B24A" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Version = "84344839" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\PackageName = "4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB99463B25670384096A57D9C0EE62BE\81E1A12860514854ABF64A65117DF8A4 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: 35 N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: 35 N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 332 wrote to memory of 1520 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 332 wrote to memory of 1520 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 332 wrote to memory of 1520 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 332 wrote to memory of 1520 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 332 wrote to memory of 1520 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1520 wrote to memory of 2608 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2608 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 2608 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1520 wrote to memory of 1612 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1520 wrote to memory of 1612 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1520 wrote to memory of 1612 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 1612 wrote to memory of 1552 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 1612 wrote to memory of 1552 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 1612 wrote to memory of 1552 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 1612 wrote to memory of 1552 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 1612 wrote to memory of 1516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1612 wrote to memory of 1516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1612 wrote to memory of 1516 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 1612 wrote to memory of 304 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 1612 wrote to memory of 304 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 1612 wrote to memory of 304 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 1612 wrote to memory of 304 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 1520 wrote to memory of 848 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 1520 wrote to memory of 848 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 1520 wrote to memory of 848 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 1520 wrote to memory of 848 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 1520 wrote to memory of 1020 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\CPUAimLinux\WhatsApp1.exe
PID 1520 wrote to memory of 1020 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\CPUAimLinux\WhatsApp1.exe
PID 1520 wrote to memory of 1020 N/A C:\Windows\system32\MsiExec.exe C:\Program Files\CPUAimLinux\WhatsApp1.exe
PID 1520 wrote to memory of 3024 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\taskkill.exe
PID 1520 wrote to memory of 3024 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\taskkill.exe
PID 1520 wrote to memory of 3024 N/A C:\Windows\system32\MsiExec.exe C:\Windows\System32\taskkill.exe
PID 1020 wrote to memory of 3000 N/A C:\Program Files\CPUAimLinux\WhatsApp1.exe C:\Windows\system32\WerFault.exe
PID 1020 wrote to memory of 3000 N/A C:\Program Files\CPUAimLinux\WhatsApp1.exe C:\Windows\system32\WerFault.exe
PID 1020 wrote to memory of 3000 N/A C:\Program Files\CPUAimLinux\WhatsApp1.exe C:\Windows\system32\WerFault.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "00000000000005A8"

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 7DC72E46DDD054285256FC31F8F424C0 M Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\CPUAimLinux','C:\Program Files','C:\Program Files'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y

C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe

"C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe

"C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y

C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe

"C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 169 -file file3 -mode mode3

C:\Program Files\CPUAimLinux\WhatsApp1.exe

"C:\Program Files\CPUAimLinux\WhatsApp1.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1020 -s 632

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network

Country Destination Domain Proto
US 8.8.8.8:53 im.qq.com udp

Files

memory/1520-12-0x00000000001F0000-0x0000000000200000-memory.dmp

memory/2608-17-0x000000001B610000-0x000000001B8F2000-memory.dmp

memory/2608-18-0x0000000001E00000-0x0000000001E08000-memory.dmp

C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe

MD5 c31c4b04558396c6fabab64dcf366534
SHA1 fa836d92edc577d6a17ded47641ba1938589b09a
SHA256 9d182f421381429fd77598feb609fefb54dcaef722ddbf5aa611b68a706c10d3
SHA512 814dcbc1d43bc037dadc2f3f67856dd790b15fc1b0c50fa74a169c8cc02cdc79d44f1f10e200ef662eee20cd6b5ca646ec4e77673e3fe3cb7dfb7649243f6e99

C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL

MD5 048cee96f68a4c516b3aa1a8a4781e46
SHA1 5582bb564630c5ead8704d06bcdb427dd9840de5
SHA256 835e566ab875a5dd955882f57ea01cb2dcc5a82755821a6e951d6eb5a4005293
SHA512 2bf13570a5c83b4912ed04759c082a24ba8e53ce0dfae74d80032c075f7a1bc55e47c29014bd71332ff87b5c1f2065259b4b24c285bcddc109263204a0f57c32

C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX

MD5 1b772652a5b64c119b00ec06c00311db
SHA1 afeb3bfba34eccadce4d2141d6d59707c83e9583
SHA256 c98f9a50e0240455ce52e01d4b4e94453438a5a5614c2d424bb485ce1db8fbd4
SHA512 5cb2761839634a45c4047cbbe31fc30bf140829630d57104fc27fc770a68b2c7d8209181aba17ace9fe85a3f7b705467c14b2ddbc206aca3c3fd542e666f7882

C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe

MD5 db6688b70f3255877e15541970145e68
SHA1 5f69edadeb9e7dae7f4b034031cb325ce1c7f2bd
SHA256 208f1f3a5928a4b6ea18e91bbbd33ad8d04273f067983e8e09490b1b8a12f7cb
SHA512 72f588728035f844662381e928ed117134ce2bae1be1848204fc1bd753f37fbdfd4a683ff1454ef944643a51c2fe9944a651b2847428f8d15a1c6c026e0ecfce

C:\Program Files\CPUAimLinux\WhatsApp1.exe

MD5 f90ddf18d65bb3153bcdfdc4856ce2a5
SHA1 611376391f17207d60ca8c2ec81354933f8dac45
SHA256 62eef5a5e363624007bc29a6ecd3275aec2e5a67eef058df404d145c90e3a0ce
SHA512 f3f20f216ab6fd055f8d494f2758512413cb1cf121a2b51cae4e7b371a595b4dfe8ed4213aa759ccc4569ad6ed792f936304bfb4aac2952a79a3b2bccd293316

C:\Config.Msi\f770b49.rbs

MD5 4aca8d053a5f2d4f1304bed01cd88609
SHA1 9018177ee075a5a260a7e6f9b1dd91180b3e7bdf
SHA256 8282941d0e99fbb637d91b750d0577f34274f878d803c498ec7b3d5544911520
SHA512 d96455542a7efc68d8b2f46305d561a16a764c4d66e8ecbf187dfbfe24fed97fc30c7c3afef2bc40af42f9519a0f6f830959f0397e481c640a69b722d26fb390

memory/1020-54-0x0000000001110000-0x0000000001212000-memory.dmp

memory/848-55-0x000000000A7C0000-0x000000000A7EF000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-19 08:51

Reported

2024-11-19 08:53

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi

Signatures

Detect PurpleFox Rootkit

rootkit
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0st RAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Gh0strat

rat gh0strat

Gh0strat family

gh0strat

PurpleFox

rootkit trojan purplefox

Purplefox family

purplefox

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\P: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\T: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\V: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\W: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\R: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\Q: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\J: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\Y: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\Z: C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DRrFaPIBzOdg.exe.log C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe C:\Windows\System32\MsiExec.exe N/A
File created C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe N/A
File created C:\Program Files\CPUAimLinux\WhatsApp1.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File created C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe C:\Windows\System32\MsiExec.exe N/A
File created C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\hHILqDIvDmMm C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File created C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe N/A
File created C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File created C:\Program Files\CPUAimLinux\hHILqDIvDmMm C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
File opened for modification C:\Program Files\CPUAimLinux C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
File created C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files\CPUAimLinux\VC_redist.x64.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIF145.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57efb1.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57efaf.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57efaf.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{821A1E18-1506-4584-BA6F-A45611D78F4A} C:\Windows\system32\msiexec.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A

System Network Configuration Discovery: Internet Connection Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\PING.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\taskkill.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption" C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\CUAS C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update" C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key created \REGISTRY\USER\S-1-5-18_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script Host\Settings C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\CTF\CUAS\DefaultCompositionWindow C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\System32\ci.dll,-100 = "Isolated User Mode (IUM)" C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow\Top = "0" C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{4234D49B-0245-4DF3-B780-3893943456E1} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000022e7064d603adb01 C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings C:\Windows\System32\MsiExec.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption" C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\SlowContextMenuEntries = 6024b221ea3a6910a2dc08002b30309d9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E44E9428-BDBC-4987-A099-40DC8FD255E7} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFF = 0100000000000000e455c74c603adb01 C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\System32\MsiExec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\System32\WScript.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF\CUAS\DefaultCompositionWindow\Left = "0" C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@C:\Windows\System32\ieframe.dll,-55175 = "Internet Explorer" C:\Windows\system32\OpenWith.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\System32\WScript.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust" C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\CTF C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key created \REGISTRY\USER\S-1-5-18_Classes\Local Settings C:\Program Files\CPUAimLinux\WhatsApp1.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software C:\Windows\System32\WScript.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Version = "84344839" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\ProductName = "CPUAimLinux" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\PackageCode = "C9E0E5BB8EB593F42ABE1AE58FB7B24A" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\81E1A12860514854ABF64A65117DF8A4 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB99463B25670384096A57D9C0EE62BE C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Language = "1033" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\DB99463B25670384096A57D9C0EE62BE\81E1A12860514854ABF64A65117DF8A4 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\PackageName = "4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\81E1A12860514854ABF64A65117DF8A4\ProductFeature C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\81E1A12860514854ABF64A65117DF8A4\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\PING.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeRestorePrivilege N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: 35 N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2068 wrote to memory of 4092 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2068 wrote to memory of 4048 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 4048 wrote to memory of 4076 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4048 wrote to memory of 3132 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\cmd.exe
PID 3132 wrote to memory of 320 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 3132 wrote to memory of 4304 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\PING.EXE
PID 3132 wrote to memory of 1384 N/A C:\Windows\System32\cmd.exe C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe
PID 4048 wrote to memory of 3396 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 4048 wrote to memory of 1872 N/A C:\Windows\System32\MsiExec.exe C:\Program Files\CPUAimLinux\WhatsApp1.exe
PID 4048 wrote to memory of 4772 N/A C:\Windows\System32\MsiExec.exe C:\Windows\System32\taskkill.exe
PID 3432 wrote to memory of 4048 N/A C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe
PID 4048 wrote to memory of 1124 N/A C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\4037df6c0b60bb7d411ba6f760843830bcb80483713e6eb91db5b9c8b9f0711d.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 693C5784581A9F0678120DF6E6FC37D8 E Global\MSI0000

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\CPUAimLinux','C:\Program Files','C:\Program Files'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y & ping 127.0.0.1 -n 2 & start /min "" "C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y

C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe

"C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL" -o"C:\Program Files\CPUAimLinux\" -p"08136{%Qmb0Mr~q{WXZU" -y

C:\Windows\system32\PING.EXE

ping 127.0.0.1 -n 2

C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe

"C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe" x "C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX" -x!"1_hHILqDIvDmMm.exe" -x!"sss" -x!"1_bEUAxCisQyQxhNlIqgtfrSfaocnxud.exe" -x!"1_" -x!"1_" -x!"sa" -o"C:\Program Files\CPUAimLinux\" -p"86225)AYVohjF3DD0{k[" -y

C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe

"C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 169 -file file3 -mode mode3

C:\Program Files\CPUAimLinux\WhatsApp1.exe

"C:\Program Files\CPUAimLinux\WhatsApp1.exe"

C:\Windows\System32\taskkill.exe

"C:\Windows\System32\taskkill.exe" /F /IM msiexec.exe

C:\Windows\System32\WScript.exe

C:\Windows\System32\WScript.exe "C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs"

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe

"C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe" install

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe

"C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe" start

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe

"C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe"

C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe

"C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 205 -file file3 -mode mode3

C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe

"C:\Program Files\CPUAimLinux\hHILqDIvDmMm.exe" -number 62 -file file3 -mode mode3

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

Network


Files

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ufldgwtd.umm.ps1

C:\Program Files\CPUAimLinux\fXlHSNCgjpwhjcbESorcUuElETFupI.exe

C:\Program Files\CPUAimLinux\sCoWxepalfWCObCLKnAyaHfPkmbWUL

C:\Program Files\CPUAimLinux\cuwtzNKpgpoaOTjpwbTJlaaZdnfuAX

C:\Program Files\CPUAimLinux\2_hHILqDIvDmMm.exe

C:\Program Files\CPUAimLinux\WhatsApp1.exe

C:\Config.Msi\e57efb0.rbs

C:\Windows\Installer\e57efaf.msi

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.exe

C:\Program Files\CPUAimLinux\hHILqDIvDmMm.vbs

\??\Volume{ff55ba41-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1c4a6287-a8a3-438f-bd7e-7948d575a568}_OnDiskSnapshotProp

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

C:\Users\Admin\AppData\Local\Temp\Tmp1EDD.tmp

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.xml

C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DRrFaPIBzOdg.exe.log

C:\Program Files\CPUAimLinux\DRrFaPIBzOdg.wrapper.log

C:\Program Files\CPUAimLinux\hHILqDIvDmMm