Analysis Overview
SHA256
f6dd1ae9db598806ca1a26b514b14c44b98ddfaf998602967c75c40992b11d54
Threat Level: Known bad
The file Bisq-64bit-1.9.9.exe was found to be: Known bad.
Malicious Activity Summary
BazarBackdoor
Bazar/Team9 Backdoor payload
Bazarbackdoor family
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Enumerates connected drives
Drops file in System32 directory
Drops file in Windows directory
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-10 08:08
Signatures
Bazar/Team9 Backdoor payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Bazarbackdoor family
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-10 08:07
Reported
2023-01-10 08:11
Platform
win7-20220812-es
Max time kernel
152s
Max time network
47s
Command Line
Signatures
BazarBackdoor
Bazar/Team9 Backdoor payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\system32\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_amd64_neutral_7499a4fac85b39fc\volsnap.PNF | C:\Windows\system32\DrvInst.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Installer\6e7724.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\6e7724.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI7975.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\volsnap.PNF | C:\Windows\system32\DrvInst.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\system32\dnsapi.dll,-103 = "Confianza en el servidor DNS (Sistema de nombres de dominio)" | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Confianza de mismo nivel" | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\system32\qagentrt.dll,-10 = "Autenticación de mantenimiento del sistema" | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\System32\fveui.dll,-844 = "Agente de recuperación de datos BitLocker" | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\LanguageList = 650073002d0045005300000065007300000065006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\System32\fveui.dll,-843 = "Cifrado de unidad BitLocker" | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Bisq-64bit-1.9.9.exe
"C:\Users\Admin\AppData\Local\Temp\Bisq-64bit-1.9.9.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\7090713.tmp\main.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2749D954DDADA4DE712489BDDF2985DC C
C:\Windows\system32\MsiExec.exe
C:\Windows\system32\MsiExec.exe -Embedding 8CF5811863CC0851A991FCB620FC9D34 C
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002DC" "00000000000002BC"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A2BB473399AA00A8A753072EB21B8186
Network
Files
memory/1732-54-0x0000000000000000-mapping.dmp
memory/1732-55-0x000007FEFB721000-0x000007FEFB723000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7090713.tmp\main.msi
| Hash | Value |
| --- | --- |
| MD5 | 529ae77f9ef8d19468f5e12e5278e09b |
| SHA1 | ba1fd0b46f3d08cd87f2497f7ec0bf231dc02899 |
| SHA256 | 8b08354621864b3500ac49fd04fbf73a73a5db7c9232afaf6dfc81fb8e15ed83 |
| SHA512 | 9f71eb35a78a54e9d7e698cdaa38f96ac9fa4aaf7c1559b3a16443400c9c68b3fcaaeb22d99d8d0ddf80c26220ff7a53f930fbc9f17701a32165e4e56f26cb51 |
memory/1576-58-0x0000000000000000-mapping.dmp
memory/1576-59-0x0000000075781000-0x0000000075783000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSIF9B.tmp
| Hash | Value |
| --- | --- |
| MD5 | 4fdd16752561cf585fed1506914d73e0 |
| SHA1 | f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424 |
| SHA256 | aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7 |
| SHA512 | 3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600 |
memory/1688-62-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\MSI10B5.tmp
| Hash | Value |
| --- | --- |
| MD5 | 85442a4ac6bed1b030dd7a5c26379aec |
| SHA1 | 86f7b2a25acc9b974cf2af280022452cc7353925 |
| SHA256 | 8ba4052de621b16c4d1e3c13e317572658eaa4c55782ed8ad9c2bf2ebd9dbaac |
| SHA512 | eea5472e269df6a83262a8f17133d0f9475858c1d0ff99305e324408e5c711bed39c2f6c3e00dc20e101c9dd1e103dce879db7b1460080d3027127185f43cef2 |
memory/1312-66-0x0000000000000000-mapping.dmp
C:\Windows\Installer\MSI7975.tmp
| Hash | Value |
| --- | --- |
| MD5 | a3ae5d86ecf38db9427359ea37a5f646 |
| SHA1 | eb4cb5ff520717038adadcc5e1ef8f7c24b27a90 |
| SHA256 | c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74 |
| SHA512 | 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-10 08:07
Reported
2023-01-10 08:11
Platform
win10v2004-20220812-es
Max time kernel
88s
Max time network
154s
Command Line
Signatures
BazarBackdoor
Bazar/Team9 Backdoor payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Bisq\Bisq.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Bisq\Bisq.exe | N/A |
Loads dropped DLL
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\F: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SYSTEM32\symbols\dll\ntdll.pdb | C:\Users\Admin\AppData\Local\Bisq\Bisq.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM32\jvm.pdb | C:\Users\Admin\AppData\Local\Bisq\Bisq.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM32\dll\jvm.pdb | C:\Users\Admin\AppData\Local\Bisq\Bisq.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM32\symbols\dll\jvm.pdb | C:\Users\Admin\AppData\Local\Bisq\Bisq.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM32\ntdll.pdb | C:\Users\Admin\AppData\Local\Bisq\Bisq.exe | N/A |
| File opened for modification | C:\Windows\SYSTEM32\dll\ntdll.pdb | C:\Users\Admin\AppData\Local\Bisq\Bisq.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\Installer\e5773c8.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e5773c8.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e5773ca.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI757E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{90B559E8-C18E-3159-B4C8-65ADD8953B5D} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_792d1c772443f647\ntdll.pdb | C:\Users\Admin\AppData\Local\Bisq\Bisq.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_792d1c772443f647\dll\ntdll.pdb | C:\Users\Admin\AppData\Local\Bisq\Bisq.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI81C4.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_792d1c772443f647\symbols\dll\ntdll.pdb | C:\Users\Admin\AppData\Local\Bisq\Bisq.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_792d1c772443f647\jvm.pdb | C:\Users\Admin\AppData\Local\Bisq\Bisq.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_792d1c772443f647\dll\jvm.pdb | C:\Users\Admin\AppData\Local\Bisq\Bisq.exe | N/A |
| File opened for modification | C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_792d1c772443f647\symbols\dll\jvm.pdb | C:\Users\Admin\AppData\Local\Bisq\Bisq.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary value not shown] | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Users\Admin\AppData\Local\Bisq\Bisq.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Bisq\Bisq.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Bisq\Bisq.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Bisq-64bit-1.9.9.exe
"C:\Users\Admin\AppData\Local\Temp\Bisq-64bit-1.9.9.exe"
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\240561578.tmp\main.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2DD819E49045CA1BF2800D62378158DB C
C:\Windows\System32\MsiExec.exe
C:\Windows\System32\MsiExec.exe -Embedding 7D5BF054265A78AD1302C276691D8348 C
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D89A74C53F988484B073A9546AC169FE
C:\Users\Admin\AppData\Local\Bisq\Bisq.exe
"C:\Users\Admin\AppData\Local\Bisq\Bisq.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 20.42.65.90:443 | N/A | tcp |
| N/A | 67.27.153.126:80 | N/A | tcp |
| N/A | 204.79.197.200:443 | N/A | tcp |
Files
memory/4796-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\240561578.tmp\main.msi
| MD5 | 529ae77f9ef8d19468f5e12e5278e09b |
| SHA1 | ba1fd0b46f3d08cd87f2497f7ec0bf231dc02899 |
| SHA256 | 8b08354621864b3500ac49fd04fbf73a73a5db7c9232afaf6dfc81fb8e15ed83 |
| SHA512 | 9f71eb35a78a54e9d7e698cdaa38f96ac9fa4aaf7c1559b3a16443400c9c68b3fcaaeb22d99d8d0ddf80c26220ff7a53f930fbc9f17701a32165e4e56f26cb51 |
memory/116-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\MSID110.tmp
| MD5 | 4fdd16752561cf585fed1506914d73e0 |
| SHA1 | f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424 |
| SHA256 | aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7 |
| SHA512 | 3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600 |
C:\Users\Admin\AppData\Local\Temp\MSID110.tmp
| MD5 | 4fdd16752561cf585fed1506914d73e0 |
| SHA1 | f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424 |
| SHA256 | aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7 |
| SHA512 | 3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600 |
memory/4652-137-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\MSID8E1.tmp
| MD5 | 85442a4ac6bed1b030dd7a5c26379aec |
| SHA1 | 86f7b2a25acc9b974cf2af280022452cc7353925 |
| SHA256 | 8ba4052de621b16c4d1e3c13e317572658eaa4c55782ed8ad9c2bf2ebd9dbaac |
| SHA512 | eea5472e269df6a83262a8f17133d0f9475858c1d0ff99305e324408e5c711bed39c2f6c3e00dc20e101c9dd1e103dce879db7b1460080d3027127185f43cef2 |
C:\Users\Admin\AppData\Local\Temp\MSID8E1.tmp
| MD5 | 85442a4ac6bed1b030dd7a5c26379aec |
| SHA1 | 86f7b2a25acc9b974cf2af280022452cc7353925 |
| SHA256 | 8ba4052de621b16c4d1e3c13e317572658eaa4c55782ed8ad9c2bf2ebd9dbaac |
| SHA512 | eea5472e269df6a83262a8f17133d0f9475858c1d0ff99305e324408e5c711bed39c2f6c3e00dc20e101c9dd1e103dce879db7b1460080d3027127185f43cef2 |
memory/1248-140-0x0000000000000000-mapping.dmp
memory/1100-141-0x0000000000000000-mapping.dmp
C:\Windows\Installer\MSI757E.tmp
| MD5 | a3ae5d86ecf38db9427359ea37a5f646 |
| SHA1 | eb4cb5ff520717038adadcc5e1ef8f7c24b27a90 |
| SHA256 | c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74 |
| SHA512 | 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0 |
C:\Windows\Installer\MSI757E.tmp
| MD5 | a3ae5d86ecf38db9427359ea37a5f646 |
| SHA1 | eb4cb5ff520717038adadcc5e1ef8f7c24b27a90 |
| SHA256 | c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74 |
| SHA512 | 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0 |
\??\Volume{2fb4ccdc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{89e641fa-e816-4781-a6f4-8794ad93f62c}_OnDiskSnapshotProp
| MD5 | 4a7c3f89c6d8ad87586c05edc3e50da2 |
| SHA1 | cacf288c2dc7554353dcb413671630e20bdc77c2 |
| SHA256 | 07681d0267060e96adacd33f60935596561c9097286ae3891aafe89f9c7e2071 |
| SHA512 | 75b039acb306d1be3aae46b3ae0a490c59efbe4cb5e22bc27152d1c69235c758cd307519516d320b9d6adaf19e3ef13953349b28d537419f085680e3f6d9026d |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 226bbd867b06ec26c00befa8924f6271 |
| SHA1 | 265263d81c076f11f054a5f7fe0d919858c12f2a |
| SHA256 | d9b90eb59754087898ea9647be495e0cd5ead2543f3da137de0ae8a126de6f26 |
| SHA512 | 495683961643ac06ef1a39cc03762e89c5ce0787138b6d871ebf9b7f76c24e403bc97d44184ac62cc2d675d792a5fe2ed9a436db506dceef8d653a120151d233 |
C:\Users\Admin\AppData\Local\Temp\MSIB855.tmp
| MD5 | a3ae5d86ecf38db9427359ea37a5f646 |
| SHA1 | eb4cb5ff520717038adadcc5e1ef8f7c24b27a90 |
| SHA256 | c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74 |
| SHA512 | 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0 |
C:\Users\Admin\AppData\Local\Temp\MSIB855.tmp
| MD5 | a3ae5d86ecf38db9427359ea37a5f646 |
| SHA1 | eb4cb5ff520717038adadcc5e1ef8f7c24b27a90 |
| SHA256 | c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74 |
| SHA512 | 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0 |
C:\Users\Admin\AppData\Local\Bisq\Bisq.exe
| MD5 | 3bb2e6aaf86e175558045e007dbf418c |
| SHA1 | fb816b504dd543a55da6bdd478d1b2602da46b62 |
| SHA256 | c92f36567d4a28ad90f6eda284df827fdd1bee69f4f8bbda468469b21f9b5aca |
| SHA512 | 1c8e695968389fd8bbd30343237b9c5dcc20d65a2ba3ead6c068f9095e72c4f6fafb5ae5e0eddf6c7a6fb8d4dc4eca4365bb8529eb953f502c54a814c8de1ffd |
memory/4144-149-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Bisq\Bisq.exe
| MD5 | 3bb2e6aaf86e175558045e007dbf418c |
| SHA1 | fb816b504dd543a55da6bdd478d1b2602da46b62 |
| SHA256 | c92f36567d4a28ad90f6eda284df827fdd1bee69f4f8bbda468469b21f9b5aca |
| SHA512 | 1c8e695968389fd8bbd30343237b9c5dcc20d65a2ba3ead6c068f9095e72c4f6fafb5ae5e0eddf6c7a6fb8d4dc4eca4365bb8529eb953f502c54a814c8de1ffd |
C:\Users\Admin\AppData\Local\Bisq\runtime\bin\jli.dll
| MD5 | 731e3aede451c38ca2e60d91fccc1012 |
| SHA1 | b37b5763879386da4a8ad2061e08dbda30296976 |
| SHA256 | 2fc3470350ef342688e417a6baf69a02c8d653ecd07f051808ffba7e5cd2d130 |
| SHA512 | 9164f3e0dcf6700fd6994d41649ad6b6535951261e0099747963b3f3f357757b149a2a2c3759ce1b0b400a84d0d6321ad9010ad6671bc312ed71ea2fa2d13ee6 |
C:\Users\Admin\AppData\Local\Bisq\runtime\bin\jli.dll
| MD5 | 731e3aede451c38ca2e60d91fccc1012 |
| SHA1 | b37b5763879386da4a8ad2061e08dbda30296976 |
| SHA256 | 2fc3470350ef342688e417a6baf69a02c8d653ecd07f051808ffba7e5cd2d130 |
| SHA512 | 9164f3e0dcf6700fd6994d41649ad6b6535951261e0099747963b3f3f357757b149a2a2c3759ce1b0b400a84d0d6321ad9010ad6671bc312ed71ea2fa2d13ee6 |
C:\Users\Admin\AppData\Local\Bisq\app\Bisq.cfg
| MD5 | 924cddfe7e5f727c5c3389aeaa7b1469 |
| SHA1 | 53a58a6e35d05824712f61103c987c905a9b8ac2 |
| SHA256 | 069e8c4544cd92a7cfaf9540b7a48596dc6a48ecea3b37843c03c03432b3eb40 |
| SHA512 | 088770d4dc1aa691c1392df8f318af74c005f80bf44e88a9bd9c8696da3fab294c15715fab1d31781d94d2d27e03b83b3407f1a7f905b878cdfecac19fb7efce |
C:\Users\Admin\AppData\Local\Bisq\runtime\bin\msvcp140.dll
| MD5 | c1b066f9e3e2f3a6785161a8c7e0346a |
| SHA1 | 8b3b943e79c40bc81fdac1e038a276d034bbe812 |
| SHA256 | 99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd |
| SHA512 | 36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728 |
C:\Users\Admin\AppData\Local\Bisq\runtime\bin\server\jvm.dll
| MD5 | 73acea153ddb0371c2173603a6a2c5ea |
| SHA1 | 9cce36f2541b3e5b53d607a660a678113f02e1e9 |
| SHA256 | f843d050cfda8aa8c59eaa6278c7190c5932303a0176b1d388a89d7f38d4fdb7 |
| SHA512 | f2c6fcee5b36f70f9597bf47f26766313bc63cbc85bfb182ecf24d637b2f7966f24633132ed751563ed251395bce0a1199ac901c4d5df9816d29ce5e63627382 |
C:\Users\Admin\AppData\Local\Bisq\runtime\bin\server\jvm.dll
| MD5 | 73acea153ddb0371c2173603a6a2c5ea |
| SHA1 | 9cce36f2541b3e5b53d607a660a678113f02e1e9 |
| SHA256 | f843d050cfda8aa8c59eaa6278c7190c5932303a0176b1d388a89d7f38d4fdb7 |
| SHA512 | f2c6fcee5b36f70f9597bf47f26766313bc63cbc85bfb182ecf24d637b2f7966f24633132ed751563ed251395bce0a1199ac901c4d5df9816d29ce5e63627382 |
C:\Users\Admin\AppData\Local\Bisq\runtime\bin\jimage.dll
| MD5 | a40991fb2c45b0f8ec35e5b64f1d581c |
| SHA1 | ddaa403678bf1fd7d5ca08c276060c328eb58157 |
| SHA256 | 0b96e2449bf5f119afe0bcdcb61779ccf418fad645e089ba5be81f3f1c4168f0 |
| SHA512 | 6017db2d0f46ad32420df88eeac24c8e2cdb4231bb0f3ac5c175222cbf18ad375f0591f4d672124614f381c68432726707c9ba2b0cd2ff4e56927288da3ca624 |
C:\Users\Admin\AppData\Local\Bisq\runtime\lib\modules
| MD5 | 29ac885f6689038b4a42c5a39126ba48 |
| SHA1 | ea04addaa724771a3915f114abac306a5cb4f44f |
| SHA256 | cb6a40195219ab82293059ad23784547234fd0466a91cd074367e479b9a9737e |
| SHA512 | f71fd2287e23578f40fada050ec62bfc43d9e64b634a386769c28fdf7152fdf3c19d5ce276d92226f2abc3ea39ff0cd3960647548ccfebf937f26a3cec5fbe88 |
C:\Users\Admin\AppData\Local\Bisq\runtime\bin\java.dll
| MD5 | 9fbcce21e240d7862361515cf5123229 |
| SHA1 | d36d8f53831b25c1fc2c3a3e9cfe854ef631a8ba |
| SHA256 | 0d21bb86f7fe23b64661a8a7c41cb5ba0386d1fcfd013965ceeec15793b58d7b |
| SHA512 | 06f01a8e7c5daff7617a07a283836a64efb8bb2b81e0fe852500efa46e5ba8da2cbe1310e2a2cd483744bc92f90bf63c52a09c6986b686e4cce5fd2f69aa5988 |
C:\Users\Admin\AppData\Local\Bisq\runtime\bin\jimage.dll
| MD5 | a40991fb2c45b0f8ec35e5b64f1d581c |
| SHA1 | ddaa403678bf1fd7d5ca08c276060c328eb58157 |
| SHA256 | 0b96e2449bf5f119afe0bcdcb61779ccf418fad645e089ba5be81f3f1c4168f0 |
| SHA512 | 6017db2d0f46ad32420df88eeac24c8e2cdb4231bb0f3ac5c175222cbf18ad375f0591f4d672124614f381c68432726707c9ba2b0cd2ff4e56927288da3ca624 |
C:\Users\Admin\AppData\Local\Bisq\runtime\bin\vcruntime140.dll
| MD5 | 1453290db80241683288f33e6dd5e80e |
| SHA1 | 29fb9af50458df43ef40bfc8f0f516d0c0a106fd |
| SHA256 | 2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c |
| SHA512 | 4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91 |
C:\Users\Admin\AppData\Local\Bisq\runtime\bin\vcruntime140.dll
| MD5 | 1453290db80241683288f33e6dd5e80e |
| SHA1 | 29fb9af50458df43ef40bfc8f0f516d0c0a106fd |
| SHA256 | 2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c |
| SHA512 | 4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91 |
C:\Users\Admin\AppData\Local\Bisq\runtime\lib\jvm.cfg
| MD5 | 7ce21bdcfa333c231d74a77394206302 |
| SHA1 | c5a940d2dee8e7bfc01a87d585ddca420d37e226 |
| SHA256 | aa9efb969444c1484e29adecab55a122458090616e766b2f1230ef05bc3867e0 |
| SHA512 | 8b37a1a5600e0a4e5832021c4db50569e33f1ddc8ac4fc2f38d5439272b955b0e3028ea10dec0743b197aa0def32d9e185066d2bac451f81b99539d34006074b |
C:\Users\Admin\AppData\Local\Bisq\runtime\bin\java.dll
| MD5 | 9fbcce21e240d7862361515cf5123229 |
| SHA1 | d36d8f53831b25c1fc2c3a3e9cfe854ef631a8ba |
| SHA256 | 0d21bb86f7fe23b64661a8a7c41cb5ba0386d1fcfd013965ceeec15793b58d7b |
| SHA512 | 06f01a8e7c5daff7617a07a283836a64efb8bb2b81e0fe852500efa46e5ba8da2cbe1310e2a2cd483744bc92f90bf63c52a09c6986b686e4cce5fd2f69aa5988 |
C:\Users\Admin\AppData\Local\Bisq\runtime\bin\msvcp140.dll
| MD5 | c1b066f9e3e2f3a6785161a8c7e0346a |
| SHA1 | 8b3b943e79c40bc81fdac1e038a276d034bbe812 |
| SHA256 | 99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd |
| SHA512 | 36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728 |
C:\Users\Admin\AppData\Local\Bisq\runtime\bin\net.dll
| MD5 | ccc733d04bb01b24ad28867abbcf2927 |
| SHA1 | 366dab726cfb4262c73a1ae2a80e923282c88596 |
| SHA256 | a72b46d69f7b848ac245e8f3bf2d2571953ba943f8f17ff883f633396c952c25 |
| SHA512 | c2e4d92e283a7055f961e707f77c4a79fb690a6f9c1e5cf96f0e6c804e598414b43d93dcbd838625f701c57cbb767a4c06209eb7fc6375a05eff46126de5ef03 |
C:\Users\Admin\AppData\Local\Bisq\runtime\bin\net.dll
| MD5 | ccc733d04bb01b24ad28867abbcf2927 |
| SHA1 | 366dab726cfb4262c73a1ae2a80e923282c88596 |
| SHA256 | a72b46d69f7b848ac245e8f3bf2d2571953ba943f8f17ff883f633396c952c25 |
| SHA512 | c2e4d92e283a7055f961e707f77c4a79fb690a6f9c1e5cf96f0e6c804e598414b43d93dcbd838625f701c57cbb767a4c06209eb7fc6375a05eff46126de5ef03 |
C:\Users\Admin\AppData\Local\Bisq\runtime\bin\nio.dll
| MD5 | a96529435bceb9db3d5eb35b01425985 |
| SHA1 | a344454259e9b77fae1ff025b76dc35ed6d16bca |
| SHA256 | 7ba60a222235233f8e6e46fa58b25968c2afe15035db5da8e5db3d6b6671cfaf |
| SHA512 | cd061cd321f2f6c459de53cd6c9847a7706ef9c924133405ab5c1caf25b1b8119be4bc00df2d25dea83ac89110f0bb045039b72abfc286ee787eaf7dd0ac2d95 |
C:\Users\Admin\AppData\Local\Bisq\runtime\bin\nio.dll
| MD5 | a96529435bceb9db3d5eb35b01425985 |
| SHA1 | a344454259e9b77fae1ff025b76dc35ed6d16bca |
| SHA256 | 7ba60a222235233f8e6e46fa58b25968c2afe15035db5da8e5db3d6b6671cfaf |
| SHA512 | cd061cd321f2f6c459de53cd6c9847a7706ef9c924133405ab5c1caf25b1b8119be4bc00df2d25dea83ac89110f0bb045039b72abfc286ee787eaf7dd0ac2d95 |
C:\Users\Admin\AppData\Local\Bisq\app\desktop-1.9.9-all.jar
| MD5 | dbd077e6a77eb12028d74a2262d2d029 |
| SHA1 | 88a74d929ab1b4b9c7d891f82d1ed7dc9a8050f8 |
| SHA256 | b4d7b199d66a40a288a15276b3c6986e56e40dcdeee063dd4d23469287ae9c09 |
| SHA512 | b9ecb399549696b17eab1c919be0780ed90d7d817f7cca137d651342c926100fc0a3a9d1044e83498d50dac14d9228f25133eb51b38e46d566883accf8375e02 |
memory/4144-177-0x00000189601D0000-0x00000189611D0000-memory.dmp
C:\Users\Admin\AppData\Local\Bisq\runtime\bin\zip.dll
| MD5 | ddbf8e42fdcbf7ebfa0133117c61229c |
| SHA1 | ac518dc7148bea6b2ddef9b19d1a50513697fa04 |
| SHA256 | 4cbbc2812f72d4a573545e8abc4679f568f58a4f97bef9db1d82ab0753ab9685 |
| SHA512 | 9f9a66e715977184457b09318e9bf41a5757b32bf38971c7a80fc3e02231459172012b3710cbbf4c6ff5ca4c81948973f9a6e34306b9575d70dd81ed1431a921 |
C:\Users\Admin\AppData\Local\Bisq\runtime\bin\zip.dll
| MD5 | ddbf8e42fdcbf7ebfa0133117c61229c |
| SHA1 | ac518dc7148bea6b2ddef9b19d1a50513697fa04 |
| SHA256 | 4cbbc2812f72d4a573545e8abc4679f568f58a4f97bef9db1d82ab0753ab9685 |
| SHA512 | 9f9a66e715977184457b09318e9bf41a5757b32bf38971c7a80fc3e02231459172012b3710cbbf4c6ff5ca4c81948973f9a6e34306b9575d70dd81ed1431a921 |
C:\Users\Admin\AppData\Local\Bisq\runtime\bin\verify.dll
| MD5 | ad4b10a45a5d58b4730fafad7bd78d76 |
| SHA1 | df02332eee9030675a13a00f31882196fa9c4817 |
| SHA256 | 6842bef7e00b7cb869b8b4aa964063b12604a1c395038699afebc4b4db4d97f8 |
| SHA512 | 45778fa75ae301b3747172605b8824690574b64a6871fc86b95c6bd4383b1b93da7f341cde5feb36961b2146c45b7a03ca5b5d7ce2661d3a272a1ae94bb6ecd5 |
C:\Users\Admin\AppData\Local\Bisq\runtime\bin\verify.dll
| MD5 | ad4b10a45a5d58b4730fafad7bd78d76 |
| SHA1 | df02332eee9030675a13a00f31882196fa9c4817 |
| SHA256 | 6842bef7e00b7cb869b8b4aa964063b12604a1c395038699afebc4b4db4d97f8 |
| SHA512 | 45778fa75ae301b3747172605b8824690574b64a6871fc86b95c6bd4383b1b93da7f341cde5feb36961b2146c45b7a03ca5b5d7ce2661d3a272a1ae94bb6ecd5 |
C:\Users\Admin\AppData\Local\Bisq\runtime\conf\security\java.policy
| MD5 | fbf2b55342947695aa2a15e3485ed29f |
| SHA1 | a04c23f61d2958fc1e9882509927b43cab0e799c |
| SHA256 | f2a00a1dec3b7a097f0815f338a84717ba1017d5d7aae96d842d2188d67c3250 |
| SHA512 | 35ffe47eb7d404785e5bef3f1f26629f5dc04c54f9dcb082a250da367414095b024e6486ad0332cebe0348a2f972e9d58979c8c86ab9753f72ff0727bda07c1c |
C:\Users\Admin\AppData\Local\Bisq\runtime\lib\security\default.policy
| MD5 | adfdc71d9a4c66ce448fff460534f671 |
| SHA1 | 265a3e1f4586bd88b3d7532963813806fa2e0e3b |
| SHA256 | b03da546022a97c65bc17e3bcca01177f827cfe37ab0227f342f07ea1e985fc5 |
| SHA512 | 9cf77b7a18eae6306e18545357d66cce8db51655f824bc97d4a531c5c57cc7ece8539af71691edd01a1b09e0fcb62b8bd0fc9cf02767e9717aed3a92a8e2b65c |
C:\Users\Admin\AppData\Local\Bisq\runtime\conf\security\java.security
| MD5 | ee23402a3509f2e6d0a5c622f969194d |
| SHA1 | 07029f00ac2d1dc1f2821ca86dec299c8e611e7d |
| SHA256 | 91dc4752f1b35a54e07942a546e506ebe0f285bdf2a2ff1f9821ca519ce3c2a4 |
| SHA512 | f06e0b23fddf58374c6474ed89b6aa7e494972bfb46f152df04fe200cb087d4ef6cd9a1ddaa40cdc8d78aee8d1d595881d3752566f6212068fe07ba5c3b4326a |
C:\Users\Admin\AppData\Local\Bisq\runtime\lib\tzmappings
| MD5 | af7e42914d8b91ea049ac6b0b1bc603b |
| SHA1 | fed9fa9062065156f1bc1fc041f355bbc619facf |
| SHA256 | c16ae3fa1993e297df14352209c56751d4e67d99b6769558160f292298b21e62 |
| SHA512 | ef79857e56863a78545521ca571e9e20ef90e3051b9c017a6eefae66b66ee92e43d13571b01f0185cf77b975890256d26ddb57ad5dfe20a683a72f8e79b66bf0 |
C:\Users\Admin\AppData\Local\Bisq\runtime\lib\tzdb.dat
| MD5 | 43181995f72430167ffc15b58cc56623 |
| SHA1 | afc3378a7667eb99e5528e7550a776fcc9f66d9d |
| SHA256 | 2743c0344131e00b73b2b47c1884f09f23b28b3ecd9135a460d0dd874f57bcd3 |
| SHA512 | 85ee6dbf56fc04b91315ae1568fa5e3734a29c6641ab04e58eefea3d47f1d54c90f70cb4be2c291edee9b3c2b5826d98bd858dc86d9972d70a2934322e2eade4 |
memory/4144-187-0x00000189601D0000-0x00000189611D0000-memory.dmp
memory/4144-188-0x00000189601D0000-0x00000189611D0000-memory.dmp
C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-console-l1-1-0.dll
| MD5 | 2c146bc8d73b8944f35506241b9953a9 |
| SHA1 | ac64abd745418cea35c0506b9cb0331b171b51ea |
| SHA256 | 89384f8f64a9b7f67c8deccaa721e2d76b8a17026d8083630859ed0cd1a9b58b |
| SHA512 | 02713948a156baccb2e7c38646193e82fef65400c086644866b698bc3e0a8c155a8eab829463e3868ce2b8a06608c5ea6de1e390bff976c5f92e2e42dd6c04f1 |
C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-console-l1-1-0.dll
| MD5 | 2c146bc8d73b8944f35506241b9953a9 |
| SHA1 | ac64abd745418cea35c0506b9cb0331b171b51ea |
| SHA256 | 89384f8f64a9b7f67c8deccaa721e2d76b8a17026d8083630859ed0cd1a9b58b |
| SHA512 | 02713948a156baccb2e7c38646193e82fef65400c086644866b698bc3e0a8c155a8eab829463e3868ce2b8a06608c5ea6de1e390bff976c5f92e2e42dd6c04f1 |
C:\Users\Admin\AppData\Local\Bisq\runtime\conf\logging.properties
| MD5 | 6b9bedb07c74ca75da4de770dc51e69c |
| SHA1 | 3c0629532c002fc644627bf2dc35bea5d915a2a3 |
| SHA256 | 0601d43aba712c156936b7b126a22d5e8459981e5bcf6f984e8b2ee718ab5f42 |
| SHA512 | abb25caa7a2946b644faf10dd1aa4fc1b3ffc217efc2d634b36924405f7a4c1ba4ac826b9338917f2f8acc1bba8924a3915382356dafc262c80739d3c7b74487 |
C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-datetime-l1-1-0.dll
| MD5 | f0c9c56f56ffa3adc548173569dbd793 |
| SHA1 | 220a56b84cdb8cd403483d3f6b4bb526fe198fd9 |
| SHA256 | 12d801992bbb09d43bb90330bb96e77bf12e669c325dda4b5235942221c301c8 |
| SHA512 | 28e24a2ccedfaf01aef615c1df7f8c76ff0eb06d992eb1b422f902d6d96357ba6a353e31ca9b1fd305e7de7a437ee6a7f2f01bfdf27c4a88c805693ae2b6352c |
C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-console-l1-2-0.dll
| MD5 | 7a55e51d07e1f15221eb11479adbc53f |
| SHA1 | 8d8e2beff4dfa78372201b26a67b9dc4b116290f |
| SHA256 | f901b0bc8c00b3afc80e151e6f54b18f7672f932602c304fbfeedd5aa3ad63c8 |
| SHA512 | e89c0e45014abdaf7548de0352949c4ad496d97cad2f9e2f6c83a90f853b7b71354b9abbb957eff89076df79bdc9cc1c431b6f35875550bfb4198c3a68124197 |
C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-console-l1-2-0.dll
| MD5 | 7a55e51d07e1f15221eb11479adbc53f |
| SHA1 | 8d8e2beff4dfa78372201b26a67b9dc4b116290f |
| SHA256 | f901b0bc8c00b3afc80e151e6f54b18f7672f932602c304fbfeedd5aa3ad63c8 |
| SHA512 | e89c0e45014abdaf7548de0352949c4ad496d97cad2f9e2f6c83a90f853b7b71354b9abbb957eff89076df79bdc9cc1c431b6f35875550bfb4198c3a68124197 |
C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-debug-l1-1-0.dll
| MD5 | 02d669afdabfe420598041b848b71158 |
| SHA1 | 25c0fdbc04ffcd570db041d02842d7530afeeb6e |
| SHA256 | 64a9ac181fd91b79270bf01759749394f57be171436ed46f43d165325bb82067 |
| SHA512 | 5321290ec277fca8840e6c9cb7e77d39e820b1d98ef9c29040efaf2a7628c023209c936e08abfb6962a795130874544db25e1bac0d16256a1ebbca0fdcdaa81a |
C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-debug-l1-1-0.dll
| MD5 | 02d669afdabfe420598041b848b71158 |
| SHA1 | 25c0fdbc04ffcd570db041d02842d7530afeeb6e |
| SHA256 | 64a9ac181fd91b79270bf01759749394f57be171436ed46f43d165325bb82067 |
| SHA512 | 5321290ec277fca8840e6c9cb7e77d39e820b1d98ef9c29040efaf2a7628c023209c936e08abfb6962a795130874544db25e1bac0d16256a1ebbca0fdcdaa81a |
C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-handle-l1-1-0.dll
| MD5 | 31ffff2c6539b3d2f575500300b93d6b |
| SHA1 | e28e8919150fca0cb385f55a4ec4d23058d92fbf |
| SHA256 | 6dcbdab7fa8cf66f4a05d1f5166bed33cd88bee1d37af6128f18184e6c301709 |
| SHA512 | 716f42f0dc530774665982f189a1fbf0371aceb4087de67e5b677cb18a687900c73165a57ae8229b53744e2490d4f04a54686e09da3b5d8705e1df5b804fe27d |
C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-interlocked-l1-1-0.dll
| MD5 | 1144ced0d8198c39f62fc71c1ecf6cb1 |
| SHA1 | 43ca991199a46ca1860f8a295209dee6d32d040d |
| SHA256 | d4d86e560a22d833fcdf0ba165d3bd3f6059e69830f4d2f9748af08905b2d4c8 |
| SHA512 | 006b420d4513fd2be1e07f7512891275cb76243fd4d49855836da53ff779fa695b9bd5661fa16b1c8f83d8cec6342c9719def8d3242431b13e803bdbc2d81e4b |
C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-heap-l1-1-0.dll
| MD5 | c7120579bb8f56f8cd4e0d329ece3e9d |
| SHA1 | 0b35862dcc9654fc4ede338c26d0368c112d4ba9 |
| SHA256 | 2e00c0176952d7c009b93c40949f91f0ab367a1b274ee78b736bf563f0344da3 |
| SHA512 | 6172179c349f9952e6fb47a72a459ee29563a511d9da2a16a265625f1d8ca40ff9bd52f78a26d29b5297e7413bfa22a9797df2934a68ea551d0ab45914ee7822 |
C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-heap-l1-1-0.dll
| MD5 | c7120579bb8f56f8cd4e0d329ece3e9d |
| SHA1 | 0b35862dcc9654fc4ede338c26d0368c112d4ba9 |
| SHA256 | 2e00c0176952d7c009b93c40949f91f0ab367a1b274ee78b736bf563f0344da3 |
| SHA512 | 6172179c349f9952e6fb47a72a459ee29563a511d9da2a16a265625f1d8ca40ff9bd52f78a26d29b5297e7413bfa22a9797df2934a68ea551d0ab45914ee7822 |
C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-handle-l1-1-0.dll
| MD5 | 31ffff2c6539b3d2f575500300b93d6b |
| SHA1 | e28e8919150fca0cb385f55a4ec4d23058d92fbf |
| SHA256 | 6dcbdab7fa8cf66f4a05d1f5166bed33cd88bee1d37af6128f18184e6c301709 |
| SHA512 | 716f42f0dc530774665982f189a1fbf0371aceb4087de67e5b677cb18a687900c73165a57ae8229b53744e2490d4f04a54686e09da3b5d8705e1df5b804fe27d |
C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-file-l2-1-0.dll
| MD5 | 2e8995e2320e313545c3ddb5c71dc232 |
| SHA1 | 45d079a704bec060a15f8eba3eab22ac5cf756c6 |
| SHA256 | c55eb043454ac2d460f86ea26f934ecb16bdb1d05294c168193a05090bf1c56c |
| SHA512 | 19adcc5dd98f30b4eebefe344e1939c93c284c802043ea3ac22654cf2e23692f868a00a482c9be1b1e88089a5031fa81a3f1165175224309828bd28ee12f2d49 |
C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-file-l2-1-0.dll
| MD5 | 2e8995e2320e313545c3ddb5c71dc232 |
| SHA1 | 45d079a704bec060a15f8eba3eab22ac5cf756c6 |
| SHA256 | c55eb043454ac2d460f86ea26f934ecb16bdb1d05294c168193a05090bf1c56c |
| SHA512 | 19adcc5dd98f30b4eebefe344e1939c93c284c802043ea3ac22654cf2e23692f868a00a482c9be1b1e88089a5031fa81a3f1165175224309828bd28ee12f2d49 |
C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-file-l1-2-0.dll
| MD5 | b5060343583e6be3b3de33ccd40398e0 |
| SHA1 | 5b33b8db5d6cfb0e8a5bb7f209df2c6191b02edb |
| SHA256 | 27878021c6d48fb669f1822821b5934f5a2904740bebb340b6849e7635490cb7 |
| SHA512 | 86610edc05aa1b756c87160f9eefe9365e3f712c5bed18c8feca3cae12aef07ccc44c45c4be19dc8f9d337a6f6709b260c89019a5efcfe9fa0847d85ab64d282 |
C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-file-l1-2-0.dll
| MD5 | b5060343583e6be3b3de33ccd40398e0 |
| SHA1 | 5b33b8db5d6cfb0e8a5bb7f209df2c6191b02edb |
| SHA256 | 27878021c6d48fb669f1822821b5934f5a2904740bebb340b6849e7635490cb7 |
| SHA512 | 86610edc05aa1b756c87160f9eefe9365e3f712c5bed18c8feca3cae12aef07ccc44c45c4be19dc8f9d337a6f6709b260c89019a5efcfe9fa0847d85ab64d282 |
C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-file-l1-1-0.dll
| MD5 | fec01082bccddadad0814f30b43ab078 |
| SHA1 | a6f6d9b61bb743651d3f65824d06427ca492c120 |
| SHA256 | c15dacec228f40ce4c5b9d69bba5e6627bc484c6e9d6550a76db6f332e9f7734 |
| SHA512 | c6039c366cb47ca31c7501423384afc0678a07abeb0ca1d97ecb5aa3c3e3acf84c9551dea1e56d1dbd4472dab70eed1c79d1c0612ba2730327ce6d0dc151c441 |
C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-file-l1-1-0.dll
| MD5 | fec01082bccddadad0814f30b43ab078 |
| SHA1 | a6f6d9b61bb743651d3f65824d06427ca492c120 |
| SHA256 | c15dacec228f40ce4c5b9d69bba5e6627bc484c6e9d6550a76db6f332e9f7734 |
| SHA512 | c6039c366cb47ca31c7501423384afc0678a07abeb0ca1d97ecb5aa3c3e3acf84c9551dea1e56d1dbd4472dab70eed1c79d1c0612ba2730327ce6d0dc151c441 |
C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-errorhandling-l1-1-0.dll
| MD5 | 944a33d971704ff815a6c90733d0a72e |
| SHA1 | 7d8b9f68a3983a1b86bf4bae085cd5ca6f464921 |
| SHA256 | 44822ae123a3d6c3a8bdf9a4d65a4dc89eb31004c72fcfcefa1dc3a53ff3eab0 |
| SHA512 | 4d93dece856a24e50f12a53155e07f1aab501b17e7bbfcce205e1b37d2799caf3681b1770c522ba986ac3badba59d5d95a7526fe19f86a7b0d3d933ea73754e2 |
C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-errorhandling-l1-1-0.dll
| MD5 | 944a33d971704ff815a6c90733d0a72e |
| SHA1 | 7d8b9f68a3983a1b86bf4bae085cd5ca6f464921 |
| SHA256 | 44822ae123a3d6c3a8bdf9a4d65a4dc89eb31004c72fcfcefa1dc3a53ff3eab0 |
| SHA512 | 4d93dece856a24e50f12a53155e07f1aab501b17e7bbfcce205e1b37d2799caf3681b1770c522ba986ac3badba59d5d95a7526fe19f86a7b0d3d933ea73754e2 |
C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-datetime-l1-1-0.dll
| MD5 | f0c9c56f56ffa3adc548173569dbd793 |
| SHA1 | 220a56b84cdb8cd403483d3f6b4bb526fe198fd9 |
| SHA256 | 12d801992bbb09d43bb90330bb96e77bf12e669c325dda4b5235942221c301c8 |
| SHA512 | 28e24a2ccedfaf01aef615c1df7f8c76ff0eb06d992eb1b422f902d6d96357ba6a353e31ca9b1fd305e7de7a437ee6a7f2f01bfdf27c4a88c805693ae2b6352c |