Malware Analysis Report

2025-01-02 11:46

Sample ID 230110-jz73aafd43
Target Bisq-64bit-1.9.9.exe
SHA256 f6dd1ae9db598806ca1a26b514b14c44b98ddfaf998602967c75c40992b11d54
Tags bazarbackdoor backdoor
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 f6dd1ae9db598806ca1a26b514b14c44b98ddfaf998602967c75c40992b11d54

Threat Level: Known bad

The file Bisq-64bit-1.9.9.exe was found to be: Known bad.

Malicious Activity Summary

bazarbackdoor backdoor

BazarBackdoor

Bazar/Team9 Backdoor payload

Bazarbackdoor family

Bazar/Team9 Backdoor payload

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Enumerates connected drives

Drops file in System32 directory

Drops file in Windows directory

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-10 08:08

Signatures

Bazar/Team9 Backdoor payload

Description Indicator Process Target
N/A N/A N/A N/A

Bazarbackdoor family

bazarbackdoor

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-10 08:07

Reported

2023-01-10 08:11

Platform

win7-20220812-es

Max time kernel

152s

Max time network

47s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bisq-64bit-1.9.9.exe"

Signatures

BazarBackdoor

backdoor bazarbackdoor

Bazar/Team9 Backdoor payload

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\system32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\DriverStore\FileRepository\volsnap.inf_amd64_neutral_7499a4fac85b39fc\volsnap.PNF C:\Windows\system32\DrvInst.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\6e7724.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\6e7724.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI7975.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\volsnap.PNF C:\Windows\system32\DrvInst.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\system32\dnsapi.dll,-103 = "Confianza en el servidor DNS (Sistema de nombres de dominio)" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\system32\p2pcollab.dll,-8042 = "Confianza de mismo nivel" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\system32\qagentrt.dll,-10 = "Autenticación de mantenimiento del sistema" C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\System32\fveui.dll,-844 = "Agente de recuperación de datos BitLocker" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\LanguageList = 650073002d0045005300000065007300000065006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\63C768CF\@%SystemRoot%\System32\fveui.dll,-843 = "Cifrado de unidad BitLocker" C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\Bisq-64bit-1.9.9.exe C:\Windows\system32\msiexec.exe
PID 1728 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\Bisq-64bit-1.9.9.exe C:\Windows\system32\msiexec.exe
PID 1728 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\Bisq-64bit-1.9.9.exe C:\Windows\system32\msiexec.exe
PID 1728 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\Bisq-64bit-1.9.9.exe C:\Windows\system32\msiexec.exe
PID 1728 wrote to memory of 1732 N/A C:\Users\Admin\AppData\Local\Temp\Bisq-64bit-1.9.9.exe C:\Windows\system32\msiexec.exe
PID 1520 wrote to memory of 1576 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1520 wrote to memory of 1576 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1520 wrote to memory of 1576 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1520 wrote to memory of 1576 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1520 wrote to memory of 1576 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1520 wrote to memory of 1576 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1520 wrote to memory of 1576 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1520 wrote to memory of 1688 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1520 wrote to memory of 1688 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1520 wrote to memory of 1688 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1520 wrote to memory of 1688 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1520 wrote to memory of 1688 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\MsiExec.exe
PID 1520 wrote to memory of 1312 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1520 wrote to memory of 1312 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1520 wrote to memory of 1312 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1520 wrote to memory of 1312 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1520 wrote to memory of 1312 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1520 wrote to memory of 1312 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1520 wrote to memory of 1312 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Bisq-64bit-1.9.9.exe

"C:\Users\Admin\AppData\Local\Temp\Bisq-64bit-1.9.9.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\7090713.tmp\main.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 2749D954DDADA4DE712489BDDF2985DC C

C:\Windows\system32\MsiExec.exe

C:\Windows\system32\MsiExec.exe -Embedding 8CF5811863CC0851A991FCB620FC9D34 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002DC" "00000000000002BC"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A2BB473399AA00A8A753072EB21B8186

Network

N/A

Files

memory/1732-54-0x0000000000000000-mapping.dmp

memory/1732-55-0x000007FEFB721000-0x000007FEFB723000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7090713.tmp\main.msi

MD5 529ae77f9ef8d19468f5e12e5278e09b
SHA1 ba1fd0b46f3d08cd87f2497f7ec0bf231dc02899
SHA256 8b08354621864b3500ac49fd04fbf73a73a5db7c9232afaf6dfc81fb8e15ed83
SHA512 9f71eb35a78a54e9d7e698cdaa38f96ac9fa4aaf7c1559b3a16443400c9c68b3fcaaeb22d99d8d0ddf80c26220ff7a53f930fbc9f17701a32165e4e56f26cb51

memory/1576-58-0x0000000000000000-mapping.dmp

memory/1576-59-0x0000000075781000-0x0000000075783000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSIF9B.tmp

MD5 4fdd16752561cf585fed1506914d73e0
SHA1 f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
SHA256 aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
SHA512 3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

memory/1688-62-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MSI10B5.tmp

MD5 85442a4ac6bed1b030dd7a5c26379aec
SHA1 86f7b2a25acc9b974cf2af280022452cc7353925
SHA256 8ba4052de621b16c4d1e3c13e317572658eaa4c55782ed8ad9c2bf2ebd9dbaac
SHA512 eea5472e269df6a83262a8f17133d0f9475858c1d0ff99305e324408e5c711bed39c2f6c3e00dc20e101c9dd1e103dce879db7b1460080d3027127185f43cef2

memory/1312-66-0x0000000000000000-mapping.dmp

C:\Windows\Installer\MSI7975.tmp

MD5 a3ae5d86ecf38db9427359ea37a5f646
SHA1 eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256 c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-10 08:07

Reported

2023-01-10 08:11

Platform

win10v2004-20220812-es

Max time kernel

88s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Bisq-64bit-1.9.9.exe"

Signatures

BazarBackdoor

backdoor bazarbackdoor

Bazar/Team9 Backdoor payload

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\System32\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SYSTEM32\symbols\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
File opened for modification C:\Windows\SYSTEM32\jvm.pdb C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
File opened for modification C:\Windows\SYSTEM32\dll\jvm.pdb C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
File opened for modification C:\Windows\SYSTEM32\symbols\dll\jvm.pdb C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
File opened for modification C:\Windows\SYSTEM32\ntdll.pdb C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
File opened for modification C:\Windows\SYSTEM32\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e5773c8.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5773c8.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5773ca.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI757E.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{90B559E8-C18E-3159-B4C8-65ADD8953B5D} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_792d1c772443f647\ntdll.pdb C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_792d1c772443f647\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI81C4.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_792d1c772443f647\symbols\dll\ntdll.pdb C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_792d1c772443f647\jvm.pdb C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_792d1c772443f647\dll\jvm.pdb C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
File opened for modification C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.19041.1110_none_792d1c772443f647\symbols\dll\jvm.pdb C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value omitted) C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Bisq\Bisq.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2260 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\Bisq-64bit-1.9.9.exe C:\Windows\system32\msiexec.exe
PID 2260 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\Bisq-64bit-1.9.9.exe C:\Windows\system32\msiexec.exe
PID 3512 wrote to memory of 116 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3512 wrote to memory of 116 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3512 wrote to memory of 116 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3512 wrote to memory of 4652 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 3512 wrote to memory of 4652 N/A C:\Windows\system32\msiexec.exe C:\Windows\System32\MsiExec.exe
PID 3512 wrote to memory of 1248 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3512 wrote to memory of 1248 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3512 wrote to memory of 1100 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3512 wrote to memory of 1100 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3512 wrote to memory of 1100 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 116 wrote to memory of 4144 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Bisq\Bisq.exe
PID 116 wrote to memory of 4144 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Bisq\Bisq.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Bisq-64bit-1.9.9.exe

"C:\Users\Admin\AppData\Local\Temp\Bisq-64bit-1.9.9.exe"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /i C:\Users\Admin\AppData\Local\Temp\240561578.tmp\main.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 2DD819E49045CA1BF2800D62378158DB C

C:\Windows\System32\MsiExec.exe

C:\Windows\System32\MsiExec.exe -Embedding 7D5BF054265A78AD1302C276691D8348 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D89A74C53F988484B073A9546AC169FE

C:\Users\Admin\AppData\Local\Bisq\Bisq.exe

"C:\Users\Admin\AppData\Local\Bisq\Bisq.exe"

Network

Country Destination Domain Proto
N/A 20.42.65.90:443 tcp
N/A 67.27.153.126:80 tcp
N/A 204.79.197.200:443 tcp

Files

memory/4796-132-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\240561578.tmp\main.msi

MD5 529ae77f9ef8d19468f5e12e5278e09b
SHA1 ba1fd0b46f3d08cd87f2497f7ec0bf231dc02899
SHA256 8b08354621864b3500ac49fd04fbf73a73a5db7c9232afaf6dfc81fb8e15ed83
SHA512 9f71eb35a78a54e9d7e698cdaa38f96ac9fa4aaf7c1559b3a16443400c9c68b3fcaaeb22d99d8d0ddf80c26220ff7a53f930fbc9f17701a32165e4e56f26cb51

memory/116-134-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MSID110.tmp

MD5 4fdd16752561cf585fed1506914d73e0
SHA1 f00023b9ae3c8ce5b7bb92f25011eaebe6f9d424
SHA256 aecd2d2fe766f6d439acc2bbf1346930ecc535012cf5ad7b3273d2875237b7e7
SHA512 3695e7eb1e35ec959243a91ab5b4454eb59aeef0f2699aa5de8e03de8fbb89f756a89130526da5c08815408cb700284a17936522ad2cad594c3e6e9d18a3f600

memory/4652-137-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\MSID8E1.tmp

MD5 85442a4ac6bed1b030dd7a5c26379aec
SHA1 86f7b2a25acc9b974cf2af280022452cc7353925
SHA256 8ba4052de621b16c4d1e3c13e317572658eaa4c55782ed8ad9c2bf2ebd9dbaac
SHA512 eea5472e269df6a83262a8f17133d0f9475858c1d0ff99305e324408e5c711bed39c2f6c3e00dc20e101c9dd1e103dce879db7b1460080d3027127185f43cef2

memory/1248-140-0x0000000000000000-mapping.dmp

memory/1100-141-0x0000000000000000-mapping.dmp

C:\Windows\Installer\MSI757E.tmp

MD5 a3ae5d86ecf38db9427359ea37a5f646
SHA1 eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256 c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

\??\Volume{2fb4ccdc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{89e641fa-e816-4781-a6f4-8794ad93f62c}_OnDiskSnapshotProp

MD5 4a7c3f89c6d8ad87586c05edc3e50da2
SHA1 cacf288c2dc7554353dcb413671630e20bdc77c2
SHA256 07681d0267060e96adacd33f60935596561c9097286ae3891aafe89f9c7e2071
SHA512 75b039acb306d1be3aae46b3ae0a490c59efbe4cb5e22bc27152d1c69235c758cd307519516d320b9d6adaf19e3ef13953349b28d537419f085680e3f6d9026d

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 226bbd867b06ec26c00befa8924f6271
SHA1 265263d81c076f11f054a5f7fe0d919858c12f2a
SHA256 d9b90eb59754087898ea9647be495e0cd5ead2543f3da137de0ae8a126de6f26
SHA512 495683961643ac06ef1a39cc03762e89c5ce0787138b6d871ebf9b7f76c24e403bc97d44184ac62cc2d675d792a5fe2ed9a436db506dceef8d653a120151d233

C:\Users\Admin\AppData\Local\Temp\MSIB855.tmp

MD5 a3ae5d86ecf38db9427359ea37a5f646
SHA1 eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256 c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

C:\Users\Admin\AppData\Local\Bisq\Bisq.exe

MD5 3bb2e6aaf86e175558045e007dbf418c
SHA1 fb816b504dd543a55da6bdd478d1b2602da46b62
SHA256 c92f36567d4a28ad90f6eda284df827fdd1bee69f4f8bbda468469b21f9b5aca
SHA512 1c8e695968389fd8bbd30343237b9c5dcc20d65a2ba3ead6c068f9095e72c4f6fafb5ae5e0eddf6c7a6fb8d4dc4eca4365bb8529eb953f502c54a814c8de1ffd

memory/4144-149-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Bisq\runtime\bin\jli.dll

MD5 731e3aede451c38ca2e60d91fccc1012
SHA1 b37b5763879386da4a8ad2061e08dbda30296976
SHA256 2fc3470350ef342688e417a6baf69a02c8d653ecd07f051808ffba7e5cd2d130
SHA512 9164f3e0dcf6700fd6994d41649ad6b6535951261e0099747963b3f3f357757b149a2a2c3759ce1b0b400a84d0d6321ad9010ad6671bc312ed71ea2fa2d13ee6

C:\Users\Admin\AppData\Local\Bisq\app\Bisq.cfg

MD5 924cddfe7e5f727c5c3389aeaa7b1469
SHA1 53a58a6e35d05824712f61103c987c905a9b8ac2
SHA256 069e8c4544cd92a7cfaf9540b7a48596dc6a48ecea3b37843c03c03432b3eb40
SHA512 088770d4dc1aa691c1392df8f318af74c005f80bf44e88a9bd9c8696da3fab294c15715fab1d31781d94d2d27e03b83b3407f1a7f905b878cdfecac19fb7efce

C:\Users\Admin\AppData\Local\Bisq\runtime\bin\msvcp140.dll

MD5 c1b066f9e3e2f3a6785161a8c7e0346a
SHA1 8b3b943e79c40bc81fdac1e038a276d034bbe812
SHA256 99e3e25cda404283fbd96b25b7683a8d213e7954674adefa2279123a8d0701fd
SHA512 36f9e6c86afbd80375295238b67e4f472eb86fcb84a590d8dba928d4e7a502d4f903971827fdc331353e5b3d06616664450759432fdc8d304a56e7dacb84b728

C:\Users\Admin\AppData\Local\Bisq\runtime\bin\server\jvm.dll

MD5 73acea153ddb0371c2173603a6a2c5ea
SHA1 9cce36f2541b3e5b53d607a660a678113f02e1e9
SHA256 f843d050cfda8aa8c59eaa6278c7190c5932303a0176b1d388a89d7f38d4fdb7
SHA512 f2c6fcee5b36f70f9597bf47f26766313bc63cbc85bfb182ecf24d637b2f7966f24633132ed751563ed251395bce0a1199ac901c4d5df9816d29ce5e63627382

C:\Users\Admin\AppData\Local\Bisq\runtime\bin\jimage.dll

MD5 a40991fb2c45b0f8ec35e5b64f1d581c
SHA1 ddaa403678bf1fd7d5ca08c276060c328eb58157
SHA256 0b96e2449bf5f119afe0bcdcb61779ccf418fad645e089ba5be81f3f1c4168f0
SHA512 6017db2d0f46ad32420df88eeac24c8e2cdb4231bb0f3ac5c175222cbf18ad375f0591f4d672124614f381c68432726707c9ba2b0cd2ff4e56927288da3ca624

C:\Users\Admin\AppData\Local\Bisq\runtime\lib\modules

MD5 29ac885f6689038b4a42c5a39126ba48
SHA1 ea04addaa724771a3915f114abac306a5cb4f44f
SHA256 cb6a40195219ab82293059ad23784547234fd0466a91cd074367e479b9a9737e
SHA512 f71fd2287e23578f40fada050ec62bfc43d9e64b634a386769c28fdf7152fdf3c19d5ce276d92226f2abc3ea39ff0cd3960647548ccfebf937f26a3cec5fbe88

C:\Users\Admin\AppData\Local\Bisq\runtime\bin\java.dll

MD5 9fbcce21e240d7862361515cf5123229
SHA1 d36d8f53831b25c1fc2c3a3e9cfe854ef631a8ba
SHA256 0d21bb86f7fe23b64661a8a7c41cb5ba0386d1fcfd013965ceeec15793b58d7b
SHA512 06f01a8e7c5daff7617a07a283836a64efb8bb2b81e0fe852500efa46e5ba8da2cbe1310e2a2cd483744bc92f90bf63c52a09c6986b686e4cce5fd2f69aa5988

C:\Users\Admin\AppData\Local\Bisq\runtime\bin\vcruntime140.dll

MD5 1453290db80241683288f33e6dd5e80e
SHA1 29fb9af50458df43ef40bfc8f0f516d0c0a106fd
SHA256 2b7602cc1521101d116995e3e2ddfe0943349806378a0d40add81ba64e359b6c
SHA512 4ea48a11e29ea7ac3957dcab1a7912f83fd1c922c43d7b7d78523178fe236b4418729455b78ac672bb5632ecd5400746179802c6a9690adb025270b0ade84e91

C:\Users\Admin\AppData\Local\Bisq\runtime\lib\jvm.cfg

MD5 7ce21bdcfa333c231d74a77394206302
SHA1 c5a940d2dee8e7bfc01a87d585ddca420d37e226
SHA256 aa9efb969444c1484e29adecab55a122458090616e766b2f1230ef05bc3867e0
SHA512 8b37a1a5600e0a4e5832021c4db50569e33f1ddc8ac4fc2f38d5439272b955b0e3028ea10dec0743b197aa0def32d9e185066d2bac451f81b99539d34006074b

C:\Users\Admin\AppData\Local\Bisq\runtime\bin\net.dll

MD5 ccc733d04bb01b24ad28867abbcf2927
SHA1 366dab726cfb4262c73a1ae2a80e923282c88596
SHA256 a72b46d69f7b848ac245e8f3bf2d2571953ba943f8f17ff883f633396c952c25
SHA512 c2e4d92e283a7055f961e707f77c4a79fb690a6f9c1e5cf96f0e6c804e598414b43d93dcbd838625f701c57cbb767a4c06209eb7fc6375a05eff46126de5ef03

C:\Users\Admin\AppData\Local\Bisq\runtime\bin\nio.dll

MD5 a96529435bceb9db3d5eb35b01425985
SHA1 a344454259e9b77fae1ff025b76dc35ed6d16bca
SHA256 7ba60a222235233f8e6e46fa58b25968c2afe15035db5da8e5db3d6b6671cfaf
SHA512 cd061cd321f2f6c459de53cd6c9847a7706ef9c924133405ab5c1caf25b1b8119be4bc00df2d25dea83ac89110f0bb045039b72abfc286ee787eaf7dd0ac2d95

C:\Users\Admin\AppData\Local\Bisq\app\desktop-1.9.9-all.jar

MD5 dbd077e6a77eb12028d74a2262d2d029
SHA1 88a74d929ab1b4b9c7d891f82d1ed7dc9a8050f8
SHA256 b4d7b199d66a40a288a15276b3c6986e56e40dcdeee063dd4d23469287ae9c09
SHA512 b9ecb399549696b17eab1c919be0780ed90d7d817f7cca137d651342c926100fc0a3a9d1044e83498d50dac14d9228f25133eb51b38e46d566883accf8375e02

memory/4144-177-0x00000189601D0000-0x00000189611D0000-memory.dmp

C:\Users\Admin\AppData\Local\Bisq\runtime\bin\zip.dll

MD5 ddbf8e42fdcbf7ebfa0133117c61229c
SHA1 ac518dc7148bea6b2ddef9b19d1a50513697fa04
SHA256 4cbbc2812f72d4a573545e8abc4679f568f58a4f97bef9db1d82ab0753ab9685
SHA512 9f9a66e715977184457b09318e9bf41a5757b32bf38971c7a80fc3e02231459172012b3710cbbf4c6ff5ca4c81948973f9a6e34306b9575d70dd81ed1431a921

C:\Users\Admin\AppData\Local\Bisq\runtime\bin\verify.dll

MD5 ad4b10a45a5d58b4730fafad7bd78d76
SHA1 df02332eee9030675a13a00f31882196fa9c4817
SHA256 6842bef7e00b7cb869b8b4aa964063b12604a1c395038699afebc4b4db4d97f8
SHA512 45778fa75ae301b3747172605b8824690574b64a6871fc86b95c6bd4383b1b93da7f341cde5feb36961b2146c45b7a03ca5b5d7ce2661d3a272a1ae94bb6ecd5

C:\Users\Admin\AppData\Local\Bisq\runtime\conf\security\java.policy

MD5 fbf2b55342947695aa2a15e3485ed29f
SHA1 a04c23f61d2958fc1e9882509927b43cab0e799c
SHA256 f2a00a1dec3b7a097f0815f338a84717ba1017d5d7aae96d842d2188d67c3250
SHA512 35ffe47eb7d404785e5bef3f1f26629f5dc04c54f9dcb082a250da367414095b024e6486ad0332cebe0348a2f972e9d58979c8c86ab9753f72ff0727bda07c1c

C:\Users\Admin\AppData\Local\Bisq\runtime\lib\security\default.policy

MD5 adfdc71d9a4c66ce448fff460534f671
SHA1 265a3e1f4586bd88b3d7532963813806fa2e0e3b
SHA256 b03da546022a97c65bc17e3bcca01177f827cfe37ab0227f342f07ea1e985fc5
SHA512 9cf77b7a18eae6306e18545357d66cce8db51655f824bc97d4a531c5c57cc7ece8539af71691edd01a1b09e0fcb62b8bd0fc9cf02767e9717aed3a92a8e2b65c

C:\Users\Admin\AppData\Local\Bisq\runtime\conf\security\java.security

MD5 ee23402a3509f2e6d0a5c622f969194d
SHA1 07029f00ac2d1dc1f2821ca86dec299c8e611e7d
SHA256 91dc4752f1b35a54e07942a546e506ebe0f285bdf2a2ff1f9821ca519ce3c2a4
SHA512 f06e0b23fddf58374c6474ed89b6aa7e494972bfb46f152df04fe200cb087d4ef6cd9a1ddaa40cdc8d78aee8d1d595881d3752566f6212068fe07ba5c3b4326a

C:\Users\Admin\AppData\Local\Bisq\runtime\lib\tzmappings

MD5 af7e42914d8b91ea049ac6b0b1bc603b
SHA1 fed9fa9062065156f1bc1fc041f355bbc619facf
SHA256 c16ae3fa1993e297df14352209c56751d4e67d99b6769558160f292298b21e62
SHA512 ef79857e56863a78545521ca571e9e20ef90e3051b9c017a6eefae66b66ee92e43d13571b01f0185cf77b975890256d26ddb57ad5dfe20a683a72f8e79b66bf0

C:\Users\Admin\AppData\Local\Bisq\runtime\lib\tzdb.dat

MD5 43181995f72430167ffc15b58cc56623
SHA1 afc3378a7667eb99e5528e7550a776fcc9f66d9d
SHA256 2743c0344131e00b73b2b47c1884f09f23b28b3ecd9135a460d0dd874f57bcd3
SHA512 85ee6dbf56fc04b91315ae1568fa5e3734a29c6641ab04e58eefea3d47f1d54c90f70cb4be2c291edee9b3c2b5826d98bd858dc86d9972d70a2934322e2eade4

memory/4144-187-0x00000189601D0000-0x00000189611D0000-memory.dmp

memory/4144-188-0x00000189601D0000-0x00000189611D0000-memory.dmp

C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-console-l1-1-0.dll

MD5 2c146bc8d73b8944f35506241b9953a9
SHA1 ac64abd745418cea35c0506b9cb0331b171b51ea
SHA256 89384f8f64a9b7f67c8deccaa721e2d76b8a17026d8083630859ed0cd1a9b58b
SHA512 02713948a156baccb2e7c38646193e82fef65400c086644866b698bc3e0a8c155a8eab829463e3868ce2b8a06608c5ea6de1e390bff976c5f92e2e42dd6c04f1

C:\Users\Admin\AppData\Local\Bisq\runtime\conf\logging.properties

MD5 6b9bedb07c74ca75da4de770dc51e69c
SHA1 3c0629532c002fc644627bf2dc35bea5d915a2a3
SHA256 0601d43aba712c156936b7b126a22d5e8459981e5bcf6f984e8b2ee718ab5f42
SHA512 abb25caa7a2946b644faf10dd1aa4fc1b3ffc217efc2d634b36924405f7a4c1ba4ac826b9338917f2f8acc1bba8924a3915382356dafc262c80739d3c7b74487

C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-datetime-l1-1-0.dll

MD5 f0c9c56f56ffa3adc548173569dbd793
SHA1 220a56b84cdb8cd403483d3f6b4bb526fe198fd9
SHA256 12d801992bbb09d43bb90330bb96e77bf12e669c325dda4b5235942221c301c8
SHA512 28e24a2ccedfaf01aef615c1df7f8c76ff0eb06d992eb1b422f902d6d96357ba6a353e31ca9b1fd305e7de7a437ee6a7f2f01bfdf27c4a88c805693ae2b6352c

C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-console-l1-2-0.dll

MD5 7a55e51d07e1f15221eb11479adbc53f
SHA1 8d8e2beff4dfa78372201b26a67b9dc4b116290f
SHA256 f901b0bc8c00b3afc80e151e6f54b18f7672f932602c304fbfeedd5aa3ad63c8
SHA512 e89c0e45014abdaf7548de0352949c4ad496d97cad2f9e2f6c83a90f853b7b71354b9abbb957eff89076df79bdc9cc1c431b6f35875550bfb4198c3a68124197

C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-debug-l1-1-0.dll

MD5 02d669afdabfe420598041b848b71158
SHA1 25c0fdbc04ffcd570db041d02842d7530afeeb6e
SHA256 64a9ac181fd91b79270bf01759749394f57be171436ed46f43d165325bb82067
SHA512 5321290ec277fca8840e6c9cb7e77d39e820b1d98ef9c29040efaf2a7628c023209c936e08abfb6962a795130874544db25e1bac0d16256a1ebbca0fdcdaa81a

C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-handle-l1-1-0.dll

MD5 31ffff2c6539b3d2f575500300b93d6b
SHA1 e28e8919150fca0cb385f55a4ec4d23058d92fbf
SHA256 6dcbdab7fa8cf66f4a05d1f5166bed33cd88bee1d37af6128f18184e6c301709
SHA512 716f42f0dc530774665982f189a1fbf0371aceb4087de67e5b677cb18a687900c73165a57ae8229b53744e2490d4f04a54686e09da3b5d8705e1df5b804fe27d

C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-interlocked-l1-1-0.dll

MD5 1144ced0d8198c39f62fc71c1ecf6cb1
SHA1 43ca991199a46ca1860f8a295209dee6d32d040d
SHA256 d4d86e560a22d833fcdf0ba165d3bd3f6059e69830f4d2f9748af08905b2d4c8
SHA512 006b420d4513fd2be1e07f7512891275cb76243fd4d49855836da53ff779fa695b9bd5661fa16b1c8f83d8cec6342c9719def8d3242431b13e803bdbc2d81e4b

C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-heap-l1-1-0.dll

MD5 c7120579bb8f56f8cd4e0d329ece3e9d
SHA1 0b35862dcc9654fc4ede338c26d0368c112d4ba9
SHA256 2e00c0176952d7c009b93c40949f91f0ab367a1b274ee78b736bf563f0344da3
SHA512 6172179c349f9952e6fb47a72a459ee29563a511d9da2a16a265625f1d8ca40ff9bd52f78a26d29b5297e7413bfa22a9797df2934a68ea551d0ab45914ee7822

C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-file-l2-1-0.dll

MD5 2e8995e2320e313545c3ddb5c71dc232
SHA1 45d079a704bec060a15f8eba3eab22ac5cf756c6
SHA256 c55eb043454ac2d460f86ea26f934ecb16bdb1d05294c168193a05090bf1c56c
SHA512 19adcc5dd98f30b4eebefe344e1939c93c284c802043ea3ac22654cf2e23692f868a00a482c9be1b1e88089a5031fa81a3f1165175224309828bd28ee12f2d49

C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-file-l1-2-0.dll

MD5 b5060343583e6be3b3de33ccd40398e0
SHA1 5b33b8db5d6cfb0e8a5bb7f209df2c6191b02edb
SHA256 27878021c6d48fb669f1822821b5934f5a2904740bebb340b6849e7635490cb7
SHA512 86610edc05aa1b756c87160f9eefe9365e3f712c5bed18c8feca3cae12aef07ccc44c45c4be19dc8f9d337a6f6709b260c89019a5efcfe9fa0847d85ab64d282

C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-file-l1-1-0.dll

MD5 fec01082bccddadad0814f30b43ab078
SHA1 a6f6d9b61bb743651d3f65824d06427ca492c120
SHA256 c15dacec228f40ce4c5b9d69bba5e6627bc484c6e9d6550a76db6f332e9f7734
SHA512 c6039c366cb47ca31c7501423384afc0678a07abeb0ca1d97ecb5aa3c3e3acf84c9551dea1e56d1dbd4472dab70eed1c79d1c0612ba2730327ce6d0dc151c441

C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 944a33d971704ff815a6c90733d0a72e
SHA1 7d8b9f68a3983a1b86bf4bae085cd5ca6f464921
SHA256 44822ae123a3d6c3a8bdf9a4d65a4dc89eb31004c72fcfcefa1dc3a53ff3eab0
SHA512 4d93dece856a24e50f12a53155e07f1aab501b17e7bbfcce205e1b37d2799caf3681b1770c522ba986ac3badba59d5d95a7526fe19f86a7b0d3d933ea73754e2

C:\Users\Admin\.openjfx\cache\16\api-ms-win-core-datetime-l1-1-0.dll

MD5 f0c9c56f56ffa3adc548173569dbd793
SHA1 220a56b84cdb8cd403483d3f6b4bb526fe198fd9
SHA256 12d801992bbb09d43bb90330bb96e77bf12e669c325dda4b5235942221c301c8
SHA512 28e24a2ccedfaf01aef615c1df7f8c76ff0eb06d992eb1b422f902d6d96357ba6a353e31ca9b1fd305e7de7a437ee6a7f2f01bfdf27c4a88c805693ae2b6352c