Malware Analysis Report

2025-03-15 03:54

Sample ID 230630-jy7p5agf22
Target 2af655e137a695056205c6a4434dd08e1cdd6f34eb009228c38e9983306fec9b.7z
SHA256 e04fc9ffcdc408f70c80adc29531afd6fb5349e5224aa895b56d4fb9b71ff976
Tags
fatalrat discovery infostealer rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e04fc9ffcdc408f70c80adc29531afd6fb5349e5224aa895b56d4fb9b71ff976

Threat Level: Known bad

The file 2af655e137a695056205c6a4434dd08e1cdd6f34eb009228c38e9983306fec9b.7z was found to be: Known bad.

Malicious Activity Summary

fatalrat discovery infostealer rat

FatalRat

Fatal Rat payload

Blocklisted process makes network request

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Drops desktop.ini file(s)

Checks installed software on the system

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Enumerates system info in registry

Uses Volume Shadow Copy service COM API

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-06-30 08:05

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-30 08:05

Reported

2023-06-30 08:11

Platform

win10v2004-20230621-en

Max time kernel

292s

Max time network

302s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2af655e137a695056205c6a4434dd08e1cdd6f34eb009228c38e9983306fec9b.msi

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000\Control Panel\International\Geo\Nation C:\ProgramData\Mohmy\sccy.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\tsetup.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI1FE6.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC60.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE57.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{B2FCFC9D-3853-44CB-845F-3808C6F62543} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1AFF.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1B10.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1FE5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1FF7.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e57fdc9.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1453.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1C98.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1DC1.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDC9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI153F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e57fdc9.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIFFEB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID1C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI15EB.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI1669.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI187E.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\sccy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\sccy.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\ = "URL:Telegram Link" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -workdir \"C:/Users/Admin/AppData/Roaming/Telegram Desktop/\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\shell C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\shell C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\URL Protocol C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -workdir \"C:/Users/Admin/AppData/Roaming/Telegram Desktop/\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\shell\open C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tg\shell\open C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2177513644-1903222820-241662473-1000_Classes\tdesktop.tg\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3724 wrote to memory of 3428 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3724 wrote to memory of 3428 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 3724 wrote to memory of 2304 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3724 wrote to memory of 2304 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3724 wrote to memory of 2304 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3724 wrote to memory of 4632 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3724 wrote to memory of 4632 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3724 wrote to memory of 4632 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3724 wrote to memory of 4924 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI1FE6.tmp
PID 3724 wrote to memory of 4924 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI1FE6.tmp
PID 3724 wrote to memory of 4924 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI1FE6.tmp
PID 3724 wrote to memory of 4732 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI1FE5.tmp
PID 3724 wrote to memory of 4732 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI1FE5.tmp
PID 3724 wrote to memory of 4732 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSI1FE5.tmp
PID 952 wrote to memory of 3824 N/A C:\Program Files (x86)\Common Files\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-102H6.tmp\tsetup.tmp
PID 952 wrote to memory of 3824 N/A C:\Program Files (x86)\Common Files\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-102H6.tmp\tsetup.tmp
PID 952 wrote to memory of 3824 N/A C:\Program Files (x86)\Common Files\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-102H6.tmp\tsetup.tmp
PID 2896 wrote to memory of 4780 N/A C:\ProgramData\Mohmy\sccy.exe C:\Users\Admin\AppData\Local\sccy.exe
PID 2896 wrote to memory of 4780 N/A C:\ProgramData\Mohmy\sccy.exe C:\Users\Admin\AppData\Local\sccy.exe
PID 2896 wrote to memory of 4780 N/A C:\ProgramData\Mohmy\sccy.exe C:\Users\Admin\AppData\Local\sccy.exe
PID 3824 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\is-102H6.tmp\tsetup.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
PID 3824 wrote to memory of 1964 N/A C:\Users\Admin\AppData\Local\Temp\is-102H6.tmp\tsetup.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2af655e137a695056205c6a4434dd08e1cdd6f34eb009228c38e9983306fec9b.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 4248D0F9755E79448C7E049431A6798D

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding DB7AA304304326D10A8431290AB80222 E Global\MSI0000

C:\Windows\Installer\MSI1FE5.tmp

"C:\Windows\Installer\MSI1FE5.tmp" /DontWait "C:\ProgramData\Mohmy\sccy.exe"

C:\Windows\Installer\MSI1FE6.tmp

"C:\Windows\Installer\MSI1FE6.tmp" /DontWait "C:\Program Files (x86)\Common Files\tsetup.exe"

C:\ProgramData\Mohmy\sccy.exe

"C:\ProgramData\Mohmy\sccy.exe"

C:\Program Files (x86)\Common Files\tsetup.exe

"C:\Program Files (x86)\Common Files\tsetup.exe"

C:\Users\Admin\AppData\Local\Temp\is-102H6.tmp\tsetup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-102H6.tmp\tsetup.tmp" /SL5="$A0034,34326336,813568,C:\Program Files (x86)\Common Files\tsetup.exe"

C:\Users\Admin\AppData\Local\sccy.exe

"C:\Users\Admin\AppData\Local\sccy.exe"

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"

C:\ProgramData\Mohmy\sccy.exe

C:\ProgramData\Mohmy\sccy.exe

Network

Country Destination Domain Proto
US 209.197.3.8:80 tcp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 20.189.173.14:443 tcp
US 93.184.221.240:80 tcp
US 8.8.8.8:53 0.77.109.52.in-addr.arpa udp
GB 96.16.110.41:443 tcp
US 209.197.3.8:80 tcp
US 8.8.8.8:53 68.193.42.23.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
GB 2.22.249.210:443 assets.msn.com tcp
US 8.8.8.8:53 210.249.22.2.in-addr.arpa udp
US 8.8.8.8:53 collect.installeranalytics.com udp
US 54.198.235.9:80 collect.installeranalytics.com tcp
US 8.8.8.8:53 9.235.198.54.in-addr.arpa udp
US 8.8.8.8:53 02-07.telegramxe.org udp
US 104.233.220.94:8081 02-07.telegramxe.org tcp
US 8.8.8.8:53 94.220.233.104.in-addr.arpa udp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
NL 149.154.167.51:443 tcp
NL 95.161.76.100:443 tcp
NL 149.154.167.51:80 149.154.167.51 tcp
NL 95.161.76.100:80 tcp
US 8.8.8.8:53 51.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 100.76.161.95.in-addr.arpa udp
US 8.8.8.8:53 td.telegram.org udp
NL 149.154.167.99:443 td.telegram.org tcp
NL 149.154.167.99:443 td.telegram.org tcp
US 8.8.8.8:53 99.167.154.149.in-addr.arpa udp
NL 149.154.167.91:443 tcp
NL 149.154.167.41:443 tcp
NL 149.154.167.41:80 149.154.167.41 tcp
US 8.8.8.8:53 91.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 41.167.154.149.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

\??\Volume{1b62ef81-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0c3bdaa9-5fd2-4eda-a8a3-092bdff1cc32}_OnDiskSnapshotProp

MD5 b42755521ca96ead2c70ee37210f2f8b
SHA1 ead746f250de52016f36146ae267e96810a323d8
SHA256 13e5c3ee83d1e42fd05b375b3e2c307ca5c2341850c04fb663d3cf01ea255d85
SHA512 862c5e0d03584ace66547814e9cf2709cd39721e60a944573409c6f6fbed30d1a09465fde10bf3a90e5e68c9b7152357e75542149c7d457a02eb96c5c078dc96

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 09a26acc6ca7e8e2902743219f1f2497
SHA1 864588cd5a868587270af880415c5adeb1068193
SHA256 f5b2e1d7cfae609ba85d27bc5df4ddeb2a61e222b274c288147170315730af16
SHA512 cd32ecf6ed9f4e48ac533eaf4928d18135d679885963b963ad253ec99fbac630b8b4eee3e4542b48df839381ef24ea968429ea9665308a863c1aff1f3d2c33b2

C:\Windows\Installer\MSIFFEB.tmp

MD5 356fc2c181cc37e3f8ae4d6b855ebfcb
SHA1 2ead1e69f14099ae33a3216a9312c88007b73cd1
SHA256 c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c
SHA512 74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

C:\Windows\Installer\MSIC60.tmp

MD5 475d20c0ea477a35660e3f67ecf0a1df
SHA1 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA512 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

C:\Windows\Installer\MSIC60.tmp

MD5 475d20c0ea477a35660e3f67ecf0a1df
SHA1 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA512 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

C:\Windows\Installer\MSID1C.tmp

MD5 475d20c0ea477a35660e3f67ecf0a1df
SHA1 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA512 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

C:\Windows\Installer\MSID1C.tmp

MD5 475d20c0ea477a35660e3f67ecf0a1df
SHA1 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA512 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

C:\Windows\Installer\MSIDC9.tmp

MD5 475d20c0ea477a35660e3f67ecf0a1df
SHA1 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA512 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

C:\Windows\Installer\MSIDC9.tmp

MD5 475d20c0ea477a35660e3f67ecf0a1df
SHA1 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA512 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

C:\Windows\Installer\MSIDC9.tmp

MD5 475d20c0ea477a35660e3f67ecf0a1df
SHA1 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA512 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

C:\Windows\Installer\MSIE57.tmp

MD5 6189cdcb92ab9ddbffd95facd0b631fa
SHA1 b74c72cefcb5808e2c9ae4ba976fa916ba57190d
SHA256 519f7ac72beba9d5d7dcf71fcac15546f5cfd3bcfc37a5129e63b4e0be91a783
SHA512 ee9ce27628e7a07849cd9717609688ca4229d47579b69e3d3b5b2e7c2433369de9557ef6a13fa59964f57fb213cd8ca205b35f5791ea126bde5a4e00f6a11caf

C:\Windows\Installer\MSIE57.tmp

MD5 6189cdcb92ab9ddbffd95facd0b631fa
SHA1 b74c72cefcb5808e2c9ae4ba976fa916ba57190d
SHA256 519f7ac72beba9d5d7dcf71fcac15546f5cfd3bcfc37a5129e63b4e0be91a783
SHA512 ee9ce27628e7a07849cd9717609688ca4229d47579b69e3d3b5b2e7c2433369de9557ef6a13fa59964f57fb213cd8ca205b35f5791ea126bde5a4e00f6a11caf

C:\Windows\Installer\MSI1453.tmp

MD5 356fc2c181cc37e3f8ae4d6b855ebfcb
SHA1 2ead1e69f14099ae33a3216a9312c88007b73cd1
SHA256 c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c
SHA512 74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

C:\Windows\Installer\MSI1453.tmp

MD5 356fc2c181cc37e3f8ae4d6b855ebfcb
SHA1 2ead1e69f14099ae33a3216a9312c88007b73cd1
SHA256 c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c
SHA512 74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

C:\Windows\Installer\MSI153F.tmp

MD5 356fc2c181cc37e3f8ae4d6b855ebfcb
SHA1 2ead1e69f14099ae33a3216a9312c88007b73cd1
SHA256 c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c
SHA512 74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

C:\Windows\Installer\MSI153F.tmp

MD5 356fc2c181cc37e3f8ae4d6b855ebfcb
SHA1 2ead1e69f14099ae33a3216a9312c88007b73cd1
SHA256 c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c
SHA512 74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

C:\Users\Admin\AppData\Local\AdvinstAnalytics\6411d7593b175c29e347c2c7\36.33.25\{F239A0F9-62BB-467D-ADA2-8FCC09CCF18F}.session

MD5 98f621374920589685a5565083d3de99
SHA1 e3dfb0e713466a834e17fc531834c5e35da5c86b
SHA256 2319e0c895d3b91468a0fb074496c00f516c73687088e7c31ee7a8e71487399d
SHA512 fbf468d82667afd89f80ca7fddf76ad57abeefffe75ca5654e699e920569325ed4661b03bb1172c3768595303b489d4f24c14a04379cbdabc97a102ccb55ecac

C:\Users\Admin\AppData\Local\AdvinstAnalytics\6411d7593b175c29e347c2c7\36.33.25\{F239A0F9-62BB-467D-ADA2-8FCC09CCF18F}.session

MD5 98f621374920589685a5565083d3de99
SHA1 e3dfb0e713466a834e17fc531834c5e35da5c86b
SHA256 2319e0c895d3b91468a0fb074496c00f516c73687088e7c31ee7a8e71487399d
SHA512 fbf468d82667afd89f80ca7fddf76ad57abeefffe75ca5654e699e920569325ed4661b03bb1172c3768595303b489d4f24c14a04379cbdabc97a102ccb55ecac

C:\Users\Admin\AppData\Local\AdvinstAnalytics\6411d7593b175c29e347c2c7\36.33.25\{F239A0F9-62BB-467D-ADA2-8FCC09CCF18F}.session

MD5 98f621374920589685a5565083d3de99
SHA1 e3dfb0e713466a834e17fc531834c5e35da5c86b
SHA256 2319e0c895d3b91468a0fb074496c00f516c73687088e7c31ee7a8e71487399d
SHA512 fbf468d82667afd89f80ca7fddf76ad57abeefffe75ca5654e699e920569325ed4661b03bb1172c3768595303b489d4f24c14a04379cbdabc97a102ccb55ecac

C:\Windows\Installer\MSI153F.tmp

MD5 356fc2c181cc37e3f8ae4d6b855ebfcb
SHA1 2ead1e69f14099ae33a3216a9312c88007b73cd1
SHA256 c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c
SHA512 74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

C:\Windows\Installer\MSI15EB.tmp

MD5 475d20c0ea477a35660e3f67ecf0a1df
SHA1 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA512 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

C:\Windows\Installer\MSI15EB.tmp

MD5 475d20c0ea477a35660e3f67ecf0a1df
SHA1 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA512 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

C:\Windows\Installer\MSI1669.tmp

MD5 475d20c0ea477a35660e3f67ecf0a1df
SHA1 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA512 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

C:\Windows\Installer\MSI1669.tmp

MD5 475d20c0ea477a35660e3f67ecf0a1df
SHA1 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA512 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

C:\Windows\Installer\MSI187E.tmp

MD5 356fc2c181cc37e3f8ae4d6b855ebfcb
SHA1 2ead1e69f14099ae33a3216a9312c88007b73cd1
SHA256 c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c
SHA512 74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

C:\Windows\Installer\MSI187E.tmp

MD5 356fc2c181cc37e3f8ae4d6b855ebfcb
SHA1 2ead1e69f14099ae33a3216a9312c88007b73cd1
SHA256 c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c
SHA512 74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

C:\Windows\Installer\MSI1B10.tmp

MD5 f11e8ec00dfd2d1344d8a222e65fea09
SHA1 235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20
SHA256 775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93
SHA512 6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

C:\Windows\Installer\MSI1B10.tmp

MD5 f11e8ec00dfd2d1344d8a222e65fea09
SHA1 235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20
SHA256 775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93
SHA512 6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

C:\Windows\Installer\MSI1C98.tmp

MD5 f11e8ec00dfd2d1344d8a222e65fea09
SHA1 235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20
SHA256 775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93
SHA512 6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

C:\Windows\Installer\MSI1C98.tmp

MD5 f11e8ec00dfd2d1344d8a222e65fea09
SHA1 235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20
SHA256 775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93
SHA512 6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

C:\Windows\Installer\MSI1DC1.tmp

MD5 f11e8ec00dfd2d1344d8a222e65fea09
SHA1 235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20
SHA256 775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93
SHA512 6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

C:\Windows\Installer\MSI1DC1.tmp

MD5 f11e8ec00dfd2d1344d8a222e65fea09
SHA1 235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20
SHA256 775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93
SHA512 6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

C:\Windows\Installer\MSI1DC1.tmp

MD5 f11e8ec00dfd2d1344d8a222e65fea09
SHA1 235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20
SHA256 775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93
SHA512 6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

C:\Config.Msi\e57fdcc.rbs

MD5 d13f309fa11636024ff654cd8004d204
SHA1 a0ebdf5a757b1b13bbce6621df3b9a66c3c7d086
SHA256 b517a1cddde47ba5ccbff51323cf4c3d7c9d49c9d5840b50edc612a7ca422dd1
SHA512 8a43c89fec62d7d852be17910ff616b467ebd6779ccc58c088bbd297d5220120bd2c34eedc62a504121398429ce93ca9e3a1e3fba183e373a6c5bcdcea2b5c32

C:\Windows\Installer\MSI1FE6.tmp

MD5 b9545ed17695a32face8c3408a6a3553
SHA1 f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83
SHA256 1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a
SHA512 f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

C:\Windows\Installer\MSI1FE5.tmp

MD5 b9545ed17695a32face8c3408a6a3553
SHA1 f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83
SHA256 1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a
SHA512 f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

C:\Windows\Installer\MSI1FF7.tmp

MD5 356fc2c181cc37e3f8ae4d6b855ebfcb
SHA1 2ead1e69f14099ae33a3216a9312c88007b73cd1
SHA256 c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c
SHA512 74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

C:\Windows\Installer\MSI1FF7.tmp

MD5 356fc2c181cc37e3f8ae4d6b855ebfcb
SHA1 2ead1e69f14099ae33a3216a9312c88007b73cd1
SHA256 c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c
SHA512 74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

C:\Users\Admin\AppData\Local\AdvinstAnalytics\6411d7593b175c29e347c2c7\36.33.25\tracking.ini

MD5 58b1e5a38c7389ecf6642fb4dfd65f32
SHA1 41237866c98e440518601c7cb6a5e7a426de58b3
SHA256 d769eea134099e7ccbe665d3c8fd98defb86be55ee1c39171a3e31e0123bf7e0
SHA512 ec8278f6f53d4a806062b4ba3bebf7a29cd2c56e5143691c59f26b018e19ad27b63c551417f0a365dc88be58272e4309af22cdb9609172855fef9ac684434d14

C:\ProgramData\Mohmy\sccy.exe

MD5 d6df08cb38011fa37af21ef81b29d0c3
SHA1 01a64b84c824cd7aba8b9381bbc164ef91492842
SHA256 5c77f34f9a189d9c7a0eee1b36cf8b4a2a517b105812d40882c9961f731a2c94
SHA512 273344620cea5b7b0e373b22be1c7e42d79430da9d26214042373a4e12556d042044e1abd4620a867e78bdb4d07fa05b0fe96cca4b7ff1d222941a489ba238f1

C:\ProgramData\Mohmy\sccy.exe

MD5 d6df08cb38011fa37af21ef81b29d0c3
SHA1 01a64b84c824cd7aba8b9381bbc164ef91492842
SHA256 5c77f34f9a189d9c7a0eee1b36cf8b4a2a517b105812d40882c9961f731a2c94
SHA512 273344620cea5b7b0e373b22be1c7e42d79430da9d26214042373a4e12556d042044e1abd4620a867e78bdb4d07fa05b0fe96cca4b7ff1d222941a489ba238f1

C:\ProgramData\Mohmy\XLUE.dll

MD5 0abbe96e1f7a254e23a80f06a1018c69
SHA1 0b83322fd5e18c9da8c013a0ed952cffa34381ae
SHA256 10f099f68741c179d5ad60b226d15233bb02d73f84ce51a5bbbbc4eb6a08e9d4
SHA512 2924e1e11e11bd655f27eb0243f87002a50a2d4b80e0b0e3ad6fd4c3d75c44222fab426fcaa695881b0093babf544e8aeee50a065ea92274145b0f88b1db0c58

C:\ProgramData\Mohmy\XLGraphic.dll

MD5 74c75ae5b97ad708dbe6f69d3a602430
SHA1 a02764d99b44ce4b1d199ef0f8ce73431d094a6a
SHA256 89fbb6b1ca9168a452e803dbdc6343db7c661ad70860a245d76b3b08830156e2
SHA512 52c5f7e00dffb1c0719d18184da2cc8ec2ad178b222775f167b87320f0683a3c2846e30190bc506f12d14c07fa45896935b3d4ac396baa14d7564996e35c2ada

C:\ProgramData\Mohmy\XLGraphic.dll

MD5 74c75ae5b97ad708dbe6f69d3a602430
SHA1 a02764d99b44ce4b1d199ef0f8ce73431d094a6a
SHA256 89fbb6b1ca9168a452e803dbdc6343db7c661ad70860a245d76b3b08830156e2
SHA512 52c5f7e00dffb1c0719d18184da2cc8ec2ad178b222775f167b87320f0683a3c2846e30190bc506f12d14c07fa45896935b3d4ac396baa14d7564996e35c2ada

C:\Windows\Installer\MSI1FE6.tmp

MD5 b9545ed17695a32face8c3408a6a3553
SHA1 f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83
SHA256 1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a
SHA512 f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

C:\ProgramData\Mohmy\XLLuaRuntime.dll

MD5 5362cb2efe55c6d6e9b51849ec0706b2
SHA1 d91acbe95dedc3bcac7ec0051c04ddddd5652778
SHA256 1d7519acca9c8a013c31af2064fbc599a0b14cfd1dfb793a345fab14045fed40
SHA512 dbd591c3d0b9847d9cef59277c03ec89e246db0e54b58fbbe9d492b75cdcb32d75444012cdfb1c77376d15db7fde1f74e694d2487c481ce29a2133342b91e1f5

C:\ProgramData\Mohmy\XLFSIO.dll

MD5 1bc7af7a8512cf79d4f0efc5cb138ce3
SHA1 68fd202d9380cacd2f8e0ce06d8df1c03c791c5b
SHA256 ef474b18f89310c067a859d55abd4e4f42fdac732e49eafe4246545e36872a62
SHA512 84de4d193d22a305be2ba28fc67bd1cccf83616cead721e57347f1b2e0736d351fef1abf168f7914caa1bcc7a72db43769991016673cd4646def544802ee8960

C:\ProgramData\Mohmy\XLUE.dll

MD5 0abbe96e1f7a254e23a80f06a1018c69
SHA1 0b83322fd5e18c9da8c013a0ed952cffa34381ae
SHA256 10f099f68741c179d5ad60b226d15233bb02d73f84ce51a5bbbbc4eb6a08e9d4
SHA512 2924e1e11e11bd655f27eb0243f87002a50a2d4b80e0b0e3ad6fd4c3d75c44222fab426fcaa695881b0093babf544e8aeee50a065ea92274145b0f88b1db0c58

C:\ProgramData\Mohmy\XLFSIO.dll

MD5 1bc7af7a8512cf79d4f0efc5cb138ce3
SHA1 68fd202d9380cacd2f8e0ce06d8df1c03c791c5b
SHA256 ef474b18f89310c067a859d55abd4e4f42fdac732e49eafe4246545e36872a62
SHA512 84de4d193d22a305be2ba28fc67bd1cccf83616cead721e57347f1b2e0736d351fef1abf168f7914caa1bcc7a72db43769991016673cd4646def544802ee8960

C:\ProgramData\Mohmy\XLLuaRuntime.dll

MD5 5362cb2efe55c6d6e9b51849ec0706b2
SHA1 d91acbe95dedc3bcac7ec0051c04ddddd5652778
SHA256 1d7519acca9c8a013c31af2064fbc599a0b14cfd1dfb793a345fab14045fed40
SHA512 dbd591c3d0b9847d9cef59277c03ec89e246db0e54b58fbbe9d492b75cdcb32d75444012cdfb1c77376d15db7fde1f74e694d2487c481ce29a2133342b91e1f5

memory/2896-370-0x0000000001170000-0x00000000011A5000-memory.dmp

C:\ProgramData\Mohmy\XLGraphic.dll

MD5 74c75ae5b97ad708dbe6f69d3a602430
SHA1 a02764d99b44ce4b1d199ef0f8ce73431d094a6a
SHA256 89fbb6b1ca9168a452e803dbdc6343db7c661ad70860a245d76b3b08830156e2
SHA512 52c5f7e00dffb1c0719d18184da2cc8ec2ad178b222775f167b87320f0683a3c2846e30190bc506f12d14c07fa45896935b3d4ac396baa14d7564996e35c2ada

memory/2896-376-0x00000000011B0000-0x00000000011EF000-memory.dmp

C:\Program Files (x86)\Common Files\tsetup.exe

MD5 27eda0d753e19696e11a71434f99c92a
SHA1 a9bf80e77f13caa1d5d8c5350a2b69727c9aa147
SHA256 8d76df36caa98c0cde70323fe23943c56572dbef66847663d686309b782a8df7
SHA512 f22df2a81101b72bd546b64a11ad3fe3620921b84a71891db2a92281b06416000414beffdde1869111a8c7e0a6ea34545615b20db7263cc2fa68a9b709dc45ed

memory/952-378-0x0000000000400000-0x00000000004D4000-memory.dmp

C:\ProgramData\Mohmy\123.jpg

MD5 5fc456c6bf00bc32929b29a31b14fd13
SHA1 8de82c9165ff06d62a236f45776f422df288ad63
SHA256 a54368e4daeeb86756b36462fe1ac5ef2661f0340e8b43abf9554716a51b411a
SHA512 e020506caa1c1d9e8d437211881ad6d6b6848e5e59105e0fe290156018b1c5e1784c7b70e4f6674d184a1ed1acdb8f13fcd37e48272ed565eb4e2d928015b2c6

C:\ProgramData\Mohmy\123.jpg

MD5 5fc456c6bf00bc32929b29a31b14fd13
SHA1 8de82c9165ff06d62a236f45776f422df288ad63
SHA256 a54368e4daeeb86756b36462fe1ac5ef2661f0340e8b43abf9554716a51b411a
SHA512 e020506caa1c1d9e8d437211881ad6d6b6848e5e59105e0fe290156018b1c5e1784c7b70e4f6674d184a1ed1acdb8f13fcd37e48272ed565eb4e2d928015b2c6

C:\ProgramData\Mohmy\zlib1.dll

MD5 37163aacc5534fbab012fb505be8d647
SHA1 73de6343e52180a24c74f4629e38a62ed8ad5f81
SHA256 0a6357a8852daaafe7aed300e2f7e69d993cac4156e882baa8a3a56b583255ba
SHA512 c3bed1c9bc58652ed16b162ed16a93cf7479a0492db7e6ea577001dbe859affc0b20387d93d23e06e73f49f395e4c9a5a07680f000ebb82d32269742c16a5242

C:\ProgramData\Mohmy\zlib1.dll

MD5 37163aacc5534fbab012fb505be8d647
SHA1 73de6343e52180a24c74f4629e38a62ed8ad5f81
SHA256 0a6357a8852daaafe7aed300e2f7e69d993cac4156e882baa8a3a56b583255ba
SHA512 c3bed1c9bc58652ed16b162ed16a93cf7479a0492db7e6ea577001dbe859affc0b20387d93d23e06e73f49f395e4c9a5a07680f000ebb82d32269742c16a5242

C:\ProgramData\Mohmy\Nsjrsss.dll

MD5 bb1922dfbdd99e0b89bec66c30c31b73
SHA1 f7a561619c101ba9b335c0b3d318f965b8fc1dfb
SHA256 76457f38cbbdd3dce078a40d42d9ac0dc26ae1c4bb68ab9c880eb7ffb400fd99
SHA512 3054574dd645feb1468cee53db2fd456e4f923eaf5fd686557a01c72c0572b19d70f3885d47fe42e97cdf7ccc2c674a6e966ff19668907cf7828e0a943cf474a

C:\ProgramData\Mohmy\Nsjrsss.DLL

MD5 bb1922dfbdd99e0b89bec66c30c31b73
SHA1 f7a561619c101ba9b335c0b3d318f965b8fc1dfb
SHA256 76457f38cbbdd3dce078a40d42d9ac0dc26ae1c4bb68ab9c880eb7ffb400fd99
SHA512 3054574dd645feb1468cee53db2fd456e4f923eaf5fd686557a01c72c0572b19d70f3885d47fe42e97cdf7ccc2c674a6e966ff19668907cf7828e0a943cf474a

C:\ProgramData\Mohmy\libpng13.dll

MD5 830a850ad015c807eb3d6a3b2fdd815e
SHA1 caec2ab6784c6983f6fd2e782d5234aad76237a2
SHA256 7166d8727ea593a75f7acc8d55f965d8f0102a03a8c8a6a66168c1a0e54f5b3e
SHA512 5ae0e65b080c135e39305ba5ea3aa61d6b182ea8cedd57cb6e19d6e865b81381413f01cde376ee65841930791ce91fd17a824e39a0fd3e10646be7a9e3621118

C:\ProgramData\Mohmy\libpng13.dll

MD5 830a850ad015c807eb3d6a3b2fdd815e
SHA1 caec2ab6784c6983f6fd2e782d5234aad76237a2
SHA256 7166d8727ea593a75f7acc8d55f965d8f0102a03a8c8a6a66168c1a0e54f5b3e
SHA512 5ae0e65b080c135e39305ba5ea3aa61d6b182ea8cedd57cb6e19d6e865b81381413f01cde376ee65841930791ce91fd17a824e39a0fd3e10646be7a9e3621118

C:\ProgramData\Mohmy\XLLuaRuntime.dll

MD5 5362cb2efe55c6d6e9b51849ec0706b2
SHA1 d91acbe95dedc3bcac7ec0051c04ddddd5652778
SHA256 1d7519acca9c8a013c31af2064fbc599a0b14cfd1dfb793a345fab14045fed40
SHA512 dbd591c3d0b9847d9cef59277c03ec89e246db0e54b58fbbe9d492b75cdcb32d75444012cdfb1c77376d15db7fde1f74e694d2487c481ce29a2133342b91e1f5

C:\Program Files (x86)\Common Files\tsetup.exe

MD5 27eda0d753e19696e11a71434f99c92a
SHA1 a9bf80e77f13caa1d5d8c5350a2b69727c9aa147
SHA256 8d76df36caa98c0cde70323fe23943c56572dbef66847663d686309b782a8df7
SHA512 f22df2a81101b72bd546b64a11ad3fe3620921b84a71891db2a92281b06416000414beffdde1869111a8c7e0a6ea34545615b20db7263cc2fa68a9b709dc45ed

memory/2896-372-0x0000000021C90000-0x0000000021D7F000-memory.dmp

C:\ProgramData\Mohmy\XLFSIO.dll

MD5 1bc7af7a8512cf79d4f0efc5cb138ce3
SHA1 68fd202d9380cacd2f8e0ce06d8df1c03c791c5b
SHA256 ef474b18f89310c067a859d55abd4e4f42fdac732e49eafe4246545e36872a62
SHA512 84de4d193d22a305be2ba28fc67bd1cccf83616cead721e57347f1b2e0736d351fef1abf168f7914caa1bcc7a72db43769991016673cd4646def544802ee8960

memory/2896-368-0x0000000001060000-0x0000000001168000-memory.dmp

C:\ProgramData\Mohmy\libexpat.dll

MD5 5ff790879aab8078884eaac71affeb4a
SHA1 59352663fdcf24bb01c1f219410e49c15b51d5c5
SHA256 cceca70f34bbcec861a02c3700de79ea17d80c0a7b9f33d7edd1357a714e0f2f
SHA512 34fbaffc48912e3d3fa2d224e001121e8b36f5be7284a33eb31d306b9a5c00de6e23a9fdc1a17a61fb1371768f0b0e30b9c6e899a08c735fc70482d5aa8ea824

C:\ProgramData\Mohmy\libexpat.dll

MD5 5ff790879aab8078884eaac71affeb4a
SHA1 59352663fdcf24bb01c1f219410e49c15b51d5c5
SHA256 cceca70f34bbcec861a02c3700de79ea17d80c0a7b9f33d7edd1357a714e0f2f
SHA512 34fbaffc48912e3d3fa2d224e001121e8b36f5be7284a33eb31d306b9a5c00de6e23a9fdc1a17a61fb1371768f0b0e30b9c6e899a08c735fc70482d5aa8ea824

C:\ProgramData\Mohmy\XLLuaRuntime.dll

MD5 5362cb2efe55c6d6e9b51849ec0706b2
SHA1 d91acbe95dedc3bcac7ec0051c04ddddd5652778
SHA256 1d7519acca9c8a013c31af2064fbc599a0b14cfd1dfb793a345fab14045fed40
SHA512 dbd591c3d0b9847d9cef59277c03ec89e246db0e54b58fbbe9d492b75cdcb32d75444012cdfb1c77376d15db7fde1f74e694d2487c481ce29a2133342b91e1f5

memory/2896-391-0x0000000002BE0000-0x0000000002C11000-memory.dmp

C:\ProgramData\Mohmy\Mi.jpg

MD5 3b42f093f8529df82c9cb07659b77adb
SHA1 36f8d07e1349b7ddffc1e3b6af80bfb6f8359ee8
SHA256 1dd2a1420ad02fb0b5aa2005d90289def6195489649df1efdb203c6daa9912dd
SHA512 c11da73c522495bac3117921c4e23173550a0e3425df12167d097d03625009f6507747012ee4b783e8022b8b3c76bfa28dff20628ec513cda867bc5b0a56b75c

C:\Users\Admin\AppData\Local\Temp\is-102H6.tmp\tsetup.tmp

MD5 dc071d7f57637fe1939e72ef521a50aa
SHA1 ab78b5a9b2026b0ca3cf05ab1879019547fba197
SHA256 9a403ef2407828c2adafaaf22df04fa1528a3d7e6a53ba0a4b75d4ef34ae1567
SHA512 314cea51a6f7a16d238dc75897a29c1573ae1faae84ec998f2662fe65c5a793ab417e8e15c6d40143ada31ee7608b122e7d309e14cadf6077df10437f6d3df49

C:\Users\Admin\AppData\Local\Temp\is-102H6.tmp\tsetup.tmp

MD5 dc071d7f57637fe1939e72ef521a50aa
SHA1 ab78b5a9b2026b0ca3cf05ab1879019547fba197
SHA256 9a403ef2407828c2adafaaf22df04fa1528a3d7e6a53ba0a4b75d4ef34ae1567
SHA512 314cea51a6f7a16d238dc75897a29c1573ae1faae84ec998f2662fe65c5a793ab417e8e15c6d40143ada31ee7608b122e7d309e14cadf6077df10437f6d3df49

memory/2896-398-0x0000000002B70000-0x0000000002BA2000-memory.dmp

memory/2896-399-0x0000000002C90000-0x0000000002CBA000-memory.dmp

memory/3824-400-0x0000000000B40000-0x0000000000B41000-memory.dmp

C:\Users\Admin\AppData\Local\sccy.exe

MD5 d6df08cb38011fa37af21ef81b29d0c3
SHA1 01a64b84c824cd7aba8b9381bbc164ef91492842
SHA256 5c77f34f9a189d9c7a0eee1b36cf8b4a2a517b105812d40882c9961f731a2c94
SHA512 273344620cea5b7b0e373b22be1c7e42d79430da9d26214042373a4e12556d042044e1abd4620a867e78bdb4d07fa05b0fe96cca4b7ff1d222941a489ba238f1

memory/4780-419-0x00000000008E0000-0x00000000009E8000-memory.dmp

memory/2896-418-0x0000000021C90000-0x0000000021D7F000-memory.dmp

memory/4780-422-0x0000000000AF0000-0x0000000000B25000-memory.dmp

memory/4780-420-0x0000000000850000-0x000000000088F000-memory.dmp

C:\ProgramData\Mohmy\XLUE.dll

MD5 0abbe96e1f7a254e23a80f06a1018c69
SHA1 0b83322fd5e18c9da8c013a0ed952cffa34381ae
SHA256 10f099f68741c179d5ad60b226d15233bb02d73f84ce51a5bbbbc4eb6a08e9d4
SHA512 2924e1e11e11bd655f27eb0243f87002a50a2d4b80e0b0e3ad6fd4c3d75c44222fab426fcaa695881b0093babf544e8aeee50a065ea92274145b0f88b1db0c58

C:\Users\Admin\AppData\Local\sccy.exe

MD5 d6df08cb38011fa37af21ef81b29d0c3
SHA1 01a64b84c824cd7aba8b9381bbc164ef91492842
SHA256 5c77f34f9a189d9c7a0eee1b36cf8b4a2a517b105812d40882c9961f731a2c94
SHA512 273344620cea5b7b0e373b22be1c7e42d79430da9d26214042373a4e12556d042044e1abd4620a867e78bdb4d07fa05b0fe96cca4b7ff1d222941a489ba238f1

C:\Users\Admin\AppData\Local\sccy.exe

MD5 d6df08cb38011fa37af21ef81b29d0c3
SHA1 01a64b84c824cd7aba8b9381bbc164ef91492842
SHA256 5c77f34f9a189d9c7a0eee1b36cf8b4a2a517b105812d40882c9961f731a2c94
SHA512 273344620cea5b7b0e373b22be1c7e42d79430da9d26214042373a4e12556d042044e1abd4620a867e78bdb4d07fa05b0fe96cca4b7ff1d222941a489ba238f1

memory/4780-426-0x0000000021C90000-0x0000000021D7F000-memory.dmp

memory/4780-425-0x0000000002510000-0x0000000002541000-memory.dmp

memory/4780-430-0x00000000025B0000-0x00000000025DA000-memory.dmp

memory/952-435-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/3824-436-0x0000000000400000-0x000000000068A000-memory.dmp

memory/3824-438-0x0000000000B40000-0x0000000000B41000-memory.dmp

memory/4780-437-0x0000000021C90000-0x0000000021D7F000-memory.dmp

memory/3824-441-0x0000000000400000-0x000000000068A000-memory.dmp

memory/3824-449-0x0000000000400000-0x000000000068A000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

MD5 1a2036d215b958f9a357d86f01f1b9e3
SHA1 aca6165fe8125fa9b30d10dd527a88e37f136b0b
SHA256 c0edf9a25621a91f7a0f369a242113383e330470674cdb474aaf00f0967c88fd
SHA512 070a45eb81d9d6bca744accc2a695f85296f2c90616d8819fc872245b3d4763f652fe0288f057534430d6d204e3b3e64f96351ceeae33c498220348132a6d568

memory/1964-464-0x000002EE4BC50000-0x000002EE4BC60000-memory.dmp

memory/3824-472-0x0000000000400000-0x000000000068A000-memory.dmp

memory/952-473-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/1964-525-0x000002EE4BC50000-0x000002EE4BC60000-memory.dmp

memory/1876-543-0x00000000011F0000-0x00000000012F8000-memory.dmp

memory/1876-545-0x0000000000DB0000-0x0000000000DE5000-memory.dmp

memory/1876-547-0x0000000001310000-0x000000000134F000-memory.dmp

memory/1876-549-0x0000000021C90000-0x0000000021D7F000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-30 08:05

Reported

2023-06-30 08:11

Platform

win7-20230621-en

Max time kernel

296s

Max time network

302s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2af655e137a695056205c6a4434dd08e1cdd6f34eb009228c38e9983306fec9b.msi

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\Program Files (x86)\Common Files\tsetup.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TVVTO.tmp\tsetup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TVVTO.tmp\tsetup.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TVVTO.tmp\tsetup.tmp N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
N/A N/A N/A N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A
N/A N/A C:\ProgramData\Mohmy\sccy.exe N/A

Checks installed software on the system

discovery

Drops desktop.ini file(s)

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\F: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\tsetup.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSID708.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID95B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDCB7.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\6cc025.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\6cc025.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICE7C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSICF76.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID283.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\6cc027.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDCB8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDEFC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE1FC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIC4F9.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID62C.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDA26.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\6cc027.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE1EC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSID8AE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIDD94.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE1DB.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\sccy.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Admin\AppData\Local\sccy.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardProduct C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\ C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\tdesktop.tg\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\tdesktop.tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\tdesktop.tg\shell\open C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\tdesktop.tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -workdir \"C:/Users/Admin/AppData/Roaming/Telegram Desktop/\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\tg C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\tg\DefaultIcon C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\tdesktop.tg\shell C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\tdesktop.tg\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\tg\shell\open C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\tdesktop.tg C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\tg\ = "URL:Telegram Link" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\tg\URL Protocol C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\tg\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe,1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\tg\shell C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\tg\shell\open\command C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3518257231-2980324860-1431329550-1000_CLASSES\tg\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Telegram Desktop\\Telegram.exe\" -workdir \"C:/Users/Admin/AppData/Roaming/Telegram Desktop/\" -- \"%1\"" C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\sccy.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-TVVTO.tmp\tsetup.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1412 wrote to memory of 888 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1412 wrote to memory of 888 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1412 wrote to memory of 888 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1412 wrote to memory of 888 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1412 wrote to memory of 888 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1412 wrote to memory of 888 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1412 wrote to memory of 888 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1412 wrote to memory of 1196 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1412 wrote to memory of 1196 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1412 wrote to memory of 1196 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1412 wrote to memory of 1196 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1412 wrote to memory of 1196 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1412 wrote to memory of 1196 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1412 wrote to memory of 1196 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1412 wrote to memory of 1164 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIE1EC.tmp
PID 1412 wrote to memory of 1164 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIE1EC.tmp
PID 1412 wrote to memory of 1164 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIE1EC.tmp
PID 1412 wrote to memory of 1164 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIE1EC.tmp
PID 1412 wrote to memory of 1164 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIE1EC.tmp
PID 1412 wrote to memory of 1164 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIE1EC.tmp
PID 1412 wrote to memory of 1164 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIE1EC.tmp
PID 1412 wrote to memory of 1512 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIE1DB.tmp
PID 1412 wrote to memory of 1512 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIE1DB.tmp
PID 1412 wrote to memory of 1512 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIE1DB.tmp
PID 1412 wrote to memory of 1512 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIE1DB.tmp
PID 1412 wrote to memory of 1512 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIE1DB.tmp
PID 1412 wrote to memory of 1512 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIE1DB.tmp
PID 1412 wrote to memory of 1512 N/A C:\Windows\system32\msiexec.exe C:\Windows\Installer\MSIE1DB.tmp
PID 1160 wrote to memory of 1900 N/A C:\Program Files (x86)\Common Files\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-TVVTO.tmp\tsetup.tmp
PID 1160 wrote to memory of 1900 N/A C:\Program Files (x86)\Common Files\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-TVVTO.tmp\tsetup.tmp
PID 1160 wrote to memory of 1900 N/A C:\Program Files (x86)\Common Files\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-TVVTO.tmp\tsetup.tmp
PID 1160 wrote to memory of 1900 N/A C:\Program Files (x86)\Common Files\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-TVVTO.tmp\tsetup.tmp
PID 1160 wrote to memory of 1900 N/A C:\Program Files (x86)\Common Files\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-TVVTO.tmp\tsetup.tmp
PID 1160 wrote to memory of 1900 N/A C:\Program Files (x86)\Common Files\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-TVVTO.tmp\tsetup.tmp
PID 1160 wrote to memory of 1900 N/A C:\Program Files (x86)\Common Files\tsetup.exe C:\Users\Admin\AppData\Local\Temp\is-TVVTO.tmp\tsetup.tmp
PID 964 wrote to memory of 612 N/A C:\ProgramData\Mohmy\sccy.exe C:\Users\Admin\AppData\Local\sccy.exe
PID 964 wrote to memory of 612 N/A C:\ProgramData\Mohmy\sccy.exe C:\Users\Admin\AppData\Local\sccy.exe
PID 964 wrote to memory of 612 N/A C:\ProgramData\Mohmy\sccy.exe C:\Users\Admin\AppData\Local\sccy.exe
PID 964 wrote to memory of 612 N/A C:\ProgramData\Mohmy\sccy.exe C:\Users\Admin\AppData\Local\sccy.exe
PID 1900 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\is-TVVTO.tmp\tsetup.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
PID 1900 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\is-TVVTO.tmp\tsetup.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
PID 1900 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\is-TVVTO.tmp\tsetup.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
PID 1900 wrote to memory of 468 N/A C:\Users\Admin\AppData\Local\Temp\is-TVVTO.tmp\tsetup.tmp C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe
PID 1164 wrote to memory of 1684 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\Mohmy\sccy.exe
PID 1164 wrote to memory of 1684 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\Mohmy\sccy.exe
PID 1164 wrote to memory of 1684 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\Mohmy\sccy.exe
PID 1164 wrote to memory of 1684 N/A C:\Windows\system32\taskeng.exe C:\ProgramData\Mohmy\sccy.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\2af655e137a695056205c6a4434dd08e1cdd6f34eb009228c38e9983306fec9b.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000588" "0000000000000300"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5E5E866329D4A54E3C1B98D0DE36B6A4

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 9FA45652C0ADF1F247FCA722D033AD27 M Global\MSI0000

C:\Windows\Installer\MSIE1DB.tmp

"C:\Windows\Installer\MSIE1DB.tmp" /DontWait "C:\ProgramData\Mohmy\sccy.exe"

C:\Windows\Installer\MSIE1EC.tmp

"C:\Windows\Installer\MSIE1EC.tmp" /DontWait "C:\Program Files (x86)\Common Files\tsetup.exe"

C:\ProgramData\Mohmy\sccy.exe

"C:\ProgramData\Mohmy\sccy.exe"

C:\Program Files (x86)\Common Files\tsetup.exe

"C:\Program Files (x86)\Common Files\tsetup.exe"

C:\Users\Admin\AppData\Local\Temp\is-TVVTO.tmp\tsetup.tmp

"C:\Users\Admin\AppData\Local\Temp\is-TVVTO.tmp\tsetup.tmp" /SL5="$1015E,34326336,813568,C:\Program Files (x86)\Common Files\tsetup.exe"

C:\Users\Admin\AppData\Local\sccy.exe

"C:\Users\Admin\AppData\Local\sccy.exe"

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

"C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {A3BBC249-9563-4045-AEB7-0CD4CCA28B17} S-1-5-21-3518257231-2980324860-1431329550-1000:VWMLZJGN\Admin:Interactive:[1]

C:\ProgramData\Mohmy\sccy.exe

C:\ProgramData\Mohmy\sccy.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 collect.installeranalytics.com udp
US 54.198.235.9:80 collect.installeranalytics.com tcp
US 8.8.8.8:53 02-07.telegramxe.org udp
US 104.233.220.94:8081 02-07.telegramxe.org tcp
NL 149.154.167.51:443 tcp
NL 95.161.76.100:443 tcp
NL 95.161.76.100:80 95.161.76.100 tcp
NL 149.154.167.51:80 149.154.167.51 tcp
US 149.154.175.100:443 tcp
US 149.154.175.100:80 149.154.175.100 tcp
NL 149.154.167.91:443 tcp
NL 149.154.167.51:443 tcp
NL 95.161.76.100:443 tcp
NL 95.161.76.100:80 tcp
NL 149.154.167.51:80 tcp
US 8.8.8.8:53 td.telegram.org udp
NL 149.154.167.99:443 td.telegram.org tcp
NL 149.154.167.99:443 td.telegram.org tcp

Files

SHA512 72054abd93df7b462775ce1a9b2d29fe6e4e953ef9b05962f20cc10e1881d0ee03d9ade59646e403837ea2a11c012f5cf3c6b9fec9b1db309710a8db0870ae2d

C:\Windows\Installer\MSID8AE.tmp

MD5 475d20c0ea477a35660e3f67ecf0a1df
SHA1 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA512 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

C:\Windows\Installer\MSID8AE.tmp

MD5 475d20c0ea477a35660e3f67ecf0a1df
SHA1 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA512 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

\Windows\Installer\MSID8AE.tmp

MD5 475d20c0ea477a35660e3f67ecf0a1df
SHA1 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA512 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

C:\Windows\Installer\MSID95B.tmp

MD5 475d20c0ea477a35660e3f67ecf0a1df
SHA1 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA512 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

\Windows\Installer\MSID95B.tmp

MD5 475d20c0ea477a35660e3f67ecf0a1df
SHA1 67340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256 426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA512 99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

C:\Windows\Installer\MSIDA26.tmp

MD5 356fc2c181cc37e3f8ae4d6b855ebfcb
SHA1 2ead1e69f14099ae33a3216a9312c88007b73cd1
SHA256 c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c
SHA512 74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

\Windows\Installer\MSIDA26.tmp

MD5 356fc2c181cc37e3f8ae4d6b855ebfcb
SHA1 2ead1e69f14099ae33a3216a9312c88007b73cd1
SHA256 c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c
SHA512 74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

C:\Windows\Installer\MSIDCB8.tmp

MD5 f11e8ec00dfd2d1344d8a222e65fea09
SHA1 235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20
SHA256 775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93
SHA512 6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

\Windows\Installer\MSIDCB8.tmp

MD5 f11e8ec00dfd2d1344d8a222e65fea09
SHA1 235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20
SHA256 775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93
SHA512 6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

\Windows\Installer\MSIDD94.tmp

MD5 f11e8ec00dfd2d1344d8a222e65fea09
SHA1 235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20
SHA256 775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93
SHA512 6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

C:\Windows\Installer\MSIDEFC.tmp

MD5 f11e8ec00dfd2d1344d8a222e65fea09
SHA1 235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20
SHA256 775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93
SHA512 6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

\Windows\Installer\MSIDEFC.tmp

MD5 f11e8ec00dfd2d1344d8a222e65fea09
SHA1 235ed90cc729c50eb6b8a36ebcd2cf044a2d8b20
SHA256 775037d6d7de214796f2f5850440257ae7f04952b73538da2b55db45f3b26e93
SHA512 6163dd8fd18b4520d7fda0986a80f2e424fe55f5d65d67f5a3519a366e53049f902a08164ea5669476100b71bb2f0c085327b7c362174cb7a051d268f10872d3

C:\Config.Msi\6cc028.rbs

MD5 7b5359c86efcacbe6a82028ce07671e8
SHA1 33c0724f60cdff532ba7e6740e1b06c178f348f5
SHA256 86f49af5332f92533a30c997565da9c0cf8fcb6fa2d1512ac2525e5162673dc9
SHA512 5bf01e9bbfebece4d973b1ab5f73bff436b5393acee8e3067c5e1d9942a663217bfc24ce035936ca72bed8df6769690e399efed151cbad5cc82c8b51f924975d

C:\Windows\Installer\MSIE1EC.tmp

MD5 b9545ed17695a32face8c3408a6a3553
SHA1 f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83
SHA256 1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a
SHA512 f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

\Windows\Installer\MSIE1FC.tmp

MD5 356fc2c181cc37e3f8ae4d6b855ebfcb
SHA1 2ead1e69f14099ae33a3216a9312c88007b73cd1
SHA256 c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c
SHA512 74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

C:\Windows\Installer\MSIE1DB.tmp

MD5 b9545ed17695a32face8c3408a6a3553
SHA1 f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83
SHA256 1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a
SHA512 f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

C:\Users\Admin\AppData\Local\AdvinstAnalytics\6411d7593b175c29e347c2c7\36.33.25\tracking.ini

MD5 72c25723fe3366568baf1ccffd624447
SHA1 ed913447f6d39855f0e0c26e42c0be4061d9d424
SHA256 08c9ae91f0db022d27ced7804459443cadd3f013f5c151209f12cbf0e8d86349
SHA512 f2714c39d2d1912dc2bc183e00b0148f5b9ee8a8985fc0e3cf83b1ebaf2c29a33fde5d36169c627f437a7cb462eade2bdf864e3f3fb62f731014e62eb7b47c99

C:\Windows\Installer\MSIE1EC.tmp

MD5 b9545ed17695a32face8c3408a6a3553
SHA1 f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83
SHA256 1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a
SHA512 f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

C:\Windows\Installer\MSIE1FC.tmp

MD5 356fc2c181cc37e3f8ae4d6b855ebfcb
SHA1 2ead1e69f14099ae33a3216a9312c88007b73cd1
SHA256 c92b2d9623f19f8acfeac5fd894346515631ebb590e68f22c40a35fbacbef03c
SHA512 74ea73d3206ba1c6f1963caa4866589fe86636f68815c74733644ad6c4913de3f1399770f6095a48c9d94a7d934072d8d8b409a393de644265f6e456455dcebd

memory/1164-337-0x0000000000120000-0x0000000000122000-memory.dmp

memory/1512-336-0x0000000000260000-0x0000000000262000-memory.dmp

C:\ProgramData\Mohmy\sccy.exe

MD5 d6df08cb38011fa37af21ef81b29d0c3
SHA1 01a64b84c824cd7aba8b9381bbc164ef91492842
SHA256 5c77f34f9a189d9c7a0eee1b36cf8b4a2a517b105812d40882c9961f731a2c94
SHA512 273344620cea5b7b0e373b22be1c7e42d79430da9d26214042373a4e12556d042044e1abd4620a867e78bdb4d07fa05b0fe96cca4b7ff1d222941a489ba238f1

C:\ProgramData\Mohmy\XLUE.dll

MD5 0abbe96e1f7a254e23a80f06a1018c69
SHA1 0b83322fd5e18c9da8c013a0ed952cffa34381ae
SHA256 10f099f68741c179d5ad60b226d15233bb02d73f84ce51a5bbbbc4eb6a08e9d4
SHA512 2924e1e11e11bd655f27eb0243f87002a50a2d4b80e0b0e3ad6fd4c3d75c44222fab426fcaa695881b0093babf544e8aeee50a065ea92274145b0f88b1db0c58

\ProgramData\Mohmy\XLUE.dll

MD5 0abbe96e1f7a254e23a80f06a1018c69
SHA1 0b83322fd5e18c9da8c013a0ed952cffa34381ae
SHA256 10f099f68741c179d5ad60b226d15233bb02d73f84ce51a5bbbbc4eb6a08e9d4
SHA512 2924e1e11e11bd655f27eb0243f87002a50a2d4b80e0b0e3ad6fd4c3d75c44222fab426fcaa695881b0093babf544e8aeee50a065ea92274145b0f88b1db0c58

C:\ProgramData\Mohmy\XLGraphic.dll

MD5 74c75ae5b97ad708dbe6f69d3a602430
SHA1 a02764d99b44ce4b1d199ef0f8ce73431d094a6a
SHA256 89fbb6b1ca9168a452e803dbdc6343db7c661ad70860a245d76b3b08830156e2
SHA512 52c5f7e00dffb1c0719d18184da2cc8ec2ad178b222775f167b87320f0683a3c2846e30190bc506f12d14c07fa45896935b3d4ac396baa14d7564996e35c2ada

memory/964-343-0x0000000000270000-0x0000000000378000-memory.dmp

\ProgramData\Mohmy\XLGraphic.dll

MD5 74c75ae5b97ad708dbe6f69d3a602430
SHA1 a02764d99b44ce4b1d199ef0f8ce73431d094a6a
SHA256 89fbb6b1ca9168a452e803dbdc6343db7c661ad70860a245d76b3b08830156e2
SHA512 52c5f7e00dffb1c0719d18184da2cc8ec2ad178b222775f167b87320f0683a3c2846e30190bc506f12d14c07fa45896935b3d4ac396baa14d7564996e35c2ada

C:\ProgramData\Mohmy\libpng13.dll

MD5 830a850ad015c807eb3d6a3b2fdd815e
SHA1 caec2ab6784c6983f6fd2e782d5234aad76237a2
SHA256 7166d8727ea593a75f7acc8d55f965d8f0102a03a8c8a6a66168c1a0e54f5b3e
SHA512 5ae0e65b080c135e39305ba5ea3aa61d6b182ea8cedd57cb6e19d6e865b81381413f01cde376ee65841930791ce91fd17a824e39a0fd3e10646be7a9e3621118

\ProgramData\Mohmy\libpng13.dll

MD5 830a850ad015c807eb3d6a3b2fdd815e
SHA1 caec2ab6784c6983f6fd2e782d5234aad76237a2
SHA256 7166d8727ea593a75f7acc8d55f965d8f0102a03a8c8a6a66168c1a0e54f5b3e
SHA512 5ae0e65b080c135e39305ba5ea3aa61d6b182ea8cedd57cb6e19d6e865b81381413f01cde376ee65841930791ce91fd17a824e39a0fd3e10646be7a9e3621118

C:\ProgramData\Mohmy\Nsjrsss.DLL

MD5 bb1922dfbdd99e0b89bec66c30c31b73
SHA1 f7a561619c101ba9b335c0b3d318f965b8fc1dfb
SHA256 76457f38cbbdd3dce078a40d42d9ac0dc26ae1c4bb68ab9c880eb7ffb400fd99
SHA512 3054574dd645feb1468cee53db2fd456e4f923eaf5fd686557a01c72c0572b19d70f3885d47fe42e97cdf7ccc2c674a6e966ff19668907cf7828e0a943cf474a

\ProgramData\Mohmy\Nsjrsss.dll

MD5 bb1922dfbdd99e0b89bec66c30c31b73
SHA1 f7a561619c101ba9b335c0b3d318f965b8fc1dfb
SHA256 76457f38cbbdd3dce078a40d42d9ac0dc26ae1c4bb68ab9c880eb7ffb400fd99
SHA512 3054574dd645feb1468cee53db2fd456e4f923eaf5fd686557a01c72c0572b19d70f3885d47fe42e97cdf7ccc2c674a6e966ff19668907cf7828e0a943cf474a

C:\ProgramData\Mohmy\zlib1.dll

MD5 37163aacc5534fbab012fb505be8d647
SHA1 73de6343e52180a24c74f4629e38a62ed8ad5f81
SHA256 0a6357a8852daaafe7aed300e2f7e69d993cac4156e882baa8a3a56b583255ba
SHA512 c3bed1c9bc58652ed16b162ed16a93cf7479a0492db7e6ea577001dbe859affc0b20387d93d23e06e73f49f395e4c9a5a07680f000ebb82d32269742c16a5242

\ProgramData\Mohmy\zlib1.dll

MD5 37163aacc5534fbab012fb505be8d647
SHA1 73de6343e52180a24c74f4629e38a62ed8ad5f81
SHA256 0a6357a8852daaafe7aed300e2f7e69d993cac4156e882baa8a3a56b583255ba
SHA512 c3bed1c9bc58652ed16b162ed16a93cf7479a0492db7e6ea577001dbe859affc0b20387d93d23e06e73f49f395e4c9a5a07680f000ebb82d32269742c16a5242

C:\ProgramData\Mohmy\XLFSIO.dll

MD5 1bc7af7a8512cf79d4f0efc5cb138ce3
SHA1 68fd202d9380cacd2f8e0ce06d8df1c03c791c5b
SHA256 ef474b18f89310c067a859d55abd4e4f42fdac732e49eafe4246545e36872a62
SHA512 84de4d193d22a305be2ba28fc67bd1cccf83616cead721e57347f1b2e0736d351fef1abf168f7914caa1bcc7a72db43769991016673cd4646def544802ee8960

\ProgramData\Mohmy\XLFSIO.dll

MD5 1bc7af7a8512cf79d4f0efc5cb138ce3
SHA1 68fd202d9380cacd2f8e0ce06d8df1c03c791c5b
SHA256 ef474b18f89310c067a859d55abd4e4f42fdac732e49eafe4246545e36872a62
SHA512 84de4d193d22a305be2ba28fc67bd1cccf83616cead721e57347f1b2e0736d351fef1abf168f7914caa1bcc7a72db43769991016673cd4646def544802ee8960

memory/964-353-0x0000000000380000-0x00000000003B5000-memory.dmp

memory/964-357-0x0000000000470000-0x00000000004AF000-memory.dmp

\ProgramData\Mohmy\XLLuaRuntime.dll

MD5 5362cb2efe55c6d6e9b51849ec0706b2
SHA1 d91acbe95dedc3bcac7ec0051c04ddddd5652778
SHA256 1d7519acca9c8a013c31af2064fbc599a0b14cfd1dfb793a345fab14045fed40
SHA512 dbd591c3d0b9847d9cef59277c03ec89e246db0e54b58fbbe9d492b75cdcb32d75444012cdfb1c77376d15db7fde1f74e694d2487c481ce29a2133342b91e1f5

C:\ProgramData\Mohmy\XLLuaRuntime.dll

MD5 5362cb2efe55c6d6e9b51849ec0706b2
SHA1 d91acbe95dedc3bcac7ec0051c04ddddd5652778
SHA256 1d7519acca9c8a013c31af2064fbc599a0b14cfd1dfb793a345fab14045fed40
SHA512 dbd591c3d0b9847d9cef59277c03ec89e246db0e54b58fbbe9d492b75cdcb32d75444012cdfb1c77376d15db7fde1f74e694d2487c481ce29a2133342b91e1f5

\ProgramData\Mohmy\123.jpg

MD5 5fc456c6bf00bc32929b29a31b14fd13
SHA1 8de82c9165ff06d62a236f45776f422df288ad63
SHA256 a54368e4daeeb86756b36462fe1ac5ef2661f0340e8b43abf9554716a51b411a
SHA512 e020506caa1c1d9e8d437211881ad6d6b6848e5e59105e0fe290156018b1c5e1784c7b70e4f6674d184a1ed1acdb8f13fcd37e48272ed565eb4e2d928015b2c6

C:\ProgramData\Mohmy\123.jpg

MD5 5fc456c6bf00bc32929b29a31b14fd13
SHA1 8de82c9165ff06d62a236f45776f422df288ad63
SHA256 a54368e4daeeb86756b36462fe1ac5ef2661f0340e8b43abf9554716a51b411a
SHA512 e020506caa1c1d9e8d437211881ad6d6b6848e5e59105e0fe290156018b1c5e1784c7b70e4f6674d184a1ed1acdb8f13fcd37e48272ed565eb4e2d928015b2c6

\ProgramData\Mohmy\libexpat.dll

MD5 5ff790879aab8078884eaac71affeb4a
SHA1 59352663fdcf24bb01c1f219410e49c15b51d5c5
SHA256 cceca70f34bbcec861a02c3700de79ea17d80c0a7b9f33d7edd1357a714e0f2f
SHA512 34fbaffc48912e3d3fa2d224e001121e8b36f5be7284a33eb31d306b9a5c00de6e23a9fdc1a17a61fb1371768f0b0e30b9c6e899a08c735fc70482d5aa8ea824

C:\ProgramData\Mohmy\libexpat.dll

MD5 5ff790879aab8078884eaac71affeb4a
SHA1 59352663fdcf24bb01c1f219410e49c15b51d5c5
SHA256 cceca70f34bbcec861a02c3700de79ea17d80c0a7b9f33d7edd1357a714e0f2f
SHA512 34fbaffc48912e3d3fa2d224e001121e8b36f5be7284a33eb31d306b9a5c00de6e23a9fdc1a17a61fb1371768f0b0e30b9c6e899a08c735fc70482d5aa8ea824

C:\Program Files (x86)\Common Files\tsetup.exe

MD5 27eda0d753e19696e11a71434f99c92a
SHA1 a9bf80e77f13caa1d5d8c5350a2b69727c9aa147
SHA256 8d76df36caa98c0cde70323fe23943c56572dbef66847663d686309b782a8df7
SHA512 f22df2a81101b72bd546b64a11ad3fe3620921b84a71891db2a92281b06416000414beffdde1869111a8c7e0a6ea34545615b20db7263cc2fa68a9b709dc45ed

memory/1160-364-0x0000000000400000-0x00000000004D4000-memory.dmp

C:\Program Files (x86)\Common Files\tsetup.exe

MD5 27eda0d753e19696e11a71434f99c92a
SHA1 a9bf80e77f13caa1d5d8c5350a2b69727c9aa147
SHA256 8d76df36caa98c0cde70323fe23943c56572dbef66847663d686309b782a8df7
SHA512 f22df2a81101b72bd546b64a11ad3fe3620921b84a71891db2a92281b06416000414beffdde1869111a8c7e0a6ea34545615b20db7263cc2fa68a9b709dc45ed

C:\ProgramData\Mohmy\Mi.jpg

MD5 3b42f093f8529df82c9cb07659b77adb
SHA1 36f8d07e1349b7ddffc1e3b6af80bfb6f8359ee8
SHA256 1dd2a1420ad02fb0b5aa2005d90289def6195489649df1efdb203c6daa9912dd
SHA512 c11da73c522495bac3117921c4e23173550a0e3425df12167d097d03625009f6507747012ee4b783e8022b8b3c76bfa28dff20628ec513cda867bc5b0a56b75c

\Users\Admin\AppData\Local\Temp\is-TVVTO.tmp\tsetup.tmp

MD5 dc071d7f57637fe1939e72ef521a50aa
SHA1 ab78b5a9b2026b0ca3cf05ab1879019547fba197
SHA256 9a403ef2407828c2adafaaf22df04fa1528a3d7e6a53ba0a4b75d4ef34ae1567
SHA512 314cea51a6f7a16d238dc75897a29c1573ae1faae84ec998f2662fe65c5a793ab417e8e15c6d40143ada31ee7608b122e7d309e14cadf6077df10437f6d3df49

memory/964-369-0x0000000000570000-0x00000000005A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-TVVTO.tmp\tsetup.tmp

MD5 dc071d7f57637fe1939e72ef521a50aa
SHA1 ab78b5a9b2026b0ca3cf05ab1879019547fba197
SHA256 9a403ef2407828c2adafaaf22df04fa1528a3d7e6a53ba0a4b75d4ef34ae1567
SHA512 314cea51a6f7a16d238dc75897a29c1573ae1faae84ec998f2662fe65c5a793ab417e8e15c6d40143ada31ee7608b122e7d309e14cadf6077df10437f6d3df49

memory/964-377-0x0000000021C90000-0x0000000021D7F000-memory.dmp

memory/964-379-0x00000000004D0000-0x00000000004FA000-memory.dmp

memory/964-378-0x0000000000510000-0x0000000000542000-memory.dmp

C:\ProgramData\Mohmy\sccy.exe

MD5 d6df08cb38011fa37af21ef81b29d0c3
SHA1 01a64b84c824cd7aba8b9381bbc164ef91492842
SHA256 5c77f34f9a189d9c7a0eee1b36cf8b4a2a517b105812d40882c9961f731a2c94
SHA512 273344620cea5b7b0e373b22be1c7e42d79430da9d26214042373a4e12556d042044e1abd4620a867e78bdb4d07fa05b0fe96cca4b7ff1d222941a489ba238f1

memory/1900-387-0x00000000001D0000-0x00000000001D1000-memory.dmp

\Users\Admin\AppData\Local\sccy.exe

MD5 d6df08cb38011fa37af21ef81b29d0c3
SHA1 01a64b84c824cd7aba8b9381bbc164ef91492842
SHA256 5c77f34f9a189d9c7a0eee1b36cf8b4a2a517b105812d40882c9961f731a2c94
SHA512 273344620cea5b7b0e373b22be1c7e42d79430da9d26214042373a4e12556d042044e1abd4620a867e78bdb4d07fa05b0fe96cca4b7ff1d222941a489ba238f1

memory/612-396-0x00000000004D0000-0x00000000005D8000-memory.dmp

\ProgramData\Mohmy\libpng13.dll

MD5 830a850ad015c807eb3d6a3b2fdd815e
SHA1 caec2ab6784c6983f6fd2e782d5234aad76237a2
SHA256 7166d8727ea593a75f7acc8d55f965d8f0102a03a8c8a6a66168c1a0e54f5b3e
SHA512 5ae0e65b080c135e39305ba5ea3aa61d6b182ea8cedd57cb6e19d6e865b81381413f01cde376ee65841930791ce91fd17a824e39a0fd3e10646be7a9e3621118

memory/612-402-0x00000000001E0000-0x0000000000215000-memory.dmp

\ProgramData\Mohmy\XLFSIO.dll

MD5 1bc7af7a8512cf79d4f0efc5cb138ce3
SHA1 68fd202d9380cacd2f8e0ce06d8df1c03c791c5b
SHA256 ef474b18f89310c067a859d55abd4e4f42fdac732e49eafe4246545e36872a62
SHA512 84de4d193d22a305be2ba28fc67bd1cccf83616cead721e57347f1b2e0736d351fef1abf168f7914caa1bcc7a72db43769991016673cd4646def544802ee8960

\ProgramData\Mohmy\zlib1.dll

MD5 37163aacc5534fbab012fb505be8d647
SHA1 73de6343e52180a24c74f4629e38a62ed8ad5f81
SHA256 0a6357a8852daaafe7aed300e2f7e69d993cac4156e882baa8a3a56b583255ba
SHA512 c3bed1c9bc58652ed16b162ed16a93cf7479a0492db7e6ea577001dbe859affc0b20387d93d23e06e73f49f395e4c9a5a07680f000ebb82d32269742c16a5242

\ProgramData\Mohmy\Nsjrsss.dll

MD5 bb1922dfbdd99e0b89bec66c30c31b73
SHA1 f7a561619c101ba9b335c0b3d318f965b8fc1dfb
SHA256 76457f38cbbdd3dce078a40d42d9ac0dc26ae1c4bb68ab9c880eb7ffb400fd99
SHA512 3054574dd645feb1468cee53db2fd456e4f923eaf5fd686557a01c72c0572b19d70f3885d47fe42e97cdf7ccc2c674a6e966ff19668907cf7828e0a943cf474a

\ProgramData\Mohmy\XLGraphic.dll

MD5 74c75ae5b97ad708dbe6f69d3a602430
SHA1 a02764d99b44ce4b1d199ef0f8ce73431d094a6a
SHA256 89fbb6b1ca9168a452e803dbdc6343db7c661ad70860a245d76b3b08830156e2
SHA512 52c5f7e00dffb1c0719d18184da2cc8ec2ad178b222775f167b87320f0683a3c2846e30190bc506f12d14c07fa45896935b3d4ac396baa14d7564996e35c2ada

\ProgramData\Mohmy\XLUE.dll

MD5 0abbe96e1f7a254e23a80f06a1018c69
SHA1 0b83322fd5e18c9da8c013a0ed952cffa34381ae
SHA256 10f099f68741c179d5ad60b226d15233bb02d73f84ce51a5bbbbc4eb6a08e9d4
SHA512 2924e1e11e11bd655f27eb0243f87002a50a2d4b80e0b0e3ad6fd4c3d75c44222fab426fcaa695881b0093babf544e8aeee50a065ea92274145b0f88b1db0c58

memory/964-393-0x0000000021C90000-0x0000000021D7F000-memory.dmp

C:\Users\Admin\AppData\Local\sccy.exe

MD5 d6df08cb38011fa37af21ef81b29d0c3
SHA1 01a64b84c824cd7aba8b9381bbc164ef91492842
SHA256 5c77f34f9a189d9c7a0eee1b36cf8b4a2a517b105812d40882c9961f731a2c94
SHA512 273344620cea5b7b0e373b22be1c7e42d79430da9d26214042373a4e12556d042044e1abd4620a867e78bdb4d07fa05b0fe96cca4b7ff1d222941a489ba238f1

C:\Users\Admin\AppData\Local\sccy.exe

MD5 d6df08cb38011fa37af21ef81b29d0c3
SHA1 01a64b84c824cd7aba8b9381bbc164ef91492842
SHA256 5c77f34f9a189d9c7a0eee1b36cf8b4a2a517b105812d40882c9961f731a2c94
SHA512 273344620cea5b7b0e373b22be1c7e42d79430da9d26214042373a4e12556d042044e1abd4620a867e78bdb4d07fa05b0fe96cca4b7ff1d222941a489ba238f1

\ProgramData\Mohmy\XLLuaRuntime.dll

MD5 5362cb2efe55c6d6e9b51849ec0706b2
SHA1 d91acbe95dedc3bcac7ec0051c04ddddd5652778
SHA256 1d7519acca9c8a013c31af2064fbc599a0b14cfd1dfb793a345fab14045fed40
SHA512 dbd591c3d0b9847d9cef59277c03ec89e246db0e54b58fbbe9d492b75cdcb32d75444012cdfb1c77376d15db7fde1f74e694d2487c481ce29a2133342b91e1f5

memory/612-405-0x0000000000350000-0x000000000038F000-memory.dmp

\ProgramData\Mohmy\123.jpg

MD5 5fc456c6bf00bc32929b29a31b14fd13
SHA1 8de82c9165ff06d62a236f45776f422df288ad63
SHA256 a54368e4daeeb86756b36462fe1ac5ef2661f0340e8b43abf9554716a51b411a
SHA512 e020506caa1c1d9e8d437211881ad6d6b6848e5e59105e0fe290156018b1c5e1784c7b70e4f6674d184a1ed1acdb8f13fcd37e48272ed565eb4e2d928015b2c6

\ProgramData\Mohmy\libexpat.dll

MD5 5ff790879aab8078884eaac71affeb4a
SHA1 59352663fdcf24bb01c1f219410e49c15b51d5c5
SHA256 cceca70f34bbcec861a02c3700de79ea17d80c0a7b9f33d7edd1357a714e0f2f
SHA512 34fbaffc48912e3d3fa2d224e001121e8b36f5be7284a33eb31d306b9a5c00de6e23a9fdc1a17a61fb1371768f0b0e30b9c6e899a08c735fc70482d5aa8ea824

memory/612-416-0x0000000000620000-0x0000000000651000-memory.dmp

memory/612-421-0x00000000006C0000-0x00000000006EA000-memory.dmp

memory/612-430-0x0000000021C90000-0x0000000021D7F000-memory.dmp

C:\Users\Admin\AppData\Local\sccy.exe

MD5 d6df08cb38011fa37af21ef81b29d0c3
SHA1 01a64b84c824cd7aba8b9381bbc164ef91492842
SHA256 5c77f34f9a189d9c7a0eee1b36cf8b4a2a517b105812d40882c9961f731a2c94
SHA512 273344620cea5b7b0e373b22be1c7e42d79430da9d26214042373a4e12556d042044e1abd4620a867e78bdb4d07fa05b0fe96cca4b7ff1d222941a489ba238f1

memory/1900-445-0x0000000000400000-0x000000000068A000-memory.dmp

memory/1160-444-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/1900-446-0x00000000001D0000-0x00000000001D1000-memory.dmp

memory/1900-457-0x0000000000400000-0x000000000068A000-memory.dmp

memory/612-458-0x0000000021C90000-0x0000000021D7F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Telegram Desktop\Telegram.exe

MD5 1a2036d215b958f9a357d86f01f1b9e3
SHA1 aca6165fe8125fa9b30d10dd527a88e37f136b0b
SHA256 c0edf9a25621a91f7a0f369a242113383e330470674cdb474aaf00f0967c88fd
SHA512 070a45eb81d9d6bca744accc2a695f85296f2c90616d8819fc872245b3d4763f652fe0288f057534430d6d204e3b3e64f96351ceeae33c498220348132a6d568

memory/1900-476-0x0000000000400000-0x000000000068A000-memory.dmp

memory/468-484-0x00000000000E0000-0x00000000000F0000-memory.dmp

memory/1900-486-0x0000000000400000-0x000000000068A000-memory.dmp

memory/1160-487-0x0000000000400000-0x00000000004D4000-memory.dmp

memory/468-513-0x0000000001D40000-0x0000000001D4A000-memory.dmp

memory/468-509-0x0000000001D40000-0x0000000001D4A000-memory.dmp

memory/468-514-0x0000000001FA0000-0x0000000001FAA000-memory.dmp

memory/468-529-0x0000000001D40000-0x0000000001D4A000-memory.dmp

memory/468-569-0x0000000001D40000-0x0000000001D4A000-memory.dmp

memory/468-570-0x0000000001FA0000-0x0000000001FAA000-memory.dmp

memory/468-571-0x0000000001FA0000-0x0000000001FAA000-memory.dmp

memory/1684-582-0x0000000000440000-0x0000000000548000-memory.dmp

memory/1684-586-0x0000000000590000-0x00000000005CF000-memory.dmp

memory/1684-584-0x0000000000550000-0x0000000000585000-memory.dmp

memory/1684-588-0x0000000021C90000-0x0000000021D7F000-memory.dmp