fatalrat | 9801b373a5ce4c24e1d60f429cb22f7fb3806b4a84d54f5ad18a3a26ec918c68

Analysis

max time kernel
105s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2023 03:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Todesk-x64.msi
Size

100.3MB
MD5

c6688985a839ddbedfcde13596a5e3bf
SHA1

eb0492b6d0cf3660a39af2309e7c7b1647868be1
SHA256

9801b373a5ce4c24e1d60f429cb22f7fb3806b4a84d54f5ad18a3a26ec918c68
SHA512

fe9246821f5532143ebe587305db5533c3212d2e1a3b64aa16bb2948c0eea7fc29a88d8e69a4550be2dccb78baf26feaa87c89285896bf944b5a4f71da25d943
SSDEEP

3145728:hxc9Ksu9VWfhFcMiY0IapT6UE7MNQ0mByg6:h6G3GFc60IaYUoaQX

Score

10^/10

fatalrat gh0strat infostealer rat upx vmprotect

Malware Config

Signatures

FatalRat
FatalRat is a modular infostealer family written in C++ first appearing in June 2021.
infostealer rat fatalrat

Gh0st RAT payload 4 IoCs

resource	yara_rule
behavioral1/memory/1232-338-0x0000000002B20000-0x0000000002C6D000-memory.dmp	family_gh0strat
behavioral1/memory/1232-337-0x0000000002B20000-0x0000000002C6D000-memory.dmp	family_gh0strat
behavioral1/memory/1232-339-0x0000000002B20000-0x0000000002C6D000-memory.dmp	family_gh0strat
behavioral1/memory/1232-349-0x0000000002B20000-0x0000000002C6D000-memory.dmp	family_gh0strat

Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

Fatal Rat payload 1 IoCs

rat infostealer

resource	yara_rule
behavioral1/memory/1232-242-0x0000000010000000-0x000000001002A000-memory.dmp	fatalrat

Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software 2 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x00080000000232a9-352.dat	acprotect
behavioral1/files/0x00080000000232a9-355.dat	acprotect

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation	shu.exe

Executes dropped EXE 4 IoCs

pid	Process
4036	shu.exe
1232	spolsvt.exe
2444	elf.exe
5052	ToDesk_Setup.exe

Loads dropped DLL 22 IoCs

pid	Process
4736	MsiExec.exe
4736	MsiExec.exe
4736	MsiExec.exe
4736	MsiExec.exe
4736	MsiExec.exe
4736	MsiExec.exe
4736	MsiExec.exe
4736	MsiExec.exe
4736	MsiExec.exe
4736	MsiExec.exe
1972	MsiExec.exe
1972	MsiExec.exe
1972	MsiExec.exe
1972	MsiExec.exe
4736	MsiExec.exe
4036	shu.exe
2444	elf.exe
4736	MsiExec.exe
4736	MsiExec.exe
5052	ToDesk_Setup.exe
5052	ToDesk_Setup.exe
5052	ToDesk_Setup.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1232-334-0x0000000002B20000-0x0000000002C6D000-memory.dmp	upx
behavioral1/memory/1232-338-0x0000000002B20000-0x0000000002C6D000-memory.dmp	upx
behavioral1/memory/1232-337-0x0000000002B20000-0x0000000002C6D000-memory.dmp	upx
behavioral1/memory/1232-339-0x0000000002B20000-0x0000000002C6D000-memory.dmp	upx
behavioral1/memory/1232-349-0x0000000002B20000-0x0000000002C6D000-memory.dmp	upx
behavioral1/files/0x00080000000232a9-352.dat	upx
behavioral1/memory/5052-356-0x00000000743D0000-0x00000000744DD000-memory.dmp	upx
behavioral1/files/0x00080000000232a9-355.dat	upx
behavioral1/memory/5052-368-0x00000000743D0000-0x00000000744DD000-memory.dmp	upx
behavioral1/memory/5052-385-0x00000000743D0000-0x00000000744DD000-memory.dmp	upx
behavioral1/memory/5052-394-0x00000000743D0000-0x00000000744DD000-memory.dmp	upx

VMProtect packed file 7 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

resource	yara_rule
behavioral1/files/0x0006000000023290-222.dat	vmprotect
behavioral1/files/0x0006000000023290-228.dat	vmprotect
behavioral1/files/0x0006000000023290-227.dat	vmprotect
behavioral1/memory/4036-229-0x0000000000400000-0x0000000000A05000-memory.dmp	vmprotect
behavioral1/memory/4036-230-0x0000000000400000-0x0000000000A05000-memory.dmp	vmprotect
behavioral1/memory/4036-321-0x0000000000400000-0x0000000000A05000-memory.dmp	vmprotect
behavioral1/memory/4036-324-0x0000000000400000-0x0000000000A05000-memory.dmp	vmprotect

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4036 set thread context of 1232	4036	shu.exe	107

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\ToDesk\ToDesk\ToDesk_Setup.exe	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e588867.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e588865.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI896F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8A3B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8AC8.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{BA4016AA-D113-4DAC-B6BB-6DA157A87539}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI900A.tmp	msiexec.exe
File created	C:\Windows\Installer\e588865.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8B17.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007ec2211f72b7cbde0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007ec2211f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000000032000000ffffffff0000000007000100006809007ec2211f000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01232000000000020ed0d000000ffffffff0000000007000100006809197ec2211f000000000000d0123200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007ec2211f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	spolsvt.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	spolsvt.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\Version = "16777216"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AA6104AB311DCAD46BBBD61A758A5793\MainFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\PackageCode = "D7A13ACC94201BE4187D79CF9EDF4DC1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\Language = "2052"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B7C8EF8C8BBFC7946946A44E3DC25F08	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList\PackageName = "Todesk-x64.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AA6104AB311DCAD46BBBD61A758A5793	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AA6104AB311DCAD46BBBD61A758A5793\jingfeng	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B7C8EF8C8BBFC7946946A44E3DC25F08\AA6104AB311DCAD46BBBD61A758A5793	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\ProductName = "ToDesk"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\InstanceType = "0"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1588	msiexec.exe
1588	msiexec.exe
4036	shu.exe
4036	shu.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe
1232	spolsvt.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1516	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1516	msiexec.exe
Token: SeSecurityPrivilege	1588	msiexec.exe
Token: SeCreateTokenPrivilege	1516	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1516	msiexec.exe
Token: SeLockMemoryPrivilege	1516	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1516	msiexec.exe
Token: SeMachineAccountPrivilege	1516	msiexec.exe
Token: SeTcbPrivilege	1516	msiexec.exe
Token: SeSecurityPrivilege	1516	msiexec.exe
Token: SeTakeOwnershipPrivilege	1516	msiexec.exe
Token: SeLoadDriverPrivilege	1516	msiexec.exe
Token: SeSystemProfilePrivilege	1516	msiexec.exe
Token: SeSystemtimePrivilege	1516	msiexec.exe
Token: SeProfSingleProcessPrivilege	1516	msiexec.exe
Token: SeIncBasePriorityPrivilege	1516	msiexec.exe
Token: SeCreatePagefilePrivilege	1516	msiexec.exe
Token: SeCreatePermanentPrivilege	1516	msiexec.exe
Token: SeBackupPrivilege	1516	msiexec.exe
Token: SeRestorePrivilege	1516	msiexec.exe
Token: SeShutdownPrivilege	1516	msiexec.exe
Token: SeDebugPrivilege	1516	msiexec.exe
Token: SeAuditPrivilege	1516	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1516	msiexec.exe
Token: SeChangeNotifyPrivilege	1516	msiexec.exe
Token: SeRemoteShutdownPrivilege	1516	msiexec.exe
Token: SeUndockPrivilege	1516	msiexec.exe
Token: SeSyncAgentPrivilege	1516	msiexec.exe
Token: SeEnableDelegationPrivilege	1516	msiexec.exe
Token: SeManageVolumePrivilege	1516	msiexec.exe
Token: SeImpersonatePrivilege	1516	msiexec.exe
Token: SeCreateGlobalPrivilege	1516	msiexec.exe
Token: SeCreateTokenPrivilege	1516	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1516	msiexec.exe
Token: SeLockMemoryPrivilege	1516	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1516	msiexec.exe
Token: SeMachineAccountPrivilege	1516	msiexec.exe
Token: SeTcbPrivilege	1516	msiexec.exe
Token: SeSecurityPrivilege	1516	msiexec.exe
Token: SeTakeOwnershipPrivilege	1516	msiexec.exe
Token: SeLoadDriverPrivilege	1516	msiexec.exe
Token: SeSystemProfilePrivilege	1516	msiexec.exe
Token: SeSystemtimePrivilege	1516	msiexec.exe
Token: SeProfSingleProcessPrivilege	1516	msiexec.exe
Token: SeIncBasePriorityPrivilege	1516	msiexec.exe
Token: SeCreatePagefilePrivilege	1516	msiexec.exe
Token: SeCreatePermanentPrivilege	1516	msiexec.exe
Token: SeBackupPrivilege	1516	msiexec.exe
Token: SeRestorePrivilege	1516	msiexec.exe
Token: SeShutdownPrivilege	1516	msiexec.exe
Token: SeDebugPrivilege	1516	msiexec.exe
Token: SeAuditPrivilege	1516	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1516	msiexec.exe
Token: SeChangeNotifyPrivilege	1516	msiexec.exe
Token: SeRemoteShutdownPrivilege	1516	msiexec.exe
Token: SeUndockPrivilege	1516	msiexec.exe
Token: SeSyncAgentPrivilege	1516	msiexec.exe
Token: SeEnableDelegationPrivilege	1516	msiexec.exe
Token: SeManageVolumePrivilege	1516	msiexec.exe
Token: SeImpersonatePrivilege	1516	msiexec.exe
Token: SeCreateGlobalPrivilege	1516	msiexec.exe
Token: SeCreateTokenPrivilege	1516	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1516	msiexec.exe
Token: SeLockMemoryPrivilege	1516	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
1516	msiexec.exe
1516	msiexec.exe
1516	msiexec.exe
1516	msiexec.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4036	shu.exe
4036	shu.exe
5052	ToDesk_Setup.exe

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 1588 wrote to memory of 4736	1588	msiexec.exe	89
PID 1588 wrote to memory of 4736	1588	msiexec.exe	89
PID 1588 wrote to memory of 4736	1588	msiexec.exe	89
PID 1588 wrote to memory of 2420	1588	msiexec.exe	102
PID 1588 wrote to memory of 2420	1588	msiexec.exe	102
PID 1588 wrote to memory of 1972	1588	msiexec.exe	104
PID 1588 wrote to memory of 1972	1588	msiexec.exe	104
PID 1588 wrote to memory of 1972	1588	msiexec.exe	104
PID 4736 wrote to memory of 4036	4736	MsiExec.exe	106
PID 4736 wrote to memory of 4036	4736	MsiExec.exe	106
PID 4736 wrote to memory of 4036	4736	MsiExec.exe	106
PID 4036 wrote to memory of 1232	4036	shu.exe	107
PID 4036 wrote to memory of 1232	4036	shu.exe	107
PID 4036 wrote to memory of 1232	4036	shu.exe	107
PID 4036 wrote to memory of 1232	4036	shu.exe	107
PID 4036 wrote to memory of 1232	4036	shu.exe	107
PID 4036 wrote to memory of 1232	4036	shu.exe	107
PID 4036 wrote to memory of 1232	4036	shu.exe	107
PID 4036 wrote to memory of 1232	4036	shu.exe	107
PID 4036 wrote to memory of 2444	4036	shu.exe	108
PID 4036 wrote to memory of 2444	4036	shu.exe	108
PID 4036 wrote to memory of 2444	4036	shu.exe	108
PID 4036 wrote to memory of 4128	4036	shu.exe	109
PID 4036 wrote to memory of 4128	4036	shu.exe	109
PID 4036 wrote to memory of 4128	4036	shu.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Todesk-x64.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1516

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D72F28D0621475D4B577EAF8C08D04DD C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4736
- - C:\Users\Public\jingfeng\shu.exe
    "C:\Users\Public\jingfeng\shu.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Users\Public\Documents\t\spolsvt.exe
      C:\Users\Public\Documents\t\spolsvt.exe
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:1232
  - - C:\Users\Admin\Documents\robot\elf.exe
      "C:\Users\Admin\Documents\robot\elf.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2444
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del shu.exe
      4⤵
      PID:4128
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2420
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5DABD3E7FEE04559C412950B5126036D
  2⤵
  - Loads dropped DLL
  PID:1972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4652

C:\Program Files (x86)\ToDesk\ToDesk\ToDesk_Setup.exe
"C:\Program Files (x86)\ToDesk\ToDesk\ToDesk_Setup.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
PID:5052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e588866.rbs

Filesize
8KB

MD5
82fc647be16d4c536b6fa32e2093587a

SHA1
4a05de254cf602868c242561f4b1ccef5bc4b9ee

SHA256
74958adaaa92a5b31a5a557a206cd0edbeca3a6d048801384ce0345d086361a5

SHA512
9abdb0191ecbca674684b3419bf34f3dc360f7e2aef11b71a152b5064de3c42f33f966225223a34b4635fba0e9dcf63a675293b034d7734f62b64f3916d481ce

Download Submit
C:\Program Files (x86)\ToDesk\ToDesk\ToDesk_Setup.exe

Filesize
95.8MB

MD5
7cc3660308a16f0773cfc33d3b93339f

SHA1
ce1c40cd6b20c2f3b7a92cefb83f7bfc14e41ab3

SHA256
8c4d85be29a9f88a1cd2bb24f40f16c556310c62ecfe71f52a9ad32e10c43c30

SHA512
e6345de53edc74cf5d788b63b89fe3b08d29896303c1647cc186d3112c5f9c3658157335d46450c32ddd2240d63f75fccf6a6564c7ab0d1494051f8669d056ed

Download Submit
C:\Program Files (x86)\ToDesk\ToDesk\ToDesk_Setup.exe

Filesize
95.8MB

MD5
7cc3660308a16f0773cfc33d3b93339f

SHA1
ce1c40cd6b20c2f3b7a92cefb83f7bfc14e41ab3

SHA256
8c4d85be29a9f88a1cd2bb24f40f16c556310c62ecfe71f52a9ad32e10c43c30

SHA512
e6345de53edc74cf5d788b63b89fe3b08d29896303c1647cc186d3112c5f9c3658157335d46450c32ddd2240d63f75fccf6a6564c7ab0d1494051f8669d056ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI958E.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI958E.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICB4.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICB4.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICBB3.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICBB3.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICE4.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICE4.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICE4.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID23.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID23.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE54F.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE54F.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE86D.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE86D.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE8CC.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE8CC.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE8CC.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE91B.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIE91B.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEC58.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEC58.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEC97.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIEC97.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIECA8.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIECA8.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF0EF.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF0EF.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv2B6C.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv2B6C.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv2B6C.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv2B6C.tmp\nsNiuniuSkin.dll

Filesize
351KB

MD5
57bd662862690992ac801df2f1108145

SHA1
148734b667d17afebaef2a156b7dd30adf7ba0ad

SHA256
3c97251c6ae11ea6c0bd216322d36d3c915da8f9cad25d089b0a8475132f9035

SHA512
29a18ca78387f6e25314c0bc1b9db2846afc0f72d4275359a0e0e1f9ca35e7ef0405ee4bfb27b891d68f9a01ca525c8970520d4bb2060b9de999cc7439c4785e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv2B6C.tmp\nsNiuniuSkin.dll

Filesize
351KB

MD5
57bd662862690992ac801df2f1108145

SHA1
148734b667d17afebaef2a156b7dd30adf7ba0ad

SHA256
3c97251c6ae11ea6c0bd216322d36d3c915da8f9cad25d089b0a8475132f9035

SHA512
29a18ca78387f6e25314c0bc1b9db2846afc0f72d4275359a0e0e1f9ca35e7ef0405ee4bfb27b891d68f9a01ca525c8970520d4bb2060b9de999cc7439c4785e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv2B6C.tmp\skin.zip

Filesize
895KB

MD5
e63c258f99dc7e3d087ec2d1f0f266da

SHA1
ab524aa30be565a9cdcadb2c10d82254b47590fb

SHA256
22f1f779244f85f5fec1d0b7dd8f316bec293a2bdfd0c9cccdfd45f6941b03b2

SHA512
66c10517e259b180f0432b57784dd3264450a3b14f8dde8e3480c0305faccb59bf5c29460d8f501c55c88319ed08a473a2f209e6c0c79c2de822ec238d7357a7

Download Submit
C:\Users\Admin\Documents\robot\LoggerCollector.dll

Filesize
510KB

MD5
47fe0ab041a9c28fe838eb1b11556e33

SHA1
b7128f679230730cf477f3c081235de118c98960

SHA256
29fc393b56fcfa4a242c7bc5177b0861072f35c7c8be2546115e0f34d059e2bf

SHA512
7191170e244dac3b176bf89c67511b5938751471d84f73c58c3ff7fef3e6e1e70c3af5d3143cf3b66be461152b80845231fc6a3fafc31328193d47edd2961a40

Download Submit
C:\Users\Admin\Documents\robot\LoggerCollector.dll

Filesize
510KB

MD5
47fe0ab041a9c28fe838eb1b11556e33

SHA1
b7128f679230730cf477f3c081235de118c98960

SHA256
29fc393b56fcfa4a242c7bc5177b0861072f35c7c8be2546115e0f34d059e2bf

SHA512
7191170e244dac3b176bf89c67511b5938751471d84f73c58c3ff7fef3e6e1e70c3af5d3143cf3b66be461152b80845231fc6a3fafc31328193d47edd2961a40

Download Submit
C:\Users\Admin\Documents\robot\elf.exe

Filesize
2.2MB

MD5
33922d12e5bb8f40ecddf816124ae93d

SHA1
28244217fa205f12cf40278e97a3a01e6d7366a3

SHA256
255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158

SHA512
1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973

Download Submit
C:\Users\Admin\Documents\robot\elf.exe

Filesize
2.2MB

MD5
33922d12e5bb8f40ecddf816124ae93d

SHA1
28244217fa205f12cf40278e97a3a01e6d7366a3

SHA256
255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158

SHA512
1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973

Download Submit
C:\Users\Admin\Documents\robot\elf.exe

Filesize
2.2MB

MD5
33922d12e5bb8f40ecddf816124ae93d

SHA1
28244217fa205f12cf40278e97a3a01e6d7366a3

SHA256
255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158

SHA512
1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973

Download Submit
C:\Users\Admin\Documents\robot\skin\mainres.xml

Filesize
671B

MD5
47fb824e5df4deb39e5b5342e833d8e4

SHA1
3196520d4dabefd5b4eb6c689210d5ce459476da

SHA256
04fb5ba3130fb6cb99ce5d5ffa11a8df2d2c02fcb9dd3517d691bf97e0369289

SHA512
fb64455995630400f73a4725e365e44c8d77dd1ccb534c2ba8a0ff50cf42c9b838abe7bf63e98596bc40466a3c7eafda29d7981564684772afd3cba136e6bb42

Download Submit
C:\Users\Admin\Documents\robot\switch.json

Filesize
142B

MD5
31469752b674290e1b5afc18c74a3999

SHA1
feff2b3d09c7a2314e80d5a9cb2778fa94cb59d2

SHA256
267c43cf3cdbcc6dd33761f04bb74bb79d553226eb44438ee85bb4b184d728dc

SHA512
7a54bd72a2adfc3b4d6a978c849cb1531bd8a8b280a840b23d2ac1a0faf33cfa8aee5156fd28823428ee23512e6815ef9b99cd5ffa87eb3b0c2409b6b574be12

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\Documents\t\spolsvt.exe

Filesize
16KB

MD5
cdce4713e784ae069d73723034a957ff

SHA1
9a393a6bab6568f1a774fb753353223f11367e09

SHA256
b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8

SHA512
0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

Download Submit
C:\Users\Public\jingfeng\UnRAR.dll

Filesize
278KB

MD5
c5587655293f83c72f0c88c74660dd10

SHA1
675d7cac72e4caebebd7c2a88403d138b69acd89

SHA256
a647aec65edb9736ad9bbc60a99779d18438b783b3a7045533de97ba4134f4fe

SHA512
6b275764ba29dd5d2f789107de1b98095f42fe4929b725b5599136a6a626e32432fcb223ce1cf89050874102f0d24e6911c170e4d50a023dab4604c383380fd1

Download Submit
C:\Users\Public\jingfeng\UnRAR.dll

Filesize
278KB

MD5
c5587655293f83c72f0c88c74660dd10

SHA1
675d7cac72e4caebebd7c2a88403d138b69acd89

SHA256
a647aec65edb9736ad9bbc60a99779d18438b783b3a7045533de97ba4134f4fe

SHA512
6b275764ba29dd5d2f789107de1b98095f42fe4929b725b5599136a6a626e32432fcb223ce1cf89050874102f0d24e6911c170e4d50a023dab4604c383380fd1

Download Submit
C:\Users\Public\jingfeng\shu.exe

Filesize
2.5MB

MD5
41c6de2534e7db0328f5fded28780395

SHA1
f9e89470d4de237dd74f11d6ae115b9a2b4f9935

SHA256
d672d84219274e7ede587b0e02117420d954f72c7b60c38d5572189285718b54

SHA512
1b57c435ba0e6aa5fc17bff118be993f531fd6cecc4c380d4bf2a09bc05ef0615babe1cb400ee4e5a618cf0bcbd2d1937b43b3703d89c29795c5d098b033ea66

Download Submit
C:\Users\Public\jingfeng\shu.exe

Filesize
2.5MB

MD5
41c6de2534e7db0328f5fded28780395

SHA1
f9e89470d4de237dd74f11d6ae115b9a2b4f9935

SHA256
d672d84219274e7ede587b0e02117420d954f72c7b60c38d5572189285718b54

SHA512
1b57c435ba0e6aa5fc17bff118be993f531fd6cecc4c380d4bf2a09bc05ef0615babe1cb400ee4e5a618cf0bcbd2d1937b43b3703d89c29795c5d098b033ea66

Download Submit
C:\Users\Public\jingfeng\shu.exe

Filesize
2.5MB

MD5
41c6de2534e7db0328f5fded28780395

SHA1
f9e89470d4de237dd74f11d6ae115b9a2b4f9935

SHA256
d672d84219274e7ede587b0e02117420d954f72c7b60c38d5572189285718b54

SHA512
1b57c435ba0e6aa5fc17bff118be993f531fd6cecc4c380d4bf2a09bc05ef0615babe1cb400ee4e5a618cf0bcbd2d1937b43b3703d89c29795c5d098b033ea66

Download Submit
C:\Windows\Installer\MSI896F.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Windows\Installer\MSI896F.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Windows\Installer\MSI8A3B.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Windows\Installer\MSI8A3B.tmp

Filesize
557KB

MD5
db7612f0fd6408d664185cfc81bef0cb

SHA1
19a6334ec00365b4f4e57d387ed885b32aa7c9aa

SHA256
e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

SHA512
25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

Download Submit
C:\Windows\Installer\MSI8AC8.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Windows\Installer\MSI8AC8.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Windows\Installer\MSI8B17.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Windows\Installer\MSI8B17.tmp

Filesize
705KB

MD5
f7b1ddc86cd51e3391aa8bf4be48d994

SHA1
a0c0a4a77991d7f8df722acdd782310a6da2a904

SHA256
ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f

SHA512
f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Download Submit
C:\Windows\Installer\e588865.msi

Filesize
100.3MB

MD5
c6688985a839ddbedfcde13596a5e3bf

SHA1
eb0492b6d0cf3660a39af2309e7c7b1647868be1

SHA256
9801b373a5ce4c24e1d60f429cb22f7fb3806b4a84d54f5ad18a3a26ec918c68

SHA512
fe9246821f5532143ebe587305db5533c3212d2e1a3b64aa16bb2948c0eea7fc29a88d8e69a4550be2dccb78baf26feaa87c89285896bf944b5a4f71da25d943

Download Submit
memory/1232-240-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1232-235-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1232-339-0x0000000002B20000-0x0000000002C6D000-memory.dmp

Filesize
1.3MB

Download
memory/1232-338-0x0000000002B20000-0x0000000002C6D000-memory.dmp

Filesize
1.3MB

Download
memory/1232-334-0x0000000002B20000-0x0000000002C6D000-memory.dmp

Filesize
1.3MB

Download
memory/1232-337-0x0000000002B20000-0x0000000002C6D000-memory.dmp

Filesize
1.3MB

Download
memory/1232-234-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1232-349-0x0000000002B20000-0x0000000002C6D000-memory.dmp

Filesize
1.3MB

Download
memory/1232-242-0x0000000010000000-0x000000001002A000-memory.dmp

Filesize
168KB

Download
memory/1232-236-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4036-324-0x0000000000400000-0x0000000000A05000-memory.dmp

Filesize
6.0MB

Download
memory/4036-321-0x0000000000400000-0x0000000000A05000-memory.dmp

Filesize
6.0MB

Download
memory/4036-230-0x0000000000400000-0x0000000000A05000-memory.dmp

Filesize
6.0MB

Download
memory/4036-229-0x0000000000400000-0x0000000000A05000-memory.dmp

Filesize
6.0MB

Download
memory/5052-356-0x00000000743D0000-0x00000000744DD000-memory.dmp

Filesize
1.1MB

Download
memory/5052-368-0x00000000743D0000-0x00000000744DD000-memory.dmp

Filesize
1.1MB

Download
memory/5052-385-0x00000000743D0000-0x00000000744DD000-memory.dmp

Filesize
1.1MB

Download
memory/5052-394-0x00000000743D0000-0x00000000744DD000-memory.dmp

Filesize
1.1MB

Download