Analysis Overview
SHA256
9801b373a5ce4c24e1d60f429cb22f7fb3806b4a84d54f5ad18a3a26ec918c68
Threat Level: Known bad
The file Todesk-x64.msi was found to be: Known bad.
Malicious Activity Summary
Gh0strat
Gh0st RAT payload
FatalRat
Fatal Rat payload
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
ACProtect 1.3x - 1.4x DLL software
UPX packed file
Loads dropped DLL
VMProtect packed file
Enumerates connected drives
Suspicious use of SetThreadContext
Drops file in Program Files directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious use of WriteProcessMemory
Checks SCSI registry key(s)
Uses Volume Shadow Copy service COM API
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-07-25 03:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-25 03:41
Reported
2023-07-25 03:44
Platform
win10v2004-20230703-en
Max time kernel
105s
Max time network
118s
Command Line
Signatures
FatalRat
Gh0st RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Gh0strat
Fatal Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
ACProtect 1.3x - 1.4x DLL software
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation | C:\Users\Public\jingfeng\shu.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\jingfeng\shu.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\t\spolsvt.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\robot\elf.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\ToDesk\ToDesk\ToDesk_Setup.exe | N/A |
Loads dropped DLL
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
VMProtect packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4036 set thread context of 1232 | N/A | C:\Users\Public\jingfeng\shu.exe | C:\Users\Public\Documents\t\spolsvt.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\ToDesk\ToDesk\ToDesk_Setup.exe | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\e588867.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e588865.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI896F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8A3B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8AC8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{BA4016AA-D113-4DAC-B6BB-6DA157A87539} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI900A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e588865.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8B17.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007ec2211f72b7cbde0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007ec2211f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000000032000000ffffffff0000000007000100006809007ec2211f000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01232000000000020ed0d000000ffffffff0000000007000100006809197ec2211f000000000000d0123200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007ec2211f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Public\Documents\t\spolsvt.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Users\Public\Documents\t\spolsvt.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\Version = "16777216" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AA6104AB311DCAD46BBBD61A758A5793\MainFeature | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\PackageCode = "D7A13ACC94201BE4187D79CF9EDF4DC1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\Language = "2052" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B7C8EF8C8BBFC7946946A44E3DC25F08 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList\PackageName = "Todesk-x64.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AA6104AB311DCAD46BBBD61A758A5793 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AA6104AB311DCAD46BBBD61A758A5793\jingfeng | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B7C8EF8C8BBFC7946946A44E3DC25F08\AA6104AB311DCAD46BBBD61A758A5793 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\ProductName = "ToDesk" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\jingfeng\shu.exe | N/A |
| N/A | N/A | C:\Users\Public\jingfeng\shu.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\ToDesk\ToDesk\ToDesk_Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Todesk-x64.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D72F28D0621475D4B577EAF8C08D04DD C
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5DABD3E7FEE04559C412950B5126036D
C:\Users\Public\jingfeng\shu.exe
"C:\Users\Public\jingfeng\shu.exe"
C:\Users\Public\Documents\t\spolsvt.exe
C:\Users\Public\Documents\t\spolsvt.exe
C:\Users\Admin\Documents\robot\elf.exe
"C:\Users\Admin\Documents\robot\elf.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del shu.exe
C:\Program Files (x86)\ToDesk\ToDesk\ToDesk_Setup.exe
"C:\Program Files (x86)\ToDesk\ToDesk\ToDesk_Setup.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 126.166.241.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | assets.msn.com | udp |
| NL | 88.221.24.8:443 | assets.msn.com | tcp |
| US | 8.8.8.8:53 | 8.24.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.100.206.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | jf.wccabc.com | udp |
| HK | 43.249.29.99:3927 | jf.wccabc.com | tcp |
| US | 8.8.8.8:53 | 99.29.249.43.in-addr.arpa | udp |
| US | 8.8.8.8:53 | xfer.10jqka.com.cn | udp |
| CN | 175.6.25.38:80 | xfer.10jqka.com.cn | tcp |
| US | 8.8.8.8:53 | 38.25.6.175.in-addr.arpa | udp |
| US | 8.8.8.8:53 | shusheng1.oss-cn-hongkong.aliyuncs.com | udp |
| HK | 47.75.19.136:443 | shusheng1.oss-cn-hongkong.aliyuncs.com | tcp |
| US | 8.8.8.8:53 | 136.19.75.47.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.2.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:58885 | tcp | |
| HK | 43.249.29.99:3927 | jf.wccabc.com | tcp |
| US | 8.8.8.8:53 | 200.74.101.95.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\MSIE54F.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIE54F.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIE86D.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIE86D.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIE8CC.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIE8CC.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIE8CC.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIE91B.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIE91B.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIEC58.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSIEC58.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSIEC97.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIEC97.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIECA8.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIECA8.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSICB4.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSICB4.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSICE4.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSICE4.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSICE4.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSID23.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSID23.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Windows\Installer\MSI896F.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Windows\Installer\MSI896F.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Windows\Installer\MSI8A3B.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Windows\Installer\MSI8A3B.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Windows\Installer\MSI8AC8.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Windows\Installer\MSI8AC8.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Windows\Installer\MSI8B17.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Windows\Installer\MSI8B17.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Config.Msi\e588866.rbs
| MD5 | 82fc647be16d4c536b6fa32e2093587a |
| SHA1 | 4a05de254cf602868c242561f4b1ccef5bc4b9ee |
| SHA256 | 74958adaaa92a5b31a5a557a206cd0edbeca3a6d048801384ce0345d086361a5 |
| SHA512 | 9abdb0191ecbca674684b3419bf34f3dc360f7e2aef11b71a152b5064de3c42f33f966225223a34b4635fba0e9dcf63a675293b034d7734f62b64f3916d481ce |
C:\Windows\Installer\e588865.msi
| MD5 | c6688985a839ddbedfcde13596a5e3bf |
| SHA1 | eb0492b6d0cf3660a39af2309e7c7b1647868be1 |
| SHA256 | 9801b373a5ce4c24e1d60f429cb22f7fb3806b4a84d54f5ad18a3a26ec918c68 |
| SHA512 | fe9246821f5532143ebe587305db5533c3212d2e1a3b64aa16bb2948c0eea7fc29a88d8e69a4550be2dccb78baf26feaa87c89285896bf944b5a4f71da25d943 |
C:\Users\Admin\AppData\Local\Temp\MSI958E.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSI958E.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Public\jingfeng\shu.exe
| MD5 | 41c6de2534e7db0328f5fded28780395 |
| SHA1 | f9e89470d4de237dd74f11d6ae115b9a2b4f9935 |
| SHA256 | d672d84219274e7ede587b0e02117420d954f72c7b60c38d5572189285718b54 |
| SHA512 | 1b57c435ba0e6aa5fc17bff118be993f531fd6cecc4c380d4bf2a09bc05ef0615babe1cb400ee4e5a618cf0bcbd2d1937b43b3703d89c29795c5d098b033ea66 |
C:\Users\Public\jingfeng\shu.exe
| MD5 | 41c6de2534e7db0328f5fded28780395 |
| SHA1 | f9e89470d4de237dd74f11d6ae115b9a2b4f9935 |
| SHA256 | d672d84219274e7ede587b0e02117420d954f72c7b60c38d5572189285718b54 |
| SHA512 | 1b57c435ba0e6aa5fc17bff118be993f531fd6cecc4c380d4bf2a09bc05ef0615babe1cb400ee4e5a618cf0bcbd2d1937b43b3703d89c29795c5d098b033ea66 |
C:\Users\Public\jingfeng\shu.exe
| MD5 | 41c6de2534e7db0328f5fded28780395 |
| SHA1 | f9e89470d4de237dd74f11d6ae115b9a2b4f9935 |
| SHA256 | d672d84219274e7ede587b0e02117420d954f72c7b60c38d5572189285718b54 |
| SHA512 | 1b57c435ba0e6aa5fc17bff118be993f531fd6cecc4c380d4bf2a09bc05ef0615babe1cb400ee4e5a618cf0bcbd2d1937b43b3703d89c29795c5d098b033ea66 |
memory/4036-229-0x0000000000400000-0x0000000000A05000-memory.dmp
memory/4036-230-0x0000000000400000-0x0000000000A05000-memory.dmp
memory/1232-234-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1232-236-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1232-235-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Public\Documents\t\spolsvt.exe
| MD5 | cdce4713e784ae069d73723034a957ff |
| SHA1 | 9a393a6bab6568f1a774fb753353223f11367e09 |
| SHA256 | b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8 |
| SHA512 | 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f |
memory/1232-240-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Public\Documents\t\spolsvt.exe
| MD5 | cdce4713e784ae069d73723034a957ff |
| SHA1 | 9a393a6bab6568f1a774fb753353223f11367e09 |
| SHA256 | b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8 |
| SHA512 | 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f |
memory/1232-242-0x0000000010000000-0x000000001002A000-memory.dmp
C:\Users\Public\jingfeng\UnRAR.dll
| MD5 | c5587655293f83c72f0c88c74660dd10 |
| SHA1 | 675d7cac72e4caebebd7c2a88403d138b69acd89 |
| SHA256 | a647aec65edb9736ad9bbc60a99779d18438b783b3a7045533de97ba4134f4fe |
| SHA512 | 6b275764ba29dd5d2f789107de1b98095f42fe4929b725b5599136a6a626e32432fcb223ce1cf89050874102f0d24e6911c170e4d50a023dab4604c383380fd1 |
C:\Users\Public\jingfeng\UnRAR.dll
| MD5 | c5587655293f83c72f0c88c74660dd10 |
| SHA1 | 675d7cac72e4caebebd7c2a88403d138b69acd89 |
| SHA256 | a647aec65edb9736ad9bbc60a99779d18438b783b3a7045533de97ba4134f4fe |
| SHA512 | 6b275764ba29dd5d2f789107de1b98095f42fe4929b725b5599136a6a626e32432fcb223ce1cf89050874102f0d24e6911c170e4d50a023dab4604c383380fd1 |
C:\Users\Admin\Documents\robot\elf.exe
| MD5 | 33922d12e5bb8f40ecddf816124ae93d |
| SHA1 | 28244217fa205f12cf40278e97a3a01e6d7366a3 |
| SHA256 | 255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158 |
| SHA512 | 1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973 |
C:\Users\Admin\Documents\robot\elf.exe
| MD5 | 33922d12e5bb8f40ecddf816124ae93d |
| SHA1 | 28244217fa205f12cf40278e97a3a01e6d7366a3 |
| SHA256 | 255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158 |
| SHA512 | 1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973 |
C:\Users\Admin\Documents\robot\elf.exe
| MD5 | 33922d12e5bb8f40ecddf816124ae93d |
| SHA1 | 28244217fa205f12cf40278e97a3a01e6d7366a3 |
| SHA256 | 255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158 |
| SHA512 | 1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973 |
C:\Users\Admin\Documents\robot\LoggerCollector.dll
| MD5 | 47fe0ab041a9c28fe838eb1b11556e33 |
| SHA1 | b7128f679230730cf477f3c081235de118c98960 |
| SHA256 | 29fc393b56fcfa4a242c7bc5177b0861072f35c7c8be2546115e0f34d059e2bf |
| SHA512 | 7191170e244dac3b176bf89c67511b5938751471d84f73c58c3ff7fef3e6e1e70c3af5d3143cf3b66be461152b80845231fc6a3fafc31328193d47edd2961a40 |
C:\Users\Admin\Documents\robot\LoggerCollector.dll
| MD5 | 47fe0ab041a9c28fe838eb1b11556e33 |
| SHA1 | b7128f679230730cf477f3c081235de118c98960 |
| SHA256 | 29fc393b56fcfa4a242c7bc5177b0861072f35c7c8be2546115e0f34d059e2bf |
| SHA512 | 7191170e244dac3b176bf89c67511b5938751471d84f73c58c3ff7fef3e6e1e70c3af5d3143cf3b66be461152b80845231fc6a3fafc31328193d47edd2961a40 |
C:\Users\Admin\Documents\robot\skin\mainres.xml
| MD5 | 47fb824e5df4deb39e5b5342e833d8e4 |
| SHA1 | 3196520d4dabefd5b4eb6c689210d5ce459476da |
| SHA256 | 04fb5ba3130fb6cb99ce5d5ffa11a8df2d2c02fcb9dd3517d691bf97e0369289 |
| SHA512 | fb64455995630400f73a4725e365e44c8d77dd1ccb534c2ba8a0ff50cf42c9b838abe7bf63e98596bc40466a3c7eafda29d7981564684772afd3cba136e6bb42 |
C:\Users\Admin\Documents\robot\switch.json
| MD5 | 31469752b674290e1b5afc18c74a3999 |
| SHA1 | feff2b3d09c7a2314e80d5a9cb2778fa94cb59d2 |
| SHA256 | 267c43cf3cdbcc6dd33761f04bb74bb79d553226eb44438ee85bb4b184d728dc |
| SHA512 | 7a54bd72a2adfc3b4d6a978c849cb1531bd8a8b280a840b23d2ac1a0faf33cfa8aee5156fd28823428ee23512e6815ef9b99cd5ffa87eb3b0c2409b6b574be12 |
memory/4036-321-0x0000000000400000-0x0000000000A05000-memory.dmp
memory/4036-324-0x0000000000400000-0x0000000000A05000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSICBB3.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSICBB3.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
memory/1232-334-0x0000000002B20000-0x0000000002C6D000-memory.dmp
memory/1232-338-0x0000000002B20000-0x0000000002C6D000-memory.dmp
memory/1232-337-0x0000000002B20000-0x0000000002C6D000-memory.dmp
memory/1232-339-0x0000000002B20000-0x0000000002C6D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSIF0EF.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSIF0EF.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Program Files (x86)\ToDesk\ToDesk\ToDesk_Setup.exe
| MD5 | 7cc3660308a16f0773cfc33d3b93339f |
| SHA1 | ce1c40cd6b20c2f3b7a92cefb83f7bfc14e41ab3 |
| SHA256 | 8c4d85be29a9f88a1cd2bb24f40f16c556310c62ecfe71f52a9ad32e10c43c30 |
| SHA512 | e6345de53edc74cf5d788b63b89fe3b08d29896303c1647cc186d3112c5f9c3658157335d46450c32ddd2240d63f75fccf6a6564c7ab0d1494051f8669d056ed |
C:\Program Files (x86)\ToDesk\ToDesk\ToDesk_Setup.exe
| MD5 | 7cc3660308a16f0773cfc33d3b93339f |
| SHA1 | ce1c40cd6b20c2f3b7a92cefb83f7bfc14e41ab3 |
| SHA256 | 8c4d85be29a9f88a1cd2bb24f40f16c556310c62ecfe71f52a9ad32e10c43c30 |
| SHA512 | e6345de53edc74cf5d788b63b89fe3b08d29896303c1647cc186d3112c5f9c3658157335d46450c32ddd2240d63f75fccf6a6564c7ab0d1494051f8669d056ed |
memory/1232-349-0x0000000002B20000-0x0000000002C6D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsv2B6C.tmp\nsNiuniuSkin.dll
| MD5 | 57bd662862690992ac801df2f1108145 |
| SHA1 | 148734b667d17afebaef2a156b7dd30adf7ba0ad |
| SHA256 | 3c97251c6ae11ea6c0bd216322d36d3c915da8f9cad25d089b0a8475132f9035 |
| SHA512 | 29a18ca78387f6e25314c0bc1b9db2846afc0f72d4275359a0e0e1f9ca35e7ef0405ee4bfb27b891d68f9a01ca525c8970520d4bb2060b9de999cc7439c4785e |
memory/5052-356-0x00000000743D0000-0x00000000744DD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsv2B6C.tmp\nsNiuniuSkin.dll
| MD5 | 57bd662862690992ac801df2f1108145 |
| SHA1 | 148734b667d17afebaef2a156b7dd30adf7ba0ad |
| SHA256 | 3c97251c6ae11ea6c0bd216322d36d3c915da8f9cad25d089b0a8475132f9035 |
| SHA512 | 29a18ca78387f6e25314c0bc1b9db2846afc0f72d4275359a0e0e1f9ca35e7ef0405ee4bfb27b891d68f9a01ca525c8970520d4bb2060b9de999cc7439c4785e |
C:\Users\Admin\AppData\Local\Temp\nsv2B6C.tmp\skin.zip
| MD5 | e63c258f99dc7e3d087ec2d1f0f266da |
| SHA1 | ab524aa30be565a9cdcadb2c10d82254b47590fb |
| SHA256 | 22f1f779244f85f5fec1d0b7dd8f316bec293a2bdfd0c9cccdfd45f6941b03b2 |
| SHA512 | 66c10517e259b180f0432b57784dd3264450a3b14f8dde8e3480c0305faccb59bf5c29460d8f501c55c88319ed08a473a2f209e6c0c79c2de822ec238d7357a7 |
memory/5052-368-0x00000000743D0000-0x00000000744DD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\nsv2B6C.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
C:\Users\Admin\AppData\Local\Temp\nsv2B6C.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
C:\Users\Admin\AppData\Local\Temp\nsv2B6C.tmp\System.dll
| MD5 | 8cf2ac271d7679b1d68eefc1ae0c5618 |
| SHA1 | 7cc1caaa747ee16dc894a600a4256f64fa65a9b8 |
| SHA256 | 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba |
| SHA512 | ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3 |
memory/5052-385-0x00000000743D0000-0x00000000744DD000-memory.dmp
memory/5052-394-0x00000000743D0000-0x00000000744DD000-memory.dmp