Malware Analysis Report

2025-03-15 03:55

Sample ID 230725-d81rnsab84
Target Todesk-x64.msi
SHA256 9801b373a5ce4c24e1d60f429cb22f7fb3806b4a84d54f5ad18a3a26ec918c68
Tags fatalrat gh0strat infostealer rat upx vmprotect
Score 10/10

Analysis Overview

score
10/10

SHA256

9801b373a5ce4c24e1d60f429cb22f7fb3806b4a84d54f5ad18a3a26ec918c68

Threat Level: Known bad

The file Todesk-x64.msi was found to be: Known bad.

Malicious Activity Summary

fatalrat gh0strat infostealer rat upx vmprotect

Gh0strat

Gh0st RAT payload

FatalRat

Fatal Rat payload

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

ACProtect 1.3x - 1.4x DLL software

UPX packed file

Loads dropped DLL

VMProtect packed file

Enumerates connected drives

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2023-07-25 03:41

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-25 03:41

Reported

2023-07-25 03:44

Platform

win10v2004-20230703-en

Max time kernel

105s

Max time network

118s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Todesk-x64.msi

Signatures

FatalRat

infostealer rat fatalrat

Gh0st RAT payload

Gh0strat

rat gh0strat

Fatal Rat payload

rat infostealer

Downloads MZ/PE file

ACProtect 1.3x - 1.4x DLL software

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3011986978-2180659500-3669311805-1000\Control Panel\International\Geo\Nation C:\Users\Public\jingfeng\shu.exe N/A

UPX packed file

upx

VMProtect packed file

vmprotect

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4036 set thread context of 1232 N/A C:\Users\Public\jingfeng\shu.exe C:\Users\Public\Documents\t\spolsvt.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\ToDesk\ToDesk\ToDesk_Setup.exe C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e588867.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e588865.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI896F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8A3B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8AC8.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{BA4016AA-D113-4DAC-B6BB-6DA157A87539} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI900A.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e588865.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8B17.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Public\Documents\t\spolsvt.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Users\Public\Documents\t\spolsvt.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\Version = "16777216" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AA6104AB311DCAD46BBBD61A758A5793\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\PackageCode = "D7A13ACC94201BE4187D79CF9EDF4DC1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\Language = "2052" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B7C8EF8C8BBFC7946946A44E3DC25F08 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList\PackageName = "Todesk-x64.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AA6104AB311DCAD46BBBD61A758A5793 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\AA6104AB311DCAD46BBBD61A758A5793\jingfeng C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\B7C8EF8C8BBFC7946946A44E3DC25F08\AA6104AB311DCAD46BBBD61A758A5793 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\ProductName = "ToDesk" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\AA6104AB311DCAD46BBBD61A758A5793\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Public\jingfeng\shu.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Public\jingfeng\shu.exe N/A
N/A N/A C:\Program Files (x86)\ToDesk\ToDesk\ToDesk_Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1588 wrote to memory of 4736 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1588 wrote to memory of 2420 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1588 wrote to memory of 1972 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4736 wrote to memory of 4036 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\jingfeng\shu.exe
PID 4036 wrote to memory of 1232 N/A C:\Users\Public\jingfeng\shu.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 4036 wrote to memory of 2444 N/A C:\Users\Public\jingfeng\shu.exe C:\Users\Admin\Documents\robot\elf.exe
PID 4036 wrote to memory of 4128 N/A C:\Users\Public\jingfeng\shu.exe C:\Windows\SysWOW64\cmd.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Todesk-x64.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D72F28D0621475D4B577EAF8C08D04DD C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5DABD3E7FEE04559C412950B5126036D

C:\Users\Public\jingfeng\shu.exe

"C:\Users\Public\jingfeng\shu.exe"

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Admin\Documents\robot\elf.exe

"C:\Users\Admin\Documents\robot\elf.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del shu.exe

C:\Program Files (x86)\ToDesk\ToDesk\ToDesk_Setup.exe

"C:\Program Files (x86)\ToDesk\ToDesk\ToDesk_Setup.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 126.166.241.8.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 assets.msn.com udp
NL 88.221.24.8:443 assets.msn.com tcp
US 8.8.8.8:53 8.24.221.88.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 182.100.206.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 jf.wccabc.com udp
HK 43.249.29.99:3927 jf.wccabc.com tcp
US 8.8.8.8:53 99.29.249.43.in-addr.arpa udp
US 8.8.8.8:53 xfer.10jqka.com.cn udp
CN 175.6.25.38:80 xfer.10jqka.com.cn tcp
US 8.8.8.8:53 38.25.6.175.in-addr.arpa udp
US 8.8.8.8:53 shusheng1.oss-cn-hongkong.aliyuncs.com udp
HK 47.75.19.136:443 shusheng1.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 136.19.75.47.in-addr.arpa udp
US 8.8.8.8:53 133.2.101.151.in-addr.arpa udp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
N/A 127.0.0.1:58885 tcp
HK 43.249.29.99:3927 jf.wccabc.com tcp
US 8.8.8.8:53 200.74.101.95.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MSIE54F.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIE86D.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIE8CC.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIE91B.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIEC58.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIEC97.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIECA8.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSICB4.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSICB4.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSICE4.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSICE4.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSICE4.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSID23.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSID23.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSI896F.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSI896F.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSI8A3B.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSI8A3B.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSI8AC8.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSI8AC8.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSI8B17.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSI8B17.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Config.Msi\e588866.rbs

MD5 82fc647be16d4c536b6fa32e2093587a
SHA1 4a05de254cf602868c242561f4b1ccef5bc4b9ee
SHA256 74958adaaa92a5b31a5a557a206cd0edbeca3a6d048801384ce0345d086361a5
SHA512 9abdb0191ecbca674684b3419bf34f3dc360f7e2aef11b71a152b5064de3c42f33f966225223a34b4635fba0e9dcf63a675293b034d7734f62b64f3916d481ce

C:\Windows\Installer\e588865.msi

MD5 c6688985a839ddbedfcde13596a5e3bf
SHA1 eb0492b6d0cf3660a39af2309e7c7b1647868be1
SHA256 9801b373a5ce4c24e1d60f429cb22f7fb3806b4a84d54f5ad18a3a26ec918c68
SHA512 fe9246821f5532143ebe587305db5533c3212d2e1a3b64aa16bb2948c0eea7fc29a88d8e69a4550be2dccb78baf26feaa87c89285896bf944b5a4f71da25d943

C:\Users\Admin\AppData\Local\Temp\MSI958E.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI958E.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Public\jingfeng\shu.exe

MD5 41c6de2534e7db0328f5fded28780395
SHA1 f9e89470d4de237dd74f11d6ae115b9a2b4f9935
SHA256 d672d84219274e7ede587b0e02117420d954f72c7b60c38d5572189285718b54
SHA512 1b57c435ba0e6aa5fc17bff118be993f531fd6cecc4c380d4bf2a09bc05ef0615babe1cb400ee4e5a618cf0bcbd2d1937b43b3703d89c29795c5d098b033ea66

C:\Users\Public\jingfeng\shu.exe

MD5 41c6de2534e7db0328f5fded28780395
SHA1 f9e89470d4de237dd74f11d6ae115b9a2b4f9935
SHA256 d672d84219274e7ede587b0e02117420d954f72c7b60c38d5572189285718b54
SHA512 1b57c435ba0e6aa5fc17bff118be993f531fd6cecc4c380d4bf2a09bc05ef0615babe1cb400ee4e5a618cf0bcbd2d1937b43b3703d89c29795c5d098b033ea66

C:\Users\Public\jingfeng\shu.exe

MD5 41c6de2534e7db0328f5fded28780395
SHA1 f9e89470d4de237dd74f11d6ae115b9a2b4f9935
SHA256 d672d84219274e7ede587b0e02117420d954f72c7b60c38d5572189285718b54
SHA512 1b57c435ba0e6aa5fc17bff118be993f531fd6cecc4c380d4bf2a09bc05ef0615babe1cb400ee4e5a618cf0bcbd2d1937b43b3703d89c29795c5d098b033ea66

memory/4036-229-0x0000000000400000-0x0000000000A05000-memory.dmp

memory/4036-230-0x0000000000400000-0x0000000000A05000-memory.dmp

memory/1232-234-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1232-236-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1232-235-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/1232-240-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/1232-242-0x0000000010000000-0x000000001002A000-memory.dmp

C:\Users\Public\jingfeng\UnRAR.dll

MD5 c5587655293f83c72f0c88c74660dd10
SHA1 675d7cac72e4caebebd7c2a88403d138b69acd89
SHA256 a647aec65edb9736ad9bbc60a99779d18438b783b3a7045533de97ba4134f4fe
SHA512 6b275764ba29dd5d2f789107de1b98095f42fe4929b725b5599136a6a626e32432fcb223ce1cf89050874102f0d24e6911c170e4d50a023dab4604c383380fd1

C:\Users\Public\jingfeng\UnRAR.dll

MD5 c5587655293f83c72f0c88c74660dd10
SHA1 675d7cac72e4caebebd7c2a88403d138b69acd89
SHA256 a647aec65edb9736ad9bbc60a99779d18438b783b3a7045533de97ba4134f4fe
SHA512 6b275764ba29dd5d2f789107de1b98095f42fe4929b725b5599136a6a626e32432fcb223ce1cf89050874102f0d24e6911c170e4d50a023dab4604c383380fd1

C:\Users\Admin\Documents\robot\elf.exe

MD5 33922d12e5bb8f40ecddf816124ae93d
SHA1 28244217fa205f12cf40278e97a3a01e6d7366a3
SHA256 255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158
SHA512 1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973

C:\Users\Admin\Documents\robot\elf.exe

MD5 33922d12e5bb8f40ecddf816124ae93d
SHA1 28244217fa205f12cf40278e97a3a01e6d7366a3
SHA256 255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158
SHA512 1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973

C:\Users\Admin\Documents\robot\elf.exe

MD5 33922d12e5bb8f40ecddf816124ae93d
SHA1 28244217fa205f12cf40278e97a3a01e6d7366a3
SHA256 255e4c5b81ddabc02455b7b4560e168b4064e63ec3721230201d1a7928c9f158
SHA512 1fdc906fdf3a89105d8e8996ec58e26e4d802fbbc99004d2f9a13a94cabeabde104fd55135763d5b959d1741d53e06ca18879407864c1e37e0a8764df9ea1973

C:\Users\Admin\Documents\robot\LoggerCollector.dll

MD5 47fe0ab041a9c28fe838eb1b11556e33
SHA1 b7128f679230730cf477f3c081235de118c98960
SHA256 29fc393b56fcfa4a242c7bc5177b0861072f35c7c8be2546115e0f34d059e2bf
SHA512 7191170e244dac3b176bf89c67511b5938751471d84f73c58c3ff7fef3e6e1e70c3af5d3143cf3b66be461152b80845231fc6a3fafc31328193d47edd2961a40

C:\Users\Admin\Documents\robot\LoggerCollector.dll

MD5 47fe0ab041a9c28fe838eb1b11556e33
SHA1 b7128f679230730cf477f3c081235de118c98960
SHA256 29fc393b56fcfa4a242c7bc5177b0861072f35c7c8be2546115e0f34d059e2bf
SHA512 7191170e244dac3b176bf89c67511b5938751471d84f73c58c3ff7fef3e6e1e70c3af5d3143cf3b66be461152b80845231fc6a3fafc31328193d47edd2961a40

C:\Users\Admin\Documents\robot\skin\mainres.xml

MD5 47fb824e5df4deb39e5b5342e833d8e4
SHA1 3196520d4dabefd5b4eb6c689210d5ce459476da
SHA256 04fb5ba3130fb6cb99ce5d5ffa11a8df2d2c02fcb9dd3517d691bf97e0369289
SHA512 fb64455995630400f73a4725e365e44c8d77dd1ccb534c2ba8a0ff50cf42c9b838abe7bf63e98596bc40466a3c7eafda29d7981564684772afd3cba136e6bb42

C:\Users\Admin\Documents\robot\switch.json

MD5 31469752b674290e1b5afc18c74a3999
SHA1 feff2b3d09c7a2314e80d5a9cb2778fa94cb59d2
SHA256 267c43cf3cdbcc6dd33761f04bb74bb79d553226eb44438ee85bb4b184d728dc
SHA512 7a54bd72a2adfc3b4d6a978c849cb1531bd8a8b280a840b23d2ac1a0faf33cfa8aee5156fd28823428ee23512e6815ef9b99cd5ffa87eb3b0c2409b6b574be12

memory/4036-321-0x0000000000400000-0x0000000000A05000-memory.dmp

memory/4036-324-0x0000000000400000-0x0000000000A05000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSICBB3.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSICBB3.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

memory/1232-334-0x0000000002B20000-0x0000000002C6D000-memory.dmp

memory/1232-338-0x0000000002B20000-0x0000000002C6D000-memory.dmp

memory/1232-337-0x0000000002B20000-0x0000000002C6D000-memory.dmp

memory/1232-339-0x0000000002B20000-0x0000000002C6D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSIF0EF.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIF0EF.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Program Files (x86)\ToDesk\ToDesk\ToDesk_Setup.exe

MD5 7cc3660308a16f0773cfc33d3b93339f
SHA1 ce1c40cd6b20c2f3b7a92cefb83f7bfc14e41ab3
SHA256 8c4d85be29a9f88a1cd2bb24f40f16c556310c62ecfe71f52a9ad32e10c43c30
SHA512 e6345de53edc74cf5d788b63b89fe3b08d29896303c1647cc186d3112c5f9c3658157335d46450c32ddd2240d63f75fccf6a6564c7ab0d1494051f8669d056ed

C:\Program Files (x86)\ToDesk\ToDesk\ToDesk_Setup.exe

MD5 7cc3660308a16f0773cfc33d3b93339f
SHA1 ce1c40cd6b20c2f3b7a92cefb83f7bfc14e41ab3
SHA256 8c4d85be29a9f88a1cd2bb24f40f16c556310c62ecfe71f52a9ad32e10c43c30
SHA512 e6345de53edc74cf5d788b63b89fe3b08d29896303c1647cc186d3112c5f9c3658157335d46450c32ddd2240d63f75fccf6a6564c7ab0d1494051f8669d056ed

memory/1232-349-0x0000000002B20000-0x0000000002C6D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsv2B6C.tmp\nsNiuniuSkin.dll

MD5 57bd662862690992ac801df2f1108145
SHA1 148734b667d17afebaef2a156b7dd30adf7ba0ad
SHA256 3c97251c6ae11ea6c0bd216322d36d3c915da8f9cad25d089b0a8475132f9035
SHA512 29a18ca78387f6e25314c0bc1b9db2846afc0f72d4275359a0e0e1f9ca35e7ef0405ee4bfb27b891d68f9a01ca525c8970520d4bb2060b9de999cc7439c4785e

memory/5052-356-0x00000000743D0000-0x00000000744DD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsv2B6C.tmp\nsNiuniuSkin.dll

MD5 57bd662862690992ac801df2f1108145
SHA1 148734b667d17afebaef2a156b7dd30adf7ba0ad
SHA256 3c97251c6ae11ea6c0bd216322d36d3c915da8f9cad25d089b0a8475132f9035
SHA512 29a18ca78387f6e25314c0bc1b9db2846afc0f72d4275359a0e0e1f9ca35e7ef0405ee4bfb27b891d68f9a01ca525c8970520d4bb2060b9de999cc7439c4785e

C:\Users\Admin\AppData\Local\Temp\nsv2B6C.tmp\skin.zip

MD5 e63c258f99dc7e3d087ec2d1f0f266da
SHA1 ab524aa30be565a9cdcadb2c10d82254b47590fb
SHA256 22f1f779244f85f5fec1d0b7dd8f316bec293a2bdfd0c9cccdfd45f6941b03b2
SHA512 66c10517e259b180f0432b57784dd3264450a3b14f8dde8e3480c0305faccb59bf5c29460d8f501c55c88319ed08a473a2f209e6c0c79c2de822ec238d7357a7

memory/5052-368-0x00000000743D0000-0x00000000744DD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nsv2B6C.tmp\System.dll

MD5 8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA256 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512 ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

C:\Users\Admin\AppData\Local\Temp\nsv2B6C.tmp\System.dll

MD5 8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA256 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512 ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

C:\Users\Admin\AppData\Local\Temp\nsv2B6C.tmp\System.dll

MD5 8cf2ac271d7679b1d68eefc1ae0c5618
SHA1 7cc1caaa747ee16dc894a600a4256f64fa65a9b8
SHA256 6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba
SHA512 ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

memory/5052-385-0x00000000743D0000-0x00000000744DD000-memory.dmp

memory/5052-394-0x00000000743D0000-0x00000000744DD000-memory.dmp