Malware Analysis Report

2025-03-15 03:55

Sample ID 230803-k52ccsce56
Target tdesk_桌面端App Store.msi
SHA256 ed0f0e60de86f1cd6adfdf435c65ad0253187e645de7255abb0a926f722470f7
Tags
fatalrat infostealer persistence rat upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ed0f0e60de86f1cd6adfdf435c65ad0253187e645de7255abb0a926f722470f7

Threat Level: Known bad

The file tdesk_桌面端App Store.msi was found to be: Known bad.

Malicious Activity Summary

fatalrat infostealer persistence rat upx

FatalRat

Fatal Rat payload

Downloads MZ/PE file

UPX packed file

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Drops file in Program Files directory

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-03 09:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-08-03 09:11

Reported

2023-08-03 09:50

Platform

win7-20230712-en

Max time kernel

144s

Max time network

152s

Command Line

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\tdesk_桌面端App Store.msi"

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\whapps\u9999.exe N/A
N/A N/A C:\Users\Public\Documents\123\VVvrst.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Hherecontinuous = "C:\\WINDOWS\\Setup\\VVvrst.exe" C:\Users\Public\Documents\123\VVvrst.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2344 set thread context of 2768 N/A C:\Users\Public\Documents\123\VVvrst.exe C:\WINDOWS\Setup\spolsvt.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ca.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\gu.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ms.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ro.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\SquirrelSetup.log C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\ql-win32\bin\win32-x64-87\ql-win32.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\v8_context_snapshot.bin C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\ffmpeg.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\he.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\hu.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\lv.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\pl.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\sw.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\keytar\build\Release\keytar.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\am.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\cs.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\de.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\fil.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\sk.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\msvcp140.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\node-shared-mem\bin\win32-x64-87\node-shared-mem.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\chrome_100_percent.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\chrome_200_percent.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\et.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\tr.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\zh-TW.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\libEGL.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\nb.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\wavoip\build\Release\binding.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\vulkan-1.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\Update.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\mr.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ta.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\windows-focus-assist\build\Release\focus-assist.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\el.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\fi.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\sr.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\node-quarantine\build\Release\binding.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\en-GB.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\fa.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\hi.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\LICENSE C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\bn.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\da.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\pt-BR.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\ql-win32\build\Release\binding.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\it.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\lt.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\wavoip\bin\win32-x64-87\wavoip.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\windows-notification-state\bin\win32-x64-87\windows-notification-state.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\vk_swiftshader.dll C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ar.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\id.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ko.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\ru.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\te.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\windows-focus-assist\bin\win32-x64-87\windows-focus-assist.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\windows-quiet-hours\bin\win32-x64-87\windows-quiet-hours.node C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app.ico C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\icudtl.dat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\kn.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\locales\th.pak C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\WhatsApp\WhatsApp plus\app-2.2310.5\resources\app.asar.unpacked\node_modules\wavoip\build\Release\vcruntime140.dll C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\f787cfd.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f787cfe.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f787cfe.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSI7F3E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8086.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Setup\Mpec.mbt C:\Users\Public\whapps\u9999.exe N/A
File created C:\Windows\Setup\spolsvt.exe C:\Users\Public\whapps\u9999.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8866.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Setup\VVvrst.exe C:\Users\Public\whapps\u9999.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f787cfd.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8181.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI846F.tmp C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Public\whapps\u9999.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A
N/A N/A C:\WINDOWS\Setup\spolsvt.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Public\whapps\u9999.exe N/A
N/A N/A C:\Users\Public\whapps\u9999.exe N/A
N/A N/A C:\Users\Public\Documents\123\VVvrst.exe N/A
N/A N/A C:\Users\Public\Documents\123\VVvrst.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1964 wrote to memory of 2804 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1964 wrote to memory of 2804 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1964 wrote to memory of 2804 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1964 wrote to memory of 2804 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1964 wrote to memory of 2804 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1964 wrote to memory of 2804 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1964 wrote to memory of 2804 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1964 wrote to memory of 2376 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1964 wrote to memory of 2376 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1964 wrote to memory of 2376 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1964 wrote to memory of 2376 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1964 wrote to memory of 2376 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1964 wrote to memory of 2376 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1964 wrote to memory of 2376 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2804 wrote to memory of 1968 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\whapps\u9999.exe
PID 2804 wrote to memory of 1968 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\whapps\u9999.exe
PID 2804 wrote to memory of 1968 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\whapps\u9999.exe
PID 2804 wrote to memory of 1968 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\whapps\u9999.exe
PID 2344 wrote to memory of 2768 N/A C:\Users\Public\Documents\123\VVvrst.exe C:\WINDOWS\Setup\spolsvt.exe
PID 2344 wrote to memory of 2768 N/A C:\Users\Public\Documents\123\VVvrst.exe C:\WINDOWS\Setup\spolsvt.exe
PID 2344 wrote to memory of 2768 N/A C:\Users\Public\Documents\123\VVvrst.exe C:\WINDOWS\Setup\spolsvt.exe
PID 2344 wrote to memory of 2768 N/A C:\Users\Public\Documents\123\VVvrst.exe C:\WINDOWS\Setup\spolsvt.exe
PID 2344 wrote to memory of 2768 N/A C:\Users\Public\Documents\123\VVvrst.exe C:\WINDOWS\Setup\spolsvt.exe
PID 2344 wrote to memory of 2768 N/A C:\Users\Public\Documents\123\VVvrst.exe C:\WINDOWS\Setup\spolsvt.exe
PID 2344 wrote to memory of 2768 N/A C:\Users\Public\Documents\123\VVvrst.exe C:\WINDOWS\Setup\spolsvt.exe
PID 2344 wrote to memory of 2768 N/A C:\Users\Public\Documents\123\VVvrst.exe C:\WINDOWS\Setup\spolsvt.exe
PID 2344 wrote to memory of 2768 N/A C:\Users\Public\Documents\123\VVvrst.exe C:\WINDOWS\Setup\spolsvt.exe
PID 2344 wrote to memory of 2768 N/A C:\Users\Public\Documents\123\VVvrst.exe C:\WINDOWS\Setup\spolsvt.exe
PID 2344 wrote to memory of 2768 N/A C:\Users\Public\Documents\123\VVvrst.exe C:\WINDOWS\Setup\spolsvt.exe
PID 2344 wrote to memory of 2768 N/A C:\Users\Public\Documents\123\VVvrst.exe C:\WINDOWS\Setup\spolsvt.exe
PID 1968 wrote to memory of 3048 N/A C:\Users\Public\whapps\u9999.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 3048 N/A C:\Users\Public\whapps\u9999.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 3048 N/A C:\Users\Public\whapps\u9999.exe C:\Windows\SysWOW64\cmd.exe
PID 1968 wrote to memory of 3048 N/A C:\Users\Public\whapps\u9999.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\tdesk_桌面端App Store.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A73C27A4F517A447B624A12471D9AD85 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003DC" "00000000000004C8"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 3F96D68159C05F7D86782E1CB10F28BA

C:\Users\Public\whapps\u9999.exe

"C:\Users\Public\whapps\u9999.exe"

C:\Users\Public\Documents\123\VVvrst.exe

"C:\Users\Public\Documents\123\VVvrst.exe"

C:\WINDOWS\Setup\spolsvt.exe

C:\WINDOWS\Setup\spolsvt.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c del u9999.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 ssqqfp5fdg5df41.oss-cn-hongkong.aliyuncs.com udp
HK 47.75.18.141:443 ssqqfp5fdg5df41.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 mc.wccabc.com udp
HK 103.68.181.221:3927 mc.wccabc.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\MSIBE9E.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSIBE9E.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIC054.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSIC054.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIC0E1.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSIC0E1.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIC0E1.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIC18E.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSIC18E.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIC269.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSIC269.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIC364.tmp

MD5 48c25fba873a341b914652763cbc4f7b
SHA1 98b51420e26829bb96a963e4fb897db733c76fc0
SHA256 4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd
SHA512 c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68

\Users\Admin\AppData\Local\Temp\MSIC364.tmp

MD5 48c25fba873a341b914652763cbc4f7b
SHA1 98b51420e26829bb96a963e4fb897db733c76fc0
SHA256 4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd
SHA512 c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68

C:\Users\Admin\AppData\Local\Temp\MSIC42F.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSIC42F.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIC4DC.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSIC4DC.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI1740.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSI1740.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI17ED.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI17ED.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSI17ED.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSI1916.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI1916.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSI7F3E.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Windows\Installer\MSI7F3E.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSI8086.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Windows\Installer\MSI8086.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSI8181.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Windows\Installer\MSI8181.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSI846F.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Windows\Installer\MSI846F.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Program Files (x86)\WhatsApp\WhatsApp plus\WhatsApp.exe

MD5 ca99a1d65cc0da14c3248bccf09dc947
SHA1 a44d48b511a6d6b1bd9d9d0a4ca385a2ba4bb50a
SHA256 dda16363fb508dde8ef6b1ab2089ae22323e3c768d100e7ec6b5e217c65b304b
SHA512 7e8a5b8612477c29338e9f6edef7496c8647e2a3bf59aaf8ca0aa65b2bea3adb34c47dc4edde38071f2d44125431af64e9df149d6837f5bf80eca98c21ea3908

C:\Config.Msi\f787cff.rbs

MD5 94abd51b338324af9b78e13a36fceaaa
SHA1 438ebf6d5e3d71dc14abf7b8923ec82985700a0c
SHA256 a64a329cef423bdcbc5490891d0e3667548a2b40192c1cb1ead249ca47edfbef
SHA512 b4b6f62202aca1637f0fde3438b1acbdb7af84d0a2b841bbf89062afc758383a3bd93d99b1e3b4849456d8f0bc4d82cf950ac39e769871d5444f439f7eecb870

C:\Users\Admin\AppData\Local\Temp\MSIA762.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSIA762.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Public\whapps\u9999.exe

MD5 58a47b55faeaba38c6539f18c3d209bc
SHA1 d81ceb07ee1d58a9668693d652aafaa1e7144740
SHA256 9ddb509ab674253832347279251d6404d9d2286d15c9e2cb424b409f4af5ba69
SHA512 aece27ed14070d1a582bcea7eae22e123ce04d84bd6becd30d9c85b52d2ec37f51a2efa18cf99109d850a6eed1e59a0aad35b7d92357839e75418862d0d05756

memory/2804-247-0x00000000029D0000-0x0000000002B0B000-memory.dmp

C:\Users\Public\whapps\u9999.exe

MD5 58a47b55faeaba38c6539f18c3d209bc
SHA1 d81ceb07ee1d58a9668693d652aafaa1e7144740
SHA256 9ddb509ab674253832347279251d6404d9d2286d15c9e2cb424b409f4af5ba69
SHA512 aece27ed14070d1a582bcea7eae22e123ce04d84bd6becd30d9c85b52d2ec37f51a2efa18cf99109d850a6eed1e59a0aad35b7d92357839e75418862d0d05756

memory/2804-266-0x00000000029D0000-0x0000000002B0B000-memory.dmp

memory/1968-268-0x0000000000400000-0x000000000053B000-memory.dmp

memory/1968-267-0x0000000000400000-0x000000000053B000-memory.dmp

C:\Users\Public\Documents\123\VVvrst.exe

MD5 424ff1d8ad9ae0ca532288b108c6895f
SHA1 bd1c09ec313232b7fe9666f90eae7a2a9879397e
SHA256 a2cd828241945e29cc4064037f5feffc17e5d701a3b8af1e295be855f5211134
SHA512 af5ef553eb1e906814efc95ff5bbc4324c9367a78fde2bca6761de3c2cfe0c63d67b141e0cba5d318fc507149326d0ac6a23d7445d2d888c449b0d7394846a10

C:\Users\Public\Documents\123\VVvrst.exe

MD5 424ff1d8ad9ae0ca532288b108c6895f
SHA1 bd1c09ec313232b7fe9666f90eae7a2a9879397e
SHA256 a2cd828241945e29cc4064037f5feffc17e5d701a3b8af1e295be855f5211134
SHA512 af5ef553eb1e906814efc95ff5bbc4324c9367a78fde2bca6761de3c2cfe0c63d67b141e0cba5d318fc507149326d0ac6a23d7445d2d888c449b0d7394846a10

C:\WINDOWS\Setup\Mpec.mbt

MD5 650f7c72b980a9943bac191ef10bf1bc
SHA1 43342174e5b7ca88734c21e9f2b343a61588cfb5
SHA256 2d5de7bee22823475e3518098822634b21fcd3b91f6e46cc1c15b1eea3e843cc
SHA512 0627ddce88095cafbafb58e94525ae167a5de72a81d5649dfe398e05004b8515d010867c6f089438bb330c75bd2440545cbdc8bfa825713a96b0fcee8ffaf096

C:\WINDOWS\Setup\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

\Windows\Setup\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/2768-274-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2768-276-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2768-278-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2344-280-0x0000000000400000-0x0000000000D5F000-memory.dmp

memory/2768-282-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2768-285-0x0000000000400000-0x0000000000430000-memory.dmp

memory/2768-286-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2768-290-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Windows\Setup\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/2768-291-0x0000000010000000-0x000000001002A000-memory.dmp

memory/1968-296-0x0000000000400000-0x000000000053B000-memory.dmp

C:\Users\Public\whapps\u9999.exe

MD5 58a47b55faeaba38c6539f18c3d209bc
SHA1 d81ceb07ee1d58a9668693d652aafaa1e7144740
SHA256 9ddb509ab674253832347279251d6404d9d2286d15c9e2cb424b409f4af5ba69
SHA512 aece27ed14070d1a582bcea7eae22e123ce04d84bd6becd30d9c85b52d2ec37f51a2efa18cf99109d850a6eed1e59a0aad35b7d92357839e75418862d0d05756

C:\Users\Admin\AppData\Local\Temp\MSIDB7D.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSIDB7D.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

memory/2344-302-0x0000000000400000-0x0000000000D5F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-03 09:11

Reported

2023-08-03 09:50

Platform

win10v2004-20230703-en

Max time kernel

150s

Max time network

143s

Command Line

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\tdesk_桌面端App Store.msi"

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4888 wrote to memory of 5048 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4888 wrote to memory of 5048 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4888 wrote to memory of 5048 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\tdesk_桌面端App Store.msi"

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5838D93852A84C01BF77514B54CE4B81 C

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 212.166.122.92.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 63.141.182.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MSI2016.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI2016.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI32D4.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI32D4.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI33EE.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI33EE.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI33EE.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI34AA.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI34AA.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI3548.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI3548.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI37C9.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI37C9.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI3838.tmp

MD5 48c25fba873a341b914652763cbc4f7b
SHA1 98b51420e26829bb96a963e4fb897db733c76fc0
SHA256 4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd
SHA512 c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68

C:\Users\Admin\AppData\Local\Temp\MSI3838.tmp

MD5 48c25fba873a341b914652763cbc4f7b
SHA1 98b51420e26829bb96a963e4fb897db733c76fc0
SHA256 4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd
SHA512 c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68

C:\Users\Admin\AppData\Local\Temp\MSI3962.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI3962.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI39B1.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI39B1.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9