Malware Analysis Report

2025-03-15 03:52

Sample ID 230810-m1jb4aea2s
Target TGx-64.msi
SHA256 05f367011689dd5ca1be21e664d913dff20e0dbe00b641f1adbf7bcd587d3a6c
Tags
fatalrat infostealer persistence rat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

05f367011689dd5ca1be21e664d913dff20e0dbe00b641f1adbf7bcd587d3a6c

Threat Level: Known bad

The file TGx-64.msi was found to be: Known bad.

Malicious Activity Summary

fatalrat infostealer persistence rat

FatalRat

Fatal Rat payload

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Enumerates connected drives

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-08-10 10:56

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-08-10 10:55

Reported

2023-08-10 11:01

Platform

win10v2004-20230703-en

Max time kernel

241s

Max time network

299s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TGx-64.msi

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A
N/A N/A C:\WINDOWS\DNomb\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\系统组件 = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe" C:\WINDOWS\DNomb\spolsvt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\PTvrst.exe" C:\Users\Public\Documents\123\PTvrst.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3416 set thread context of 436 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 436 set thread context of 3432 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_1 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\spoiler\text C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\467D828013FC9E09s C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\key_datas C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\user_data\cache\version C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_5 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\Telegram.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\log.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\D877F783D5D3EF8Cs C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\DB65164DA6E632FFs C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\Updater.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_0 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_2 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_4 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_6 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\shortcuts-default.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_0 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_4 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_6 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\user_data\media_cache\version C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\unins000.dat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\384D52C44F53623Ds C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_1 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_3 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\prefix C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\settingss C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\shortcuts-custom.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\unins000.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\D877F783D5D3EF8C\configs C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_2 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_3 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\usertag C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\countries C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\D877F783D5D3EF8C\maps C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_5 C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI5772.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI584D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DNomb\Mpec.mbt C:\Users\Public\haixia\usb.exe N/A
File opened for modification C:\Windows\Installer\MSI5F36.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DNomb\spolsvt.exe C:\Users\Public\haixia\usb.exe N/A
File opened for modification C:\Windows\Installer\MSI588D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{7F1B75D6-84D3-4544-83F1-D38737C3C8F4} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e585668.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DNomb\PTvrst.exe C:\Users\Public\haixia\usb.exe N/A
File created C:\Windows\Installer\e585668.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5978.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings C:\Users\Public\haixia\usb.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A
N/A N/A C:\WINDOWS\DNomb\spolsvt.exe N/A
N/A N/A C:\WINDOWS\DNomb\spolsvt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2892 wrote to memory of 2848 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2892 wrote to memory of 2848 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2892 wrote to memory of 2848 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2892 wrote to memory of 3124 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2892 wrote to memory of 3124 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2892 wrote to memory of 3368 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2892 wrote to memory of 3368 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2892 wrote to memory of 3368 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2848 wrote to memory of 4664 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\haixia\usb.exe
PID 2848 wrote to memory of 4664 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\haixia\usb.exe
PID 2848 wrote to memory of 4664 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\haixia\usb.exe
PID 3416 wrote to memory of 436 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 3416 wrote to memory of 436 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 3416 wrote to memory of 436 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 3416 wrote to memory of 436 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 3416 wrote to memory of 436 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 3416 wrote to memory of 436 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 3416 wrote to memory of 436 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 3416 wrote to memory of 436 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 3416 wrote to memory of 436 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 436 wrote to memory of 3432 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 436 wrote to memory of 3432 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 436 wrote to memory of 3432 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 436 wrote to memory of 3432 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 436 wrote to memory of 3432 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 436 wrote to memory of 3432 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 436 wrote to memory of 3432 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 436 wrote to memory of 3432 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TGx-64.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding F3076147733809E97405BE188D0C9A00 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 8F5B6A448A178484B44149242E8585D2

C:\Users\Public\haixia\usb.exe

"C:\Users\Public\haixia\usb.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Public\Documents\123\PTvrst.exe

"C:\Users\Public\Documents\123\PTvrst.exe"

C:\WINDOWS\DNomb\spolsvt.exe

C:\WINDOWS\DNomb\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 224.104.207.23.in-addr.arpa udp
US 8.8.8.8:53 sidamingzhu.oss-cn-hongkong.aliyuncs.com udp
HK 47.75.19.12:443 sidamingzhu.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 12.19.75.47.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 pipi.wccabc.com udp
HK 154.23.176.188:3927 pipi.wccabc.com tcp
US 8.8.8.8:53 188.176.23.154.in-addr.arpa udp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\MSI96B2.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI9EF0.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI9FAD.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIA02B.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIA05B.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIA29E.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIA2ED.tmp

MD5 48c25fba873a341b914652763cbc4f7b
SHA1 98b51420e26829bb96a963e4fb897db733c76fc0
SHA256 4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd
SHA512 c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68

C:\Users\Admin\AppData\Local\Temp\MSIA32C.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIA36C.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIDC9E.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIDD3B.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIDE36.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSI5772.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSI584D.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSI588D.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSI5978.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Program Files (x86)\Telegram中文版\Telegram.exe

MD5 dffd0738bc474639bed3a895498e4a71
SHA1 7025e03fd682fb74bccb0911fd1de6a35383b129
SHA256 090e1109df7fa7fce8b76d34028111b2a62ef48170d9b214191023de2d441f46
SHA512 588e3972d6f9816b6022c496eaf3d246badb39380ce6e0703ab43cd7e9210ce036e524c8b7d82016a2dff4ae94e18b9a5d8ba25174c134919c6205b30f85ba5e

C:\Config.Msi\e585669.rbs

MD5 843ead28eb5297b2af08b906c8322783
SHA1 b5dc5fb6f615f029c802f7647ed238abca68056f
SHA256 66b78385a9e61f587e9053d818c49abb71ad8b58c1a5396c5cc68fef46de18fe
SHA512 3eebd52093808c6ef4039e43ccde7e02b76b31376e9e42a0d73365cf248ca434e350e3e79d00adae0d09d427b36b9f1264b3c92bfbccdb1094f4d0cb19d613f8

C:\Users\Admin\AppData\Local\Temp\MSI6EDE.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Public\haixia\usb.exe

MD5 c0b89095eac7d60bd1d2018dc6000550
SHA1 9a56f862f787d4b8a7bd0ca248ae029f07a0988a
SHA256 f9b4a0e6e51e6857ee34657a722f38feb7ede30fbf9418f92da23c083952b5b2
SHA512 8e71204234e0e0186120e8f5b1ffc9ca4a531802b2f1f414def4339551dccea9755c7438d036f7020ee464bdcd25602a2938a9e4fd406df438b7369c95afec2d

memory/4664-276-0x0000000000400000-0x0000000000A5C000-memory.dmp

memory/4664-277-0x0000000077044000-0x0000000077046000-memory.dmp

memory/4664-278-0x0000000000400000-0x0000000000A5C000-memory.dmp

memory/4664-279-0x0000000004B60000-0x0000000004B61000-memory.dmp

memory/4664-280-0x0000000004B90000-0x0000000004B91000-memory.dmp

memory/4664-281-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

memory/4664-286-0x0000000004B50000-0x0000000004B52000-memory.dmp

memory/4664-285-0x0000000004C10000-0x0000000004C11000-memory.dmp

memory/4664-287-0x0000000004B80000-0x0000000004B81000-memory.dmp

memory/4664-288-0x0000000004C00000-0x0000000004C01000-memory.dmp

memory/4664-289-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

memory/4664-282-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

\??\Volume{8edfd87d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{55422517-9fd5-4848-95ee-c588d1921afb}_OnDiskSnapshotProp

MD5 4b4e91c80adfe4772ef62d374be9a35c
SHA1 cead53f71befd8a0bc7be09de3d01a84eebf0e41
SHA256 502828ea8673447972657dee4c27761087684350d98628cbb4bd75230916035d
SHA512 a2b27e679130314fd2ad220bcc3f5e313150c17aff49ff76833dd95c48a286a63017745e42094e609300d356fb9127ae19d9483a32c060e6307e03fc0cbfd161

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 7a58c348535284373981b47ff7f5b100
SHA1 71c71e541aff847e5bc4b8829e7b2735860e1203
SHA256 3d40d318db56bfd362e9b0a9458d69f351ed8884525f9f8d3c279d6151320f59
SHA512 7dad8d2f6d872df59cd7f1a74359db4889db4f9868e83839776851cf54562a86b7b87d00a366c79a82f4c0ed4fddee59a507baac741ee2c12623d6f48d7797a6

memory/4664-301-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

memory/4664-303-0x0000000004E20000-0x0000000004E22000-memory.dmp

memory/4664-305-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

memory/4664-304-0x0000000004B70000-0x0000000004B71000-memory.dmp

memory/4664-306-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

memory/4664-307-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

memory/4664-302-0x0000000004C30000-0x0000000004C31000-memory.dmp

memory/4664-308-0x0000000004CF0000-0x0000000004CF1000-memory.dmp

memory/4664-309-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

memory/4664-311-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

memory/4664-310-0x0000000004C90000-0x0000000004C91000-memory.dmp

memory/4664-313-0x0000000000400000-0x0000000000A5C000-memory.dmp

memory/4664-315-0x0000000000400000-0x0000000000A5C000-memory.dmp

C:\Users\Public\Documents\123\PTvrst.exe

MD5 d22cfb5bfaeb1503b12b07e53ef0a149
SHA1 8ea2c85e363f551a159fabd65377affed4e417a1
SHA256 260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360
SHA512 151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

memory/4664-318-0x0000000000400000-0x0000000000A5C000-memory.dmp

memory/4664-319-0x0000000000400000-0x0000000000A5C000-memory.dmp

memory/3416-320-0x0000000000400000-0x00000000006A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSIB3A8.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

memory/3416-325-0x00000000047F0000-0x00000000047F1000-memory.dmp

memory/3416-326-0x0000000004750000-0x0000000004751000-memory.dmp

memory/3416-327-0x00000000047A0000-0x00000000047A1000-memory.dmp

memory/3416-328-0x0000000004780000-0x0000000004781000-memory.dmp

memory/3416-329-0x00000000047E0000-0x00000000047E2000-memory.dmp

memory/3416-330-0x0000000004760000-0x0000000004761000-memory.dmp

memory/3416-331-0x0000000004800000-0x0000000004801000-memory.dmp

memory/3416-333-0x00000000047C0000-0x00000000047C1000-memory.dmp

memory/3416-332-0x0000000004790000-0x0000000004791000-memory.dmp

memory/3416-334-0x00000000047B0000-0x00000000047B1000-memory.dmp

memory/3416-335-0x0000000004810000-0x0000000004811000-memory.dmp

memory/3416-336-0x0000000004870000-0x0000000004871000-memory.dmp

memory/3416-338-0x0000000004850000-0x0000000004851000-memory.dmp

memory/3416-337-0x0000000004740000-0x0000000004741000-memory.dmp

memory/3416-339-0x0000000000400000-0x00000000006A2000-memory.dmp

memory/3416-341-0x0000000004880000-0x0000000004881000-memory.dmp

memory/3416-340-0x00000000048F0000-0x00000000048F1000-memory.dmp

C:\WINDOWS\DNomb\Mpec.mbt

MD5 1d294165b61163c73a5379ca4f388d67
SHA1 10ff3c414046c66243b27c4842498f9b44ca1549
SHA256 d31736379a57748afdac7c17437f8506068c9f19e0952ce0421eeb88ad4c2a44
SHA512 d16f086ef3bab1c33529d6c7322159c84db2852288bbfd33f650aa632b6b43ede15e041be100c163a42e18e7ef759e52558b373cee5222cc5b2d3f04a456d3ee

memory/436-344-0x0000000000400000-0x0000000000516000-memory.dmp

memory/436-345-0x0000000000400000-0x0000000000516000-memory.dmp

memory/436-346-0x0000000000400000-0x0000000000516000-memory.dmp

memory/436-347-0x0000000000400000-0x0000000000516000-memory.dmp

C:\WINDOWS\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

C:\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/436-352-0x0000000000400000-0x0000000000516000-memory.dmp

memory/436-351-0x0000000000400000-0x0000000000516000-memory.dmp

memory/3432-357-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3432-358-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3432-359-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/3432-363-0x0000000000400000-0x0000000000430000-memory.dmp

memory/3432-364-0x0000000010000000-0x000000001002A000-memory.dmp

memory/3416-369-0x0000000000400000-0x00000000006A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSIF68E.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

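The listing above records the same SHA256 under several rotating MSI<hex>.tmp names and repeats whole records. The Python below is an added example, not part of the sandbox report: it parses records in the format shown (a constructed subset of the paths and digests above is embedded inline so it runs offline), collapses repeated records, reports which hashes were written under more than one name, and separates Windows Installer staging files from the paths worth sweeping other hosts for. The staging-file rule (a basename of MSI plus four hex digits plus .tmp) is an assumption about Windows Installer naming, not something the report states.

```python
"""Group a sandbox 'Files' listing by content hash.

Added example, not part of the sandbox report. The records below are a
constructed subset copied from the listing above (paths and digests), so
the script runs offline; the parsing and grouping are generic.
"""
import re
from collections import defaultdict

FILE_LISTING = r"""
C:\Users\Admin\AppData\Local\Temp\MSIA2ED.tmp
MD5 48c25fba873a341b914652763cbc4f7b
SHA1 98b51420e26829bb96a963e4fb897db733c76fc0
SHA256 4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd
SHA512 c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68
C:\Users\Admin\AppData\Local\Temp\MSIA32C.tmp
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
C:\Windows\Installer\MSI5772.tmp
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
C:\Users\Admin\AppData\Local\Temp\MSIDC9E.tmp
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
C:\Windows\Installer\MSI588D.tmp
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
C:\Program Files (x86)\Telegram中文版\Telegram.exe
SHA256 090e1109df7fa7fce8b76d34028111b2a62ef48170d9b214191023de2d441f46
C:\Users\Public\haixia\usb.exe
SHA256 f9b4a0e6e51e6857ee34657a722f38feb7ede30fbf9418f92da23c083952b5b2
C:\Users\Public\haixia\usb.exe
SHA256 f9b4a0e6e51e6857ee34657a722f38feb7ede30fbf9418f92da23c083952b5b2
C:\Users\Public\Documents\123\PTvrst.exe
SHA256 260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360
C:\WINDOWS\DNomb\spolsvt.exe
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
C:\Users\Public\Documents\t\spolsvt.exe
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
"""

SHA256_RE = re.compile(r"^SHA256\s+([0-9a-f]{64})$")
OTHER_DIGEST_RE = re.compile(r"^(MD5|SHA1|SHA512)\s+[0-9a-f]+$")
# Assumption: Windows Installer names its staging files MSI<4 hex>.tmp
# (in %TEMP% and C:\Windows\Installer); the report does not say so.
STAGING_RE = re.compile(r"\\MSI[0-9A-F]{4}\.tmp$", re.IGNORECASE)


def group_by_sha256(listing):
    """Map SHA256 -> ordered list of distinct paths carrying that hash."""
    groups = defaultdict(list)
    current_path = None
    for raw in listing.splitlines():
        line = raw.strip()
        if not line or OTHER_DIGEST_RE.match(line):
            continue
        m = SHA256_RE.match(line)
        if m is None:
            current_path = line          # any other non-blank line is a path
            continue
        if current_path is None:
            raise ValueError(f"digest without a preceding path: {line}")
        paths = groups[m.group(1)]
        if current_path not in paths:    # collapse repeated records
            paths.append(current_path)
    return dict(groups)


def shared_hashes(groups):
    """Hashes that were written under more than one path (renamed copies)."""
    return {h: p for h, p in groups.items() if len(p) > 1}


def hunt_candidates(groups):
    """(path, sha256) pairs that are not Windows Installer staging files."""
    return [(path, sha) for sha, paths in groups.items()
            for path in paths if not STAGING_RE.search(path)]


if __name__ == "__main__":
    g = group_by_sha256(FILE_LISTING)
    for sha, paths in shared_hashes(g).items():
        print(sha, "->", paths)
    for path, sha in hunt_candidates(g):
        print(f"{sha}  {path}")
```

Running it shows e9e426...ceb240 and ac2df3...d8787f each under two paths (a %TEMP% name and a C:\Windows\Installer name), which is the installer re-staging the same temporary files, while the five non-staging paths (the Telegram.exe the installer drops, usb.exe, PTvrst.exe and both spolsvt.exe copies) are the ones to sweep for on other hosts.
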
Analysis: behavioral1

Detonation Overview

Submitted

2023-08-10 10:55

Reported

2023-08-10 11:01

Platform

win7-20230712-en

Max time kernel

292s

Max time network

294s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TGx-64.msi

Signatures

Downloads MZ/PE file

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\PTvrst.exe" C:\Users\Public\Documents\123\PTvrst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\系统组件 = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe" C:\WINDOWS\DNomb\spolsvt.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\系统组件 = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe" C:\WINDOWS\DNomb\spolsvt.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1636 set thread context of 956 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1284 set thread context of 1720 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 956 set thread context of 1492 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 1720 set thread context of 2532 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
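
The Run-key table and the SetThreadContext table above describe the persistence and the injection chain one row at a time. The Python below is an added example, not from the report or the sandbox: it parses rows in exactly the format shown (copied inline as constructed input; the second Run value name is written as 系统组件, the GBK text behind the garbled name the sandbox prints), rebuilds the PID chain PTvrst.exe -> DNomb\spolsvt.exe -> Documents\t\spolsvt.exe by following each source PID to its target, and checks which Run-key targets actually executed during this detonation.

```python
"""Rebuild persistence targets and the SetThreadContext chain from
sandbox signature rows.

Added example, not from the report. The rows are copied from the tables
above as constructed input; the second Run value name is 系统组件, the
GBK text behind the garbled name the sandbox printed.
"""
import re

RUN_KEY_ROWS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\PTvrst.exe" C:\Users\Public\Documents\123\PTvrst.exe N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\系统组件 = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe" C:\WINDOWS\DNomb\spolsvt.exe N/A',
]
THREAD_CONTEXT_ROWS = [
    r"PID 1636 set thread context of 956 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe",
    r"PID 1284 set thread context of 1720 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe",
    r"PID 956 set thread context of 1492 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe",
    r"PID 1720 set thread context of 2532 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe",
]

# Row layout is "Description Indicator Process Target"; Target is N/A here.
RUN_RE = re.compile(
    r'^Set value \(str\) (?P<key>\\REGISTRY\\.+)\\(?P<name>[^\\ ]+) = '
    r'"(?P<data>[^"]*)" (?P<proc>\S+) N/A$'
)
CTX_RE = re.compile(
    r"^PID (?P<src>\d+) set thread context of (?P<dst>\d+) N/A "
    r"(?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def parse_run_keys(rows):
    """Return dicts with key, value name, target path and writing process."""
    out = []
    for row in rows:
        m = RUN_RE.match(row)
        if m is None:
            raise ValueError(f"unrecognised Run key row: {row}")
        out.append({
            "key": m["key"],
            "name": m["name"],
            # the sandbox doubles backslashes inside quoted string data
            "target": m["data"].replace("\\\\", "\\"),
            "writer": m["proc"],
        })
    return out


def parse_thread_context(rows):
    """Return one event per row: source/destination PIDs and images."""
    out = []
    for row in rows:
        m = CTX_RE.match(row)
        if m is None:
            raise ValueError(f"unrecognised SetThreadContext row: {row}")
        out.append({"src_pid": int(m["src"]), "dst_pid": int(m["dst"]),
                    "src_img": m["src_img"], "dst_img": m["dst_img"]})
    return out


def injection_chains(events):
    """Follow src -> dst edges from every root PID (one that is never a
    destination) to the end of its chain; elements are (pid, image)."""
    by_src = {e["src_pid"]: e for e in events}
    destinations = {e["dst_pid"] for e in events}
    chains = []
    for e in events:
        if e["src_pid"] in destinations:
            continue
        chain = [(e["src_pid"], e["src_img"])]
        cur, seen = e, set()
        while cur is not None and cur["dst_pid"] not in seen:
            seen.add(cur["dst_pid"])
            chain.append((cur["dst_pid"], cur["dst_img"]))
            cur = by_src.get(cur["dst_pid"])
        chains.append(chain)
    return chains


def run_targets_seen_executing(run_keys, chains):
    """Run-key targets whose path (case-insensitive) appears in a chain."""
    images = {img.lower() for chain in chains for _, img in chain}
    return {rk["target"] for rk in run_keys if rk["target"].lower() in images}


if __name__ == "__main__":
    keys = parse_run_keys(RUN_KEY_ROWS)
    chains = injection_chains(parse_thread_context(THREAD_CONTEXT_ROWS))
    for chain in chains:
        print(" -> ".join(f"{pid}:{basename(img)}" for pid, img in chain))
    ran = run_targets_seen_executing(keys, chains)
    for rk in keys:
        status = "ran" if rk["target"] in ran else "not seen running"
        print(f'Run\\{rk["name"]} -> {rk["target"]} ({status}; set by {basename(rk["writer"])})')
```

The cross-check shows that the Therecontinuous value points at C:\WINDOWS\DNomb\PTvrst.exe, a copy that usb.exe creates (see "Drops file in Windows directory") but that never appears in the injection chain during this run, while the 系统组件 value points at the C:\Users\Public\Documents\123\PTvrst.exe that did run; a host sweep should look for both PTvrst.exe locations and both Run value names.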

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_2 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_4 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\settingss C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_0 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\prefix C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\shortcuts-default.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\Updater.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\D877F783D5D3EF8C\maps C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_5 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_3 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_5 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_6 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\usertag C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\384D52C44F53623Ds C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\467D828013FC9E09s C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\D877F783D5D3EF8C\configs C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_6 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_4 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\D877F783D5D3EF8Cs C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\unins000.dat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\user_data\cache\version C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\unins000.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\log.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\countries C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_0 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\key_datas C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\shortcuts-custom.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\Telegram.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\DB65164DA6E632FFs C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_1 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_3 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_2 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\spoiler\text C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_1 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\user_data\media_cache\version C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f77a8ae.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB10A.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f77a8af.ipi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DNomb\spolsvt.exe C:\Users\Public\haixia\usb.exe N/A
File created C:\Windows\DNomb\PTvrst.exe C:\Users\Public\haixia\usb.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSIAEC8.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\MSIAA53.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f77a8ae.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DNomb\Mpec.mbt C:\Users\Public\haixia\usb.exe N/A
File opened for modification C:\Windows\Installer\MSIAB3E.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f77a8af.ipi C:\Windows\system32\msiexec.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D C:\Windows\system32\msiexec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Windows\system32\msiexec.exe N/A 2
N/A N/A C:\Users\Public\haixia\usb.exe N/A 5
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A 2
N/A N/A C:\WINDOWS\DNomb\spolsvt.exe N/A 4
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A 51

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Logged writes
PID 1688 wrote to memory of 2996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe 7
PID 1688 wrote to memory of 864 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe 7
PID 2996 wrote to memory of 3012 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\haixia\usb.exe 4
PID 1636 wrote to memory of 956 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe 13
PID 1284 wrote to memory of 1720 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe 13
PID 956 wrote to memory of 1492 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe 12
PID 1720 wrote to memory of 2532 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe 8
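The rows above read better as chains than one write at a time. Parent-to-child writes made during ordinary process creation are logged here as well as true injection, so msiexec.exe (1688) writing into its two SysWOW64 MsiExec.exe custom-action servers (2996, 864) is the normal Windows Installer pattern. The rows that matter are MsiExec.exe (2996) into C:\Users\Public\haixia\usb.exe (3012), and PTvrst.exe (1636, 1284) into C:\WINDOWS\DNomb\spolsvt.exe (956, 1720), which in turn writes into a second spolsvt.exe under C:\Users\Public\Documents\t (1492, 2532). The Python below is an added example and not part of the sandbox output: it parses rows in this table's format and rebuilds the writer-to-target chains with write counts. The embedded rows are an excerpt copied from the table, and the rule that flags any chain touching C:\Users\Public is this example's own assumption.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Excerpt of rows copied from the WriteProcessMemory table above (constructed
# subset: one row per distinct writer/target pair, two rows for 1688 -> 2996).
SAMPLE_ROWS = r"""
PID 1688 wrote to memory of 2996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1688 wrote to memory of 2996 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1688 wrote to memory of 864 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2996 wrote to memory of 3012 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\haixia\usb.exe
PID 1636 wrote to memory of 956 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 1284 wrote to memory of 1720 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 956 wrote to memory of 1492 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
PID 1720 wrote to memory of 2532 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe
"""

ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)")

# Assumed rule for this example: nothing legitimate in this chain should be
# executing from the Public profile folder.
PUBLIC_PREFIX = "c:\\users\\public\\"


def parse_rows(text):
    """Parse report rows into (edge_counts, images): edge_counts maps
    (writer_pid, target_pid) -> number of logged writes, images maps PID -> path."""
    edges = Counter()
    images = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        writer, target, writer_img, target_img = m.groups()
        writer, target = int(writer), int(target)
        edges[(writer, target)] += 1
        images[writer] = writer_img
        images[target] = target_img
    return edges, images


def injection_chains(edges):
    """Return every root-to-leaf PID chain, roots being writers that were
    never themselves written to (the process where each chain starts)."""
    children = defaultdict(list)
    for writer, target in edges:
        children[writer].append(target)
    targets = {target for _, target in edges}
    roots = sorted({writer for writer, _ in edges if writer not in targets})
    chains = []

    def walk(pid, path):
        if not children[pid]:
            chains.append(path)
            return
        for child in sorted(children[pid]):
            walk(child, path + [child])

    for root in roots:
        walk(root, [root])
    return chains


def describe(chains, edges, images):
    """Render each chain as 'image(pid) -[n writes]-> image(pid) ...'."""
    lines = []
    for chain in chains:
        text = f"{ntpath.basename(images[chain[0]])}({chain[0]})"
        for a, b in zip(chain, chain[1:]):
            text += f" -[{edges[(a, b)]} writes]-> {ntpath.basename(images[b])}({b})"
        lines.append(text)
    return lines


def flag_public_chains(chains, images):
    """Keep chains in which any process image lives under the Public folder."""
    return [c for c in chains
            if any(images[p].lower().startswith(PUBLIC_PREFIX) for p in c)]


if __name__ == "__main__":
    edges, images = parse_rows(SAMPLE_ROWS)
    chains = injection_chains(edges)
    for line in describe(chains, edges, images):
        print(line)
    print("chains touching C:\\Users\\Public:", len(flag_public_chains(chains, images)))
```

Run as-is it prints four chains, three of which touch the Public folder; the one that does not is the installer service writing into its second custom-action server (1688 -> 864). In a real hunt the rows would come from the EDR process tree rather than from a sandbox report.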

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TGx-64.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E9D0E133B7B1F0C024D015B603178620 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004A0" "000000000000056C"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 2EE9D9CE57B9A3819146DB71324D221B

C:\Users\Public\haixia\usb.exe

"C:\Users\Public\haixia\usb.exe"

C:\Users\Public\Documents\123\PTvrst.exe

"C:\Users\Public\Documents\123\PTvrst.exe"

C:\Users\Public\Documents\123\PTvrst.exe

"C:\Users\Public\Documents\123\PTvrst.exe"

C:\WINDOWS\DNomb\spolsvt.exe

C:\WINDOWS\DNomb\spolsvt.exe

C:\WINDOWS\DNomb\spolsvt.exe

C:\WINDOWS\DNomb\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 sidamingzhu.oss-cn-hongkong.aliyuncs.com udp
HK 47.75.19.12:443 sidamingzhu.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 pipi.wccabc.com udp
HK 154.23.176.188:3927 pipi.wccabc.com tcp
HK 154.23.176.188:3927 pipi.wccabc.com tcp
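Of the five rows, 8.8.8.8:53 is the sandbox's resolver, and 47.75.19.12 is only the address the bucket hostname resolved to; Alibaba Cloud OSS regional endpoints are shared by every bucket in that region, so the IP is a poor indicator while the bucket hostname sidamingzhu.oss-cn-hongkong.aliyuncs.com is a good one. The usable indicators are that hostname, pipi.wccabc.com, the 154.23.176.188:3927 socket, the dropped executable paths from the process list, and the usb.exe and PTvrst.exe SHA256 values from the Files section. The Python below is an added example and not part of the sandbox report: it runs those indicators over a few constructed log lines in an invented key=value format (not Sysmon's); the sample lines and the match rules are this example's assumptions.

```python
import re

# Indicators taken from this report. 8.8.8.8:53 (sandbox resolver) and
# 47.75.19.12 (shared OSS regional endpoint) are deliberately left out.
C2_SOCKETS = {("154.23.176.188", 3927)}
DOMAINS = {
    "pipi.wccabc.com",
    "sidamingzhu.oss-cn-hongkong.aliyuncs.com",
}
DROPPED_PATHS = {
    "c:\\users\\public\\haixia\\usb.exe",
    "c:\\users\\public\\documents\\123\\ptvrst.exe",
    "c:\\windows\\dnomb\\spolsvt.exe",
    "c:\\users\\public\\documents\\t\\spolsvt.exe",
}
SHA256_HASHES = {
    "f9b4a0e6e51e6857ee34657a722f38feb7ede30fbf9418f92da23c083952b5b2": "usb.exe",
    "260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360": "PTvrst.exe",
}

# Constructed log lines in an invented key=value format (not real Sysmon
# output); values containing spaces are double-quoted.
SAMPLE_LOG = [
    r'event=netconn pid=1492 image=C:\Users\Public\Documents\t\spolsvt.exe dst=154.23.176.188 dport=3927',
    r'event=dns pid=3012 query=sidamingzhu.oss-cn-hongkong.aliyuncs.com',
    r'event=netconn pid=3012 image=C:\Users\Public\haixia\usb.exe dst=47.75.19.12 dport=443',
    r'event=filecreate pid=864 path="C:\Users\Public\haixia\usb.exe" sha256=f9b4a0e6e51e6857ee34657a722f38feb7ede30fbf9418f92da23c083952b5b2',
    r'event=filecreate pid=1688 path="C:\Users\Admin\AppData\Local\Temp\MSI1258.tmp" sha256=e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240',
    r'event=dns pid=1492 query=pipi.wccabc.com.',
    r'event=netconn pid=1492 image=C:\Users\Public\Documents\t\spolsvt.exe dst=8.8.8.8 dport=53',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one key=value line into a dict, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def match_event(ev):
    """Return a list of (indicator_type, indicator) hits for a parsed event."""
    hits = []
    kind = ev.get("event")
    if kind == "netconn":
        sock = (ev.get("dst"), int(ev.get("dport", 0)))
        if sock in C2_SOCKETS:
            hits.append(("c2_socket", f"{sock[0]}:{sock[1]}"))
    elif kind == "dns":
        query = ev.get("query", "").lower().rstrip(".")  # tolerate trailing dot
        if query in DOMAINS:
            hits.append(("domain", query))
    elif kind == "filecreate":
        path = ev.get("path", "").lower()  # NTFS paths are case-insensitive
        if path in DROPPED_PATHS:
            hits.append(("path", path))
        digest = ev.get("sha256", "").lower()
        if digest in SHA256_HASHES:
            hits.append(("sha256", SHA256_HASHES[digest]))
    return hits


def hunt(lines):
    """Return [(line_number, hits)] for every line that matched an indicator."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = match_event(parse_event(line))
        if hits:
            results.append((number, hits))
    return results


if __name__ == "__main__":
    for number, hits in hunt(SAMPLE_LOG):
        print(number, hits)
```

Lines 1, 2, 4 and 6 of the sample match; the OSS endpoint IP, the Google DNS traffic and the installer's own MSI*.tmp file do not, which is the intended split between indicators specific to this sample and infrastructure that many benign hosts also touch.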

Files

Each dropped file is logged once per path form (with and without the drive letter) and in some cases more than once per form; entries with identical hashes are merged below.

Windows Installer temporary files (MSI*.tmp extracted by msiexec.exe):

C:\Users\Admin\AppData\Local\Temp\MSI1258.tmp
C:\Users\Admin\AppData\Local\Temp\MSI1508.tmp
C:\Users\Admin\AppData\Local\Temp\MSI1586.tmp
C:\Users\Admin\AppData\Local\Temp\MSI1671.tmp
C:\Users\Admin\AppData\Local\Temp\MSI1B34.tmp
C:\Users\Admin\AppData\Local\Temp\MSI1BE1.tmp
C:\Windows\Installer\MSIAA53.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSI197E.tmp
C:\Users\Admin\AppData\Local\Temp\MSI23FD.tmp
C:\Users\Admin\AppData\Local\Temp\MSI249A.tmp
C:\Users\Admin\AppData\Local\Temp\MSI25A4.tmp
C:\Users\Admin\AppData\Local\Temp\MSI1199.tmp
C:\Windows\Installer\MSIAB3E.tmp
C:\Windows\Installer\MSIAEC8.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI1A59.tmp

MD5 48c25fba873a341b914652763cbc4f7b
SHA1 98b51420e26829bb96a963e4fb897db733c76fc0
SHA256 4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd
SHA512 c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68

Telegram.exe installed by the package under Program Files (x86) (logged nine times across the two paths below; "中文版" is Chinese for "Chinese edition"):

\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe
C:\Program Files (x86)\Telegram中文版\Telegram.exe

MD5 dffd0738bc474639bed3a895498e4a71
SHA1 7025e03fd682fb74bccb0911fd1de6a35383b129
SHA256 090e1109df7fa7fce8b76d34028111b2a62ef48170d9b214191023de2d441f46
SHA512 588e3972d6f9816b6022c496eaf3d246badb39380ce6e0703ab43cd7e9210ce036e524c8b7d82016a2dff4ae94e18b9a5d8ba25174c134919c6205b30f85ba5e

Windows Installer rollback script:

C:\Config.Msi\f77a8b0.rbs

MD5 2a14467a02a3ce9b2bd7e2547707ed5b
SHA1 5c1867ac657bf085dc7901569eeb5325eacf22b2
SHA256 606b1a1677f6b26a52751a94230d15b2154c57becd7a758c28a69fbebba6d61c
SHA512 fcbbb66b5d11df5afa83225db0551018951dfa950b25fd36e55bca664217334378369428ba1d951bd3161bfa1df121e4fd8acbb797e89a7aa9230a71da257a1b

memory/2996-193-0x0000000002880000-0x0000000002EDC000-memory.dmp

C:\Users\Public\haixia\usb.exe (logged with and without the drive letter)

MD5 c0b89095eac7d60bd1d2018dc6000550
SHA1 9a56f862f787d4b8a7bd0ca248ae029f07a0988a
SHA256 f9b4a0e6e51e6857ee34657a722f38feb7ede30fbf9418f92da23c083952b5b2
SHA512 8e71204234e0e0186120e8f5b1ffc9ca4a531802b2f1f414def4339551dccea9755c7438d036f7020ee464bdcd25602a2938a9e4fd406df438b7369c95afec2d

memory/3012-195-0x0000000000400000-0x0000000000A5C000-memory.dmp

memory/2996-196-0x0000000002880000-0x0000000002EDC000-memory.dmp

memory/3012-197-0x0000000077B10000-0x0000000077B12000-memory.dmp

memory/3012-200-0x0000000000400000-0x0000000000A5C000-memory.dmp

memory/3012-201-0x0000000000400000-0x0000000000A5C000-memory.dmp

memory/3012-202-0x0000000004450000-0x0000000004451000-memory.dmp

memory/3012-204-0x0000000004500000-0x0000000004501000-memory.dmp

memory/3012-206-0x0000000004440000-0x0000000004442000-memory.dmp

memory/3012-205-0x00000000046B0000-0x00000000046B1000-memory.dmp

memory/3012-207-0x0000000004470000-0x0000000004471000-memory.dmp

memory/3012-203-0x0000000004530000-0x0000000004531000-memory.dmp

memory/3012-211-0x00000000044A0000-0x00000000044A1000-memory.dmp

memory/3012-212-0x0000000004540000-0x0000000004541000-memory.dmp

memory/3012-210-0x00000000044D0000-0x00000000044D1000-memory.dmp

memory/3012-213-0x00000000046E0000-0x00000000046E1000-memory.dmp

memory/3012-215-0x0000000004730000-0x0000000004731000-memory.dmp

memory/3012-214-0x00000000048A0000-0x00000000048A2000-memory.dmp

memory/3012-220-0x00000000044C0000-0x00000000044C1000-memory.dmp

memory/3012-219-0x00000000044B0000-0x00000000044B1000-memory.dmp

memory/3012-218-0x0000000004550000-0x0000000004551000-memory.dmp

memory/3012-217-0x0000000004510000-0x0000000004511000-memory.dmp

memory/3012-216-0x0000000004460000-0x0000000004461000-memory.dmp

memory/3012-209-0x0000000004560000-0x0000000004561000-memory.dmp

memory/3012-208-0x0000000004480000-0x0000000004481000-memory.dmp

memory/3012-221-0x0000000004490000-0x0000000004491000-memory.dmp

memory/3012-222-0x0000000000400000-0x0000000000A5C000-memory.dmp

memory/3012-236-0x0000000000400000-0x0000000000A5C000-memory.dmp

memory/3012-249-0x0000000000400000-0x0000000000A5C000-memory.dmp

memory/3012-251-0x0000000004750000-0x0000000004751000-memory.dmp

memory/3012-250-0x00000000046D0000-0x00000000046D1000-memory.dmp

memory/3012-252-0x0000000000400000-0x0000000000A5C000-memory.dmp

memory/3012-253-0x0000000000400000-0x0000000000A5C000-memory.dmp

C:\Users\Public\Documents\123\PTvrst.exe

MD5 d22cfb5bfaeb1503b12b07e53ef0a149
SHA1 8ea2c85e363f551a159fabd65377affed4e417a1
SHA256 260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360
SHA512 151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

memory/1636-255-0x0000000000400000-0x00000000006A2000-memory.dmp

C:\Users\Public\Documents\123\PTvrst.exe

MD5 d22cfb5bfaeb1503b12b07e53ef0a149
SHA1 8ea2c85e363f551a159fabd65377affed4e417a1
SHA256 260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360
SHA512 151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

memory/3012-257-0x00000000044E0000-0x00000000044E1000-memory.dmp

\Users\Admin\AppData\Local\Temp\MSIEC3F.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIEC3F.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

memory/3012-258-0x0000000000400000-0x0000000000A5C000-memory.dmp

memory/1284-264-0x0000000000400000-0x00000000006A2000-memory.dmp

C:\Users\Public\Documents\123\PTvrst.exe

MD5 d22cfb5bfaeb1503b12b07e53ef0a149
SHA1 8ea2c85e363f551a159fabd65377affed4e417a1
SHA256 260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360
SHA512 151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

memory/1636-268-0x00000000009C0000-0x00000000009C1000-memory.dmp

memory/1636-267-0x0000000000400000-0x00000000006A2000-memory.dmp

memory/1636-266-0x0000000004320000-0x0000000004321000-memory.dmp

memory/1636-270-0x0000000004260000-0x0000000004261000-memory.dmp

memory/1636-271-0x0000000004310000-0x0000000004311000-memory.dmp

memory/1636-269-0x00000000042A0000-0x00000000042A1000-memory.dmp

memory/1636-276-0x0000000004230000-0x0000000004231000-memory.dmp

C:\WINDOWS\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

C:\WINDOWS\DNomb\Mpec.mbt

MD5 1d294165b61163c73a5379ca4f388d67
SHA1 10ff3c414046c66243b27c4842498f9b44ca1549
SHA256 d31736379a57748afdac7c17437f8506068c9f19e0952ce0421eeb88ad4c2a44
SHA512 d16f086ef3bab1c33529d6c7322159c84db2852288bbfd33f650aa632b6b43ede15e041be100c163a42e18e7ef759e52558b373cee5222cc5b2d3f04a456d3ee

memory/1636-272-0x0000000004300000-0x0000000004301000-memory.dmp

memory/1636-278-0x00000000042F0000-0x00000000042F2000-memory.dmp

\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/956-277-0x0000000000400000-0x0000000000516000-memory.dmp

memory/1636-280-0x0000000004090000-0x0000000004091000-memory.dmp

memory/1636-282-0x0000000004220000-0x0000000004221000-memory.dmp

memory/1636-284-0x00000000009B0000-0x00000000009B1000-memory.dmp

memory/956-281-0x0000000000400000-0x0000000000516000-memory.dmp

memory/1636-286-0x0000000004280000-0x0000000004281000-memory.dmp

memory/956-285-0x0000000000400000-0x0000000000516000-memory.dmp

memory/1636-288-0x00000000042E0000-0x00000000042E1000-memory.dmp

memory/1636-290-0x00000000042B0000-0x00000000042B1000-memory.dmp

memory/1636-292-0x0000000004330000-0x0000000004331000-memory.dmp

memory/956-291-0x0000000000400000-0x0000000000516000-memory.dmp

memory/1636-294-0x0000000004290000-0x0000000004291000-memory.dmp

memory/1636-296-0x0000000000740000-0x0000000000741000-memory.dmp

memory/956-297-0x0000000000400000-0x0000000000516000-memory.dmp

memory/1636-298-0x0000000004270000-0x0000000004271000-memory.dmp

memory/1636-300-0x00000000042C0000-0x00000000042C1000-memory.dmp

memory/956-303-0x0000000000400000-0x0000000000516000-memory.dmp

memory/1636-302-0x0000000004350000-0x0000000004351000-memory.dmp

memory/956-305-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1636-308-0x0000000000750000-0x0000000000751000-memory.dmp

memory/1636-306-0x0000000004370000-0x0000000004371000-memory.dmp

memory/956-312-0x0000000000400000-0x0000000000516000-memory.dmp

C:\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/1284-313-0x0000000000400000-0x00000000006A2000-memory.dmp

memory/1284-310-0x0000000004320000-0x0000000004321000-memory.dmp

memory/1636-304-0x0000000004380000-0x0000000004381000-memory.dmp

memory/1284-315-0x00000000040D0000-0x00000000040D1000-memory.dmp

memory/1284-316-0x00000000042B0000-0x00000000042B1000-memory.dmp

memory/1284-318-0x0000000004120000-0x0000000004121000-memory.dmp

memory/1284-320-0x0000000004310000-0x0000000004311000-memory.dmp

\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/1284-322-0x0000000004300000-0x0000000004301000-memory.dmp

memory/1284-324-0x0000000004100000-0x0000000004101000-memory.dmp

memory/1492-334-0x0000000000400000-0x0000000000430000-memory.dmp

\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/1492-340-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1492-346-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1492-355-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1492-363-0x0000000000400000-0x0000000000430000-memory.dmp

memory/1636-366-0x0000000000400000-0x00000000006A2000-memory.dmp

memory/1492-365-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Windows\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/1492-376-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

C:\Users\Public\Documents\t\yh.png (zero-byte file: the four digests below are the well-known hashes of empty input, so this is a placeholder, not an image)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

\Users\Admin\AppData\Local\Temp\MSI7EDE.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSI7EDE.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

Analysis: behavioral2

Detonation Overview

Submitted

2023-08-10 10:55

Reported

2023-08-10 11:01

Platform

win10-20230703-en

Max time kernel

232s

Max time network

300s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TGx-64.msi

Signatures

FatalRat

infostealer rat fatalrat

Fatal Rat payload

rat infostealer
Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A
N/A N/A C:\WINDOWS\DNomb\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\PTvrst.exe" C:\Users\Public\Documents\123\PTvrst.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\系统组件 = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe" C:\WINDOWS\DNomb\spolsvt.exe N/A
(The second value name is the GBK-encoded Chinese string 系统组件, "System Component", which the original report rendered as the mojibake ϵͳ×é¼þ; search for both forms when hunting.)
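A host-side check for the persistence entries above and for the dropped files, as an added example that is not part of the sandbox report. It assumes the two Run value names from this table, the dropped paths and SHA256 values from the Files listing earlier on this page, and that the mojibake value name decodes to the GBK string 系统组件 (an assumption, since the report only shows the garbled form). Checking the native HKLM Run key alongside the WOW6432Node view, and matching on value data rather than only on value name, are additions for robustness, not observations from the report.

```powershell
# Added example, not part of the sandbox report: checks a Windows host for the
# Run-key persistence and dropped-file indicators listed in this report.
# Run as Administrator so HKLM and C:\Windows\DNomb are readable. Works offline.

# Run-key views to inspect. The report shows only the WOW6432Node view (the
# droppers are 32-bit); the native view is checked as well, as a precaution.
$runKeyPaths = @(
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Value names from the report. '系统组件' is the assumed decoding of the mojibake.
$runValueNames = @('Therecontinuous', '系统组件')

# Dropped files with the SHA256 values given in the report's Files section.
$iocFiles = @{
    'C:\Users\Public\haixia\usb.exe'           = 'f9b4a0e6e51e6857ee34657a722f38feb7ede30fbf9418f92da23c083952b5b2'
    'C:\Users\Public\Documents\123\PTvrst.exe' = '260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360'
    'C:\Windows\DNomb\spolsvt.exe'             = '20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78'
    'C:\Windows\DNomb\Mpec.mbt'                = 'd31736379a57748afdac7c17437f8506068c9f19e0952ce0421eeb88ad4c2a44'
    'C:\Users\Public\Documents\t\spolsvt.exe'  = 'b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8'
}
# Created by usb.exe per the report, but no hash is listed for it: presence check only.
$iocPathsNoHash = @('C:\Windows\DNomb\PTvrst.exe', 'C:\Users\Public\Documents\t\yh.png')

$findings = New-Object System.Collections.Generic.List[object]

# 1. Persistence: match on the known value names, and on any Run value whose data
#    points into the drop directories even if the value name was changed.
foreach ($key in $runKeyPaths) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's provider metadata
        $data = [string]$p.Value
        $nameHit = $runValueNames -contains $p.Name
        $dataHit = $data -match '\\DNomb\\|\\Public\\Documents\\(123|t)\\|\\Public\\haixia\\'
        if ($nameHit -or $dataHit) {
            $findings.Add([pscustomobject]@{ Type = 'RunKey'; Where = "$key\$($p.Name)"; Detail = $data })
        }
    }
}

# 2. Dropped files: presence plus hash comparison. A mismatch is still reported,
#    because a rebuilt payload keeps the path but not the hash.
foreach ($entry in $iocFiles.GetEnumerator()) {
    if (Test-Path -LiteralPath $entry.Key) {
        $hash = (Get-FileHash -LiteralPath $entry.Key -Algorithm SHA256).Hash.ToLower()
        $detail = if ($hash -eq $entry.Value) { 'hash matches report' } else { "hash differs: $hash" }
        $findings.Add([pscustomobject]@{ Type = 'DroppedFile'; Where = $entry.Key; Detail = $detail })
    }
}
foreach ($path in $iocPathsNoHash) {
    if (Test-Path -LiteralPath $path) {
        $findings.Add([pscustomobject]@{ Type = 'DroppedFile'; Where = $path; Detail = 'present (no hash in report)' })
    }
}

# 3. Running instances, matched by full image path rather than file name, because
#    spolsvt.exe exists at two different paths with two different hashes.
$iocImages = @($iocFiles.Keys) + $iocPathsNoHash | Where-Object { $_ -like '*.exe' }
Get-CimInstance Win32_Process | ForEach-Object {
    if ($_.ExecutablePath -and ($iocImages -contains $_.ExecutablePath)) {
        $findings.Add([pscustomobject]@{ Type = 'Process'; Where = "PID $($_.ProcessId)"; Detail = $_.ExecutablePath })
    }
}

if ($findings.Count -eq 0) { 'No indicators from this report found.' } else { $findings | Format-Table -AutoSize }
```

Path comparisons in PowerShell are case-insensitive, so the report's mixed C:\WINDOWS and C:\Windows spellings both match. A clean result from this script does not prove the host is clean: the spolsvt.exe that is written into (PID 4956 in this report) runs hollowed, so the in-memory payload can differ from the file on disk.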

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3820 set thread context of 4836 N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 4836 set thread context of 4956 N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Telegram中文版\tdata\usertag C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_4 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_0 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\countries C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\D877F783D5D3EF8Cs C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_1 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\key_datas C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\settingss C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\unins000.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\D877F783D5D3EF8C\configs C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_2 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_5 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\Updater.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\D877F783D5D3EF8C\maps C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_6 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\spoiler\text C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_6 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\prefix C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\shortcuts-default.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\Telegram.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_0 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_3 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_4 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\user_data\cache\version C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\unins000.dat C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\384D52C44F53623Ds C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_5 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_1 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_2 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_3 C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\shortcuts-custom.json C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\user_data\media_cache\version C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\log.txt C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\467D828013FC9E09s C:\Windows\system32\msiexec.exe N/A
File created C:\Program Files (x86)\Telegram中文版\tdata\DB65164DA6E632FFs C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI5DFC.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5C63.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5D3F.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DNomb\spolsvt.exe C:\Users\Public\haixia\usb.exe N/A
File created C:\Windows\DNomb\PTvrst.exe C:\Users\Public\haixia\usb.exe N/A
File opened for modification C:\Windows\Installer\e585b89.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{7F1B75D6-84D3-4544-83F1-D38737C3C8F4} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI632E.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\DNomb\Mpec.mbt C:\Users\Public\haixia\usb.exe N/A
File created C:\Windows\Installer\e585b89.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5F06.tmp C:\Windows\system32\msiexec.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections C:\Windows\system32\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache C:\Windows\system32\svchost.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings C:\Users\Public\haixia\usb.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A
N/A N/A C:\Users\Public\Documents\t\spolsvt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\haixia\usb.exe N/A
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A
N/A N/A C:\Users\Public\Documents\123\PTvrst.exe N/A
N/A N/A C:\WINDOWS\DNomb\spolsvt.exe N/A
N/A N/A C:\WINDOWS\DNomb\spolsvt.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1408 wrote to memory of 3912 (3 events) N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1408 wrote to memory of 4792 (2 events) N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 1408 wrote to memory of 4164 (3 events) N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 3912 wrote to memory of 1364 (3 events) N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Public\haixia\usb.exe
PID 3820 wrote to memory of 4836 (9 events) N/A C:\Users\Public\Documents\123\PTvrst.exe C:\WINDOWS\DNomb\spolsvt.exe
PID 4836 wrote to memory of 4956 (8 events) N/A C:\WINDOWS\DNomb\spolsvt.exe C:\Users\Public\Documents\t\spolsvt.exe

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TGx-64.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 2343A859B88C9B1E85941606E0D00082 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 4621825AF3F02A4AF8A42815855ED68C

C:\Users\Public\haixia\usb.exe

"C:\Users\Public\haixia\usb.exe"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Public\Documents\123\PTvrst.exe

"C:\Users\Public\Documents\123\PTvrst.exe"

C:\WINDOWS\DNomb\spolsvt.exe

C:\WINDOWS\DNomb\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

C:\Users\Public\Documents\t\spolsvt.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 224.104.207.23.in-addr.arpa udp
US 8.8.8.8:53 sidamingzhu.oss-cn-hongkong.aliyuncs.com udp
HK 47.75.19.12:443 sidamingzhu.oss-cn-hongkong.aliyuncs.com tcp
US 8.8.8.8:53 12.19.75.47.in-addr.arpa udp
US 8.8.8.8:53 sidamingzhu.oss-cn-hongkong.aliyuncs.com udp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 pipi.wccabc.com udp
HK 154.23.176.188:3927 pipi.wccabc.com tcp
US 8.8.8.8:53 188.176.23.154.in-addr.arpa udp
US 8.8.8.8:53 0.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 130.109.69.13.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 38.148.119.40.in-addr.arpa udp
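An added example, not part of the sandbox report: a small Python matcher that turns what this detonation shows into checks a responder can run over their own telemetry. The WriteProcessMemory rows above read as a process tree, since the pattern is consistent with process creation (the sandbox flags a parent's write into a freshly created child): the msiexec.exe instance with PID 1408 writes into its 32-bit custom-action hosts (syswow64\MsiExec.exe -Embedding ...) and into srtasks.exe, one of those hosts writes into C:\Users\Public\haixia\usb.exe, and PTvrst.exe and the two spolsvt.exe copies continue the chain. The matcher encodes those parent/child pairs, the two forward-resolved hosts and their endpoints from the Network table (the in-addr.arpa entries are reverse lookups, not contactable indicators, and are left out), and the SHA256 values of the dropped executables from the Files section. The Telegram.exe dropped under Program Files (x86)\Telegram中文版 is listed by the report but not flagged, so it is not treated as an indicator. The event dictionary shape, field names, the MsiExec-launches-from-Users\Public heuristic and the sample events are constructed for this example; only the indicator values come from the report.

```python
"""IOC matcher for the behavioral3 detonation of TGx-64.msi (FatalRat).

Added example, not part of the sandbox report. The event dicts below are a
constructed, Sysmon-like shape (type, parent_image, image, dest, port, path,
sha256); the indicator values are copied from the report's signature, network
and file sections.
"""
from __future__ import annotations

from typing import Iterable

# SHA256 of the dropped/executed files from the Files section.
FILE_HASHES = {
    "f9b4a0e6e51e6857ee34657a722f38feb7ede30fbf9418f92da23c083952b5b2": r"C:\Users\Public\haixia\usb.exe",
    "260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360": r"C:\Users\Public\Documents\123\PTvrst.exe",
    "20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78": r"C:\WINDOWS\DNomb\spolsvt.exe",
    "b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8": r"C:\Users\Public\Documents\t\spolsvt.exe",
    "d31736379a57748afdac7c17437f8506068c9f19e0952ce0421eeb88ad4c2a44": r"C:\WINDOWS\DNomb\Mpec.mbt",
}

# Forward-resolved names match on any port; the IP:port pairs are the
# endpoints actually contacted. The in-addr.arpa PTR lookups in the Network
# table are reverse lookups, not contactable indicators, and are left out.
NETWORK_HOSTS = {"sidamingzhu.oss-cn-hongkong.aliyuncs.com", "pipi.wccabc.com"}
NETWORK_ENDPOINTS = {("47.75.19.12", 443), ("154.23.176.188", 3927)}

# Parent -> child image pairs read off the WriteProcessMemory table
# (lower-case; Windows paths are case-insensitive).
PROCESS_CHAIN = [
    (r"c:\windows\syswow64\msiexec.exe", r"c:\users\public\haixia\usb.exe"),
    (r"c:\users\public\documents\123\ptvrst.exe", r"c:\windows\dnomb\spolsvt.exe"),
    (r"c:\windows\dnomb\spolsvt.exe", r"c:\users\public\documents\t\spolsvt.exe"),
]


def _norm(path: str) -> str:
    """Windows path comparison: one separator style, case-insensitive."""
    return path.replace("/", "\\").lower()


def match_hash(sha256: str) -> str | None:
    """Return the path the report recorded for a known SHA256, else None."""
    return FILE_HASHES.get(sha256.lower())


def match_network(dest: str, port: int) -> bool:
    """True for a report host on any port or a report IP on its observed port."""
    d = dest.lower()
    return d in NETWORK_HOSTS or (d, port) in NETWORK_ENDPOINTS


def match_process(parent_image: str, image: str) -> str | None:
    """Exact chain hit first; otherwise a broader heuristic (an assumption of
    this example, not a report signature): an MSI custom-action host
    (MsiExec.exe) starting a binary out of C:\\Users\\Public, which is how
    usb.exe was launched in this detonation."""
    parent, child = _norm(parent_image), _norm(image)
    for known_parent, known_child in PROCESS_CHAIN:
        if parent == known_parent and child == known_child:
            return f"known chain: {known_parent} -> {known_child}"
    if parent.endswith("\\msiexec.exe") and child.startswith("c:\\users\\public\\"):
        return "heuristic: MsiExec.exe launched a binary from C:\\Users\\Public"
    return None


def scan(events: Iterable[dict]) -> list[str]:
    """Evaluate a stream of constructed events and return one line per hit."""
    hits: list[str] = []
    for ev in events:
        kind = ev.get("type")
        if kind == "process":
            why = match_process(ev["parent_image"], ev["image"])
            if why:
                hits.append(f"process {ev['image']}: {why}")
        elif kind == "network" and match_network(ev["dest"], ev["port"]):
            hits.append(f"network {ev['dest']}:{ev['port']}: report indicator")
        elif kind == "file":
            seen_as = match_hash(ev["sha256"])
            if seen_as:
                hits.append(f"file {ev['path']}: SHA256 seen in report as {seen_as}")
    return hits


# Constructed sample telemetry: three hits from the report's chain/IOCs, one
# heuristic-only hit, one benign process, and the C2 IP on an unobserved port.
SAMPLE_EVENTS = [
    {"type": "process", "parent_image": r"C:\Windows\SysWOW64\MsiExec.exe",
     "image": r"C:\Users\Public\haixia\usb.exe"},
    {"type": "process", "parent_image": r"C:\Windows\SysWOW64\MsiExec.exe",
     "image": r"C:\Users\Public\other\setup.exe"},
    {"type": "process", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"type": "network", "dest": "pipi.wccabc.com", "port": 3927},
    {"type": "network", "dest": "154.23.176.188", "port": 80},
    {"type": "file", "path": r"D:\quarantine\sample.bin",
     "sha256": "20E3DC90A3E83B6202E2A7F4603B60E5E859639CB68693426C400B13AAEABD78"},
]

if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print(line)
```

Domain names match on any port because the same infrastructure can be reused with a different listener; a bare IP is only matched together with the port the sandbox saw, since 47.75.19.12 belongs to a shared Alibaba Cloud OSS endpoint and matching it alone would flood a hunt with unrelated traffic.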

Files

C:\Users\Admin\AppData\Local\Temp\MSIC2E2.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSIC2E2.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIC4A9.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSIC4A9.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIC555.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSIC555.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIC622.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSIC622.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIC6CE.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSIC6CE.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIC846.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSIC846.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIC8F3.tmp

MD5 48c25fba873a341b914652763cbc4f7b
SHA1 98b51420e26829bb96a963e4fb897db733c76fc0
SHA256 4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd
SHA512 c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68

\Users\Admin\AppData\Local\Temp\MSIC8F3.tmp

MD5 48c25fba873a341b914652763cbc4f7b
SHA1 98b51420e26829bb96a963e4fb897db733c76fc0
SHA256 4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd
SHA512 c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68

C:\Users\Admin\AppData\Local\Temp\MSIC9FE.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSIC9FE.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSICAAB.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Users\Admin\AppData\Local\Temp\MSICAAB.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Users\Admin\AppData\Local\Temp\MSIF2D5.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSIF2D5.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIF3C0.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSIF3C0.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Admin\AppData\Local\Temp\MSIF519.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSIF519.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSI5C63.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Windows\Installer\MSI5C63.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSI5D3F.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

\Windows\Installer\MSI5D3F.tmp

MD5 db7612f0fd6408d664185cfc81bef0cb
SHA1 19a6334ec00365b4f4e57d387ed885b32aa7c9aa
SHA256 e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240
SHA512 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

C:\Windows\Installer\MSI5DFC.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Windows\Installer\MSI5DFC.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Windows\Installer\MSI5F06.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Windows\Installer\MSI5F06.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Program Files (x86)\Telegram中文版\Telegram.exe

MD5 dffd0738bc474639bed3a895498e4a71
SHA1 7025e03fd682fb74bccb0911fd1de6a35383b129
SHA256 090e1109df7fa7fce8b76d34028111b2a62ef48170d9b214191023de2d441f46
SHA512 588e3972d6f9816b6022c496eaf3d246badb39380ce6e0703ab43cd7e9210ce036e524c8b7d82016a2dff4ae94e18b9a5d8ba25174c134919c6205b30f85ba5e

C:\Config.Msi\e585b8a.rbs

MD5 c7b973d438cdaaa4820ebde7d5adcc1b
SHA1 3177d0d3ca5a100e87d84d0dc88860f0ca812fbd
SHA256 e2ad1424ac61beda1e6f7201e9fbfcb3bfd24347a632bed54bebbac48b928abe
SHA512 a3bdd2929107b41eebe29906180dd939da415ab124194e2ee1b9c46d29fed0dfc5bd04f617e9bd53a52bf0addd0438980eadef1bbfb483e3ef9e711382a5b514

C:\Users\Admin\AppData\Local\Temp\MSI7A96.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSI7A96.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

C:\Users\Public\haixia\usb.exe

MD5 c0b89095eac7d60bd1d2018dc6000550
SHA1 9a56f862f787d4b8a7bd0ca248ae029f07a0988a
SHA256 f9b4a0e6e51e6857ee34657a722f38feb7ede30fbf9418f92da23c083952b5b2
SHA512 8e71204234e0e0186120e8f5b1ffc9ca4a531802b2f1f414def4339551dccea9755c7438d036f7020ee464bdcd25602a2938a9e4fd406df438b7369c95afec2d

memory/1364-263-0x0000000000400000-0x0000000000A5C000-memory.dmp

memory/1364-264-0x0000000076F64000-0x0000000076F65000-memory.dmp

memory/1364-267-0x0000000000400000-0x0000000000A5C000-memory.dmp

memory/1364-268-0x0000000004C30000-0x0000000004C31000-memory.dmp

memory/1364-269-0x0000000004C50000-0x0000000004C51000-memory.dmp

memory/1364-271-0x0000000004C80000-0x0000000004C81000-memory.dmp

memory/1364-272-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

memory/1364-270-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

memory/1364-273-0x0000000004C20000-0x0000000004C21000-memory.dmp

memory/1364-275-0x0000000004C60000-0x0000000004C61000-memory.dmp

memory/1364-274-0x0000000004C40000-0x0000000004C41000-memory.dmp

memory/1364-276-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

memory/1364-277-0x0000000004C90000-0x0000000004C91000-memory.dmp

memory/1364-278-0x0000000004E10000-0x0000000004E11000-memory.dmp

memory/1364-279-0x0000000004E00000-0x0000000004E02000-memory.dmp

memory/1364-281-0x0000000004D50000-0x0000000004D51000-memory.dmp

memory/1364-280-0x0000000004D40000-0x0000000004D41000-memory.dmp

memory/1364-282-0x0000000004D80000-0x0000000004D81000-memory.dmp

memory/1364-283-0x0000000004D90000-0x0000000004D91000-memory.dmp

\??\Volume{96faa851-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f53f6e35-1a61-4ece-a837-747c14e0195f}_OnDiskSnapshotProp

MD5 f5e22c6a1c361d372d931a51022b54dd
SHA1 1c685fc3f16897cb67c11e2f66bbb213b481f00e
SHA256 271fa5bb16d455a16d7bcfd85959a77e4a15584a46dba6958a2215aee772f234
SHA512 d18c358af877eeb7b91f91a5470294105e02bafb7e216a53e4fef22eb33b79eeeda3354e8801a25d2d1d7faff67dd00003f9d3383d361476cca012340d9ffa8e

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 a3670a783d46849d926c67a63eacd134
SHA1 f96fc9910caf65ab735e9bea81ab71feb631171f
SHA256 465277456867651cc5b15df30c6d323a3dd45d7cac0ea16d3af03084a85b9626
SHA512 35d53cf346c122f1a595ec4abee3dc6e939bef3664b080e01c23b4a0ed2208e3f43439cacddde1242f2077772909cfd22e13d55f56766ef60ea976531bef7a8e

memory/1364-284-0x0000000004CD0000-0x0000000004CD1000-memory.dmp

memory/1364-288-0x0000000004D70000-0x0000000004D71000-memory.dmp

memory/1364-287-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

memory/1364-289-0x0000000004E60000-0x0000000004E62000-memory.dmp

memory/1364-290-0x0000000000400000-0x0000000000A5C000-memory.dmp

memory/1364-291-0x0000000000400000-0x0000000000A5C000-memory.dmp

memory/1364-295-0x0000000000400000-0x0000000000A5C000-memory.dmp

memory/1364-303-0x0000000000400000-0x0000000000A5C000-memory.dmp

C:\Users\Public\Documents\123\PTvrst.exe

MD5 d22cfb5bfaeb1503b12b07e53ef0a149
SHA1 8ea2c85e363f551a159fabd65377affed4e417a1
SHA256 260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360
SHA512 151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45

memory/3820-307-0x0000000000400000-0x00000000006A2000-memory.dmp

memory/1364-309-0x0000000004C70000-0x0000000004C71000-memory.dmp

memory/1364-310-0x0000000000400000-0x0000000000A5C000-memory.dmp

memory/1364-308-0x0000000004E70000-0x0000000004E72000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSIE315.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSIE315.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

memory/3820-316-0x00000000047B0000-0x00000000047B1000-memory.dmp

memory/3820-317-0x0000000000400000-0x00000000006A2000-memory.dmp

memory/3820-318-0x0000000004730000-0x0000000004731000-memory.dmp

memory/3820-319-0x0000000004760000-0x0000000004761000-memory.dmp

memory/3820-320-0x0000000004740000-0x0000000004741000-memory.dmp

memory/3820-322-0x00000000047C0000-0x00000000047C1000-memory.dmp

memory/3820-321-0x00000000047A0000-0x00000000047A1000-memory.dmp

memory/3820-323-0x0000000004720000-0x0000000004721000-memory.dmp

memory/3820-326-0x00000000047E0000-0x00000000047E1000-memory.dmp

memory/3820-325-0x0000000004790000-0x0000000004791000-memory.dmp

memory/3820-324-0x0000000004770000-0x0000000004771000-memory.dmp

C:\WINDOWS\DNomb\Mpec.mbt

MD5 1d294165b61163c73a5379ca4f388d67
SHA1 10ff3c414046c66243b27c4842498f9b44ca1549
SHA256 d31736379a57748afdac7c17437f8506068c9f19e0952ce0421eeb88ad4c2a44
SHA512 d16f086ef3bab1c33529d6c7322159c84db2852288bbfd33f650aa632b6b43ede15e041be100c163a42e18e7ef759e52558b373cee5222cc5b2d3f04a456d3ee

memory/3820-329-0x0000000004A80000-0x0000000004A82000-memory.dmp

memory/3820-327-0x0000000004890000-0x0000000004891000-memory.dmp

memory/4836-331-0x0000000000400000-0x0000000000516000-memory.dmp

memory/4836-332-0x0000000000400000-0x0000000000516000-memory.dmp

memory/4836-334-0x0000000000400000-0x0000000000516000-memory.dmp

memory/3820-336-0x0000000004780000-0x0000000004781000-memory.dmp

memory/4836-335-0x0000000000400000-0x0000000000516000-memory.dmp

memory/3820-338-0x0000000004910000-0x0000000004911000-memory.dmp

C:\WINDOWS\DNomb\spolsvt.exe

MD5 523d5c39f9d8d2375c3df68251fa2249
SHA1 d4ed365c44bec9246fc1a65a32a7791792647a10
SHA256 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78
SHA512 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4

memory/3820-333-0x0000000004840000-0x0000000004842000-memory.dmp

memory/3820-339-0x0000000004880000-0x0000000004882000-memory.dmp

memory/4836-342-0x0000000000400000-0x0000000000516000-memory.dmp

memory/4836-343-0x0000000000400000-0x0000000000516000-memory.dmp

memory/4956-348-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4956-349-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4956-350-0x0000000000400000-0x0000000000430000-memory.dmp

C:\Users\Public\Documents\t\spolsvt.exe

MD5 cdce4713e784ae069d73723034a957ff
SHA1 9a393a6bab6568f1a774fb753353223f11367e09
SHA256 b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8
SHA512 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f

memory/4956-354-0x0000000000400000-0x0000000000430000-memory.dmp

memory/4956-355-0x0000000010000000-0x000000001002A000-memory.dmp

memory/3820-360-0x0000000000400000-0x00000000006A2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSI30D8.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6

\Users\Admin\AppData\Local\Temp\MSI30D8.tmp

MD5 f7b1ddc86cd51e3391aa8bf4be48d994
SHA1 a0c0a4a77991d7f8df722acdd782310a6da2a904
SHA256 ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f
SHA512 f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6