Analysis Overview
SHA256
05f367011689dd5ca1be21e664d913dff20e0dbe00b641f1adbf7bcd587d3a6c
Threat Level: Known bad
The file TGx-64.msi was found to be: Known bad.
Malicious Activity Summary
FatalRat
Fatal Rat payload
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Adds Run key to start application
Enumerates connected drives
Suspicious use of SetThreadContext
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Drops file in Program Files directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-10 10:56
Signatures
Analysis: behavioral3
Detonation Overview
Submitted
2023-08-10 10:55
Reported
2023-08-10 11:01
Platform
win10v2004-20230703-en
Max time kernel
241s
Max time network
299s
Command Line
Signatures
FatalRat
Fatal Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\haixia\usb.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\123\PTvrst.exe | N/A |
| N/A | N/A | C:\WINDOWS\DNomb\spolsvt.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\t\spolsvt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| 19 identical events | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\系统组件 (value name rendered mis-encoded as "ϵͳ×é¼þ"; GBK for "System Component") = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe" | C:\WINDOWS\DNomb\spolsvt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\PTvrst.exe" | C:\Users\Public\Documents\123\PTvrst.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\haixia\usb.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\123\PTvrst.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3416 set thread context of 436 | N/A | C:\Users\Public\Documents\123\PTvrst.exe | C:\WINDOWS\DNomb\spolsvt.exe |
| PID 436 set thread context of 3432 | N/A | C:\WINDOWS\DNomb\spolsvt.exe | C:\Users\Public\Documents\t\spolsvt.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_1 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\spoiler\text | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\467D828013FC9E09s | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\key_datas | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\user_data\cache\version | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_5 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\Telegram.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\log.txt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\D877F783D5D3EF8Cs | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\DB65164DA6E632FFs | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\Updater.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_0 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_2 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_4 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_6 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\shortcuts-default.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_0 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_4 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_6 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\user_data\media_cache\version | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\unins000.dat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\384D52C44F53623Ds | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_1 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_3 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\prefix | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\settingss | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\shortcuts-custom.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\unins000.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\D877F783D5D3EF8C\configs | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_2 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_3 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\usertag | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\countries | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\D877F783D5D3EF8C\maps | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_5 | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI5772.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI584D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DNomb\Mpec.mbt | C:\Users\Public\haixia\usb.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5F36.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DNomb\spolsvt.exe | C:\Users\Public\haixia\usb.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI588D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{7F1B75D6-84D3-4544-83F1-D38737C3C8F4} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e585668.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DNomb\PTvrst.exe | C:\Users\Public\haixia\usb.exe | N/A |
| File created | C:\Windows\Installer\e585668.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5978.tmp | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000_Classes\Local Settings | C:\Users\Public\haixia\usb.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\haixia\usb.exe | N/A |
| N/A | N/A | C:\Users\Public\haixia\usb.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\123\PTvrst.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\123\PTvrst.exe | N/A |
| N/A | N/A | C:\WINDOWS\DNomb\spolsvt.exe | N/A |
| N/A | N/A | C:\WINDOWS\DNomb\spolsvt.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TGx-64.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F3076147733809E97405BE188D0C9A00 C
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 8F5B6A448A178484B44149242E8585D2
C:\Users\Public\haixia\usb.exe
"C:\Users\Public\haixia\usb.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Public\Documents\123\PTvrst.exe
"C:\Users\Public\Documents\123\PTvrst.exe"
C:\WINDOWS\DNomb\spolsvt.exe
C:\WINDOWS\DNomb\spolsvt.exe
C:\Users\Public\Documents\t\spolsvt.exe
C:\Users\Public\Documents\t\spolsvt.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 224.104.207.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sidamingzhu.oss-cn-hongkong.aliyuncs.com | udp |
| HK | 47.75.19.12:443 | sidamingzhu.oss-cn-hongkong.aliyuncs.com | tcp |
| US | 8.8.8.8:53 | 12.19.75.47.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.20.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pipi.wccabc.com | udp |
| HK | 154.23.176.188:3927 | pipi.wccabc.com | tcp |
| US | 8.8.8.8:53 | 188.176.23.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 66.112.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\MSI96B2.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI9EF0.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI9FAD.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIA02B.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIA05B.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIA29E.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSIA2ED.tmp
| MD5 | 48c25fba873a341b914652763cbc4f7b |
| SHA1 | 98b51420e26829bb96a963e4fb897db733c76fc0 |
| SHA256 | 4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd |
| SHA512 | c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68 |
C:\Users\Admin\AppData\Local\Temp\MSIA32C.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIA36C.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIDC9E.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSIDD3B.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSIDE36.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Windows\Installer\MSI5772.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Windows\Installer\MSI584D.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Windows\Installer\MSI584D.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Windows\Installer\MSI588D.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Windows\Installer\MSI588D.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Windows\Installer\MSI5978.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Windows\Installer\MSI5978.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Program Files (x86)\Telegram中文版\Telegram.exe
| MD5 | dffd0738bc474639bed3a895498e4a71 |
| SHA1 | 7025e03fd682fb74bccb0911fd1de6a35383b129 |
| SHA256 | 090e1109df7fa7fce8b76d34028111b2a62ef48170d9b214191023de2d441f46 |
| SHA512 | 588e3972d6f9816b6022c496eaf3d246badb39380ce6e0703ab43cd7e9210ce036e524c8b7d82016a2dff4ae94e18b9a5d8ba25174c134919c6205b30f85ba5e |
C:\Config.Msi\e585669.rbs
| MD5 | 843ead28eb5297b2af08b906c8322783 |
| SHA1 | b5dc5fb6f615f029c802f7647ed238abca68056f |
| SHA256 | 66b78385a9e61f587e9053d818c49abb71ad8b58c1a5396c5cc68fef46de18fe |
| SHA512 | 3eebd52093808c6ef4039e43ccde7e02b76b31376e9e42a0d73365cf248ca434e350e3e79d00adae0d09d427b36b9f1264b3c92bfbccdb1094f4d0cb19d613f8 |
C:\Users\Admin\AppData\Local\Temp\MSI6EDE.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSI6EDE.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Public\haixia\usb.exe
| MD5 | c0b89095eac7d60bd1d2018dc6000550 |
| SHA1 | 9a56f862f787d4b8a7bd0ca248ae029f07a0988a |
| SHA256 | f9b4a0e6e51e6857ee34657a722f38feb7ede30fbf9418f92da23c083952b5b2 |
| SHA512 | 8e71204234e0e0186120e8f5b1ffc9ca4a531802b2f1f414def4339551dccea9755c7438d036f7020ee464bdcd25602a2938a9e4fd406df438b7369c95afec2d |
C:\Users\Public\haixia\usb.exe
| MD5 | c0b89095eac7d60bd1d2018dc6000550 |
| SHA1 | 9a56f862f787d4b8a7bd0ca248ae029f07a0988a |
| SHA256 | f9b4a0e6e51e6857ee34657a722f38feb7ede30fbf9418f92da23c083952b5b2 |
| SHA512 | 8e71204234e0e0186120e8f5b1ffc9ca4a531802b2f1f414def4339551dccea9755c7438d036f7020ee464bdcd25602a2938a9e4fd406df438b7369c95afec2d |
C:\Users\Public\haixia\usb.exe
| MD5 | c0b89095eac7d60bd1d2018dc6000550 |
| SHA1 | 9a56f862f787d4b8a7bd0ca248ae029f07a0988a |
| SHA256 | f9b4a0e6e51e6857ee34657a722f38feb7ede30fbf9418f92da23c083952b5b2 |
| SHA512 | 8e71204234e0e0186120e8f5b1ffc9ca4a531802b2f1f414def4339551dccea9755c7438d036f7020ee464bdcd25602a2938a9e4fd406df438b7369c95afec2d |
memory/4664-276-0x0000000000400000-0x0000000000A5C000-memory.dmp
memory/4664-277-0x0000000077044000-0x0000000077046000-memory.dmp
memory/4664-278-0x0000000000400000-0x0000000000A5C000-memory.dmp
memory/4664-279-0x0000000004B60000-0x0000000004B61000-memory.dmp
memory/4664-280-0x0000000004B90000-0x0000000004B91000-memory.dmp
memory/4664-281-0x0000000004BF0000-0x0000000004BF1000-memory.dmp
memory/4664-286-0x0000000004B50000-0x0000000004B52000-memory.dmp
memory/4664-285-0x0000000004C10000-0x0000000004C11000-memory.dmp
memory/4664-287-0x0000000004B80000-0x0000000004B81000-memory.dmp
memory/4664-288-0x0000000004C00000-0x0000000004C01000-memory.dmp
memory/4664-289-0x0000000004BB0000-0x0000000004BB1000-memory.dmp
memory/4664-282-0x0000000004BC0000-0x0000000004BC1000-memory.dmp
\??\Volume{8edfd87d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{55422517-9fd5-4848-95ee-c588d1921afb}_OnDiskSnapshotProp
| MD5 | 4b4e91c80adfe4772ef62d374be9a35c |
| SHA1 | cead53f71befd8a0bc7be09de3d01a84eebf0e41 |
| SHA256 | 502828ea8673447972657dee4c27761087684350d98628cbb4bd75230916035d |
| SHA512 | a2b27e679130314fd2ad220bcc3f5e313150c17aff49ff76833dd95c48a286a63017745e42094e609300d356fb9127ae19d9483a32c060e6307e03fc0cbfd161 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 7a58c348535284373981b47ff7f5b100 |
| SHA1 | 71c71e541aff847e5bc4b8829e7b2735860e1203 |
| SHA256 | 3d40d318db56bfd362e9b0a9458d69f351ed8884525f9f8d3c279d6151320f59 |
| SHA512 | 7dad8d2f6d872df59cd7f1a74359db4889db4f9868e83839776851cf54562a86b7b87d00a366c79a82f4c0ed4fddee59a507baac741ee2c12623d6f48d7797a6 |
memory/4664-301-0x0000000004BA0000-0x0000000004BA1000-memory.dmp
memory/4664-303-0x0000000004E20000-0x0000000004E22000-memory.dmp
memory/4664-305-0x0000000004CA0000-0x0000000004CA1000-memory.dmp
memory/4664-304-0x0000000004B70000-0x0000000004B71000-memory.dmp
memory/4664-306-0x0000000004BD0000-0x0000000004BD1000-memory.dmp
memory/4664-307-0x0000000004CD0000-0x0000000004CD1000-memory.dmp
memory/4664-302-0x0000000004C30000-0x0000000004C31000-memory.dmp
memory/4664-308-0x0000000004CF0000-0x0000000004CF1000-memory.dmp
memory/4664-309-0x0000000004CB0000-0x0000000004CB1000-memory.dmp
memory/4664-311-0x0000000004CE0000-0x0000000004CE1000-memory.dmp
memory/4664-310-0x0000000004C90000-0x0000000004C91000-memory.dmp
memory/4664-313-0x0000000000400000-0x0000000000A5C000-memory.dmp
memory/4664-315-0x0000000000400000-0x0000000000A5C000-memory.dmp
C:\Users\Public\Documents\123\PTvrst.exe
| MD5 | d22cfb5bfaeb1503b12b07e53ef0a149 |
| SHA1 | 8ea2c85e363f551a159fabd65377affed4e417a1 |
| SHA256 | 260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360 |
| SHA512 | 151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45 |
C:\Users\Public\Documents\123\PTvrst.exe
| MD5 | d22cfb5bfaeb1503b12b07e53ef0a149 |
| SHA1 | 8ea2c85e363f551a159fabd65377affed4e417a1 |
| SHA256 | 260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360 |
| SHA512 | 151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45 |
memory/4664-318-0x0000000000400000-0x0000000000A5C000-memory.dmp
memory/4664-319-0x0000000000400000-0x0000000000A5C000-memory.dmp
memory/3416-320-0x0000000000400000-0x00000000006A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSIB3A8.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSIB3A8.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
memory/3416-325-0x00000000047F0000-0x00000000047F1000-memory.dmp
memory/3416-326-0x0000000004750000-0x0000000004751000-memory.dmp
memory/3416-327-0x00000000047A0000-0x00000000047A1000-memory.dmp
memory/3416-328-0x0000000004780000-0x0000000004781000-memory.dmp
memory/3416-329-0x00000000047E0000-0x00000000047E2000-memory.dmp
memory/3416-330-0x0000000004760000-0x0000000004761000-memory.dmp
memory/3416-331-0x0000000004800000-0x0000000004801000-memory.dmp
memory/3416-333-0x00000000047C0000-0x00000000047C1000-memory.dmp
memory/3416-332-0x0000000004790000-0x0000000004791000-memory.dmp
memory/3416-334-0x00000000047B0000-0x00000000047B1000-memory.dmp
memory/3416-335-0x0000000004810000-0x0000000004811000-memory.dmp
memory/3416-336-0x0000000004870000-0x0000000004871000-memory.dmp
memory/3416-338-0x0000000004850000-0x0000000004851000-memory.dmp
memory/3416-337-0x0000000004740000-0x0000000004741000-memory.dmp
memory/3416-339-0x0000000000400000-0x00000000006A2000-memory.dmp
memory/3416-341-0x0000000004880000-0x0000000004881000-memory.dmp
memory/3416-340-0x00000000048F0000-0x00000000048F1000-memory.dmp
C:\WINDOWS\DNomb\Mpec.mbt
| MD5 | 1d294165b61163c73a5379ca4f388d67 |
| SHA1 | 10ff3c414046c66243b27c4842498f9b44ca1549 |
| SHA256 | d31736379a57748afdac7c17437f8506068c9f19e0952ce0421eeb88ad4c2a44 |
| SHA512 | d16f086ef3bab1c33529d6c7322159c84db2852288bbfd33f650aa632b6b43ede15e041be100c163a42e18e7ef759e52558b373cee5222cc5b2d3f04a456d3ee |
memory/436-344-0x0000000000400000-0x0000000000516000-memory.dmp
memory/436-345-0x0000000000400000-0x0000000000516000-memory.dmp
memory/436-346-0x0000000000400000-0x0000000000516000-memory.dmp
memory/436-347-0x0000000000400000-0x0000000000516000-memory.dmp
C:\WINDOWS\DNomb\spolsvt.exe
| MD5 | 523d5c39f9d8d2375c3df68251fa2249 |
| SHA1 | d4ed365c44bec9246fc1a65a32a7791792647a10 |
| SHA256 | 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78 |
| SHA512 | 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4 |
C:\Windows\DNomb\spolsvt.exe
| MD5 | 523d5c39f9d8d2375c3df68251fa2249 |
| SHA1 | d4ed365c44bec9246fc1a65a32a7791792647a10 |
| SHA256 | 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78 |
| SHA512 | 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4 |
memory/436-352-0x0000000000400000-0x0000000000516000-memory.dmp
memory/436-351-0x0000000000400000-0x0000000000516000-memory.dmp
memory/3432-357-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3432-358-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3432-359-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Public\Documents\t\spolsvt.exe
| MD5 | cdce4713e784ae069d73723034a957ff |
| SHA1 | 9a393a6bab6568f1a774fb753353223f11367e09 |
| SHA256 | b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8 |
| SHA512 | 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f |
C:\Users\Public\Documents\t\spolsvt.exe
| MD5 | cdce4713e784ae069d73723034a957ff |
| SHA1 | 9a393a6bab6568f1a774fb753353223f11367e09 |
| SHA256 | b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8 |
| SHA512 | 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f |
memory/3432-363-0x0000000000400000-0x0000000000430000-memory.dmp
memory/3432-364-0x0000000010000000-0x000000001002A000-memory.dmp
memory/3416-369-0x0000000000400000-0x00000000006A2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSIF68E.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSIF68E.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-10 10:55
Reported
2023-08-10 11:01
Platform
win7-20230712-en
Max time kernel
292s
Max time network
294s
Command Line
Signatures
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\haixia\usb.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\123\PTvrst.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\123\PTvrst.exe | N/A |
| N/A | N/A | C:\WINDOWS\DNomb\spolsvt.exe | N/A |
| N/A | N/A | C:\WINDOWS\DNomb\spolsvt.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\t\spolsvt.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\t\spolsvt.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\PTvrst.exe" | C:\Users\Public\Documents\123\PTvrst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\系统组件 = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe" | C:\WINDOWS\DNomb\spolsvt.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\系统组件 = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe" | C:\WINDOWS\DNomb\spolsvt.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\haixia\usb.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\123\PTvrst.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\123\PTvrst.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1636 set thread context of 956 | N/A | C:\Users\Public\Documents\123\PTvrst.exe | C:\WINDOWS\DNomb\spolsvt.exe |
| PID 1284 set thread context of 1720 | N/A | C:\Users\Public\Documents\123\PTvrst.exe | C:\WINDOWS\DNomb\spolsvt.exe |
| PID 956 set thread context of 1492 | N/A | C:\WINDOWS\DNomb\spolsvt.exe | C:\Users\Public\Documents\t\spolsvt.exe |
| PID 1720 set thread context of 2532 | N/A | C:\WINDOWS\DNomb\spolsvt.exe | C:\Users\Public\Documents\t\spolsvt.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_2 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_4 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\settingss | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_0 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\prefix | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\shortcuts-default.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\Updater.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\D877F783D5D3EF8C\maps | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_5 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_3 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_5 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_6 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\usertag | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\384D52C44F53623Ds | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\467D828013FC9E09s | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\D877F783D5D3EF8C\configs | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_6 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_4 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\D877F783D5D3EF8Cs | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\unins000.dat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\user_data\cache\version | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\unins000.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\log.txt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\countries | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_0 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\key_datas | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\shortcuts-custom.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\Telegram.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\DB65164DA6E632FFs | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_1 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_3 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_2 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\spoiler\text | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_1 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\user_data\media_cache\version | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\f77a8ae.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIB10A.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f77a8af.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DNomb\spolsvt.exe | C:\Users\Public\haixia\usb.exe | N/A |
| File created | C:\Windows\DNomb\PTvrst.exe | C:\Users\Public\haixia\usb.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAEC8.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAA53.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f77a8ae.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DNomb\Mpec.mbt | C:\Users\Public\haixia\usb.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIAB3E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f77a8af.ipi | C:\Windows\system32\msiexec.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\haixia\usb.exe | N/A |
| N/A | N/A | C:\Users\Public\haixia\usb.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\123\PTvrst.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\123\PTvrst.exe | N/A |
| N/A | N/A | C:\WINDOWS\DNomb\spolsvt.exe | N/A |
| N/A | N/A | C:\WINDOWS\DNomb\spolsvt.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\123\PTvrst.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\123\PTvrst.exe | N/A |
| N/A | N/A | C:\WINDOWS\DNomb\spolsvt.exe | N/A |
| N/A | N/A | C:\WINDOWS\DNomb\spolsvt.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TGx-64.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E9D0E133B7B1F0C024D015B603178620 C
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004A0" "000000000000056C"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2EE9D9CE57B9A3819146DB71324D221B
C:\Users\Public\haixia\usb.exe
"C:\Users\Public\haixia\usb.exe"
C:\Users\Public\Documents\123\PTvrst.exe
"C:\Users\Public\Documents\123\PTvrst.exe"
C:\Users\Public\Documents\123\PTvrst.exe
"C:\Users\Public\Documents\123\PTvrst.exe"
C:\WINDOWS\DNomb\spolsvt.exe
C:\WINDOWS\DNomb\spolsvt.exe
C:\WINDOWS\DNomb\spolsvt.exe
C:\WINDOWS\DNomb\spolsvt.exe
C:\Users\Public\Documents\t\spolsvt.exe
C:\Users\Public\Documents\t\spolsvt.exe
C:\Users\Public\Documents\t\spolsvt.exe
C:\Users\Public\Documents\t\spolsvt.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | sidamingzhu.oss-cn-hongkong.aliyuncs.com | udp |
| HK | 47.75.19.12:443 | sidamingzhu.oss-cn-hongkong.aliyuncs.com | tcp |
| US | 8.8.8.8:53 | pipi.wccabc.com | udp |
| HK | 154.23.176.188:3927 | pipi.wccabc.com | tcp |
| HK | 154.23.176.188:3927 | pipi.wccabc.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\MSI1258.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
\Users\Admin\AppData\Local\Temp\MSI1258.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI1508.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
\Users\Admin\AppData\Local\Temp\MSI1508.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI1586.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI1586.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
\Users\Admin\AppData\Local\Temp\MSI1586.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI1671.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
\Users\Admin\AppData\Local\Temp\MSI1671.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI197E.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
\Users\Admin\AppData\Local\Temp\MSI197E.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSI1A59.tmp
| MD5 | 48c25fba873a341b914652763cbc4f7b |
| SHA1 | 98b51420e26829bb96a963e4fb897db733c76fc0 |
| SHA256 | 4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd |
| SHA512 | c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68 |
\Users\Admin\AppData\Local\Temp\MSI1A59.tmp
| MD5 | 48c25fba873a341b914652763cbc4f7b |
| SHA1 | 98b51420e26829bb96a963e4fb897db733c76fc0 |
| SHA256 | 4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd |
| SHA512 | c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68 |
\Users\Admin\AppData\Local\Temp\MSI1B34.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI1B34.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI1BE1.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
\Users\Admin\AppData\Local\Temp\MSI1BE1.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSI23FD.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
\Users\Admin\AppData\Local\Temp\MSI23FD.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSI249A.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSI249A.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
\Users\Admin\AppData\Local\Temp\MSI249A.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSI25A4.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
\Users\Admin\AppData\Local\Temp\MSI25A4.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Windows\Installer\MSIAA53.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
\Windows\Installer\MSIAA53.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Windows\Installer\MSIAB3E.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
\Windows\Installer\MSIAB3E.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Windows\Installer\MSIAEC8.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
\Windows\Installer\MSIAEC8.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe
| MD5 | dffd0738bc474639bed3a895498e4a71 |
| SHA1 | 7025e03fd682fb74bccb0911fd1de6a35383b129 |
| SHA256 | 090e1109df7fa7fce8b76d34028111b2a62ef48170d9b214191023de2d441f46 |
| SHA512 | 588e3972d6f9816b6022c496eaf3d246badb39380ce6e0703ab43cd7e9210ce036e524c8b7d82016a2dff4ae94e18b9a5d8ba25174c134919c6205b30f85ba5e |
C:\Program Files (x86)\Telegram中文版\Telegram.exe
| MD5 | dffd0738bc474639bed3a895498e4a71 |
| SHA1 | 7025e03fd682fb74bccb0911fd1de6a35383b129 |
| SHA256 | 090e1109df7fa7fce8b76d34028111b2a62ef48170d9b214191023de2d441f46 |
| SHA512 | 588e3972d6f9816b6022c496eaf3d246badb39380ce6e0703ab43cd7e9210ce036e524c8b7d82016a2dff4ae94e18b9a5d8ba25174c134919c6205b30f85ba5e |
\Program Files (x86)\Telegram中文版\Telegram.exe
| MD5 | dffd0738bc474639bed3a895498e4a71 |
| SHA1 | 7025e03fd682fb74bccb0911fd1de6a35383b129 |
| SHA256 | 090e1109df7fa7fce8b76d34028111b2a62ef48170d9b214191023de2d441f46 |
| SHA512 | 588e3972d6f9816b6022c496eaf3d246badb39380ce6e0703ab43cd7e9210ce036e524c8b7d82016a2dff4ae94e18b9a5d8ba25174c134919c6205b30f85ba5e |
\Program Files (x86)\Telegram中文版\Telegram.exe
| MD5 | dffd0738bc474639bed3a895498e4a71 |
| SHA1 | 7025e03fd682fb74bccb0911fd1de6a35383b129 |
| SHA256 | 090e1109df7fa7fce8b76d34028111b2a62ef48170d9b214191023de2d441f46 |
| SHA512 | 588e3972d6f9816b6022c496eaf3d246badb39380ce6e0703ab43cd7e9210ce036e524c8b7d82016a2dff4ae94e18b9a5d8ba25174c134919c6205b30f85ba5e |
\Program Files (x86)\Telegram中文版\Telegram.exe
| MD5 | dffd0738bc474639bed3a895498e4a71 |
| SHA1 | 7025e03fd682fb74bccb0911fd1de6a35383b129 |
| SHA256 | 090e1109df7fa7fce8b76d34028111b2a62ef48170d9b214191023de2d441f46 |
| SHA512 | 588e3972d6f9816b6022c496eaf3d246badb39380ce6e0703ab43cd7e9210ce036e524c8b7d82016a2dff4ae94e18b9a5d8ba25174c134919c6205b30f85ba5e |
\Program Files (x86)\Telegram中文版\Telegram.exe
| MD5 | dffd0738bc474639bed3a895498e4a71 |
| SHA1 | 7025e03fd682fb74bccb0911fd1de6a35383b129 |
| SHA256 | 090e1109df7fa7fce8b76d34028111b2a62ef48170d9b214191023de2d441f46 |
| SHA512 | 588e3972d6f9816b6022c496eaf3d246badb39380ce6e0703ab43cd7e9210ce036e524c8b7d82016a2dff4ae94e18b9a5d8ba25174c134919c6205b30f85ba5e |
C:\Config.Msi\f77a8b0.rbs
| MD5 | 2a14467a02a3ce9b2bd7e2547707ed5b |
| SHA1 | 5c1867ac657bf085dc7901569eeb5325eacf22b2 |
| SHA256 | 606b1a1677f6b26a52751a94230d15b2154c57becd7a758c28a69fbebba6d61c |
| SHA512 | fcbbb66b5d11df5afa83225db0551018951dfa950b25fd36e55bca664217334378369428ba1d951bd3161bfa1df121e4fd8acbb797e89a7aa9230a71da257a1b |
\Program Files (x86)\Telegram中文版\Telegram.exe
| MD5 | dffd0738bc474639bed3a895498e4a71 |
| SHA1 | 7025e03fd682fb74bccb0911fd1de6a35383b129 |
| SHA256 | 090e1109df7fa7fce8b76d34028111b2a62ef48170d9b214191023de2d441f46 |
| SHA512 | 588e3972d6f9816b6022c496eaf3d246badb39380ce6e0703ab43cd7e9210ce036e524c8b7d82016a2dff4ae94e18b9a5d8ba25174c134919c6205b30f85ba5e |
\Program Files (x86)\Telegram中文版\Telegram.exe
| MD5 | dffd0738bc474639bed3a895498e4a71 |
| SHA1 | 7025e03fd682fb74bccb0911fd1de6a35383b129 |
| SHA256 | 090e1109df7fa7fce8b76d34028111b2a62ef48170d9b214191023de2d441f46 |
| SHA512 | 588e3972d6f9816b6022c496eaf3d246badb39380ce6e0703ab43cd7e9210ce036e524c8b7d82016a2dff4ae94e18b9a5d8ba25174c134919c6205b30f85ba5e |
\Program Files (x86)\Telegram中文版\Telegram.exe
| MD5 | dffd0738bc474639bed3a895498e4a71 |
| SHA1 | 7025e03fd682fb74bccb0911fd1de6a35383b129 |
| SHA256 | 090e1109df7fa7fce8b76d34028111b2a62ef48170d9b214191023de2d441f46 |
| SHA512 | 588e3972d6f9816b6022c496eaf3d246badb39380ce6e0703ab43cd7e9210ce036e524c8b7d82016a2dff4ae94e18b9a5d8ba25174c134919c6205b30f85ba5e |
C:\Users\Admin\AppData\Local\Temp\MSI1199.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
\Users\Admin\AppData\Local\Temp\MSI1199.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
memory/2996-193-0x0000000002880000-0x0000000002EDC000-memory.dmp
C:\Users\Public\haixia\usb.exe
| MD5 | c0b89095eac7d60bd1d2018dc6000550 |
| SHA1 | 9a56f862f787d4b8a7bd0ca248ae029f07a0988a |
| SHA256 | f9b4a0e6e51e6857ee34657a722f38feb7ede30fbf9418f92da23c083952b5b2 |
| SHA512 | 8e71204234e0e0186120e8f5b1ffc9ca4a531802b2f1f414def4339551dccea9755c7438d036f7020ee464bdcd25602a2938a9e4fd406df438b7369c95afec2d |
memory/3012-195-0x0000000000400000-0x0000000000A5C000-memory.dmp
\Users\Public\haixia\usb.exe
| MD5 | c0b89095eac7d60bd1d2018dc6000550 |
| SHA1 | 9a56f862f787d4b8a7bd0ca248ae029f07a0988a |
| SHA256 | f9b4a0e6e51e6857ee34657a722f38feb7ede30fbf9418f92da23c083952b5b2 |
| SHA512 | 8e71204234e0e0186120e8f5b1ffc9ca4a531802b2f1f414def4339551dccea9755c7438d036f7020ee464bdcd25602a2938a9e4fd406df438b7369c95afec2d |
memory/2996-196-0x0000000002880000-0x0000000002EDC000-memory.dmp
memory/3012-197-0x0000000077B10000-0x0000000077B12000-memory.dmp
memory/3012-200-0x0000000000400000-0x0000000000A5C000-memory.dmp
memory/3012-201-0x0000000000400000-0x0000000000A5C000-memory.dmp
memory/3012-202-0x0000000004450000-0x0000000004451000-memory.dmp
memory/3012-204-0x0000000004500000-0x0000000004501000-memory.dmp
memory/3012-206-0x0000000004440000-0x0000000004442000-memory.dmp
memory/3012-205-0x00000000046B0000-0x00000000046B1000-memory.dmp
memory/3012-207-0x0000000004470000-0x0000000004471000-memory.dmp
memory/3012-203-0x0000000004530000-0x0000000004531000-memory.dmp
memory/3012-211-0x00000000044A0000-0x00000000044A1000-memory.dmp
memory/3012-212-0x0000000004540000-0x0000000004541000-memory.dmp
memory/3012-210-0x00000000044D0000-0x00000000044D1000-memory.dmp
memory/3012-213-0x00000000046E0000-0x00000000046E1000-memory.dmp
memory/3012-215-0x0000000004730000-0x0000000004731000-memory.dmp
memory/3012-214-0x00000000048A0000-0x00000000048A2000-memory.dmp
memory/3012-220-0x00000000044C0000-0x00000000044C1000-memory.dmp
memory/3012-219-0x00000000044B0000-0x00000000044B1000-memory.dmp
memory/3012-218-0x0000000004550000-0x0000000004551000-memory.dmp
memory/3012-217-0x0000000004510000-0x0000000004511000-memory.dmp
memory/3012-216-0x0000000004460000-0x0000000004461000-memory.dmp
memory/3012-209-0x0000000004560000-0x0000000004561000-memory.dmp
memory/3012-208-0x0000000004480000-0x0000000004481000-memory.dmp
memory/3012-221-0x0000000004490000-0x0000000004491000-memory.dmp
memory/3012-222-0x0000000000400000-0x0000000000A5C000-memory.dmp
memory/3012-236-0x0000000000400000-0x0000000000A5C000-memory.dmp
memory/3012-249-0x0000000000400000-0x0000000000A5C000-memory.dmp
memory/3012-251-0x0000000004750000-0x0000000004751000-memory.dmp
memory/3012-250-0x00000000046D0000-0x00000000046D1000-memory.dmp
memory/3012-252-0x0000000000400000-0x0000000000A5C000-memory.dmp
memory/3012-253-0x0000000000400000-0x0000000000A5C000-memory.dmp
C:\Users\Public\Documents\123\PTvrst.exe
| MD5 | d22cfb5bfaeb1503b12b07e53ef0a149 |
| SHA1 | 8ea2c85e363f551a159fabd65377affed4e417a1 |
| SHA256 | 260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360 |
| SHA512 | 151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45 |
memory/1636-255-0x0000000000400000-0x00000000006A2000-memory.dmp
C:\Users\Public\Documents\123\PTvrst.exe
| MD5 | d22cfb5bfaeb1503b12b07e53ef0a149 |
| SHA1 | 8ea2c85e363f551a159fabd65377affed4e417a1 |
| SHA256 | 260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360 |
| SHA512 | 151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45 |
memory/3012-257-0x00000000044E0000-0x00000000044E1000-memory.dmp
\Users\Admin\AppData\Local\Temp\MSIEC3F.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSIEC3F.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
memory/3012-258-0x0000000000400000-0x0000000000A5C000-memory.dmp
memory/1284-264-0x0000000000400000-0x00000000006A2000-memory.dmp
C:\Users\Public\Documents\123\PTvrst.exe
| MD5 | d22cfb5bfaeb1503b12b07e53ef0a149 |
| SHA1 | 8ea2c85e363f551a159fabd65377affed4e417a1 |
| SHA256 | 260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360 |
| SHA512 | 151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45 |
memory/1636-268-0x00000000009C0000-0x00000000009C1000-memory.dmp
memory/1636-267-0x0000000000400000-0x00000000006A2000-memory.dmp
memory/1636-266-0x0000000004320000-0x0000000004321000-memory.dmp
memory/1636-270-0x0000000004260000-0x0000000004261000-memory.dmp
memory/1636-271-0x0000000004310000-0x0000000004311000-memory.dmp
memory/1636-269-0x00000000042A0000-0x00000000042A1000-memory.dmp
memory/1636-276-0x0000000004230000-0x0000000004231000-memory.dmp
C:\WINDOWS\DNomb\spolsvt.exe
| MD5 | 523d5c39f9d8d2375c3df68251fa2249 |
| SHA1 | d4ed365c44bec9246fc1a65a32a7791792647a10 |
| SHA256 | 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78 |
| SHA512 | 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4 |
C:\WINDOWS\DNomb\Mpec.mbt
| MD5 | 1d294165b61163c73a5379ca4f388d67 |
| SHA1 | 10ff3c414046c66243b27c4842498f9b44ca1549 |
| SHA256 | d31736379a57748afdac7c17437f8506068c9f19e0952ce0421eeb88ad4c2a44 |
| SHA512 | d16f086ef3bab1c33529d6c7322159c84db2852288bbfd33f650aa632b6b43ede15e041be100c163a42e18e7ef759e52558b373cee5222cc5b2d3f04a456d3ee |
memory/1636-272-0x0000000004300000-0x0000000004301000-memory.dmp
memory/1636-278-0x00000000042F0000-0x00000000042F2000-memory.dmp
\Windows\DNomb\spolsvt.exe
| MD5 | 523d5c39f9d8d2375c3df68251fa2249 |
| SHA1 | d4ed365c44bec9246fc1a65a32a7791792647a10 |
| SHA256 | 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78 |
| SHA512 | 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4 |
memory/956-277-0x0000000000400000-0x0000000000516000-memory.dmp
memory/1636-280-0x0000000004090000-0x0000000004091000-memory.dmp
memory/1636-282-0x0000000004220000-0x0000000004221000-memory.dmp
memory/1636-284-0x00000000009B0000-0x00000000009B1000-memory.dmp
memory/956-281-0x0000000000400000-0x0000000000516000-memory.dmp
memory/1636-286-0x0000000004280000-0x0000000004281000-memory.dmp
memory/956-285-0x0000000000400000-0x0000000000516000-memory.dmp
memory/1636-288-0x00000000042E0000-0x00000000042E1000-memory.dmp
memory/1636-290-0x00000000042B0000-0x00000000042B1000-memory.dmp
memory/1636-292-0x0000000004330000-0x0000000004331000-memory.dmp
memory/956-291-0x0000000000400000-0x0000000000516000-memory.dmp
memory/1636-294-0x0000000004290000-0x0000000004291000-memory.dmp
memory/1636-296-0x0000000000740000-0x0000000000741000-memory.dmp
memory/956-297-0x0000000000400000-0x0000000000516000-memory.dmp
memory/1636-298-0x0000000004270000-0x0000000004271000-memory.dmp
memory/1636-300-0x00000000042C0000-0x00000000042C1000-memory.dmp
memory/956-303-0x0000000000400000-0x0000000000516000-memory.dmp
memory/1636-302-0x0000000004350000-0x0000000004351000-memory.dmp
memory/956-305-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/1636-308-0x0000000000750000-0x0000000000751000-memory.dmp
memory/1636-306-0x0000000004370000-0x0000000004371000-memory.dmp
memory/956-312-0x0000000000400000-0x0000000000516000-memory.dmp
C:\Windows\DNomb\spolsvt.exe
| MD5 | 523d5c39f9d8d2375c3df68251fa2249 |
| SHA1 | d4ed365c44bec9246fc1a65a32a7791792647a10 |
| SHA256 | 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78 |
| SHA512 | 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4 |
memory/1284-313-0x0000000000400000-0x00000000006A2000-memory.dmp
memory/1284-310-0x0000000004320000-0x0000000004321000-memory.dmp
memory/1636-304-0x0000000004380000-0x0000000004381000-memory.dmp
memory/1284-315-0x00000000040D0000-0x00000000040D1000-memory.dmp
memory/1284-316-0x00000000042B0000-0x00000000042B1000-memory.dmp
memory/1284-318-0x0000000004120000-0x0000000004121000-memory.dmp
memory/1284-320-0x0000000004310000-0x0000000004311000-memory.dmp
\Windows\DNomb\spolsvt.exe
| MD5 | 523d5c39f9d8d2375c3df68251fa2249 |
| SHA1 | d4ed365c44bec9246fc1a65a32a7791792647a10 |
| SHA256 | 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78 |
| SHA512 | 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4 |
memory/1284-322-0x0000000004300000-0x0000000004301000-memory.dmp
memory/1284-324-0x0000000004100000-0x0000000004101000-memory.dmp
memory/1492-334-0x0000000000400000-0x0000000000430000-memory.dmp
\Users\Public\Documents\t\spolsvt.exe
| MD5 | cdce4713e784ae069d73723034a957ff |
| SHA1 | 9a393a6bab6568f1a774fb753353223f11367e09 |
| SHA256 | b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8 |
| SHA512 | 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f |
memory/1492-340-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1492-346-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1492-355-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1492-363-0x0000000000400000-0x0000000000430000-memory.dmp
memory/1636-366-0x0000000000400000-0x00000000006A2000-memory.dmp
memory/1492-365-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
C:\Windows\DNomb\spolsvt.exe
| MD5 | 523d5c39f9d8d2375c3df68251fa2249 |
| SHA1 | d4ed365c44bec9246fc1a65a32a7791792647a10 |
| SHA256 | 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78 |
| SHA512 | 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4 |
memory/1492-376-0x0000000000400000-0x0000000000430000-memory.dmp
C:\Users\Public\Documents\t\spolsvt.exe
| MD5 | cdce4713e784ae069d73723034a957ff |
| SHA1 | 9a393a6bab6568f1a774fb753353223f11367e09 |
| SHA256 | b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8 |
| SHA512 | 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f |
C:\Users\Public\Documents\t\yh.png
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\Users\Admin\AppData\Local\Temp\MSI7EDE.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSI7EDE.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-10 10:55
Reported
2023-08-10 11:01
Platform
win10-20230703-en
Max time kernel
232s
Max time network
300s
Command Line
Signatures
FatalRat
Fatal Rat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\haixia\usb.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\123\PTvrst.exe | N/A |
| N/A | N/A | C:\WINDOWS\DNomb\spolsvt.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\t\spolsvt.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Therecontinuous = "C:\\WINDOWS\\DNomb\\PTvrst.exe" | C:\Users\Public\Documents\123\PTvrst.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\系统组件 = "C:\\Users\\Public\\Documents\\123\\PTvrst.exe" (value name is GBK for "System Component"; it renders as ϵͳ×é¼þ when the raw bytes are decoded as Latin-1) | C:\WINDOWS\DNomb\spolsvt.exe | N/A |
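The two Run values above both point at copies of PTvrst.exe, one under C:\Windows\DNomb (a directory usb.exe creates, per the "Drops file in Windows directory" table) and one under C:\Users\Public, which any local account can write to. The following is an added hunting example, not part of this report or of the sandbox's output: it flags Run/RunOnce targets that live in world-writable directories or in non-standard subdirectories of C:\Windows. The allow-list of normal Windows subdirectories, the world-writable prefix list and the benign SecurityHealth sample entry are assumptions for illustration; on a Windows host it reads the live keys (both registry views), elsewhere it runs over the constructed sample.

```python
import re
import sys

# Constructed sample: the two Run values from this report's "Adds Run key" table,
# plus one benign entry (an assumption, not from the report) to show the filter ignoring it.
SAMPLE_RUN_VALUES = [
    (r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "Therecontinuous", r"C:\WINDOWS\DNomb\PTvrst.exe"),
    (r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "系统组件", r"C:\Users\Public\Documents\123\PTvrst.exe"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

# Subdirectories of C:\Windows that normally host autostart binaries (assumed allow-list);
# a Run target in any other directory there, e.g. C:\Windows\DNomb, gets flagged.
WINDOWS_OK_SUBDIRS = {"system32", "syswow64", "winsxs", "microsoft.net", "immersivecontrolpanel"}
# Locations every local user can write to: persistence here needs no admin rights to plant.
WORLD_WRITABLE_PREFIXES = ("c:\\users\\public\\", "c:\\programdata\\", "c:\\windows\\temp\\")
RUN_SUBKEYS = (
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
    r"SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce",
)

def executable_path(command):
    """Return the program part of a Run value: the quoted path, or text up to the first executable/script suffix."""
    cmd = command.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)]
    m = re.match(r"^(.*?\.(?:exe|dll|bat|cmd|vbs|js|ps1))", cmd, re.IGNORECASE)
    return m.group(1) if m else cmd.split(" ", 1)[0]

def normalize(path):
    """Lower-case and expand the two environment variables Run values commonly use."""
    p = path.lower()
    for var in ("%windir%", "%systemroot%"):
        p = p.replace(var, "c:\\windows")
    return p

def classify_run_value(command):
    """List of reasons the Run target looks like planted persistence; empty if nothing stands out."""
    path = normalize(executable_path(command))
    reasons = []
    if path.startswith(WORLD_WRITABLE_PREFIXES):
        reasons.append("target lives in a world-writable location")
    if path.startswith("c:\\windows\\"):
        parts = path[len("c:\\windows\\"):].split("\\")
        if len(parts) > 1 and parts[0] not in WINDOWS_OK_SUBDIRS:
            reasons.append("non-standard directory under C:\\Windows: " + parts[0])
    return reasons

def suspicious_run_entries(entries):
    """Filter (key, name, command) triples down to the ones worth an analyst's time."""
    return [(key, name, cmd, classify_run_value(cmd))
            for key, name, cmd in entries if classify_run_value(cmd)]

def collect_live_run_values():
    """On a Windows host, read the real Run/RunOnce values (both registry views, HKLM and HKCU)."""
    if sys.platform != "win32":
        return []
    import winreg
    found = []
    for hive, label in ((winreg.HKEY_LOCAL_MACHINE, "HKLM"), (winreg.HKEY_CURRENT_USER, "HKCU")):
        for sub in RUN_SUBKEYS:
            try:
                key = winreg.OpenKey(hive, sub)
            except OSError:
                continue  # e.g. there is no WOW6432Node branch under HKCU
            with key:
                i = 0
                while True:
                    try:
                        name, value, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break  # no more values in this key
                    found.append((label + "\\" + sub, name, str(value)))
                    i += 1
    return found

if __name__ == "__main__":
    rows = collect_live_run_values() or SAMPLE_RUN_VALUES
    for key, name, cmd, reasons in suspicious_run_entries(rows):
        print(f"{key}\\{name} -> {cmd}\n    " + "; ".join(reasons))
```

Run it as-is on an analyst workstation to see the two report entries flagged and the benign one ignored; run it as Administrator on a suspect host to sweep the live keys. The value name itself is deliberately not used as a signal: random names like Therecontinuous and localized names like 系统组件 are both common on clean machines, whereas the target directory is what this sample cannot hide.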
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\haixia\usb.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\123\PTvrst.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3820 set thread context of 4836 | N/A | C:\Users\Public\Documents\123\PTvrst.exe | C:\WINDOWS\DNomb\spolsvt.exe |
| PID 4836 set thread context of 4956 | N/A | C:\WINDOWS\DNomb\spolsvt.exe | C:\Users\Public\Documents\t\spolsvt.exe |
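The two rows above describe a two-stage hollowing chain: PTvrst.exe (PID 3820) sets the thread context of the spolsvt.exe it started from C:\WINDOWS\DNomb (PID 4836), and that process in turn sets the thread context of a second spolsvt.exe copy started from C:\Users\Public\Documents\t (PID 4956). As an added example that is not part of this report, the code below reconstructs such chains from SetThreadContext rows and flags the hop where a process injects into a copy of its own executable name; the row format parsed is the report's own, and the sample rows are copied from the table above.

```python
import re
from collections import defaultdict

# Constructed sample: the two "Suspicious use of SetThreadContext" rows above, in the
# report's (description, process, target) column order.
SAMPLE_ROWS = [
    ("PID 3820 set thread context of 4836",
     r"C:\Users\Public\Documents\123\PTvrst.exe", r"C:\WINDOWS\DNomb\spolsvt.exe"),
    ("PID 4836 set thread context of 4956",
     r"C:\WINDOWS\DNomb\spolsvt.exe", r"C:\Users\Public\Documents\t\spolsvt.exe"),
]

_DESC_RE = re.compile(r"PID (\d+) set thread context of (\d+)")

def parse_events(rows):
    """Map (source_pid, target_pid) -> (source_image, target_image) from report rows."""
    events = {}
    for desc, src_image, dst_image in rows:
        m = _DESC_RE.search(desc)
        if m:
            events[(int(m.group(1)), int(m.group(2)))] = (src_image, dst_image)
    return events

def injection_chains(events):
    """
    Follow source->target edges from every root (a PID nothing injected into) down to the
    leaves. A chain longer than two PIDs means a hollowed process went on to hollow another.
    """
    children = defaultdict(list)
    targets = {dst for _, dst in events}
    for src, dst in events:
        children[src].append(dst)
    chains = []

    def walk(pid, path):
        if pid not in children:
            chains.append(path)
            return
        for nxt in children[pid]:
            walk(nxt, path + [nxt])

    for root in dict.fromkeys(src for src, _ in events if src not in targets):
        walk(root, [root])
    return chains

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def describe_chain(chain, events):
    """
    Image path at each hop, plus a flag that fires when a stage injects into a process
    running the same executable name as itself (a copy-and-hollow step).
    """
    images = []
    self_hollow = False
    for src, dst in zip(chain, chain[1:]):
        src_image, dst_image = events[(src, dst)]
        if not images:
            images.append(src_image)
        images.append(dst_image)
        if basename(src_image) == basename(dst_image):
            self_hollow = True
    return images, self_hollow

if __name__ == "__main__":
    ev = parse_events(SAMPLE_ROWS)
    for chain in injection_chains(ev):
        images, self_hollow = describe_chain(chain, ev)
        print(" -> ".join(f"{pid} ({basename(img)})" for pid, img in zip(chain, images)),
              "| same-name hop" if self_hollow else "")
```

The same walk works over any source of "A set the context of B" pairs, for example thread-access telemetry from an EDR, once the pairs are loaded into the same dict shape; the point of chaining rather than alerting per event is that the final payload lives in the leaf (PID 4956 here), which is the process to dump.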
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\usertag | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_4 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_0 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\countries | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\D877F783D5D3EF8Cs | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_1 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\key_datas | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\settingss | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\unins000.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\D877F783D5D3EF8C\configs | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_2 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_5 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\Updater.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\D877F783D5D3EF8C\maps | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_6 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\spoiler\text | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_6 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\prefix | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\shortcuts-default.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\Telegram.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram\Telegram中文版\Telegram.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_0 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_3 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_4 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\user_data\cache\version | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\unins000.dat | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\384D52C44F53623Ds | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_18_5 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_1 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_2 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\emoji\cache_24_3 | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\shortcuts-custom.json | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\user_data\media_cache\version | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\log.txt | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\467D828013FC9E09s | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Program Files (x86)\Telegram中文版\tdata\DB65164DA6E632FFs | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI5DFC.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5C63.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5D3F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DNomb\spolsvt.exe | C:\Users\Public\haixia\usb.exe | N/A |
| File created | C:\Windows\DNomb\PTvrst.exe | C:\Users\Public\haixia\usb.exe | N/A |
| File opened for modification | C:\Windows\Installer\e585b89.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{7F1B75D6-84D3-4544-83F1-D38737C3C8F4} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI632E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\DNomb\Mpec.mbt | C:\Users\Public\haixia\usb.exe | N/A |
| File created | C:\Windows\Installer\e585b89.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5F06.tmp | C:\Windows\system32\msiexec.exe | N/A |
Enumerates physical storage devices
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections | C:\Windows\system32\svchost.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache | C:\Windows\system32\svchost.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1148472871-1113856141-1322182616-1000_Classes\Local Settings | C:\Users\Public\haixia\usb.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Public\haixia\usb.exe | N/A |
| N/A | N/A | C:\Users\Public\haixia\usb.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\123\PTvrst.exe | N/A |
| N/A | N/A | C:\Users\Public\Documents\123\PTvrst.exe | N/A |
| N/A | N/A | C:\WINDOWS\DNomb\spolsvt.exe | N/A |
| N/A | N/A | C:\WINDOWS\DNomb\spolsvt.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\TGx-64.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2343A859B88C9B1E85941606E0D00082 C
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4621825AF3F02A4AF8A42815855ED68C
C:\Users\Public\haixia\usb.exe
"C:\Users\Public\haixia\usb.exe"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Public\Documents\123\PTvrst.exe
"C:\Users\Public\Documents\123\PTvrst.exe"
C:\WINDOWS\DNomb\spolsvt.exe
C:\WINDOWS\DNomb\spolsvt.exe
C:\Users\Public\Documents\t\spolsvt.exe
C:\Users\Public\Documents\t\spolsvt.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 224.104.207.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sidamingzhu.oss-cn-hongkong.aliyuncs.com | udp |
| HK | 47.75.19.12:443 | sidamingzhu.oss-cn-hongkong.aliyuncs.com | tcp |
| US | 8.8.8.8:53 | 12.19.75.47.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sidamingzhu.oss-cn-hongkong.aliyuncs.com | udp |
| US | 8.8.8.8:53 | 226.20.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pipi.wccabc.com | udp |
| HK | 154.23.176.188:3927 | pipi.wccabc.com | tcp |
| US | 8.8.8.8:53 | 188.176.23.154.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.77.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.109.69.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 38.148.119.40.in-addr.arpa | udp |
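Most rows in the Network table are not indicators: the 8.8.8.8:53 rows are the sandbox's resolver, and the in-addr.arpa names are reverse lookups the sandbox issues for every peer it observes, including the host's own background traffic. What remains is an Alibaba Cloud OSS bucket fetched over TLS (sidamingzhu.oss-cn-hongkong.aliyuncs.com at 47.75.19.12:443) and a TCP connection to pipi.wccabc.com at 154.23.176.188:3927. The following is an added example, not part of this report, that turns rows in the table's format into an IOC set and separates IPs that appear only as PTR lookups so they can be reviewed rather than blocked blindly; the resolver set and the sample rows (a subset copied from the table above) are assumptions of the example.

```python
import ipaddress

# Constructed sample: a subset of this report's Network rows as (country, destination, domain, proto).
SAMPLE_NETWORK = [
    ("US", "8.8.8.8:53", "224.104.207.23.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "sidamingzhu.oss-cn-hongkong.aliyuncs.com", "udp"),
    ("HK", "47.75.19.12:443", "sidamingzhu.oss-cn-hongkong.aliyuncs.com", "tcp"),
    ("US", "8.8.8.8:53", "12.19.75.47.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "pipi.wccabc.com", "udp"),
    ("HK", "154.23.176.188:3927", "pipi.wccabc.com", "tcp"),
    ("US", "8.8.8.8:53", "188.176.23.154.in-addr.arpa", "udp"),
    ("US", "8.8.8.8:53", "0.77.109.52.in-addr.arpa", "udp"),
]

# Resolver used by the sandbox VM (assumed); traffic to it is infrastructure, not a C2 endpoint.
SANDBOX_RESOLVERS = {"8.8.8.8"}

def split_dest(dest):
    """'154.23.176.188:3927' -> ('154.23.176.188', 3927)."""
    host, _, port = dest.rpartition(":")
    return host, int(port)

def ptr_to_ip(name):
    """'12.19.75.47.in-addr.arpa' -> '47.75.19.12'; None if the name is not a v4 PTR name."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    except ValueError:
        return None

def extract_iocs(rows):
    """
    Return {"domains": set, "endpoints": set of (ip, port, proto), "ptr_lookups": set of ip}.
    PTR names are kept only as the IP they reverse; resolver traffic yields the queried
    domain but no endpoint; everything else is a connection the sample actually made.
    """
    iocs = {"domains": set(), "endpoints": set(), "ptr_lookups": set()}
    for _country, dest, domain, proto in rows:
        ip, port = split_dest(dest)
        reversed_ip = ptr_to_ip(domain)
        if reversed_ip:
            iocs["ptr_lookups"].add(reversed_ip)
            continue
        iocs["domains"].add(domain)
        if ip in SANDBOX_RESOLVERS and port == 53:
            continue  # name resolution only; the connection, if any, is its own row
        iocs["endpoints"].add((ip, port, proto))
    return iocs

def ptr_only_ips(iocs):
    """IPs the sandbox reverse-resolved but never connected to: review before blocking."""
    connected = {ip for ip, _, _ in iocs["endpoints"]}
    return iocs["ptr_lookups"] - connected

if __name__ == "__main__":
    iocs = extract_iocs(SAMPLE_NETWORK)
    print("domains:  ", sorted(iocs["domains"]))
    print("endpoints:", sorted(iocs["endpoints"]))
    print("ptr-only: ", sorted(ptr_only_ips(iocs)))
```

Feeding the whole table through gives the same two domains and two endpoints; the ptr-only set is where the sandbox OS's own peers end up, which is why it is returned separately instead of being merged into the block list.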
Files
C:\Users\Admin\AppData\Local\Temp\MSIC2E2.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
\Users\Admin\AppData\Local\Temp\MSIC2E2.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIC4A9.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
\Users\Admin\AppData\Local\Temp\MSIC4A9.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIC555.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
\Users\Admin\AppData\Local\Temp\MSIC555.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIC622.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
\Users\Admin\AppData\Local\Temp\MSIC622.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIC6CE.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
\Users\Admin\AppData\Local\Temp\MSIC6CE.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIC846.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
\Users\Admin\AppData\Local\Temp\MSIC846.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSIC8F3.tmp
| MD5 | 48c25fba873a341b914652763cbc4f7b |
| SHA1 | 98b51420e26829bb96a963e4fb897db733c76fc0 |
| SHA256 | 4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd |
| SHA512 | c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68 |
\Users\Admin\AppData\Local\Temp\MSIC8F3.tmp
| MD5 | 48c25fba873a341b914652763cbc4f7b |
| SHA1 | 98b51420e26829bb96a963e4fb897db733c76fc0 |
| SHA256 | 4595c98e419d911b31eedfc342384e78024f5e23ccfdcfde4d2d304241e7c6cd |
| SHA512 | c8931846db2b75860104d0dbf1cac5220fc2f3464cc83536b189c9bb8ccd4b1ddc490a7e7cf2f711bea086c29bf3948bd96ba81def63b752688277f0e96dbf68 |
C:\Users\Admin\AppData\Local\Temp\MSIC9FE.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
\Users\Admin\AppData\Local\Temp\MSIC9FE.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSICAAB.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
\Users\Admin\AppData\Local\Temp\MSICAAB.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Users\Admin\AppData\Local\Temp\MSIF2D5.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
\Users\Admin\AppData\Local\Temp\MSIF2D5.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSIF3C0.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
\Users\Admin\AppData\Local\Temp\MSIF3C0.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Admin\AppData\Local\Temp\MSIF519.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Windows\Installer\MSI5C63.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Windows\Installer\MSI5D3F.tmp
| MD5 | db7612f0fd6408d664185cfc81bef0cb |
| SHA1 | 19a6334ec00365b4f4e57d387ed885b32aa7c9aa |
| SHA256 | e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240 |
| SHA512 | 25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9 |
C:\Windows\Installer\MSI5DFC.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Windows\Installer\MSI5F06.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Program Files (x86)\Telegram中文版\Telegram.exe
| MD5 | dffd0738bc474639bed3a895498e4a71 |
| SHA1 | 7025e03fd682fb74bccb0911fd1de6a35383b129 |
| SHA256 | 090e1109df7fa7fce8b76d34028111b2a62ef48170d9b214191023de2d441f46 |
| SHA512 | 588e3972d6f9816b6022c496eaf3d246badb39380ce6e0703ab43cd7e9210ce036e524c8b7d82016a2dff4ae94e18b9a5d8ba25174c134919c6205b30f85ba5e |
C:\Config.Msi\e585b8a.rbs
| MD5 | c7b973d438cdaaa4820ebde7d5adcc1b |
| SHA1 | 3177d0d3ca5a100e87d84d0dc88860f0ca812fbd |
| SHA256 | e2ad1424ac61beda1e6f7201e9fbfcb3bfd24347a632bed54bebbac48b928abe |
| SHA512 | a3bdd2929107b41eebe29906180dd939da415ab124194e2ee1b9c46d29fed0dfc5bd04f617e9bd53a52bf0addd0438980eadef1bbfb483e3ef9e711382a5b514 |
C:\Users\Admin\AppData\Local\Temp\MSI7A96.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\Users\Public\haixia\usb.exe
| MD5 | c0b89095eac7d60bd1d2018dc6000550 |
| SHA1 | 9a56f862f787d4b8a7bd0ca248ae029f07a0988a |
| SHA256 | f9b4a0e6e51e6857ee34657a722f38feb7ede30fbf9418f92da23c083952b5b2 |
| SHA512 | 8e71204234e0e0186120e8f5b1ffc9ca4a531802b2f1f414def4339551dccea9755c7438d036f7020ee464bdcd25602a2938a9e4fd406df438b7369c95afec2d |
\??\Volume{96faa851-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f53f6e35-1a61-4ece-a837-747c14e0195f}_OnDiskSnapshotProp
| MD5 | f5e22c6a1c361d372d931a51022b54dd |
| SHA1 | 1c685fc3f16897cb67c11e2f66bbb213b481f00e |
| SHA256 | 271fa5bb16d455a16d7bcfd85959a77e4a15584a46dba6958a2215aee772f234 |
| SHA512 | d18c358af877eeb7b91f91a5470294105e02bafb7e216a53e4fef22eb33b79eeeda3354e8801a25d2d1d7faff67dd00003f9d3383d361476cca012340d9ffa8e |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | a3670a783d46849d926c67a63eacd134 |
| SHA1 | f96fc9910caf65ab735e9bea81ab71feb631171f |
| SHA256 | 465277456867651cc5b15df30c6d323a3dd45d7cac0ea16d3af03084a85b9626 |
| SHA512 | 35d53cf346c122f1a595ec4abee3dc6e939bef3664b080e01c23b4a0ed2208e3f43439cacddde1242f2077772909cfd22e13d55f56766ef60ea976531bef7a8e |
C:\Users\Public\Documents\123\PTvrst.exe
| MD5 | d22cfb5bfaeb1503b12b07e53ef0a149 |
| SHA1 | 8ea2c85e363f551a159fabd65377affed4e417a1 |
| SHA256 | 260464fb05210cfb30ef7a12d568f75eb781634b251d958cae8911948f6ca360 |
| SHA512 | 151024cb2960b1ee485ded7ccbb753fe368a93fda5699af72e568667fa54bfb0d1732444e7b60efaab6d372204157cdb6abbf8862d0e89d612dd963342215e45 |
C:\Users\Admin\AppData\Local\Temp\MSIE315.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |
C:\WINDOWS\DNomb\Mpec.mbt
| MD5 | 1d294165b61163c73a5379ca4f388d67 |
| SHA1 | 10ff3c414046c66243b27c4842498f9b44ca1549 |
| SHA256 | d31736379a57748afdac7c17437f8506068c9f19e0952ce0421eeb88ad4c2a44 |
| SHA512 | d16f086ef3bab1c33529d6c7322159c84db2852288bbfd33f650aa632b6b43ede15e041be100c163a42e18e7ef759e52558b373cee5222cc5b2d3f04a456d3ee |
C:\WINDOWS\DNomb\spolsvt.exe
| MD5 | 523d5c39f9d8d2375c3df68251fa2249 |
| SHA1 | d4ed365c44bec9246fc1a65a32a7791792647a10 |
| SHA256 | 20e3dc90a3e83b6202e2a7f4603b60e5e859639cb68693426c400b13aaeabd78 |
| SHA512 | 526e1bba30d03f1ac177c6ab7409187a730969c429cebef15da68ffcf44b3b93227781eebc827b2f7a0fa17c391e00a0e532263fd0167aeaeb0456f96cfe3ae4 |
C:\Users\Public\Documents\t\spolsvt.exe
| MD5 | cdce4713e784ae069d73723034a957ff |
| SHA1 | 9a393a6bab6568f1a774fb753353223f11367e09 |
| SHA256 | b29e48102ecb3d3614e8980a8b8cc63dd2b993c6346f466479244ec2b47b69d8 |
| SHA512 | 0a3a59a305cc2a6fad4e1315b0bcc5a4129595dfe1e8b703363fa02528d2d7c48d3fd22d365708be84a5557cf1916873df9563c454732f93f94a66e7e3b9fb0f |
C:\Users\Admin\AppData\Local\Temp\MSI30D8.tmp
| MD5 | f7b1ddc86cd51e3391aa8bf4be48d994 |
| SHA1 | a0c0a4a77991d7f8df722acdd782310a6da2a904 |
| SHA256 | ac2df3283d65ab78ca399232fa090764636e0fec7ab53be28f6ee93733d8787f |
| SHA512 | f853c3cf9ec175e946dd42f7f35d130f4fb941f64bbf5780ce452fe6e87459217b80872db375ad1bbafc47ad263408e4222d81f62c7df92c77e23e77e67e6fa6 |