blackmoon | 1da26ddd2b93eec00f5b4ed407e8360f7b31a51241d8cfe108b2b88c26948b4b

Analysis

max time kernel
148s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
14/11/2023, 04:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

tg.msi
Size

65.9MB
MD5

cfc82a8a640e156626dde4ca6bc3c8b1
SHA1

cc975d884ebaa3a8f1ba2050eba90c169ba70731
SHA256

1da26ddd2b93eec00f5b4ed407e8360f7b31a51241d8cfe108b2b88c26948b4b
SHA512

913125e3e8969cede39e8d92d20816c611401ba3bc2135c5c7bc8c4e752e40f6acbe5b96d04ab3856f6d6c06da6fdc2140ba64e7811f6f3f079cc81243b6c9a9
SSDEEP

1572864:7y0HNdfTIKjkuW9hSCNmMPKctkorSuHw2srpvKhzzApc:G0t5hJe5m+bOIWpv

Score

10^/10

blackmoon banker trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral3/memory/2136-127-0x0000000002D20000-0x0000000002D45000-memory.dmp	family_blackmoon
behavioral3/memory/2668-161-0x00000000030F0000-0x0000000003115000-memory.dmp	family_blackmoon

Executes dropped EXE 3 IoCs

pid	Process
224	Service.exe
2136	Service.exe
2668	Service.exe

Loads dropped DLL 16 IoCs

pid	Process
3524	MsiExec.exe
3524	MsiExec.exe
3524	MsiExec.exe
3524	MsiExec.exe
3524	MsiExec.exe
3524	MsiExec.exe
3392	MsiExec.exe
3392	MsiExec.exe
3524	MsiExec.exe
3524	MsiExec.exe
224	Service.exe
224	Service.exe
2136	Service.exe
2136	Service.exe
2668	Service.exe
2668	Service.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIFFD8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{F20A49B1-CAA9-4ED3-AC24-85246FBFA881}	msiexec.exe
File created	C:\Windows\Installer\e58fc9b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58fc9b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFE7F.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI400.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000064ad0c2742b1dab0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000064ad0c20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900064ad0c2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d064ad0c2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000064ad0c200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Service.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Service.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	MsiExec.exe
Key created	\REGISTRY\USER\S-1-5-21-3125601242-331447593-1512828465-1000_Classes\Local Settings	Service.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4752	msiexec.exe
4752	msiexec.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe
2136	Service.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3488	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3488	msiexec.exe
Token: SeSecurityPrivilege	4752	msiexec.exe
Token: SeCreateTokenPrivilege	3488	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3488	msiexec.exe
Token: SeLockMemoryPrivilege	3488	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3488	msiexec.exe
Token: SeMachineAccountPrivilege	3488	msiexec.exe
Token: SeTcbPrivilege	3488	msiexec.exe
Token: SeSecurityPrivilege	3488	msiexec.exe
Token: SeTakeOwnershipPrivilege	3488	msiexec.exe
Token: SeLoadDriverPrivilege	3488	msiexec.exe
Token: SeSystemProfilePrivilege	3488	msiexec.exe
Token: SeSystemtimePrivilege	3488	msiexec.exe
Token: SeProfSingleProcessPrivilege	3488	msiexec.exe
Token: SeIncBasePriorityPrivilege	3488	msiexec.exe
Token: SeCreatePagefilePrivilege	3488	msiexec.exe
Token: SeCreatePermanentPrivilege	3488	msiexec.exe
Token: SeBackupPrivilege	3488	msiexec.exe
Token: SeRestorePrivilege	3488	msiexec.exe
Token: SeShutdownPrivilege	3488	msiexec.exe
Token: SeDebugPrivilege	3488	msiexec.exe
Token: SeAuditPrivilege	3488	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3488	msiexec.exe
Token: SeChangeNotifyPrivilege	3488	msiexec.exe
Token: SeRemoteShutdownPrivilege	3488	msiexec.exe
Token: SeUndockPrivilege	3488	msiexec.exe
Token: SeSyncAgentPrivilege	3488	msiexec.exe
Token: SeEnableDelegationPrivilege	3488	msiexec.exe
Token: SeManageVolumePrivilege	3488	msiexec.exe
Token: SeImpersonatePrivilege	3488	msiexec.exe
Token: SeCreateGlobalPrivilege	3488	msiexec.exe
Token: SeCreateTokenPrivilege	3488	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3488	msiexec.exe
Token: SeLockMemoryPrivilege	3488	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3488	msiexec.exe
Token: SeMachineAccountPrivilege	3488	msiexec.exe
Token: SeTcbPrivilege	3488	msiexec.exe
Token: SeSecurityPrivilege	3488	msiexec.exe
Token: SeTakeOwnershipPrivilege	3488	msiexec.exe
Token: SeLoadDriverPrivilege	3488	msiexec.exe
Token: SeSystemProfilePrivilege	3488	msiexec.exe
Token: SeSystemtimePrivilege	3488	msiexec.exe
Token: SeProfSingleProcessPrivilege	3488	msiexec.exe
Token: SeIncBasePriorityPrivilege	3488	msiexec.exe
Token: SeCreatePagefilePrivilege	3488	msiexec.exe
Token: SeCreatePermanentPrivilege	3488	msiexec.exe
Token: SeBackupPrivilege	3488	msiexec.exe
Token: SeRestorePrivilege	3488	msiexec.exe
Token: SeShutdownPrivilege	3488	msiexec.exe
Token: SeDebugPrivilege	3488	msiexec.exe
Token: SeAuditPrivilege	3488	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3488	msiexec.exe
Token: SeChangeNotifyPrivilege	3488	msiexec.exe
Token: SeRemoteShutdownPrivilege	3488	msiexec.exe
Token: SeUndockPrivilege	3488	msiexec.exe
Token: SeSyncAgentPrivilege	3488	msiexec.exe
Token: SeEnableDelegationPrivilege	3488	msiexec.exe
Token: SeManageVolumePrivilege	3488	msiexec.exe
Token: SeImpersonatePrivilege	3488	msiexec.exe
Token: SeCreateGlobalPrivilege	3488	msiexec.exe
Token: SeCreateTokenPrivilege	3488	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3488	msiexec.exe
Token: SeLockMemoryPrivilege	3488	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3488	msiexec.exe
3488	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4752 wrote to memory of 3524	4752	msiexec.exe	88
PID 4752 wrote to memory of 3524	4752	msiexec.exe	88
PID 4752 wrote to memory of 3524	4752	msiexec.exe	88
PID 4752 wrote to memory of 4840	4752	msiexec.exe	108
PID 4752 wrote to memory of 4840	4752	msiexec.exe	108
PID 4752 wrote to memory of 3392	4752	msiexec.exe	110
PID 4752 wrote to memory of 3392	4752	msiexec.exe	110
PID 4752 wrote to memory of 3392	4752	msiexec.exe	110
PID 3524 wrote to memory of 224	3524	MsiExec.exe	116
PID 3524 wrote to memory of 224	3524	MsiExec.exe	116
PID 3524 wrote to memory of 224	3524	MsiExec.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\tg.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3488

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4752
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding BC03D51CE76706256993E03E98B82243 C
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3524
- - C:\Users\Admin\AppData\Roaming\tdata\dumps\Service.exe
    "C:\Users\Admin\AppData\Roaming\tdata\dumps\Service.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:224
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4840
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FC862CB7A861A635819759C1E5CF76F3
  2⤵
  - Loads dropped DLL
  PID:3392

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4516

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4000

C:\Users\Admin\AppData\Roaming\tdata\dumps\Service.exe
"C:\Users\Admin\AppData\Roaming\tdata\dumps\Service.exe" AAAABBAAAA
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2136

C:\Users\Admin\AppData\Roaming\tdata\dumps\Service.exe
"C:\Users\Admin\AppData\Roaming\tdata\dumps\Service.exe" AAAABBAAAA
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e58fc9c.rbs

Filesize
4KB

MD5
e0e855f421ca8f4793029f6a21de2b9e

SHA1
e2c7b69efcfd0d7bd6744bed22220018397f7c7c

SHA256
54b27c8f4d95960eb6e4b69eaa3e29adb9c6fa596d9ff3370f5b51c7ce5734fc

SHA512
307f459ea759a5f28302dfc8b7a4c3d2fc4f4782fd189a6c88a65e0de2f8d796a8bd50e376ed458db149bf57da1cce11b7b66aa965f5c7ee38bb27748161bbee

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI12D8.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI12D8.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI144F.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI144F.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1579.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1579.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1598.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1598.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1598.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI15B9.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI15B9.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1617.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1617.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1A5E.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI1A5E.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF3D6.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF3D6.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Users\Admin\AppData\Roaming\Telegram.exe

Filesize
135.1MB

MD5
0a2c35b334695d658172aa72e06ca09b

SHA1
db5e5d2129cb2423239b17360a301c1636192c44

SHA256
ac97c0a4651ee45cb77ec4e1b2ea3b8e409ee9904e2769fd385acc537e3545f3

SHA512
42134bb9f1bb05a2d829367616f1d5b4766237afe3346599ca669adbf3a75383430c6b8577e563b8a113c90884a8997d2c7e671cce221b6a525fcd60f7a33003

Download Submit
C:\Users\Admin\AppData\Roaming\tdata\dumps\DuiLib.png

Filesize
789KB

MD5
a9b064de7683e8f09b792d6b88800daf

SHA1
cf457585e649dcf98e9fb9fea7366075a5493290

SHA256
1157df29097c9290c88faa365c189324f1d5409fabf9a9b0c6bb3e30c4f2e3f8

SHA512
13f17053f511df7b416c9d14dbe7aa2be2afae5a38a41502b394419a30a178ea6924d0cc98958a4fd1160794fdfaaa3cd045957f83883253173aa7a225deef72

Download Submit
C:\Users\Admin\AppData\Roaming\tdata\dumps\DuiLib_u.dll

Filesize
489KB

MD5
0b98bd6bf1956a04d626bf45c8a8f24f

SHA1
4d33a107a39071d5f3dfb0d5e6665920eea1ecf0

SHA256
d0ac4eb544bc848c6eed4ef4617b13f9ef259054fe9e35d9df02267d5a1c26b2

SHA512
6211b41cba988de9728659f0577dc8afe774e6a7037f9447177605193c07106330ee710deae9e70beb0dcb9164b690863b905d97b3db7a19fdaae4e502f319ed

Download Submit
C:\Users\Admin\AppData\Roaming\tdata\dumps\DuiLib_u.dll

Filesize
489KB

MD5
0b98bd6bf1956a04d626bf45c8a8f24f

SHA1
4d33a107a39071d5f3dfb0d5e6665920eea1ecf0

SHA256
d0ac4eb544bc848c6eed4ef4617b13f9ef259054fe9e35d9df02267d5a1c26b2

SHA512
6211b41cba988de9728659f0577dc8afe774e6a7037f9447177605193c07106330ee710deae9e70beb0dcb9164b690863b905d97b3db7a19fdaae4e502f319ed

Download Submit
C:\Users\Admin\AppData\Roaming\tdata\dumps\DuiLib_u.dll

Filesize
489KB

MD5
0b98bd6bf1956a04d626bf45c8a8f24f

SHA1
4d33a107a39071d5f3dfb0d5e6665920eea1ecf0

SHA256
d0ac4eb544bc848c6eed4ef4617b13f9ef259054fe9e35d9df02267d5a1c26b2

SHA512
6211b41cba988de9728659f0577dc8afe774e6a7037f9447177605193c07106330ee710deae9e70beb0dcb9164b690863b905d97b3db7a19fdaae4e502f319ed

Download Submit
C:\Users\Admin\AppData\Roaming\tdata\dumps\DuiLib_u.dll

Filesize
489KB

MD5
0b98bd6bf1956a04d626bf45c8a8f24f

SHA1
4d33a107a39071d5f3dfb0d5e6665920eea1ecf0

SHA256
d0ac4eb544bc848c6eed4ef4617b13f9ef259054fe9e35d9df02267d5a1c26b2

SHA512
6211b41cba988de9728659f0577dc8afe774e6a7037f9447177605193c07106330ee710deae9e70beb0dcb9164b690863b905d97b3db7a19fdaae4e502f319ed

Download Submit
C:\Users\Admin\AppData\Roaming\tdata\dumps\Service.exe

Filesize
1.4MB

MD5
f69465ef1bc5fcfd30a667a4eec19c66

SHA1
70074fd04a8fe4804421b215b3f13252c2fe31de

SHA256
dda4924824054c574b5a7c96b2e30f7fb6e643b510db8288b1a6721fa7ff463a

SHA512
7445615aa9798315f13da7a354898f4463792d1292dfea3be398e782964bad16150791bb07e6a9e6dbf9372657c3ca5afa3cc8eb8d3d039e846a67fdd889af83

Download Submit
C:\Users\Admin\AppData\Roaming\tdata\dumps\Service.exe

Filesize
1.4MB

MD5
f69465ef1bc5fcfd30a667a4eec19c66

SHA1
70074fd04a8fe4804421b215b3f13252c2fe31de

SHA256
dda4924824054c574b5a7c96b2e30f7fb6e643b510db8288b1a6721fa7ff463a

SHA512
7445615aa9798315f13da7a354898f4463792d1292dfea3be398e782964bad16150791bb07e6a9e6dbf9372657c3ca5afa3cc8eb8d3d039e846a67fdd889af83

Download Submit
C:\Users\Admin\AppData\Roaming\tdata\dumps\Service.exe

Filesize
1.4MB

MD5
f69465ef1bc5fcfd30a667a4eec19c66

SHA1
70074fd04a8fe4804421b215b3f13252c2fe31de

SHA256
dda4924824054c574b5a7c96b2e30f7fb6e643b510db8288b1a6721fa7ff463a

SHA512
7445615aa9798315f13da7a354898f4463792d1292dfea3be398e782964bad16150791bb07e6a9e6dbf9372657c3ca5afa3cc8eb8d3d039e846a67fdd889af83

Download Submit
C:\Users\Admin\AppData\Roaming\tdata\dumps\Service.exe

Filesize
1.4MB

MD5
f69465ef1bc5fcfd30a667a4eec19c66

SHA1
70074fd04a8fe4804421b215b3f13252c2fe31de

SHA256
dda4924824054c574b5a7c96b2e30f7fb6e643b510db8288b1a6721fa7ff463a

SHA512
7445615aa9798315f13da7a354898f4463792d1292dfea3be398e782964bad16150791bb07e6a9e6dbf9372657c3ca5afa3cc8eb8d3d039e846a67fdd889af83

Download Submit
C:\Users\Admin\AppData\Roaming\tdata\dumps\Utility.dll

Filesize
64.4MB

MD5
b96d148b4e040965b00a6e3d64acc6dd

SHA1
9a73d4dc1b22b8caec3395c227555aa2c2c95009

SHA256
03af5482a42522b14b491726e9cc578bd464ad8974460ce5c0d1173ac46c7376

SHA512
28b7c5654de478c1d7bb11447c3dd817badbeb275cbf1f06755345ab0af21703a41d80d32fe3a67c8f62b10a38ff8bf9dbcb0a73e65a14fba5821bda077fbfeb

Download Submit
C:\Users\Admin\AppData\Roaming\tdata\dumps\Utility.dll

Filesize
64.4MB

MD5
b96d148b4e040965b00a6e3d64acc6dd

SHA1
9a73d4dc1b22b8caec3395c227555aa2c2c95009

SHA256
03af5482a42522b14b491726e9cc578bd464ad8974460ce5c0d1173ac46c7376

SHA512
28b7c5654de478c1d7bb11447c3dd817badbeb275cbf1f06755345ab0af21703a41d80d32fe3a67c8f62b10a38ff8bf9dbcb0a73e65a14fba5821bda077fbfeb

Download Submit
C:\Users\Admin\AppData\Roaming\tdata\dumps\Utility.dll

Filesize
64.4MB

MD5
b96d148b4e040965b00a6e3d64acc6dd

SHA1
9a73d4dc1b22b8caec3395c227555aa2c2c95009

SHA256
03af5482a42522b14b491726e9cc578bd464ad8974460ce5c0d1173ac46c7376

SHA512
28b7c5654de478c1d7bb11447c3dd817badbeb275cbf1f06755345ab0af21703a41d80d32fe3a67c8f62b10a38ff8bf9dbcb0a73e65a14fba5821bda077fbfeb

Download Submit
C:\Users\Admin\AppData\Roaming\tdata\dumps\Utility.dll

Filesize
64.4MB

MD5
b96d148b4e040965b00a6e3d64acc6dd

SHA1
9a73d4dc1b22b8caec3395c227555aa2c2c95009

SHA256
03af5482a42522b14b491726e9cc578bd464ad8974460ce5c0d1173ac46c7376

SHA512
28b7c5654de478c1d7bb11447c3dd817badbeb275cbf1f06755345ab0af21703a41d80d32fe3a67c8f62b10a38ff8bf9dbcb0a73e65a14fba5821bda077fbfeb

Download Submit
C:\Windows\Installer\MSIFE7F.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Windows\Installer\MSIFE7F.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Windows\Installer\MSIFFD8.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Windows\Installer\MSIFFD8.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
0ea3acd1307d7219920ee18dd9149831

SHA1
382b8878fddcbb4eb01fa80c78e92496a0ecc01e

SHA256
21ab7d99b3fa43ba59170a6cf5c5d318e40a1cb155156e8f601abb1025713182

SHA512
11deeb6b4eac1a2b76638088810af5ee1851b6ac36a5f363980dd26a966eb1d48fe1ab8a361b3c92449cc0df1f327ed562ca9b4d454ff8dff768d4500390dc22

Download Submit
\??\Volume{c2d04a06-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{97aede52-d9af-47ef-9f1a-6261e5ab1137}_OnDiskSnapshotProp

Filesize
5KB

MD5
ab4aca4e6ce43bc7052d27682030a30f

SHA1
a22dc69e289436e577c99c8aaf4d3fcfe5625f06

SHA256
a5786f4e7b9ff84cdc91540f8af116a29db0c99b0e0b94f5215649ab09d41956

SHA512
851dab2864ca1390801ffc975747d47c44b6576651cd53b072ca61b126885a0eaaecb6aa09ae0624a88de4e763165e63178567d689e31bf53f6f5492c251d2b2

Download Submit
memory/224-114-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2136-127-0x0000000002D20000-0x0000000002D45000-memory.dmp

Filesize
148KB

Download
memory/2136-123-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2668-157-0x0000000010000000-0x00000000100CD000-memory.dmp

Filesize
820KB

Download
memory/2668-161-0x00000000030F0000-0x0000000003115000-memory.dmp

Filesize
148KB

Download