Malware Analysis Report

2025-06-15 23:38

Sample ID 241119-epln3szmft
Target i4.msi.vir
SHA256 7f7abbdbd82cc7e2142636e764b13547bd1e309221693a9e3d1ceab5299c0af6
Tags
discovery persistence privilege_escalation blackmoon banker trojan
score
10/10

Analysis Overview

score
10/10

SHA256

7f7abbdbd82cc7e2142636e764b13547bd1e309221693a9e3d1ceab5299c0af6

Threat Level: Known bad

The file i4.msi.vir was found to be: Known bad.

Malicious Activity Summary

discovery persistence privilege_escalation blackmoon banker trojan

Detect Blackmoon payload

Blackmoon, KrBanker

Blackmoon family

Blocklisted process makes network request

Enumerates connected drives

Suspicious use of NtSetInformationThreadHideFromDebugger

Executes dropped EXE

Loads dropped DLL

Drops file in Windows directory

Event Triggered Execution: Installer Packages

System Location Discovery: System Language Discovery

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Modifies data under HKEY_USERS

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-19 04:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-19 04:06

Reported

2024-11-19 04:11

Platform

win7-20241023-en

Max time kernel

122s

Max time network

144s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\i4.msi

Signatures

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\i4.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding ADA5DEC938DB1551A485271CE629C44D U

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding C1A7C0D015CF24D9BA8CFC5C2A7186B6 C

Network

Country Destination Domain Proto
US 8.8.8.8:53 collect.installeranalytics.com udp
US 44.219.104.77:443 collect.installeranalytics.com tcp
US 8.8.8.8:53 ocsp.r2m02.amazontrust.com udp
DE 13.32.26.76:80 ocsp.r2m02.amazontrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
GB 95.100.245.144:80 www.microsoft.com tcp

Files

\Users\Admin\AppData\Local\Temp\MSI27698\embeddeduiproxy.dll

MD5 6671824509f40eb0ddb8fad2a2c66886
SHA1 ab8e4380b5f0d104476793351334631e2fa6054f
SHA256 8ffa276ce0b7ceb444d1a1e898d80a46b87c5f506655f49c94b39f0a7581092f
SHA512 3b7570deeb144ead27165791c5a6eb3ab813fe19834ccb311c09aee04ab94a1fb08bae4236e5bacd02f62092689eac3292bef80a77933600cb0e3b70738b9258

\Users\Admin\AppData\Local\Temp\MSI27698\InstallerAnalytics.dll

MD5 806e65956064190d6154d5de5cc96a5e
SHA1 f2fa1b10dec6f4166b79e710d81147c9028c4198
SHA256 17f79990c5455ac18abbca13fcd8f8584518881487f9fedcbd7cbbdbe003c6f8
SHA512 ae72ec2fe5895ca5e9e44b6c5e677356f9b7ba342d686a59be42b16027013d4b7c8c83ed0530705d792ac7b5881d10ec72dff546c2ee3c1452372d363501c62f

C:\Users\Admin\AppData\Local\Temp\MSIACA.tmp

MD5 89f70b588a48793450dd603b6cd4096f
SHA1 9b6509c031856c715d62853c4e93efbdf48d5aeb
SHA256 066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281
SHA512 fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\tracking.ini

MD5 e7b1669a13b5a37a7fe9c0c0837693b3
SHA1 c1e19a48e49e89f5cc1cea57e7350af1df537ba3
SHA256 f8bc58f64d6d7467891f750fcd6b3eda3b7d0c72974a7c371e14781d73247685
SHA512 caaef631902e79cb964467cebc7370d9ddb3f8332de4908349be7eb66611de0bfe06b5e6124a3ae878906e646b6e5157237fa25d9de463418e12a2ed83f0132f

C:\Users\Admin\AppData\Local\Temp\MSIDEA.tmp

MD5 58c6476771f68f57661d0f6533cb70ef
SHA1 8080de39939f0a8f1e0c529cca30bf38b0e6abf2
SHA256 7eb240ef6e75de05b2a199bc55fdc8d13f467d5b4e58457011653312fffcc65f
SHA512 2b4b4e4466a7eea2d28631a80f257ced0a7263aa81c945105b793371534580dff1b66779bab36b9157b596c352c234a19c568e105faa1ba8681aa39feb5950c5

C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{F3BF71FA-708A-4A6C-B5AB-B8317B068282}.session

MD5 a4a202cbf1dea4b063414801a26b47b4
SHA1 b3dd59496028039392438ab32544202cb2459f95
SHA256 5f3eb0d0e630ced64d7006fcea373e8ed5fa33aedf6cf903d60f4977a7161681
SHA512 66be3a25bc2d4982a32d88ddd580756b2fdb56a2c2423019b868ecc2c8c9a62d0b2a4e39616480b372e3f6325ca4a12f2e80385faeb44f4fe9b991b7d4418cf7

C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{F3BF71FA-708A-4A6C-B5AB-B8317B068282}.session

MD5 c6d312c69afbe4a25ff1e1f22c464bb5
SHA1 13dafe1f25a7fcf43d4b1ddcea46d5892bcf0926
SHA256 1a23c5f6456859b40c23ee3a5e9fcb1c7e7d9a142e3044e0ccb7cacf6c9a0f2e
SHA512 39ed19b741ee4a22c0a07bf52683f3704374b3f71835f7a621b326c6fb80dbd107911413d626d8aa8ef8e37f44b809a00721d633507af6cff6a3b023870c14b9

C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{F3BF71FA-708A-4A6C-B5AB-B8317B068282}.session

MD5 0d21901475a17d5a64c1a409fe101ebf
SHA1 1f038bd771d07a260ce97748dc38b90169b75980
SHA256 9a0a96f4aa48ab033333dd8b6cdddbea9b736f735d3684f210d70243364d86ae
SHA512 97d612e3fa810b8a90a02efa6ae1dda21fd94a696c65b2ecc5f30c59f38db51688f491a7e4aaf235e534987138bf577694e7b4a64c594b48165a354a3398340b

C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\tracking.ini

MD5 9eae3db1b68a671c37d05767c61541b0
SHA1 069533983193ce659e58e397951688c7b018da5f
SHA256 b4191f28c6dff17c8419efb8730b96ef30bb912c179d4690e73fff8fc6fb4982
SHA512 19c6e5a5860f63448291b5584ef6bb0be128dd451e8198a30a5815030e1ce6460cbde7d5341cbac5b1f271f7b3825b19d6f333a582e97656ae1029683be48e3e

C:\Users\Admin\AppData\Local\Temp\Cab714B.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar717D.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9dde46e2217f1b0bb19c070ab033aa01
SHA1 0170deaa43c37178715372e68eab4b1dbb035dcc
SHA256 120e8cb04a322ad6ad7337fecf71b9d1345e4f03e4cbafcef9c2229a428ea954
SHA512 e31e75f918afc93192e988c0ce76379532fabb29adbc67cc7f74f80029364b14a784538dbb27962a18d93dd4cd1e646f28754b554ae3813cbd730706131bab8c

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-19 04:06

Reported

2024-11-19 04:11

Platform

win10v2004-20241007-en

Max time kernel

141s

Max time network

155s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\i4.msi

Signatures

Blackmoon family

blackmoon

Blackmoon, KrBanker

trojan banker blackmoon

Detect Blackmoon payload

Description Indicator Process Target
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\syswow64\MsiExec.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSI4823.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4A18.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI514E.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI718B.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e584253.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4A96.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{19C746AC-46B2-488C-B026-36DFC3AFFC0F} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI544D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\{19C746AC-46B2-488C-B026-36DFC3AFFC0F}\HaloTray_1.exe C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4708.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4795.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\{19C746AC-46B2-488C-B026-36DFC3AFFC0F}\HaloTray_1.exe C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e584255.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI45BE.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e584253.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI5391.tmp C:\Windows\system32\msiexec.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe N/A

Event Triggered Execution: Installer Packages

persistence privilege_escalation
Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\syswow64\MsiExec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E C:\Windows\system32\msiexec.exe N/A
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 C:\Windows\system32\msiexec.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CA647C912B64C8840B6263FD3CFACFF0 C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0 C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\Language = "2052" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\AdvertiseFlags = "388" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C0921AD850DC9B3489C424E569BE40D8\CA647C912B64C8840B6263FD3CFACFF0 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\Clients = 3a0000000000 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\PackageCode = "3518CA3F3B7A4E34EB634866B45CFAD7" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\DeploymentFlags = "3" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C0921AD850DC9B3489C424E569BE40D8 C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CA647C912B64C8840B6263FD3CFACFF0\MainFeature C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\Version = "136118272" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\Assignment = "1" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\Net C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\Media C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\Media\DiskPrompt = "[1]" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\ProductName = "Win64-爱思助手V8.29" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\InstanceType = "0" C:\Windows\system32\msiexec.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\AuthorizedLUAApp = "0" C:\Windows\system32\msiexec.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\PackageName = "i4.msi" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\Media\1 = ";" C:\Windows\system32\msiexec.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\system32\msiexec.exe N/A
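The Installer\Products, \Features and \UpgradeCodes key names above are the package's ProductCode and UpgradeCode GUIDs in the compressed ("squished") form Windows Installer uses for registry names. The script below is an added worked example, not part of the sandbox report: it converts between the two forms so the key CA647C912B64C8840B6263FD3CFACFF0 can be tied to the {19C746AC-46B2-488C-B026-36DFC3AFFC0F} cache directory and SourceHash file in the file events, and it derives the same on-disk and registry locations for any ProductCode. The identifiers are taken from this report; installer_artifacts() and its path layout are this example's own, modelled on the paths the report shows.

```python
import re

# Identifiers observed in this report (registry key names and C:\Windows\Installer paths).
PRODUCT_CODE = "{19C746AC-46B2-488C-B026-36DFC3AFFC0F}"
REGISTRY_PRODUCT_KEY = "CA647C912B64C8840B6263FD3CFACFF0"
REGISTRY_UPGRADE_KEY = "C0921AD850DC9B3489C424E569BE40D8"

_GUID_RE = re.compile(r"^\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-"
                      r"([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?$")

def _swap_pairs(s: str) -> str:
    """Reverse each 2-character group in place: 'B026' -> '0B62'."""
    return "".join(s[i:i + 2][::-1] for i in range(0, len(s), 2))

def squish_guid(guid: str) -> str:
    """{GUID} -> the 32-char name Windows Installer uses under HKCR\\Installer\\Products,
    \\Features and \\UpgradeCodes. Groups 1-3 are reversed whole; groups 4-5 byte-pair-wise."""
    m = _GUID_RE.match(guid)
    if not m:
        raise ValueError(f"not a GUID: {guid!r}")
    g1, g2, g3, g4, g5 = m.groups()
    return (g1[::-1] + g2[::-1] + g3[::-1] + _swap_pairs(g4) + _swap_pairs(g5)).upper()

def unsquish_guid(key: str) -> str:
    """Inverse of squish_guid: registry key name -> {GUID}."""
    if not re.fullmatch(r"[0-9A-Fa-f]{32}", key):
        raise ValueError(f"not a compressed GUID: {key!r}")
    k = key.upper()
    parts = (k[0:8][::-1], k[8:12][::-1], k[12:16][::-1],
             _swap_pairs(k[16:20]), _swap_pairs(k[20:32]))
    return "{%s-%s-%s-%s-%s}" % parts

def installer_artifacts(product_code: str) -> dict:
    """Where to look for a ProductCode on disk and in the registry.
    Example-specific helper; the layout follows the paths seen in this report."""
    key = squish_guid(product_code)
    return {
        "registry_product": r"HKLM\SOFTWARE\Classes\Installer\Products" + "\\" + key,
        "registry_features": r"HKLM\SOFTWARE\Classes\Installer\Features" + "\\" + key,
        "cache_dir": r"C:\Windows\Installer" + "\\" + product_code,
        "source_hash": r"C:\Windows\Installer\SourceHash" + product_code,
    }

if __name__ == "__main__":
    print("Products key :", squish_guid(PRODUCT_CODE))
    print("ProductCode  :", unsquish_guid(REGISTRY_PRODUCT_KEY))
    print("UpgradeCode  :", unsquish_guid(REGISTRY_UPGRADE_KEY))
    for name, path in installer_artifacts(PRODUCT_CODE).items():
        print(f"{name:18} {path}")
```

Running it against the report's values prints the ProductCode for the Products key and the UpgradeCode hidden behind C0921AD850DC9B3489C424E569BE40D8, which is what you search for in the SOFTWARE hive when checking whether an earlier or later build of the same package was installed on a host.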

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 228 wrote to memory of 920 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 228 wrote to memory of 920 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 228 wrote to memory of 920 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 228 wrote to memory of 1364 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 228 wrote to memory of 1364 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 228 wrote to memory of 1364 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 228 wrote to memory of 4636 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 228 wrote to memory of 4636 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 228 wrote to memory of 4268 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 228 wrote to memory of 4268 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 228 wrote to memory of 4268 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 228 wrote to memory of 4860 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 228 wrote to memory of 4860 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 228 wrote to memory of 4860 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1364 wrote to memory of 548 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe
PID 1364 wrote to memory of 548 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe
PID 1364 wrote to memory of 548 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe
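The WriteProcessMemory rows double as a process tree: the Installer service (PID 228) writes into each custom-action host it starts, and one of those hosts (PID 1364, the 32-bit MsiExec.exe) writes into TomatoWallPaper.exe under the user's AppData. The script below is an added example, not part of the report; it parses rows in the table's format, rebuilds the lineage and flags any process an msiexec.exe instance launched from outside System32/SysWOW64. The rows are copied from the table above; the trusted-directory rule is this example's own assumption.

```python
import re

# Rows copied from the "Suspicious use of WriteProcessMemory" table above.
# A sandbox logs one row per WriteProcessMemory call, so repeated pairs are normal
# (the parent fills in the child's startup data before it runs).
WPM_ROWS = r"""
PID 228 wrote to memory of 920 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 228 wrote to memory of 920 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 228 wrote to memory of 1364 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 228 wrote to memory of 4636 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 228 wrote to memory of 4268 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 228 wrote to memory of 4860 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1364 wrote to memory of 548 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe
"""

ROW_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \S+ (\S+) (\S+)")
# Assumption for this example: children the Installer starts from these two
# directories are Windows components; anything else is a candidate payload.
TRUSTED_PREFIXES = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")

def basename(path):
    return path.rsplit("\\", 1)[-1]

def parse_rows(text):
    """{(parent_pid, child_pid): (parent_image, child_image)}, one entry per pair."""
    edges = {}
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if m:
            ppid, cpid, pimg, cimg = m.groups()
            edges[(int(ppid), int(cpid))] = (pimg, cimg)
    return edges

def lineage(pid, edges):
    """Walk parent links back to the root; returns [(pid, image), ...] root-first."""
    parent_of = {c: p for (p, c) in edges}
    images = {}
    for (p, c), (pimg, cimg) in edges.items():
        images[p], images[c] = pimg, cimg
    chain = [pid]
    while chain[-1] in parent_of:
        chain.append(parent_of[chain[-1]])
    return [(p, images[p]) for p in reversed(chain)]

def untrusted_children(text):
    """Flag each process an msiexec.exe instance wrote into whose image lies outside
    System32/SysWOW64, reporting its lineage as 'name(pid) -> name(pid) -> ...'."""
    edges = parse_rows(text)
    hits = []
    for (ppid, cpid), (pimg, cimg) in edges.items():
        if basename(pimg).lower() == "msiexec.exe" and not cimg.lower().startswith(TRUSTED_PREFIXES):
            hits.append(" -> ".join(f"{basename(img)}({p})" for p, img in lineage(cpid, edges)))
    return hits

if __name__ == "__main__":
    for h in untrusted_children(WPM_ROWS):
        print("dropped-binary lineage:", h)
```

On the report's rows this yields a single chain, msiexec.exe(228) -> MsiExec.exe(1364) -> TomatoWallPaper.exe(548), which is the path to pivot on in EDR telemetry: the 32-bit MsiExec.exe custom-action server, not the service itself, is the direct parent of the dropped binary.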

Uses Volume Shadow Copy service COM API

ransomware

Note: in this run the VSS activity is consistent with the Windows Installer's own restore-point creation (vssvc.exe and srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 in the process list below, and the vssvc.exe writes under the SCSI Device Parameters key above). The report records no shadow-copy deletion, so the ransomware tag here is a generic signature match rather than evidence of that behaviour.

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\i4.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding F474873D03CBB462AC3882A4F19375FD U

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 29FB2D488B911C2B813DE344086DEC42 C

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 6B809AC1C5C17B92D19E22EC806D18C0

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding A66CAFD8953347DF3F4F41FA2A5DA727 E Global\MSI0000

C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe

"C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe" -skin_ui

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 57.110.18.2.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 24.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 collect.installeranalytics.com udp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 8.8.8.8:53 28.53.210.3.in-addr.arpa udp
US 8.8.8.8:53 96.23.32.13.in-addr.arpa udp
US 8.8.8.8:53 64.39.245.18.in-addr.arpa udp
US 8.8.8.8:53 ocsp.r2m02.amazontrust.com udp
DE 13.32.26.76:80 ocsp.r2m02.amazontrust.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 8.8.8.8:53 76.26.32.13.in-addr.arpa udp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
HK 45.125.49.4:27777 tcp
US 8.8.8.8:53 4.49.125.45.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
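Most of the Network table is the sandbox's own reverse-DNS lookups and the installer's analytics beacons; the row that matters is the one with no domain, 45.125.49.4:27777, a direct-to-IP connection on a non-standard port. The script below is an added example, not part of the report; it parses rows in the table's format, separates PTR noise from real connections, counts per endpoint and flags direct-IP or unusual-port traffic, also noting when the sandbox's PTR lookup for that IP appears. The rows are a subset copied from the table above (the 61 identical collect.installeranalytics.com rows are represented by three); the "well-known port" rule is this example's own assumption.

```python
import re
from collections import Counter

# Rows copied from the Network table above (subset; the repeated
# collect.installeranalytics.com:443 rows are represented by three).
NET_ROWS = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 collect.installeranalytics.com udp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 8.8.8.8:53 ocsp.r2m02.amazontrust.com udp
DE 13.32.26.76:80 ocsp.r2m02.amazontrust.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
US 3.210.53.28:443 collect.installeranalytics.com tcp
HK 45.125.49.4:27777 tcp
US 8.8.8.8:53 4.49.125.45.in-addr.arpa udp
"""

# Country, ip:port, optional domain, proto. The domain is absent for direct-IP rows.
ROW_RE = re.compile(r"^([A-Z]{2}) (\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?: (\S+))? (tcp|udp)$")
WELL_KNOWN = {80: "http", 443: "https"}   # example assumption: ports treated as routine

def parse_net(text):
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line)
        if m:
            cc, ip, port, domain, proto = m.groups()
            rows.append({"cc": cc, "ip": ip, "port": int(port), "domain": domain, "proto": proto})
    return rows

def ptr_name(ip):
    """Reverse-DNS name for an IPv4 address: 45.125.49.4 -> 4.49.125.45.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"

def classify(row):
    if row["port"] == 53 and row["proto"] == "udp":
        return "ptr-lookup" if (row["domain"] or "").endswith(".in-addr.arpa") else "dns-query"
    if row["domain"] is None:
        return "direct-ip"            # connection with no resolved name behind it
    return WELL_KNOWN.get(row["port"], "other")

def triage(text):
    """Return (Counter over (kind, endpoint), list of flagged connections).
    Flagged: direct-to-IP connections and connections to ports outside WELL_KNOWN."""
    rows = parse_net(text)
    ptr_seen = {r["domain"] for r in rows if classify(r) == "ptr-lookup"}
    counts, flagged = Counter(), []
    for r in rows:
        kind = classify(r)
        endpoint = f'{r["domain"] or r["ip"]}:{r["port"]}'
        counts[(kind, endpoint)] += 1
        if kind in ("direct-ip", "other"):
            tag = " (PTR looked up)" if ptr_name(r["ip"]) in ptr_seen else ""
            flagged.append(f'{r["cc"]} {r["ip"]}:{r["port"]}/{r["proto"]}{tag}')
    return counts, flagged

if __name__ == "__main__":
    counts, flagged = triage(NET_ROWS)
    for (kind, endpoint), n in sorted(counts.items()):
        print(f"{n:3d}  {kind:11} {endpoint}")
    print("flagged:", flagged)
```

The PTR lookups are generated by the sandbox resolving the addresses it saw, not by the sample, so they are useful only as confirmation that a connection happened; the flagged 45.125.49.4:27777 line is the candidate C2 indicator to carry into blocklists and retro-hunts, while the analytics and OCSP traffic can be attributed to the installer framework files listed under Files.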

Files

C:\Users\Admin\AppData\Local\Temp\MSI27708\embeddeduiproxy.dll

MD5 6671824509f40eb0ddb8fad2a2c66886
SHA1 ab8e4380b5f0d104476793351334631e2fa6054f
SHA256 8ffa276ce0b7ceb444d1a1e898d80a46b87c5f506655f49c94b39f0a7581092f
SHA512 3b7570deeb144ead27165791c5a6eb3ab813fe19834ccb311c09aee04ab94a1fb08bae4236e5bacd02f62092689eac3292bef80a77933600cb0e3b70738b9258

C:\Users\Admin\AppData\Local\Temp\MSI27708\InstallerAnalytics.dll

MD5 806e65956064190d6154d5de5cc96a5e
SHA1 f2fa1b10dec6f4166b79e710d81147c9028c4198
SHA256 17f79990c5455ac18abbca13fcd8f8584518881487f9fedcbd7cbbdbe003c6f8
SHA512 ae72ec2fe5895ca5e9e44b6c5e677356f9b7ba342d686a59be42b16027013d4b7c8c83ed0530705d792ac7b5881d10ec72dff546c2ee3c1452372d363501c62f

C:\Users\Admin\AppData\Local\Temp\MSICF17.tmp

MD5 89f70b588a48793450dd603b6cd4096f
SHA1 9b6509c031856c715d62853c4e93efbdf48d5aeb
SHA256 066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281
SHA512 fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\tracking.ini

MD5 ec95bcb6aeb25808d7b7b7816f7be13b
SHA1 6bfeb0825e8b4304e5e1643e82a318adf0581eec
SHA256 8edf77b7abe55db55a4a12bd44bd5f68cedf260832ab0d51b34c0229003dd147
SHA512 695017054ed58c421f36a6ba5e5e7e8cd067718c0c13e320e7722846027e86fe78e2ac838cd97546bc054ded75e30d4a812575f281471e8e3a878fe977407d46

C:\Users\Admin\AppData\Local\Temp\MSID363.tmp

MD5 58c6476771f68f57661d0f6533cb70ef
SHA1 8080de39939f0a8f1e0c529cca30bf38b0e6abf2
SHA256 7eb240ef6e75de05b2a199bc55fdc8d13f467d5b4e58457011653312fffcc65f
SHA512 2b4b4e4466a7eea2d28631a80f257ced0a7263aa81c945105b793371534580dff1b66779bab36b9157b596c352c234a19c568e105faa1ba8681aa39feb5950c5

C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{9909CAF2-0304-4620-B614-94718060D820}.session

MD5 42b35754de0de0a94d1c7043917ec717
SHA1 fcfb33889a7e51a3cfd52fe85f2b87f11308fe54
SHA256 ca24ad8e80eaa6797b4dd71ec72e29759624f3ad81a97a2642a0e26865687992
SHA512 635cd32c5c0965f3e73206e6b601f3bf88b958e7dc0cec66dd165f03a18eb52b73a00c73ac5e61b5bd1db1d3e7973737266fc99345fe34ace8b097ab7286f02f

C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{9909CAF2-0304-4620-B614-94718060D820}.session

MD5 83003ac1cdb306f26f80f65fe529e7f4
SHA1 da31ea9acbc284a547c0b6aa8ccaf66a0891e222
SHA256 d5b56129d3e4ce53a4fab28a9932b299e5e5a27cd903835ee86dee7eeccd5ce1
SHA512 ba0aa02076dd1fb4fb1a32e8944254069eda38e9796206ac4e5f2f1ccfbe43d27da8b4453f2a98dcfcea60549726a6ef060e10135e4011fe36f885c182a09e80

C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{9909CAF2-0304-4620-B614-94718060D820}.session

MD5 151254b9ce0a2013b43f774819aea0d8
SHA1 26301ec08636e2362151a0e4c8682b930be491d4
SHA256 32bfebbd6361f15ce0a5c22e606f066c7485b233fb11d0857bdaac5c81e3a58f
SHA512 15c15b4ea94180f50bee13240b9687c451eb0280aa3c041e28865e441132a33ec3ded0017587c01453c24c2a87c00436b47231627e1ed44703db016cb32e6c18

C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{9909CAF2-0304-4620-B614-94718060D820}.session

MD5 8d068d65054022ad94906bfbf99de622
SHA1 bf4968d0ad6e0cd44185dd3c4ede231ad50044ab
SHA256 dfc0908dbdaf485b5e9a5b6b839fd026a5d27d0bad386f2fb0721ce1d20b0735
SHA512 63ebce2d1d2ae44538c235afa022b1274bee6a25c4a95c68e944b85a0e59f0f86bedbca68247a4db16d80f8a42027a5b3ce76b88e7088cb0aacf23422de392bc

C:\Windows\Installer\MSI5391.tmp

MD5 17209841138816c79e9d11c0d61ecba1
SHA1 362a1bbb99d2900b3b4abae1f3ac848d7adb76eb
SHA256 d695712b3d54481af4c01bf7604443c7ac9ee5728671049562de35b76fae0a19
SHA512 a0ecc7a2d8102d05b10cab4064469176879340aea99dbb05e77777755fb2eb87abef00e7cb6148a83e0411d22916f1453789acdb3babe367d25a253d8fafd95d

C:\Users\Admin\AppData\Local\cache\devices_table\iPhone14Pro.svg

MD5 77cb737208ff7f38f85efb31f6482be3
SHA1 5a11798b21d406c4a642c546d3da9f7a07f4c436
SHA256 cbb1b92b25021deae953793e911d417ca87814b7c3ae3a89f614266c35a4d886
SHA512 78cfddd3a71e0c22d75c8c67e0153c3b625d0672ba98af8b76f169286f6655d0175bcc93dee2d8c740bb4ac73bf1e3110ee9d49590767ff2a8b2496ee4b3a9da

\??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b8821804-5faa-4bdf-ba52-d694a32e5f7d}_OnDiskSnapshotProp

MD5 26d35da6456520a1cb4eaad8b0145b15
SHA1 ec452e7dcc509c3e0715a6068ab0c79be1edcecc
SHA256 6d1c4f659a0b906636d1ff8f923d71f1be0b2ea55b4baef3624fe3c9d36b53bb
SHA512 792e02273d44051e0e7c8315d03c1a2c94771753134bdd170a5ac391c6c50c73d50069e241bd5aab764b1319cbbcb35377951e2f8ef87d27d79f4a820e8c8750

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 1d70999a7d92435ce6e8f668d785ebaf
SHA1 36f03b92b722911a08ddb502e4a63b431fd5ce76
SHA256 83b567bb2634c46867bb2740d7f1e554ca062a1f79a46ad024dd96789d3043b3
SHA512 b8dae108e19be5ead5a03ff246fb098a0dd93398476d4bac2d6c874b63d52c694471e91963026ef911887f0ebd7a9680c386ab648399d760c587a4c325796ce7

C:\Users\Public\Desktop\爱思助手8.0.lnk

MD5 b5f3833264d709102e7eb6433bd07f57
SHA1 6fd8cec45816cdfbbbcb887c3844ee5e62e78faa
SHA256 099c1c4ef2d2484cb64ee9727d7ca6761660265d8d483886d3ea591f567d001c
SHA512 3357c9014acb3eee25f041d6b78448f64e7eb2f6bd25e4b06dd1294cf46ac8ba541c863a3f40019276586b6ea54629ad1bb95e4b89b11552c005255bb41926cb

C:\Users\Public\Desktop\爱思助手8.0.lnk~RFe587162.TMP

MD5 dce769d17de2f705608a35edee66dbd7
SHA1 3954ceb5dfdc34187872e025f0e10d9d1f74cea7
SHA256 b6b9a35a295f457d842f8b138828cda90f6e0ff1a383b6541ba63aa10ac3007f
SHA512 f71e6dfb969cb77161b09fa0e61916ba4086c641bddc68853e9ac5b4c04651779cb7b99ff0183fd566b5066d452e4af5a49344234db9ecc9ed8ecf82ac6b5a11

C:\Users\Admin\AppData\Local\HaloTray.exe

MD5 be482d41d38c6a6691010e58fb8e1876
SHA1 06b0e9638874d716c028d5fc38fa7edf349575e9
SHA256 e26eff452d61191588add27666ea8e0377bd0927ac8d327cee16b820633aba81
SHA512 99f46c4918effa367ab96497f143661826fb8f7e8ddfc30502cf69e2438ad6146b0d56c74d9d57116c2193c5637f98dbf782ea950bcf19b46d280a15a1c90ba8

C:\Config.Msi\e584254.rbs

MD5 d21e393f4c43d0b93a025f90f6ff093c
SHA1 6168af81cbac5247d3010ea6094a5e60d4f25382
SHA256 c44d827b05b65791e0eccc3b8294acde16f2fddcd96f45c894c941bfca4d630a
SHA512 18698f0d5871596882e27a7f28cb5a7920c81f04d0196788b744e54f32a2c062822143225e97ebbca587f5d9b2d1909dd447d98f71d45ef54cdfcb7341220903

C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{9909CAF2-0304-4620-B614-94718060D820}.session

MD5 4e5597da7a83d458ed1586c09a30817e
SHA1 29ba95875b2bc02b2caaca76771574ede5795793
SHA256 3fda8751411748747c9b5f1efa77dde2b9e14849bb140ec4a999d10b2e6968be
SHA512 19e9ca986b3a9478e6658c02d7a861111494f832305e6cce83d629ddccee4ad1134577db07c3608a0eb5ecded2f2e1ddce3d0098084d71b0b615f5e5c330dcdf

C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe

MD5 cc6c4bfd3c92394b968e6026ef40e51a
SHA1 cb6e3548cf53b5bf102eefbb51abdafdfe634946
SHA256 6dcd14a0e77bc3db07aa2899c59d6024e2092e2f51c37856b884c54f32e85131
SHA512 1a86b80422952cf8d903fdb9bcfdec0957e77d67540ac96932498336b44b073acac2a9fec6486f7e61e844d573dc5cf71e53eb0fdca4bf9d13f49c84385cdff1

C:\Users\Admin\AppData\Local\Bin\stardict-editor.dll

MD5 75b7eff9a94923767ea1ac13cb945d14
SHA1 76b7fad58f04904c46ccfae6882fdacef8326cd7
SHA256 051bbfc721ef023bd4173eb620c680ca92e3493ba48fb010fa2570f331dbf3a8
SHA512 59f501621397c9c33d8a589a439df882fd416fc3edb12e64b9e24d70d89052658f4aecafc589cfe613210367d7e8a1c34be6c482df214367c288eb001989dac0

memory/548-833-0x0000000000A60000-0x0000000000A61000-memory.dmp

memory/548-834-0x0000000000A70000-0x0000000000A71000-memory.dmp

memory/548-835-0x0000000000A80000-0x0000000000A81000-memory.dmp

memory/548-836-0x0000000002550000-0x0000000002551000-memory.dmp

memory/548-837-0x0000000002560000-0x0000000002561000-memory.dmp

memory/548-839-0x0000000002580000-0x0000000002581000-memory.dmp

memory/548-838-0x0000000002570000-0x0000000002571000-memory.dmp

memory/548-840-0x0000000002590000-0x0000000002591000-memory.dmp

memory/548-841-0x0000000010000000-0x0000000011C53000-memory.dmp

C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\tracking.ini

MD5 e50bff99eaa23b46eb1dfb53305ee668
SHA1 35c732e9ab3e61b82035c4fda2e730770c7f554a
SHA256 29af58b2c7130e0af68aae6fd2ce219bdf33d1728d6081e9436c31f2eebe30d2
SHA512 73ee0b15f71a949ed80b22bea16b3b6f14f82d93d3a51db80fc17cc9bd216eff4dad4e32b3928f55412b33ad6c4da3d65522087d06eaa354b9477a7571321890

C:\Users\Admin\AppData\Local\Bin\config.ini

MD5 83b15cb203aa5d3f8db433708d9aee71
SHA1 4a2207c1e6b092f78802740342e5c0a5807bbda1
SHA256 41e87dbb9b716c5c760c92b74fec2b7a9d1473d34b182272ee81d212ec4c2a2c
SHA512 b717553a2ea09d6f9730f01602d0f16608356a8486b94b8db1fe2a1980bf0a2a3b0a14f57c412791fe564c2e222de25f13daa517327be28af22f0d31ef91fcea

C:\Users\Admin\AppData\Local\Bin\res\theme\azure.she

MD5 636f6a2c1521c82a3a503be1f3f6210f
SHA1 68410eefac45eef85465db572db78362bbc16208
SHA256 3835bd02c8f252236b41ca94bf69a034e6abd34daf44dbc7d4e2d074ddeca7fd
SHA512 5904bf6054c6c07355b0121c54559aaba6a0833286b0811aca30dcdf06f1447c4ed845c6176e6ee881dd815043d584d0259d382d9f2e0993a8bc89354ca5d872

C:\Users\Admin\AppData\Local\Bin\res\theme\purple.she

MD5 99210799292be3af0d97fa8adbe7bf11
SHA1 afb7d83cb013fbad4df9c51bbc7e0d13074d3336
SHA256 b860cc992c20d581dff09c6e1d50306dfd9c7638990fdc8fc7b311d54872bd0d
SHA512 b584fef2178e28b1963d5d8c8df5217720b843d17fb7f17a7f53b313ca1095c30800d1a933beead1438239a1b33055674cfea72d9091b14f7cd879ec02c4e3b1

memory/548-872-0x0000000002B80000-0x0000000003495000-memory.dmp

memory/548-881-0x0000000004840000-0x0000000004A62000-memory.dmp

memory/548-890-0x0000000004840000-0x0000000004A62000-memory.dmp

memory/548-899-0x0000000003740000-0x0000000003898000-memory.dmp

memory/548-898-0x0000000004840000-0x0000000004A62000-memory.dmp

memory/548-897-0x0000000004840000-0x0000000004A62000-memory.dmp

memory/548-896-0x0000000004840000-0x0000000004A62000-memory.dmp

memory/548-894-0x0000000004840000-0x0000000004A62000-memory.dmp

memory/548-893-0x0000000004840000-0x0000000004A62000-memory.dmp

memory/548-892-0x0000000004840000-0x0000000004A62000-memory.dmp

memory/548-891-0x0000000004840000-0x0000000004A62000-memory.dmp

memory/548-889-0x0000000004840000-0x0000000004A62000-memory.dmp

memory/548-888-0x0000000004840000-0x0000000004A62000-memory.dmp

memory/548-887-0x0000000004840000-0x0000000004A62000-memory.dmp

memory/548-886-0x0000000004840000-0x0000000004A62000-memory.dmp

memory/548-885-0x0000000004840000-0x0000000004A62000-memory.dmp

memory/548-884-0x0000000004840000-0x0000000004A62000-memory.dmp

memory/548-883-0x0000000004840000-0x0000000004A62000-memory.dmp

memory/548-882-0x0000000004840000-0x0000000004A62000-memory.dmp

memory/548-880-0x0000000004840000-0x0000000004A62000-memory.dmp

memory/548-895-0x0000000004840000-0x0000000004A62000-memory.dmp

memory/548-901-0x0000000006300000-0x0000000006327000-memory.dmp

C:\Users\Admin\AppData\Roaming\config.ini

MD5 ee1a600c8079bfc88f139aa52c27347d
SHA1 c478aecf481344867822c2bb3111c2b40c1d9d5c
SHA256 9ff6a379ac980293b8d485b3a7bb1b0ed332b73886ca1d531097d73aa4d05681
SHA512 bf0d4af18be0cfb16a951f156025399ef08b99408243f8d83473594e5959a32c290fa45dac4af468f74b9cebb7025d04d08b82d30848a0c50b39fc3ed945673a

C:\Users\Admin\AppData\Local\Bin\VCRUNTIME140.dll

MD5 d0520569180accd7e17ed9697711d6ec
SHA1 46cb7e2db7efda70b9a5b75b2fe0bb6038499008
SHA256 13026df002b3575564f32927b7f791d59b4cc571f30ccc28075c4edb4afef67c
SHA512 86e96f5648d714914469a576693a656390291a547ea9dd5903c85853ac63c68f69129e54f95e5fc7aec781b883232ffaf0d5a536302226f4243d1f2e517e2034

memory/548-904-0x0000000003740000-0x0000000003898000-memory.dmp