Analysis Overview
SHA256
7f7abbdbd82cc7e2142636e764b13547bd1e309221693a9e3d1ceab5299c0af6
Threat Level: Known bad
The file i4.msi.vir was found to be: Known bad.
Malicious Activity Summary
Detect Blackmoon payload
Blackmoon, KrBanker
Blackmoon family
Blocklisted process makes network request
Enumerates connected drives
Suspicious use of NtSetInformationThreadHideFromDebugger
Executes dropped EXE
Loads dropped DLL
Drops file in Windows directory
Event Triggered Execution: Installer Packages
System Location Discovery: System Language Discovery
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-19 04:08
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-19 04:06
Reported
2024-11-19 04:11
Platform
win7-20241023-en
Max time kernel
122s
Max time network
144s
Command Line
Signatures
Blocklisted process makes network request
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\i4.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding ADA5DEC938DB1551A485271CE629C44D U
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C1A7C0D015CF24D9BA8CFC5C2A7186B6 C
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | collect.installeranalytics.com | udp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 8.8.8.8:53 | ocsp.r2m02.amazontrust.com | udp |
| DE | 13.32.26.76:80 | ocsp.r2m02.amazontrust.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
Files
\Users\Admin\AppData\Local\Temp\MSI27698\embeddeduiproxy.dll
| MD5 | 6671824509f40eb0ddb8fad2a2c66886 |
| SHA1 | ab8e4380b5f0d104476793351334631e2fa6054f |
| SHA256 | 8ffa276ce0b7ceb444d1a1e898d80a46b87c5f506655f49c94b39f0a7581092f |
| SHA512 | 3b7570deeb144ead27165791c5a6eb3ab813fe19834ccb311c09aee04ab94a1fb08bae4236e5bacd02f62092689eac3292bef80a77933600cb0e3b70738b9258 |
\Users\Admin\AppData\Local\Temp\MSI27698\InstallerAnalytics.dll
| MD5 | 806e65956064190d6154d5de5cc96a5e |
| SHA1 | f2fa1b10dec6f4166b79e710d81147c9028c4198 |
| SHA256 | 17f79990c5455ac18abbca13fcd8f8584518881487f9fedcbd7cbbdbe003c6f8 |
| SHA512 | ae72ec2fe5895ca5e9e44b6c5e677356f9b7ba342d686a59be42b16027013d4b7c8c83ed0530705d792ac7b5881d10ec72dff546c2ee3c1452372d363501c62f |
C:\Users\Admin\AppData\Local\Temp\MSIACA.tmp
| MD5 | 89f70b588a48793450dd603b6cd4096f |
| SHA1 | 9b6509c031856c715d62853c4e93efbdf48d5aeb |
| SHA256 | 066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281 |
| SHA512 | fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a |
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\tracking.ini
| MD5 | e7b1669a13b5a37a7fe9c0c0837693b3 |
| SHA1 | c1e19a48e49e89f5cc1cea57e7350af1df537ba3 |
| SHA256 | f8bc58f64d6d7467891f750fcd6b3eda3b7d0c72974a7c371e14781d73247685 |
| SHA512 | caaef631902e79cb964467cebc7370d9ddb3f8332de4908349be7eb66611de0bfe06b5e6124a3ae878906e646b6e5157237fa25d9de463418e12a2ed83f0132f |
C:\Users\Admin\AppData\Local\Temp\MSIDEA.tmp
| MD5 | 58c6476771f68f57661d0f6533cb70ef |
| SHA1 | 8080de39939f0a8f1e0c529cca30bf38b0e6abf2 |
| SHA256 | 7eb240ef6e75de05b2a199bc55fdc8d13f467d5b4e58457011653312fffcc65f |
| SHA512 | 2b4b4e4466a7eea2d28631a80f257ced0a7263aa81c945105b793371534580dff1b66779bab36b9157b596c352c234a19c568e105faa1ba8681aa39feb5950c5 |
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{F3BF71FA-708A-4A6C-B5AB-B8317B068282}.session
| MD5 | a4a202cbf1dea4b063414801a26b47b4 |
| SHA1 | b3dd59496028039392438ab32544202cb2459f95 |
| SHA256 | 5f3eb0d0e630ced64d7006fcea373e8ed5fa33aedf6cf903d60f4977a7161681 |
| SHA512 | 66be3a25bc2d4982a32d88ddd580756b2fdb56a2c2423019b868ecc2c8c9a62d0b2a4e39616480b372e3f6325ca4a12f2e80385faeb44f4fe9b991b7d4418cf7 |
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{F3BF71FA-708A-4A6C-B5AB-B8317B068282}.session
| MD5 | c6d312c69afbe4a25ff1e1f22c464bb5 |
| SHA1 | 13dafe1f25a7fcf43d4b1ddcea46d5892bcf0926 |
| SHA256 | 1a23c5f6456859b40c23ee3a5e9fcb1c7e7d9a142e3044e0ccb7cacf6c9a0f2e |
| SHA512 | 39ed19b741ee4a22c0a07bf52683f3704374b3f71835f7a621b326c6fb80dbd107911413d626d8aa8ef8e37f44b809a00721d633507af6cff6a3b023870c14b9 |
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{F3BF71FA-708A-4A6C-B5AB-B8317B068282}.session
| MD5 | 0d21901475a17d5a64c1a409fe101ebf |
| SHA1 | 1f038bd771d07a260ce97748dc38b90169b75980 |
| SHA256 | 9a0a96f4aa48ab033333dd8b6cdddbea9b736f735d3684f210d70243364d86ae |
| SHA512 | 97d612e3fa810b8a90a02efa6ae1dda21fd94a696c65b2ecc5f30c59f38db51688f491a7e4aaf235e534987138bf577694e7b4a64c594b48165a354a3398340b |
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\tracking.ini
| MD5 | 9eae3db1b68a671c37d05767c61541b0 |
| SHA1 | 069533983193ce659e58e397951688c7b018da5f |
| SHA256 | b4191f28c6dff17c8419efb8730b96ef30bb912c179d4690e73fff8fc6fb4982 |
| SHA512 | 19c6e5a5860f63448291b5584ef6bb0be128dd451e8198a30a5815030e1ce6460cbde7d5341cbac5b1f271f7b3825b19d6f333a582e97656ae1029683be48e3e |
C:\Users\Admin\AppData\Local\Temp\Cab714B.tmp
| MD5 | 49aebf8cbd62d92ac215b2923fb1b9f5 |
| SHA1 | 1723be06719828dda65ad804298d0431f6aff976 |
| SHA256 | b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f |
| SHA512 | bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b |
C:\Users\Admin\AppData\Local\Temp\Tar717D.tmp
| MD5 | 4ea6026cf93ec6338144661bf1202cd1 |
| SHA1 | a1dec9044f750ad887935a01430bf49322fbdcb7 |
| SHA256 | 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8 |
| SHA512 | 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 9dde46e2217f1b0bb19c070ab033aa01 |
| SHA1 | 0170deaa43c37178715372e68eab4b1dbb035dcc |
| SHA256 | 120e8cb04a322ad6ad7337fecf71b9d1345e4f03e4cbafcef9c2229a428ea954 |
| SHA512 | e31e75f918afc93192e988c0ce76379532fabb29adbc67cc7f74f80029364b14a784538dbb27962a18d93dd4cd1e646f28754b554ae3813cbd730706131bab8c |
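The Network and Files tables above repeat one endpoint dozens of times and spread each dropped file over five lines. The script below is an added example (not part of this report or of the sandbox vendor's tooling) that parses those pipe-delimited rows into a deduplicated indicator set. The sample rows are copied from the behavioral1 tables; the allow-list of resolver, OCSP and Microsoft traffic is an analyst assumption for triage, not something the report states. Note that the AdvinstAnalytics directory and InstallerAnalytics.dll are consistent with the Advanced Installer analytics feature, so the collect.installeranalytics.com traffic is installer telemetry rather than evidence of a command channel on its own.

```python
"""Reduce the Network and Files tables of a sandbox report like the one above
to a deduplicated indicator set an analyst can act on.

Added example, not part of the report or of the sandbox vendor's tooling.
The sample rows are copied from the behavioral1 tables above; the
BENIGN_INFRA allow-list and the 8.8.8.8 resolver exclusion are analyst
assumptions for triage, not facts the report states.
"""
from collections import Counter

# Rows copied verbatim from the behavioral1 Network table (a subset).
NETWORK_ROWS = """\
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | collect.installeranalytics.com | udp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 8.8.8.8:53 | ocsp.r2m02.amazontrust.com | udp |
| DE | 13.32.26.76:80 | ocsp.r2m02.amazontrust.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 44.219.104.77:443 | collect.installeranalytics.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| GB | 95.100.245.144:80 | www.microsoft.com | tcp |
"""

# Rows copied verbatim from the behavioral1 Files table (a subset).
FILE_ROWS = r"""
\Users\Admin\AppData\Local\Temp\MSI27698\InstallerAnalytics.dll
| MD5 | 806e65956064190d6154d5de5cc96a5e |
| SHA1 | f2fa1b10dec6f4166b79e710d81147c9028c4198 |
| SHA256 | 17f79990c5455ac18abbca13fcd8f8584518881487f9fedcbd7cbbdbe003c6f8 |
C:\Users\Admin\AppData\Local\Temp\MSIACA.tmp
| MD5 | 89f70b588a48793450dd603b6cd4096f |
| SHA256 | 066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281 |
"""

# Assumption: infrastructure the sandbox itself or the OS contacts during any
# install (the sandbox's DNS resolver, certificate revocation checks, Microsoft).
SANDBOX_RESOLVER = "8.8.8.8"
BENIGN_INFRA = {"ocsp.r2m02.amazontrust.com", "www.microsoft.com"}


def parse_pipe_row(line):
    """Return the cells of a '| a | b |' row, or None for a non-table line."""
    line = line.strip()
    if len(line) < 2 or not (line.startswith("|") and line.endswith("|")):
        return None
    return [cell.strip() for cell in line[1:-1].split("|")]


def parse_network(text):
    """Parse Network rows into dicts; the header row is skipped."""
    conns = []
    for line in text.splitlines():
        cells = parse_pipe_row(line)
        if not cells or len(cells) != 4 or cells[0] == "Country":
            continue
        country, dest, domain, proto = cells
        ip, port = dest.rsplit(":", 1)
        conns.append({"country": country, "ip": ip, "port": int(port),
                      "domain": domain, "proto": proto})
    return conns


def parse_files(text):
    """Parse Files entries: a path line followed by '| ALGO | hex |' rows."""
    files, current = {}, None
    for line in text.splitlines():
        cells = parse_pipe_row(line)
        if cells is None:
            if line.strip():
                current = line.strip()
                files[current] = {}
        elif current is not None and len(cells) == 2:
            files[current][cells[0].lower()] = cells[1].lower()
    return files


def endpoint_counts(conns):
    """Collapse repeated rows into (domain, ip, port, proto) -> connection count."""
    return Counter((c["domain"], c["ip"], c["port"], c["proto"]) for c in conns)


def extract_iocs(conns, files):
    """Indicators left after removing resolver traffic and allow-listed hosts."""
    domains = sorted({c["domain"] for c in conns} - BENIGN_INFRA)
    ips = sorted({c["ip"] for c in conns
                  if c["ip"] != SANDBOX_RESOLVER and c["domain"] not in BENIGN_INFRA})
    sha256s = sorted(h["sha256"] for h in files.values() if "sha256" in h)
    return {"domains": domains, "ips": ips, "sha256": sha256s}


if __name__ == "__main__":
    conns = parse_network(NETWORK_ROWS)
    for key, n in endpoint_counts(conns).most_common():
        print("%3d  %s" % (n, key))
    print(extract_iocs(conns, parse_files(FILE_ROWS)))
```

Paste the full tables from the report into NETWORK_ROWS and FILE_ROWS to get the complete set; the hash rows are lower-cased so they match whatever case your blocklist uses.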
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-19 04:06
Reported
2024-11-19 04:11
Platform
win10v2004-20241007-en
Max time kernel
141s
Max time network
155s
Command Line
Signatures
Blackmoon family
Blackmoon, KrBanker
Detect Blackmoon payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\MSI4823.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4A18.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI514E.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI718B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e584253.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4A96.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{19C746AC-46B2-488C-B026-36DFC3AFFC0F} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI544D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\{19C746AC-46B2-488C-B026-36DFC3AFFC0F}\HaloTray_1.exe | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4708.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI4795.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\{19C746AC-46B2-488C-B026-36DFC3AFFC0F}\HaloTray_1.exe | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e584255.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI45BE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e584253.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI5391.tmp | C:\Windows\system32\msiexec.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe | N/A |
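Two of the signatures above describe normal Windows Installer behaviour rather than anything specific to this sample: the installer service (msiexec /V) opens every drive letter A: to Z: while costing the install, and it runs as LocalSystem with the full privilege set, which is why the AdjustPrivilegeToken list is so long. The discriminating signals in this detonation are a dropped EXE executed from the user profile (TomatoWallPaper.exe under AppData\Local\Bin) and that EXE calling NtSetInformationThread with ThreadHideFromDebugger. The following is an added example, not part of the report, of process-creation detection logic for that pattern, run over constructed Sysmon-style events. Field names follow Sysmon Event ID 1; the events are built from paths and command lines in the report, and because the report does not show which process started TomatoWallPaper.exe, the msiexec parent in the last event is an assumption.

```python
"""Process-creation detection logic for the behaviour flagged above, run over
constructed Sysmon-style events.

Added example, not part of the report. Event field names follow Sysmon Event
ID 1 (Image, ParentImage, CommandLine); the events themselves are constructed
for this demonstration using paths and command lines from the report. The
report does not show which process started TomatoWallPaper.exe, so the
msiexec parent in the last event is an assumption.
"""
import re

SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\system32\msiexec.exe",
     "CommandLine": r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\i4.msi",
     "ParentImage": r"C:\Windows\explorer.exe"},          # parent assumed
    {"Image": r"C:\Windows\system32\msiexec.exe",
     "CommandLine": r"C:\Windows\system32\msiexec.exe /V",
     "ParentImage": r"C:\Windows\system32\services.exe"},  # installer service
    {"Image": r"C:\Windows\syswow64\MsiExec.exe",
     "CommandLine": r"C:\Windows\syswow64\MsiExec.exe -Embedding ADA5DEC938DB1551A485271CE629C44D U",
     "ParentImage": r"C:\Windows\system32\msiexec.exe"},   # custom-action server
    {"Image": r"C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe",
     "CommandLine": r"C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe",
     "ParentImage": r"C:\Windows\system32\msiexec.exe"},   # parent assumed
]

MSIEXEC_RE = re.compile(r"\\msiexec\.exe$", re.IGNORECASE)
USER_PROFILE_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)
TEMP_MSI_RE = re.compile(r"\s/i\s+\S*\\temp\\\S+\.msi\b", re.IGNORECASE)
# Directories where msiexec is expected to launch children from (assumption).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")


def evaluate(event):
    """Return a list of (severity, reason) findings for one process-creation event."""
    image = event["Image"].lower()
    parent = event["ParentImage"].lower()
    findings = []

    # Rule 1: the installer service spawned something that is not another
    # msiexec (the -Embedding custom-action server) and lives outside the
    # trusted program directories. A user-profile location is the strongest form.
    if MSIEXEC_RE.search(parent) and not MSIEXEC_RE.search(image) \
            and not image.startswith(TRUSTED_PREFIXES):
        severity = "high" if USER_PROFILE_RE.match(image) else "medium"
        findings.append((severity,
                         "msiexec launched executable outside Windows/Program Files: " + event["Image"]))

    # Rule 2: a package installed straight out of a Temp directory; on its own
    # this is low value (many legitimate installers do it) but it is useful context.
    if MSIEXEC_RE.search(image) and TEMP_MSI_RE.search(event["CommandLine"]):
        findings.append(("info", "MSI package installed from a Temp directory"))
    return findings


def scan(events):
    """Evaluate every event; return [(event_index, severity, reason), ...]."""
    return [(i, sev, why) for i, ev in enumerate(events) for sev, why in evaluate(ev)]


if __name__ == "__main__":
    for idx, sev, why in scan(SAMPLE_EVENTS):
        print("[%s] event %d: %s" % (sev.upper(), idx, why))
```

The msiexec-to-msiexec exclusion matters: every MSI with custom actions spawns the `-Embedding` server seen in the process list, so without it the rule fires on every install.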
Loads dropped DLL
Event Triggered Execution: Installer Packages
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\syswow64\MsiExec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = … | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E | C:\Windows\system32\msiexec.exe | N/A |
| Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 | C:\Windows\system32\msiexec.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CA647C912B64C8840B6263FD3CFACFF0 | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\Language = "2052" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\AdvertiseFlags = "388" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C0921AD850DC9B3489C424E569BE40D8\CA647C912B64C8840B6263FD3CFACFF0 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\Clients = 3a0000000000 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\PackageCode = "3518CA3F3B7A4E34EB634866B45CFAD7" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\DeploymentFlags = "3" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C0921AD850DC9B3489C424E569BE40D8 | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CA647C912B64C8840B6263FD3CFACFF0\MainFeature | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\Version = "136118272" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\Assignment = "1" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\Net | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\Media | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\Media\DiskPrompt = "[1]" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\ProductName = "Win64-爱思助手V8.29" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\InstanceType = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\AuthorizedLUAApp = "0" | C:\Windows\system32\msiexec.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\PackageName = "i4.msi" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\Media\1 = ";" | C:\Windows\system32\msiexec.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\i4.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F474873D03CBB462AC3882A4F19375FD U
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 29FB2D488B911C2B813DE344086DEC42 C
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 6B809AC1C5C17B92D19E22EC806D18C0
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A66CAFD8953347DF3F4F41FA2A5DA727 E Global\MSI0000
C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe
"C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe" -skin_ui
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.110.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collect.installeranalytics.com | udp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 8.8.8.8:53 | 28.53.210.3.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.23.32.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.39.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ocsp.r2m02.amazontrust.com | udp |
| DE | 13.32.26.76:80 | ocsp.r2m02.amazontrust.com | tcp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 8.8.8.8:53 | 76.26.32.13.in-addr.arpa | udp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| US | 3.210.53.28:443 | collect.installeranalytics.com | tcp |
| HK | 45.125.49.4:27777 | | tcp |
| US | 8.8.8.8:53 | 4.49.125.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 168.117.168.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\MSI27708\embeddeduiproxy.dll
| MD5 | 6671824509f40eb0ddb8fad2a2c66886 |
| SHA1 | ab8e4380b5f0d104476793351334631e2fa6054f |
| SHA256 | 8ffa276ce0b7ceb444d1a1e898d80a46b87c5f506655f49c94b39f0a7581092f |
| SHA512 | 3b7570deeb144ead27165791c5a6eb3ab813fe19834ccb311c09aee04ab94a1fb08bae4236e5bacd02f62092689eac3292bef80a77933600cb0e3b70738b9258 |
C:\Users\Admin\AppData\Local\Temp\MSI27708\InstallerAnalytics.dll
| MD5 | 806e65956064190d6154d5de5cc96a5e |
| SHA1 | f2fa1b10dec6f4166b79e710d81147c9028c4198 |
| SHA256 | 17f79990c5455ac18abbca13fcd8f8584518881487f9fedcbd7cbbdbe003c6f8 |
| SHA512 | ae72ec2fe5895ca5e9e44b6c5e677356f9b7ba342d686a59be42b16027013d4b7c8c83ed0530705d792ac7b5881d10ec72dff546c2ee3c1452372d363501c62f |
C:\Users\Admin\AppData\Local\Temp\MSICF17.tmp
| MD5 | 89f70b588a48793450dd603b6cd4096f |
| SHA1 | 9b6509c031856c715d62853c4e93efbdf48d5aeb |
| SHA256 | 066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281 |
| SHA512 | fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a |
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\tracking.ini
| MD5 | ec95bcb6aeb25808d7b7b7816f7be13b |
| SHA1 | 6bfeb0825e8b4304e5e1643e82a318adf0581eec |
| SHA256 | 8edf77b7abe55db55a4a12bd44bd5f68cedf260832ab0d51b34c0229003dd147 |
| SHA512 | 695017054ed58c421f36a6ba5e5e7e8cd067718c0c13e320e7722846027e86fe78e2ac838cd97546bc054ded75e30d4a812575f281471e8e3a878fe977407d46 |
C:\Users\Admin\AppData\Local\Temp\MSID363.tmp
| MD5 | 58c6476771f68f57661d0f6533cb70ef |
| SHA1 | 8080de39939f0a8f1e0c529cca30bf38b0e6abf2 |
| SHA256 | 7eb240ef6e75de05b2a199bc55fdc8d13f467d5b4e58457011653312fffcc65f |
| SHA512 | 2b4b4e4466a7eea2d28631a80f257ced0a7263aa81c945105b793371534580dff1b66779bab36b9157b596c352c234a19c568e105faa1ba8681aa39feb5950c5 |
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{9909CAF2-0304-4620-B614-94718060D820}.session
| MD5 | 42b35754de0de0a94d1c7043917ec717 |
| SHA1 | fcfb33889a7e51a3cfd52fe85f2b87f11308fe54 |
| SHA256 | ca24ad8e80eaa6797b4dd71ec72e29759624f3ad81a97a2642a0e26865687992 |
| SHA512 | 635cd32c5c0965f3e73206e6b601f3bf88b958e7dc0cec66dd165f03a18eb52b73a00c73ac5e61b5bd1db1d3e7973737266fc99345fe34ace8b097ab7286f02f |
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{9909CAF2-0304-4620-B614-94718060D820}.session
| MD5 | 83003ac1cdb306f26f80f65fe529e7f4 |
| SHA1 | da31ea9acbc284a547c0b6aa8ccaf66a0891e222 |
| SHA256 | d5b56129d3e4ce53a4fab28a9932b299e5e5a27cd903835ee86dee7eeccd5ce1 |
| SHA512 | ba0aa02076dd1fb4fb1a32e8944254069eda38e9796206ac4e5f2f1ccfbe43d27da8b4453f2a98dcfcea60549726a6ef060e10135e4011fe36f885c182a09e80 |
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{9909CAF2-0304-4620-B614-94718060D820}.session
| MD5 | 151254b9ce0a2013b43f774819aea0d8 |
| SHA1 | 26301ec08636e2362151a0e4c8682b930be491d4 |
| SHA256 | 32bfebbd6361f15ce0a5c22e606f066c7485b233fb11d0857bdaac5c81e3a58f |
| SHA512 | 15c15b4ea94180f50bee13240b9687c451eb0280aa3c041e28865e441132a33ec3ded0017587c01453c24c2a87c00436b47231627e1ed44703db016cb32e6c18 |
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{9909CAF2-0304-4620-B614-94718060D820}.session
| MD5 | 8d068d65054022ad94906bfbf99de622 |
| SHA1 | bf4968d0ad6e0cd44185dd3c4ede231ad50044ab |
| SHA256 | dfc0908dbdaf485b5e9a5b6b839fd026a5d27d0bad386f2fb0721ce1d20b0735 |
| SHA512 | 63ebce2d1d2ae44538c235afa022b1274bee6a25c4a95c68e944b85a0e59f0f86bedbca68247a4db16d80f8a42027a5b3ce76b88e7088cb0aacf23422de392bc |
C:\Windows\Installer\MSI5391.tmp
| MD5 | 17209841138816c79e9d11c0d61ecba1 |
| SHA1 | 362a1bbb99d2900b3b4abae1f3ac848d7adb76eb |
| SHA256 | d695712b3d54481af4c01bf7604443c7ac9ee5728671049562de35b76fae0a19 |
| SHA512 | a0ecc7a2d8102d05b10cab4064469176879340aea99dbb05e77777755fb2eb87abef00e7cb6148a83e0411d22916f1453789acdb3babe367d25a253d8fafd95d |
C:\Users\Admin\AppData\Local\cache\devices_table\iPhone14Pro.svg
| MD5 | 77cb737208ff7f38f85efb31f6482be3 |
| SHA1 | 5a11798b21d406c4a642c546d3da9f7a07f4c436 |
| SHA256 | cbb1b92b25021deae953793e911d417ca87814b7c3ae3a89f614266c35a4d886 |
| SHA512 | 78cfddd3a71e0c22d75c8c67e0153c3b625d0672ba98af8b76f169286f6655d0175bcc93dee2d8c740bb4ac73bf1e3110ee9d49590767ff2a8b2496ee4b3a9da |
\??\Volume{0576a638-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b8821804-5faa-4bdf-ba52-d694a32e5f7d}_OnDiskSnapshotProp
| MD5 | 26d35da6456520a1cb4eaad8b0145b15 |
| SHA1 | ec452e7dcc509c3e0715a6068ab0c79be1edcecc |
| SHA256 | 6d1c4f659a0b906636d1ff8f923d71f1be0b2ea55b4baef3624fe3c9d36b53bb |
| SHA512 | 792e02273d44051e0e7c8315d03c1a2c94771753134bdd170a5ac391c6c50c73d50069e241bd5aab764b1319cbbcb35377951e2f8ef87d27d79f4a820e8c8750 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 1d70999a7d92435ce6e8f668d785ebaf |
| SHA1 | 36f03b92b722911a08ddb502e4a63b431fd5ce76 |
| SHA256 | 83b567bb2634c46867bb2740d7f1e554ca062a1f79a46ad024dd96789d3043b3 |
| SHA512 | b8dae108e19be5ead5a03ff246fb098a0dd93398476d4bac2d6c874b63d52c694471e91963026ef911887f0ebd7a9680c386ab648399d760c587a4c325796ce7 |
C:\Users\Public\Desktop\爱思助手8.0.lnk
| MD5 | b5f3833264d709102e7eb6433bd07f57 |
| SHA1 | 6fd8cec45816cdfbbbcb887c3844ee5e62e78faa |
| SHA256 | 099c1c4ef2d2484cb64ee9727d7ca6761660265d8d483886d3ea591f567d001c |
| SHA512 | 3357c9014acb3eee25f041d6b78448f64e7eb2f6bd25e4b06dd1294cf46ac8ba541c863a3f40019276586b6ea54629ad1bb95e4b89b11552c005255bb41926cb |
C:\Users\Public\Desktop\爱思助手8.0.lnk~RFe587162.TMP
| MD5 | dce769d17de2f705608a35edee66dbd7 |
| SHA1 | 3954ceb5dfdc34187872e025f0e10d9d1f74cea7 |
| SHA256 | b6b9a35a295f457d842f8b138828cda90f6e0ff1a383b6541ba63aa10ac3007f |
| SHA512 | f71e6dfb969cb77161b09fa0e61916ba4086c641bddc68853e9ac5b4c04651779cb7b99ff0183fd566b5066d452e4af5a49344234db9ecc9ed8ecf82ac6b5a11 |
C:\Users\Admin\AppData\Local\HaloTray.exe
| MD5 | be482d41d38c6a6691010e58fb8e1876 |
| SHA1 | 06b0e9638874d716c028d5fc38fa7edf349575e9 |
| SHA256 | e26eff452d61191588add27666ea8e0377bd0927ac8d327cee16b820633aba81 |
| SHA512 | 99f46c4918effa367ab96497f143661826fb8f7e8ddfc30502cf69e2438ad6146b0d56c74d9d57116c2193c5637f98dbf782ea950bcf19b46d280a15a1c90ba8 |
C:\Config.Msi\e584254.rbs
| MD5 | d21e393f4c43d0b93a025f90f6ff093c |
| SHA1 | 6168af81cbac5247d3010ea6094a5e60d4f25382 |
| SHA256 | c44d827b05b65791e0eccc3b8294acde16f2fddcd96f45c894c941bfca4d630a |
| SHA512 | 18698f0d5871596882e27a7f28cb5a7920c81f04d0196788b744e54f32a2c062822143225e97ebbca587f5d9b2d1909dd447d98f71d45ef54cdfcb7341220903 |
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{9909CAF2-0304-4620-B614-94718060D820}.session
| MD5 | 4e5597da7a83d458ed1586c09a30817e |
| SHA1 | 29ba95875b2bc02b2caaca76771574ede5795793 |
| SHA256 | 3fda8751411748747c9b5f1efa77dde2b9e14849bb140ec4a999d10b2e6968be |
| SHA512 | 19e9ca986b3a9478e6658c02d7a861111494f832305e6cce83d629ddccee4ad1134577db07c3608a0eb5ecded2f2e1ddce3d0098084d71b0b615f5e5c330dcdf |
C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe
| MD5 | cc6c4bfd3c92394b968e6026ef40e51a |
| SHA1 | cb6e3548cf53b5bf102eefbb51abdafdfe634946 |
| SHA256 | 6dcd14a0e77bc3db07aa2899c59d6024e2092e2f51c37856b884c54f32e85131 |
| SHA512 | 1a86b80422952cf8d903fdb9bcfdec0957e77d67540ac96932498336b44b073acac2a9fec6486f7e61e844d573dc5cf71e53eb0fdca4bf9d13f49c84385cdff1 |
C:\Users\Admin\AppData\Local\Bin\stardict-editor.dll
| MD5 | 75b7eff9a94923767ea1ac13cb945d14 |
| SHA1 | 76b7fad58f04904c46ccfae6882fdacef8326cd7 |
| SHA256 | 051bbfc721ef023bd4173eb620c680ca92e3493ba48fb010fa2570f331dbf3a8 |
| SHA512 | 59f501621397c9c33d8a589a439df882fd416fc3edb12e64b9e24d70d89052658f4aecafc589cfe613210367d7e8a1c34be6c482df214367c288eb001989dac0 |
memory/548-833-0x0000000000A60000-0x0000000000A61000-memory.dmp
memory/548-834-0x0000000000A70000-0x0000000000A71000-memory.dmp
memory/548-835-0x0000000000A80000-0x0000000000A81000-memory.dmp
memory/548-836-0x0000000002550000-0x0000000002551000-memory.dmp
memory/548-837-0x0000000002560000-0x0000000002561000-memory.dmp
memory/548-839-0x0000000002580000-0x0000000002581000-memory.dmp
memory/548-838-0x0000000002570000-0x0000000002571000-memory.dmp
memory/548-840-0x0000000002590000-0x0000000002591000-memory.dmp
memory/548-841-0x0000000010000000-0x0000000011C53000-memory.dmp
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\tracking.ini
| MD5 | e50bff99eaa23b46eb1dfb53305ee668 |
| SHA1 | 35c732e9ab3e61b82035c4fda2e730770c7f554a |
| SHA256 | 29af58b2c7130e0af68aae6fd2ce219bdf33d1728d6081e9436c31f2eebe30d2 |
| SHA512 | 73ee0b15f71a949ed80b22bea16b3b6f14f82d93d3a51db80fc17cc9bd216eff4dad4e32b3928f55412b33ad6c4da3d65522087d06eaa354b9477a7571321890 |
C:\Users\Admin\AppData\Local\Bin\config.ini
| MD5 | 83b15cb203aa5d3f8db433708d9aee71 |
| SHA1 | 4a2207c1e6b092f78802740342e5c0a5807bbda1 |
| SHA256 | 41e87dbb9b716c5c760c92b74fec2b7a9d1473d34b182272ee81d212ec4c2a2c |
| SHA512 | b717553a2ea09d6f9730f01602d0f16608356a8486b94b8db1fe2a1980bf0a2a3b0a14f57c412791fe564c2e222de25f13daa517327be28af22f0d31ef91fcea |
C:\Users\Admin\AppData\Local\Bin\res\theme\azure.she
| MD5 | 636f6a2c1521c82a3a503be1f3f6210f |
| SHA1 | 68410eefac45eef85465db572db78362bbc16208 |
| SHA256 | 3835bd02c8f252236b41ca94bf69a034e6abd34daf44dbc7d4e2d074ddeca7fd |
| SHA512 | 5904bf6054c6c07355b0121c54559aaba6a0833286b0811aca30dcdf06f1447c4ed845c6176e6ee881dd815043d584d0259d382d9f2e0993a8bc89354ca5d872 |
C:\Users\Admin\AppData\Local\Bin\res\theme\purple.she
| MD5 | 99210799292be3af0d97fa8adbe7bf11 |
| SHA1 | afb7d83cb013fbad4df9c51bbc7e0d13074d3336 |
| SHA256 | b860cc992c20d581dff09c6e1d50306dfd9c7638990fdc8fc7b311d54872bd0d |
| SHA512 | b584fef2178e28b1963d5d8c8df5217720b843d17fb7f17a7f53b313ca1095c30800d1a933beead1438239a1b33055674cfea72d9091b14f7cd879ec02c4e3b1 |
memory/548-872-0x0000000002B80000-0x0000000003495000-memory.dmp
memory/548-881-0x0000000004840000-0x0000000004A62000-memory.dmp
memory/548-890-0x0000000004840000-0x0000000004A62000-memory.dmp
memory/548-899-0x0000000003740000-0x0000000003898000-memory.dmp
memory/548-898-0x0000000004840000-0x0000000004A62000-memory.dmp
memory/548-897-0x0000000004840000-0x0000000004A62000-memory.dmp
memory/548-896-0x0000000004840000-0x0000000004A62000-memory.dmp
memory/548-894-0x0000000004840000-0x0000000004A62000-memory.dmp
memory/548-893-0x0000000004840000-0x0000000004A62000-memory.dmp
memory/548-892-0x0000000004840000-0x0000000004A62000-memory.dmp
memory/548-891-0x0000000004840000-0x0000000004A62000-memory.dmp
memory/548-889-0x0000000004840000-0x0000000004A62000-memory.dmp
memory/548-888-0x0000000004840000-0x0000000004A62000-memory.dmp
memory/548-887-0x0000000004840000-0x0000000004A62000-memory.dmp
memory/548-886-0x0000000004840000-0x0000000004A62000-memory.dmp
memory/548-885-0x0000000004840000-0x0000000004A62000-memory.dmp
memory/548-884-0x0000000004840000-0x0000000004A62000-memory.dmp
memory/548-883-0x0000000004840000-0x0000000004A62000-memory.dmp
memory/548-882-0x0000000004840000-0x0000000004A62000-memory.dmp
memory/548-880-0x0000000004840000-0x0000000004A62000-memory.dmp
memory/548-895-0x0000000004840000-0x0000000004A62000-memory.dmp
memory/548-901-0x0000000006300000-0x0000000006327000-memory.dmp
C:\Users\Admin\AppData\Roaming\config.ini
| MD5 | ee1a600c8079bfc88f139aa52c27347d |
| SHA1 | c478aecf481344867822c2bb3111c2b40c1d9d5c |
| SHA256 | 9ff6a379ac980293b8d485b3a7bb1b0ed332b73886ca1d531097d73aa4d05681 |
| SHA512 | bf0d4af18be0cfb16a951f156025399ef08b99408243f8d83473594e5959a32c290fa45dac4af468f74b9cebb7025d04d08b82d30848a0c50b39fc3ed945673a |
C:\Users\Admin\AppData\Local\Bin\VCRUNTIME140.dll
| MD5 | d0520569180accd7e17ed9697711d6ec |
| SHA1 | 46cb7e2db7efda70b9a5b75b2fe0bb6038499008 |
| SHA256 | 13026df002b3575564f32927b7f791d59b4cc571f30ccc28075c4edb4afef67c |
| SHA512 | 86e96f5648d714914469a576693a656390291a547ea9dd5903c85853ac63c68f69129e54f95e5fc7aec781b883232ffaf0d5a536302226f4243d1f2e517e2034 |
memory/548-904-0x0000000003740000-0x0000000003898000-memory.dmp