blackmoon | 7f7abbdbd82cc7e2142636e764b13547bd1e309221693a9e3d1ceab5299c0af6

Resubmissions

22-11-2024 05:12

241122-fv4mhs1kgp 10

19-11-2024 04:06

241119-epln3szmft 10

Analysis

max time kernel
188s
max time network
204s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 05:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

i4.msi
Size

414.8MB
MD5

5458ded6540ceaa02e7c1b74b38fa8ba
SHA1

77f63bfb0c37b76005b9105e3544a63dd2240f77
SHA256

7f7abbdbd82cc7e2142636e764b13547bd1e309221693a9e3d1ceab5299c0af6
SHA512

cac691c9c69e6db69e4e9d16a60aa9e01f2cf6f2fc7bafc15b9ba88d13dc0bcfb2f966e9e7b888aafa547cb49f2ca6df625fe555b6eb6d757e30aa601ea8feec
SSDEEP

12582912:kGJfvUrxERbTpxS6bJSPeXi2ffucxlgJIerR:kGq9Mp9bJSWXi2fpxOIerR

Score

10^/10

blackmoon banker bootkit discovery persistence privilege_escalation spyware stealer trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral1/memory/312-945-0x0000000003630000-0x0000000003F45000-memory.dmp	family_blackmoon
behavioral1/memory/312-948-0x0000000003630000-0x0000000003F45000-memory.dmp	family_blackmoon

Blocklisted process makes network request 5 IoCs

flow	pid	Process
44	216	MsiExec.exe
46	216	MsiExec.exe
48	216	MsiExec.exe
50	216	MsiExec.exe
52	216	MsiExec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	HaloTray.exe
File opened for modification	\??\PhysicalDrive0	HaloHelper.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	QtWebEngineProcess.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
312	TomatoWallPaper.exe
312	TomatoWallPaper.exe

Drops file in Windows directory 19 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5827c7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2C7B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2CBA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI370F.tmp	msiexec.exe
File created	C:\Windows\Installer\e5827c9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5827c7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2F9C.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2BBE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2EFE.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{19C746AC-46B2-488C-B026-36DFC3AFFC0F}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3963.tmp	msiexec.exe
File created	C:\Windows\Installer\{19C746AC-46B2-488C-B026-36DFC3AFFC0F}\HaloTray_1.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{19C746AC-46B2-488C-B026-36DFC3AFFC0F}\HaloTray_1.exe	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2D29.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI38E5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5681.tmp	msiexec.exe

Executes dropped EXE 7 IoCs

pid	Process
312	TomatoWallPaper.exe
2948	HaloTray.exe
5100	HaloDesktop64.exe
4288	HaloHelper.exe
2120	QtWebEngineProcess.exe
1904	QtWebEngineProcess.exe
2400	QtWebEngineProcess.exe

Loads dropped DLL 64 IoCs

pid	Process
216	MsiExec.exe
216	MsiExec.exe
3196	MsiExec.exe
3196	MsiExec.exe
3196	MsiExec.exe
3196	MsiExec.exe
3196	MsiExec.exe
3196	MsiExec.exe
3196	MsiExec.exe
3196	MsiExec.exe
3196	MsiExec.exe
3196	MsiExec.exe
3948	MsiExec.exe
3948	MsiExec.exe
3948	MsiExec.exe
3948	MsiExec.exe
3948	MsiExec.exe
3948	MsiExec.exe
3948	MsiExec.exe
3948	MsiExec.exe
1620	MsiExec.exe
3196	MsiExec.exe
312	TomatoWallPaper.exe
2948	HaloTray.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3800	msiexec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TomatoWallPaper.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HaloTray.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HaloHelper.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001397c7f967de25740000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001397c7f90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001397c7f9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1397c7f9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001397c7f900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\ProductName = "Win64-爱思助手V8.29"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Halo\command\ = "\\HaloDesktop64.exe --from=rmenu --mirrorPath=\"%1\""	HaloTray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCi4Tools\URL Protocol	HaloDesktop64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCi4Tools\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\HaloDesktop64.exe, 1"	HaloDesktop64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\InstanceType = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\开启桌面整理\command\ = "\\HaloTray.exe --from=rmenu"	HaloTray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\开启桌面整理\Position = "Top"	HaloTray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\shell\开启桌面整理\command	HaloTray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CA647C912B64C8840B6263FD3CFACFF0\MainFeature	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\PackageName = "i4.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\shell\开启桌面整理	HaloTray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCi4Tools\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\HaloDesktop64.exe\" /open \"%1\""	HaloDesktop64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DesktopBackground\Shell\开启桌面整理\Icon = "\\Utils\\Install.ico"	HaloTray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCi4Tools\shell\open\command	HaloDesktop64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Halo\ = "映射该文件夹到桌面"	HaloTray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Halo\Icon = "\\Utils\\mirror.ico"	HaloTray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Halo\command	HaloTray.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\PackageCode = "3518CA3F3B7A4E34EB634866B45CFAD7"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\Version = "136118272"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shell\Halo	HaloTray.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCi4Tools\shell	HaloDesktop64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C0921AD850DC9B3489C424E569BE40D8	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\C0921AD850DC9B3489C424E569BE40D8\CA647C912B64C8840B6263FD3CFACFF0	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCi4Tools\DefaultIcon	HaloDesktop64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCi4Tools\shell\open	HaloDesktop64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\CA647C912B64C8840B6263FD3CFACFF0	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\Language = "2052"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\CA647C912B64C8840B6263FD3CFACFF0\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\PCi4Tools	HaloDesktop64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\PCi4Tools\ = "URL:PCi4Tools"	HaloDesktop64.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5100	HaloDesktop64.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
3196	MsiExec.exe
3196	MsiExec.exe
1912	msiexec.exe
1912	msiexec.exe
312	TomatoWallPaper.exe
312	TomatoWallPaper.exe
2948	HaloTray.exe
2948	HaloTray.exe
2948	HaloTray.exe
2948	HaloTray.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
2948	HaloTray.exe
2948	HaloTray.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
312	TomatoWallPaper.exe
312	TomatoWallPaper.exe
312	TomatoWallPaper.exe
312	TomatoWallPaper.exe
2120	QtWebEngineProcess.exe
2120	QtWebEngineProcess.exe
1904	QtWebEngineProcess.exe
1904	QtWebEngineProcess.exe
2400	QtWebEngineProcess.exe
2400	QtWebEngineProcess.exe
312	TomatoWallPaper.exe
312	TomatoWallPaper.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5100	HaloDesktop64.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3800	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3800	msiexec.exe
Token: SeSecurityPrivilege	1912	msiexec.exe
Token: SeCreateTokenPrivilege	3800	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3800	msiexec.exe
Token: SeLockMemoryPrivilege	3800	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3800	msiexec.exe
Token: SeMachineAccountPrivilege	3800	msiexec.exe
Token: SeTcbPrivilege	3800	msiexec.exe
Token: SeSecurityPrivilege	3800	msiexec.exe
Token: SeTakeOwnershipPrivilege	3800	msiexec.exe
Token: SeLoadDriverPrivilege	3800	msiexec.exe
Token: SeSystemProfilePrivilege	3800	msiexec.exe
Token: SeSystemtimePrivilege	3800	msiexec.exe
Token: SeProfSingleProcessPrivilege	3800	msiexec.exe
Token: SeIncBasePriorityPrivilege	3800	msiexec.exe
Token: SeCreatePagefilePrivilege	3800	msiexec.exe
Token: SeCreatePermanentPrivilege	3800	msiexec.exe
Token: SeBackupPrivilege	3800	msiexec.exe
Token: SeRestorePrivilege	3800	msiexec.exe
Token: SeShutdownPrivilege	3800	msiexec.exe
Token: SeDebugPrivilege	3800	msiexec.exe
Token: SeAuditPrivilege	3800	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3800	msiexec.exe
Token: SeChangeNotifyPrivilege	3800	msiexec.exe
Token: SeRemoteShutdownPrivilege	3800	msiexec.exe
Token: SeUndockPrivilege	3800	msiexec.exe
Token: SeSyncAgentPrivilege	3800	msiexec.exe
Token: SeEnableDelegationPrivilege	3800	msiexec.exe
Token: SeManageVolumePrivilege	3800	msiexec.exe
Token: SeImpersonatePrivilege	3800	msiexec.exe
Token: SeCreateGlobalPrivilege	3800	msiexec.exe
Token: SeCreateTokenPrivilege	3800	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3800	msiexec.exe
Token: SeLockMemoryPrivilege	3800	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3800	msiexec.exe
Token: SeMachineAccountPrivilege	3800	msiexec.exe
Token: SeTcbPrivilege	3800	msiexec.exe
Token: SeSecurityPrivilege	3800	msiexec.exe
Token: SeTakeOwnershipPrivilege	3800	msiexec.exe
Token: SeLoadDriverPrivilege	3800	msiexec.exe
Token: SeSystemProfilePrivilege	3800	msiexec.exe
Token: SeSystemtimePrivilege	3800	msiexec.exe
Token: SeProfSingleProcessPrivilege	3800	msiexec.exe
Token: SeIncBasePriorityPrivilege	3800	msiexec.exe
Token: SeCreatePagefilePrivilege	3800	msiexec.exe
Token: SeCreatePermanentPrivilege	3800	msiexec.exe
Token: SeBackupPrivilege	3800	msiexec.exe
Token: SeRestorePrivilege	3800	msiexec.exe
Token: SeShutdownPrivilege	3800	msiexec.exe
Token: SeDebugPrivilege	3800	msiexec.exe
Token: SeAuditPrivilege	3800	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3800	msiexec.exe
Token: SeChangeNotifyPrivilege	3800	msiexec.exe
Token: SeRemoteShutdownPrivilege	3800	msiexec.exe
Token: SeUndockPrivilege	3800	msiexec.exe
Token: SeSyncAgentPrivilege	3800	msiexec.exe
Token: SeEnableDelegationPrivilege	3800	msiexec.exe
Token: SeManageVolumePrivilege	3800	msiexec.exe
Token: SeImpersonatePrivilege	3800	msiexec.exe
Token: SeCreateGlobalPrivilege	3800	msiexec.exe
Token: SeCreateTokenPrivilege	3800	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3800	msiexec.exe
Token: SeLockMemoryPrivilege	3800	msiexec.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3800	msiexec.exe
3800	msiexec.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
312	TomatoWallPaper.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
5100	HaloDesktop64.exe
312	TomatoWallPaper.exe
312	TomatoWallPaper.exe
2120	QtWebEngineProcess.exe
1904	QtWebEngineProcess.exe
2400	QtWebEngineProcess.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1912 wrote to memory of 216	1912	msiexec.exe	88
PID 1912 wrote to memory of 216	1912	msiexec.exe	88
PID 1912 wrote to memory of 216	1912	msiexec.exe	88
PID 1912 wrote to memory of 3196	1912	msiexec.exe	90
PID 1912 wrote to memory of 3196	1912	msiexec.exe	90
PID 1912 wrote to memory of 3196	1912	msiexec.exe	90
PID 1912 wrote to memory of 2668	1912	msiexec.exe	101
PID 1912 wrote to memory of 2668	1912	msiexec.exe	101
PID 1912 wrote to memory of 3948	1912	msiexec.exe	103
PID 1912 wrote to memory of 3948	1912	msiexec.exe	103
PID 1912 wrote to memory of 3948	1912	msiexec.exe	103
PID 1912 wrote to memory of 1620	1912	msiexec.exe	106
PID 1912 wrote to memory of 1620	1912	msiexec.exe	106
PID 1912 wrote to memory of 1620	1912	msiexec.exe	106
PID 3196 wrote to memory of 312	3196	MsiExec.exe	108
PID 3196 wrote to memory of 312	3196	MsiExec.exe	108
PID 3196 wrote to memory of 312	3196	MsiExec.exe	108
PID 2948 wrote to memory of 4288	2948	HaloTray.exe	111
PID 2948 wrote to memory of 4288	2948	HaloTray.exe	111
PID 2948 wrote to memory of 4288	2948	HaloTray.exe	111
PID 5100 wrote to memory of 2120	5100	HaloDesktop64.exe	112
PID 5100 wrote to memory of 2120	5100	HaloDesktop64.exe	112
PID 5100 wrote to memory of 1904	5100	HaloDesktop64.exe	113
PID 5100 wrote to memory of 1904	5100	HaloDesktop64.exe	113
PID 5100 wrote to memory of 2400	5100	HaloDesktop64.exe	114
PID 5100 wrote to memory of 2400	5100	HaloDesktop64.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\i4.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3800

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1912
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 72695D6126B092EA687FFBCB9CC3AA97 U
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:216
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C9753A9D35B56521DE890403BE5B9386 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3196
- - C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe
    "C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe" -skin_ui
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:312
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2668
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 47AF3BAB166A96A5ADE4FBB2CE177B07
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3948
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F13DB3B31B0D73E7909FF7A564BFCFAF E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1620

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4648

C:\Users\Admin\AppData\Local\HaloTray.exe
"C:\Users\Admin\AppData\Local\HaloTray.exe" --from
1⤵
- Writes to the Master Boot Record (MBR)
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Users\Admin\AppData\Local\Utils\HaloHelper.exe
  C:\Users\Admin\AppData\Local\Utils\HaloHelper.exe
  2⤵
  - Writes to the Master Boot Record (MBR)
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4288

C:\Users\Admin\AppData\Local\HaloDesktop64.exe
"C:\Users\Admin\AppData\Local\HaloDesktop64.exe" "C:\Users\Admin\AppData\Local\HaloTray.exe" --from
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5100
- C:\Users\Admin\AppData\Local\QtWebEngineProcess.exe
  "C:\Users\Admin\AppData\Local\QtWebEngineProcess.exe" --type=utility --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --lang=zh --service-sandbox-type=network --no-sandbox --application-name=i4Tools --webengine-schemes=qrc:sLV --mojo-platform-channel-handle=3328 /prefetch:8
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2120
- C:\Users\Admin\AppData\Local\QtWebEngineProcess.exe
  "C:\Users\Admin\AppData\Local\QtWebEngineProcess.exe" --type=renderer --no-sandbox --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=zh --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=3 --mojo-platform-channel-handle=3676 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:1904
- C:\Users\Admin\AppData\Local\QtWebEngineProcess.exe
  "C:\Users\Admin\AppData\Local\QtWebEngineProcess.exe" --type=renderer --no-sandbox --disable-speech-api --enable-threaded-compositing --enable-features=AllowContentInitiatedDataUrlNavigations,TracingServiceInProcess --disable-features=BackgroundFetch,ConsolidatedMovementXY,DnsOverHttpsUpgrade,FormControlsRefresh,MojoVideoCapture,PictureInPicture,SmsReceiver,UseSkiaRenderer,WebPayments,WebUSB --disable-gpu-compositing --lang=zh --webengine-schemes=qrc:sLV --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2400

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5827c8.rbs

Filesize
75KB

MD5
48597968acb09c7659b5cc318e6436cd

SHA1
309484b59c4d0a59afba2fd940897ec43a14eb0c

SHA256
9aa860afd248c8a483dd9c88a2ed50d7c6ff3e2afed595591ec2c5f0be0821a0

SHA512
7cfad0fbc3c727c42414e6ba3cd378e8a7d049b83df241371a156c1e8cf303efffc1c381e6f3bf03354e7c466393b3316f3b868fb40ad9932104d6beefdf0e88

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\tracking.ini

Filesize
84B

MD5
9c4df31e525402bc13c353031a4c4f01

SHA1
3ece4638477fecc157fc020342da9bfc098ee484

SHA256
3ca8775f25bfc15354683ba37610aae613353379dab99f4903cc6849430c09b9

SHA512
59073b5182b15a471ef2e3d3bb61befcb36ed6fdffdc21f978b91dd5020a1ee62c79d208e9daf92e9818f57f309c5458dec5b1d680283cacf9dbd91bd40c2a84

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\tracking.ini

Filesize
84B

MD5
e99dfed49518ede9c0213ae430b40c95

SHA1
91c17d67a5aa6cd1de392e5ae6aa1c2e5e3626fe

SHA256
849f34b0e391f59a26bc42e2c2fb157e2c51c05a6c6e584c2b09e82ed95caaf3

SHA512
30e337305efdd3295f8197fdbf77fb0217c431c87c91e3b789103d6d048345a48be25f5a99fa06e7eb38e2db350d15d6da59ae9732280e0a7aadaf4fffb9ee06

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{E6A53BFF-4CEC-41BC-AED0-810E1569B410}.session

Filesize
33KB

MD5
ad0038783448d00e5955d00e7146f034

SHA1
d442df5a14caffd709c53e2f8068766f58359848

SHA256
66d839ba80036768bed58d6621ef767dbd83ca7d5d28fd1052d10d2e28a04e93

SHA512
3495bfcd52e854a4f2e2bfa357eb92a1ba9f26f5b65288266585a99cf0703c94a36d08448b9957ad4095f7385ae19677a418c0ad7e0bd26b9b0a8f4da2c1127c

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{E6A53BFF-4CEC-41BC-AED0-810E1569B410}.session

Filesize
38KB

MD5
c8420cdbc6fcf99632546a68a9b7cf97

SHA1
07cb4ac70548bddb913fd9b57219edd66910014d

SHA256
367131356bb9816fdeaba81de2b4d4003eb42dc6e22f2956756e269797089ec3

SHA512
bf8a1990f1360129bba76865b7d763bbc3852e6d72c4e93a95e19d12b2dc29d7bd169b9e38b168099b6e76a3483d1a69d026d3a8b26e80b535a83a5b2611a85b

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{E6A53BFF-4CEC-41BC-AED0-810E1569B410}.session

Filesize
5KB

MD5
db86896c7e7532d4868354b0da6e4887

SHA1
d273725b308422d6ee734902234acdc9b9c55d85

SHA256
14949ee6de76015b6d0a18f51a1fa92894f0acf748fd9b22df50e7d4f2d3bdf8

SHA512
03bceb2512d979a09348c12fde76214575b4e9838073ba0159e2032a591751e8a283a2b89fad915f8b47874029fd2ce6522ca1dd288ac6b8bba8d443cf6ffc7f

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{E6A53BFF-4CEC-41BC-AED0-810E1569B410}.session

Filesize
12KB

MD5
9c8d29fd289bcb13f851e5e7f2e7806b

SHA1
0e53b2564d81abe30f4a1d061e3bf1aacf110fdd

SHA256
ae5e2133a86fd79c6798fa5155e43589eeb09f00a91c552588719adce4b976bf

SHA512
8e30f8f9d8499448490396bf487d7a872d40533e5bbfa958f34cceb55f287f1665fe5928fc075a15aae0184034e85601620779d6254b72409e63cd50ef31158a

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\66eea3460d96e6db3702e6c9\8.29\{E6A53BFF-4CEC-41BC-AED0-810E1569B410}.session

Filesize
38KB

MD5
cab1a9936414bed0537630e51f9d41fc

SHA1
8ba088281621185e0b1144be97f38e1f8213cc7f

SHA256
2ab1a87ae21a1b00d75babbd54e15d6959531e73eebc773b19d4595d50d1331e

SHA512
b6cbac40904531a66264f194dcdf92b283107ded66b45cea6e99069596b12a6fc0c2283c9630f0d1891fe44433da9b95c025a9aa73c7b1f55c3d346227823f45

Download Submit
C:\Users\Admin\AppData\Local\Bin\TomatoWallPaper.exe

Filesize
109KB

MD5
cc6c4bfd3c92394b968e6026ef40e51a

SHA1
cb6e3548cf53b5bf102eefbb51abdafdfe634946

SHA256
6dcd14a0e77bc3db07aa2899c59d6024e2092e2f51c37856b884c54f32e85131

SHA512
1a86b80422952cf8d903fdb9bcfdec0957e77d67540ac96932498336b44b073acac2a9fec6486f7e61e844d573dc5cf71e53eb0fdca4bf9d13f49c84385cdff1

Download Submit
C:\Users\Admin\AppData\Local\Bin\stardict-editor.dll

Filesize
28.2MB

MD5
75b7eff9a94923767ea1ac13cb945d14

SHA1
76b7fad58f04904c46ccfae6882fdacef8326cd7

SHA256
051bbfc721ef023bd4173eb620c680ca92e3493ba48fb010fa2570f331dbf3a8

SHA512
59f501621397c9c33d8a589a439df882fd416fc3edb12e64b9e24d70d89052658f4aecafc589cfe613210367d7e8a1c34be6c482df214367c288eb001989dac0

Download Submit
C:\Users\Admin\AppData\Local\HaloDesktop.exe

Filesize
3.0MB

MD5
ba4f92af87f25e50f27230f5b5af23a4

SHA1
c5f0034cbdc8c5bb881b1366394d00be23dca1e8

SHA256
1d2cc9caf9004a2525e9f442edae79b01b15fe645b88bf92f2d2fc0c5152e40d

SHA512
9cb856f30d5a0727c2b02bf9fb6c34071ee6c201374cfeb8f75a6080f0abc78c17eb69866d4b380ad28fce9978736345a267eb4d21f713c6ec8a072cfa64597d

Download Submit
C:\Users\Admin\AppData\Local\HaloTray.exe

Filesize
1.6MB

MD5
be482d41d38c6a6691010e58fb8e1876

SHA1
06b0e9638874d716c028d5fc38fa7edf349575e9

SHA256
e26eff452d61191588add27666ea8e0377bd0927ac8d327cee16b820633aba81

SHA512
99f46c4918effa367ab96497f143661826fb8f7e8ddfc30502cf69e2438ad6146b0d56c74d9d57116c2193c5637f98dbf782ea950bcf19b46d280a15a1c90ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2244\InstallerAnalytics.dll

Filesize
1.0MB

MD5
806e65956064190d6154d5de5cc96a5e

SHA1
f2fa1b10dec6f4166b79e710d81147c9028c4198

SHA256
17f79990c5455ac18abbca13fcd8f8584518881487f9fedcbd7cbbdbe003c6f8

SHA512
ae72ec2fe5895ca5e9e44b6c5e677356f9b7ba342d686a59be42b16027013d4b7c8c83ed0530705d792ac7b5881d10ec72dff546c2ee3c1452372d363501c62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI2244\embeddeduiproxy.dll

Filesize
23KB

MD5
6671824509f40eb0ddb8fad2a2c66886

SHA1
ab8e4380b5f0d104476793351334631e2fa6054f

SHA256
8ffa276ce0b7ceb444d1a1e898d80a46b87c5f506655f49c94b39f0a7581092f

SHA512
3b7570deeb144ead27165791c5a6eb3ab813fe19834ccb311c09aee04ab94a1fb08bae4236e5bacd02f62092689eac3292bef80a77933600cb0e3b70738b9258

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIC841.tmp

Filesize
719KB

MD5
89f70b588a48793450dd603b6cd4096f

SHA1
9b6509c031856c715d62853c4e93efbdf48d5aeb

SHA256
066c52ed8ebf63a33ab8290b7c58d0c13f79c14faa8bf12b1b41f643d3ebe281

SHA512
fb04c530430eea6149fd7216f64751e641394a66c0cb222f70c29361baa621a78f906e0adff19bd4cbe5de69edcea7e40bff7c2e068fd4dbd057ca6494db861a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICC20.tmp

Filesize
1.1MB

MD5
58c6476771f68f57661d0f6533cb70ef

SHA1
8080de39939f0a8f1e0c529cca30bf38b0e6abf2

SHA256
7eb240ef6e75de05b2a199bc55fdc8d13f467d5b4e58457011653312fffcc65f

SHA512
2b4b4e4466a7eea2d28631a80f257ced0a7263aa81c945105b793371534580dff1b66779bab36b9157b596c352c234a19c568e105faa1ba8681aa39feb5950c5

Download Submit
C:\Users\Admin\AppData\Local\Utils\arctrl.dll

Filesize
445KB

MD5
022d8c9edb5ca9bf91c8ed318ca07bed

SHA1
fc7be38e64db951d3643d4e60e5c558988c68ece

SHA256
351842983bd2d2c98ceafdd11f648b6b97ab5a7b732f64a068fcdc17a7f8b3e2

SHA512
909ac11870ae6b9c0ab9b9696032bed18bf2228022089bb5a965bc452aa7c2dd597113638aa4a039b7458535cc8dcc7ed9cdc3fdeb3004574508d18dd5ee47de

Download Submit
C:\Users\Admin\AppData\Local\cache\devices_table\iPhone14Pro.svg

Filesize
28KB

MD5
77cb737208ff7f38f85efb31f6482be3

SHA1
5a11798b21d406c4a642c546d3da9f7a07f4c436

SHA256
cbb1b92b25021deae953793e911d417ca87814b7c3ae3a89f614266c35a4d886

SHA512
78cfddd3a71e0c22d75c8c67e0153c3b625d0672ba98af8b76f169286f6655d0175bcc93dee2d8c740bb4ac73bf1e3110ee9d49590767ff2a8b2496ee4b3a9da

Download Submit
C:\Users\Admin\AppData\Local\cache\hometmp\1731637610515.jpg

Filesize
36KB

MD5
978cd8c60a4c3aa0050b9410df1673f1

SHA1
3c7e54c3f98f906aa6a117864d1d82428943cd2c

SHA256
53c8c873385e457a8193d416e51170d1fcffd7901f466c62162fd2b4d6721afb

SHA512
d50816a397fbfa3232a4fd5fa83f18e9612b3959a120b7c2364a8e2bc053b20e8a0f7389b090358764090a131293994d97b790a16b310157d47d6d6f0ea2d1a8

Download Submit
C:\Users\Admin\AppData\Local\config.ini

Filesize
113B

MD5
ecd23d053dc742054faa8f5cb79b5c78

SHA1
f488f96eddc6bb961efbc1e791cf527e9a13049e

SHA256
f70145c4537b13c74f80f65b56799e9d36f5c8bd734ecb9eb7bd7356388f36cc

SHA512
8523cfdbdf13495e7aa3892249080e7a9b673915954aa803753989e5cc48fb86ca26aa39a5ac479eca1c161d7c9b055b8bcc792f31e0d41fed934dad9e8fc814

Download Submit
C:\Users\Admin\AppData\Local\setting.cfg

Filesize
389B

MD5
0d167a9fd2ac459335b7b52834ebae98

SHA1
d4267c9eb7e1d5db2ea5d73886bd04a730e1e952

SHA256
93a1a3f73846c8ae8c4639fedbfba11fe3aceeae9af1e39e310a0ce4452bdb4b

SHA512
bc1630ef35e9e3ab077d6613a202f34a88ae6b91261278f0812d50895edfc5948d69d92589ed987b55f61168802c56e77b8bf67634bc77e94ada28431c7799c3

Download Submit
C:\Users\Admin\AppData\Local\setting.cfg.lock

Filesize
66B

MD5
b662aad4aa01a8b9f4cab0c5b0d9adf1

SHA1
b5a1f1646af55245113ea588bd80fc3c7b2c7a90

SHA256
9295f0df214706af5285fffb22efa067e8b45b041d7dd0f78dc971be0ae76e01

SHA512
26de1eaf5256aabba9c697ed9948a14e64880eafc756f91ca84c779280628baba70975bb87a5f3e00e3414bb60835139cf6b08458edff7d34aec3b2e3ca66c01

Download Submit
C:\Users\Admin\AppData\Local\setting.cfg.osapQY

Filesize
363B

MD5
3ea64a90fac3338aa79a1ad3bac12491

SHA1
d6eb7cb07df05d4ed7eb121eec38d158949f2c46

SHA256
8027e47a69e6b817617f15a9dc5d6f61accb325a353851f17146385e7e49cefe

SHA512
78e2ebffe552a29f69bfd442559daa55a0a5c509c289c802d9aeccdc5921f988743b74b2e6a0e17942ffca1a477752fd397b09d139a1add449e096e471631ac9

Download Submit
C:\Users\Admin\AppData\Roaming\config.ini

Filesize
83B

MD5
044d9d2ad5c8fb6b5c34947cbf632504

SHA1
df2fe5eeaa2ead9f952eef02851399671eae8f97

SHA256
072cec54545878e36617f5873df20bea2f77cfdb2f33c1ea2e965298bfcc625f

SHA512
d277ac7cc7fae06284c75a913dd03b262ee7fc6555943c6533b2b3697a3389b39626f553f02e802db7574f7b14f6db46600b4921c48e430a109c68c9564132fb

Download Submit
C:\Users\Public\Desktop\爱思助手8.0.lnk

Filesize
2KB

MD5
f58d0871adab16494535594ccbfe0b33

SHA1
9476c966bd3807f306e082f3adec4e6bd747f0e4

SHA256
439917cf08a42852aef6f76670d68f83615dba5a0e4b8f0559cee9c37eade026

SHA512
106dcbe7420925890c94121194f3565cd7a0b76986debf9709736f50c709aa251eaaf68eb05036c989da790dc459740fb3fb84f1db931fa7cc7c57b543f01291

Download Submit
C:\Users\Public\Desktop\爱思助手8.0.lnk~RFe585658.TMP

Filesize
2KB

MD5
dcb5f85e4f58926535e7fe96196198ec

SHA1
5329e188c83b2cbe5f00ed570a0fb6fcded68b1c

SHA256
bd5a427f2cd681134b2d8853b9f11818b007df9c0ca2ff262d53b387a922278c

SHA512
16d062c7caa1780eac015651c7c7a396398da83c2d471c15d8ab5433b127993b5847f1587b0ec80d33bc29adcf513bc01fb463ce37f3071c9f490102e19e3939

Download Submit
C:\Windows\Installer\MSI38E5.tmp

Filesize
399KB

MD5
17209841138816c79e9d11c0d61ecba1

SHA1
362a1bbb99d2900b3b4abae1f3ac848d7adb76eb

SHA256
d695712b3d54481af4c01bf7604443c7ac9ee5728671049562de35b76fae0a19

SHA512
a0ecc7a2d8102d05b10cab4064469176879340aea99dbb05e77777755fb2eb87abef00e7cb6148a83e0411d22916f1453789acdb3babe367d25a253d8fafd95d

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
467a7d965e7c4d9e3196d08ec7c8095c

SHA1
b8e36f6b3d55bd404aa1986671c10ec5583f7e75

SHA256
7c63ae3a18ad95060435c9a6c72d87731367f22f71e3bbb95c98fd2a7f8732d7

SHA512
2bedcab1d5b7c94cdb38095b2158187bc7cfc92cf2b628de63e064ad40831798a6a7399386fa9073bdfe77d82ca3b1302030c78fb4a3dee897c3c346ddd97f87

Download Submit
\??\Volume{f9c79713-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{eea60a7e-8049-4902-a1d1-ffffe1cc1bda}_OnDiskSnapshotProp

Filesize
6KB

MD5
cadd7f1d7d5429c68b18bc5631048a30

SHA1
4af5f5afc855e2f3da00c6185c854029421e708d

SHA256
40cd5697585e4183d33b3f7e36a836760546fc832c7c751cafeaf90fe246a6ce

SHA512
871d3d47ecd43920c91f103db577f85820fc6f38d7988413eda1f3d8e5d694e9ade02574de4b78d561e37eddc74e57390358aa3a7048c5df2a88c4e5ff3cafaf

Download Submit
memory/312-964-0x00000000050F0000-0x0000000005312000-memory.dmp

Filesize
2.1MB

Download
memory/312-963-0x00000000050F0000-0x0000000005312000-memory.dmp

Filesize
2.1MB

Download
memory/312-830-0x00000000030D0000-0x00000000030D1000-memory.dmp

Filesize
4KB

Download
memory/312-832-0x00000000030F0000-0x00000000030F1000-memory.dmp

Filesize
4KB

Download
memory/312-1006-0x0000000004160000-0x00000000042B8000-memory.dmp

Filesize
1.3MB

Download
memory/312-1003-0x0000000004160000-0x00000000042B8000-memory.dmp

Filesize
1.3MB

Download
memory/312-988-0x0000000004160000-0x00000000042B8000-memory.dmp

Filesize
1.3MB

Download
memory/312-834-0x0000000003130000-0x0000000003131000-memory.dmp

Filesize
4KB

Download
memory/312-975-0x0000000006EA0000-0x0000000006EC7000-memory.dmp

Filesize
156KB

Download
memory/312-838-0x0000000010000000-0x0000000011C53000-memory.dmp

Filesize
28.3MB

Download
memory/312-837-0x0000000003160000-0x0000000003161000-memory.dmp

Filesize
4KB

Download
memory/312-836-0x0000000003150000-0x0000000003151000-memory.dmp

Filesize
4KB

Download
memory/312-945-0x0000000003630000-0x0000000003F45000-memory.dmp

Filesize
9.1MB

Download
memory/312-948-0x0000000003630000-0x0000000003F45000-memory.dmp

Filesize
9.1MB

Download
memory/312-835-0x0000000003140000-0x0000000003141000-memory.dmp

Filesize
4KB

Download
memory/312-954-0x00000000050F0000-0x0000000005312000-memory.dmp

Filesize
2.1MB

Download
memory/312-956-0x00000000050F0000-0x0000000005312000-memory.dmp

Filesize
2.1MB

Download
memory/312-957-0x00000000050F0000-0x0000000005312000-memory.dmp

Filesize
2.1MB

Download
memory/312-958-0x00000000050F0000-0x0000000005312000-memory.dmp

Filesize
2.1MB

Download
memory/312-959-0x00000000050F0000-0x0000000005312000-memory.dmp

Filesize
2.1MB

Download
memory/312-960-0x00000000050F0000-0x0000000005312000-memory.dmp

Filesize
2.1MB

Download
memory/312-961-0x00000000050F0000-0x0000000005312000-memory.dmp

Filesize
2.1MB

Download
memory/312-962-0x00000000050F0000-0x0000000005312000-memory.dmp

Filesize
2.1MB

Download
memory/312-831-0x00000000030E0000-0x00000000030E1000-memory.dmp

Filesize
4KB

Download
memory/312-965-0x00000000050F0000-0x0000000005312000-memory.dmp

Filesize
2.1MB

Download
memory/312-967-0x00000000050F0000-0x0000000005312000-memory.dmp

Filesize
2.1MB

Download
memory/312-969-0x00000000050F0000-0x0000000005312000-memory.dmp

Filesize
2.1MB

Download
memory/312-971-0x00000000050F0000-0x0000000005312000-memory.dmp

Filesize
2.1MB

Download
memory/312-973-0x0000000004160000-0x00000000042B8000-memory.dmp

Filesize
1.3MB

Download
memory/312-972-0x00000000050F0000-0x0000000005312000-memory.dmp

Filesize
2.1MB

Download
memory/312-970-0x00000000050F0000-0x0000000005312000-memory.dmp

Filesize
2.1MB

Download
memory/312-968-0x00000000050F0000-0x0000000005312000-memory.dmp

Filesize
2.1MB

Download
memory/312-966-0x00000000050F0000-0x0000000005312000-memory.dmp

Filesize
2.1MB

Download
memory/312-833-0x0000000003120000-0x0000000003121000-memory.dmp

Filesize
4KB

Download
memory/312-955-0x00000000050F0000-0x0000000005312000-memory.dmp

Filesize
2.1MB

Download
memory/1904-985-0x00007FF8FE5B0000-0x00007FF8FE9A0000-memory.dmp

Filesize
3.9MB

Download
memory/1904-986-0x00007FF8FE5B0000-0x00007FF8FE9A0000-memory.dmp

Filesize
3.9MB

Download
memory/2120-983-0x00007FF8FE5B0000-0x00007FF8FE9A0000-memory.dmp

Filesize
3.9MB

Download
memory/2120-984-0x00007FF8FE5B0000-0x00007FF8FE9A0000-memory.dmp

Filesize
3.9MB

Download
memory/2400-992-0x00007FF8FE5B0000-0x00007FF8FE9A0000-memory.dmp

Filesize
3.9MB

Download
memory/2400-991-0x00007FF8FE5B0000-0x00007FF8FE9A0000-memory.dmp

Filesize
3.9MB

Download
memory/5100-877-0x00007FF7E38F0000-0x00007FF7E465A000-memory.dmp

Filesize
13.4MB

Download
memory/5100-873-0x00007FF8FE5B0000-0x00007FF8FE9A0000-memory.dmp

Filesize
3.9MB

Download
memory/5100-874-0x00007FF8FE9A0000-0x00007FF8FEEDD000-memory.dmp

Filesize
5.2MB

Download
memory/5100-1002-0x000000006AC00000-0x000000006B626000-memory.dmp

Filesize
10.1MB

Download
memory/5100-875-0x00007FF7E38F0000-0x00007FF7E465A000-memory.dmp

Filesize
13.4MB

Download
memory/5100-876-0x00007FF8FE5B0000-0x00007FF8FE9A0000-memory.dmp

Filesize
3.9MB

Download
memory/5100-1013-0x000000006AC00000-0x000000006B626000-memory.dmp

Filesize
10.1MB

Download