blackmoon | a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
26/11/2024, 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Size

55.3MB
MD5

2fa4f19f9fb9e7a71d85aaf34d318178
SHA1

2061483db691163ca0b1d04667d64e37af4c2fe0
SHA256

a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769
SHA512

a311d5ba3369540927b93fca95331d0783a8c526f2df59bd4726dcb3f174311447d00f70d52d22f3d2b6fde2d599a403cf44558a578fa34cb965fdb1fbfd965e
SSDEEP

1572864:uK9/hb6GmIcUGtvclhGSjkcrABpYhpeWeiTjz:uAheec1tvclsSjsBuhpeJujz

Score

10^/10

blackmoon banker discovery evasion trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral1/memory/552-968-0x00000000028F0000-0x0000000002F32000-memory.dmp	family_blackmoon
behavioral1/memory/552-990-0x00000000028F0000-0x0000000002F32000-memory.dmp	family_blackmoon
behavioral1/memory/552-967-0x00000000028F0000-0x0000000002F32000-memory.dmp	family_blackmoon

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	MsiExec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	MsiExec.exe

Executes dropped EXE 6 IoCs

pid	Process
1016	MSI293F.tmp
1332	e8a0d5af432b7e64DBD.exe
2136	e8a0d5af432b7e64DBD.exe
1108	e8a0d5af432b7e64DBD.exe
552	Bor32-update-flase.exe
2876	Haloonoroff.exe

Loads dropped DLL 42 IoCs

pid	Process
1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2556	MsiExec.exe
2664	MsiExec.exe
2664	MsiExec.exe
2664	MsiExec.exe
2664	MsiExec.exe
2664	MsiExec.exe
2664	MsiExec.exe
2664	MsiExec.exe
1016	MSI293F.tmp
1016	MSI293F.tmp
1016	MSI293F.tmp
1016	MSI293F.tmp
1016	MSI293F.tmp
1332	e8a0d5af432b7e64DBD.exe
1016	MSI293F.tmp
1016	MSI293F.tmp
1016	MSI293F.tmp
2136	e8a0d5af432b7e64DBD.exe
1016	MSI293F.tmp
1016	MSI293F.tmp
1016	MSI293F.tmp
1108	e8a0d5af432b7e64DBD.exe
2556	MsiExec.exe
2556	MsiExec.exe
552	Bor32-update-flase.exe
552	Bor32-update-flase.exe
552	Bor32-update-flase.exe
552	Bor32-update-flase.exe
552	Bor32-update-flase.exe
552	Bor32-update-flase.exe
552	Bor32-update-flase.exe
552	Bor32-update-flase.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	2852	msiexec.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\O:	Haloonoroff.exe
File opened (read-only)	\??\Z:	Haloonoroff.exe
File opened (read-only)	\??\M:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\Z:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	Haloonoroff.exe
File opened (read-only)	\??\H:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\I:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\P:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\M:	Haloonoroff.exe
File opened (read-only)	\??\T:	Haloonoroff.exe
File opened (read-only)	\??\L:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\L:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\O:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\B:	Haloonoroff.exe
File opened (read-only)	\??\L:	Haloonoroff.exe
File opened (read-only)	\??\N:	Haloonoroff.exe
File opened (read-only)	\??\P:	Haloonoroff.exe
File opened (read-only)	\??\T:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\U:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\U:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\V:	Haloonoroff.exe
File opened (read-only)	\??\U:	Haloonoroff.exe
File opened (read-only)	\??\I:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\R:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\X:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\R:	Haloonoroff.exe
File opened (read-only)	\??\K:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\Y:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\Y:	Haloonoroff.exe
File opened (read-only)	\??\G:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	Haloonoroff.exe
File opened (read-only)	\??\Q:	Haloonoroff.exe
File opened (read-only)	\??\N:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\A:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	Haloonoroff.exe
File opened (read-only)	\??\J:	Haloonoroff.exe
File opened (read-only)	\??\B:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\E:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\Q:	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\libjyy.dll	MsiExec.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/552-963-0x0000000010000000-0x0000000010021000-memory.dmp	upx
behavioral1/memory/552-964-0x00000000028F0000-0x0000000002F32000-memory.dmp	upx
behavioral1/memory/552-968-0x00000000028F0000-0x0000000002F32000-memory.dmp	upx
behavioral1/memory/552-990-0x00000000028F0000-0x0000000002F32000-memory.dmp	upx
behavioral1/memory/552-991-0x0000000000730000-0x000000000073B000-memory.dmp	upx
behavioral1/memory/552-967-0x00000000028F0000-0x0000000002F32000-memory.dmp	upx
behavioral1/memory/552-1017-0x0000000010000000-0x0000000010021000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DnLIMGKCARTO\Sites64.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\SpeedupOpt.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\swverify64.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\DnLIMGKCARTO\yybob\FLIEAC	e8a0d5af432b7e64DBD.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\NetmLogin.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\np360SoftMgr.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\DnLIMGKCARTO\yybob\HipsdiaMain.dll	e8a0d5af432b7e64DBD.exe
File opened for modification	C:\Program Files (x86)\DnLIMGKCARTO\yybob\TDPINFO.dll	e8a0d5af432b7e64DBD.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\QKFJSGCGWGRQ	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\SpeedldSetting.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\TrashClean.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\WdHPFileSafe64.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp120.dll	e8a0d5af432b7e64DBD.exe
File opened for modification	C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp140_1.dll	e8a0d5af432b7e64DBD.exe
File opened for modification	C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcr110.dll	e8a0d5af432b7e64DBD.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcr120.dll	e8a0d5af432b7e64DBD.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\pluginmgr.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\safe505.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\SMLLauncher.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\SomPlugin.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp140_2.dll	e8a0d5af432b7e64DBD.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\NetmTray64.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\SafeInstallSandbox.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\7z.dll	MsiExec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\yybob\libcurl.dll	e8a0d5af432b7e64DBD.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\yybob\QMEventBus.dll	e8a0d5af432b7e64DBD.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\TroPox-E_Plus	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\safemon64.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\SomProxy.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\webprotect.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcr110.dll	e8a0d5af432b7e64DBD.exe
File opened for modification	C:\Program Files (x86)\DnLIMGKCARTO\yybob\QMEventBus.dll	e8a0d5af432b7e64DBD.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\StartSD.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\svcMonitor.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\vccorlib140.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	e8a0d5af432b7e64DBD.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\safemonhlp.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\yybob\TDPCONTROL.dll	e8a0d5af432b7e64DBD.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\ntvbld.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\NewKernel.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\sysoptm.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\24c6269477f0.JFU	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\WindowInjection.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\SafeInstallSandbox64.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\yybob\vcruntime140.dll	e8a0d5af432b7e64DBD.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\TroPox-Z_Plus	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\wdres.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\DnLIMGKCARTO\yybob\msvcp110.dll	e8a0d5af432b7e64DBD.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\zeropmgr.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\sbmon.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\wdexhelperx64.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\wuhelp64.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\yhregd.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\wddisam.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\wdui3.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe	MsiExec.exe
File opened for modification	C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe	e8a0d5af432b7e64DBD.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\mobileflux.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\mcommu.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\SomAdvUtils.dll	msiexec.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\uniconft.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\DnLIMGKCARTO\yybob\QMDns.dll	e8a0d5af432b7e64DBD.exe
File opened for modification	C:\Program Files (x86)\DnLIMGKCARTO\yybob\TDPSTAT.dll	e8a0d5af432b7e64DBD.exe
File created	C:\Program Files (x86)\DnLIMGKCARTO\settingcentercfg.dll	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI1972.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B48.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1664.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI16C3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1A0F.tmp	msiexec.exe
File created	C:\Windows\Installer\f76fc5a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI244F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI293F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76fc5a.ipi	msiexec.exe
File created	C:\Windows\Installer\f76fc59.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1598.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI14DC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76fc59.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI293F.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8a0d5af432b7e64DBD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8a0d5af432b7e64DBD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e8a0d5af432b7e64DBD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bor32-update-flase.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Haloonoroff.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Haloonoroff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Haloonoroff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	Haloonoroff.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Haloonoroff.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Haloonoroff.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2556	MsiExec.exe
2556	MsiExec.exe
2852	msiexec.exe
2852	msiexec.exe
552	Bor32-update-flase.exe
552	Bor32-update-flase.exe
552	Bor32-update-flase.exe
552	Bor32-update-flase.exe
552	Bor32-update-flase.exe
552	Bor32-update-flase.exe
552	Bor32-update-flase.exe
552	Bor32-update-flase.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe
2876	Haloonoroff.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2876	Haloonoroff.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2852	msiexec.exe
Token: SeTakeOwnershipPrivilege	2852	msiexec.exe
Token: SeSecurityPrivilege	2852	msiexec.exe
Token: SeCreateTokenPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeAssignPrimaryTokenPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeLockMemoryPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeIncreaseQuotaPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeMachineAccountPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeTcbPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeSecurityPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeTakeOwnershipPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeLoadDriverPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeSystemProfilePrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeSystemtimePrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeProfSingleProcessPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeIncBasePriorityPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeCreatePagefilePrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeCreatePermanentPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeBackupPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeRestorePrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeShutdownPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeDebugPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeAuditPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeSystemEnvironmentPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeChangeNotifyPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeRemoteShutdownPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeUndockPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeSyncAgentPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeEnableDelegationPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeManageVolumePrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeImpersonatePrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeCreateGlobalPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeCreateTokenPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeAssignPrimaryTokenPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeLockMemoryPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeIncreaseQuotaPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeMachineAccountPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeTcbPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeSecurityPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeTakeOwnershipPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeLoadDriverPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeSystemProfilePrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeSystemtimePrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeProfSingleProcessPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeIncBasePriorityPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeCreatePagefilePrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeCreatePermanentPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeBackupPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeRestorePrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeShutdownPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeDebugPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeAuditPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeSystemEnvironmentPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeChangeNotifyPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeRemoteShutdownPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeUndockPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeSyncAgentPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeEnableDelegationPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeManageVolumePrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeImpersonatePrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeCreateGlobalPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeCreateTokenPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeAssignPrimaryTokenPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
Token: SeLockMemoryPrivilege	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2876	Haloonoroff.exe

Suspicious use of WriteProcessMemory 38 IoCs

description	pid	Process	procid_target
PID 2852 wrote to memory of 2556	2852	msiexec.exe	32
PID 2852 wrote to memory of 2556	2852	msiexec.exe	32
PID 2852 wrote to memory of 2556	2852	msiexec.exe	32
PID 2852 wrote to memory of 2556	2852	msiexec.exe	32
PID 2852 wrote to memory of 2556	2852	msiexec.exe	32
PID 2852 wrote to memory of 2556	2852	msiexec.exe	32
PID 2852 wrote to memory of 2556	2852	msiexec.exe	32
PID 1916 wrote to memory of 2448	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe	33
PID 1916 wrote to memory of 2448	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe	33
PID 1916 wrote to memory of 2448	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe	33
PID 1916 wrote to memory of 2448	1916	a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe	33
PID 2852 wrote to memory of 2664	2852	msiexec.exe	34
PID 2852 wrote to memory of 2664	2852	msiexec.exe	34
PID 2852 wrote to memory of 2664	2852	msiexec.exe	34
PID 2852 wrote to memory of 2664	2852	msiexec.exe	34
PID 2852 wrote to memory of 2664	2852	msiexec.exe	34
PID 2852 wrote to memory of 2664	2852	msiexec.exe	34
PID 2852 wrote to memory of 2664	2852	msiexec.exe	34
PID 2852 wrote to memory of 1016	2852	msiexec.exe	35
PID 2852 wrote to memory of 1016	2852	msiexec.exe	35
PID 2852 wrote to memory of 1016	2852	msiexec.exe	35
PID 2852 wrote to memory of 1016	2852	msiexec.exe	35
PID 1016 wrote to memory of 1332	1016	MSI293F.tmp	36
PID 1016 wrote to memory of 1332	1016	MSI293F.tmp	36
PID 1016 wrote to memory of 1332	1016	MSI293F.tmp	36
PID 1016 wrote to memory of 1332	1016	MSI293F.tmp	36
PID 1016 wrote to memory of 2136	1016	MSI293F.tmp	38
PID 1016 wrote to memory of 2136	1016	MSI293F.tmp	38
PID 1016 wrote to memory of 2136	1016	MSI293F.tmp	38
PID 1016 wrote to memory of 2136	1016	MSI293F.tmp	38
PID 1016 wrote to memory of 1108	1016	MSI293F.tmp	40
PID 1016 wrote to memory of 1108	1016	MSI293F.tmp	40
PID 1016 wrote to memory of 1108	1016	MSI293F.tmp	40
PID 1016 wrote to memory of 1108	1016	MSI293F.tmp	40
PID 552 wrote to memory of 2876	552	Bor32-update-flase.exe	43
PID 552 wrote to memory of 2876	552	Bor32-update-flase.exe	43
PID 552 wrote to memory of 2876	552	Bor32-update-flase.exe	43
PID 552 wrote to memory of 2876	552	Bor32-update-flase.exe	43

C:\Users\Admin\AppData\Local\Temp\a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
"C:\Users\Admin\AppData\Local\Temp\a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Users\Admin\AppData\Local\Temp\a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe
  "C:\Users\Admin\AppData\Local\Temp\a1eb610f5e8e7ace99090f6b84a63881bee52e3830b19a29562f5dfd26130769.exe" /i "C:\Program Files (x86)\WindowsInstallerFQ\DAN_127.msi" AI_EUIMSI=1 APPDIR="C:\Program Files (x86)\DnLIMGKCARTO" SECONDSEQUENCE="1" CLIENTPROCESSID="1916" AI_MORE_CMD_LINE=1
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  PID:2448

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2852
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 86FCAD15567D7EC259C1C9F3528CC0D9 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2556
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E9D0F478A376855F6EF8292EDC8124D7
  2⤵
  - UAC bypass
  - Loads dropped DLL
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2664
- C:\Windows\Installer\MSI293F.tmp
  "C:\Windows\Installer\MSI293F.tmp"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
    "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\24c6269477f0.JFU" -o"C:\Users\Admin\AppData\Roaming\446CA47456B44BCE86D0354B25ADE090" -pe6ab90d5741a3329XSJ -aos -y
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1332
- - C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
    "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\408dd7481cc3.KWR" -o"C:\Program Files (x86)\DnLIMGKCARTO" -pd90abf5032721ffaBCX -aos -y
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    PID:2136
- - C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe
    "C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe" x "C:\Program Files (x86)\DnLIMGKCARTO\7c24ad187eeb.NUX" -o"C:\Users\Admin\AppData\Roaming" -p5ccac7f27f4c789fFPK -aos -y
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1108

C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe
"C:\Program Files (x86)\DnLIMGKCARTO\yybob\Bor32-update-flase.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:552
- C:\Users\Admin\AppData\Roaming\446CA47456B44BCE86D0354B25ADE090\VGX\Haloonoroff.exe
  "C:\Users\Admin\AppData\Roaming\446CA47456B44BCE86D0354B25ADE090\VGX\Haloonoroff.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76fc5b.rbs

Filesize
227KB

MD5
4b3b8848490728e05d292828dcfe1f9e

SHA1
4588aa1d030a0ad88d11db922a5c6b6d43db33df

SHA256
6804ed088c60bf8f2d217b3ee18c5f337c6546a679c4b73ad4e97a6610b64451

SHA512
53fb3c6561fb4b29a9be4cf3c3ac6ad36081a7ac1613b0a36b55b4ae7ae3187e7fbdca09ef253766ee92a56d3a35e6371956b8602e3739896a2c06b6308dc832

Download Submit
C:\Program Files (x86)\DnLIMGKCARTO\24c6269477f0.JFU

Filesize
11.3MB

MD5
c66828d973e515acb0060cb60920de00

SHA1
17bc290b5840ff65d84e5c02183a9b2312ed9e68

SHA256
3f2d82c5582eb1be20f8d65708f19d51eca328ef675c999a84f1ca885c0ae917

SHA512
6a812dd495a237c65054c87f141dd76a5892f2bb2ea2488ee96d6b798f957492370765513baa39451ab72bf0145c3adc90a3354bc2925a1959fb20e9bc66ecde

Download Submit
C:\Program Files (x86)\DnLIMGKCARTO\408dd7481cc3.KWR

Filesize
4.6MB

MD5
190da843146c5269f9d8ec94ac1ffd38

SHA1
fa6e5aecaecfaa43e634962956220b6fdab3c12e

SHA256
f4e70d98f1de3e136172bc919e1657dea4f53b0703c07b7242f8021ce2243800

SHA512
2d831315941441ab9872e376cd205778526ba1a86845db4d4caaf278e0ec5dc8980c478dc2e15dad57611f3d0ba89109398bc3eec1143def02a49e5be3064e7d

Download Submit
C:\Program Files (x86)\DnLIMGKCARTO\7z.dll

Filesize
1.3MB

MD5
292575b19c7e7db6f1dbc8e4d6fdfedb

SHA1
7dbcd6d0483adb804ade8b2d23748a3e69197a5b

SHA256
9036b502b65379d0fe2c3204d6954e2bb322427edeefab85ecf8e98019cbc590

SHA512
d4af90688d412bd497b8885e154ee428af66119d62faf73d90adffc3eef086cf3a25b0380ec6fdc8a3d2f7c7048050ef57fcea33229a615c5dcda8b7022fa237

Download Submit
C:\Program Files (x86)\DnLIMGKCARTO\QKFJSGCGWGRQ

Filesize
177B

MD5
eab9552fb070d7c48b31fe6a7a9cb0b3

SHA1
a8f7e04f0c10082a3a66a6d8ad3bf7815d51744b

SHA256
edc57321d853b03cdffc2f4021834b57bccb4080d477f5499b01255b5ce8bca3

SHA512
800d26529897047a7b584f3219ca56af9ade591949ce8f2504d25bde4595515413454a597f9c3a5496d57c3eab3d514b871021a3b709908002afbadb68a1fc60

Download Submit
C:\Program Files (x86)\DnLIMGKCARTO\TroPox-B_Plus

Filesize
694KB

MD5
c4a08b391245561157aefd0fe7c40a11

SHA1
28d15d43a1bdebc83701afd89e6ea9c24f90db33

SHA256
53d7c8f2fd109e85fc9302b7424875bad22a148d6edc6c7fd8e4589e97259bfa

SHA512
24c7608346b76694bf9d8227ff6a794b26d73c0da93fd231a2331cd371acc86f293fb9093850f5513dfbe1d269114a56f47dcadba11bd98c691ab38472a6ccc6

Download Submit
C:\Program Files (x86)\DnLIMGKCARTO\TroPox-E_Plus

Filesize
53KB

MD5
1999663102e57d49faceab3360cefe8a

SHA1
32f38d84ed4b762213b0beabed0f22e727988a20

SHA256
4daca1889e9ca478550d22dca129e68f4d808c5f91cd1a069c9e0015b2d611f7

SHA512
eded16f83960f9ec438ef08be7092cc07418bd98a6400f9212be2a92c04399b347ba0edfb5f0cafb1bbb23b2a7b4ecdd425a695c70851aba42bb1031e91a061a

Download Submit
C:\Program Files (x86)\DnLIMGKCARTO\TroPox-Z_Plus

Filesize
1.3MB

MD5
c77ee913c46510a705a9dddd91de8302

SHA1
cb5e045fa27186b9f23e4919590387478b9343d5

SHA256
092689651db7b81a6816b1f78f8cf81476945d493e9566762f5791adfc5bda31

SHA512
a6c080d04c92efbf8a1a4a1d1423837b1282e4cfc0e77d9da4bc9f78e235aa6cd8ae3468b588fd9d35ba656a7a1b27aae805662eb6c84b053d0149855f4a6514

Download Submit
C:\Program Files (x86)\DnLIMGKCARTO\e8a0d5af432b7e64DBD.exe

Filesize
694KB

MD5
fae7d0a530279838c8a5731b086a081b

SHA1
6ee61ea6e44bc43a9ed78b0d92f0dbe2c91fc48b

SHA256
eea393bc31ae7a7da3dba99a60d8c3ffccbc5b9063cc2a70111de5a6c7113439

SHA512
e75c8592137edd3b74b6d8388a446d5d2739559b707c9f3db0c78e5c30312f9fccd9bbb727b7334114e8edcbb2418bdc3b4c00a3a634af339c9d4156c47314b4

Download Submit
C:\Program Files (x86)\WindowsInstallerFQ\DAN_127.msi

Filesize
3.4MB

MD5
1710ca6f5df19a22d1567959de401886

SHA1
1c0788860a40e4ae60b0afb8589c5b2083b2cca2

SHA256
826ab605e90d51a715c05d91dd249958d56be5b053b8b9bab1f61480c506c3f1

SHA512
ae33b8131db853b48c34877b977d47f701cf99daca8faadbda703e97857aa1ac557d199ce3a1dc10e3115affd5603eb1e5468cd7d31a1b59745726ade6870875

Download Submit
C:\Program Files (x86)\WindowsInstallerFQ\DAN_1271.cab

Filesize
48.8MB

MD5
e2ee5973ceeaeec5837de3c99d4933bd

SHA1
58725c93c676fffc44a59f74c8c7f9942a52b2ff

SHA256
8404ba9f3312b0d92bd64cfb92a7b3ccd2b2d4358a5f4be6ac008ecb4416253c

SHA512
ba41beb1ab9d7a8fc947584ad4f4ef371706e96c7c8fb856820f1cc1811f2bc7aa33bc891214684e885eca0825a817692c5bca6176d98de3f93cc2456970ae01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e1ec9b818c82a4d7a5f4488a38b6af35

SHA1
931b17b0cbb02060c825011835aeed1834579736

SHA256
b087b8b71a4be587a1c639c021852810b983061ec3cca7667ee313a58550a5ea

SHA512
ff1686895ebc03cdcb6016d7044f47b8e0246ec24e6070a09bcd6c664c8e87b1ecb34894b0f3010dcbd24acf9401c99948222d23755a8252f6e6e1d5af106318

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
837ef87f7775be06a709d79d8e8ea724

SHA1
a69037f77a913f1ee8ee66f44d48a0dc43f59173

SHA256
f95f87b10ecd3516d178a8775d0af4aee049f5369d2b7e72ca290537cf502863

SHA512
8595cefc16b88cf45f32e634fda5594fade840c445ba4b116740d74d3a1163e35842788aef95701c8c8d1a05732ea850e91fda39910a52432905851cc7ced0ba

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6627be3e20a59ade4c1add8b\1.1.6\tracking.ini

Filesize
69B

MD5
168db06a111d6f4a938c721a58367e36

SHA1
5955ccca48ed11a2c18f15c4d6be98989dbd9090

SHA256
a14062d2a6ae5b74cc7c0fa2b9dbae7bb40c2d3b12dfd0c1c386a0d73aa45ffd

SHA512
e5a8aa81d257ec5ead8a0bbc9b6fd840d595e3f665a339c87ff00f83342e0801e271373b6e0a362d63884f81bc7ad9b967b00f172a96d84e63468114a2420a1f

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6627be3e20a59ade4c1add8b\1.1.6\tracking.ini

Filesize
85B

MD5
c5dba15a643add464271c4bb92200e7f

SHA1
02c47d3911940e95399f585ab0404c010e9debea

SHA256
138d1ce8d3238db4bf99334cfa7f0c28230b28794cd3fdf49b6a07cf93017bbf

SHA512
27b7b75afa23fbdec60d0d7af74da1189d5cd0155a47b96c7eea43ac10ce74c074175e5ffae7ed3fc044de4397b01e2dbd7ccab6a05f05a49c541f84a96d3322

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6627be3e20a59ade4c1add8b\1.1.6\{CD4CD076-321B-4627-991A-7762D885E1BA}.session

Filesize
7KB

MD5
f4d83c65e4c2d79ef7da25109d1b11ed

SHA1
a80391303fb4a956d3f0a9de93e81e1040270a77

SHA256
93cf4f52ff8a82d2abf07d67da1573de8eb5c7d7ba1894d9ea2d74edfd20f32c

SHA512
94423813490a36087217c67144f74e3ca163c61d346b48c9191a5e1fb7c77838fd8797e4832471830784e5fb81f1e7197d025da88da75b113f0b2302b39cc3ee

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6627be3e20a59ade4c1add8b\1.1.6\{CD4CD076-321B-4627-991A-7762D885E1BA}.session

Filesize
5KB

MD5
7e9922e91f549412b1f210512a43348f

SHA1
1c4114fb80500b1603db9a2bb288910b34973a95

SHA256
4bf4e775c28821e029d060d1e4d6b4b69c3636425a35b26934f45461b7e2d6e9

SHA512
45a63fbde33479f20227cc0a9cc44adf4399c59618955b15d13abaf47bb979e3eebf03629317fa91dbc0b90a087cf6b876e5b9d0f0334c66a432c3d1d55bcf4b

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\6627be3e20a59ade4c1add8b\1.1.6\{CD4CD076-321B-4627-991A-7762D885E1BA}.session

Filesize
19KB

MD5
557da079d3a1ad9b9138991e7f1a2ea3

SHA1
11cec17a92eb9eb3aabd2af43331c359cfb7cf61

SHA256
5bacaee7ef3f6b0748bc99ee608777cc427d1609c114ab4f7170b53ea9901435

SHA512
66f819c0a016e20307b7613ab822a1335868657176b0743584c6cdcf7d1aca21d61aa6fbe2702540c5a9e688e8709605b7eface0a22379394303978fe3269713

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1916\blue.jpg

Filesize
7KB

MD5
6f1b5342d1b781596a4fec79112dcb0c

SHA1
08bdedc9f65fc3a5f6d13d3ef0502769abe4bd05

SHA256
3986699b9b4be2f8c1747a37e74943f78870623701f08c90caa007b4de17924c

SHA512
fae8a651e1daf872a24fae87d477f286cad599dc232a716dbbad7f091236da80c71c30b990b6e2f4ff7e06d4414876db756b452272a9a3e4b3ec1bc32b9e30d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1916\externalui.ico

Filesize
14KB

MD5
235e54eb7acea02dc322f4065498165d

SHA1
ad825997ec58a33a164b471fe3bd4b7c74614d9a

SHA256
b294edf73cc936610cc81bca6b95d1c7d6091595ec074c6b334eca45d2dc354f

SHA512
5ac20371fd09e6a1f8c134fb24c045c36d835544d04e681fb6a51adff12a6bf8225c53d865b601ea5452024abe7c02204a759b317d7410cf59f66adfbe089d5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1916\three_colors.jpg

Filesize
25KB

MD5
718cafa7e04a8d4d98116bcb4c377d7f

SHA1
38a1eac1e72997ffa9fb01bde2540b18f046a3f5

SHA256
fbe48ba8af8cc23a66906a1e94ac10d86ce91b86a18531ce1c96d6061387c2b5

SHA512
0feceb6c7ac536b985198c63008668424da51e628656706de30e472daea49380f5d25187a268e8bf2e3740aab6a8ed1171ec4e2c6a69699bab7db5b619cb36eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF1C0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF38C.tmp

Filesize
550KB

MD5
0dd1f1ff906c4d1fc7ad962e994cad7f

SHA1
4d1549cf7ef6a63baf83280143d7797d4df4fa2d

SHA256
140f578569adbf831f87275091af9ca200ed8b2453cbe729a0249b9b6f6b4588

SHA512
8d5622bb299bf6bebf3eaa266a9fcbbc953a729e9d9ca20f8f358d7a14599d0a017feef58aa8d3aadc075c6211478bbac2d38e38e36e34096d4dceb51ffd00cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIF448.tmp

Filesize
927KB

MD5
8c98fc0407681eac7fd69ea06dbf29ea

SHA1
109c8e1bcf375f6fdcfa5b00f02e092e0678595b

SHA256
b4c7b684ddceec5d4a809d8a7f4b8d2cf87e5b866e0d83f389018f423295ec4e

SHA512
0a24d27b7982f314047977d4d219f53d7f4cbeda9a2e72e4d328604e1fa183bfa670f0391cc70a5888e5c0747177b7ae5a1298e8f884fd8fd8515ea2ff9683d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF250.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\446CA47456B44BCE86D0354B25ADE090\VGX\plugins\Microsoft.VC80.ATL.manifest

Filesize
376B

MD5
0bc6649277383985213ae31dbf1f031c

SHA1
7095f33dd568291d75284f1f8e48c45c14974588

SHA256
c06fa0f404df8b4bb365d864e613a151d0f86deef03e86019a068ed89fd05158

SHA512
6cb2008b46efef5af8dd2b2efcf203917a6738354a9a925b9593406192e635c84c6d0bea5d68bde324c421d2eba79b891538f6f2f2514846b9db70c312421d06

Download Submit
C:\Users\Admin\AppData\Roaming\446CA47456B44BCE86D0354B25ADE090\VGX\plugins\Microsoft.VC80.CRT.manifest

Filesize
314B

MD5
710c54c37d7ec902a5d3cdd5a4cf6ab5

SHA1
9e291d80a8707c81e644354a1e378aeca295d4c7

SHA256
ef893cb48c0ebe25465fbc05c055a42554452139b4ec78e25ec43237d0b53f80

SHA512
4d2ec03ff54a3bf129fb762fc64a910d0e104cd826acd4ab84ed191e6cc6a0fec3627e494c44d91b09feba5539ad7725f18158755d6b0016a50de9d29891c7e5

Download Submit
C:\Users\Admin\AppData\Roaming\446CA47456B44BCE86D0354B25ADE090\VGX\plugins\version

Filesize
4B

MD5
f1d3ff8443297732862df21dc4e57262

SHA1
9069ca78e7450a285173431b3e52c5c25299e473

SHA256
df3f619804a92fdb4057192dc43dd748ea778adc52bc498ce80524c014b81119

SHA512
ec2d57691d9b2d40182ac565032054b7d784ba96b18bcb5be0bb4e70e3fb041eff582c8af66ee50256539f2181d7f9e53627c0189da7e75a4d5ef10ea93b20b3

Download Submit
C:\Windows\Installer\MSI16C3.tmp

Filesize
632KB

MD5
9b4b4ea6509e4db1e2a8f09a7c6f8f04

SHA1
512880abe3c9696edb042599bd199f1d05210aa2

SHA256
3774c31039cb87ed0327f49a00abd7b4211ac938a46378b8661cd5d8b3b34f94

SHA512
63b4788a3ad000c08582f55532dc06bf88bc4111837a63e8157e0f5f668225f46758f9481b6e526a5a813f4f0cc9be65fb4107d2135c61083274592af03ba608

Download Submit
C:\Windows\Installer\MSI244F.tmp

Filesize
38KB

MD5
c2b7a27ed1c7d3c27bfe77afa27df236

SHA1
be2751e2e04d3c1daa17952bfbd5304e9a5a7741

SHA256
91ca317876b50d35bf2b8957c5745a13b57620fde5ce49bd5f7f3166c16db0ee

SHA512
649b447058045b0311f458552dfa51ce0086275aa32ff8ef3c6e6e2c25d59b3cddb67cce5b51a4b5df5b76a348c79ce78ec9b5fcaa44f6fe64d6f3af9597c91f

Download Submit
C:\Windows\Installer\MSI293F.tmp

Filesize
171KB

MD5
be4ed0d3aa0b2573927a046620106b13

SHA1
0b81544cd5e66a36d90a033f60a0ece1cd3506a8

SHA256
79bf3258e03fd1acb395dc184fbe5496dfa4b3d6a3f9f4598c5df13422cc600d

SHA512
bd4e0447c47eea3d457b4c0e8264c1a315ee796cf29e721e9e6b7ab396802e3ccc633488f8beeb8d2cf42a300367f76dedda74174c0b687fb8a328d197132753

Download Submit
\Users\Admin\AppData\Local\Temp\INAF35C.tmp

Filesize
803KB

MD5
2e25b7dc66fc65d92c998d6fb1d09ef6

SHA1
719cc9c0bbe12f040e169984851e3abea03d9cf8

SHA256
a01fb6763b11ba0cbf9b26fc8d45e933c2a6ad313bc9b12ed41ac67baf2aa8c2

SHA512
7d4af029a01ce60fc0787599c031c0dbff7069311832a5587f003ea68ef739b22c8b01832e00801b0d17c12983c4d0e7877cde58de371886cfb6be5b490f4c33

Download Submit
\Windows\SysWOW64\libjyy.dll

Filesize
53KB

MD5
8c7f64ab09c9c05d7b98c9f57354d251

SHA1
f346ca309363d57d6f4b58161e892461fa255579

SHA256
2cab655d163cc554cb584766191c53d80a1d8676363c0e6a9c44854fe3faf242

SHA512
789df191a936bd20d9033b0f608717ea33fe2fae8044559f1650cd84b99f4a999b3a5c4287a820c9dda38754ee4addc252480afca876df7cc51f0ff8c6808fb8

Download Submit
memory/552-1010-0x0000000000400000-0x00000000004AF000-memory.dmp

Filesize
700KB

Download
memory/552-1011-0x00000000002C0000-0x00000000003E3000-memory.dmp

Filesize
1.1MB

Download
memory/552-1012-0x000000006B240000-0x000000006B29A000-memory.dmp

Filesize
360KB

Download
memory/552-960-0x00000000002C0000-0x00000000003E3000-memory.dmp

Filesize
1.1MB

Download
memory/552-961-0x0000000000620000-0x000000000072A000-memory.dmp

Filesize
1.0MB

Download
memory/552-962-0x00000000004B0000-0x0000000000515000-memory.dmp

Filesize
404KB

Download
memory/552-963-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/552-964-0x00000000028F0000-0x0000000002F32000-memory.dmp

Filesize
6.3MB

Download
memory/552-968-0x00000000028F0000-0x0000000002F32000-memory.dmp

Filesize
6.3MB

Download
memory/552-990-0x00000000028F0000-0x0000000002F32000-memory.dmp

Filesize
6.3MB

Download
memory/552-991-0x0000000000730000-0x000000000073B000-memory.dmp

Filesize
44KB

Download
memory/552-967-0x00000000028F0000-0x0000000002F32000-memory.dmp

Filesize
6.3MB

Download
memory/552-1013-0x0000000000620000-0x000000000072A000-memory.dmp

Filesize
1.0MB

Download
memory/552-1016-0x0000000073A90000-0x0000000073AA0000-memory.dmp

Filesize
64KB

Download
memory/552-1014-0x00000000004B0000-0x0000000000515000-memory.dmp

Filesize
404KB

Download
memory/552-1017-0x0000000010000000-0x0000000010021000-memory.dmp

Filesize
132KB

Download
memory/1916-0-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1916-336-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/2556-951-0x0000000000210000-0x0000000000212000-memory.dmp

Filesize
8KB

Download
memory/2876-994-0x0000000010000000-0x000000001005D000-memory.dmp

Filesize
372KB

Download
memory/2876-1018-0x0000000000260000-0x000000000028A000-memory.dmp

Filesize
168KB

Download
memory/2876-1019-0x0000000074C20000-0x0000000074C4A000-memory.dmp

Filesize
168KB

Download
memory/2876-1020-0x0000000074B70000-0x0000000074C18000-memory.dmp

Filesize
672KB

Download
memory/2876-1039-0x0000000074C20000-0x0000000074C4A000-memory.dmp

Filesize
168KB

Download
memory/2876-1040-0x0000000074B70000-0x0000000074C18000-memory.dmp

Filesize
672KB

Download