6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70

Resubmissions

27-07-2023 11:12

230727-nbajbsec22 10

27-07-2023 08:08

230727-j1rfxscg7s 10

Analysis

max time kernel
129s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
27-07-2023 11:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70.msi
Size

1.8MB
MD5

247a8cc39384e93d258360a11381000f
SHA1

23893f035f8564dfea5030b9fdd54120d96072bb
SHA256

6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70
SHA512

336eca9569c0072e92ce16743f47ba9d6be06390a196f8e81654d6a42642ff5c99e423bfed00a8396bb0b037d5b54df8c3bde53757646e7e1a204f3be271c998
SSDEEP

24576:ftncpVGP4I9FsEsyt8l+E+s1tB7parWM0+AL5QgZQvUXtAqlU0ZyMRp:epUP59FBJZEH1X1arF0vN/nX

Score

10^/10

discovery

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 4224 created 3564	4224	Autoit3.exe	57
PID 4552 created 2616	4552	AcroRd32.exe	62

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kebbdck.lnk	AcroRd32.exe

Executes dropped EXE 1 IoCs

pid	Process
4224	Autoit3.exe

Loads dropped DLL 2 IoCs

pid	Process
3736	MsiExec.exe
3736	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5132	ICACLS.EXE
1552	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI345A.tmp	msiexec.exe
File created	C:\Windows\Installer\e5813e1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5813e1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI14CB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI346B.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{229FD164-E132-4ADB-8998-1DB40BF25484}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000489fc6cecf0f0900000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000489fc6c0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d012000000000000000032000000ffffffff0000000007000100006809000489fc6c000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01232000000000020ed0d000000ffffffff0000000007000100006809190489fc6c000000000000d0123200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000489fc6c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4412	msiexec.exe
4412	msiexec.exe
4224	Autoit3.exe
4224	Autoit3.exe
4224	Autoit3.exe
4224	Autoit3.exe
4552	AcroRd32.exe
4552	AcroRd32.exe
4552	AcroRd32.exe
4552	AcroRd32.exe
5424	AcroRd32.exe
5424	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4552	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1928	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1928	msiexec.exe
Token: SeSecurityPrivilege	4412	msiexec.exe
Token: SeCreateTokenPrivilege	1928	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1928	msiexec.exe
Token: SeLockMemoryPrivilege	1928	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1928	msiexec.exe
Token: SeMachineAccountPrivilege	1928	msiexec.exe
Token: SeTcbPrivilege	1928	msiexec.exe
Token: SeSecurityPrivilege	1928	msiexec.exe
Token: SeTakeOwnershipPrivilege	1928	msiexec.exe
Token: SeLoadDriverPrivilege	1928	msiexec.exe
Token: SeSystemProfilePrivilege	1928	msiexec.exe
Token: SeSystemtimePrivilege	1928	msiexec.exe
Token: SeProfSingleProcessPrivilege	1928	msiexec.exe
Token: SeIncBasePriorityPrivilege	1928	msiexec.exe
Token: SeCreatePagefilePrivilege	1928	msiexec.exe
Token: SeCreatePermanentPrivilege	1928	msiexec.exe
Token: SeBackupPrivilege	1928	msiexec.exe
Token: SeRestorePrivilege	1928	msiexec.exe
Token: SeShutdownPrivilege	1928	msiexec.exe
Token: SeDebugPrivilege	1928	msiexec.exe
Token: SeAuditPrivilege	1928	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1928	msiexec.exe
Token: SeChangeNotifyPrivilege	1928	msiexec.exe
Token: SeRemoteShutdownPrivilege	1928	msiexec.exe
Token: SeUndockPrivilege	1928	msiexec.exe
Token: SeSyncAgentPrivilege	1928	msiexec.exe
Token: SeEnableDelegationPrivilege	1928	msiexec.exe
Token: SeManageVolumePrivilege	1928	msiexec.exe
Token: SeImpersonatePrivilege	1928	msiexec.exe
Token: SeCreateGlobalPrivilege	1928	msiexec.exe
Token: SeBackupPrivilege	544	vssvc.exe
Token: SeRestorePrivilege	544	vssvc.exe
Token: SeAuditPrivilege	544	vssvc.exe
Token: SeBackupPrivilege	4412	msiexec.exe
Token: SeRestorePrivilege	4412	msiexec.exe
Token: SeRestorePrivilege	4412	msiexec.exe
Token: SeTakeOwnershipPrivilege	4412	msiexec.exe
Token: SeRestorePrivilege	4412	msiexec.exe
Token: SeTakeOwnershipPrivilege	4412	msiexec.exe
Token: SeRestorePrivilege	4412	msiexec.exe
Token: SeTakeOwnershipPrivilege	4412	msiexec.exe
Token: SeRestorePrivilege	4412	msiexec.exe
Token: SeTakeOwnershipPrivilege	4412	msiexec.exe
Token: SeBackupPrivilege	4156	srtasks.exe
Token: SeRestorePrivilege	4156	srtasks.exe
Token: SeSecurityPrivilege	4156	srtasks.exe
Token: SeTakeOwnershipPrivilege	4156	srtasks.exe
Token: SeBackupPrivilege	4156	srtasks.exe
Token: SeRestorePrivilege	4156	srtasks.exe
Token: SeSecurityPrivilege	4156	srtasks.exe
Token: SeTakeOwnershipPrivilege	4156	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1928	msiexec.exe
1928	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 4156	4412	msiexec.exe	97
PID 4412 wrote to memory of 4156	4412	msiexec.exe	97
PID 4412 wrote to memory of 3736	4412	msiexec.exe	99
PID 4412 wrote to memory of 3736	4412	msiexec.exe	99
PID 4412 wrote to memory of 3736	4412	msiexec.exe	99
PID 3736 wrote to memory of 1552	3736	MsiExec.exe	100
PID 3736 wrote to memory of 1552	3736	MsiExec.exe	100
PID 3736 wrote to memory of 1552	3736	MsiExec.exe	100
PID 3736 wrote to memory of 2988	3736	MsiExec.exe	102
PID 3736 wrote to memory of 2988	3736	MsiExec.exe	102
PID 3736 wrote to memory of 2988	3736	MsiExec.exe	102
PID 3736 wrote to memory of 4224	3736	MsiExec.exe	104
PID 3736 wrote to memory of 4224	3736	MsiExec.exe	104
PID 3736 wrote to memory of 4224	3736	MsiExec.exe	104
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106
PID 4224 wrote to memory of 4552	4224	Autoit3.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3564
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  PID:4552

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2616
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5424

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1928

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4156
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F7AF605E0D846032D184546CF97C3607
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3736
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-1554ca25-b22c-4111-8294-45a378067bca\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:1552
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:2988
- - C:\Users\Admin\AppData\Local\Temp\MW-1554ca25-b22c-4111-8294-45a378067bca\files\Autoit3.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-1554ca25-b22c-4111-8294-45a378067bca\files\Autoit3.exe" UGtZgHHT.au3
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4224
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-1554ca25-b22c-4111-8294-45a378067bca\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:5132

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\kbdcbke\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\kbdcbke\cegefcb\hghehhe

Filesize
129B

MD5
668418e796a423db8d9e0c621e6f8b09

SHA1
3a874c52d4b3feb0d02732e9eef97f768c74f351

SHA256
7661c506667d8169f9cef6fd8a1bf9a6a8f5877f43926f0dae40fa2fb390712b

SHA512
1f44200028cc4bcfaf9ab7e8fd0ac0542cc556c91ec484b390cfbbbeeca389c3a23bd44a5771eaba08d3378dec6c09802d8e54782d4b8c5386f9d95caf4dc5a0

Download Submit
C:\ProgramData\kbdcbke\cegefcb\hghehhe

Filesize
129B

MD5
e85f6c99b7bff5ee111702a2d40b4684

SHA1
18fdacd0e45686c8526454deacd12227e2a54757

SHA256
e078b12abd2688ea37c971ea1f9778e7948af4211f18cdd25e3f530c2f200a67

SHA512
9635033a2a12cea88dd303ea225e3956c1bef83161782ad492a6effaaeb24309d6e81ed56e8f41aec699ec38b2a408c2ee34f129a0b6990a4a706b38c0157977

Download Submit
C:\ProgramData\kbdcbke\hffagdd.au3

Filesize
769KB

MD5
272828dbafd0b43c07fb32535f9ad248

SHA1
0e3ffac563ea416a5d6684082013ebf2892f2bd1

SHA256
f588467b597b6e08c34741250fc9c64790e7a3e4646ad343b6976fe318a695d0

SHA512
82ffa68675ade1e80a199492b1d2b130d386e6c936eb67c812c45a1de6207ab3fb5a6b828c44764c1f7476afc5ab368cbc4f14fc5a8bf7a6488242f09cb1b176

Download Submit
C:\ProgramData\kbdcbke\hffagdd.au3

Filesize
769KB

MD5
272828dbafd0b43c07fb32535f9ad248

SHA1
0e3ffac563ea416a5d6684082013ebf2892f2bd1

SHA256
f588467b597b6e08c34741250fc9c64790e7a3e4646ad343b6976fe318a695d0

SHA512
82ffa68675ade1e80a199492b1d2b130d386e6c936eb67c812c45a1de6207ab3fb5a6b828c44764c1f7476afc5ab368cbc4f14fc5a8bf7a6488242f09cb1b176

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1554ca25-b22c-4111-8294-45a378067bca\files.cab

Filesize
1.6MB

MD5
e7c3b16ed93b760546ae6756b12644da

SHA1
99b3b1af70b45b4b815a814f61f9b6e509cd3bb6

SHA256
659733a584c52078ac6b568dfb34a089bef2b3835a5ea737d32c1623a468b743

SHA512
b6eeaaeeb1f7c8335076075bc8033d5d4744544f3937eeaddcbef5f7ba257a64c20a47f8388c1e8f10c5821da8abe0683be8fd60c3e1a9aea25e4a705e2f8b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1554ca25-b22c-4111-8294-45a378067bca\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1554ca25-b22c-4111-8294-45a378067bca\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1554ca25-b22c-4111-8294-45a378067bca\files\UGtZgHHT.au3

Filesize
757KB

MD5
1b524d03b27b94906c1a87b207e08179

SHA1
8fbad6275708a69b764992b05126e053134fb9e9

SHA256
1af981d9c5128b3657cdb5506d61563e0d1908b957e5dd6842059d6d3cfdc622

SHA512
1e0f2aea5daa40b6cb7df61ba86e0956356ab7b7ecfc9e2934bc85eec8d42d3aeb32858dd0ead24e82ef261a4120f6374263b7af9256eb79a294d51273cc4f6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1554ca25-b22c-4111-8294-45a378067bca\msiwrapper.ini

Filesize
438B

MD5
3c81bacd5f633825885c49aefa5d9073

SHA1
213a68c08b7f1e438ee08c76381057acfc17c6bc

SHA256
e615746719038c3da702783e69b4c919c1b03b4fb81d5e466a0268ece46c708a

SHA512
85c9b51088a802258a75220dcbd0ff26b99529de1b04566c4cf151a20b6b4b90228ddd0a8b0940732ad5ea733dbc73a43db910a13b75245a899b8dd37a0b82e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1554ca25-b22c-4111-8294-45a378067bca\msiwrapper.ini

Filesize
1KB

MD5
06c98e289d395b866e398ffba36736dd

SHA1
de421c6137fa613dc3a4eca4fc07f9a9297d1eb5

SHA256
ccbfca6c71b8399b7c8ea37190fb1c9761c5ca313c0cb1cbcd97bdcbc22fa933

SHA512
54b5f06ea436832b96525ab0ff4da6ad26b4f8195919269e7b524c38d29f75b79e54f9d15047a1d2a11c2e0148d71d9ed9383acfe44f7fd856bcb19fe953e46f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1554ca25-b22c-4111-8294-45a378067bca\msiwrapper.ini

Filesize
1KB

MD5
b81984224531bc1c21ebbdc2dc6d620e

SHA1
19fb5f56c1ce54aeb1bf673aef8c9bd67babda12

SHA256
b87ddb746477112840895c173e3c751a066dc57ef0c5853d853be7db5258ac5a

SHA512
221dbc87926a3a94afcfbf55d224837a5e5735837b6fbbd8ff49ddc97ce9dab52dfe1bb4db7672ae3190ee6ce7e85d71926a1b9c6b4f4e4fcd8132494af51ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1554ca25-b22c-4111-8294-45a378067bca\msiwrapper.ini

Filesize
1KB

MD5
b81984224531bc1c21ebbdc2dc6d620e

SHA1
19fb5f56c1ce54aeb1bf673aef8c9bd67babda12

SHA256
b87ddb746477112840895c173e3c751a066dc57ef0c5853d853be7db5258ac5a

SHA512
221dbc87926a3a94afcfbf55d224837a5e5735837b6fbbd8ff49ddc97ce9dab52dfe1bb4db7672ae3190ee6ce7e85d71926a1b9c6b4f4e4fcd8132494af51ced

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1554ca25-b22c-4111-8294-45a378067bca\msiwrapper.ini

Filesize
1KB

MD5
f22479a96c546c28d8ece20b9b30e5b3

SHA1
e221d25acc9387f41910c818d25bceb3ebbf5a55

SHA256
e7cc8d9fb32cd90f8830d883af51f61fe8eff8f5f90cf749a81d8ca00ba2e3bb

SHA512
153f0b9a51588db4e37bb33c736385bf4e289ffe95a22919064b2aca58a4b0f26a7811216a8e1f211ab5ebcf3c3ab8d86940f7f47ea39697cf6b6074411b4065

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kebbdck.lnk

Filesize
647B

MD5
d3cc93773b106aa083a7a0b6b12c4e9f

SHA1
b7abf6fb1eb4fedef44f088704abbdaf6f1be48e

SHA256
0477e02f74d7b79ff966be28d8fa9d2c331f9b2d1e6b5d6b3b5ec91cdaa4297a

SHA512
91c617283b692f5307b90b7b756ef7dd10491efcdd364516c0c7df51a09e6bdd5c60e64dd8775f9b489f696de8da341ee53fcda2a813f4521465121fc280ef15

Download Submit
C:\Windows\Installer\MSI14CB.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI14CB.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI346B.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI346B.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
a278568c62b26216949fd6996edcd05d

SHA1
3273459127dc18f52f8b0d4285f1e3d9ec1a454f

SHA256
9ced6d1aad3a446eef7a0cd4958ce1e4a62165cc6edcc7640ff3704a0f15f81c

SHA512
ec7eec874dd31641f67adf1d578631de1292cdf733715f8f2465797aa79899c234920be2a7d5071590f860ebf4a698044f791c5a517d68cca1438f1feb3e5785

Download Submit
\??\Volume{6cfc8904-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{52af9053-c5e8-4501-b672-7475f7fa860b}_OnDiskSnapshotProp

Filesize
5KB

MD5
c7d38bf144093a64c859b8600a2d295a

SHA1
b3c933969c21d3bae1b4f8945e7554f9ecf45833

SHA256
26e539729cbfd409553d1db20ab96c30f5bd623188fc61382fa64f1c3812002b

SHA512
410158865683acc814f3d6a82819dda8f81cbf0e499fda012a01695a097caae79ab1a12f3c79312a650362ad36940db088ab09b2760b010a0d37ae0839c9fa9d

Download Submit
\??\c:\temp\hffagdd.au3

Filesize
757KB

MD5
1b524d03b27b94906c1a87b207e08179

SHA1
8fbad6275708a69b764992b05126e053134fb9e9

SHA256
1af981d9c5128b3657cdb5506d61563e0d1908b957e5dd6842059d6d3cfdc622

SHA512
1e0f2aea5daa40b6cb7df61ba86e0956356ab7b7ecfc9e2934bc85eec8d42d3aeb32858dd0ead24e82ef261a4120f6374263b7af9256eb79a294d51273cc4f6e

Download Submit
memory/4224-801-0x0000000004810000-0x00000000049E9000-memory.dmp

Filesize
1.8MB

Download
memory/4224-212-0x0000000004810000-0x00000000049E9000-memory.dmp

Filesize
1.8MB

Download
memory/4224-211-0x0000000004810000-0x00000000049E9000-memory.dmp

Filesize
1.8MB

Download
memory/4224-207-0x0000000003FE0000-0x00000000040D5000-memory.dmp

Filesize
980KB

Download
memory/4224-206-0x0000000001370000-0x0000000001770000-memory.dmp

Filesize
4.0MB

Download
memory/4552-800-0x0000000010410000-0x000000001048E000-memory.dmp

Filesize
504KB

Download
memory/4552-215-0x0000000000C20000-0x0000000000C21000-memory.dmp

Filesize
4KB

Download
memory/4552-214-0x00000000009D0000-0x00000000009D1000-memory.dmp

Filesize
4KB

Download
memory/4552-1441-0x0000000010410000-0x000000001048E000-memory.dmp

Filesize
504KB

Download
memory/5424-833-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/5424-832-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/5424-1430-0x0000000010490000-0x000000001050E000-memory.dmp

Filesize
504KB

Download
memory/5424-1452-0x0000000010490000-0x000000001050E000-memory.dmp

Filesize
504KB

Download