0130e9d398cc202f042ac8c8712712950b5e29842993260517a79b983e8f090a

Analysis

max time kernel
270s
max time network
272s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
19/09/2023, 05:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

win_download.msi
Size

2.2MB
MD5

08f0c81fae67afcf6d98421626adf921
SHA1

235694f7c549e5653dfffdf4578b9b53f014b730
SHA256

0130e9d398cc202f042ac8c8712712950b5e29842993260517a79b983e8f090a
SHA512

060c61d8e64ac67a635fbc6c808fefcb263efe1acb7012883349a96d44a7db3799530303a1dfca43773f56a622390e0a59a128fd470bafbe04b14ef84835c544
SSDEEP

49152:BpUPhUTtpSD6TtYRNs2BwFJ0Tdu6Tsf3xqi2w8yjYa:BpgytID6JY1BwCdu64fhq/w8yz

Score

10^/10

discovery

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 4552 created 2180	4552	Autoit3.exe	25
PID 4552 created 3872	4552	Autoit3.exe	39
PID 5956 created 2568	5956	vbc.exe	52
PID 5956 created 3784	5956	vbc.exe	15

Blocklisted process makes network request 3 IoCs

flow	pid	Process
3	4616	msiexec.exe
5	4616	msiexec.exe
9	4616	msiexec.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkhgfec.lnk	vbc.exe

Executes dropped EXE 2 IoCs

pid	Process
1604	KeyScramblerLogon.exe
4552	Autoit3.exe

Loads dropped DLL 3 IoCs

pid	Process
1576	MsiExec.exe
1604	KeyScramblerLogon.exe
1576	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
988	ICACLS.EXE
3948	ICACLS.EXE

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4552 set thread context of 5956	4552	Autoit3.exe	120

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{97B29F6C-C0F4-4F21-91C2-E74D48E4E087}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2100.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI3C0B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C1C.tmp	msiexec.exe
File created	C:\Windows\Installer\e581ece.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e581ece.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5640	1804	WerFault.exe	108
5692	1804	WerFault.exe	108

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000600000002320b-162.dat	nsis_installer_1
behavioral2/files/0x000600000002320b-162.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d5202569a554c8040000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d52025690000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d5202569000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd5202569000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d520256900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TabTip32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TabTip32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TabTip32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TabTip32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	KeyScramblerLogon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	KeyScramblerLogon.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vbc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vbc.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	KeyScramblerLogon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	KeyScramblerLogon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	KeyScramblerLogon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	KeyScramblerLogon.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2740	msiexec.exe
2740	msiexec.exe
4552	Autoit3.exe
4552	Autoit3.exe
4552	Autoit3.exe
4552	Autoit3.exe
4552	Autoit3.exe
4552	Autoit3.exe
4552	Autoit3.exe
4552	Autoit3.exe
4552	Autoit3.exe
4552	Autoit3.exe
5956	vbc.exe
5956	vbc.exe
5956	vbc.exe
5956	vbc.exe
5956	vbc.exe
5956	vbc.exe
6028	TabTip32.exe
6028	TabTip32.exe
5152	TabTip32.exe
5152	TabTip32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5956	vbc.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4616	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4616	msiexec.exe
Token: SeSecurityPrivilege	2740	msiexec.exe
Token: SeCreateTokenPrivilege	4616	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4616	msiexec.exe
Token: SeLockMemoryPrivilege	4616	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4616	msiexec.exe
Token: SeMachineAccountPrivilege	4616	msiexec.exe
Token: SeTcbPrivilege	4616	msiexec.exe
Token: SeSecurityPrivilege	4616	msiexec.exe
Token: SeTakeOwnershipPrivilege	4616	msiexec.exe
Token: SeLoadDriverPrivilege	4616	msiexec.exe
Token: SeSystemProfilePrivilege	4616	msiexec.exe
Token: SeSystemtimePrivilege	4616	msiexec.exe
Token: SeProfSingleProcessPrivilege	4616	msiexec.exe
Token: SeIncBasePriorityPrivilege	4616	msiexec.exe
Token: SeCreatePagefilePrivilege	4616	msiexec.exe
Token: SeCreatePermanentPrivilege	4616	msiexec.exe
Token: SeBackupPrivilege	4616	msiexec.exe
Token: SeRestorePrivilege	4616	msiexec.exe
Token: SeShutdownPrivilege	4616	msiexec.exe
Token: SeDebugPrivilege	4616	msiexec.exe
Token: SeAuditPrivilege	4616	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4616	msiexec.exe
Token: SeChangeNotifyPrivilege	4616	msiexec.exe
Token: SeRemoteShutdownPrivilege	4616	msiexec.exe
Token: SeUndockPrivilege	4616	msiexec.exe
Token: SeSyncAgentPrivilege	4616	msiexec.exe
Token: SeEnableDelegationPrivilege	4616	msiexec.exe
Token: SeManageVolumePrivilege	4616	msiexec.exe
Token: SeImpersonatePrivilege	4616	msiexec.exe
Token: SeCreateGlobalPrivilege	4616	msiexec.exe
Token: SeBackupPrivilege	4456	vssvc.exe
Token: SeRestorePrivilege	4456	vssvc.exe
Token: SeAuditPrivilege	4456	vssvc.exe
Token: SeBackupPrivilege	2740	msiexec.exe
Token: SeRestorePrivilege	2740	msiexec.exe
Token: SeRestorePrivilege	2740	msiexec.exe
Token: SeTakeOwnershipPrivilege	2740	msiexec.exe
Token: SeRestorePrivilege	2740	msiexec.exe
Token: SeTakeOwnershipPrivilege	2740	msiexec.exe
Token: SeRestorePrivilege	2740	msiexec.exe
Token: SeTakeOwnershipPrivilege	2740	msiexec.exe
Token: SeRestorePrivilege	2740	msiexec.exe
Token: SeTakeOwnershipPrivilege	2740	msiexec.exe
Token: SeBackupPrivilege	4212	srtasks.exe
Token: SeRestorePrivilege	4212	srtasks.exe
Token: SeSecurityPrivilege	4212	srtasks.exe
Token: SeTakeOwnershipPrivilege	4212	srtasks.exe
Token: SeBackupPrivilege	4212	srtasks.exe
Token: SeRestorePrivilege	4212	srtasks.exe
Token: SeSecurityPrivilege	4212	srtasks.exe
Token: SeTakeOwnershipPrivilege	4212	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4616	msiexec.exe
4616	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 4212	2740	msiexec.exe	93
PID 2740 wrote to memory of 4212	2740	msiexec.exe	93
PID 2740 wrote to memory of 1576	2740	msiexec.exe	95
PID 2740 wrote to memory of 1576	2740	msiexec.exe	95
PID 2740 wrote to memory of 1576	2740	msiexec.exe	95
PID 1576 wrote to memory of 988	1576	MsiExec.exe	98
PID 1576 wrote to memory of 988	1576	MsiExec.exe	98
PID 1576 wrote to memory of 988	1576	MsiExec.exe	98
PID 1576 wrote to memory of 2008	1576	MsiExec.exe	100
PID 1576 wrote to memory of 2008	1576	MsiExec.exe	100
PID 1576 wrote to memory of 2008	1576	MsiExec.exe	100
PID 1576 wrote to memory of 1604	1576	MsiExec.exe	102
PID 1576 wrote to memory of 1604	1576	MsiExec.exe	102
PID 1576 wrote to memory of 1604	1576	MsiExec.exe	102
PID 1604 wrote to memory of 4552	1604	KeyScramblerLogon.exe	107
PID 1604 wrote to memory of 4552	1604	KeyScramblerLogon.exe	107
PID 1604 wrote to memory of 4552	1604	KeyScramblerLogon.exe	107
PID 1576 wrote to memory of 3948	1576	MsiExec.exe	106
PID 1576 wrote to memory of 3948	1576	MsiExec.exe	106
PID 1576 wrote to memory of 3948	1576	MsiExec.exe	106
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108
PID 4552 wrote to memory of 1804	4552	Autoit3.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3784
- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5152

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2180
- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"
  2⤵
  PID:1804
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 464
    3⤵
    - Program crash
    PID:5640
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1804 -s 484
    3⤵
    - Program crash
    PID:5692

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3872
- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"
  2⤵
  PID:5872

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\win_download.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4616

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2568
- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:6028

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4212
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 948D8EDA4836507C655B9AEA7A05FE02
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1576
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:988
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:2008
- - C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\KeyScramblerLogon.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\KeyScramblerLogon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\Autoit3.exe
      "C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\Autoit3.exe" C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\script.au3
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4552
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5908
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5916
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5924
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5932
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5940
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe
        5⤵
        
        PID:5948
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Drops startup file
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:5956
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:3948

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1804 -ip 1804
1⤵
PID:5616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 1804 -ip 1804
1⤵
PID:5672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Scripting

T1064

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bebdced\bgdfacd\heekbbb

Filesize
127B

MD5
91c1e909dc5747af3e577ebb6715b988

SHA1
bda5e5d2dfedebf4060db5c4299d31efaedb981c

SHA256
68391da4c9723b7645e57ff941500b37552e820cc145730de0ff2ca2bdc8bad9

SHA512
b3b1c9e17e71579e0a0abe0bfcd78ded2e7134a64898834f2773b03263759eed649a9f5edda86cf3c1e310244b8634d209d4f1712e6895f8283d24d3b68ec5fb

Download Submit
C:\ProgramData\bebdced\bgdfacd\heekbbb

Filesize
127B

MD5
0c39a628e4374740e27ea2ca83e45385

SHA1
458b9306746803f3e61afec1dba664e3d6fe3334

SHA256
1933af211b64a532c1897cf4fe203dc24138ea3c0e482a88380bec93e5200848

SHA512
eb344adf961d0f73214027da164567149bb48467e2e81080f2c83e9d232765b12afc98db560d2f058bcfc3cb566f0aa953615fa0e22c62b4aad4417f5dfe4aa2

Download Submit
C:\ProgramData\bebdced\bgdfacd\heekbbb

Filesize
127B

MD5
7b26d637c06eda42ce90d1e35792aacb

SHA1
f456164a66f7738711380ead2bdf81ddbd522d50

SHA256
0a47619613427ac2356a74eecab40880b1a3d8972087647a49eefd077526d96b

SHA512
2ac8102d1b8db8fa5baab3a8151eb20dec60109907278c8a9b55e3789ede2e2c2c068bb2da836c00ce0f4e60097da84e539bf25abbf2c5c0b869e29921a17763

Download Submit
C:\ProgramData\bebdced\hbdcebc.au3

Filesize
930KB

MD5
6a33e1d926dca1c7cb41d1d7f4c5c355

SHA1
8b56d4d22e61c9a847d42e52cc4e420e7d7c063f

SHA256
c56b65f5d4b192e9e27b965bc6283b3fd50c42b50cefe04b7178609a484e3ba0

SHA512
910fcf6ca6463ef2282faacd07a120bffb0bc5974f902884f02f21c13c2c1d952f3dc9f1de9b847246fa8475f7019e3ebb3ca0485c66bd1a4cdf6586e09c25b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_90CA53BF93380499933443132F1E0073

Filesize
1KB

MD5
23344b6442a19c5ceff3a05e9bbcb534

SHA1
0c6d0b6ff80f2751166b13f21c2704c1ccb5ae30

SHA256
7fbff0a8d73c508f84c9fe9d1c76181419a8f3156a9de25edd254c19ffe31850

SHA512
14f609f10ee8289aa1ea2d98fcf087b6807740192fe67358bb614056b80c92ccec0eed569e7279a97fc5121299414be3e3a880c8433dc2908fcb3f63acc250a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
6cfaa9c2da60b1a1418c7e503d76b968

SHA1
d1478e360c1a341fd624b487dc76f21f78adfbb8

SHA256
7c5177227957100be40183b333ef0e49e4c656838eadb863eb455fdb66ccdca2

SHA512
1629b819647247fd22a3e8a246094300a6e599138bd6abfc5a83cfc18c52b115431bb620862b637b0bf229a4e15c5da5bc0fdc2c7013ab64294b747410686cb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_90CA53BF93380499933443132F1E0073

Filesize
540B

MD5
76f5d6958f76df1f5cc3323eeb52b46b

SHA1
a244da39894e1c1274613c82c7b7fdd29dd02a68

SHA256
301100a62fcb6896849d8aac4db115d2fd96e23f9973738be794d152776fb53b

SHA512
4bc5519a8bdf61759d956eafd57663275f1f67e23573ab70185f6274daccd5a28aef62a1c722e7002937404c47cdef557c36d7e29e43c614cf1bce785785873e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
4d2c69f672bdf92293a8cb6c2b0ee1d5

SHA1
fe5e32bec918361dd6121ad5d2c481c6cce36fbf

SHA256
4c5f0df2445f6071dbe65b515e18a9aa4127a2814eac1dbe6c3476ff18a53bd5

SHA512
593988b6c3608ae07e86dc14e6c4871700d0b3e0a694ca2c0642bf7f847faf6f415e4738e02cae1a20982dd9542b143676289120685cc5a7e6f23e01615c2842

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files.cab

Filesize
1.9MB

MD5
41d56d66ccb1c89a5a664de4e536edcb

SHA1
f48fa93e59b1f63710d3ec2cd833107ca9b51088

SHA256
0e849961bbbb9d57c9a803c60209078d8ccdf68224a90e3f3d73e37196953c03

SHA512
f14bf505be1924dd73d9ceffa5f24b2527fafb7e13158da0f342319ef0b8fd935eda44aa40f7bd8bfd032c694612e572667190af7bb98a1dff958790dff01fa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\EMCOMSI.pbproj

Filesize
28KB

MD5
2d190d00ca9f4a0da4ea26e6da13307e

SHA1
72cfa041994c30b527cc7f1cf6f4f5877edb35b9

SHA256
7c22e0a9afe2f9f4724711c456a049a113cc600d55167598be17ba1ab5124025

SHA512
e16e6bc6e164a40efc47d6cdb7ddd2bcbffe4760c8ad1eec21dcba2d1d3f61d688b26e89d454c24b89847d26aaf824fdb5b9b18a7ae85612c1e3a255021ec5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\KeyScramblerIE.DLL

Filesize
535KB

MD5
999b04412635ed77a5b69179cb62ee5b

SHA1
19e2a6a001242c9dc101f714ba5ca111b51531de

SHA256
fb4d37d2e2db94352f7b3975e79e34831c9879e31f403d96a0c6edf39597ded9

SHA512
12c9f4954f05fcb973ea0e1a57839e598e5a695578511febe5e1f44253938dc3d5c864679cf03559ef9eca7068acd187da91e8affa4f8e9904047084c511d3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\KeyScramblerIE.dll

Filesize
535KB

MD5
999b04412635ed77a5b69179cb62ee5b

SHA1
19e2a6a001242c9dc101f714ba5ca111b51531de

SHA256
fb4d37d2e2db94352f7b3975e79e34831c9879e31f403d96a0c6edf39597ded9

SHA512
12c9f4954f05fcb973ea0e1a57839e598e5a695578511febe5e1f44253938dc3d5c864679cf03559ef9eca7068acd187da91e8affa4f8e9904047084c511d3af

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\KeyScramblerLogon.dll

Filesize
92KB

MD5
760aa6f15db378dda44f262e1349e28d

SHA1
9bb9a0caa54e8b2560245430f33985996b2d40f3

SHA256
ee04957d0010ca2134c4770b434b2fdec08a25400b474dd51f47d5d1dc8d574b

SHA512
c6cf081dc189d88c85d01832f5cb09ff42c1264d7d4c548a336a33b97ec0b0b24aeb25076fd24db7db2f7a7ced6eccc67d26497352f7eeb1d29bb9c0a59abce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\Languages\KSLangCHT.dll

Filesize
14KB

MD5
07e327539ff319611d858a4c9575ed02

SHA1
53d74091a51d96bb9b946a06803e16d3a9139df6

SHA256
d4afb96b37351ebbe9763fe0110a0859e62f6a065abfa840af5454505b3cd80e

SHA512
906a346bb8f5842a81a1b5f4fc54b71d9db9c390bcdc2dfbaf723eb40ad247c456fccc7a0fd77130c666dd80d2821de1e3487ad62528405a3ec86e503202bc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\Languages\KSLangJPN.dll

Filesize
14KB

MD5
bc5feb50bc7a25e4c08e3bcd8d2bc1c5

SHA1
fb703a62a503ce8a697e8d8c648f6c09408b2f53

SHA256
d52120ab6b006b1f5bda114129d78b7d11ff33e707c3e689cd6bc15dca836da9

SHA512
84699f9de5079fa6c89430d81c76cc89ffd73cc7a9ae2f1a6e5a92bbdb2db5de9461436fb134ce8ff5074b1eea7e56a72432e0e6595d9e141a44f0290e124214

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\QFXUpdateService.exe

Filesize
768KB

MD5
4ed21ae3ae981538ab61f199d4477b92

SHA1
d7266d30270bce21dffb62ed7f2e47fee9890fc2

SHA256
7053dae7f3d11cee5b0ca0363320104857c73aad6a0f2f9af398c2f4e607a95b

SHA512
f4768e7ccc73d5ae8f9da526875b12f571c36ba7c7c9d08aa1a455926a34560f11598f677242c5513ed750a384bd9b1107b57975487603f49e6c16eea92bcbdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\ReadMe.txt

Filesize
13KB

MD5
06a5df751eb0765e69bfb15e12f4c665

SHA1
7394bf7df2dda47bf8d55bfbc880d2a2316054ac

SHA256
8b9d97c137459a495936af47f5140fe75f795728a30e9ec3d8ac9c1cb2e5c65f

SHA512
aabd6aa18646192bd49e5343e0129e696b1e003a16e8205fd36aa863be9c97aadf9ac67bba96629d21ea5921e89ce6a401e74d9347aa77468f3854dc64e20558

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\Sounds\Error.wav

Filesize
35KB

MD5
efad8c5d6cc6cae180ebe01ce3a60c88

SHA1
614839975c1f07161f3c26ba2af08ae910b21c61

SHA256
acad74b9bb57809e1b35bc06f357941986ebdc547ba33fc618f07e6e7bdc49bd

SHA512
d404752e05ee803958a21b7fcadc0782ba36ea42eba84eae42eca6360df71822bc705eea6ef2caaa82e2fdcc518ba1cd94c04cc7e7e7739d32eb29dbffd2f51a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\Sounds\Success.wav

Filesize
66KB

MD5
fd8177d61c8dd032dd262bf979d852f6

SHA1
ac64e21b7c80e996bcb369b6023bec4191568a52

SHA256
8dae19fc9c722a7fb169f37b5881e74551a8d3b8b43ec6f52b6d5d46e885ed6c

SHA512
39e75172a2b410eb25de87f06c57e1c583493f1885a39f2a410ce6437cc8e9d400a3e8e695cdcec63752840096637a16c1d875e43ce1c40e43553f16337ff835

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\Uninstall.exe

Filesize
72KB

MD5
eff839d29dbb06677a85117d036e29c6

SHA1
473823c718f3db95d27f14b783e68c08f13caded

SHA256
1b5cb8035b18d06b5219f2e7d30200ca343c0ce6763962c7c41534aecc2b1c80

SHA512
cb4fb2b054e3430df934cd30be220e13c2f86bf2dbc6e2a46d59fa4f7d9c6feca9cbc44fb1cc49bfae7aa39623d26d8f4510fa9a0584a1f64110cae87117aff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\getting_started.html

Filesize
1KB

MD5
da033601ee343eaa7f5d609a854b4baa

SHA1
e279b127a9ce7582a626c29dd02a0b88ff10d966

SHA256
e4312722cf4e6e179f7c50e8fcc618d583a38ba71046aee2d67090d7a37ee5da

SHA512
b6c53aabc3c1c41d639f5877dc81dbf05145c8feb4101e20afd45dbafdc5f2af90394dda3c26836a34d4382135fbdcc899795a58a40d3974fcaff7f4f8002a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\keyscrambler.ico

Filesize
39KB

MD5
fde5504bbf7620aca9f3850511c13a45

SHA1
484382ecc232cedc1651fba5f9311e9164f43369

SHA256
932409eb2abfc31f2dd218240de70a150359ea8ab09fcceb1f076b9a17c844b7

SHA512
6d67be9398fcc2b85fe4fd7357f37d6cfc1d3e548f713319080707c750b66d2b1e631c79a7e745c56b1a72be91735156e3989eff8d0b84c3442c0fa548c2a6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\keyscrambler.sys

Filesize
225KB

MD5
9baf5236d65a36ed2c388cf04108ab9f

SHA1
f5e28edea04a00b5e8806130cd2736336c6e3792

SHA256
9e79960a40797c11a007d9c8e6a4bce721baf603f5d651f5485eb5481c717b12

SHA512
1fc899c37e628adbe05a53812e6106332de7dbef83ce72094dd228067eefa71d09abe55d250b35d93f7454b9596073de95af6700e543c17bb5d43e7de0fcac1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\license.htm

Filesize
6KB

MD5
fbe23ef8575dd46ea36f06dd627e94ab

SHA1
d80929568026e2d1db891742331229f1fd0c7e34

SHA256
104c6948b760b0dc6fb80f9283a7978229e8be4bab316fe5fa883dccc18dc8ab

SHA512
caba58d22a835c2a9a0c420129631add230ebbb16edc36b45766348f5c7d5e5c9f8dc2edd71622f8876f8777d3c797a3e6dd2da7ea1a743cbca73d1e4ad27d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\project.xml

Filesize
1KB

MD5
189dc774be74d9453606a7a80cd730e6

SHA1
1a70d362b8bd78cdfe7949f3438b346fe8c69adb

SHA256
3af50be8a1086fff8726686340b4a3883125406f20ac0f72396363891ecc26c6

SHA512
68679076938165c6bb669d5ac7fbe979ae34611b6eda3030eea5361872993c7922a705185ac4016e221ccd6220f8af31e0d3821241d410bbfe744e6c29588a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\riclolb

Filesize
8B

MD5
7cafb9b75db8fe048e6c95ac0f52af83

SHA1
b2974349bc630fbaf33b4b7ee95d8fc2e51838cd

SHA256
978b283e38ab7a3a3deeb2a221f870f48fca8c33c98f0e0220f37a770415aadd

SHA512
b25863dc56fb82afe72faf16e18fc1e88dc949ab94c0827e555c35bbdfdb96d1271974c22c7fc89921ae2f4da9815edbfe2894803aea077f385569695d92af6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\script.au3

Filesize
922KB

MD5
9428887faa8cd47f11a2533080a4ff01

SHA1
3c84e7ce0613787a5e0254758d89512c655c607c

SHA256
f90868d8da8d60f70243d120ee89590ce598467cd532725a4d2c99457805cbeb

SHA512
f24585e4c811723f4742c67da1078dc2f19682d1da2838d7a4e66afc049e6756d042b8c15ccb318e00218e6dc86dafc4831afef8b64dbb967ffa1476b9dd26da

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\files\zehstkpz

Filesize
1.8MB

MD5
b12af69b0a1743a2abd3d124d1f4f954

SHA1
698736597791b0ac07eb1477ed1a36e1b6a7f363

SHA256
b26e8f69abe9c0d7f52ed12c75abe343ec7596fd921f58c8a8e72535a21bf0fe

SHA512
d22b385026a8244b9e68ff5b52556f8a50e0c9f77a234662a801a39e52064ac97e24f1acaeb0d1d0bc9ca20c538fd1a6d33cd550007414a3b8d959d87afed182

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\msiwrapper.ini

Filesize
1KB

MD5
732c17e0fa409d724259b81b77d051b4

SHA1
cd5b329004c42cf12fa24b40b2cd4bf94db819fd

SHA256
f218c27c7a47ebc4d930e27b1771c54056903704c264ab79f019ae4821b14d48

SHA512
8a018bba6ef0ce033372bc358bba05cbd9165bbf6cbd7f9a48bde4df64a8cefd330d89e596001f787406de93cf23820f7bfda67920f761d534372b7f733eeb04

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\msiwrapper.ini

Filesize
458B

MD5
639b938b4938b09328e4d3e7c669272f

SHA1
bd8988a15fa401aeb3d3b8cbb47112a7a216887b

SHA256
0cc0b429372fdecfa076176585f150bc566309a4203f643254c7e4e2a3b601a7

SHA512
ab429a7a6d42164047232179a9e32dc847e97a65d772c3e2338f7ea1761341bbb7136ad3607317ad7d07adfff36ee38244397d3dc255921af265415f71cb132b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\msiwrapper.ini

Filesize
1KB

MD5
06b8a4db9fc3e385681a876602ebbd95

SHA1
060f7cc50581ea587cbdc89547d9c8643ab3a146

SHA256
0faf1c88b85fda5d4892c92ba1e5e3c2f285fe37cfe50f6f482f23bd62df5120

SHA512
f0fb38dd39d9a5e3a97ddc2caaf99b9d4131d6e1a5549cd298e2909e8fd56982cbaab30d33c29b317988e2c299fc5aff9207d4695ee2cc8731498a86830e0053

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\msiwrapper.ini

Filesize
1KB

MD5
30a5a85ddbfec6b42b1f133f7bb19a30

SHA1
baf892aeb7a1f11c3c1042a9528f98e2291d2ac2

SHA256
2dddcdf7f3473a3269827c3538a900d5c7c2c5d20b3e954bfd8af62547d2d65f

SHA512
ff183419560d0e7e2e79ca595fb1b44c2bf4becee60b2fe5a97f51e0d60672d26ec663fbf4e2ad4e589e306b6a44735ecd06212d50a81520257c56d577fcb7c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ddb1f754-b4d2-4b9e-905c-d35c846effef\msiwrapper.ini

Filesize
1KB

MD5
30a5a85ddbfec6b42b1f133f7bb19a30

SHA1
baf892aeb7a1f11c3c1042a9528f98e2291d2ac2

SHA256
2dddcdf7f3473a3269827c3538a900d5c7c2c5d20b3e954bfd8af62547d2d65f

SHA512
ff183419560d0e7e2e79ca595fb1b44c2bf4becee60b2fe5a97f51e0d60672d26ec663fbf4e2ad4e589e306b6a44735ecd06212d50a81520257c56d577fcb7c3

Download Submit
C:\Windows\Installer\MSI2100.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI2100.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI3C1C.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI3C1C.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\ckbgbbe

Filesize
4B

MD5
6da53a643febe3f037db59dd56a01d26

SHA1
20cb08205076487aa2de21b2791d4bd55287fdfb

SHA256
46356426f205ae975b8df38a43ce3ad95300875d6523e3234c345a2e44de67dc

SHA512
28d282e4ec652ca8e96abfae628309c12baf60cc628e1e316b36e89cdb0cfb27f313b9490a36afbb6d1a21992524bd20e65fd4b8be5e2bbaf53a7b4918522045

Download Submit
C:\temp\ckbgbbe

Filesize
4B

MD5
5927b25ceb97475d0075047d04a06553

SHA1
281499e465b38b601d0455f79187c453857d8089

SHA256
8df242d8536c73d2dc7f3ee36a74fd629efba680c9f03216f6e2457f2284f11c

SHA512
093556de68ccfe4a4f046b85f4c6a3d6be5860c0ef772f19aa585a5a8eb105391690acf361dccf4bfd91801956bc225fa7cb720175c24f89014a26e527661713

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
3f6d6ebe52585443901d1e1f80782d39

SHA1
ac354f344d63bdf96fe155ec41e73f225874cbe3

SHA256
e81266c498c39e2579464398a22c1566ad2256df6318513f1bd6ec7f8f9e5e49

SHA512
78becf53d1f2a2b1aa827a7426040bca54b25bca6354a962f130facffdcb60ffdc80d30fc0e03e0ebb3f94b6d1bf2f4050bdc49bbdb141e8077474f16afda892

Download Submit
\??\Volume{692520d5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ccb693b5-167a-4f26-99e8-d5dfa93643ff}_OnDiskSnapshotProp

Filesize
5KB

MD5
914ccda72982d8a855346078d16990a4

SHA1
4c39bebfeee766b77b0c13f9abf0b7f4d6b9f360

SHA256
13cb585f8dab1addba266e20dac68fe9878b9b02229b4d7d5b85695019bb0b84

SHA512
b590f7394fff50c16386b1743c4c02bf604f543c19d36cc951e189859364a2c90c909d303a956a55e90b189a4b5c3951f509e616b86cb0602f90e3294167a484

Download Submit
\??\c:\temp\hbdcebc.au3

Filesize
922KB

MD5
9428887faa8cd47f11a2533080a4ff01

SHA1
3c84e7ce0613787a5e0254758d89512c655c607c

SHA256
f90868d8da8d60f70243d120ee89590ce598467cd532725a4d2c99457805cbeb

SHA512
f24585e4c811723f4742c67da1078dc2f19682d1da2838d7a4e66afc049e6756d042b8c15ccb318e00218e6dc86dafc4831afef8b64dbb967ffa1476b9dd26da

Download Submit
memory/1604-146-0x00000000037D0000-0x00000000038C5000-memory.dmp

Filesize
980KB

Download
memory/1604-147-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/1604-142-0x0000000002EC0000-0x0000000003600000-memory.dmp

Filesize
7.2MB

Download
memory/1804-184-0x0000000000910000-0x0000000000911000-memory.dmp

Filesize
4KB

Download
memory/1804-183-0x0000000000560000-0x0000000000561000-memory.dmp

Filesize
4KB

Download
memory/1804-770-0x0000000010410000-0x000000001048F000-memory.dmp

Filesize
508KB

Download
memory/4552-180-0x0000000003DD0000-0x0000000004192000-memory.dmp

Filesize
3.8MB

Download
memory/4552-205-0x0000000003DD0000-0x0000000004192000-memory.dmp

Filesize
3.8MB

Download
memory/4552-175-0x0000000003DD0000-0x0000000004192000-memory.dmp

Filesize
3.8MB

Download
memory/4552-800-0x0000000003DD0000-0x0000000004192000-memory.dmp

Filesize
3.8MB

Download
memory/4552-197-0x0000000000B10000-0x0000000000F10000-memory.dmp

Filesize
4.0MB

Download
memory/4552-201-0x00000000034E0000-0x00000000035D5000-memory.dmp

Filesize
980KB

Download
memory/4552-174-0x00000000034E0000-0x00000000035D5000-memory.dmp

Filesize
980KB

Download
memory/4552-173-0x0000000000B10000-0x0000000000F10000-memory.dmp

Filesize
4.0MB

Download
memory/5152-1999-0x0000000010490000-0x000000001050F000-memory.dmp

Filesize
508KB

Download
memory/5152-2024-0x0000000010490000-0x000000001050F000-memory.dmp

Filesize
508KB

Download
memory/5956-839-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/5956-801-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/6028-1409-0x0000000010410000-0x000000001048F000-memory.dmp

Filesize
508KB

Download
memory/6028-1434-0x0000000010410000-0x000000001048F000-memory.dmp

Filesize
508KB

Download
memory/6028-816-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download
memory/6028-811-0x0000000000800000-0x0000000000801000-memory.dmp

Filesize
4KB

Download