darkgate | 965f0fd494fedd05e104edf761a575459ad467081ec96464511cb8038f173846

Analysis

max time kernel
252s
max time network
299s
platform
windows10-1703_x64
resource
win10-20230915-en
resource tags

arch:x64arch:x86image:win10-20230915-enlocale:en-usos:windows10-1703-x64system
submitted
12-10-2023 15:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

gffdgfdgfdg.msi
Size

1.7MB
MD5

d5e7a19ebeaa041c09162cac95747cd1
SHA1

1b249f8a6c26c0146886d7e1f82773c0dd26e3bc
SHA256

965f0fd494fedd05e104edf761a575459ad467081ec96464511cb8038f173846
SHA512

1d060bf4511de52b4320fddba169a9e2347dcd9df526dfc3e240515b6a1033374557946bbae8a605403b8c443e5af98f8ce6f3ae3fdde2af717058820ffff72d
SSDEEP

24576:YtncpVGPJoEHtMBIdyGhemi1rmmMNxwWO/op8/HkfQ6V8T:xpUPJ1GSfsK39kop8vkR8T

Score

10^/10

darkgate usr_871663321 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

usr_871663321

http://greadeaoptimalle.com

Attributes

alternative_c2_port
443
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
2351
check_disk
true
check_ram
true
check_xeon
true
crypter_au3
true
crypter_dll
false
crypter_rawstub
false
crypto_key
ydRJJaNjgOUdLb
internal_mutex
txtMut
minimum_disk
40
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
usr_871663321

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Executes dropped EXE 2 IoCs

pid	Process
3440	KeyScramblerLogon.exe
1400	Autoit3.exe

Loads dropped DLL 3 IoCs

pid	Process
3020	MsiExec.exe
3440	KeyScramblerLogon.exe
3020	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2420	ICACLS.EXE
4100	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIB16A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB17B.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{764667B7-778B-4660-9C1B-339EB9357D23}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9CF7.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File created	C:\Windows\Installer\e589b8f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e589b8f.msi	msiexec.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x000600000001af61-116.dat	nsis_installer_1
behavioral1/files/0x000600000001af61-116.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4444	msiexec.exe
4444	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3420	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3420	msiexec.exe
Token: SeSecurityPrivilege	4444	msiexec.exe
Token: SeCreateTokenPrivilege	3420	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3420	msiexec.exe
Token: SeLockMemoryPrivilege	3420	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3420	msiexec.exe
Token: SeMachineAccountPrivilege	3420	msiexec.exe
Token: SeTcbPrivilege	3420	msiexec.exe
Token: SeSecurityPrivilege	3420	msiexec.exe
Token: SeTakeOwnershipPrivilege	3420	msiexec.exe
Token: SeLoadDriverPrivilege	3420	msiexec.exe
Token: SeSystemProfilePrivilege	3420	msiexec.exe
Token: SeSystemtimePrivilege	3420	msiexec.exe
Token: SeProfSingleProcessPrivilege	3420	msiexec.exe
Token: SeIncBasePriorityPrivilege	3420	msiexec.exe
Token: SeCreatePagefilePrivilege	3420	msiexec.exe
Token: SeCreatePermanentPrivilege	3420	msiexec.exe
Token: SeBackupPrivilege	3420	msiexec.exe
Token: SeRestorePrivilege	3420	msiexec.exe
Token: SeShutdownPrivilege	3420	msiexec.exe
Token: SeDebugPrivilege	3420	msiexec.exe
Token: SeAuditPrivilege	3420	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3420	msiexec.exe
Token: SeChangeNotifyPrivilege	3420	msiexec.exe
Token: SeRemoteShutdownPrivilege	3420	msiexec.exe
Token: SeUndockPrivilege	3420	msiexec.exe
Token: SeSyncAgentPrivilege	3420	msiexec.exe
Token: SeEnableDelegationPrivilege	3420	msiexec.exe
Token: SeManageVolumePrivilege	3420	msiexec.exe
Token: SeImpersonatePrivilege	3420	msiexec.exe
Token: SeCreateGlobalPrivilege	3420	msiexec.exe
Token: SeBackupPrivilege	3124	vssvc.exe
Token: SeRestorePrivilege	3124	vssvc.exe
Token: SeAuditPrivilege	3124	vssvc.exe
Token: SeBackupPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeRestorePrivilege	4444	msiexec.exe
Token: SeTakeOwnershipPrivilege	4444	msiexec.exe
Token: SeBackupPrivilege	3712	srtasks.exe
Token: SeRestorePrivilege	3712	srtasks.exe
Token: SeSecurityPrivilege	3712	srtasks.exe
Token: SeTakeOwnershipPrivilege	3712	srtasks.exe
Token: SeBackupPrivilege	3712	srtasks.exe
Token: SeRestorePrivilege	3712	srtasks.exe
Token: SeSecurityPrivilege	3712	srtasks.exe
Token: SeTakeOwnershipPrivilege	3712	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3420	msiexec.exe
3420	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 3712	4444	msiexec.exe	74
PID 4444 wrote to memory of 3712	4444	msiexec.exe	74
PID 4444 wrote to memory of 3020	4444	msiexec.exe	76
PID 4444 wrote to memory of 3020	4444	msiexec.exe	76
PID 4444 wrote to memory of 3020	4444	msiexec.exe	76
PID 3020 wrote to memory of 2420	3020	MsiExec.exe	77
PID 3020 wrote to memory of 2420	3020	MsiExec.exe	77
PID 3020 wrote to memory of 2420	3020	MsiExec.exe	77
PID 3020 wrote to memory of 2676	3020	MsiExec.exe	79
PID 3020 wrote to memory of 2676	3020	MsiExec.exe	79
PID 3020 wrote to memory of 2676	3020	MsiExec.exe	79
PID 3020 wrote to memory of 3440	3020	MsiExec.exe	81
PID 3020 wrote to memory of 3440	3020	MsiExec.exe	81
PID 3020 wrote to memory of 3440	3020	MsiExec.exe	81
PID 3440 wrote to memory of 1400	3440	KeyScramblerLogon.exe	82
PID 3440 wrote to memory of 1400	3440	KeyScramblerLogon.exe	82
PID 3440 wrote to memory of 1400	3440	KeyScramblerLogon.exe	82
PID 3020 wrote to memory of 4100	3020	MsiExec.exe	83
PID 3020 wrote to memory of 4100	3020	MsiExec.exe	83
PID 3020 wrote to memory of 4100	3020	MsiExec.exe	83

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\gffdgfdgfdg.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3420

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3712
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 10C6081ABD9B9334BD95E53061B5AB05
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2420
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:2676
- - C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\files\KeyScramblerLogon.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\files\KeyScramblerLogon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3440
  - - C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\files\Autoit3.exe
      "C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\files\Autoit3.exe" C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\files\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:1400
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:4100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:2384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\files.cab

Filesize
1.5MB

MD5
816a26e1088f762510057e9a0529834d

SHA1
039517050d6f448c2a82a907f083a6895ce26905

SHA256
38214ef3cbb084cacf845f4ad19d2725a5c85bf9870bade3e0e684c99f051aee

SHA512
fb7e12af209fd32dafd7c65dcdcc6124eb75988a9db0d459585284de46747801ac94dd0c5d10f56ccb642d30e2abf037abac2947895a522fa5a8610f7bcf2cf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\files\KeyScramblerIE.DLL

Filesize
620KB

MD5
8f94193b1d8d80ead4fb1b4eb12878b5

SHA1
2271f7235cb196e4a3239162325c76a4d0542dd1

SHA256
ab23d057dabc8c9f723b6ed6c76c99681a1836dc2965dc994dd5834351c4e212

SHA512
e241c817860b65ef9ce0660b95b8423249a69dc754b791a7b7adc1fef36437b30197cf8c397959ab5be5b84a73b07240a9a88f597f700976e1bc3557222cf7a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\files\KeyScramblerLogon.dll

Filesize
92KB

MD5
760aa6f15db378dda44f262e1349e28d

SHA1
9bb9a0caa54e8b2560245430f33985996b2d40f3

SHA256
ee04957d0010ca2134c4770b434b2fdec08a25400b474dd51f47d5d1dc8d574b

SHA512
c6cf081dc189d88c85d01832f5cb09ff42c1264d7d4c548a336a33b97ec0b0b24aeb25076fd24db7db2f7a7ced6eccc67d26497352f7eeb1d29bb9c0a59abce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\files\Uninstall.exe

Filesize
88KB

MD5
6de8cb9727907a59bcaf9871cc493c70

SHA1
a0ea933423c48d36718dca842994b83e5ffc4756

SHA256
408c0fbf2992f89b058bdb228670ff27a68ef0a7a3b648a33ff86ecc39139a11

SHA512
a48d97a7862eeda211a59d1023071641c91c3065a347ad060c40f86532db36010f5c89b0f6ab427a783ccce45485e42cf6443a14c72faa118c9b0a4c34b5c21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\files\bphmlfy

Filesize
8B

MD5
02c12011cf4f1ee00ddad653c2bfc9d7

SHA1
0dc2e0a69a83e83a652cf4104a4eaf269620a921

SHA256
b68f6fef6b875d7278a49dd5f046c6844367864622873c4f55bd42dfbd42fc78

SHA512
ba62e8671855325323be64124c5d0c8c3d90e6e5972922fb8f98a54f59a861ac9f061ad2e65be459110c9e3ea21212150edb990e3c8c0788d7fa2d05ada2aed5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\files\keyscrambler.ico

Filesize
39KB

MD5
fde5504bbf7620aca9f3850511c13a45

SHA1
484382ecc232cedc1651fba5f9311e9164f43369

SHA256
932409eb2abfc31f2dd218240de70a150359ea8ab09fcceb1f076b9a17c844b7

SHA512
6d67be9398fcc2b85fe4fd7357f37d6cfc1d3e548f713319080707c750b66d2b1e631c79a7e745c56b1a72be91735156e3989eff8d0b84c3442c0fa548c2a6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\files\keyscrambler.sys

Filesize
225KB

MD5
9baf5236d65a36ed2c388cf04108ab9f

SHA1
f5e28edea04a00b5e8806130cd2736336c6e3792

SHA256
9e79960a40797c11a007d9c8e6a4bce721baf603f5d651f5485eb5481c717b12

SHA512
1fc899c37e628adbe05a53812e6106332de7dbef83ce72094dd228067eefa71d09abe55d250b35d93f7454b9596073de95af6700e543c17bb5d43e7de0fcac1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\files\script.au3

Filesize
916KB

MD5
cc4655caf08277c08c58adfd0d463324

SHA1
416fc6bf9bdeff2e872e5f358e7de5133680a761

SHA256
e014a6468cc7e2725eb1ae153ace693709935ec6b8d41dd64befba5c8250242e

SHA512
024fb130735d7d480be32965f2ed6955a0e69a17e804220ed32a52dae44859f015d45f0449726596cd6ef7368ce2ed0aa12fabe16439654f1b4ed0d3d015f571

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\files\toxyletp

Filesize
1.8MB

MD5
caef14454989a87a6016452c01a6370e

SHA1
49e47bfeb573dbe93c5d1c1ec64a71a34312b0ba

SHA256
6d54a84c457fd7ac9f5e52c87e1b868d27c566b381c1979239624afd020a545d

SHA512
3b12311b712fb39d2e2645807d0a7ff688797a2f39a638986a6d3362abfabe68e49603b6a08e1a5aad5039b7e7b29eddd21b68f3312a5f564243299dcfaed63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\msiwrapper.ini

Filesize
1KB

MD5
807fc7f0249345dfb2f61f599d39a142

SHA1
91ec138f1d0cbfe945cb7be4dd12e13b404d2b10

SHA256
c84e87664722fc50c0f0f275e0f4be084f94549f4c77f1f85897bc7aa8371afd

SHA512
99d0b21f00cf309d3294bcfebc4cc7c9db9befc4e9873d9dd90d9b9315831b56a8a1acd010b6794e672ebee19cfbead078668e22209350a93c6b391976f92c93

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\msiwrapper.ini

Filesize
458B

MD5
1a817489f7b5807bdde98fb007365413

SHA1
9182a369376cfd2bf2eccc902581a4cd7f814a6e

SHA256
6f888bd5c6e60393932b78fb8d38e8cb98adea62db7d9122023a8912c37ff068

SHA512
e5fcc0dafb6a69d6098e2ce098186eb1b98bc9e49084c001e46b6f9f96d48b0b4d319cdc7b2fb7e6a69ff44e5535b9288c2c42d0c5fc096de69a533334895662

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\msiwrapper.ini

Filesize
1KB

MD5
ae41e3a69bb47441c47c580caf3ced5c

SHA1
28059cdd7a99f16cb1f6caa0fb35322547f9189b

SHA256
2b22c71854d9510449979c295bea25bcaaf264d1a4640c4fcf30821a566fe1f5

SHA512
b7d03ee4961160bbea1247ecbeaa51bb9dbbc0d27831376711d4dbdc8d3924c1843fc42c33a471d1044c9fcfa036b635c6743bd78fb40bdb56c22a5f1ca08a64

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\msiwrapper.ini

Filesize
1KB

MD5
ae41e3a69bb47441c47c580caf3ced5c

SHA1
28059cdd7a99f16cb1f6caa0fb35322547f9189b

SHA256
2b22c71854d9510449979c295bea25bcaaf264d1a4640c4fcf30821a566fe1f5

SHA512
b7d03ee4961160bbea1247ecbeaa51bb9dbbc0d27831376711d4dbdc8d3924c1843fc42c33a471d1044c9fcfa036b635c6743bd78fb40bdb56c22a5f1ca08a64

Download Submit
C:\Windows\Installer\MSI9CF7.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIB17B.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
25.0MB

MD5
94be7c247fea9ea990c37dfe5cbfc391

SHA1
b37c920f5c12eb3d7fba669d61594b0654968a03

SHA256
3c837ff2522cdc1de5ef1ecda030353e4061fc8b5963b4cba2e957c4114277f3

SHA512
d34ffe6dceed8d3df9a99e12b6e8d59fd5d67ea7c283645f0e53f31fc727f54ff1b4be2f401f3d0514dbde22b16bde2bfaf28ab33e956e190470a46ca9de685d

Download Submit
\??\Volume{90ceb0bd-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{677ba390-d3b6-4568-a924-c2923ff6f5f3}_OnDiskSnapshotProp

Filesize
5KB

MD5
d59751df1bc3f1b2305dbad7236cb626

SHA1
021fe76508d8d632ed9cf9aa10c91b489a1e2f68

SHA256
5baef613bc13f963821b57c0110ad9a62167dab6be567d93d166ebe0aa103d0f

SHA512
6e2f45165df4a4cbd8d816cf5b9fcb3c1aa7a00c32b33557c5ff4d0317bbb852bbb9a6b7f88cf3e5f0d21d1b340049541833acae653795444a36adc7edefe51c

Download Submit
\Users\Admin\AppData\Local\Temp\MW-5246c811-bbba-419c-a5af-4caad7dd21e3\files\KeyScramblerIE.dll

Filesize
620KB

MD5
8f94193b1d8d80ead4fb1b4eb12878b5

SHA1
2271f7235cb196e4a3239162325c76a4d0542dd1

SHA256
ab23d057dabc8c9f723b6ed6c76c99681a1836dc2965dc994dd5834351c4e212

SHA512
e241c817860b65ef9ce0660b95b8423249a69dc754b791a7b7adc1fef36437b30197cf8c397959ab5be5b84a73b07240a9a88f597f700976e1bc3557222cf7a8

Download Submit
\Windows\Installer\MSI9CF7.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\Windows\Installer\MSIB17B.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
memory/1400-127-0x0000000000B70000-0x0000000000F70000-memory.dmp

Filesize
4.0MB

Download
memory/1400-128-0x0000000003310000-0x0000000003405000-memory.dmp

Filesize
980KB

Download
memory/1400-130-0x0000000003C00000-0x0000000003FC3000-memory.dmp

Filesize
3.8MB

Download
memory/1400-129-0x0000000003310000-0x0000000003405000-memory.dmp

Filesize
980KB

Download
memory/1400-131-0x0000000003C00000-0x0000000003FC3000-memory.dmp

Filesize
3.8MB

Download
memory/3440-108-0x0000000003710000-0x0000000003E40000-memory.dmp

Filesize
7.2MB

Download
memory/3440-110-0x0000000004110000-0x0000000004205000-memory.dmp

Filesize
980KB

Download
memory/3440-109-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download