darkgate | 8ce6620ef7346fbb807b72293ce965b05b5cd37036a9d3a17c834b79e15910f4

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2023 03:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

w_verion_6.1.1_x86.msi
Size

2.2MB
MD5

27a14ed7a94bbbf8dabacd509cb4bf0f
SHA1

097c6021a05ae5dc95a3b6e4dc4deb2583a8b26a
SHA256

8ce6620ef7346fbb807b72293ce965b05b5cd37036a9d3a17c834b79e15910f4
SHA512

78c9d918d17eff9b5662c97adae0942722f64a3864c61e8cd3999dd7210ca9a2b34ab1380ae61091c4fee3602a45f6b6034b9b34580977801de8e2e5beee5f70
SSDEEP

49152:QpUPhzTtpSD6TmCFMZ9Iv1s6kXhH3jtG1+iH4nDcGdi2gzblP9QNIT5QBtg2:QpgntID67vvLkX5BGVOfcblFQCS

Score

10^/10

darkgate ioeooow8ur discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

ioeooow8ur

http://cdn-ext.net

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
true
check_ram
true
check_xeon
false
crypter_au3
true
crypter_dll
false
crypter_rawstub
false
crypto_key
nEtvEVFAjZwGiB
internal_mutex
cbdKcC
minimum_disk
50
minimum_ram
4000
ping_interval
4
rootkit
true
startup_persistence
true
username
ioeooow8ur

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 2308 created 3608	2308	Autoit3.exe	73
PID 2960 created 2940	2960	MicrosoftEdgeUpdate.exe	78
PID 2960 created 3924	2960	MicrosoftEdgeUpdate.exe	71

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fgkfbeb.lnk	MicrosoftEdgeUpdate.exe

Executes dropped EXE 2 IoCs

pid	Process
3304	KeyScramblerLogon.exe
2308	Autoit3.exe

Loads dropped DLL 3 IoCs

pid	Process
3476	MsiExec.exe
3304	KeyScramblerLogon.exe
3476	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
116	ICACLS.EXE
4896	ICACLS.EXE

Blocklisted process makes network request 3 IoCs

flow	pid	Process
7	644	msiexec.exe
8	644	msiexec.exe
10	644	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\e586d6b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{245B51AF-B11C-49EE-991C-8D19FE709204}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6FCC.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5470.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5491.tmp	msiexec.exe
File created	C:\Windows\Installer\e586d6b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x00060000000232b6-177.dat	nsis_installer_1
behavioral2/files/0x00060000000232b6-177.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000002d5e0d994d17e0d40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800002d5e0d990000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809002d5e0d99000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d2d5e0d99000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000002d5e0d9900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	MicrosoftEdgeUpdate.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	MicrosoftEdgeUpdate.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	KeyScramblerLogon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	KeyScramblerLogon.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	KeyScramblerLogon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	KeyScramblerLogon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	KeyScramblerLogon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	KeyScramblerLogon.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1560	msiexec.exe
1560	msiexec.exe
2308	Autoit3.exe
2308	Autoit3.exe
2308	Autoit3.exe
2308	Autoit3.exe
2308	Autoit3.exe
2308	Autoit3.exe
2960	MicrosoftEdgeUpdate.exe
2960	MicrosoftEdgeUpdate.exe
2960	MicrosoftEdgeUpdate.exe
2960	MicrosoftEdgeUpdate.exe
2960	MicrosoftEdgeUpdate.exe
2960	MicrosoftEdgeUpdate.exe
2700	MicrosoftEdgeUpdate.exe
2700	MicrosoftEdgeUpdate.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	644	msiexec.exe
Token: SeIncreaseQuotaPrivilege	644	msiexec.exe
Token: SeSecurityPrivilege	1560	msiexec.exe
Token: SeCreateTokenPrivilege	644	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	644	msiexec.exe
Token: SeLockMemoryPrivilege	644	msiexec.exe
Token: SeIncreaseQuotaPrivilege	644	msiexec.exe
Token: SeMachineAccountPrivilege	644	msiexec.exe
Token: SeTcbPrivilege	644	msiexec.exe
Token: SeSecurityPrivilege	644	msiexec.exe
Token: SeTakeOwnershipPrivilege	644	msiexec.exe
Token: SeLoadDriverPrivilege	644	msiexec.exe
Token: SeSystemProfilePrivilege	644	msiexec.exe
Token: SeSystemtimePrivilege	644	msiexec.exe
Token: SeProfSingleProcessPrivilege	644	msiexec.exe
Token: SeIncBasePriorityPrivilege	644	msiexec.exe
Token: SeCreatePagefilePrivilege	644	msiexec.exe
Token: SeCreatePermanentPrivilege	644	msiexec.exe
Token: SeBackupPrivilege	644	msiexec.exe
Token: SeRestorePrivilege	644	msiexec.exe
Token: SeShutdownPrivilege	644	msiexec.exe
Token: SeDebugPrivilege	644	msiexec.exe
Token: SeAuditPrivilege	644	msiexec.exe
Token: SeSystemEnvironmentPrivilege	644	msiexec.exe
Token: SeChangeNotifyPrivilege	644	msiexec.exe
Token: SeRemoteShutdownPrivilege	644	msiexec.exe
Token: SeUndockPrivilege	644	msiexec.exe
Token: SeSyncAgentPrivilege	644	msiexec.exe
Token: SeEnableDelegationPrivilege	644	msiexec.exe
Token: SeManageVolumePrivilege	644	msiexec.exe
Token: SeImpersonatePrivilege	644	msiexec.exe
Token: SeCreateGlobalPrivilege	644	msiexec.exe
Token: SeBackupPrivilege	3852	vssvc.exe
Token: SeRestorePrivilege	3852	vssvc.exe
Token: SeAuditPrivilege	3852	vssvc.exe
Token: SeBackupPrivilege	1560	msiexec.exe
Token: SeRestorePrivilege	1560	msiexec.exe
Token: SeRestorePrivilege	1560	msiexec.exe
Token: SeTakeOwnershipPrivilege	1560	msiexec.exe
Token: SeRestorePrivilege	1560	msiexec.exe
Token: SeTakeOwnershipPrivilege	1560	msiexec.exe
Token: SeBackupPrivilege	3160	srtasks.exe
Token: SeRestorePrivilege	3160	srtasks.exe
Token: SeSecurityPrivilege	3160	srtasks.exe
Token: SeTakeOwnershipPrivilege	3160	srtasks.exe
Token: SeBackupPrivilege	3160	srtasks.exe
Token: SeRestorePrivilege	3160	srtasks.exe
Token: SeSecurityPrivilege	3160	srtasks.exe
Token: SeTakeOwnershipPrivilege	3160	srtasks.exe
Token: SeRestorePrivilege	1560	msiexec.exe
Token: SeTakeOwnershipPrivilege	1560	msiexec.exe
Token: SeRestorePrivilege	1560	msiexec.exe
Token: SeTakeOwnershipPrivilege	1560	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
644	msiexec.exe
644	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 3160	1560	msiexec.exe	96
PID 1560 wrote to memory of 3160	1560	msiexec.exe	96
PID 1560 wrote to memory of 3476	1560	msiexec.exe	98
PID 1560 wrote to memory of 3476	1560	msiexec.exe	98
PID 1560 wrote to memory of 3476	1560	msiexec.exe	98
PID 3476 wrote to memory of 4896	3476	MsiExec.exe	99
PID 3476 wrote to memory of 4896	3476	MsiExec.exe	99
PID 3476 wrote to memory of 4896	3476	MsiExec.exe	99
PID 3476 wrote to memory of 2632	3476	MsiExec.exe	101
PID 3476 wrote to memory of 2632	3476	MsiExec.exe	101
PID 3476 wrote to memory of 2632	3476	MsiExec.exe	101
PID 3476 wrote to memory of 3304	3476	MsiExec.exe	103
PID 3476 wrote to memory of 3304	3476	MsiExec.exe	103
PID 3476 wrote to memory of 3304	3476	MsiExec.exe	103
PID 3304 wrote to memory of 2308	3304	KeyScramblerLogon.exe	104
PID 3304 wrote to memory of 2308	3304	KeyScramblerLogon.exe	104
PID 3304 wrote to memory of 2308	3304	KeyScramblerLogon.exe	104
PID 3476 wrote to memory of 116	3476	MsiExec.exe	105
PID 3476 wrote to memory of 116	3476	MsiExec.exe	105
PID 3476 wrote to memory of 116	3476	MsiExec.exe	105
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107
PID 2308 wrote to memory of 2960	2308	Autoit3.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3924
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"
  2⤵
  PID:1780

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3608
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2960

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2940
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2700

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\w_verion_6.1.1_x86.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:644

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3160
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CCCCBAAA744AB7ECB7CA11F91E3C7C11
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3476
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:4896
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:2632
- - C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\KeyScramblerLogon.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\KeyScramblerLogon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:3304
  - - C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\Autoit3.exe
      "C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\Autoit3.exe" C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\script.au3
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2308
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:116

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cgdhfba\fbbaaae\ffgeack

Filesize
127B

MD5
b164b95ebea1ea5edebe8ae5b62e294b

SHA1
b7c20a9edcbab89dc278da928739d71ea04b4ba9

SHA256
81954663393548429fd0ca720181c6c9bba20722aa7185a2acf9984ac2b40b87

SHA512
79d5a7d55c1f0118b9964362109f7f1d24d1acdc751e0afa89697da82bf4af7a4d1c08bacf48ba6360190db4876763996ea66d69870a9f6962d6018011538b3b

Download Submit
C:\ProgramData\cgdhfba\fbbaaae\ffgeack

Filesize
127B

MD5
403d4eae1c51627f3fe502ead9dd736b

SHA1
a72b35dad16248c527c0edaf769dba1b00307a80

SHA256
71ed44ad41dad387769b2410ee7f5526b581e08e8330db91ac00a6a9bd759730

SHA512
9dfa3f7dbe1207663c34061fc525bd797ce31e7bdf200978f6d304c516974c24e473ed75b1eef81cc121dc91ad6d51192b867030c5bb47b00ad25c02cd1ffb9a

Download Submit
C:\ProgramData\cgdhfba\gdhakea.au3

Filesize
930KB

MD5
8daa773c732270717d988eed65efeae2

SHA1
a7c1f89b5a59f3d4615ebc6f9be004e0707cf030

SHA256
3633403c236ad0d4539c66b7c98d8c04121e62aca14142ac950ff244f44e8b16

SHA512
ec999d9b64fa81d35fca9a156511bb6eaf17e0a67b5f180989e5206cebd83efd5f33bbc91d430e03f3c298b1bd04ee889e47861339db9f1123dbb46e57f66867

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_90CA53BF93380499933443132F1E0073

Filesize
1KB

MD5
d59282dce9050bc5907f2fe0ce720e5f

SHA1
fb0c04792766e810cd6c3e12823b52ae61d4ed7a

SHA256
8f1cee23ec817556fd9950281a8267bcfa97e35b9f700806d84fc547cc1552e8

SHA512
287b66d45a6fd99906c16e93419afc3e54bb1f9111ae8fffc5518d7359a22a01e5420cb8ea4782fc68da12760fe0cb81b34fb7ab589d648e05b5c09aef084a2d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
5ceb760fe2681f49d5690324604cd51b

SHA1
f2fe609929d37e26b453235438622e688a5bb603

SHA256
2b69d275d3cd182188223295f029ac2d119663c07af112b5e70ae7781be8acce

SHA512
191fe8542480f082c4097bbd2448afeee151ca65e563449b7fde3fe557268ef3f2735568db7b302c727561631d85feb1952c1368c599e560fed4947b69c2375d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_90CA53BF93380499933443132F1E0073

Filesize
540B

MD5
413507a68e93806076466fd96a0ef073

SHA1
26d0867e00b539209224d0e11842f9001f6a2ce5

SHA256
5d7e64683e4049e42c170b84db8668356cef0674b8115dd34abb5e299236bc88

SHA512
001fc17a044146bea3fbc62332a582fa3f09ce3051abfe9c187d6e3a9d6fd6601285850b1f4d6e8b11a03bc772d7ed8fe32cb2dc93176c6fd3ec7b1421dcbee1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
6c8806e385cae278ebc465b6a79357fe

SHA1
3b304967c6f698ffb028e778f088a384a0bffbb1

SHA256
b7aaf2fada8586a8021a1cd28485bd14aa925fb0082fcd3ba9669a70e4023ee8

SHA512
2c950232eb50a586f11aa0ebc2c4c95d654802353c462bafe33575254f27cd8b7a32bc32027f3b189a25b9a91244dffb30969382cfa6c5b3ab193ce7b622cad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files.cab

Filesize
1.9MB

MD5
fa5784b487396848f38c1cd8e59c86a9

SHA1
ff3dea4d31a14dbd20466004a4dfa5e8507abfaf

SHA256
d469079bffbd78c1530c711b438d5602979c037c42cba1b533a4515f7bdba564

SHA512
a89edc0dac70f4dccb53c46ac2b1aacd8d0a07e8d0f072b93aeedd1875f8de6b37847309120f2817f5db41d0a8809e1e48af488b7eca08bf7b1c33ed864124ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\EMCOMSI.pbproj

Filesize
28KB

MD5
2d190d00ca9f4a0da4ea26e6da13307e

SHA1
72cfa041994c30b527cc7f1cf6f4f5877edb35b9

SHA256
7c22e0a9afe2f9f4724711c456a049a113cc600d55167598be17ba1ab5124025

SHA512
e16e6bc6e164a40efc47d6cdb7ddd2bcbffe4760c8ad1eec21dcba2d1d3f61d688b26e89d454c24b89847d26aaf824fdb5b9b18a7ae85612c1e3a255021ec5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\KeyScramblerIE.DLL

Filesize
535KB

MD5
49207f39ea019df265de0a970c9dbf39

SHA1
e952619e83d60fb5ecdb2fe1be4c0fee9b324a36

SHA256
12f0e69f8eb4f198ca85cbcafa9c2534437fcc68c256afd58708e6f4ebc2a9c2

SHA512
544643d4ecc354b51e2f80a01c0131cbeb05c79a1f0e0089cc351de26c52b33a16eb82960b330809593324b2ac85dd6f1bf5e62619acfefd733f336065c0e428

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\KeyScramblerIE.dll

Filesize
535KB

MD5
49207f39ea019df265de0a970c9dbf39

SHA1
e952619e83d60fb5ecdb2fe1be4c0fee9b324a36

SHA256
12f0e69f8eb4f198ca85cbcafa9c2534437fcc68c256afd58708e6f4ebc2a9c2

SHA512
544643d4ecc354b51e2f80a01c0131cbeb05c79a1f0e0089cc351de26c52b33a16eb82960b330809593324b2ac85dd6f1bf5e62619acfefd733f336065c0e428

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\KeyScramblerLogon.dll

Filesize
92KB

MD5
760aa6f15db378dda44f262e1349e28d

SHA1
9bb9a0caa54e8b2560245430f33985996b2d40f3

SHA256
ee04957d0010ca2134c4770b434b2fdec08a25400b474dd51f47d5d1dc8d574b

SHA512
c6cf081dc189d88c85d01832f5cb09ff42c1264d7d4c548a336a33b97ec0b0b24aeb25076fd24db7db2f7a7ced6eccc67d26497352f7eeb1d29bb9c0a59abce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\Languages\KSLangCHT.dll

Filesize
14KB

MD5
07e327539ff319611d858a4c9575ed02

SHA1
53d74091a51d96bb9b946a06803e16d3a9139df6

SHA256
d4afb96b37351ebbe9763fe0110a0859e62f6a065abfa840af5454505b3cd80e

SHA512
906a346bb8f5842a81a1b5f4fc54b71d9db9c390bcdc2dfbaf723eb40ad247c456fccc7a0fd77130c666dd80d2821de1e3487ad62528405a3ec86e503202bc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\Languages\KSLangJPN.dll

Filesize
14KB

MD5
bc5feb50bc7a25e4c08e3bcd8d2bc1c5

SHA1
fb703a62a503ce8a697e8d8c648f6c09408b2f53

SHA256
d52120ab6b006b1f5bda114129d78b7d11ff33e707c3e689cd6bc15dca836da9

SHA512
84699f9de5079fa6c89430d81c76cc89ffd73cc7a9ae2f1a6e5a92bbdb2db5de9461436fb134ce8ff5074b1eea7e56a72432e0e6595d9e141a44f0290e124214

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\QFXUpdateService.exe

Filesize
768KB

MD5
4ed21ae3ae981538ab61f199d4477b92

SHA1
d7266d30270bce21dffb62ed7f2e47fee9890fc2

SHA256
7053dae7f3d11cee5b0ca0363320104857c73aad6a0f2f9af398c2f4e607a95b

SHA512
f4768e7ccc73d5ae8f9da526875b12f571c36ba7c7c9d08aa1a455926a34560f11598f677242c5513ed750a384bd9b1107b57975487603f49e6c16eea92bcbdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\ReadMe.txt

Filesize
13KB

MD5
06a5df751eb0765e69bfb15e12f4c665

SHA1
7394bf7df2dda47bf8d55bfbc880d2a2316054ac

SHA256
8b9d97c137459a495936af47f5140fe75f795728a30e9ec3d8ac9c1cb2e5c65f

SHA512
aabd6aa18646192bd49e5343e0129e696b1e003a16e8205fd36aa863be9c97aadf9ac67bba96629d21ea5921e89ce6a401e74d9347aa77468f3854dc64e20558

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\Sounds\Error.wav

Filesize
35KB

MD5
efad8c5d6cc6cae180ebe01ce3a60c88

SHA1
614839975c1f07161f3c26ba2af08ae910b21c61

SHA256
acad74b9bb57809e1b35bc06f357941986ebdc547ba33fc618f07e6e7bdc49bd

SHA512
d404752e05ee803958a21b7fcadc0782ba36ea42eba84eae42eca6360df71822bc705eea6ef2caaa82e2fdcc518ba1cd94c04cc7e7e7739d32eb29dbffd2f51a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\Sounds\Success.wav

Filesize
66KB

MD5
fd8177d61c8dd032dd262bf979d852f6

SHA1
ac64e21b7c80e996bcb369b6023bec4191568a52

SHA256
8dae19fc9c722a7fb169f37b5881e74551a8d3b8b43ec6f52b6d5d46e885ed6c

SHA512
39e75172a2b410eb25de87f06c57e1c583493f1885a39f2a410ce6437cc8e9d400a3e8e695cdcec63752840096637a16c1d875e43ce1c40e43553f16337ff835

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\Uninstall.exe

Filesize
72KB

MD5
eff839d29dbb06677a85117d036e29c6

SHA1
473823c718f3db95d27f14b783e68c08f13caded

SHA256
1b5cb8035b18d06b5219f2e7d30200ca343c0ce6763962c7c41534aecc2b1c80

SHA512
cb4fb2b054e3430df934cd30be220e13c2f86bf2dbc6e2a46d59fa4f7d9c6feca9cbc44fb1cc49bfae7aa39623d26d8f4510fa9a0584a1f64110cae87117aff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\getting_started.html

Filesize
1KB

MD5
da033601ee343eaa7f5d609a854b4baa

SHA1
e279b127a9ce7582a626c29dd02a0b88ff10d966

SHA256
e4312722cf4e6e179f7c50e8fcc618d583a38ba71046aee2d67090d7a37ee5da

SHA512
b6c53aabc3c1c41d639f5877dc81dbf05145c8feb4101e20afd45dbafdc5f2af90394dda3c26836a34d4382135fbdcc899795a58a40d3974fcaff7f4f8002a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\keyscrambler.ico

Filesize
39KB

MD5
fde5504bbf7620aca9f3850511c13a45

SHA1
484382ecc232cedc1651fba5f9311e9164f43369

SHA256
932409eb2abfc31f2dd218240de70a150359ea8ab09fcceb1f076b9a17c844b7

SHA512
6d67be9398fcc2b85fe4fd7357f37d6cfc1d3e548f713319080707c750b66d2b1e631c79a7e745c56b1a72be91735156e3989eff8d0b84c3442c0fa548c2a6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\keyscrambler.sys

Filesize
225KB

MD5
9baf5236d65a36ed2c388cf04108ab9f

SHA1
f5e28edea04a00b5e8806130cd2736336c6e3792

SHA256
9e79960a40797c11a007d9c8e6a4bce721baf603f5d651f5485eb5481c717b12

SHA512
1fc899c37e628adbe05a53812e6106332de7dbef83ce72094dd228067eefa71d09abe55d250b35d93f7454b9596073de95af6700e543c17bb5d43e7de0fcac1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\kqbpzitz

Filesize
1.8MB

MD5
50ad06759e5aa64cb8588bed11c65ef5

SHA1
2d3bf6629717a95ec1eda69f00fbebd07068e858

SHA256
e22b37f8a2f0b3519d9621cbe0bca1567a4906f5dc02154114c8b5f340cb5c0e

SHA512
cc6958a799cc15c0e8c13038b744b968602766540f8406bf843a7e632d16fc3dd64edc45ca6843cb41fda79924d66b4a4a42942e16a64918b8e28e2f41a20b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\license.htm

Filesize
6KB

MD5
fbe23ef8575dd46ea36f06dd627e94ab

SHA1
d80929568026e2d1db891742331229f1fd0c7e34

SHA256
104c6948b760b0dc6fb80f9283a7978229e8be4bab316fe5fa883dccc18dc8ab

SHA512
caba58d22a835c2a9a0c420129631add230ebbb16edc36b45766348f5c7d5e5c9f8dc2edd71622f8876f8777d3c797a3e6dd2da7ea1a743cbca73d1e4ad27d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\oguvxab

Filesize
8B

MD5
1a0581fdffd18f73da39a55753c3ade9

SHA1
0078f670b0e0be1a86a4c41a85cce33e2de43199

SHA256
e49500acda87654eb89b9f227bdc8491efae08c571299111e0b42e3a8f43c58e

SHA512
37371b9556edf1dc64e6fa1452b8ed0f857d32bf6fabf86e4cc4420f1ab2ffaec6006a7ff40cb08f5cc4dddbecf2e494e0585b6616bb384d54577a96609e382f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\project.xml

Filesize
1KB

MD5
189dc774be74d9453606a7a80cd730e6

SHA1
1a70d362b8bd78cdfe7949f3438b346fe8c69adb

SHA256
3af50be8a1086fff8726686340b4a3883125406f20ac0f72396363891ecc26c6

SHA512
68679076938165c6bb669d5ac7fbe979ae34611b6eda3030eea5361872993c7922a705185ac4016e221ccd6220f8af31e0d3821241d410bbfe744e6c29588a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\files\script.au3

Filesize
922KB

MD5
1369ca7e6ea003bd4e2e48c2038c5ce5

SHA1
2881545960ef471b60eb7d06526b857e019b987c

SHA256
0745b4cc573beb18e0bc2757afbcda4a163b839b2e88cf76ca4c5ffdbfbe9445

SHA512
35131be8cfd009bf1f965e0984783eab94e92aea5a2a2b45a944087aeb19ca7445144b262ff0a8fa5b6c5e8cda393af9b52c46792dc5ce60993dd5a19337558a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\msiwrapper.ini

Filesize
1KB

MD5
8b15b3c01f1c23e4ae71e99741847b72

SHA1
07694809477d974d3631b7d2720485948ad86162

SHA256
b0353d7dae39fab0d4153a9d84a1aa8819901604a8b2f614dbfa92cefab39e33

SHA512
86c6acca5f462ee79deb5d98567d672d7ce77e7c416e29819d2adb7407a52597af2c2cd08a5918c778a50d39f71492c31ef6e49deaeb717c53aa63c261d7ce18

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\msiwrapper.ini

Filesize
1KB

MD5
2f72eaa2490de1ff8465beb2e26b108b

SHA1
14ab01861b42dd7b754bf1fa6ba0b5ae7377fdb4

SHA256
83996dc1ae6e3b77649baba4c5505e2cd0555ad49e0f6158ae7024fdd796aecc

SHA512
6590c2d2231c51173d905e527b581c1bf6ee0d3060b9ae5c3e1092735af11b18973644361b612c7644a08424fece53ce72bd9c01b10ecd273757c20033741b2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-bf2eb90b-0732-4982-927f-5994375b256c\msiwrapper.ini

Filesize
1KB

MD5
2f72eaa2490de1ff8465beb2e26b108b

SHA1
14ab01861b42dd7b754bf1fa6ba0b5ae7377fdb4

SHA256
83996dc1ae6e3b77649baba4c5505e2cd0555ad49e0f6158ae7024fdd796aecc

SHA512
6590c2d2231c51173d905e527b581c1bf6ee0d3060b9ae5c3e1092735af11b18973644361b612c7644a08424fece53ce72bd9c01b10ecd273757c20033741b2e

Download Submit
C:\Windows\Installer\MSI5491.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI5491.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI6FCC.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI6FCC.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\dkkdead

Filesize
4B

MD5
224cb2c7eb724266898c4c5c878fd70e

SHA1
a5f72b59d74f6092c6d19d4709b1f9cf8201cfe0

SHA256
730207a3bd7a334bf692db6c9a13b78daada7f86a0f947f5910ffe4068d183ee

SHA512
49eb834df931531e88c90fd4e319330b2cd15c204fe0a4c75f2d27e542c6ba717915893802b3e72d3cd7e87398258024de269f4149e821187c6e72750f08ab48

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
348dbba6b6bd8f80624707f48eaeef44

SHA1
1647d7425d8fca10109e9c6f7ccf1f4d4b543d0b

SHA256
6eb6ce3167e7e4683967fe8ecaa36d72ac37525ee9f179eb9167a5b345c84d56

SHA512
c1b6316c2d8b542d7263bc1f4e38759711f7bc75d545088b43ef0a2ce758ceab48a998cc6f8831fcd15a24232b47de7ac7903dcbfd37ff377411ce5914d97980

Download Submit
\??\Volume{990d5e2d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e8e4276e-5646-42b0-acc4-efc81511e98a}_OnDiskSnapshotProp

Filesize
6KB

MD5
7ae7240cd6c48bc57b5b21664d0e5f4f

SHA1
70f4989cfbe8d895755eb1eafb6a7614e5e22f27

SHA256
48e1cc3b7f12f15bdee0c1ea597fa09b88d0f6658fe3b28670c6745822ea8591

SHA512
adf87a2c9a109967506cef4abcc14af52537464b4f973c5f5fe27d8cd689514bded83b1ce4b11fe95b08693ca950dedd84e60800d3ec0119fcfecf2735e7f913

Download Submit
\??\c:\temp\gdhakea.au3

Filesize
922KB

MD5
1369ca7e6ea003bd4e2e48c2038c5ce5

SHA1
2881545960ef471b60eb7d06526b857e019b987c

SHA256
0745b4cc573beb18e0bc2757afbcda4a163b839b2e88cf76ca4c5ffdbfbe9445

SHA512
35131be8cfd009bf1f965e0984783eab94e92aea5a2a2b45a944087aeb19ca7445144b262ff0a8fa5b6c5e8cda393af9b52c46792dc5ce60993dd5a19337558a

Download Submit
memory/2308-214-0x0000000004AE0000-0x0000000004EA2000-memory.dmp

Filesize
3.8MB

Download
memory/2308-783-0x0000000004AE0000-0x0000000004EA2000-memory.dmp

Filesize
3.8MB

Download
memory/2308-163-0x00000000041E0000-0x00000000042D5000-memory.dmp

Filesize
980KB

Download
memory/2308-192-0x0000000004AE0000-0x0000000004EA2000-memory.dmp

Filesize
3.8MB

Download
memory/2308-162-0x00000000018A0000-0x0000000001CA0000-memory.dmp

Filesize
4.0MB

Download
memory/2308-180-0x0000000004AE0000-0x0000000004EA2000-memory.dmp

Filesize
3.8MB

Download
memory/2308-209-0x00000000018A0000-0x0000000001CA0000-memory.dmp

Filesize
4.0MB

Download
memory/2308-210-0x00000000041E0000-0x00000000042D5000-memory.dmp

Filesize
980KB

Download
memory/2700-1389-0x0000000010490000-0x000000001050F000-memory.dmp

Filesize
508KB

Download
memory/2700-1415-0x0000000010490000-0x000000001050F000-memory.dmp

Filesize
508KB

Download
memory/2700-792-0x00000000009C0000-0x00000000009C1000-memory.dmp

Filesize
4KB

Download
memory/2700-794-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download
memory/2960-195-0x0000000000E00000-0x0000000000E01000-memory.dmp

Filesize
4KB

Download
memory/2960-781-0x0000000010410000-0x000000001048F000-memory.dmp

Filesize
508KB

Download
memory/2960-196-0x0000000000FC0000-0x0000000000FC1000-memory.dmp

Filesize
4KB

Download
memory/2960-820-0x0000000010410000-0x000000001048F000-memory.dmp

Filesize
508KB

Download
memory/3304-155-0x00000000010C0000-0x00000000011B5000-memory.dmp

Filesize
980KB

Download
memory/3304-153-0x0000000003140000-0x0000000003880000-memory.dmp

Filesize
7.2MB

Download
memory/3304-141-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/3304-159-0x00000000010C0000-0x00000000011B5000-memory.dmp

Filesize
980KB

Download
memory/3304-158-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download