Overview

overview

10

Static

static

1

S_install_x86.msi

windows7-x64

10

S_install_x86.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    152s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-10-2023 01:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    S_install_x86.msi

  • Size

    2.2MB

  • MD5

    4159d454a06b07465a42fdc2ed3d1575

  • SHA1

    c90d572f7f160dd8a3ae6e825eeb2a9d6628cef5

  • SHA256

    0c43398c9b643823f879aaaa2e3cc9f4511cb1e45687bf673812ac55f527ff12

  • SHA512

    e83b2eb3d2340b2e8d36430bffcb7af89ffd97fd2a3db92b1cbc7fca58137389b34f965e5b129e3706cd41f4d9b2abd39e38c2e987c293bef2d96b8b3dbc20f8

  • SSDEEP

    49152:kpUPh1lqpM8LVFlZRUGJGV0Ar3mhAijKtORfjBHbioVvboWQRJna:kpg1pejUoGa1HWuvmJa

Score
10/10
darkgateioeooow8urdiscoverystealer

Malware Config

Extracted

Family

darkgate

Botnet

ioeooow8ur

C2

http://178.236.247.102

Attributes
  • alternative_c2_port

    9999

  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    27850

  • check_disk

    true

  • check_ram

    true

  • check_xeon

    false

  • crypter_au3

    true

  • crypter_dll

    false

  • crypter_rawstub

    false

  • crypto_key

    GaLIXVJblVcqxs

  • internal_mutex

    cbdKcC

  • minimum_disk

    50

  • minimum_ram

    4096

  • ping_interval

    4

  • rootkit

    true

  • startup_persistence

    true

  • username

    ioeooow8ur

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Drops startup file 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Blocklisted process makes network request 3 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 11 IoCs
  • Program crash 2 IoCs
  • NSIS installer 2 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of AdjustPrivilegeToken 53 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
      PID:2616
      • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"
        2⤵
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:4380
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:3712
        • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
          "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"
          2⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Drops startup file
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          PID:4488
      • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
        "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
        1⤵
          PID:4740
          • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
            "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe"
            2⤵
              PID:4132
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 460
                3⤵
                • Program crash
                PID:6724
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 468
                3⤵
                • Program crash
                PID:6820
          • C:\Windows\system32\msiexec.exe
            msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\S_install_x86.msi
            1⤵
            • Blocklisted process makes network request
            • Enumerates connected drives
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of FindShellTrayWindow
            PID:3216
          • C:\Windows\system32\msiexec.exe
            C:\Windows\system32\msiexec.exe /V
            1⤵
            • Enumerates connected drives
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2828
            • C:\Windows\system32\srtasks.exe
              C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
              2⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:1192
            • C:\Windows\syswow64\MsiExec.exe
              C:\Windows\syswow64\MsiExec.exe -Embedding B4089B0B024AF55A43EE7EC09D464021
              2⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:2560
              • C:\Windows\SysWOW64\ICACLS.EXE
                "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
                3⤵
                • Modifies file permissions
                PID:3056
              • C:\Windows\SysWOW64\EXPAND.EXE
                "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
                3⤵
                • Drops file in Windows directory
                PID:2972
              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\KeyScramblerLogon.exe
                "C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\KeyScramblerLogon.exe"
                3⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • Checks processor information in registry
                • Enumerates system info in registry
                • Suspicious use of WriteProcessMemory
                PID:1112
                • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\Autoit3.exe
                  "C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\Autoit3.exe" C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\script.au3
                  4⤵
                  • Suspicious use of NtCreateUserProcessOtherParentProcess
                  • Executes dropped EXE
                  • Checks processor information in registry
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:2236
              • C:\Windows\SysWOW64\ICACLS.EXE
                "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\." /SETINTEGRITYLEVEL (CI)(OI)LOW
                3⤵
                • Modifies file permissions
                PID:4328
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
            • Checks SCSI registry key(s)
            • Suspicious use of AdjustPrivilegeToken
            PID:4336
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4132 -ip 4132
            1⤵
              PID:6684
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4132 -ip 4132
              1⤵
                PID:6772

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\ProgramData\cgdhfba\fbbaaae\ffgeack
                Filesize

                135B

                MD5

                353a618d1c61687972f7be64fab8ea84

                SHA1

                558bc0bf0b74dfe7e43c3cd7c017105e0113bb42

                SHA256

                730bb9adeecb8ce5e6326c1b34250da0a8c8be7cf8ac94ded8ef5b048c4c15a3

                SHA512

                ecf539f87c075aa20001fb0dc8b77935c6eb9856bd515a026d63d9c748a0afdef9520aaae445f8f8bf8af376c66e6c37370461eedc4e8ea6c8b705914a12332f

                Download Submit

              • C:\ProgramData\cgdhfba\fbbaaae\ffgeack
                Filesize

                135B

                MD5

                08a1747b5f17870b3f5622d9e3d376a6

                SHA1

                bc45359c6bfc0cf25a2a60dae155ffbb248d33fa

                SHA256

                35ad1fe95264bfb0455bd34d5c122b4452b538edacfd53af1992f1204533af6c

                SHA512

                0759c8e313875c92c7192090d6269e3ad76414e19e13b903fc6a35411ced0874255e4ad0691b46db98c0734ac22c3ad54d9843a5c84ba1100a82bad529c84524

                Download Submit

              • C:\ProgramData\cgdhfba\gdhakea.au3
                Filesize

                942KB

                MD5

                5a66e10880609415cadb01978b1a0429

                SHA1

                87a8723905ea034cc2f7b60b0a63bd63f92dc465

                SHA256

                02f9e71812be96dc59ac01c3a7c8c6c80052eaee3e860bffaf2b51d58e35acf6

                SHA512

                59b4415f8b28ea592e01b435c1ab3644480ec5adf7f62d09c279cb00dc9e7ed5df34edfa842aedb1c1a525d2471aa34aecc75faa67cfbbd406a15928e86995cc

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_90CA53BF93380499933443132F1E0073
                Filesize

                1KB

                MD5

                059544dc530257a61776bf9658d1117c

                SHA1

                11475796de2714ba13838bf09a040c42ef57b96a

                SHA256

                0ac3e3d39657b9fc7e86ec24f1a8768827c9096ed3daef6f303b0a12515999c2

                SHA512

                ff3ad33240a2f3e9f08588f75ea16bbb3e1ae54f400b10a48d25e8bdaa3aae2f259a67003843f825cf8e97eece18f4c84a0c5e933e9bcc0076c9f2dbdfda09e8

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
                Filesize

                1KB

                MD5

                653205e2a842f5f19032f8640501cfc5

                SHA1

                ea068b3b7386afa02fb1382549abcb776880b3a6

                SHA256

                884dd9e295fcca264f42f6ba580b0ee2c1af8ba8a21b530f1e26b08bca1cbda7

                SHA512

                b2424f00b7b779847256b046396b04834ac776a3a5530f59a058a45537517a07c818fe919c3a3b067efff633575290c408104c2e2cb5528f470bed943b960e62

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_90CA53BF93380499933443132F1E0073
                Filesize

                540B

                MD5

                bfe16da83b2838a68aee85409d9edfd7

                SHA1

                82b24650de6a648583e3fd99afe9a752e678f415

                SHA256

                ee180628f9d227083bc4eaa6e882196d5eee9e9c637babf55ce95b1fc4ed9d54

                SHA512

                27231a8d67e1b6f4b48102c23f381bb0d5811bd224540e6e5a93185a3a25d4793fe501a177a42120ff2da59855cfcc0d3c62d28f2f089ab9ea7fba82ee1ecadb

                Download Submit

              • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
                Filesize

                536B

                MD5

                926da91d93b6fb4e29e847d3446f9cbe

                SHA1

                7ad5e79aaa3bc36bc25450ccd682961e3a30da39

                SHA256

                a0481effc230b65a960772f5591f6c969cac4376fa47851a5347faea7279003f

                SHA512

                aad220fc9d56310028548a1abf24ccd921fa2bb7db018b51040412836041b4fd15608c4ead77f4aa9051e93de33b2e3331c45e3f64210048411875995683e9f6

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files.cab
                Filesize

                1.9MB

                MD5

                bb3767c1ad43f6a2116ee97bb683506a

                SHA1

                642f6260214ba0107d3e05c7f3d28a32b287af46

                SHA256

                7ae4997b56876de2f7530d3d2a8f2336df19c2b8b746e6908b3cd6c65be55f44

                SHA512

                32798a59be2df0b0d027c6d93b693a73c9bec5f7e5dfb0693296c3e3d634e6885b061263263489cc127785e9a21198c671909ebd19262640e0e427b45c58f953

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\Autoit3.exe
                Filesize

                872KB

                MD5

                c56b5f0201a3b3de53e561fe76912bfd

                SHA1

                2a4062e10a5de813f5688221dbeb3f3ff33eb417

                SHA256

                237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

                SHA512

                195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\Autoit3.exe
                Filesize

                872KB

                MD5

                c56b5f0201a3b3de53e561fe76912bfd

                SHA1

                2a4062e10a5de813f5688221dbeb3f3ff33eb417

                SHA256

                237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

                SHA512

                195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\EMCOMSI.pbproj
                Filesize

                28KB

                MD5

                2d190d00ca9f4a0da4ea26e6da13307e

                SHA1

                72cfa041994c30b527cc7f1cf6f4f5877edb35b9

                SHA256

                7c22e0a9afe2f9f4724711c456a049a113cc600d55167598be17ba1ab5124025

                SHA512

                e16e6bc6e164a40efc47d6cdb7ddd2bcbffe4760c8ad1eec21dcba2d1d3f61d688b26e89d454c24b89847d26aaf824fdb5b9b18a7ae85612c1e3a255021ec5e5

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\KeyScramblerIE.DLL
                Filesize

                535KB

                MD5

                6b373e22e8d95fe7b354e62c6658b01e

                SHA1

                75e688644005098e61b0221aa4e5a85ab556fa48

                SHA256

                c01053205d8b955f4f746caff2f94ab320fa628872b1805eda1c2b964b4bb5ae

                SHA512

                f951b235f4dd5d8903c50c7d731273a7c055013c73c61f42fe5fab470eb4e21f0d1a28122428e695c770e84af856dce3442a1e2eb34f87854de6890cd79a438c

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\KeyScramblerIE.dll
                Filesize

                535KB

                MD5

                6b373e22e8d95fe7b354e62c6658b01e

                SHA1

                75e688644005098e61b0221aa4e5a85ab556fa48

                SHA256

                c01053205d8b955f4f746caff2f94ab320fa628872b1805eda1c2b964b4bb5ae

                SHA512

                f951b235f4dd5d8903c50c7d731273a7c055013c73c61f42fe5fab470eb4e21f0d1a28122428e695c770e84af856dce3442a1e2eb34f87854de6890cd79a438c

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\KeyScramblerLogon.dll
                Filesize

                92KB

                MD5

                760aa6f15db378dda44f262e1349e28d

                SHA1

                9bb9a0caa54e8b2560245430f33985996b2d40f3

                SHA256

                ee04957d0010ca2134c4770b434b2fdec08a25400b474dd51f47d5d1dc8d574b

                SHA512

                c6cf081dc189d88c85d01832f5cb09ff42c1264d7d4c548a336a33b97ec0b0b24aeb25076fd24db7db2f7a7ced6eccc67d26497352f7eeb1d29bb9c0a59abce6

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\KeyScramblerLogon.exe
                Filesize

                500KB

                MD5

                c790ebfcb6a34953a371e32c9174fe46

                SHA1

                3ead08d8bbdb3afd851877cb50507b77ae18a4d8

                SHA256

                fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

                SHA512

                74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\KeyScramblerLogon.exe
                Filesize

                500KB

                MD5

                c790ebfcb6a34953a371e32c9174fe46

                SHA1

                3ead08d8bbdb3afd851877cb50507b77ae18a4d8

                SHA256

                fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

                SHA512

                74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\Languages\KSLangCHT.dll
                Filesize

                14KB

                MD5

                07e327539ff319611d858a4c9575ed02

                SHA1

                53d74091a51d96bb9b946a06803e16d3a9139df6

                SHA256

                d4afb96b37351ebbe9763fe0110a0859e62f6a065abfa840af5454505b3cd80e

                SHA512

                906a346bb8f5842a81a1b5f4fc54b71d9db9c390bcdc2dfbaf723eb40ad247c456fccc7a0fd77130c666dd80d2821de1e3487ad62528405a3ec86e503202bc67

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\Languages\KSLangJPN.dll
                Filesize

                14KB

                MD5

                bc5feb50bc7a25e4c08e3bcd8d2bc1c5

                SHA1

                fb703a62a503ce8a697e8d8c648f6c09408b2f53

                SHA256

                d52120ab6b006b1f5bda114129d78b7d11ff33e707c3e689cd6bc15dca836da9

                SHA512

                84699f9de5079fa6c89430d81c76cc89ffd73cc7a9ae2f1a6e5a92bbdb2db5de9461436fb134ce8ff5074b1eea7e56a72432e0e6595d9e141a44f0290e124214

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\QFXUpdateService.exe
                Filesize

                768KB

                MD5

                4ed21ae3ae981538ab61f199d4477b92

                SHA1

                d7266d30270bce21dffb62ed7f2e47fee9890fc2

                SHA256

                7053dae7f3d11cee5b0ca0363320104857c73aad6a0f2f9af398c2f4e607a95b

                SHA512

                f4768e7ccc73d5ae8f9da526875b12f571c36ba7c7c9d08aa1a455926a34560f11598f677242c5513ed750a384bd9b1107b57975487603f49e6c16eea92bcbdb

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\ReadMe.txt
                Filesize

                13KB

                MD5

                06a5df751eb0765e69bfb15e12f4c665

                SHA1

                7394bf7df2dda47bf8d55bfbc880d2a2316054ac

                SHA256

                8b9d97c137459a495936af47f5140fe75f795728a30e9ec3d8ac9c1cb2e5c65f

                SHA512

                aabd6aa18646192bd49e5343e0129e696b1e003a16e8205fd36aa863be9c97aadf9ac67bba96629d21ea5921e89ce6a401e74d9347aa77468f3854dc64e20558

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\Sounds\Error.wav
                Filesize

                35KB

                MD5

                efad8c5d6cc6cae180ebe01ce3a60c88

                SHA1

                614839975c1f07161f3c26ba2af08ae910b21c61

                SHA256

                acad74b9bb57809e1b35bc06f357941986ebdc547ba33fc618f07e6e7bdc49bd

                SHA512

                d404752e05ee803958a21b7fcadc0782ba36ea42eba84eae42eca6360df71822bc705eea6ef2caaa82e2fdcc518ba1cd94c04cc7e7e7739d32eb29dbffd2f51a

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\Sounds\Success.wav
                Filesize

                66KB

                MD5

                fd8177d61c8dd032dd262bf979d852f6

                SHA1

                ac64e21b7c80e996bcb369b6023bec4191568a52

                SHA256

                8dae19fc9c722a7fb169f37b5881e74551a8d3b8b43ec6f52b6d5d46e885ed6c

                SHA512

                39e75172a2b410eb25de87f06c57e1c583493f1885a39f2a410ce6437cc8e9d400a3e8e695cdcec63752840096637a16c1d875e43ce1c40e43553f16337ff835

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\Uninstall.exe
                Filesize

                72KB

                MD5

                eff839d29dbb06677a85117d036e29c6

                SHA1

                473823c718f3db95d27f14b783e68c08f13caded

                SHA256

                1b5cb8035b18d06b5219f2e7d30200ca343c0ce6763962c7c41534aecc2b1c80

                SHA512

                cb4fb2b054e3430df934cd30be220e13c2f86bf2dbc6e2a46d59fa4f7d9c6feca9cbc44fb1cc49bfae7aa39623d26d8f4510fa9a0584a1f64110cae87117aff3

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\dvqgwtu
                Filesize

                8B

                MD5

                f7332f8af707d8cd9a1036eb2d59a185

                SHA1

                0aaaf0d7ae6235b43c66d99c4173f478650942c6

                SHA256

                2eb4efdfc288e2ed49b54a2a53119bd7322289d0c9def0696a3f3166375083ac

                SHA512

                80beae3e505790148a621b448dd1470a10de3482402fd148819fb046e856583fa3e0ad0fbac6c9807a6e7d245aba49fafee4d347df4eabb7d9d45085471a54af

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\getting_started.html
                Filesize

                1KB

                MD5

                da033601ee343eaa7f5d609a854b4baa

                SHA1

                e279b127a9ce7582a626c29dd02a0b88ff10d966

                SHA256

                e4312722cf4e6e179f7c50e8fcc618d583a38ba71046aee2d67090d7a37ee5da

                SHA512

                b6c53aabc3c1c41d639f5877dc81dbf05145c8feb4101e20afd45dbafdc5f2af90394dda3c26836a34d4382135fbdcc899795a58a40d3974fcaff7f4f8002a9d

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\keyscrambler.ico
                Filesize

                39KB

                MD5

                fde5504bbf7620aca9f3850511c13a45

                SHA1

                484382ecc232cedc1651fba5f9311e9164f43369

                SHA256

                932409eb2abfc31f2dd218240de70a150359ea8ab09fcceb1f076b9a17c844b7

                SHA512

                6d67be9398fcc2b85fe4fd7357f37d6cfc1d3e548f713319080707c750b66d2b1e631c79a7e745c56b1a72be91735156e3989eff8d0b84c3442c0fa548c2a6b4

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\keyscrambler.sys
                Filesize

                225KB

                MD5

                9baf5236d65a36ed2c388cf04108ab9f

                SHA1

                f5e28edea04a00b5e8806130cd2736336c6e3792

                SHA256

                9e79960a40797c11a007d9c8e6a4bce721baf603f5d651f5485eb5481c717b12

                SHA512

                1fc899c37e628adbe05a53812e6106332de7dbef83ce72094dd228067eefa71d09abe55d250b35d93f7454b9596073de95af6700e543c17bb5d43e7de0fcac1b

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\license.htm
                Filesize

                6KB

                MD5

                fbe23ef8575dd46ea36f06dd627e94ab

                SHA1

                d80929568026e2d1db891742331229f1fd0c7e34

                SHA256

                104c6948b760b0dc6fb80f9283a7978229e8be4bab316fe5fa883dccc18dc8ab

                SHA512

                caba58d22a835c2a9a0c420129631add230ebbb16edc36b45766348f5c7d5e5c9f8dc2edd71622f8876f8777d3c797a3e6dd2da7ea1a743cbca73d1e4ad27d20

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\project.xml
                Filesize

                1KB

                MD5

                189dc774be74d9453606a7a80cd730e6

                SHA1

                1a70d362b8bd78cdfe7949f3438b346fe8c69adb

                SHA256

                3af50be8a1086fff8726686340b4a3883125406f20ac0f72396363891ecc26c6

                SHA512

                68679076938165c6bb669d5ac7fbe979ae34611b6eda3030eea5361872993c7922a705185ac4016e221ccd6220f8af31e0d3821241d410bbfe744e6c29588a9e

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\rbnctjaq
                Filesize

                1.8MB

                MD5

                910a3049862142fb2c612c15a7b5ffb5

                SHA1

                b37f61ad8d9c475f101679151a5ca54da8f57f02

                SHA256

                fbb4c72906410829a34f5f69352d29fdf03c8837774bb9bee804142804a20c33

                SHA512

                5ac978aa7ee2f82efd72579d2bd5886892467be28e3b44f810a1e3e8c4abd07a15701573857f5ba0cf3168f035d1f4d447662df943662bc156eb05e653307a84

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\files\script.au3
                Filesize

                925KB

                MD5

                8aee7a62c3c8220bc81ed2ff733b0259

                SHA1

                d6e36bdc8a3c7f0a21b0b4a71d9974a826525211

                SHA256

                f456b2a003a5c20952fd2c1f5b97b7ced9297b734475bcb9e15e68df3b2509cb

                SHA512

                00fab79996b6a2be16c11ed097c54fecc71b69db04a00fc929240e43f24ffcba7fe8900c4887e2c416a623a8e1e704a25685d526a064066c51dbc3578430cace

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\msiwrapper.ini
                Filesize

                1KB

                MD5

                395d671890e06c5a5cee88f965a42c49

                SHA1

                c4b31893412571cc68298312c0a7db9d90254279

                SHA256

                980484972e5bc6dd2fb505fa87e91475ae02285ad59334fc8c8e6ebeba4c42fb

                SHA512

                cb9fcb7881c83a03d29aa327d8680312f668c5c6c397ab118ae4dcf50478c1732e6902eb03a7dcc8334825ce3fb02a999e93397698d8af2dedb6f6510c1c5c9d

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\msiwrapper.ini
                Filesize

                1KB

                MD5

                96d73aceabae3bf10897a39a88501a06

                SHA1

                d83f563495888cbdaf441ec48562fef3edfb0c1e

                SHA256

                0ccb39a94a8c5bc7de524cd3d32b1d2a9c791d954253c990d0a24bd9416d4cf2

                SHA512

                95e654376c1fba74ce6f117b8dae37323f40e5da2cf0254497c5851c3bdfd00b19ba791bbdf33224c57a13c309e9af6f46fe0b140a586db4388e0a7ea83f9b82

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\msiwrapper.ini
                Filesize

                1KB

                MD5

                45994ddba91a9d9f395b6ec851415d82

                SHA1

                60b528c43c6e2b767ad476a21b461cc1a0361c8e

                SHA256

                9fbd349c5f76500e25a09f34f1d8edf99cbab720eed872b83c50280ea51a3bd4

                SHA512

                29358b8ae111f9c764913c6b924fc2dba62c1dacb8cccba50118c2be99452ac55db4ef1e695531ed4df87bf60a4f5bacab5897b5f884e1e3b7494be5ed195cca

                Download Submit

              • C:\Users\Admin\AppData\Local\Temp\MW-d425db52-8ecd-4b1b-b32b-39ae9742e4cc\msiwrapper.ini
                Filesize

                1KB

                MD5

                45994ddba91a9d9f395b6ec851415d82

                SHA1

                60b528c43c6e2b767ad476a21b461cc1a0361c8e

                SHA256

                9fbd349c5f76500e25a09f34f1d8edf99cbab720eed872b83c50280ea51a3bd4

                SHA512

                29358b8ae111f9c764913c6b924fc2dba62c1dacb8cccba50118c2be99452ac55db4ef1e695531ed4df87bf60a4f5bacab5897b5f884e1e3b7494be5ed195cca

                Download Submit

              • C:\Windows\Installer\MSI7901.tmp
                Filesize

                208KB

                MD5

                d82b3fb861129c5d71f0cd2874f97216

                SHA1

                f3fe341d79224126e950d2691d574d147102b18d

                SHA256

                107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

                SHA512

                244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

                Download Submit

              • C:\Windows\Installer\MSI7901.tmp
                Filesize

                208KB

                MD5

                d82b3fb861129c5d71f0cd2874f97216

                SHA1

                f3fe341d79224126e950d2691d574d147102b18d

                SHA256

                107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

                SHA512

                244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

                Download Submit

              • C:\Windows\Installer\MSI91DB.tmp
                Filesize

                208KB

                MD5

                d82b3fb861129c5d71f0cd2874f97216

                SHA1

                f3fe341d79224126e950d2691d574d147102b18d

                SHA256

                107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

                SHA512

                244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

                Download Submit

              • C:\Windows\Installer\MSI91DB.tmp
                Filesize

                208KB

                MD5

                d82b3fb861129c5d71f0cd2874f97216

                SHA1

                f3fe341d79224126e950d2691d574d147102b18d

                SHA256

                107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

                SHA512

                244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

                Download Submit

              • C:\temp\dkkdead
                Filesize

                4B

                MD5

                0c3d804e9cd08aaef80863bc4dd97063

                SHA1

                a5f14ae35fdb004dc2c032c4aec8445206b71e2d

                SHA256

                ca06e832e736d277a7268dd293916beab438f7765c1b00760f622b53332a46c6

                SHA512

                c6bb9d13683686c970d90f62d4a1a82743aeb8e7fffb735f934d2a1e542207a8748a84bb79a2667f41c77e43cc7e65793ee427fd0a71095453b23cb3ca7c34c5

                Download Submit

              • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
                Filesize

                23.0MB

                MD5

                0f6604350dac589dd79b00f6a8145166

                SHA1

                8c47e4c174d3bf072877bf1aad9d5711484b93c0

                SHA256

                6d2e365bc8b02c5bc1ad0c369ef93cad41ecfd371957a02b70a7e6efff641e39

                SHA512

                d54e2cda63f2790b504e82f1fee984be6ca4005eb36b194f98c577219ad932d0751feaeaf403e068a01e66ef8d8e02e09e98f5d303143fc838a6c615ea5afd94

                Download Submit

              • \??\Volume{990d5e2d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0e68b653-516d-44af-bc12-d9d1e5537b95}_OnDiskSnapshotProp
                Filesize

                6KB

                MD5

                c6eeb2a35fc9cea9061f8516ce7f7a93

                SHA1

                22688412167bd66926eededf5b1351e85497e629

                SHA256

                bde41b05f61ace19f128432e8610b80109bb300be5c13efd19c4eee599121c97

                SHA512

                3747b762d1b4d6e4c8603468a98256f77a0f3661c9cee9a6484e3180dcedd9b86e38fb7131c79486a3d2e9ce0f32e54072d4f6a8a32dcb447333b7ec9a229106

                Download Submit

              • \??\c:\temp\gdhakea.au3
                Filesize

                925KB

                MD5

                8aee7a62c3c8220bc81ed2ff733b0259

                SHA1

                d6e36bdc8a3c7f0a21b0b4a71d9974a826525211

                SHA256

                f456b2a003a5c20952fd2c1f5b97b7ced9297b734475bcb9e15e68df3b2509cb

                SHA512

                00fab79996b6a2be16c11ed097c54fecc71b69db04a00fc929240e43f24ffcba7fe8900c4887e2c416a623a8e1e704a25685d526a064066c51dbc3578430cace

                Download Submit

              • memory/1112-150-0x00000000031D0000-0x0000000003910000-memory.dmp

                Filesize

                7.2MB

                Download

              • memory/1112-156-0x0000000003910000-0x0000000003A05000-memory.dmp

                Filesize

                980KB

                Download

              • memory/1112-155-0x0000000000400000-0x0000000000490000-memory.dmp

                Filesize

                576KB

                Download

              • memory/1112-145-0x0000000000400000-0x0000000000490000-memory.dmp

                Filesize

                576KB

                Download

              • memory/2236-190-0x0000000004740000-0x0000000004B03000-memory.dmp

                Filesize

                3.8MB

                Download

              • memory/2236-161-0x0000000003E30000-0x0000000003F25000-memory.dmp

                Filesize

                980KB

                Download

              • memory/2236-210-0x0000000003E30000-0x0000000003F25000-memory.dmp

                Filesize

                980KB

                Download

              • memory/2236-214-0x0000000004740000-0x0000000004B03000-memory.dmp

                Filesize

                3.8MB

                Download

              • memory/2236-182-0x0000000004740000-0x0000000004B03000-memory.dmp

                Filesize

                3.8MB

                Download

              • memory/2236-781-0x0000000004740000-0x0000000004B03000-memory.dmp

                Filesize

                3.8MB

                Download

              • memory/2236-160-0x0000000001450000-0x0000000001850000-memory.dmp

                Filesize

                4.0MB

                Download

              • memory/2236-209-0x0000000001450000-0x0000000001850000-memory.dmp

                Filesize

                4.0MB

                Download

              • memory/4132-1993-0x0000000010510000-0x0000000010590000-memory.dmp

                Filesize

                512KB

                Download

              • memory/4132-1972-0x0000000010510000-0x0000000010590000-memory.dmp

                Filesize

                512KB

                Download

              • memory/4380-791-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4380-1382-0x0000000010490000-0x0000000010510000-memory.dmp

                Filesize

                512KB

                Download

              • memory/4380-1408-0x0000000010490000-0x0000000010510000-memory.dmp

                Filesize

                512KB

                Download

              • memory/4380-790-0x0000000000E10000-0x0000000000E11000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4488-806-0x0000000010410000-0x0000000010490000-memory.dmp

                Filesize

                512KB

                Download

              • memory/4488-193-0x0000000000E10000-0x0000000000E11000-memory.dmp

                Filesize

                4KB

                Download

              • memory/4488-780-0x0000000010410000-0x0000000010490000-memory.dmp

                Filesize

                512KB

                Download

              • memory/4488-194-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

                Filesize

                4KB

                Download