darkgate | be69add1213202bc7a038a2cfb2cf8ece07eeaaf163c2e17873c54d303e3abfa

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2023 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

p_terminal_x86_install.msi
Size

2.2MB
MD5

40804163b8e3cb4cfb6dc6984a1e228f
SHA1

41f971c1cbb03545225fa7816708bfb322fbba95
SHA256

be69add1213202bc7a038a2cfb2cf8ece07eeaaf163c2e17873c54d303e3abfa
SHA512

e1e751f0e82e464ab084222ba662aa9d756e4c99a60322dc52c39a216ceb68d94599c90fb98368ea3eb392a2ca8670bf449fb347855c7446db1045c3553d3c38
SSDEEP

49152:hpUPh/aSZVfoL5/esFPZPEN5YYCusbwy19m3zca16l+:hpg/NHAosF6N5YYubNjCM+

Score

10^/10

darkgate ioeooow8ur discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

ioeooow8ur

http://178.236.247.102

Attributes

alternative_c2_port
9999
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
27850
check_disk
true
check_ram
true
check_xeon
false
crypter_au3
true
crypter_dll
false
crypter_rawstub
false
crypto_key
tBtKaLevvIIJyE
internal_mutex
cbdKcC
minimum_disk
50
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
ioeooow8ur

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 4 IoCs

description	pid	Process	procid_target
PID 4304 created 2852	4304	Autoit3.exe	67
PID 1296 created 3692	1296	TabTip32.exe	36
PID 1296 created 3604	1296	TabTip32.exe	60
PID 1296 created 5148	1296	TabTip32.exe	119

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkhgfec.lnk	TabTip32.exe

Executes dropped EXE 2 IoCs

pid	Process
3308	KeyScramblerLogon.exe
4304	Autoit3.exe

Loads dropped DLL 4 IoCs

pid	Process
4752	MsiExec.exe
3308	KeyScramblerLogon.exe
3308	KeyScramblerLogon.exe
4752	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3556	ICACLS.EXE
1624	ICACLS.EXE

Blocklisted process makes network request 3 IoCs

flow	pid	Process
6	1368	msiexec.exe
7	1368	msiexec.exe
9	1368	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI5BF6.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIBD12.tmp	msiexec.exe
File created	C:\Windows\Installer\e5858f8.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIBD61.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e5858f8.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{CF2847B4-D959-447A-BFC9-FD13573DA518}	msiexec.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
5788	5740	WerFault.exe	116
4496	5740	WerFault.exe	116

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0006000000023324-172.dat	nsis_installer_1
behavioral2/files/0x0006000000023324-172.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d5202569a554c8040000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d52025690000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d5202569000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd5202569000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d520256900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	KeyScramblerLogon.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TabTip32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TabTip32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TabTip32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TabTip32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TabTip32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	KeyScramblerLogon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TabTip32.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	KeyScramblerLogon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	KeyScramblerLogon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	KeyScramblerLogon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	KeyScramblerLogon.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2344688013-2965468717-2034126-1000_Classes\Local Settings\MuiCache	StartMenuExperienceHost.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4192	msiexec.exe
4192	msiexec.exe
4304	Autoit3.exe
4304	Autoit3.exe
4304	Autoit3.exe
4304	Autoit3.exe
4304	Autoit3.exe
4304	Autoit3.exe
1296	TabTip32.exe
1296	TabTip32.exe
1296	TabTip32.exe
1296	TabTip32.exe
1296	TabTip32.exe
1296	TabTip32.exe
1296	TabTip32.exe
1296	TabTip32.exe
5148	TabTip32.exe
5148	TabTip32.exe
6672	TabTip32.exe
6672	TabTip32.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1368	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1368	msiexec.exe
Token: SeSecurityPrivilege	4192	msiexec.exe
Token: SeCreateTokenPrivilege	1368	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1368	msiexec.exe
Token: SeLockMemoryPrivilege	1368	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1368	msiexec.exe
Token: SeMachineAccountPrivilege	1368	msiexec.exe
Token: SeTcbPrivilege	1368	msiexec.exe
Token: SeSecurityPrivilege	1368	msiexec.exe
Token: SeTakeOwnershipPrivilege	1368	msiexec.exe
Token: SeLoadDriverPrivilege	1368	msiexec.exe
Token: SeSystemProfilePrivilege	1368	msiexec.exe
Token: SeSystemtimePrivilege	1368	msiexec.exe
Token: SeProfSingleProcessPrivilege	1368	msiexec.exe
Token: SeIncBasePriorityPrivilege	1368	msiexec.exe
Token: SeCreatePagefilePrivilege	1368	msiexec.exe
Token: SeCreatePermanentPrivilege	1368	msiexec.exe
Token: SeBackupPrivilege	1368	msiexec.exe
Token: SeRestorePrivilege	1368	msiexec.exe
Token: SeShutdownPrivilege	1368	msiexec.exe
Token: SeDebugPrivilege	1368	msiexec.exe
Token: SeAuditPrivilege	1368	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1368	msiexec.exe
Token: SeChangeNotifyPrivilege	1368	msiexec.exe
Token: SeRemoteShutdownPrivilege	1368	msiexec.exe
Token: SeUndockPrivilege	1368	msiexec.exe
Token: SeSyncAgentPrivilege	1368	msiexec.exe
Token: SeEnableDelegationPrivilege	1368	msiexec.exe
Token: SeManageVolumePrivilege	1368	msiexec.exe
Token: SeImpersonatePrivilege	1368	msiexec.exe
Token: SeCreateGlobalPrivilege	1368	msiexec.exe
Token: SeBackupPrivilege	5000	vssvc.exe
Token: SeRestorePrivilege	5000	vssvc.exe
Token: SeAuditPrivilege	5000	vssvc.exe
Token: SeBackupPrivilege	4192	msiexec.exe
Token: SeRestorePrivilege	4192	msiexec.exe
Token: SeRestorePrivilege	4192	msiexec.exe
Token: SeTakeOwnershipPrivilege	4192	msiexec.exe
Token: SeRestorePrivilege	4192	msiexec.exe
Token: SeTakeOwnershipPrivilege	4192	msiexec.exe
Token: SeBackupPrivilege	4088	srtasks.exe
Token: SeRestorePrivilege	4088	srtasks.exe
Token: SeSecurityPrivilege	4088	srtasks.exe
Token: SeTakeOwnershipPrivilege	4088	srtasks.exe
Token: SeRestorePrivilege	4192	msiexec.exe
Token: SeTakeOwnershipPrivilege	4192	msiexec.exe
Token: SeRestorePrivilege	4192	msiexec.exe
Token: SeTakeOwnershipPrivilege	4192	msiexec.exe
Token: SeBackupPrivilege	4088	srtasks.exe
Token: SeRestorePrivilege	4088	srtasks.exe
Token: SeSecurityPrivilege	4088	srtasks.exe
Token: SeTakeOwnershipPrivilege	4088	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1368	msiexec.exe
1368	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
7764	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4192 wrote to memory of 4088	4192	msiexec.exe	102
PID 4192 wrote to memory of 4088	4192	msiexec.exe	102
PID 4192 wrote to memory of 4752	4192	msiexec.exe	104
PID 4192 wrote to memory of 4752	4192	msiexec.exe	104
PID 4192 wrote to memory of 4752	4192	msiexec.exe	104
PID 4752 wrote to memory of 3556	4752	MsiExec.exe	105
PID 4752 wrote to memory of 3556	4752	MsiExec.exe	105
PID 4752 wrote to memory of 3556	4752	MsiExec.exe	105
PID 4752 wrote to memory of 1936	4752	MsiExec.exe	108
PID 4752 wrote to memory of 1936	4752	MsiExec.exe	108
PID 4752 wrote to memory of 1936	4752	MsiExec.exe	108
PID 4752 wrote to memory of 3308	4752	MsiExec.exe	111
PID 4752 wrote to memory of 3308	4752	MsiExec.exe	111
PID 4752 wrote to memory of 3308	4752	MsiExec.exe	111
PID 3308 wrote to memory of 4304	3308	KeyScramblerLogon.exe	112
PID 3308 wrote to memory of 4304	3308	KeyScramblerLogon.exe	112
PID 3308 wrote to memory of 4304	3308	KeyScramblerLogon.exe	112
PID 4752 wrote to memory of 1624	4752	MsiExec.exe	113
PID 4752 wrote to memory of 1624	4752	MsiExec.exe	113
PID 4752 wrote to memory of 1624	4752	MsiExec.exe	113
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115
PID 4304 wrote to memory of 1296	4304	Autoit3.exe	115

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3692
- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"
  2⤵
  PID:5740
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 472
    3⤵
    - Program crash
    PID:5788
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 5740 -s 456
    3⤵
    - Program crash
    PID:4496

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\p_terminal_x86_install.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1368

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3604
- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5148
- - C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
    "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"
    3⤵
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    PID:6672

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2852
- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1296

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4192
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 8900FA07D76A69E4481074BE4F0A42C1
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4752
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:3556
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:1936
- - C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\KeyScramblerLogon.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\KeyScramblerLogon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\Autoit3.exe
      "C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\Autoit3.exe" C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\script.au3
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:4304
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:1624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5000

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 5740 -ip 5740
1⤵
PID:4212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5740 -ip 5740
1⤵
PID:1760

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:7764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bebdced\bgdfacd\heekbbb

Filesize
135B

MD5
c2b00bb2fd0ac6c3ce301f0315a66475

SHA1
335da8fdb5cdd2ada03e82498152b25ca156a388

SHA256
4fba2ac0fe09c2f93533ca199a50ba8ce9c331ef2422e88505909aeaa38e0ec3

SHA512
a3df56c268c4c16f58a716988eb2ca66b819efb08616b37ce6242a54182a82bb4f10baada7860d4877e2c03015557e212e0fc6917a28503c577404f4237d1d6f

Download Submit
C:\ProgramData\bebdced\bgdfacd\heekbbb

Filesize
135B

MD5
31cc26516fecbe017b339cc9bdc5e374

SHA1
17f55c5349f202d9b7279ab528917b070954e570

SHA256
87b23c5874c867c0d02e95850500462116f56e184bd46042e92612758a32e06f

SHA512
d2436d4d4865af62c855b044060c7bba54f9257c52c7d1a1fec6031188bf6dc36f782bdfc7732d2d2d1ef3ede914beabfa0a618f711a0cc9f3eb2faebe8e0f8f

Download Submit
C:\ProgramData\bebdced\bgdfacd\heekbbb

Filesize
135B

MD5
bcd256beea3c57148c6834c4887d965a

SHA1
e34a5aacbc5044301f1b79f353f7183c30bb2cd4

SHA256
996ba7285ff7c401c7866c649d86ab71374dcfb5578e8c6e000698ab7a7c9d97

SHA512
9f1b989803d7519f48da9265c65b9aed849a452e52cec9fc589c9c8082cfeb186d667ed042cdaaed981576320565b2bb865e6c02bc3e2aa92890ea747fdee050

Download Submit
C:\ProgramData\bebdced\hbdcebc.au3

Filesize
933KB

MD5
d878ebf8585dda658efb355726500b43

SHA1
206b8ac8b7687d7f371b797ca90e4825a901f38c

SHA256
0f1358f7bcdac2e74192e6a863a31d72472f489526d7a6c3b2d75b2fa6d25fcc

SHA512
06161bdc6b3155ce725631bef8a2e6fb4dac4522b5c6db16d0ccfdb9675295db12dcbc3913feb65e6cad7d23f9cc11a194583b5dfb44b675e79a26a50253a2df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_90CA53BF93380499933443132F1E0073

Filesize
1KB

MD5
98ae020fc14fac80edc63dbf6082a5da

SHA1
e32406596ffca4678e6f918c300db29abad5f83e

SHA256
0f8a6ae54c6b53e546b03b15ac2f708102032edebb5674b470eab76592ae2564

SHA512
81e32923819b7e01983c4d20305664a1116bd77aa02a45ecda76ba64924e05b26c0d6187f67bd3fdf839d30267837713582240868fa03d040984cc9288051931

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
047195c4ef848bca8543cd81c95f2a65

SHA1
263e86fa8d529cfeb22a85ead8b7d90556d0e098

SHA256
90f93341d0bc56243747bae0f9d405b9af442afb42b0d4dac2039baedd4cf5ca

SHA512
eb911ce40ea7ece8e97f5e40144e872a8be3d292fe2d620e10cc50c152400f9cd12d4c531b120cb605cf280abf6b0a9478b72d57964d73e511c74cee50eb9427

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_90CA53BF93380499933443132F1E0073

Filesize
540B

MD5
16e43c9709297387ecd5935473a45248

SHA1
83e1d0b6dcc73b6cf2ee7ec48be32e1c2186c320

SHA256
73ef2a8dda0f3efddeb25a2f4bdfa0be5aeb84c21ef84f34d0891ab5d08e8217

SHA512
c6ef12f73fc3a343d9a749a768bd0cf4ddc61886bcf3ac1849e51e8fe2e5fbcfdeb6fb8e28af7a2a3deae627111439e5ccc56f5da67264e7a5a7b2cae4034fa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
f310be4196e5d13f419ceeed038ccc63

SHA1
a9f7ee0b27081db9354b779ee8efdd8cfdbb0438

SHA256
997257ab04e38ab6227a1b2c3563d80baea2d9fcd67347bf3fc6734a1072d36e

SHA512
f4f632497274602bf6799e9e68ed565d5755a6ea59f762d767f0e251b9276b8a74db23174d7c39b76057bd260d9fff18b066107123e6bbad4230d87cb1dac5ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files.cab

Filesize
1.9MB

MD5
13a7c70d662f83aec639881aa9abe54d

SHA1
3b10a2e499b368d274f6e3a2d93bc48d81d74307

SHA256
f7007063a4c457c8f3646c5dd48fe90f0cf16cf257d50048eec7ea99f0410e32

SHA512
0b16dafdc50aff712b0c8550a0268e690b3e8cae2ab8c0d1969ea4717d296d7ea7839da0180d7acafd1279d077a18a956f139d595e0c21b3206bd80ba914b937

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\EMCOMSI.pbproj

Filesize
28KB

MD5
2d190d00ca9f4a0da4ea26e6da13307e

SHA1
72cfa041994c30b527cc7f1cf6f4f5877edb35b9

SHA256
7c22e0a9afe2f9f4724711c456a049a113cc600d55167598be17ba1ab5124025

SHA512
e16e6bc6e164a40efc47d6cdb7ddd2bcbffe4760c8ad1eec21dcba2d1d3f61d688b26e89d454c24b89847d26aaf824fdb5b9b18a7ae85612c1e3a255021ec5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\KeyScramblerIE.DLL

Filesize
535KB

MD5
50ef3b54ac9f90677632f72c797126b4

SHA1
f4195b1cc0327835ac68e10dcaa560a300a05ce9

SHA256
ea16cb51139082c0b10ae0c1f5565c2ff27b753b947752aed9f8867b5ed58755

SHA512
ee56be4366dfe505cff335a2a035638c9d85bf7761a40032072a2773ea903bb3127d3f0a6ffd04ea6e8a1666ecaef5ed55e65d422e92715c9475eb7b1271f07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\KeyScramblerIE.dll

Filesize
535KB

MD5
50ef3b54ac9f90677632f72c797126b4

SHA1
f4195b1cc0327835ac68e10dcaa560a300a05ce9

SHA256
ea16cb51139082c0b10ae0c1f5565c2ff27b753b947752aed9f8867b5ed58755

SHA512
ee56be4366dfe505cff335a2a035638c9d85bf7761a40032072a2773ea903bb3127d3f0a6ffd04ea6e8a1666ecaef5ed55e65d422e92715c9475eb7b1271f07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\KeyScramblerIE.dll

Filesize
535KB

MD5
50ef3b54ac9f90677632f72c797126b4

SHA1
f4195b1cc0327835ac68e10dcaa560a300a05ce9

SHA256
ea16cb51139082c0b10ae0c1f5565c2ff27b753b947752aed9f8867b5ed58755

SHA512
ee56be4366dfe505cff335a2a035638c9d85bf7761a40032072a2773ea903bb3127d3f0a6ffd04ea6e8a1666ecaef5ed55e65d422e92715c9475eb7b1271f07d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\KeyScramblerLogon.dll

Filesize
92KB

MD5
760aa6f15db378dda44f262e1349e28d

SHA1
9bb9a0caa54e8b2560245430f33985996b2d40f3

SHA256
ee04957d0010ca2134c4770b434b2fdec08a25400b474dd51f47d5d1dc8d574b

SHA512
c6cf081dc189d88c85d01832f5cb09ff42c1264d7d4c548a336a33b97ec0b0b24aeb25076fd24db7db2f7a7ced6eccc67d26497352f7eeb1d29bb9c0a59abce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\Languages\KSLangCHT.dll

Filesize
14KB

MD5
07e327539ff319611d858a4c9575ed02

SHA1
53d74091a51d96bb9b946a06803e16d3a9139df6

SHA256
d4afb96b37351ebbe9763fe0110a0859e62f6a065abfa840af5454505b3cd80e

SHA512
906a346bb8f5842a81a1b5f4fc54b71d9db9c390bcdc2dfbaf723eb40ad247c456fccc7a0fd77130c666dd80d2821de1e3487ad62528405a3ec86e503202bc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\Languages\KSLangJPN.dll

Filesize
14KB

MD5
bc5feb50bc7a25e4c08e3bcd8d2bc1c5

SHA1
fb703a62a503ce8a697e8d8c648f6c09408b2f53

SHA256
d52120ab6b006b1f5bda114129d78b7d11ff33e707c3e689cd6bc15dca836da9

SHA512
84699f9de5079fa6c89430d81c76cc89ffd73cc7a9ae2f1a6e5a92bbdb2db5de9461436fb134ce8ff5074b1eea7e56a72432e0e6595d9e141a44f0290e124214

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\QFXUpdateService.exe

Filesize
768KB

MD5
4ed21ae3ae981538ab61f199d4477b92

SHA1
d7266d30270bce21dffb62ed7f2e47fee9890fc2

SHA256
7053dae7f3d11cee5b0ca0363320104857c73aad6a0f2f9af398c2f4e607a95b

SHA512
f4768e7ccc73d5ae8f9da526875b12f571c36ba7c7c9d08aa1a455926a34560f11598f677242c5513ed750a384bd9b1107b57975487603f49e6c16eea92bcbdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\ReadMe.txt

Filesize
13KB

MD5
06a5df751eb0765e69bfb15e12f4c665

SHA1
7394bf7df2dda47bf8d55bfbc880d2a2316054ac

SHA256
8b9d97c137459a495936af47f5140fe75f795728a30e9ec3d8ac9c1cb2e5c65f

SHA512
aabd6aa18646192bd49e5343e0129e696b1e003a16e8205fd36aa863be9c97aadf9ac67bba96629d21ea5921e89ce6a401e74d9347aa77468f3854dc64e20558

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\Sounds\Error.wav

Filesize
35KB

MD5
efad8c5d6cc6cae180ebe01ce3a60c88

SHA1
614839975c1f07161f3c26ba2af08ae910b21c61

SHA256
acad74b9bb57809e1b35bc06f357941986ebdc547ba33fc618f07e6e7bdc49bd

SHA512
d404752e05ee803958a21b7fcadc0782ba36ea42eba84eae42eca6360df71822bc705eea6ef2caaa82e2fdcc518ba1cd94c04cc7e7e7739d32eb29dbffd2f51a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\Sounds\Success.wav

Filesize
66KB

MD5
fd8177d61c8dd032dd262bf979d852f6

SHA1
ac64e21b7c80e996bcb369b6023bec4191568a52

SHA256
8dae19fc9c722a7fb169f37b5881e74551a8d3b8b43ec6f52b6d5d46e885ed6c

SHA512
39e75172a2b410eb25de87f06c57e1c583493f1885a39f2a410ce6437cc8e9d400a3e8e695cdcec63752840096637a16c1d875e43ce1c40e43553f16337ff835

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\Uninstall.exe

Filesize
72KB

MD5
eff839d29dbb06677a85117d036e29c6

SHA1
473823c718f3db95d27f14b783e68c08f13caded

SHA256
1b5cb8035b18d06b5219f2e7d30200ca343c0ce6763962c7c41534aecc2b1c80

SHA512
cb4fb2b054e3430df934cd30be220e13c2f86bf2dbc6e2a46d59fa4f7d9c6feca9cbc44fb1cc49bfae7aa39623d26d8f4510fa9a0584a1f64110cae87117aff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\easqvgvm

Filesize
1.8MB

MD5
306b7d7cb7f625223c8730f50ec85edf

SHA1
229f89edb9e1794882e11568c943787429e8cac8

SHA256
d6887921e0dc160a622b0566b86ef3bf87cf2796b7660cfdfd0e302a035e7b4c

SHA512
3475bb647089ff652a90624312052917dfd3ecaf073a491c057af37fa115eb63ec8e916070187310b4d9696d72853ca6376d8ddc65ff576a4ef4dcecfda1d88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\getting_started.html

Filesize
1KB

MD5
da033601ee343eaa7f5d609a854b4baa

SHA1
e279b127a9ce7582a626c29dd02a0b88ff10d966

SHA256
e4312722cf4e6e179f7c50e8fcc618d583a38ba71046aee2d67090d7a37ee5da

SHA512
b6c53aabc3c1c41d639f5877dc81dbf05145c8feb4101e20afd45dbafdc5f2af90394dda3c26836a34d4382135fbdcc899795a58a40d3974fcaff7f4f8002a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\keyscrambler.ico

Filesize
39KB

MD5
fde5504bbf7620aca9f3850511c13a45

SHA1
484382ecc232cedc1651fba5f9311e9164f43369

SHA256
932409eb2abfc31f2dd218240de70a150359ea8ab09fcceb1f076b9a17c844b7

SHA512
6d67be9398fcc2b85fe4fd7357f37d6cfc1d3e548f713319080707c750b66d2b1e631c79a7e745c56b1a72be91735156e3989eff8d0b84c3442c0fa548c2a6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\keyscrambler.sys

Filesize
225KB

MD5
9baf5236d65a36ed2c388cf04108ab9f

SHA1
f5e28edea04a00b5e8806130cd2736336c6e3792

SHA256
9e79960a40797c11a007d9c8e6a4bce721baf603f5d651f5485eb5481c717b12

SHA512
1fc899c37e628adbe05a53812e6106332de7dbef83ce72094dd228067eefa71d09abe55d250b35d93f7454b9596073de95af6700e543c17bb5d43e7de0fcac1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\license.htm

Filesize
6KB

MD5
fbe23ef8575dd46ea36f06dd627e94ab

SHA1
d80929568026e2d1db891742331229f1fd0c7e34

SHA256
104c6948b760b0dc6fb80f9283a7978229e8be4bab316fe5fa883dccc18dc8ab

SHA512
caba58d22a835c2a9a0c420129631add230ebbb16edc36b45766348f5c7d5e5c9f8dc2edd71622f8876f8777d3c797a3e6dd2da7ea1a743cbca73d1e4ad27d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\project.xml

Filesize
1KB

MD5
189dc774be74d9453606a7a80cd730e6

SHA1
1a70d362b8bd78cdfe7949f3438b346fe8c69adb

SHA256
3af50be8a1086fff8726686340b4a3883125406f20ac0f72396363891ecc26c6

SHA512
68679076938165c6bb669d5ac7fbe979ae34611b6eda3030eea5361872993c7922a705185ac4016e221ccd6220f8af31e0d3821241d410bbfe744e6c29588a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\script.au3

Filesize
921KB

MD5
07635b3f8a24f950159abc1459500de4

SHA1
a27bd83122bd4fc70b398fa564240f68771fd3a5

SHA256
1571f02b9f471e3ad77c8042cbe509920e0d4fd2ae7e3d79e69289955b035066

SHA512
bb9bcdb07d5f792f2266411f8370ffbf46614774e6b22427ff1dee131a1cfac9b4685bc375691b71c18dd5f621c1644ddb3d70d1b01f3a17a5b6fcf4abb28126

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\files\symbnlb

Filesize
8B

MD5
8ba3039d9f1ffb901efab50057252658

SHA1
ea72613037f67be08c835017b35799e58ad4fdd8

SHA256
22f1de41df782e77dc6590f1b7e788ca4f8b3a013b05a93b0546483e43445aaf

SHA512
019dc28eb97100b1c474bf4cf0b6ab089170b87113a9fbb2af1a10b2e9609df172056c7a7801b354571e7dc8465de5b766c5b318715fbc0bd36b1ef4e90fdff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\msiwrapper.ini

Filesize
1KB

MD5
84eda898533b603e7e988c48e271eb1e

SHA1
8631e1bf159ebbebdc7de0f45fba450d337e91c7

SHA256
b70369d1beb25ed8ab38a86fa90d37271e6afc484246615bd37aaa59f0239fbf

SHA512
b61ddc00ce7c55d334dbbd2d2e354b5829cb3f3bcc5223c66074011baef03769a3c3e14aaaaf56d9c6f6d3982872e21cb20e1993ffde10285505c44759c986ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\msiwrapper.ini

Filesize
458B

MD5
8a12216922210baffc79f5fd2c5c3c7e

SHA1
d7ef578865b2184a89880123c58aa571695cd9fc

SHA256
ec33ff997937bb7ea018e10640629738800367265a8f53a9cf0f00151bfcc567

SHA512
76a914785c8a0691a757ff947465a1bbe5c9b6300d1464d5d7869ecaafa71e926bc322bb3136fc3d33d35ef835982affd2bec49d01f87ecc63b5fc70db7f2327

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\msiwrapper.ini

Filesize
1KB

MD5
20cdf9898e65c86ee018925a959db6f6

SHA1
d8fa0bebabbd2de78dfea306dd3795f20445f892

SHA256
b5cdb8e09f485fb89e5ca1ffe4e21b176d6ab236abf4db79a3d9462948edfb33

SHA512
7fc73675fa6666c59291855db622c11b4888ec7c2a5462222cb8eee7522b1e126b3d086de22b167eb123714db7ad18bebbf5916e5d66de46e657d47f421aad6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-301e7a24-b103-437a-8841-1f3f081f85c8\msiwrapper.ini

Filesize
1KB

MD5
20cdf9898e65c86ee018925a959db6f6

SHA1
d8fa0bebabbd2de78dfea306dd3795f20445f892

SHA256
b5cdb8e09f485fb89e5ca1ffe4e21b176d6ab236abf4db79a3d9462948edfb33

SHA512
7fc73675fa6666c59291855db622c11b4888ec7c2a5462222cb8eee7522b1e126b3d086de22b167eb123714db7ad18bebbf5916e5d66de46e657d47f421aad6c

Download Submit
C:\Windows\Installer\MSI5BF6.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI5BF6.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIBD61.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIBD61.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
23b2233bf80c06c3157e114d55334c5f

SHA1
278d7230e226802ebd0467b4bc7c1e83d089761b

SHA256
488ebdf6ce27023b854b1909d23081cec334fe17736eb202eb612fb9ebb9986a

SHA512
80457ea06e7d3605b9c0e47366cf3057b9ec04622595d19d2990d99421354505ec5a8d64f79da54a46c8376918abbe683cd8bc93095a4e49028786bef89fc11f

Download Submit
\??\Volume{692520d5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c2a11e26-f12f-441d-9270-588269747590}_OnDiskSnapshotProp

Filesize
5KB

MD5
afe1795211102030b7871281d7ecefc2

SHA1
138ed097ba4ea86abcf173248b00f205c38725e6

SHA256
ac5ab8cb68f7aec3af7eb0cc08ad0d7023f490a6f215b53c8294c7fff47f642d

SHA512
7b57e8dfac883938ff62ddfe472987059487d209f9e62630dd16e5a6c5f10634573ad882ef47a6ce1708ece146cdd2ef999f543e034a246147f0a8f32d7c5ad5

Download Submit
\??\c:\temp\ckbgbbe

Filesize
4B

MD5
dd1a5a7f6a058ffbaa513886046548ac

SHA1
f8f8602e371d79690c26e24e9871a63538765808

SHA256
14bf312b1d8646fc8c18c335e01bc81fca81ec5bf73e30e0b1644da8d10916d1

SHA512
aa54a56554568ea11d6f26ab82071f1d820038dcc164f17ee6c65094b8e15a3c6a8d275e13666a4060aa5a88f03511e1078e15d2852911d47a5ba12112552a3b

Download Submit
\??\c:\temp\ckbgbbe

Filesize
4B

MD5
2e0a09b0229b063fddd1dfa43ff85838

SHA1
9b88e99a272c71ef9749ca14c833b630d7f7a235

SHA256
3d5bcefd70f2d19fe2158002ba6df3961699aacd4d8fff66b8788a3954e076b0

SHA512
3f1999fc6f394fd3d9dea68249e2660def44a8171d6c556579b3c9c319bf69a166b75c8719c84f4f48c66108c14a304408b5d020ece6c06672b83c17597fc94b

Download Submit
\??\c:\temp\hbdcebc.au3

Filesize
921KB

MD5
07635b3f8a24f950159abc1459500de4

SHA1
a27bd83122bd4fc70b398fa564240f68771fd3a5

SHA256
1571f02b9f471e3ad77c8042cbe509920e0d4fd2ae7e3d79e69289955b035066

SHA512
bb9bcdb07d5f792f2266411f8370ffbf46614774e6b22427ff1dee131a1cfac9b4685bc375691b71c18dd5f621c1644ddb3d70d1b01f3a17a5b6fcf4abb28126

Download Submit
memory/1296-816-0x0000000010410000-0x0000000010490000-memory.dmp

Filesize
512KB

Download
memory/1296-192-0x0000000000920000-0x0000000000921000-memory.dmp

Filesize
4KB

Download
memory/1296-193-0x0000000000C40000-0x0000000000C41000-memory.dmp

Filesize
4KB

Download
memory/1296-776-0x0000000010410000-0x0000000010490000-memory.dmp

Filesize
512KB

Download
memory/3308-142-0x00000000009C0000-0x0000000000A50000-memory.dmp

Filesize
576KB

Download
memory/3308-157-0x0000000003360000-0x0000000003455000-memory.dmp

Filesize
980KB

Download
memory/3308-152-0x00000000009C0000-0x0000000000A50000-memory.dmp

Filesize
576KB

Download
memory/3308-151-0x0000000003360000-0x0000000003455000-memory.dmp

Filesize
980KB

Download
memory/3308-150-0x0000000002960000-0x0000000003090000-memory.dmp

Filesize
7.2MB

Download
memory/4304-198-0x0000000004840000-0x0000000004C03000-memory.dmp

Filesize
3.8MB

Download
memory/4304-179-0x0000000003F50000-0x0000000004045000-memory.dmp

Filesize
980KB

Download
memory/4304-190-0x0000000001390000-0x0000000001790000-memory.dmp

Filesize
4.0MB

Download
memory/4304-195-0x0000000003F50000-0x0000000004045000-memory.dmp

Filesize
980KB

Download
memory/4304-178-0x0000000001390000-0x0000000001790000-memory.dmp

Filesize
4.0MB

Download
memory/4304-187-0x0000000004840000-0x0000000004C03000-memory.dmp

Filesize
3.8MB

Download
memory/4304-181-0x0000000004840000-0x0000000004C03000-memory.dmp

Filesize
3.8MB

Download
memory/4304-790-0x0000000004840000-0x0000000004C03000-memory.dmp

Filesize
3.8MB

Download
memory/5148-1987-0x0000000010510000-0x0000000010590000-memory.dmp

Filesize
512KB

Download
memory/5148-2010-0x0000000010510000-0x0000000010590000-memory.dmp

Filesize
512KB

Download
memory/5740-1381-0x0000000010490000-0x0000000010510000-memory.dmp

Filesize
512KB

Download
memory/5740-794-0x00000000010B0000-0x00000000010B1000-memory.dmp

Filesize
4KB

Download
memory/5740-791-0x0000000000DF0000-0x0000000000DF1000-memory.dmp

Filesize
4KB

Download
memory/6672-2574-0x0000000010590000-0x0000000010610000-memory.dmp

Filesize
512KB

Download
memory/6672-2599-0x0000000010590000-0x0000000010610000-memory.dmp

Filesize
512KB

Download