darkgate | 4b43e46ada9ab339f93065a0941356523b96906becfdce37779629f6f57852d0

Analysis

max time kernel
152s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
14-10-2023 03:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

510af6dd87757c71cf084db4d924f5c7b6ff8cdfffc5084b98256b42078bcd5f.msi
Size

2.2MB
MD5

eb6c9dd67ac627ad54d1d9d98f6b779b
SHA1

253d0ec6919bffc194e1574806e3c8b1a7e7fcfc
SHA256

510af6dd87757c71cf084db4d924f5c7b6ff8cdfffc5084b98256b42078bcd5f
SHA512

9ba437b075964d45f1f48f5fdfae4259d7480dfbc511ca567d054c0ec5c56df4a90867ed00d1955d2686100a12ad91c11136c7a657d85146578fe9251e094bc0
SSDEEP

49152:ypUPhpzVy45pV1KnCx9HYMLEnYnHzIEdsvtyOABCRv4hMh:ypgpzVhpTKnC/4MLEizIbtUBCRv4q

Score

10^/10

darkgate ioeooow8ur discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

ioeooow8ur

http://178.236.247.102

Attributes

alternative_c2_port
9999
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
27850
check_disk
true
check_ram
true
check_xeon
false
crypter_au3
true
crypter_dll
false
crypter_rawstub
false
crypto_key
RjRZGzBFKKciHs
internal_mutex
cbdKcC
minimum_disk
50
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
ioeooow8ur

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs

description	pid	Process	procid_target
PID 3680 created 3812	3680	Autoit3.exe	39
PID 2700 created 3012	2700	TabTip32.exe	46
PID 2700 created 3708	2700	TabTip32.exe	40

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bkhgfec.lnk	TabTip32.exe

Executes dropped EXE 2 IoCs

pid	Process
4728	KeyScramblerLogon.exe
3680	Autoit3.exe

Loads dropped DLL 3 IoCs

pid	Process
1780	MsiExec.exe
4728	KeyScramblerLogon.exe
1780	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3928	ICACLS.EXE
660	ICACLS.EXE

Blocklisted process makes network request 3 IoCs

flow	pid	Process
10	3920	msiexec.exe
12	3920	msiexec.exe
20	3920	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e5951c0.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1E03555A-C16C-42E9-81FA-9AF03EFBD089}	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI995A.tmp	msiexec.exe
File created	C:\Windows\Installer\e5951c0.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI574E.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI9959.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
6500	2744	WerFault.exe	115

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023218-171.dat	nsis_installer_1
behavioral2/files/0x0007000000023218-171.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d5202569a554c8040000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d52025690000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d5202569000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd5202569000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d520256900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TabTip32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TabTip32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TabTip32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TabTip32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	KeyScramblerLogon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	KeyScramblerLogon.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	KeyScramblerLogon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	KeyScramblerLogon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	KeyScramblerLogon.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	KeyScramblerLogon.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
468	msiexec.exe
468	msiexec.exe
3680	Autoit3.exe
3680	Autoit3.exe
3680	Autoit3.exe
3680	Autoit3.exe
3680	Autoit3.exe
3680	Autoit3.exe
2700	TabTip32.exe
2700	TabTip32.exe
2700	TabTip32.exe
2700	TabTip32.exe
2700	TabTip32.exe
2700	TabTip32.exe
1212	TabTip32.exe
1212	TabTip32.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3920	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3920	msiexec.exe
Token: SeSecurityPrivilege	468	msiexec.exe
Token: SeCreateTokenPrivilege	3920	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3920	msiexec.exe
Token: SeLockMemoryPrivilege	3920	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3920	msiexec.exe
Token: SeMachineAccountPrivilege	3920	msiexec.exe
Token: SeTcbPrivilege	3920	msiexec.exe
Token: SeSecurityPrivilege	3920	msiexec.exe
Token: SeTakeOwnershipPrivilege	3920	msiexec.exe
Token: SeLoadDriverPrivilege	3920	msiexec.exe
Token: SeSystemProfilePrivilege	3920	msiexec.exe
Token: SeSystemtimePrivilege	3920	msiexec.exe
Token: SeProfSingleProcessPrivilege	3920	msiexec.exe
Token: SeIncBasePriorityPrivilege	3920	msiexec.exe
Token: SeCreatePagefilePrivilege	3920	msiexec.exe
Token: SeCreatePermanentPrivilege	3920	msiexec.exe
Token: SeBackupPrivilege	3920	msiexec.exe
Token: SeRestorePrivilege	3920	msiexec.exe
Token: SeShutdownPrivilege	3920	msiexec.exe
Token: SeDebugPrivilege	3920	msiexec.exe
Token: SeAuditPrivilege	3920	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3920	msiexec.exe
Token: SeChangeNotifyPrivilege	3920	msiexec.exe
Token: SeRemoteShutdownPrivilege	3920	msiexec.exe
Token: SeUndockPrivilege	3920	msiexec.exe
Token: SeSyncAgentPrivilege	3920	msiexec.exe
Token: SeEnableDelegationPrivilege	3920	msiexec.exe
Token: SeManageVolumePrivilege	3920	msiexec.exe
Token: SeImpersonatePrivilege	3920	msiexec.exe
Token: SeCreateGlobalPrivilege	3920	msiexec.exe
Token: SeBackupPrivilege	4140	vssvc.exe
Token: SeRestorePrivilege	4140	vssvc.exe
Token: SeAuditPrivilege	4140	vssvc.exe
Token: SeBackupPrivilege	468	msiexec.exe
Token: SeRestorePrivilege	468	msiexec.exe
Token: SeRestorePrivilege	468	msiexec.exe
Token: SeTakeOwnershipPrivilege	468	msiexec.exe
Token: SeRestorePrivilege	468	msiexec.exe
Token: SeTakeOwnershipPrivilege	468	msiexec.exe
Token: SeBackupPrivilege	5108	srtasks.exe
Token: SeRestorePrivilege	5108	srtasks.exe
Token: SeSecurityPrivilege	5108	srtasks.exe
Token: SeTakeOwnershipPrivilege	5108	srtasks.exe
Token: SeBackupPrivilege	5108	srtasks.exe
Token: SeRestorePrivilege	5108	srtasks.exe
Token: SeSecurityPrivilege	5108	srtasks.exe
Token: SeTakeOwnershipPrivilege	5108	srtasks.exe
Token: SeRestorePrivilege	468	msiexec.exe
Token: SeTakeOwnershipPrivilege	468	msiexec.exe
Token: SeRestorePrivilege	468	msiexec.exe
Token: SeTakeOwnershipPrivilege	468	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3920	msiexec.exe
3920	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 5108	468	msiexec.exe	102
PID 468 wrote to memory of 5108	468	msiexec.exe	102
PID 468 wrote to memory of 1780	468	msiexec.exe	104
PID 468 wrote to memory of 1780	468	msiexec.exe	104
PID 468 wrote to memory of 1780	468	msiexec.exe	104
PID 1780 wrote to memory of 3928	1780	MsiExec.exe	105
PID 1780 wrote to memory of 3928	1780	MsiExec.exe	105
PID 1780 wrote to memory of 3928	1780	MsiExec.exe	105
PID 1780 wrote to memory of 2744	1780	MsiExec.exe	107
PID 1780 wrote to memory of 2744	1780	MsiExec.exe	107
PID 1780 wrote to memory of 2744	1780	MsiExec.exe	107
PID 1780 wrote to memory of 4728	1780	MsiExec.exe	109
PID 1780 wrote to memory of 4728	1780	MsiExec.exe	109
PID 1780 wrote to memory of 4728	1780	MsiExec.exe	109
PID 4728 wrote to memory of 3680	4728	KeyScramblerLogon.exe	110
PID 4728 wrote to memory of 3680	4728	KeyScramblerLogon.exe	110
PID 4728 wrote to memory of 3680	4728	KeyScramblerLogon.exe	110
PID 1780 wrote to memory of 660	1780	MsiExec.exe	112
PID 1780 wrote to memory of 660	1780	MsiExec.exe	112
PID 1780 wrote to memory of 660	1780	MsiExec.exe	112
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113
PID 3680 wrote to memory of 2700	3680	Autoit3.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3812
- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2700

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3708
- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"
  2⤵
  PID:2744
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2744 -s 472
    3⤵
    - Program crash
    PID:6500

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:3012
- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1212

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\510af6dd87757c71cf084db4d924f5c7b6ff8cdfffc5084b98256b42078bcd5f.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3920

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5108
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 71FB947021DEEDE6D7A2A5A974762F1B
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1780
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:3928
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:2744
- - C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\KeyScramblerLogon.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\KeyScramblerLogon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:4728
  - - C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\Autoit3.exe
      "C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\Autoit3.exe" C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\script.au3
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3680
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:660

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 180 -p 2744 -ip 2744
1⤵
PID:6468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\bebdced\bgdfacd\heekbbb

Filesize
135B

MD5
5c234ef9374333c88320feaa1cb485c9

SHA1
26971eb24ef7d883dc95a4e7e2c47917806209d1

SHA256
e891f4564050384f7a5acb7bb251522e53f54a0974b185c239d7cff22b2fd6ce

SHA512
59de595a51c39d3c49115692bcbe7e276775131e7fff16eec3ec580d3f8e87f52a60b704626ce51ce3208a84d71766a74c76d9679aa8119f211b75fb750c8bde

Download Submit
C:\ProgramData\bebdced\bgdfacd\heekbbb

Filesize
135B

MD5
961addbc4aff36cb2b589648d887d8f5

SHA1
45df00f66e604c08570c2824f8f192efdb06d41e

SHA256
f17f0c63d873b0d48f8a30ec31297bc30029a3d73fb4f9f02fed94d9168a4d47

SHA512
39e55917285d2708b8fb0d6ec6d45b5457df2b0f8f737b685b9a22fa768f9e729ec8cfeeb9bd8b2c31f39b333a4a0843798894e9072c8308fcf6809743c70077

Download Submit
C:\ProgramData\bebdced\hbdcebc.au3

Filesize
928KB

MD5
7381f33c217809bb4a400b4039b46959

SHA1
becea3dc7bbeb4be48ca3eade93a5f97db2589a4

SHA256
af3318c20fefdadb3f56a096d74137622231c1642009d71ceaada5f1f68f05a3

SHA512
1fc86a698bfb5adb15ee8c4bdff107c638343b25055167b8f37501161e20a16f87fdeb4048d33edc367c9022ef7bac47169df1c9e0bf3f4617862041fb7a59c4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_90CA53BF93380499933443132F1E0073

Filesize
1KB

MD5
059544dc530257a61776bf9658d1117c

SHA1
11475796de2714ba13838bf09a040c42ef57b96a

SHA256
0ac3e3d39657b9fc7e86ec24f1a8768827c9096ed3daef6f303b0a12515999c2

SHA512
ff3ad33240a2f3e9f08588f75ea16bbb3e1ae54f400b10a48d25e8bdaa3aae2f259a67003843f825cf8e97eece18f4c84a0c5e933e9bcc0076c9f2dbdfda09e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
4c3f0f30bcea6f9bc1342580bee22967

SHA1
3cefbc40b66d7830a11115af3dce2970e14df823

SHA256
8a8976ff7909b3d0eb981851e8d42c9b8beafcf1864ecfe7af6e7ca6bd7de08c

SHA512
27e7a2f092284f33688e5a6b6392848d81ee023d0c7ec949ddbce462079f485a7df63763fccc89ad5584757013ee354a5fb279a6e76093837b6344e188f28e79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_90CA53BF93380499933443132F1E0073

Filesize
540B

MD5
8023510aad8f21088305d78d44e056bf

SHA1
7aa87b45f3e41ffb72c61d15779b0daf6854d6a2

SHA256
cf7cffe445add351d9a8dd60a88b7926c75f4a1126222dcc726d2905c40cfbcb

SHA512
4d3e47a40863234aaf9c5c4ab7ac44b0afc3496d25b190f3aa508e0fc98b042611b65332db1c9c24a71f1c21934582aafdab129baf9f96fc947efc4027e60037

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
ac6931fd26350277537f338cf624e6cd

SHA1
2d689fb625b0abb8190bcb2b5e4bbe7ceecfe586

SHA256
8d39f61d2576a9441e30342de61e0bb63a13efb54b6657cd75e82aeaee0a5c1b

SHA512
31947a7ab882f0a29986dc1abb5baf2cc3e7dbe24ba1d86ac6e079f1c4173bca737adbcc83f9d6c9f39b37374d59f95a853537d7ff1945fef9e348a739368726

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files.cab

Filesize
1.9MB

MD5
6374e57090a340047962b08a822a7ee0

SHA1
5ebc82cce2a0551ed89aa15e8981a3a281ddb510

SHA256
b9eabc270f756512d043a34e46f23f9cc6c599c4de38b6dae4e1f673bcf3d335

SHA512
8e0abf786d32e6e9784bb1892575f993ddd703de385c6c15a160617dd601733aa830ad61bbb04bb92b0555d73a2d6ae3c8d841f86c987fe27df93ce4f515be43

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\EMCOMSI.pbproj

Filesize
28KB

MD5
2d190d00ca9f4a0da4ea26e6da13307e

SHA1
72cfa041994c30b527cc7f1cf6f4f5877edb35b9

SHA256
7c22e0a9afe2f9f4724711c456a049a113cc600d55167598be17ba1ab5124025

SHA512
e16e6bc6e164a40efc47d6cdb7ddd2bcbffe4760c8ad1eec21dcba2d1d3f61d688b26e89d454c24b89847d26aaf824fdb5b9b18a7ae85612c1e3a255021ec5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\KeyScramblerIE.DLL

Filesize
535KB

MD5
85dd61ec4125ba45a136a5b40b7250de

SHA1
11b62716042d0552cba90ec3b04845750ed83e06

SHA256
9a74f605370ec682ff056e54e5e514c23fe1d2ca41f697a36ab2456f424479c6

SHA512
fd935077c5d627b11214452a92e54edce8fd89d04d0bbe282e89a3dc7f458caf75125f26e72009bf487e1e59cc48474cd40e1ce319b8bdf30e6ef107eb023c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\KeyScramblerIE.dll

Filesize
535KB

MD5
85dd61ec4125ba45a136a5b40b7250de

SHA1
11b62716042d0552cba90ec3b04845750ed83e06

SHA256
9a74f605370ec682ff056e54e5e514c23fe1d2ca41f697a36ab2456f424479c6

SHA512
fd935077c5d627b11214452a92e54edce8fd89d04d0bbe282e89a3dc7f458caf75125f26e72009bf487e1e59cc48474cd40e1ce319b8bdf30e6ef107eb023c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\KeyScramblerLogon.dll

Filesize
92KB

MD5
760aa6f15db378dda44f262e1349e28d

SHA1
9bb9a0caa54e8b2560245430f33985996b2d40f3

SHA256
ee04957d0010ca2134c4770b434b2fdec08a25400b474dd51f47d5d1dc8d574b

SHA512
c6cf081dc189d88c85d01832f5cb09ff42c1264d7d4c548a336a33b97ec0b0b24aeb25076fd24db7db2f7a7ced6eccc67d26497352f7eeb1d29bb9c0a59abce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\Languages\KSLangCHT.dll

Filesize
14KB

MD5
07e327539ff319611d858a4c9575ed02

SHA1
53d74091a51d96bb9b946a06803e16d3a9139df6

SHA256
d4afb96b37351ebbe9763fe0110a0859e62f6a065abfa840af5454505b3cd80e

SHA512
906a346bb8f5842a81a1b5f4fc54b71d9db9c390bcdc2dfbaf723eb40ad247c456fccc7a0fd77130c666dd80d2821de1e3487ad62528405a3ec86e503202bc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\Languages\KSLangJPN.dll

Filesize
14KB

MD5
bc5feb50bc7a25e4c08e3bcd8d2bc1c5

SHA1
fb703a62a503ce8a697e8d8c648f6c09408b2f53

SHA256
d52120ab6b006b1f5bda114129d78b7d11ff33e707c3e689cd6bc15dca836da9

SHA512
84699f9de5079fa6c89430d81c76cc89ffd73cc7a9ae2f1a6e5a92bbdb2db5de9461436fb134ce8ff5074b1eea7e56a72432e0e6595d9e141a44f0290e124214

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\QFXUpdateService.exe

Filesize
768KB

MD5
4ed21ae3ae981538ab61f199d4477b92

SHA1
d7266d30270bce21dffb62ed7f2e47fee9890fc2

SHA256
7053dae7f3d11cee5b0ca0363320104857c73aad6a0f2f9af398c2f4e607a95b

SHA512
f4768e7ccc73d5ae8f9da526875b12f571c36ba7c7c9d08aa1a455926a34560f11598f677242c5513ed750a384bd9b1107b57975487603f49e6c16eea92bcbdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\ReadMe.txt

Filesize
13KB

MD5
06a5df751eb0765e69bfb15e12f4c665

SHA1
7394bf7df2dda47bf8d55bfbc880d2a2316054ac

SHA256
8b9d97c137459a495936af47f5140fe75f795728a30e9ec3d8ac9c1cb2e5c65f

SHA512
aabd6aa18646192bd49e5343e0129e696b1e003a16e8205fd36aa863be9c97aadf9ac67bba96629d21ea5921e89ce6a401e74d9347aa77468f3854dc64e20558

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\Sounds\Error.wav

Filesize
35KB

MD5
efad8c5d6cc6cae180ebe01ce3a60c88

SHA1
614839975c1f07161f3c26ba2af08ae910b21c61

SHA256
acad74b9bb57809e1b35bc06f357941986ebdc547ba33fc618f07e6e7bdc49bd

SHA512
d404752e05ee803958a21b7fcadc0782ba36ea42eba84eae42eca6360df71822bc705eea6ef2caaa82e2fdcc518ba1cd94c04cc7e7e7739d32eb29dbffd2f51a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\Sounds\Success.wav

Filesize
66KB

MD5
fd8177d61c8dd032dd262bf979d852f6

SHA1
ac64e21b7c80e996bcb369b6023bec4191568a52

SHA256
8dae19fc9c722a7fb169f37b5881e74551a8d3b8b43ec6f52b6d5d46e885ed6c

SHA512
39e75172a2b410eb25de87f06c57e1c583493f1885a39f2a410ce6437cc8e9d400a3e8e695cdcec63752840096637a16c1d875e43ce1c40e43553f16337ff835

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\Uninstall.exe

Filesize
72KB

MD5
eff839d29dbb06677a85117d036e29c6

SHA1
473823c718f3db95d27f14b783e68c08f13caded

SHA256
1b5cb8035b18d06b5219f2e7d30200ca343c0ce6763962c7c41534aecc2b1c80

SHA512
cb4fb2b054e3430df934cd30be220e13c2f86bf2dbc6e2a46d59fa4f7d9c6feca9cbc44fb1cc49bfae7aa39623d26d8f4510fa9a0584a1f64110cae87117aff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\dovnsofg

Filesize
1.8MB

MD5
ce0baa21adf46c7255218d5132516d48

SHA1
fbf33659e32651e34cf29f8fc31fde28bdfe9ec5

SHA256
3d74052bd69614f113b811ba6acb6e91c4806206374fd7c68ceb9ca013d2d8c6

SHA512
b2004787b666116f819d78a1465f1f8418cee817271b94dbdb3512bca8845647bdbee72ce70a5675d871e34063dbbb94092d784f12f95e46b2a110332b321b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\getting_started.html

Filesize
1KB

MD5
da033601ee343eaa7f5d609a854b4baa

SHA1
e279b127a9ce7582a626c29dd02a0b88ff10d966

SHA256
e4312722cf4e6e179f7c50e8fcc618d583a38ba71046aee2d67090d7a37ee5da

SHA512
b6c53aabc3c1c41d639f5877dc81dbf05145c8feb4101e20afd45dbafdc5f2af90394dda3c26836a34d4382135fbdcc899795a58a40d3974fcaff7f4f8002a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\ilwjlhe

Filesize
8B

MD5
e5cacaac83e54c922eecccfeba630570

SHA1
bbb016ee23db1b7547ab0cbb0db8b2d6d2817502

SHA256
82b6974b2ac2f589827e5cfe7861272425075d0fa2ca429e3fcb17434a18a2e2

SHA512
b8ec7350977c915734c85344c08cc9cc4ba2ced39e2816fc23ff900933b3828b748bff54356c7d34e3720cf128c0ee4cfa74598c071167b4e4840b631261e5f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\keyscrambler.ico

Filesize
39KB

MD5
fde5504bbf7620aca9f3850511c13a45

SHA1
484382ecc232cedc1651fba5f9311e9164f43369

SHA256
932409eb2abfc31f2dd218240de70a150359ea8ab09fcceb1f076b9a17c844b7

SHA512
6d67be9398fcc2b85fe4fd7357f37d6cfc1d3e548f713319080707c750b66d2b1e631c79a7e745c56b1a72be91735156e3989eff8d0b84c3442c0fa548c2a6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\keyscrambler.sys

Filesize
225KB

MD5
9baf5236d65a36ed2c388cf04108ab9f

SHA1
f5e28edea04a00b5e8806130cd2736336c6e3792

SHA256
9e79960a40797c11a007d9c8e6a4bce721baf603f5d651f5485eb5481c717b12

SHA512
1fc899c37e628adbe05a53812e6106332de7dbef83ce72094dd228067eefa71d09abe55d250b35d93f7454b9596073de95af6700e543c17bb5d43e7de0fcac1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\license.htm

Filesize
6KB

MD5
fbe23ef8575dd46ea36f06dd627e94ab

SHA1
d80929568026e2d1db891742331229f1fd0c7e34

SHA256
104c6948b760b0dc6fb80f9283a7978229e8be4bab316fe5fa883dccc18dc8ab

SHA512
caba58d22a835c2a9a0c420129631add230ebbb16edc36b45766348f5c7d5e5c9f8dc2edd71622f8876f8777d3c797a3e6dd2da7ea1a743cbca73d1e4ad27d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\project.xml

Filesize
1KB

MD5
189dc774be74d9453606a7a80cd730e6

SHA1
1a70d362b8bd78cdfe7949f3438b346fe8c69adb

SHA256
3af50be8a1086fff8726686340b4a3883125406f20ac0f72396363891ecc26c6

SHA512
68679076938165c6bb669d5ac7fbe979ae34611b6eda3030eea5361872993c7922a705185ac4016e221ccd6220f8af31e0d3821241d410bbfe744e6c29588a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\files\script.au3

Filesize
923KB

MD5
d92075b54be976df517365e5e0095035

SHA1
c8ae12874c7d29a7bd27028663aa1806e95e5868

SHA256
b32496316b452bfd67c51ca0aa66f842fe0bb786cf456fa307f143672c605d68

SHA512
c4d2bcffbf535711e3e0dfca089a6aae66cae8acca49b51a52a714533c42c058a7ba39cfc8f10acc1bacd99e69420f30024708ef0171321f3578e9c50cf8a14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\msiwrapper.ini

Filesize
1KB

MD5
b375fc1c5bd22034478ebe205b6aca4b

SHA1
ccdd108eef54911139a7558b3ca398b6f7abf01a

SHA256
ab3b64717324e16350bceb3243bf8be40279d5bde5c253bb06f66f6db7f5d671

SHA512
4e7992ac46945df62edf7792cb1d17ee568356cd2e38e2bb31eaca157cd6f64b30f68a596301fcbe9e0efb614cd866c0ff6fc7c4e30f611e408b76bbbd25afe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\msiwrapper.ini

Filesize
1KB

MD5
d41639e6ee33033b2867e68c6bdbf3d7

SHA1
40f21b69b7ec0133bf11b41862257cc17aecc0e8

SHA256
fb8acf6eab8b91b6e9ce0ea2e3b791d93102821667ba23b7d72b247e1b090d63

SHA512
271e3cf90cf56a2ba6d43b00b9c99312dbdddf0d6beb5cf7fb7d6fe472b0d4ad0658719a7c28eeb57423cf9243b1b5337fa2abefbf5bafd5e889bbbec37a7a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\msiwrapper.ini

Filesize
1KB

MD5
7147316d788d87571896ca9a0a9b1c82

SHA1
a8335532cdb179e08492dce2afe2998b78f353a1

SHA256
5bce0eea2d3aff495dbc62eaff8ef10822ba29607f5db4af4ba3a78522e3431b

SHA512
2dc3287ea4a6d3a3d7e29caa2e448c8083c4af08abf167512b309bdce2ba7d14cd6cdec8df7386bf8776c3d788aa95b62475d3b215e747ed8a902b1939b8cd15

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c417fc42-21df-4f06-a604-9606435fd09c\msiwrapper.ini

Filesize
1KB

MD5
7147316d788d87571896ca9a0a9b1c82

SHA1
a8335532cdb179e08492dce2afe2998b78f353a1

SHA256
5bce0eea2d3aff495dbc62eaff8ef10822ba29607f5db4af4ba3a78522e3431b

SHA512
2dc3287ea4a6d3a3d7e29caa2e448c8083c4af08abf167512b309bdce2ba7d14cd6cdec8df7386bf8776c3d788aa95b62475d3b215e747ed8a902b1939b8cd15

Download Submit
C:\Windows\Installer\MSI574E.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI574E.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI995A.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI995A.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\ckbgbbe

Filesize
4B

MD5
a306e997ca7b311023c4473c3e642f0b

SHA1
548576ff1bc1637e1ebccec38fd9d6d542d4c89d

SHA256
8af54700696935c73b780331494a9ff6b4bce1e838bbb559092271fcbfb08d29

SHA512
7139cc4d1e62f1b17ae83f82d5aeca7e082595cd49275320feab94927255c9af269ff42996082ccd10a2250f86646dfe2edc939c817a29b1ffbcbad8fb6df1b4

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
1060a4f60a0fd6c9807f2ab67df5936f

SHA1
ff54231fb099a5602d1dcb95d7924aed0164887d

SHA256
6dd736d1d7f19402c0b9fa452bdb4cfd418318652341969bce8a6cb3a4d76ad3

SHA512
7abf595f58035671108cfc0bcb55cb34f0cf6042e3c891973e059a7dcc15b64e92f6d1e295f159f4c4c8afd7de0554dbac682f29e02a73a41ad88f485d2e265f

Download Submit
\??\Volume{692520d5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e00e7e70-0cfc-4b8d-9338-24303f595d8b}_OnDiskSnapshotProp

Filesize
5KB

MD5
0f2f4b8440c73a698ab36a45920f85d8

SHA1
db774ba4ab91304557803fea2466da37bae463c8

SHA256
3690fc5d109ffdc70ac6d5b5fe3835759bb9e2abf14c7f6f89cf74ad4a020dba

SHA512
304668010d7f3cfc1ea125520d3c79ad06d29cbc3a3ffb18d3f0183339c80ccf044b799054955ef176fc446b76d67cd108a42585d04c8dad1300cc48fa89669d

Download Submit
\??\c:\temp\hbdcebc.au3

Filesize
923KB

MD5
d92075b54be976df517365e5e0095035

SHA1
c8ae12874c7d29a7bd27028663aa1806e95e5868

SHA256
b32496316b452bfd67c51ca0aa66f842fe0bb786cf456fa307f143672c605d68

SHA512
c4d2bcffbf535711e3e0dfca089a6aae66cae8acca49b51a52a714533c42c058a7ba39cfc8f10acc1bacd99e69420f30024708ef0171321f3578e9c50cf8a14b

Download Submit
memory/1212-1405-0x0000000010490000-0x000000001050F000-memory.dmp

Filesize
508KB

Download
memory/1212-1382-0x0000000010490000-0x000000001050F000-memory.dmp

Filesize
508KB

Download
memory/1212-792-0x0000000000D50000-0x0000000000D51000-memory.dmp

Filesize
4KB

Download
memory/1212-789-0x00000000009E0000-0x00000000009E1000-memory.dmp

Filesize
4KB

Download
memory/2700-778-0x0000000010410000-0x000000001048F000-memory.dmp

Filesize
508KB

Download
memory/2700-194-0x0000000000F10000-0x0000000000F11000-memory.dmp

Filesize
4KB

Download
memory/2700-818-0x0000000010410000-0x000000001048F000-memory.dmp

Filesize
508KB

Download
memory/2700-193-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/2744-1972-0x0000000010510000-0x000000001058F000-memory.dmp

Filesize
508KB

Download
memory/3680-183-0x0000000004060000-0x0000000004155000-memory.dmp

Filesize
980KB

Download
memory/3680-190-0x0000000004940000-0x0000000004D02000-memory.dmp

Filesize
3.8MB

Download
memory/3680-800-0x0000000004940000-0x0000000004D02000-memory.dmp

Filesize
3.8MB

Download
memory/3680-204-0x0000000004940000-0x0000000004D02000-memory.dmp

Filesize
3.8MB

Download
memory/3680-185-0x0000000004940000-0x0000000004D02000-memory.dmp

Filesize
3.8MB

Download
memory/3680-196-0x0000000001240000-0x0000000001640000-memory.dmp

Filesize
4.0MB

Download
memory/3680-182-0x0000000001240000-0x0000000001640000-memory.dmp

Filesize
4.0MB

Download
memory/3680-199-0x0000000004060000-0x0000000004155000-memory.dmp

Filesize
980KB

Download
memory/4728-154-0x0000000000400000-0x0000000000490000-memory.dmp

Filesize
576KB

Download
memory/4728-156-0x0000000003B10000-0x0000000003C05000-memory.dmp

Filesize
980KB

Download
memory/4728-151-0x0000000003B10000-0x0000000003C05000-memory.dmp

Filesize
980KB

Download
memory/4728-150-0x0000000003200000-0x0000000003940000-memory.dmp

Filesize
7.2MB

Download