darkgate | 6dc4038ca3be24398610616685e954a5ce843ebcc08d3bd97ca472f6d0834b2c

Analysis

max time kernel
269s
max time network
269s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2023 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

paytowin.msi
Size

7.7MB
MD5

18c9c1bebd252bab26e3c70ab68b42a7
SHA1

4dc001042ed6f010791afe5cd70bfaf62b3f16af
SHA256

6dc4038ca3be24398610616685e954a5ce843ebcc08d3bd97ca472f6d0834b2c
SHA512

52d48a5c4f97978828afbdf691e494583cd9d60b34567ad1df45fe6ba5eca681541d89be7b1e701eb71181a52c2252d0a2d2b172b7bc05a440afe252009cb1d2
SSDEEP

98304:6pNKjsEZcgsdUqakFRFawTV82ASqQBW9vpWzxjFycvniqy33XglSB2CiU39hItDb:71NsUqai/pTOryNnxyXxBTiWKmbSQMR

Score

10^/10

darkgate user_871236672 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

user_871236672

http://onlineserviceboonkers.com

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
2351
check_disk
true
check_ram
true
check_xeon
true
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
yBhTbTZsxrLjqz
internal_mutex
txtMut
minimum_disk
35
minimum_ram
6000
ping_interval
4
rootkit
true
startup_persistence
true
username
user_871236672

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Executes dropped EXE 7 IoCs

pid	Process
3496	windbg.exe
3512	Autoit3.exe
1368	windbg.exe
4940	Autoit3.exe
3992	windbg.exe
1632	Autoit3.exe
3784	Autoit3.exe

Loads dropped DLL 10 IoCs

pid	Process
4856	MsiExec.exe
3496	windbg.exe
3496	windbg.exe
4856	MsiExec.exe
2276	MsiExec.exe
1368	windbg.exe
2276	MsiExec.exe
1952	MsiExec.exe
3992	windbg.exe
1952	MsiExec.exe

Modifies file permissions 1 TTPs 6 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4132	ICACLS.EXE
4640	ICACLS.EXE
5060	ICACLS.EXE
3688	ICACLS.EXE
3956	ICACLS.EXE
4780	ICACLS.EXE

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Windows directory 25 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI20A3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI20A4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57fec3.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6A37F133-3E50-4D72-9E18-01829758E96D}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1A1.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIB159.tmp	msiexec.exe
File created	C:\Windows\Installer\e57fec3.msi	msiexec.exe
File created	C:\Windows\Installer\e57fec4.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI88D1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57fec5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\e57fec4.msi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI9B5F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB1D7.tmp	msiexec.exe
File created	C:\Windows\Installer\e57fec5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI749B.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI88D0.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000326c22034809cb6a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000326c22030000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900326c2203000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d326c2203000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000326c220300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 29 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202020202	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\2	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Autoit3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Autoit3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Autoit3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-984744499-3605095035-265325720-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1840	msiexec.exe
1840	msiexec.exe
1840	msiexec.exe
1840	msiexec.exe
1840	msiexec.exe
1840	msiexec.exe
3088	msedge.exe
3088	msedge.exe
3116	msedge.exe
3116	msedge.exe
4356	identity_helper.exe
4356	identity_helper.exe
5068	msedge.exe
5068	msedge.exe
2520	msedge.exe
2520	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
2520	msedge.exe
2520	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1564	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1564	msiexec.exe
Token: SeSecurityPrivilege	1840	msiexec.exe
Token: SeCreateTokenPrivilege	1564	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1564	msiexec.exe
Token: SeLockMemoryPrivilege	1564	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1564	msiexec.exe
Token: SeMachineAccountPrivilege	1564	msiexec.exe
Token: SeTcbPrivilege	1564	msiexec.exe
Token: SeSecurityPrivilege	1564	msiexec.exe
Token: SeTakeOwnershipPrivilege	1564	msiexec.exe
Token: SeLoadDriverPrivilege	1564	msiexec.exe
Token: SeSystemProfilePrivilege	1564	msiexec.exe
Token: SeSystemtimePrivilege	1564	msiexec.exe
Token: SeProfSingleProcessPrivilege	1564	msiexec.exe
Token: SeIncBasePriorityPrivilege	1564	msiexec.exe
Token: SeCreatePagefilePrivilege	1564	msiexec.exe
Token: SeCreatePermanentPrivilege	1564	msiexec.exe
Token: SeBackupPrivilege	1564	msiexec.exe
Token: SeRestorePrivilege	1564	msiexec.exe
Token: SeShutdownPrivilege	1564	msiexec.exe
Token: SeDebugPrivilege	1564	msiexec.exe
Token: SeAuditPrivilege	1564	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1564	msiexec.exe
Token: SeChangeNotifyPrivilege	1564	msiexec.exe
Token: SeRemoteShutdownPrivilege	1564	msiexec.exe
Token: SeUndockPrivilege	1564	msiexec.exe
Token: SeSyncAgentPrivilege	1564	msiexec.exe
Token: SeEnableDelegationPrivilege	1564	msiexec.exe
Token: SeManageVolumePrivilege	1564	msiexec.exe
Token: SeImpersonatePrivilege	1564	msiexec.exe
Token: SeCreateGlobalPrivilege	1564	msiexec.exe
Token: SeBackupPrivilege	1012	vssvc.exe
Token: SeRestorePrivilege	1012	vssvc.exe
Token: SeAuditPrivilege	1012	vssvc.exe
Token: SeBackupPrivilege	1840	msiexec.exe
Token: SeRestorePrivilege	1840	msiexec.exe
Token: SeRestorePrivilege	1840	msiexec.exe
Token: SeTakeOwnershipPrivilege	1840	msiexec.exe
Token: SeRestorePrivilege	1840	msiexec.exe
Token: SeTakeOwnershipPrivilege	1840	msiexec.exe
Token: SeRestorePrivilege	1840	msiexec.exe
Token: SeTakeOwnershipPrivilege	1840	msiexec.exe
Token: SeRestorePrivilege	1840	msiexec.exe
Token: SeTakeOwnershipPrivilege	1840	msiexec.exe
Token: SeBackupPrivilege	4120	srtasks.exe
Token: SeRestorePrivilege	4120	srtasks.exe
Token: SeSecurityPrivilege	4120	srtasks.exe
Token: SeTakeOwnershipPrivilege	4120	srtasks.exe
Token: SeBackupPrivilege	4120	srtasks.exe
Token: SeRestorePrivilege	4120	srtasks.exe
Token: SeSecurityPrivilege	4120	srtasks.exe
Token: SeTakeOwnershipPrivilege	4120	srtasks.exe
Token: SeShutdownPrivilege	4216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4216	msiexec.exe
Token: SeCreateTokenPrivilege	4216	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4216	msiexec.exe
Token: SeLockMemoryPrivilege	4216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4216	msiexec.exe
Token: SeMachineAccountPrivilege	4216	msiexec.exe
Token: SeTcbPrivilege	4216	msiexec.exe
Token: SeSecurityPrivilege	4216	msiexec.exe
Token: SeTakeOwnershipPrivilege	4216	msiexec.exe
Token: SeLoadDriverPrivilege	4216	msiexec.exe

Suspicious use of FindShellTrayWindow 59 IoCs

pid	Process
1564	msiexec.exe
1564	msiexec.exe
1564	msiexec.exe
4216	msiexec.exe
4216	msiexec.exe
4072	msiexec.exe
4072	msiexec.exe
4072	msiexec.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
3116	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe
2520	msedge.exe

Suspicious use of SetWindowsHookEx 18 IoCs

pid	Process
1612	OpenWith.exe
1612	OpenWith.exe
1612	OpenWith.exe
1612	OpenWith.exe
1612	OpenWith.exe
1612	OpenWith.exe
1612	OpenWith.exe
1612	OpenWith.exe
1612	OpenWith.exe
1612	OpenWith.exe
1612	OpenWith.exe
1612	OpenWith.exe
1612	OpenWith.exe
1612	OpenWith.exe
1612	OpenWith.exe
1612	OpenWith.exe
1612	OpenWith.exe
3784	Autoit3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 4120	1840	msiexec.exe	103
PID 1840 wrote to memory of 4120	1840	msiexec.exe	103
PID 1840 wrote to memory of 4856	1840	msiexec.exe	107
PID 1840 wrote to memory of 4856	1840	msiexec.exe	107
PID 1840 wrote to memory of 4856	1840	msiexec.exe	107
PID 4856 wrote to memory of 4640	4856	MsiExec.exe	109
PID 4856 wrote to memory of 4640	4856	MsiExec.exe	109
PID 4856 wrote to memory of 4640	4856	MsiExec.exe	109
PID 4856 wrote to memory of 5056	4856	MsiExec.exe	112
PID 4856 wrote to memory of 5056	4856	MsiExec.exe	112
PID 4856 wrote to memory of 5056	4856	MsiExec.exe	112
PID 4856 wrote to memory of 3496	4856	MsiExec.exe	113
PID 4856 wrote to memory of 3496	4856	MsiExec.exe	113
PID 4856 wrote to memory of 3496	4856	MsiExec.exe	113
PID 3496 wrote to memory of 3512	3496	windbg.exe	114
PID 3496 wrote to memory of 3512	3496	windbg.exe	114
PID 3496 wrote to memory of 3512	3496	windbg.exe	114
PID 4856 wrote to memory of 5060	4856	MsiExec.exe	115
PID 4856 wrote to memory of 5060	4856	MsiExec.exe	115
PID 4856 wrote to memory of 5060	4856	MsiExec.exe	115
PID 1612 wrote to memory of 1848	1612	OpenWith.exe	118
PID 1612 wrote to memory of 1848	1612	OpenWith.exe	118
PID 1840 wrote to memory of 2276	1840	msiexec.exe	123
PID 1840 wrote to memory of 2276	1840	msiexec.exe	123
PID 1840 wrote to memory of 2276	1840	msiexec.exe	123
PID 2276 wrote to memory of 3688	2276	MsiExec.exe	124
PID 2276 wrote to memory of 3688	2276	MsiExec.exe	124
PID 2276 wrote to memory of 3688	2276	MsiExec.exe	124
PID 2276 wrote to memory of 3996	2276	MsiExec.exe	126
PID 2276 wrote to memory of 3996	2276	MsiExec.exe	126
PID 2276 wrote to memory of 3996	2276	MsiExec.exe	126
PID 2276 wrote to memory of 1368	2276	MsiExec.exe	128
PID 2276 wrote to memory of 1368	2276	MsiExec.exe	128
PID 2276 wrote to memory of 1368	2276	MsiExec.exe	128
PID 1368 wrote to memory of 4940	1368	windbg.exe	129
PID 1368 wrote to memory of 4940	1368	windbg.exe	129
PID 1368 wrote to memory of 4940	1368	windbg.exe	129
PID 2276 wrote to memory of 3956	2276	MsiExec.exe	130
PID 2276 wrote to memory of 3956	2276	MsiExec.exe	130
PID 2276 wrote to memory of 3956	2276	MsiExec.exe	130
PID 1840 wrote to memory of 1952	1840	msiexec.exe	135
PID 1840 wrote to memory of 1952	1840	msiexec.exe	135
PID 1840 wrote to memory of 1952	1840	msiexec.exe	135
PID 1952 wrote to memory of 4780	1952	MsiExec.exe	136
PID 1952 wrote to memory of 4780	1952	MsiExec.exe	136
PID 1952 wrote to memory of 4780	1952	MsiExec.exe	136
PID 1952 wrote to memory of 1120	1952	MsiExec.exe	138
PID 1952 wrote to memory of 1120	1952	MsiExec.exe	138
PID 1952 wrote to memory of 1120	1952	MsiExec.exe	138
PID 1952 wrote to memory of 3992	1952	MsiExec.exe	140
PID 1952 wrote to memory of 3992	1952	MsiExec.exe	140
PID 1952 wrote to memory of 3992	1952	MsiExec.exe	140
PID 3992 wrote to memory of 1632	3992	windbg.exe	141
PID 3992 wrote to memory of 1632	3992	windbg.exe	141
PID 3992 wrote to memory of 1632	3992	windbg.exe	141
PID 1952 wrote to memory of 4132	1952	MsiExec.exe	142
PID 1952 wrote to memory of 4132	1952	MsiExec.exe	142
PID 1952 wrote to memory of 4132	1952	MsiExec.exe	142
PID 3116 wrote to memory of 1944	3116	msedge.exe	147
PID 3116 wrote to memory of 1944	3116	msedge.exe	147
PID 3116 wrote to memory of 4216	3116	msedge.exe	149
PID 3116 wrote to memory of 4216	3116	msedge.exe	149
PID 3116 wrote to memory of 4216	3116	msedge.exe	149
PID 3116 wrote to memory of 4216	3116	msedge.exe	149

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\paytowin.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1564

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4120
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 33B67DD61B09F6B2C7EB5E65FD67760B
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:4640
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:5056
- - C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3496
  - - \??\c:\tmpa\Autoit3.exe
      c:\tmpa\Autoit3.exe c:\tmpa\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      Modifies registry class
      PID:3512
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:5060
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B507A1D5C132C445286AB184787FDEA1
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:3688
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:3996
- - C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1368
  - - \??\c:\tmpa\Autoit3.exe
      c:\tmpa\Autoit3.exe c:\tmpa\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:4940
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:3956
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 21C8E2F60C10FBE5B3E64E2140DFBD8B
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-d925dbca-4b59-46f9-aa0c-f3766f78fa29\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:4780
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:1120
- - C:\Users\Admin\AppData\Local\Temp\MW-d925dbca-4b59-46f9-aa0c-f3766f78fa29\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-d925dbca-4b59-46f9-aa0c-f3766f78fa29\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3992
  - - \??\c:\tmpa\Autoit3.exe
      c:\tmpa\Autoit3.exe c:\tmpa\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:1632
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-d925dbca-4b59-46f9-aa0c-f3766f78fa29\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:4132

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4576

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\files\data.bin
  2⤵
  PID:1848

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\paytowin.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4216

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\paytowin.msi"
1⤵
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
PID:4072

C:\tmpa\Autoit3.exe
"C:\tmpa\Autoit3.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\jawshtml.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff847f546f8,0x7ff847f54708,0x7ff847f54718
  2⤵
  PID:1944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,6233643246881864260,12897232850148781912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,6233643246881864260,12897232850148781912,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,6233643246881864260,12897232850148781912,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6233643246881864260,12897232850148781912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:1548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6233643246881864260,12897232850148781912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,6233643246881864260,12897232850148781912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,6233643246881864260,12897232850148781912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6233643246881864260,12897232850148781912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6233643246881864260,12897232850148781912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5324 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6233643246881864260,12897232850148781912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,6233643246881864260,12897232850148781912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\jawshtml.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff847f546f8,0x7ff847f54708,0x7ff847f54718
  2⤵
  PID:2200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2196,4644980379364846842,8116035942648532365,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2196,4644980379364846842,8116035942648532365,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2208 /prefetch:2
  2⤵
  PID:672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2196,4644980379364846842,8116035942648532365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,4644980379364846842,8116035942648532365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2196,4644980379364846842,8116035942648532365,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
  2⤵
  PID:2292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
84df16093540d8d88a327b849dd35f8c

SHA1
c6207d32a8e44863142213697984de5e238ce644

SHA256
220f89151a0f978b8bbe338b937af90417ae8c17b72a53f2acea7be2ac171a8c

SHA512
3077ccda8f86f47c41978d6cbb1dcad344e36f236251c8fd8c58d1c48a59106aecfdbe306357b7ebcfe3300bec8ea10ee0e59434c799e8c40e40e6c3c1bd4098

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a5d2dbb5b6455ca85a0ccfb9f3f19232

SHA1
65119747332a04bcab57d159eb25a423362fba81

SHA256
33a14babc85c9f5fc119694fc6c34afbd0f487263b5f0500e94e9061d5275df3

SHA512
654c782f32f8ad110bb42871b756339419d52d2528cf772535639cc4b95192831fe05127789549c5c57ae0aa6c0022414c33d77e22c1609859c8daf55a45aab8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
0d3646f83fb8ff5f52bb6a2f9f2f6daa

SHA1
b4bcc4473c8b0a19ba8dea2fb8b725ad8f60423f

SHA256
27058a3ac4083d92a31e0564ce2f1d7766f72397456fb9dc9d7349639a9a1588

SHA512
608d12ebbad7f3424c712dc385eae32bdee45dfc13af9933f20e034d19006775f2d5a17ad6cee3b92087344c34d68b33a776db53f70a12ea3e22d5e36fbc9b62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0a73acdd191b05af21159a86b55f7ca1

SHA1
ad5ce39d90aa875f2f56966a197d899e8583ad6d

SHA256
dc74fdb974348235dd38caa9b146c494ce65b46c17a75caa360de1e89e3d91af

SHA512
2ac913d3b54ae6d9d5f005cee71c0840c0854a89b24207888261441a956afaf6d2065567127af1a1298e644a2ff02a0434306cf348d55c3e719c7f1d487d830c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c79fcae43bb90b15a82c3f96c3f722b7

SHA1
07aa2d3000f242af34ebe8ae5a84a98304d2d611

SHA256
75a712717b2d02e24432ba4cca0a8deaac315002d96e7e72d6a7573e0b4a9bd7

SHA512
5c2d8426cc47adc63f014888c62e1c700a6a9595c14159f6a0809170d941164a025d9f95e42748b4d02ced64e991afd29811f5b1371b7701fe48dceb7cd32597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e8e086202d102042d2c0b12c7f2deb70

SHA1
d6aa8e3d309756f424384944f78e3042f4cbe41b

SHA256
b53a4594fa31666493c011c7043a4cff2a6c75aab61393691ce94b20502ebfb2

SHA512
e73a861b243941c0606aa6cea8e9c4db2ba5289787d46a749f7f77689ec99ed18f67485661ec0e0652be4606dcf2fbbe6d5c232616461212154980880982826d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
16625c4b50d1186fbc2b53b02464a69f

SHA1
2827f587b83beffb2bac09f305e582aec69cb50d

SHA256
23ad6a372200022eaafd442d6b078eb7c422b3a83c52b788094b0671a3c051ad

SHA512
a089d4fdd5d89e72f85e079fd5110f2b9635d8efaca0e5c0c3c6155e97bae132bdbce84ce47a1ec7a8d8c93808e2f7b6688fc38c41850e8cf4e494a957f388e4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
5de436d086677beb9694d86ee28af1f8

SHA1
d4f1e259f840a75d55e82bfac9efa2b7ec2fb514

SHA256
066f70814baffb7035e9c872cbdc51dec5c986e5d75e16e9363fb78da1177be8

SHA512
6eec0d895d212e415a8fe334501a2228f4af620269a16e8a82097725c7492ca7739a7f834f31033dc33b6c2c31c8269dcd08c3bd67efa926e5c71d325a2d0c32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
9e198baa62dd68b97fee9f5320214939

SHA1
dd2a05f941f2ddaa5ca24c0020004ba7aaa6009a

SHA256
dc21ad90dcd24b3ce9542c849437731e4dc0ec1da2ebaf098afb557188587876

SHA512
a45990afb20e0e9b1818417ea896a7e33dac5b7464d340c343f310ee96234ed91bdfa57edbfb10a0b3535daee76acefeb22dcf2e9fd0be8bcd93684da6d749a0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
612f300771f590969a08eb51bc9479c2

SHA1
8eab69b0a34d25a567db77a6698cdbd67fc25dcb

SHA256
38d9f1453608f6926cc4bc4451c68f05e6100261a1ae4075dc4c3fadf82b7080

SHA512
bf96f7544efa34cee13243c3d13be54978a676807eaa453c162562d6864ce9d38753689132610f8aca66aded125d4d75c5f049d2d181361ac532d2e144ec51aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files.cab

Filesize
7.4MB

MD5
b83947df52d309721510bf9a81e0c416

SHA1
ae184a1470f38799b1160b583fbd698f8b862dbc

SHA256
e1614873f215ac19d3cc4249c716e85cf999153a5418855f27dca5bb1563454e

SHA512
5867df7177256f8679d3cb4579e75e97c1643054fa434d19a8a3a920a9a1cfea8f0e05283f64c017c14e520619045129d21e168fea1bb94f5a84e55a2be353c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\00147-1040811655.png

Filesize
1.3MB

MD5
7ec930b1536750116c13b06313286cf5

SHA1
adc543581e4acbaffd5593d07346296bbda1ede5

SHA256
1d18677415ff9d03c8e3accde3ab0786d33985f3d6b3855eca632c07fc4de547

SHA512
531887e99339aa19cef104226074cdbfb74d8e31cb535cf232b241f4cb05550ac33504ad58dc9b3eaa2c5dbb0a2eb32e9cc06a754b00618485d625ca4c3415db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\00147-1040811655.png

Filesize
1.3MB

MD5
7ec930b1536750116c13b06313286cf5

SHA1
adc543581e4acbaffd5593d07346296bbda1ede5

SHA256
1d18677415ff9d03c8e3accde3ab0786d33985f3d6b3855eca632c07fc4de547

SHA512
531887e99339aa19cef104226074cdbfb74d8e31cb535cf232b241f4cb05550ac33504ad58dc9b3eaa2c5dbb0a2eb32e9cc06a754b00618485d625ca4c3415db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\00148-1040811656.png

Filesize
1.2MB

MD5
bb581ea56d0940dc4d002a902e0fb0c9

SHA1
226afeb98300bc51a4e80e112b38bfbf9ef8f706

SHA256
84e19377a78d441de940eb1943edddc5720aafb67aed7dc30c281b98c3d0a201

SHA512
3237d3a234549704af058e64c4e190f07023e44164bae66e31c87a733ed215c827d2c29facce53a1dc781cc31f538f8f17e4a389ca21354c111ed9da04429511

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\00148-1040811656.png

Filesize
1.2MB

MD5
bb581ea56d0940dc4d002a902e0fb0c9

SHA1
226afeb98300bc51a4e80e112b38bfbf9ef8f706

SHA256
84e19377a78d441de940eb1943edddc5720aafb67aed7dc30c281b98c3d0a201

SHA512
3237d3a234549704af058e64c4e190f07023e44164bae66e31c87a733ed215c827d2c29facce53a1dc781cc31f538f8f17e4a389ca21354c111ed9da04429511

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\00149-438824465.png

Filesize
1.2MB

MD5
5cf577304c7231e35ab9296db1207993

SHA1
6deec1a72be8e657dcb484d58e81d138cfd8f25d

SHA256
ad7544c407ec1655adc699e70b75b5d75c3a7f28538a9738925b5f020b5e571c

SHA512
e1615432911024c9ad9abca3f851a94647f22b2600160dca9ad6ac18c2830d78e6e87f96cc4ecb2d9b597b66b0a7ddf5774299415cc0bd40d4e19741352aa37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\00149-438824465.png

Filesize
1.2MB

MD5
5cf577304c7231e35ab9296db1207993

SHA1
6deec1a72be8e657dcb484d58e81d138cfd8f25d

SHA256
ad7544c407ec1655adc699e70b75b5d75c3a7f28538a9738925b5f020b5e571c

SHA512
e1615432911024c9ad9abca3f851a94647f22b2600160dca9ad6ac18c2830d78e6e87f96cc4ecb2d9b597b66b0a7ddf5774299415cc0bd40d4e19741352aa37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\00150-438824466.png

Filesize
1.2MB

MD5
09f104f5af838fc714ba3d17623008b9

SHA1
842bcd3e250ab2ee598947ba241cafb274dda591

SHA256
caf1252510b1be93214fc9d464a20fdbf81a89839f7e0bc9156190762af3714f

SHA512
c37105eeaf8659546922066ffc712f88527adb59954c74381a53afa3623b8bedbdad548f26d3ecfd43cb0f0eca7f052ddf953358ece96d1199ff1e5e76e5604c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\00150-438824466.png

Filesize
1.2MB

MD5
09f104f5af838fc714ba3d17623008b9

SHA1
842bcd3e250ab2ee598947ba241cafb274dda591

SHA256
caf1252510b1be93214fc9d464a20fdbf81a89839f7e0bc9156190762af3714f

SHA512
c37105eeaf8659546922066ffc712f88527adb59954c74381a53afa3623b8bedbdad548f26d3ecfd43cb0f0eca7f052ddf953358ece96d1199ff1e5e76e5604c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\00151-438824467.png

Filesize
1.1MB

MD5
64d144051485b81b8a7c83476ba59427

SHA1
044bd6b794414b82d1579d309d3762d02e39d292

SHA256
f63482d06fbe08336aa1b7b7ec813bad196bba9f60a6a27363a82c9da9cc17f0

SHA512
d38f9ca097277cf6500258e16cb183deaa07b10e2060d93810af3eb97e8c97285817b32ab5876d5f42b0ca504dd5b562f421b7eb2ad65be5d950eb52f6ead1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\00151-438824467.png

Filesize
1.1MB

MD5
64d144051485b81b8a7c83476ba59427

SHA1
044bd6b794414b82d1579d309d3762d02e39d292

SHA256
f63482d06fbe08336aa1b7b7ec813bad196bba9f60a6a27363a82c9da9cc17f0

SHA512
d38f9ca097277cf6500258e16cb183deaa07b10e2060d93810af3eb97e8c97285817b32ab5876d5f42b0ca504dd5b562f421b7eb2ad65be5d950eb52f6ead1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\data.bin

Filesize
92KB

MD5
8b305b67e45165844d2f8547a085d782

SHA1
92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722

SHA256
776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b

SHA512
2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\data.bin

Filesize
92KB

MD5
8b305b67e45165844d2f8547a085d782

SHA1
92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722

SHA256
776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b

SHA512
2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\data2.bin

Filesize
1.8MB

MD5
78ed007015a6be04035921a5c9881a3e

SHA1
3a3a7a8c84f192eaf3e399aacd630b95ee848005

SHA256
43ebb3f62d6ddfc43ffea5b7de0c4992db1920591f19552148c36863ef16f454

SHA512
6b8453a28db2a154667c794c12c73f9426fc145f56f7a3d884eef8d7fff9076feec202f1c2e90899701caf952c6778266e851c852c1858b5aef0caafd3bb3e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\data2.bin

Filesize
1.8MB

MD5
78ed007015a6be04035921a5c9881a3e

SHA1
3a3a7a8c84f192eaf3e399aacd630b95ee848005

SHA256
43ebb3f62d6ddfc43ffea5b7de0c4992db1920591f19552148c36863ef16f454

SHA512
6b8453a28db2a154667c794c12c73f9426fc145f56f7a3d884eef8d7fff9076feec202f1c2e90899701caf952c6778266e851c852c1858b5aef0caafd3bb3e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\dbgeng.dll

Filesize
736KB

MD5
0e15cf36767154814fb8e6b61c726e19

SHA1
1f7bae6cb38aa8da60723ead126840f49e7af07d

SHA256
036ba93b0ffb331a11ce1ddabc19fc6fd41824dd053fdce3c1d3942910480f7b

SHA512
4135b5d3f3081369060ee915f8595fd86353277c2910cedd524b1df3494a51d56ef11247efac01770c3d4be43e6911ee1f2f77495d7250dd170c3965a8cd3d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\dbgeng.dll

Filesize
736KB

MD5
0e15cf36767154814fb8e6b61c726e19

SHA1
1f7bae6cb38aa8da60723ead126840f49e7af07d

SHA256
036ba93b0ffb331a11ce1ddabc19fc6fd41824dd053fdce3c1d3942910480f7b

SHA512
4135b5d3f3081369060ee915f8595fd86353277c2910cedd524b1df3494a51d56ef11247efac01770c3d4be43e6911ee1f2f77495d7250dd170c3965a8cd3d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\dbgeng.dll

Filesize
736KB

MD5
0e15cf36767154814fb8e6b61c726e19

SHA1
1f7bae6cb38aa8da60723ead126840f49e7af07d

SHA256
036ba93b0ffb331a11ce1ddabc19fc6fd41824dd053fdce3c1d3942910480f7b

SHA512
4135b5d3f3081369060ee915f8595fd86353277c2910cedd524b1df3494a51d56ef11247efac01770c3d4be43e6911ee1f2f77495d7250dd170c3965a8cd3d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\msiwrapper.ini

Filesize
370B

MD5
a34abe22961f6aee60f521350c309fe5

SHA1
e35a90dcc795030cc398e5805747b44fc93b9874

SHA256
45459a0045616ff0e0925110880961cf10c2d8b6f427f63052351405d4a8c6de

SHA512
477b03cbae975830ba93991dc5590b8b1100b3aeb8482535b453190663a4f6075f164ba97b78174cda5cb24790f78f4982490d817a8f2ab58dc538d24b566381

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\msiwrapper.ini

Filesize
1KB

MD5
9768852360356713a1e068fe061bae96

SHA1
1640ea9af128aaa24a383321472e236f6a27c847

SHA256
e44e7189a3a0361ca05656fff0ceef600cec40aa8127bdf10a9cbc3b043889a5

SHA512
00ce5061437c285bef06eb55aac4a290f6f5c31e34960a8eea22824afac43455e012228faa16e830ab5a6342d035b663ed358e3ee8e99ae95becc5cc811acce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\msiwrapper.ini

Filesize
1KB

MD5
9768852360356713a1e068fe061bae96

SHA1
1640ea9af128aaa24a383321472e236f6a27c847

SHA256
e44e7189a3a0361ca05656fff0ceef600cec40aa8127bdf10a9cbc3b043889a5

SHA512
00ce5061437c285bef06eb55aac4a290f6f5c31e34960a8eea22824afac43455e012228faa16e830ab5a6342d035b663ed358e3ee8e99ae95becc5cc811acce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-04d66c7d-4117-47fe-977b-4c6f28213822\msiwrapper.ini

Filesize
1KB

MD5
accfb1256cec7e574fd79b4384a61268

SHA1
357fe3928e1890b22c38c50e6255351d81d68d0a

SHA256
d878c3136da36b8ed85fd639f7e2238d1864cffd5e4e56092fcb156c7cda3f90

SHA512
ff306b8640ccb6be5885dd3edb17ca75399efd5113a797bd1e1518994f15cb000e1f3d36d6df272599cacad9b7363b1c393aa0b5f495c10adc788c40329c99e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\files.cab

Filesize
7.4MB

MD5
b83947df52d309721510bf9a81e0c416

SHA1
ae184a1470f38799b1160b583fbd698f8b862dbc

SHA256
e1614873f215ac19d3cc4249c716e85cf999153a5418855f27dca5bb1563454e

SHA512
5867df7177256f8679d3cb4579e75e97c1643054fa434d19a8a3a920a9a1cfea8f0e05283f64c017c14e520619045129d21e168fea1bb94f5a84e55a2be353c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\files\00147-1040811655.png

Filesize
1.3MB

MD5
7ec930b1536750116c13b06313286cf5

SHA1
adc543581e4acbaffd5593d07346296bbda1ede5

SHA256
1d18677415ff9d03c8e3accde3ab0786d33985f3d6b3855eca632c07fc4de547

SHA512
531887e99339aa19cef104226074cdbfb74d8e31cb535cf232b241f4cb05550ac33504ad58dc9b3eaa2c5dbb0a2eb32e9cc06a754b00618485d625ca4c3415db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\files\00148-1040811656.png

Filesize
1.2MB

MD5
bb581ea56d0940dc4d002a902e0fb0c9

SHA1
226afeb98300bc51a4e80e112b38bfbf9ef8f706

SHA256
84e19377a78d441de940eb1943edddc5720aafb67aed7dc30c281b98c3d0a201

SHA512
3237d3a234549704af058e64c4e190f07023e44164bae66e31c87a733ed215c827d2c29facce53a1dc781cc31f538f8f17e4a389ca21354c111ed9da04429511

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\files\00149-438824465.png

Filesize
1.2MB

MD5
5cf577304c7231e35ab9296db1207993

SHA1
6deec1a72be8e657dcb484d58e81d138cfd8f25d

SHA256
ad7544c407ec1655adc699e70b75b5d75c3a7f28538a9738925b5f020b5e571c

SHA512
e1615432911024c9ad9abca3f851a94647f22b2600160dca9ad6ac18c2830d78e6e87f96cc4ecb2d9b597b66b0a7ddf5774299415cc0bd40d4e19741352aa37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\files\00150-438824466.png

Filesize
1.2MB

MD5
09f104f5af838fc714ba3d17623008b9

SHA1
842bcd3e250ab2ee598947ba241cafb274dda591

SHA256
caf1252510b1be93214fc9d464a20fdbf81a89839f7e0bc9156190762af3714f

SHA512
c37105eeaf8659546922066ffc712f88527adb59954c74381a53afa3623b8bedbdad548f26d3ecfd43cb0f0eca7f052ddf953358ece96d1199ff1e5e76e5604c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\files\00151-438824467.png

Filesize
1.1MB

MD5
64d144051485b81b8a7c83476ba59427

SHA1
044bd6b794414b82d1579d309d3762d02e39d292

SHA256
f63482d06fbe08336aa1b7b7ec813bad196bba9f60a6a27363a82c9da9cc17f0

SHA512
d38f9ca097277cf6500258e16cb183deaa07b10e2060d93810af3eb97e8c97285817b32ab5876d5f42b0ca504dd5b562f421b7eb2ad65be5d950eb52f6ead1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\files\data.bin

Filesize
92KB

MD5
8b305b67e45165844d2f8547a085d782

SHA1
92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722

SHA256
776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b

SHA512
2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\files\data2.bin

Filesize
1.8MB

MD5
78ed007015a6be04035921a5c9881a3e

SHA1
3a3a7a8c84f192eaf3e399aacd630b95ee848005

SHA256
43ebb3f62d6ddfc43ffea5b7de0c4992db1920591f19552148c36863ef16f454

SHA512
6b8453a28db2a154667c794c12c73f9426fc145f56f7a3d884eef8d7fff9076feec202f1c2e90899701caf952c6778266e851c852c1858b5aef0caafd3bb3e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\files\dbgeng.dll

Filesize
736KB

MD5
0e15cf36767154814fb8e6b61c726e19

SHA1
1f7bae6cb38aa8da60723ead126840f49e7af07d

SHA256
036ba93b0ffb331a11ce1ddabc19fc6fd41824dd053fdce3c1d3942910480f7b

SHA512
4135b5d3f3081369060ee915f8595fd86353277c2910cedd524b1df3494a51d56ef11247efac01770c3d4be43e6911ee1f2f77495d7250dd170c3965a8cd3d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\files\dbgeng.dll

Filesize
736KB

MD5
0e15cf36767154814fb8e6b61c726e19

SHA1
1f7bae6cb38aa8da60723ead126840f49e7af07d

SHA256
036ba93b0ffb331a11ce1ddabc19fc6fd41824dd053fdce3c1d3942910480f7b

SHA512
4135b5d3f3081369060ee915f8595fd86353277c2910cedd524b1df3494a51d56ef11247efac01770c3d4be43e6911ee1f2f77495d7250dd170c3965a8cd3d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\files\dbgeng.dll

Filesize
736KB

MD5
0e15cf36767154814fb8e6b61c726e19

SHA1
1f7bae6cb38aa8da60723ead126840f49e7af07d

SHA256
036ba93b0ffb331a11ce1ddabc19fc6fd41824dd053fdce3c1d3942910480f7b

SHA512
4135b5d3f3081369060ee915f8595fd86353277c2910cedd524b1df3494a51d56ef11247efac01770c3d4be43e6911ee1f2f77495d7250dd170c3965a8cd3d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\msiwrapper.ini

Filesize
1KB

MD5
b23f8ab0d76f1d37cfcdff22eb1d7477

SHA1
952fb7a68143fe653ebaab0bb9a94daac8ac42bf

SHA256
d25b8ca008d32689876b3b341da913fb8534dcd20b55b072cb54023507e44dbe

SHA512
304d933b95416f40494029e369208f90f0bd646064f3026a4202ecfec483905d19b6bf001f4a90cfed31a4aca78d85a9f38d75f486b73b240c5d6029daff610e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\msiwrapper.ini

Filesize
1010B

MD5
33e5d41f1aff949691628ea12adb25b7

SHA1
dfd8232d6b9a4799ab2ef2df78b634656b560159

SHA256
7224852d93652dd5f5f5f7d5e2736f79f2e4a19706f46033031d11b88a6157d3

SHA512
d7f3565b0e3656846515cb8d6e52029d22ffec89eb2be5625ad0c852ff0423db43a5bb701339612972c19f5ee27f5aca47e822ecb77a4d3edf71986dc81c1968

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\msiwrapper.ini

Filesize
1KB

MD5
f927a1637e715a8a3bf198fcbc951882

SHA1
0aaa420845bacb83178fa5afd128e9858eaa33a7

SHA256
301c7e6f344e328d2b4784ddd18d944db937d16bf995fead48a30735ea1ed481

SHA512
e4d7017a0f57e4c3268361bc14e7bedd9af25bc4d176895c9731aa534f18f188cb2633b9b95021fb4ecce5262555a2ff3acd765e48e05c8f882f9d73d6243b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9e7b9500-cd4a-4727-8cb9-73bdc114d02a\msiwrapper.ini

Filesize
1KB

MD5
f927a1637e715a8a3bf198fcbc951882

SHA1
0aaa420845bacb83178fa5afd128e9858eaa33a7

SHA256
301c7e6f344e328d2b4784ddd18d944db937d16bf995fead48a30735ea1ed481

SHA512
e4d7017a0f57e4c3268361bc14e7bedd9af25bc4d176895c9731aa534f18f188cb2633b9b95021fb4ecce5262555a2ff3acd765e48e05c8f882f9d73d6243b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d925dbca-4b59-46f9-aa0c-f3766f78fa29\files.cab

Filesize
7.4MB

MD5
b83947df52d309721510bf9a81e0c416

SHA1
ae184a1470f38799b1160b583fbd698f8b862dbc

SHA256
e1614873f215ac19d3cc4249c716e85cf999153a5418855f27dca5bb1563454e

SHA512
5867df7177256f8679d3cb4579e75e97c1643054fa434d19a8a3a920a9a1cfea8f0e05283f64c017c14e520619045129d21e168fea1bb94f5a84e55a2be353c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d925dbca-4b59-46f9-aa0c-f3766f78fa29\files\00147-1040811655.png

Filesize
1.3MB

MD5
7ec930b1536750116c13b06313286cf5

SHA1
adc543581e4acbaffd5593d07346296bbda1ede5

SHA256
1d18677415ff9d03c8e3accde3ab0786d33985f3d6b3855eca632c07fc4de547

SHA512
531887e99339aa19cef104226074cdbfb74d8e31cb535cf232b241f4cb05550ac33504ad58dc9b3eaa2c5dbb0a2eb32e9cc06a754b00618485d625ca4c3415db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d925dbca-4b59-46f9-aa0c-f3766f78fa29\files\data.bin

Filesize
92KB

MD5
8b305b67e45165844d2f8547a085d782

SHA1
92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722

SHA256
776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b

SHA512
2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d925dbca-4b59-46f9-aa0c-f3766f78fa29\files\data2.bin

Filesize
1.8MB

MD5
78ed007015a6be04035921a5c9881a3e

SHA1
3a3a7a8c84f192eaf3e399aacd630b95ee848005

SHA256
43ebb3f62d6ddfc43ffea5b7de0c4992db1920591f19552148c36863ef16f454

SHA512
6b8453a28db2a154667c794c12c73f9426fc145f56f7a3d884eef8d7fff9076feec202f1c2e90899701caf952c6778266e851c852c1858b5aef0caafd3bb3e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d925dbca-4b59-46f9-aa0c-f3766f78fa29\files\dbgeng.dll

Filesize
736KB

MD5
0e15cf36767154814fb8e6b61c726e19

SHA1
1f7bae6cb38aa8da60723ead126840f49e7af07d

SHA256
036ba93b0ffb331a11ce1ddabc19fc6fd41824dd053fdce3c1d3942910480f7b

SHA512
4135b5d3f3081369060ee915f8595fd86353277c2910cedd524b1df3494a51d56ef11247efac01770c3d4be43e6911ee1f2f77495d7250dd170c3965a8cd3d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d925dbca-4b59-46f9-aa0c-f3766f78fa29\files\dbgeng.dll

Filesize
736KB

MD5
0e15cf36767154814fb8e6b61c726e19

SHA1
1f7bae6cb38aa8da60723ead126840f49e7af07d

SHA256
036ba93b0ffb331a11ce1ddabc19fc6fd41824dd053fdce3c1d3942910480f7b

SHA512
4135b5d3f3081369060ee915f8595fd86353277c2910cedd524b1df3494a51d56ef11247efac01770c3d4be43e6911ee1f2f77495d7250dd170c3965a8cd3d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d925dbca-4b59-46f9-aa0c-f3766f78fa29\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d925dbca-4b59-46f9-aa0c-f3766f78fa29\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d925dbca-4b59-46f9-aa0c-f3766f78fa29\msiwrapper.ini

Filesize
1010B

MD5
83cb7e58ff3fb3e2a4f6f24a1c69a947

SHA1
2f660518e55c2f22692e1cfb8674826d96d8f4b0

SHA256
41b7b5fcd04ce0a3ba6fc177ebabaa4e22208d54d77dd9d2f614015bf5fa8094

SHA512
3ad5ae3d3c4d8628113ba7c7178c4ee2262b69585c474711767daec1131347be1b4249cff6164718b2f24d8eace01cfddc699053e929ab35c472ac4a2d72efda

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d925dbca-4b59-46f9-aa0c-f3766f78fa29\msiwrapper.ini

Filesize
1KB

MD5
09c95845d22b6f50229856396a2b1671

SHA1
9ff8537f205f53abbc3a536e73a7a15dcab7179e

SHA256
7822cf163d8bb323fcabe16e17c80baf3045e4c4575b5ce6b5e65af60b8b7f18

SHA512
b6ae200555dcdaea60fb003b54e000f356c32e677c41647aab78adbc557b9020fdd9cabf2c4f97e548ec2e8345c4252e6757c536b2c27c3d0be674d73bbb21e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d925dbca-4b59-46f9-aa0c-f3766f78fa29\msiwrapper.ini

Filesize
1KB

MD5
09c95845d22b6f50229856396a2b1671

SHA1
9ff8537f205f53abbc3a536e73a7a15dcab7179e

SHA256
7822cf163d8bb323fcabe16e17c80baf3045e4c4575b5ce6b5e65af60b8b7f18

SHA512
b6ae200555dcdaea60fb003b54e000f356c32e677c41647aab78adbc557b9020fdd9cabf2c4f97e548ec2e8345c4252e6757c536b2c27c3d0be674d73bbb21e6

Download Submit
C:\Windows\Installer\MSI1A1.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI1A1.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI20A4.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI20A4.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI749B.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI749B.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI9B5F.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI9B5F.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI9B5F.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIB1D7.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIB1D7.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\e57fec5.msi

Filesize
7.7MB

MD5
18c9c1bebd252bab26e3c70ab68b42a7

SHA1
4dc001042ed6f010791afe5cd70bfaf62b3f16af

SHA256
6dc4038ca3be24398610616685e954a5ce843ebcc08d3bd97ca472f6d0834b2c

SHA512
52d48a5c4f97978828afbdf691e494583cd9d60b34567ad1df45fe6ba5eca681541d89be7b1e701eb71181a52c2252d0a2d2b172b7bc05a440afe252009cb1d2

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
168KB

MD5
42ab2fa00ca86805bf0546ba570394d8

SHA1
a8380f7909820e201e9db83dcd16e071802400e2

SHA256
7c8d314bdef3a4736dcb15d00f2db45aa39ebe2ead61100d86d34091f80a5395

SHA512
638e539429c56a9dd3d39c874c9555e893d5df47754f148fa5fa8facdc65b5eaea057d7e99c710a4185e5a906b150e5b4d27e9ecd9205c54c185a2a014923153

Download Submit
C:\Windows\LOGS\DPX\setupact.log

Filesize
169KB

MD5
393edc1835ee617529218cd29cc297d0

SHA1
34376838873799b6b353372a08d71b25e9da4618

SHA256
11ed773a7c2a627c2f735f3bcc2c634d0ac73ace45eb3c3d171b05962011667a

SHA512
4d0d143a63ab660c092242bf378023a0ad4652ede24b245727ce5f7c083747c9ec9edd195867b3ced7fd1417e48b425087f863ca25abd3e1d691d2e08acd510b

Download Submit
C:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
1bc381940e49d4f915824529cd2b850a

SHA1
df451dc30c4a3bb3a4e68edc39822fa2b1b01d7e

SHA256
49f7ae4a28baf33bf811f01e6b3e8ef32b9eff28c53a1c9264aa0e91a3d00ead

SHA512
ca9d4b0d8ffd8babb51db43573a60d5085a8abaca6b526b65189416fa7922d4eb5f7d56819c2df4f17563ea72eec0b1c559e0f28c97dc9311afffbaa4b7d8ca0

Download Submit
\??\Volume{03226c32-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1c7860a1-6bb7-4af5-8153-8cac53def83c}_OnDiskSnapshotProp

Filesize
5KB

MD5
42c7a6dd2b52bcde5f0b2ab2c2cd8a0d

SHA1
7fa4b3b1d44aa83ffa13db265c1e28eb325b5684

SHA256
f77d5d06932e7300edbdd5bd13bb977f4b6ede99fdc136603047e5fd187f142c

SHA512
df5dbcb3415417c87ce86e10510113038de62cff6cf4b55968401246ae6d9dd0643dda834b0c19d4f279e3cbb4a58a754b72a57049a7555870a7a938e88ac18a

Download Submit
\??\c:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\tmpa\script.au3

Filesize
499KB

MD5
dadd841301a9e91a1f2fee0ac37a94a5

SHA1
64f43876eeaae2b091cfc820353bf903290482d3

SHA256
53e48b6b1edb8299333b19bca07327a3e706d42ee57bc44e239e7de642405fe5

SHA512
c6b26acea5ff78ec9d03db93b27ef864ba0fae1b7b5ee724c8be208d51dbedd7ef380b6aace17a1b3641308c75a538ee6c2259adb073b4fdef9ae1f54cd3e30e

Download Submit
\??\c:\tmpa\script.au3

Filesize
499KB

MD5
dadd841301a9e91a1f2fee0ac37a94a5

SHA1
64f43876eeaae2b091cfc820353bf903290482d3

SHA256
53e48b6b1edb8299333b19bca07327a3e706d42ee57bc44e239e7de642405fe5

SHA512
c6b26acea5ff78ec9d03db93b27ef864ba0fae1b7b5ee724c8be208d51dbedd7ef380b6aace17a1b3641308c75a538ee6c2259adb073b4fdef9ae1f54cd3e30e

Download Submit
\??\c:\tmpa\script.au3

Filesize
499KB

MD5
dadd841301a9e91a1f2fee0ac37a94a5

SHA1
64f43876eeaae2b091cfc820353bf903290482d3

SHA256
53e48b6b1edb8299333b19bca07327a3e706d42ee57bc44e239e7de642405fe5

SHA512
c6b26acea5ff78ec9d03db93b27ef864ba0fae1b7b5ee724c8be208d51dbedd7ef380b6aace17a1b3641308c75a538ee6c2259adb073b4fdef9ae1f54cd3e30e

Download Submit
memory/1368-222-0x0000000002830000-0x0000000002930000-memory.dmp

Filesize
1024KB

Download
memory/1368-228-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1632-351-0x0000000000F60000-0x0000000001360000-memory.dmp

Filesize
4.0MB

Download
memory/1632-358-0x0000000003E00000-0x000000000412A000-memory.dmp

Filesize
3.2MB

Download
memory/1632-359-0x0000000003E00000-0x000000000412A000-memory.dmp

Filesize
3.2MB

Download
memory/3496-95-0x0000000001380000-0x000000000143D000-memory.dmp

Filesize
756KB

Download
memory/3496-99-0x0000000002C30000-0x0000000002D30000-memory.dmp

Filesize
1024KB

Download
memory/3496-104-0x0000000001380000-0x000000000143D000-memory.dmp

Filesize
756KB

Download
memory/3512-124-0x0000000004BC0000-0x0000000004EEA000-memory.dmp

Filesize
3.2MB

Download
memory/3512-123-0x0000000004BC0000-0x0000000004EEA000-memory.dmp

Filesize
3.2MB

Download
memory/3512-107-0x00000000019F0000-0x0000000001DF0000-memory.dmp

Filesize
4.0MB

Download
memory/3784-365-0x000000000B3B0000-0x000000000B6DA000-memory.dmp

Filesize
3.2MB

Download
memory/3784-362-0x000000000B3B0000-0x000000000B6DA000-memory.dmp

Filesize
3.2MB

Download
memory/3784-361-0x0000000003CF0000-0x0000000003EF0000-memory.dmp

Filesize
2.0MB

Download
memory/3992-347-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3992-341-0x0000000002490000-0x0000000002590000-memory.dmp

Filesize
1024KB

Download
memory/4940-231-0x00000000014E0000-0x00000000018E0000-memory.dmp

Filesize
4.0MB

Download
memory/4940-232-0x00000000043B0000-0x00000000046DA000-memory.dmp

Filesize
3.2MB

Download