Analysis Overview
SHA256
b85d5fa9ff6d33988a931233a84a3545f0066dc0fc6c066d3465f0e090fd1c1a
Threat Level: Known bad
The file 01112023_2235_InstallerStart.msi was found to be: Known bad.
Malicious Activity Summary
DarkGate
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
Enumerates connected drives
Drops file in Windows directory
Suspicious use of AdjustPrivilegeToken
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-01 14:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-01 14:35
Reported
2023-11-01 14:38
Platform
win7-20231025-en
Max time kernel
121s
Max time network
127s
Command Line
Signatures
DarkGate
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files\windbg.exe | N/A |
| N/A | N/A | \??\c:\tmpa\Autoit3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files\windbg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files\windbg.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\f77474e.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI513C.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setupact.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setuperr.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
| File opened for modification | C:\Windows\Installer\f77474e.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f77474d.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f77474d.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpa\Autoit3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpa\Autoit3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\01112023_2235_InstallerStart.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003D8" "00000000000005B4"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7DD0B19FA3A417C0FC05E929862481D0
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files\windbg.exe
"C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files\windbg.exe"
\??\c:\tmpa\Autoit3.exe
c:\tmpa\Autoit3.exe c:\tmpa\script.au3
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files"
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Network
Files
C:\Windows\Installer\MSI513C.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
\Windows\Installer\MSI513C.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\msiwrapper.ini
| MD5 | 9463c6f1dc90ad7d44eea24e1c13d4b8 |
| SHA1 | a772d2f546bf8a8bd7c5e3721056d1eb0358c4c7 |
| SHA256 | 83af6407539fd87d6192466d5148cc6c6dca5bfc4963f95c98e0b9aa2955e3d0 |
| SHA512 | c29a30771d50c5d096126e76c81087bf709de6cfa1d564fdbfb558e199bbc5d7989c6698121b78e6a654889e872097226e8f6abd62810b6e051287f0f56693af |
C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\msiwrapper.ini
| MD5 | 76e3f0a3e5ffa39f1f251977d5dce26d |
| SHA1 | 5b79459ebb787a8b014f3a9e1413f7e2d9be21d1 |
| SHA256 | 4f42abe124cf0a469b2981324bceb8f390da9cb55f0970181fb92c441bb589c4 |
| SHA512 | b2e54497c54d975ec8a354fd08f36d44e3ab06bb6a54cc9d51eb8b56422db8842d7dc71c34e1a71bb8efc9a9b28e27417a3e90f4f222d260ce927cbfb9334258 |
C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\msiwrapper.ini
| MD5 | 76e3f0a3e5ffa39f1f251977d5dce26d |
| SHA1 | 5b79459ebb787a8b014f3a9e1413f7e2d9be21d1 |
| SHA256 | 4f42abe124cf0a469b2981324bceb8f390da9cb55f0970181fb92c441bb589c4 |
| SHA512 | b2e54497c54d975ec8a354fd08f36d44e3ab06bb6a54cc9d51eb8b56422db8842d7dc71c34e1a71bb8efc9a9b28e27417a3e90f4f222d260ce927cbfb9334258 |
C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files.cab
| MD5 | d12b07b0baf7a9307bf9c5ef48406ddf |
| SHA1 | 0e4e90ae55fea3e60a1714a742f6376a4d0b6af7 |
| SHA256 | ae53c62cc179058592d26ced614afd45f7199480593635de1e09b425497f7936 |
| SHA512 | 6cd66886f4749558d8a026221f0a941f98d7c0424e5b8d3d89a4a1890118749681f043015cefed7573bedd038dd6ab434a80c047a39e1ee3238a8ce4e22fb40f |
C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
memory/2200-103-0x0000000000170000-0x00000000001CE000-memory.dmp
\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files\dbgeng.dll
| MD5 | 335f090d924818a80f31463d328b2ee5 |
| SHA1 | c4e147102f9c4d4d91f23f832db5880925460123 |
| SHA256 | 4085eeda23270ed9cb734bd3b29189a3eae7c3659fe3c5f4c9dc5d2cb2b5d97e |
| SHA512 | e3071caa6f142c32691fcca44578235d67666df2aad56052f2b35ba05d21bce78fff7018152e68f81a975c3882606688d986b3fdda02f3b9a319deb33fb03f3a |
C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files\dbgeng.dll
| MD5 | 335f090d924818a80f31463d328b2ee5 |
| SHA1 | c4e147102f9c4d4d91f23f832db5880925460123 |
| SHA256 | 4085eeda23270ed9cb734bd3b29189a3eae7c3659fe3c5f4c9dc5d2cb2b5d97e |
| SHA512 | e3071caa6f142c32691fcca44578235d67666df2aad56052f2b35ba05d21bce78fff7018152e68f81a975c3882606688d986b3fdda02f3b9a319deb33fb03f3a |
C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files\data.bin
| MD5 | 8b305b67e45165844d2f8547a085d782 |
| SHA1 | 92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722 |
| SHA256 | 776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b |
| SHA512 | 2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6 |
memory/2200-106-0x0000000000410000-0x000000000049A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files\data2.bin
| MD5 | 7c1cb3e8b4c0b5d1dc3c84e413071ecc |
| SHA1 | b0c6cedb7b67c6df7120784f8deee4f6e4f9bc94 |
| SHA256 | a8ed76f33565320c28e8a52b049aae1c1e3183b1e2d2ff0fbdee1d01b6c9ac4a |
| SHA512 | 7af347a8e1a1c3d185a714d7c07036b45c085a2e9f72b62aaaa1e4688c29d28570a30604e528ddae0ccd77ed538018b59c2fe8b0521d4ffbd5d269e692e48966 |
\tmpa\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\tmpa\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/2200-113-0x0000000000170000-0x00000000001CE000-memory.dmp
memory/2200-114-0x0000000000410000-0x000000000049A000-memory.dmp
\??\c:\tmpa\script.au3
| MD5 | b3f867e0aa0c58ee7cf0756b0db3d7e2 |
| SHA1 | cda0192ef1aedbb4712f140dead1fb3209b35e32 |
| SHA256 | 524383695520433a4bbd44ef0581fce81ec2458b6743f3aedec5157179f42008 |
| SHA512 | 3c17b6593da4c2b6a5a5e0a88aa1f36182469763d77783fdee0fc2b8dfbcb6221e7eff029ee30def4655e26b6c560b2f4ed66a2c9c533e0a2e5d7ba301484a0e |
memory/1376-120-0x0000000000A70000-0x0000000000E70000-memory.dmp
memory/1376-119-0x0000000002F70000-0x0000000003105000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files\00000-~1.PNG
| MD5 | c5f6eb13db175fbcd0925434424df781 |
| SHA1 | 2197137928fff79f8b11e966ffb6a9eb5112a3c8 |
| SHA256 | 6571ea1fa9e8427418ab40ab1ea6e1555b7c59a2579b2f34dded39d81e8def50 |
| SHA512 | 40eca3c9a3c2ca653c5c78d1205250b2077265ad5cfb9609a6b34649699b62236c61d5cdb415767749ff86e91afe6830d98e6f5eb3390b2c57d28b4a45a220a4 |
C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files\00005-~1.PNG
| MD5 | 66732fccbeee97415b033c017e594196 |
| SHA1 | 6db8fada912e6ea219b526cbe1a136a6afdabffb |
| SHA256 | dbefd6274b1ffc0d387d76972a9d93ea862d3be451aa3d0b8e0335708136addc |
| SHA512 | 70b11b616b108e284d8f47e9881db5c15e2a5d8ee41d6d0e26b43de19203811da6402e8f47d1845bc30e9ba8cbe71195c8594723c5ac966521dda2dc39f4a248 |
C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files\00004-~1.PNG
| MD5 | 2ccc17c1a5bb5e656e7f3bb09ff0beff |
| SHA1 | 05866cf7dd5fa99ea852b01c2791b30e7741ea19 |
| SHA256 | 411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2 |
| SHA512 | 46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5 |
C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files\00003-~1.PNG
| MD5 | 3f3788816f75078edb9817a98259a223 |
| SHA1 | 1eb191dd0dcff72f5922aa775dc95dced7967bd5 |
| SHA256 | a2f02cb0c6dbba41b8a4572c4546fbb7216efe8dc18ccef16e1a14d7f8ccddd0 |
| SHA512 | 2c17408796ba518ad117983526f5c0380a36b6f18974132a69923e95288c3ced9ca05e615ea5d567bde100c4cd8469bf172daba96f4e5032520ccb75560d5b62 |
C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files\00002-~1.PNG
| MD5 | 92028b5b43ea981f2172f2e9ce6556bf |
| SHA1 | 6da86abe3bc0caf500908ec7b8e841b797948fec |
| SHA256 | 7d5d5115c1f29592dba340a167e7144a539df8201578913fbbbb428b26d8c7ed |
| SHA512 | 1af0cb17ff6b09c49c0ea7433d665b123ea7e7c6a46c06088bfaeaee3a3ce01aab27105a36f906a17dc0c29c830ef54fb4b005b47cdecd3612ce9f0d3059c62f |
C:\Users\Admin\AppData\Local\Temp\MW-dd291f4c-71c3-4ebb-91fc-3be7771eaaac\files\00001-~1.PNG
| MD5 | a384c8b03d6d72e9f9e268d265e8b435 |
| SHA1 | 3b238b66b33e2dc191da037973a79f01d50ee2d4 |
| SHA256 | 9310b4483d9e20dfdc28e8603a026f0c52b07089a290955629970b96a51b977b |
| SHA512 | 94ada636935ecf52ce4625b23216b0dde06e58fd09f34a4727531bf5299d45b5e705b8c043713f14cc8c007ba82645a0dc54402badea418bf3677967c960c565 |
memory/1376-129-0x0000000000A70000-0x0000000000E70000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-01 14:35
Reported
2023-11-01 14:38
Platform
win10v2004-20231023-en
Max time kernel
141s
Max time network
148s
Command Line
Signatures
DarkGate
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\files\windbg.exe | N/A |
| N/A | N/A | \??\c:\tmpa\Autoit3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\files\windbg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\files\windbg.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIDF01.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIF27B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e58d898.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
| File opened for modification | C:\Windows\Installer\MSIF26B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e58d898.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{5E874B2C-AA19-4184-B9DB-463F73B129F6} | C:\Windows\system32\msiexec.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000326c22034809cb6a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000326c22030000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900326c2203000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d326c2203000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000326c220300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpa\Autoit3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpa\Autoit3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\01112023_2235_InstallerStart.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding B8C60151F7A7BA8B2A4D4A00CEE98051
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\files\windbg.exe
"C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\files\windbg.exe"
\??\c:\tmpa\Autoit3.exe
c:\tmpa\Autoit3.exe c:\tmpa\script.au3
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.177.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.1.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.2.85.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 170.117.168.52.in-addr.arpa | udp |
Files
C:\Windows\Installer\MSIDF01.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
C:\Windows\Installer\MSIDF01.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\msiwrapper.ini
| MD5 | 8cf5993cd4b2ba7d54f43e7036347557 |
| SHA1 | 9199e9862eacd056c8f0ac7922a691d7fe818766 |
| SHA256 | a1da1f1b222f5cda24e79c85039b7582d680a80f5846df344287aa2e867a6877 |
| SHA512 | 1ac29b16c2b9767bb2c5e2a1ed6acdd2c99ca6c5998e86ef12a9432f74fb7dab4ea3dfae32fb15f0e1046554a3ff8b8bf02efa63b7b416584c62eccc0622e9bf |
C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\msiwrapper.ini
| MD5 | 4f0539cdbde82bb0786bfe38489be4c3 |
| SHA1 | 7703828a00d7bb1869e10ce8095e768cfadc1686 |
| SHA256 | d7643251d7e249893ba8d4a5d2a4bd4b5273489903445f2961c39707ee63e053 |
| SHA512 | 3573a792fff537c86fcf05117f4060e856b84b50a571daf5d3d6f8b74ace3be5ba2ba25a50f270eac221955e0860a70b25e84bfd34bf1830cf18b92d00ae2b9d |
C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\files.cab
| MD5 | d12b07b0baf7a9307bf9c5ef48406ddf |
| SHA1 | 0e4e90ae55fea3e60a1714a742f6376a4d0b6af7 |
| SHA256 | ae53c62cc179058592d26ced614afd45f7199480593635de1e09b425497f7936 |
| SHA512 | 6cd66886f4749558d8a026221f0a941f98d7c0424e5b8d3d89a4a1890118749681f043015cefed7573bedd038dd6ab434a80c047a39e1ee3238a8ce4e22fb40f |
C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\msiwrapper.ini
| MD5 | 4f0539cdbde82bb0786bfe38489be4c3 |
| SHA1 | 7703828a00d7bb1869e10ce8095e768cfadc1686 |
| SHA256 | d7643251d7e249893ba8d4a5d2a4bd4b5273489903445f2961c39707ee63e053 |
| SHA512 | 3573a792fff537c86fcf05117f4060e856b84b50a571daf5d3d6f8b74ace3be5ba2ba25a50f270eac221955e0860a70b25e84bfd34bf1830cf18b92d00ae2b9d |
C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\files\dbgeng.dll
| MD5 | 335f090d924818a80f31463d328b2ee5 |
| SHA1 | c4e147102f9c4d4d91f23f832db5880925460123 |
| SHA256 | 4085eeda23270ed9cb734bd3b29189a3eae7c3659fe3c5f4c9dc5d2cb2b5d97e |
| SHA512 | e3071caa6f142c32691fcca44578235d67666df2aad56052f2b35ba05d21bce78fff7018152e68f81a975c3882606688d986b3fdda02f3b9a319deb33fb03f3a |
memory/4624-102-0x0000000000770000-0x00000000007CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\files\dbgeng.dll
| MD5 | 335f090d924818a80f31463d328b2ee5 |
| SHA1 | c4e147102f9c4d4d91f23f832db5880925460123 |
| SHA256 | 4085eeda23270ed9cb734bd3b29189a3eae7c3659fe3c5f4c9dc5d2cb2b5d97e |
| SHA512 | e3071caa6f142c32691fcca44578235d67666df2aad56052f2b35ba05d21bce78fff7018152e68f81a975c3882606688d986b3fdda02f3b9a319deb33fb03f3a |
C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\files\dbgeng.dll
| MD5 | 335f090d924818a80f31463d328b2ee5 |
| SHA1 | c4e147102f9c4d4d91f23f832db5880925460123 |
| SHA256 | 4085eeda23270ed9cb734bd3b29189a3eae7c3659fe3c5f4c9dc5d2cb2b5d97e |
| SHA512 | e3071caa6f142c32691fcca44578235d67666df2aad56052f2b35ba05d21bce78fff7018152e68f81a975c3882606688d986b3fdda02f3b9a319deb33fb03f3a |
C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\files\data.bin
| MD5 | 8b305b67e45165844d2f8547a085d782 |
| SHA1 | 92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722 |
| SHA256 | 776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b |
| SHA512 | 2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6 |
memory/4624-105-0x0000000002280000-0x000000000230A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\files\data2.bin
| MD5 | 7c1cb3e8b4c0b5d1dc3c84e413071ecc |
| SHA1 | b0c6cedb7b67c6df7120784f8deee4f6e4f9bc94 |
| SHA256 | a8ed76f33565320c28e8a52b049aae1c1e3183b1e2d2ff0fbdee1d01b6c9ac4a |
| SHA512 | 7af347a8e1a1c3d185a714d7c07036b45c085a2e9f72b62aaaa1e4688c29d28570a30604e528ddae0ccd77ed538018b59c2fe8b0521d4ffbd5d269e692e48966 |
C:\tmpa\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/4624-110-0x0000000000770000-0x00000000007CE000-memory.dmp
memory/4624-111-0x0000000002280000-0x000000000230A000-memory.dmp
\??\c:\tmpa\script.au3
| MD5 | b3f867e0aa0c58ee7cf0756b0db3d7e2 |
| SHA1 | cda0192ef1aedbb4712f140dead1fb3209b35e32 |
| SHA256 | 524383695520433a4bbd44ef0581fce81ec2458b6743f3aedec5157179f42008 |
| SHA512 | 3c17b6593da4c2b6a5a5e0a88aa1f36182469763d77783fdee0fc2b8dfbcb6221e7eff029ee30def4655e26b6c560b2f4ed66a2c9c533e0a2e5d7ba301484a0e |
C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\files\00005-3931689802.png
| MD5 | 66732fccbeee97415b033c017e594196 |
| SHA1 | 6db8fada912e6ea219b526cbe1a136a6afdabffb |
| SHA256 | dbefd6274b1ffc0d387d76972a9d93ea862d3be451aa3d0b8e0335708136addc |
| SHA512 | 70b11b616b108e284d8f47e9881db5c15e2a5d8ee41d6d0e26b43de19203811da6402e8f47d1845bc30e9ba8cbe71195c8594723c5ac966521dda2dc39f4a248 |
memory/2524-121-0x0000000001450000-0x0000000001850000-memory.dmp
memory/2524-122-0x0000000004250000-0x00000000043E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\files\00004-4001132497.png
| MD5 | 2ccc17c1a5bb5e656e7f3bb09ff0beff |
| SHA1 | 05866cf7dd5fa99ea852b01c2791b30e7741ea19 |
| SHA256 | 411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2 |
| SHA512 | 46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5 |
C:\Windows\Installer\MSIF27B.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
C:\Windows\Installer\MSIF27B.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\files\00003-1310450276.png
| MD5 | 3f3788816f75078edb9817a98259a223 |
| SHA1 | 1eb191dd0dcff72f5922aa775dc95dced7967bd5 |
| SHA256 | a2f02cb0c6dbba41b8a4572c4546fbb7216efe8dc18ccef16e1a14d7f8ccddd0 |
| SHA512 | 2c17408796ba518ad117983526f5c0380a36b6f18974132a69923e95288c3ced9ca05e615ea5d567bde100c4cd8469bf172daba96f4e5032520ccb75560d5b62 |
C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\files\00002-1969081335.png
| MD5 | 92028b5b43ea981f2172f2e9ce6556bf |
| SHA1 | 6da86abe3bc0caf500908ec7b8e841b797948fec |
| SHA256 | 7d5d5115c1f29592dba340a167e7144a539df8201578913fbbbb428b26d8c7ed |
| SHA512 | 1af0cb17ff6b09c49c0ea7433d665b123ea7e7c6a46c06088bfaeaee3a3ce01aab27105a36f906a17dc0c29c830ef54fb4b005b47cdecd3612ce9f0d3059c62f |
C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\msiwrapper.ini
| MD5 | 356991b5418340e0cf604b19a4e9beb3 |
| SHA1 | f9688bcdfdf727dd626b777ad83fc4fd3055dc61 |
| SHA256 | 6c33946be4f7d355d20f801ea45fd875656122df34297c4c62510d7dc3106214 |
| SHA512 | d79692b0ca1c273a45f37ba6f500933b9af9c6e7f661c7205df2be112430bd46daf6a023dce75a7851ccfcd72c8f9343b5c81241476243b43b78adbbf9a38693 |
C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\files\00001-3764640629.png
| MD5 | a384c8b03d6d72e9f9e268d265e8b435 |
| SHA1 | 3b238b66b33e2dc191da037973a79f01d50ee2d4 |
| SHA256 | 9310b4483d9e20dfdc28e8603a026f0c52b07089a290955629970b96a51b977b |
| SHA512 | 94ada636935ecf52ce4625b23216b0dde06e58fd09f34a4727531bf5299d45b5e705b8c043713f14cc8c007ba82645a0dc54402badea418bf3677967c960c565 |
C:\Users\Admin\AppData\Local\Temp\MW-3bdb337a-392e-4ca7-944b-098dcd6f89cb\files\00000-602071660.png
| MD5 | c5f6eb13db175fbcd0925434424df781 |
| SHA1 | 2197137928fff79f8b11e966ffb6a9eb5112a3c8 |
| SHA256 | 6571ea1fa9e8427418ab40ab1ea6e1555b7c59a2579b2f34dded39d81e8def50 |
| SHA512 | 40eca3c9a3c2ca653c5c78d1205250b2077265ad5cfb9609a6b34649699b62236c61d5cdb415767749ff86e91afe6830d98e6f5eb3390b2c57d28b4a45a220a4 |
\??\Volume{03226c32-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bcd618c9-10d2-44a4-9393-ae2e8ba9c8d9}_OnDiskSnapshotProp
| MD5 | f440b183bebeeb0b70e917c779835b8f |
| SHA1 | 132cc2df6f64bed249ace8b7c97646aa163a4b49 |
| SHA256 | 3d730894a77e3a7aff8570fa0058eb09e7028c4bd1b7ff689646e2abab9801bd |
| SHA512 | 90c14d48139b335fa0e365308c82fb3e5962f900d8f8b75f2725197cc7f5b5e6773b1933502dd76e557077fd115493ffeb86db50f974499000d9a928f500b65c |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 1cc611f0225fb0c9bd111741bb0afece |
| SHA1 | a5688c51a8d4c50cd48d82bbec246ec6bd09709c |
| SHA256 | 75294e90c4c793228301024cd2f9105e3cc26ba8518fefdf277cda70a799f148 |
| SHA512 | a7a8e39085eef55610b25acecb77b08e2c09574b66c4e19c107418dd9848664fc95327ec859618d06810c413fb82e210d2f674de538cfac56858f04a916d5514 |
memory/2524-133-0x0000000004250000-0x00000000043E5000-memory.dmp