Analysis Overview
SHA256
32039dccac205468c9f43636815e636f4dc821081f495f4bacebbbaa6f05818d
Threat Level: Known bad
The file 02112023_2233_00pack.msi was found to be: Known bad.
Malicious Activity Summary
DarkGate
Loads dropped DLL
Executes dropped EXE
Modifies file permissions
Enumerates connected drives
Drops file in Windows directory
Uses Volume Shadow Copy service COM API
Checks processor information in registry
Suspicious use of AdjustPrivilegeToken
Checks SCSI registry key(s)
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-02 14:33
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-02 14:33
Reported
2023-11-02 14:36
Platform
win7-20231020-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
DarkGate
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe | N/A |
| N/A | N/A | \??\c:\tmpa\Autoit3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f768ec9.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setuperr.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f768ec8.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f768ec8.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI9138.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setupact.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
| File opened for modification | C:\Windows\Installer\f768ec9.ipi | C:\Windows\system32\msiexec.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpa\Autoit3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpa\Autoit3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\02112023_2233_00pack.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B0" "0000000000000060"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E9BADD34C05C8ED70E05D033ADDE8651
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe
"C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe"
\??\c:\tmpa\Autoit3.exe
c:\tmpa\Autoit3.exe c:\tmpa\script.au3
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files"
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Network
Files
C:\Windows\Installer\MSI9138.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
\Windows\Installer\MSI9138.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\msiwrapper.ini
| MD5 | 8435bc2220b68c99adcf0bfd36e24d8e |
| SHA1 | be75d523e4d440254f8d80f6ebe4346c978419cb |
| SHA256 | 11bb2fee41943ec796ea1ee7bdfeb49aaa19ffef20f60eb668699f9e6541a61f |
| SHA512 | 717f730de3b125dd5c6f03fd9e5233ca4012efae56a5e037aee6bfe69a28de5430e2999f5e399ec19133fc45d0d3d795328ef7f958ec95b035a9d41b6202ef3b |
C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\msiwrapper.ini
| MD5 | 7de2863163798786b1f14301e13ebc8b |
| SHA1 | a99b4ad536d4e6593b9f76eb845d04cfe9e4b324 |
| SHA256 | da135c23897f7564b19452e7411b465fa7f3330943a6ce5d0375c569207f9fec |
| SHA512 | 984023faeb532857c1b69ebff6a241447eaa687bb7a65f48fa55e1f611f2689ddd761b5949101f80ad2d5014810550af89d5e215d44eb25285d1072e67d25ad8 |
C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\msiwrapper.ini
| MD5 | 7de2863163798786b1f14301e13ebc8b |
| SHA1 | a99b4ad536d4e6593b9f76eb845d04cfe9e4b324 |
| SHA256 | da135c23897f7564b19452e7411b465fa7f3330943a6ce5d0375c569207f9fec |
| SHA512 | 984023faeb532857c1b69ebff6a241447eaa687bb7a65f48fa55e1f611f2689ddd761b5949101f80ad2d5014810550af89d5e215d44eb25285d1072e67d25ad8 |
C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files.cab
| MD5 | f8ceecca1884b37c9042a24286112b40 |
| SHA1 | 917c4066ca6071aa29ac51a09038bc6a451cd43a |
| SHA256 | 59b366a3c5a6132530fb9fbba7cd60d0558865e3e1d7c98e22c820608d13dc5d |
| SHA512 | 2d880cf0dafc731acd986c8d7b63fc18b86690aefae4f669438aae1134942b02a177d78677d7558eb1c7073fe891d830db49437913f7937bf201c7b5cb4b01d6 |
C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\dbgeng.dll
| MD5 | 335f090d924818a80f31463d328b2ee5 |
| SHA1 | c4e147102f9c4d4d91f23f832db5880925460123 |
| SHA256 | 4085eeda23270ed9cb734bd3b29189a3eae7c3659fe3c5f4c9dc5d2cb2b5d97e |
| SHA512 | e3071caa6f142c32691fcca44578235d67666df2aad56052f2b35ba05d21bce78fff7018152e68f81a975c3882606688d986b3fdda02f3b9a319deb33fb03f3a |
C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\dbgeng.dll
| MD5 | 335f090d924818a80f31463d328b2ee5 |
| SHA1 | c4e147102f9c4d4d91f23f832db5880925460123 |
| SHA256 | 4085eeda23270ed9cb734bd3b29189a3eae7c3659fe3c5f4c9dc5d2cb2b5d97e |
| SHA512 | e3071caa6f142c32691fcca44578235d67666df2aad56052f2b35ba05d21bce78fff7018152e68f81a975c3882606688d986b3fdda02f3b9a319deb33fb03f3a |
C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\data.bin
| MD5 | 8b305b67e45165844d2f8547a085d782 |
| SHA1 | 92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722 |
| SHA256 | 776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b |
| SHA512 | 2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6 |
C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\data2.bin
| MD5 | c07d78df2948c22e08ed45e1caac323a |
| SHA1 | 8436e0864fa52002039147b6fe178c4804b5d10f |
| SHA256 | e807b074cceef5e7d939c1d717467fd1d5cb5e68de46fd405cd3c1d4add6e582 |
| SHA512 | 876b6c9ca25d45f9c4a2dcd24c9a8e385f148ff48518aa4e8cf298c24daf2a878323391e76ca893abe22dc6e9a33ef7f0461676f35802bbe57ade77ffe90c340 |
memory/2004-102-0x0000000000460000-0x00000000004EA000-memory.dmp
\tmpa\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\tmpa\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/2004-109-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2004-110-0x0000000000460000-0x00000000004EA000-memory.dmp
\??\c:\tmpa\script.au3
| MD5 | 48eeb1337636486be6435ded79fe941d |
| SHA1 | 015f1736bbca8bd9af17fb8e3548d65b55d56a0d |
| SHA256 | 21052c7eb3b48e77a2c274a163256c433df776709fd22b98dcd34f64ecf0f1dd |
| SHA512 | a00c033b11d65dad96efe5d3589704a68588e482407bd239a7c3adbf3d023abe2eabbc87f556059a1be16cdc32969ab71863e95ac96403adffca3ca74696a3db |
memory/1068-116-0x0000000002F60000-0x00000000030F5000-memory.dmp
memory/1068-115-0x0000000000810000-0x0000000000C10000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\00000-~1.PNG
| MD5 | c5f6eb13db175fbcd0925434424df781 |
| SHA1 | 2197137928fff79f8b11e966ffb6a9eb5112a3c8 |
| SHA256 | 6571ea1fa9e8427418ab40ab1ea6e1555b7c59a2579b2f34dded39d81e8def50 |
| SHA512 | 40eca3c9a3c2ca653c5c78d1205250b2077265ad5cfb9609a6b34649699b62236c61d5cdb415767749ff86e91afe6830d98e6f5eb3390b2c57d28b4a45a220a4 |
C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\00005-~1.PNG
| MD5 | 66732fccbeee97415b033c017e594196 |
| SHA1 | 6db8fada912e6ea219b526cbe1a136a6afdabffb |
| SHA256 | dbefd6274b1ffc0d387d76972a9d93ea862d3be451aa3d0b8e0335708136addc |
| SHA512 | 70b11b616b108e284d8f47e9881db5c15e2a5d8ee41d6d0e26b43de19203811da6402e8f47d1845bc30e9ba8cbe71195c8594723c5ac966521dda2dc39f4a248 |
C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\00004-~1.PNG
| MD5 | 2ccc17c1a5bb5e656e7f3bb09ff0beff |
| SHA1 | 05866cf7dd5fa99ea852b01c2791b30e7741ea19 |
| SHA256 | 411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2 |
| SHA512 | 46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5 |
C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\00003-~1.PNG
| MD5 | 3f3788816f75078edb9817a98259a223 |
| SHA1 | 1eb191dd0dcff72f5922aa775dc95dced7967bd5 |
| SHA256 | a2f02cb0c6dbba41b8a4572c4546fbb7216efe8dc18ccef16e1a14d7f8ccddd0 |
| SHA512 | 2c17408796ba518ad117983526f5c0380a36b6f18974132a69923e95288c3ced9ca05e615ea5d567bde100c4cd8469bf172daba96f4e5032520ccb75560d5b62 |
C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\00002-~1.PNG
| MD5 | 92028b5b43ea981f2172f2e9ce6556bf |
| SHA1 | 6da86abe3bc0caf500908ec7b8e841b797948fec |
| SHA256 | 7d5d5115c1f29592dba340a167e7144a539df8201578913fbbbb428b26d8c7ed |
| SHA512 | 1af0cb17ff6b09c49c0ea7433d665b123ea7e7c6a46c06088bfaeaee3a3ce01aab27105a36f906a17dc0c29c830ef54fb4b005b47cdecd3612ce9f0d3059c62f |
C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\00001-~1.PNG
| MD5 | a384c8b03d6d72e9f9e268d265e8b435 |
| SHA1 | 3b238b66b33e2dc191da037973a79f01d50ee2d4 |
| SHA256 | 9310b4483d9e20dfdc28e8603a026f0c52b07089a290955629970b96a51b977b |
| SHA512 | 94ada636935ecf52ce4625b23216b0dde06e58fd09f34a4727531bf5299d45b5e705b8c043713f14cc8c007ba82645a0dc54402badea418bf3677967c960c565 |
memory/1068-125-0x0000000000810000-0x0000000000C10000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-02 14:33
Reported
2023-11-02 14:36
Platform
win10v2004-20231023-en
Max time kernel
136s
Max time network
147s
Command Line
Signatures
DarkGate
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\windbg.exe | N/A |
| N/A | N/A | \??\c:\tmpa\Autoit3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\windbg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\windbg.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\e59717d.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
| File opened for modification | C:\Windows\Installer\MSI9D12.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI741D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
| File opened for modification | C:\Windows\Installer\MSI9D61.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e59717d.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{55C146AB-B7F0-42D4-AD6E-0B25F80D0552} | C:\Windows\system32\msiexec.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000064ad0c2742b1dab0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000064ad0c20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900064ad0c2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d064ad0c2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000064ad0c200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpa\Autoit3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpa\Autoit3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\02112023_2233_00pack.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 5AAD83334083EEAB12443C3637FA4EBB
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\windbg.exe
"C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\windbg.exe"
\??\c:\tmpa\Autoit3.exe
c:\tmpa\Autoit3.exe c:\tmpa\script.au3
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\." /SETINTEGRITYLEVEL (CI)(OI)LOW
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 155.245.36.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.23.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.246.36.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 27.73.42.20.in-addr.arpa | udp |
Files
C:\Windows\Installer\MSI741D.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
C:\Windows\Installer\MSI741D.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\msiwrapper.ini
| MD5 | 47902af84156be97b6d19a1b34c8d1dd |
| SHA1 | a81f76568916851856813dbe3d4bd3f70d315e41 |
| SHA256 | 648beb1847a35fa70635f249c07ce49ce5e4b124e0037ffd64e69d375da08cce |
| SHA512 | 042e8a708d57fbf0b4c068f50f567740caab582d0f1807f8bf375b65e654d2cad26521b35f1f1d8a09bd0033bd44f1d8b1b8bd1a387f8c751ff483db90b8e6ea |
C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\msiwrapper.ini
| MD5 | c0d10733dc4db0547b480d645f36f460 |
| SHA1 | a85f51386df37771a6716d782ab282adfe27ba03 |
| SHA256 | 57bcfab63a33627c347f5dc0d6ebd408b614f9378f9e7e826fde3a86ba260ac3 |
| SHA512 | 44560d58b1d2aba6a79ba5d0e56893dec95d2e30e7e3fd962c7ae75923dafe4a962fce5a048239c5b444df8b26280b9c1565a91e41c09d7039c143d530844225 |
C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files.cab
| MD5 | f8ceecca1884b37c9042a24286112b40 |
| SHA1 | 917c4066ca6071aa29ac51a09038bc6a451cd43a |
| SHA256 | 59b366a3c5a6132530fb9fbba7cd60d0558865e3e1d7c98e22c820608d13dc5d |
| SHA512 | 2d880cf0dafc731acd986c8d7b63fc18b86690aefae4f669438aae1134942b02a177d78677d7558eb1c7073fe891d830db49437913f7937bf201c7b5cb4b01d6 |
C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\msiwrapper.ini
| MD5 | c0d10733dc4db0547b480d645f36f460 |
| SHA1 | a85f51386df37771a6716d782ab282adfe27ba03 |
| SHA256 | 57bcfab63a33627c347f5dc0d6ebd408b614f9378f9e7e826fde3a86ba260ac3 |
| SHA512 | 44560d58b1d2aba6a79ba5d0e56893dec95d2e30e7e3fd962c7ae75923dafe4a962fce5a048239c5b444df8b26280b9c1565a91e41c09d7039c143d530844225 |
C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\dbgeng.dll
| MD5 | 335f090d924818a80f31463d328b2ee5 |
| SHA1 | c4e147102f9c4d4d91f23f832db5880925460123 |
| SHA256 | 4085eeda23270ed9cb734bd3b29189a3eae7c3659fe3c5f4c9dc5d2cb2b5d97e |
| SHA512 | e3071caa6f142c32691fcca44578235d67666df2aad56052f2b35ba05d21bce78fff7018152e68f81a975c3882606688d986b3fdda02f3b9a319deb33fb03f3a |
memory/208-102-0x0000000000970000-0x00000000009CE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\dbgeng.dll
| MD5 | 335f090d924818a80f31463d328b2ee5 |
| SHA1 | c4e147102f9c4d4d91f23f832db5880925460123 |
| SHA256 | 4085eeda23270ed9cb734bd3b29189a3eae7c3659fe3c5f4c9dc5d2cb2b5d97e |
| SHA512 | e3071caa6f142c32691fcca44578235d67666df2aad56052f2b35ba05d21bce78fff7018152e68f81a975c3882606688d986b3fdda02f3b9a319deb33fb03f3a |
C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\dbgeng.dll
| MD5 | 335f090d924818a80f31463d328b2ee5 |
| SHA1 | c4e147102f9c4d4d91f23f832db5880925460123 |
| SHA256 | 4085eeda23270ed9cb734bd3b29189a3eae7c3659fe3c5f4c9dc5d2cb2b5d97e |
| SHA512 | e3071caa6f142c32691fcca44578235d67666df2aad56052f2b35ba05d21bce78fff7018152e68f81a975c3882606688d986b3fdda02f3b9a319deb33fb03f3a |
C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\data2.bin
| MD5 | c07d78df2948c22e08ed45e1caac323a |
| SHA1 | 8436e0864fa52002039147b6fe178c4804b5d10f |
| SHA256 | e807b074cceef5e7d939c1d717467fd1d5cb5e68de46fd405cd3c1d4add6e582 |
| SHA512 | 876b6c9ca25d45f9c4a2dcd24c9a8e385f148ff48518aa4e8cf298c24daf2a878323391e76ca893abe22dc6e9a33ef7f0461676f35802bbe57ade77ffe90c340 |
memory/208-105-0x00000000023C0000-0x000000000244A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\data.bin
| MD5 | 8b305b67e45165844d2f8547a085d782 |
| SHA1 | 92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722 |
| SHA256 | 776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b |
| SHA512 | 2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6 |
C:\tmpa\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/208-110-0x0000000000970000-0x00000000009CE000-memory.dmp
memory/208-111-0x00000000023C0000-0x000000000244A000-memory.dmp
\??\c:\tmpa\script.au3
| MD5 | 48eeb1337636486be6435ded79fe941d |
| SHA1 | 015f1736bbca8bd9af17fb8e3548d65b55d56a0d |
| SHA256 | 21052c7eb3b48e77a2c274a163256c433df776709fd22b98dcd34f64ecf0f1dd |
| SHA512 | a00c033b11d65dad96efe5d3589704a68588e482407bd239a7c3adbf3d023abe2eabbc87f556059a1be16cdc32969ab71863e95ac96403adffca3ca74696a3db |
C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\msiwrapper.ini
| MD5 | e81a1e2a879bf6ed8554e28b20674766 |
| SHA1 | 400b263075f3b2472e9a4dfd37d095b7594e0962 |
| SHA256 | fc5661eb4a90fc8c8c91ee73a690c961a0595cfd22cd774c230a71fb66e35b71 |
| SHA512 | 4b61df0701e55c6d7cc7ad9b7fa47bfa451defdd8a403eca6a5bfb8dc953d5f21cddc541f3308c5b15bf9f49e33a3dfed62043c8be15b9d35e47f470408e848a |
C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\00005-3931689802.png
| MD5 | 66732fccbeee97415b033c017e594196 |
| SHA1 | 6db8fada912e6ea219b526cbe1a136a6afdabffb |
| SHA256 | dbefd6274b1ffc0d387d76972a9d93ea862d3be451aa3d0b8e0335708136addc |
| SHA512 | 70b11b616b108e284d8f47e9881db5c15e2a5d8ee41d6d0e26b43de19203811da6402e8f47d1845bc30e9ba8cbe71195c8594723c5ac966521dda2dc39f4a248 |
C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\00004-4001132497.png
| MD5 | 2ccc17c1a5bb5e656e7f3bb09ff0beff |
| SHA1 | 05866cf7dd5fa99ea852b01c2791b30e7741ea19 |
| SHA256 | 411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2 |
| SHA512 | 46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5 |
C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\00003-1310450276.png
| MD5 | 3f3788816f75078edb9817a98259a223 |
| SHA1 | 1eb191dd0dcff72f5922aa775dc95dced7967bd5 |
| SHA256 | a2f02cb0c6dbba41b8a4572c4546fbb7216efe8dc18ccef16e1a14d7f8ccddd0 |
| SHA512 | 2c17408796ba518ad117983526f5c0380a36b6f18974132a69923e95288c3ced9ca05e615ea5d567bde100c4cd8469bf172daba96f4e5032520ccb75560d5b62 |
C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\00002-1969081335.png
| MD5 | 92028b5b43ea981f2172f2e9ce6556bf |
| SHA1 | 6da86abe3bc0caf500908ec7b8e841b797948fec |
| SHA256 | 7d5d5115c1f29592dba340a167e7144a539df8201578913fbbbb428b26d8c7ed |
| SHA512 | 1af0cb17ff6b09c49c0ea7433d665b123ea7e7c6a46c06088bfaeaee3a3ce01aab27105a36f906a17dc0c29c830ef54fb4b005b47cdecd3612ce9f0d3059c62f |
C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\00001-3764640629.png
| MD5 | a384c8b03d6d72e9f9e268d265e8b435 |
| SHA1 | 3b238b66b33e2dc191da037973a79f01d50ee2d4 |
| SHA256 | 9310b4483d9e20dfdc28e8603a026f0c52b07089a290955629970b96a51b977b |
| SHA512 | 94ada636935ecf52ce4625b23216b0dde06e58fd09f34a4727531bf5299d45b5e705b8c043713f14cc8c007ba82645a0dc54402badea418bf3677967c960c565 |
C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\00000-602071660.png
| MD5 | c5f6eb13db175fbcd0925434424df781 |
| SHA1 | 2197137928fff79f8b11e966ffb6a9eb5112a3c8 |
| SHA256 | 6571ea1fa9e8427418ab40ab1ea6e1555b7c59a2579b2f34dded39d81e8def50 |
| SHA512 | 40eca3c9a3c2ca653c5c78d1205250b2077265ad5cfb9609a6b34649699b62236c61d5cdb415767749ff86e91afe6830d98e6f5eb3390b2c57d28b4a45a220a4 |
memory/1648-122-0x0000000001560000-0x0000000001960000-memory.dmp
C:\Windows\Installer\MSI9D61.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
memory/1648-121-0x00000000042D0000-0x0000000004465000-memory.dmp
C:\Windows\Installer\MSI9D61.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
\??\Volume{c2d04a06-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8c94ef69-62e5-4399-bac5-3c7aa84254b2}_OnDiskSnapshotProp
| MD5 | 8d61fc1f0de3ab13f0aff00ce8e3867e |
| SHA1 | 2c96d1b44747b8234e022e2b64aeaf5783fab379 |
| SHA256 | 62a66cdb5bae620a5f7792ee453a7114a27df6f957fa72395206e5433d5feace |
| SHA512 | 42d015b7b4787aadf14159e71d3968aa9d579327f1e8b23a9ac62de1ff9ff5a324d50a9953dda29137b7f7f05fb5cad6f5992b3d0a8b4785a58a4db2b574d858 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | 98b1a401cbe189fe34a6148cfd1c2ca3 |
| SHA1 | d895a1a3bd1857c257b5a5d519f225faa5ed1f9c |
| SHA256 | 8570d1d1527971f7996b428be4019b7e744590a320f32f7a5ace1addb1279134 |
| SHA512 | 495f5943a726bfb3d32e4e83cb874371a8ca4bcdca9d72014ef0e0064289f2019495c0381ab451f14fb11397617259e74ae595aa0b87fc3ac17ee6f08cf84b77 |