Malware Analysis Report

2025-01-03 09:33

Sample ID 240604-n4ezhsfc9y
Target 2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber
SHA256 d91638fba1522225fd6bfad05302c9e389cd0028322a39e56535b1a8c935d9b3
Tags
bootkit persistence
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file 2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Checks for any installed AV software in registry

Writes to the Master Boot Record (MBR)

Unsigned PE

Enumerates physical storage devices

Modifies Internet Explorer settings

Suspicious behavior: AddClipboardFormatListener

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 11:56

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 11:56

Reported

2024-06-04 11:59

Platform

win10v2004-20240426-en

Max time kernel

146s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation C:\ProgramData\Synaptics\Synaptics.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key opened \Registry\MACHINE\SOFTWARE\Avast Software\Avast C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
Key opened \REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\WOW6432Node\AVAST Software\Avast C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1" C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\WOW6432Node\Avira\Antivirus C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Clear.log" C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Clear.log" C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\ProgramData\Synaptics\Synaptics.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "0" C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\AvastPersistentStorage\SfxInstProgress = "0" C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3476 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe
PID 3476 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe
PID 3476 wrote to memory of 4480 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe
PID 3476 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 3476 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 3476 wrote to memory of 3376 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 3376 wrote to memory of 3120 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 3376 wrote to memory of 3120 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 3376 wrote to memory of 3120 N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 4480 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe
PID 4480 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe
PID 4480 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe
PID 3120 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe
PID 3120 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe
PID 3120 wrote to memory of 4908 N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe

"C:\Windows\Temp\asw.dc87d630ea0cdff4\instup.exe" /sfx:clear /sfxstorage:C:\Windows\Temp\asw.dc87d630ea0cdff4 /prod:ais /wait

C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe

"C:\Windows\Temp\asw.e4a2004684c5ae5f\instup.exe" /sfx:clear /sfxstorage:C:\Windows\Temp\asw.e4a2004684c5ae5f /prod:ais /wait InjUpdate

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE

"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 analytics.ff.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 34.117.223.223:443 v7event.stats.avast.com tcp
US 34.117.223.223:443 v7event.stats.avast.com tcp
US 8.8.8.8:53 223.223.117.34.in-addr.arpa udp
US 34.117.223.223:443 v7event.stats.avast.com tcp
US 34.117.223.223:443 v7event.stats.avast.com tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
US 8.8.8.8:53 28.176.160.34.in-addr.arpa udp
US 8.8.8.8:53 240.76.109.52.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 252.215.42.69.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 docs.google.com udp
GB 142.250.200.14:443 docs.google.com tcp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 225.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/3476-0-0x0000000001340000-0x0000000001341000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe

MD5 daf890ee210f122500d8ddf1760dd2af
SHA1 3589f7aa775c3e79c7c01d0047d51ca2169ba9b9
SHA256 187b06109c0aff4effae62114a4e9b788aab1d14b795671381539d149c40df2a
SHA512 b2bd255cd80292c0767ec8663102442769c1952d61ca086e8ef1167b1be6a2ab9b253b907baae5cfaeff0c167a115b786276102788ebd4b4f61d30614a2a4cd9

C:\ProgramData\Synaptics\Synaptics.exe

MD5 de0e927a33ec54cdc2744c93d840211c
SHA1 5c27c491923b3c7a4b9a4929d94d65cd6bc2622d
SHA256 d91638fba1522225fd6bfad05302c9e389cd0028322a39e56535b1a8c935d9b3
SHA512 04087f422eda8a7f6e18e16729123610d7821e4e365be7cb99a87e1487f356535f2d2fb0543bd6b49d7d063a0c26da9e7f841998e4ef9c8a8d34079f7c9fcba8

memory/3476-128-0x0000000000400000-0x000000000114D000-memory.dmp

C:\Windows\Temp\asw.dc87d630ea0cdff4\sbr.exe

MD5 8992a31974c92d4e40ead4b5b42c3b02
SHA1 9273f0c3c83ab2e3ac6457e27cde27839112d587
SHA256 aef6d194daf122af68bfe94442d02bf4b24674fa32655f3cebd773b9619c0e46
SHA512 b34a5533226908d44c8ab2e251c48915579af020e537155e7df35ac67d51fdd212f3afb5c947b005a5f55853507ee098de7e52873a1c4483f3bb8b31bf24c7fb

C:\Windows\Temp\asw.dc87d630ea0cdff4\instcont_ais-9f5.vpx

MD5 44f6daa669edc6987a55dbff3c4db8da
SHA1 76931380810886d82a30ee0ab2e21d732932840d
SHA256 40a168e9495486c7d930862e98442f99b555d4411b2331b09aea1ba38092ae1c
SHA512 433fbdb8bf36f752abe3be1cecab1cb845bde8978c32b21582f48e1d1efe78b0972313db39b0a8484bece1c014bebd07dea986ebbde784ddf730a761f63b8cb1

C:\Windows\Temp\asw.dc87d630ea0cdff4\setgui_ais-9f5.vpx

MD5 4c8c2ed822be76c3793c6e3c64ff642d
SHA1 ed6b59a112e6d721137a67361f7fb0f6cfade5ee
SHA256 ac1a2700ae9a23cc6ba05d6b11d734b1307583512085f844bfbee36fa7bd7935
SHA512 db8dc93a76bae20dca21d4052c5961dbee94b12d33cbb23cad9e55fcc240485e2341bd8f5bdee72523738b595a62693be1d572294de4f66e5d36c574210ec9ff

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Clear.log

MD5 8a6cf732849169eba61a7845030773c9
SHA1 3cc0bfa21408a58e5e6394e8212538e4c349a826
SHA256 8a58082b15f5e5bbd702190db63efd9c94528b830a39b63a776c18e9ed0a6ea8
SHA512 e5c518050301a4cc59e9f5272a2eaf6b53c7abb2147e2d66bb6dfca749cd15c659cc957a2fe9989e7d68b2604238eaba5e284a9b0ef05715dc96047858484d9a

C:\Windows\Temp\asw.dc87d630ea0cdff4\instup_ais-9f5.vpx

MD5 a269c3a9cb2255dd444de7ad557a9dcf
SHA1 e2f79c996c49ba540a959fc60f845256f4126c59
SHA256 4abb744e961205f131bad847b0cceaead353d8de6916e150c0be4ec0145403f1
SHA512 32fa8ddc0f40a0726c914533f0b816b88c41a2686eb642e6094dbe310d43426206eac7eb499a48fd875ae70abdd3c0d0888d6ef4f9daa80fefa5b0e49f077cab

C:\Windows\Temp\asw.e4a2004684c5ae5f\servers.def

MD5 c36be3493923f1c095c6aa8549fecc1c
SHA1 164004228a3bf133255e96eeb0ee68d728e384f2
SHA256 f90b6ca1a2af639923b6ebabecc95f43947d38fed388124fe0a93cd2ff2ab5c6
SHA512 76ed511929fd6b3d6cea50b64b58ead8a6e5365b2ebe1cfa83f13a136d33360849a1c3aaea716f2b2fad0bec75bb086330fbe3b75de8abdd0054dc285f64225f

C:\Windows\Temp\asw.e4a2004684c5ae5f\servers.def.vpx

MD5 599322829798c315a050415419df7700
SHA1 cea4881bd5367d1c9b2b9c09ed55e8353807695b
SHA256 c8aca2e52b8c59fa744da36f19d1a30ef7484e9782fd9176ef601359d78e5c39
SHA512 663589ecedf4978eb60b0e2404be3a27d7a0c15b904c29b42b1a001310de7d021356d9541f69d584f2819b11154eccc8d533110e8a96c53c14ed888ee0749a5d

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Clear.log

MD5 76fee7b934e481b7463389a5563ed2a1
SHA1 ddf87e2f15b659fe07105c781696d8a0d6869d8d
SHA256 76448261b4ce815a117d3e24edaba76c5fe860ca33366bb932169112e67fe2d8
SHA512 c0a1bbaf8271d09ee0613505b2e6194f1848c49a3789d893d92cec5a98d99d0f50778f31cae5263070cdc4f20e9d23eacc8b1e735b46e72153911befcb2252b8

C:\Windows\Temp\asw.dc87d630ea0cdff4\config.def

MD5 8d137be190fdd24a6aa3b50585e506fe
SHA1 e48a3a49028462a0282ed8ee1894459df170ee00
SHA256 a7aefdc1e4344d8d1b3a44311c7a488cae0b164fd9b6e72f79f0300fb67b2fde
SHA512 5d443711d05d2ac08184ebbfe62baef1627e45b1b0fa7f760f4cae1ca8dec35f834965588f4ffceee6397cda709d7ecdfdbf7b77dfff870bd0be1fd31d75b1a8

C:\Windows\Temp\asw.dc87d630ea0cdff4\part-prg_ais-160c179c.vpx

MD5 0f66df67816a0a3f1a91bc233e5e8927
SHA1 cbbe2a5d5681092ec4e96ef7bb44cb63345a4dd8
SHA256 828e5527f3fdd07256d0ee4c46462a513344bf020a889de02827f8e46e40c68b
SHA512 723b8a29a94b010133d3d255fb5a43dcab4e3661ee262ff6f8024816d370ab54c940eef56d7e37995048f186520760c56000957e6f4f50cd8bbad4292f6366f1

C:\Windows\Temp\asw.dc87d630ea0cdff4\prod-pgm.vpx

MD5 a8c2bcae452f28ac0b9571f6d80e469f
SHA1 5b81f42f00a9113b3004178791f865d2f31bfcea
SHA256 4f9f496c842078da8bcd48acaf675a9e60fe2a5f19d37afd0b8a47f8a5a76d9c
SHA512 b1bdb6221a0a7015299d60c574852e516afcc30a224ce1718dfeff4ee09a0e478f5a7658f531ce7b95b2590f01180620231a5b6819e15ad8273c5fd569c48c62

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Clear.log

MD5 8458a72c75f6078a2c6619ae52ce6a5f
SHA1 79beae151ed44f67489e5d7612a376ea67f5b5d0
SHA256 85ba0a5a4d8f9898fbf7df38a1925b0d57d6139b127cead6aca40204a9696368
SHA512 495be638910fc798df12b96803eeb06dca72f0d8edced068fef1bc07a5f56351ebc1892c3446f9b23c0d3ce272982a8c2d67227eeebd6e56038bf01b8f7a8c83

C:\Windows\Temp\asw.dc87d630ea0cdff4\part-setup_ais-160c179c.vpx

MD5 19c6b650b438f5ecfbe9c28e714f482d
SHA1 b360c25f205ec7ce945e34a18e29c23f8c330632
SHA256 636b7e907b800e3075e664a72cce29b35cb9a7d3bd0027b22e07a8859bd513c5
SHA512 b0a650d3b1c237b751ef0badff8c19dfbcb93ae48abb551ac92546f04b2664ce46107f48d5ffd868e97a89fd3e19e19c88999e9a26ca23c169eb8dcf34cc5435

C:\Windows\Temp\asw.dc87d630ea0cdff4\part-vps_windows-22120604.vpx

MD5 6109b55c6ed21dae3d582c2a0a74051d
SHA1 fed01d47e4b68283b8a330663cdf3373d453faa0
SHA256 b584e46807d292aaa9d934e2cd1e2a1241a7c2d263f2f61a6d403e6d83135a96
SHA512 760fa3c5f411f28812dd402ac6d26ad9d3fba1c9c22df84066c5d82c914d2237aa80fe55d08a0204033a775c30ebab546169a1868432ed5e78e376e1223be4c3

C:\Windows\Temp\asw.dc87d630ea0cdff4\part-jrog2-ea4.vpx

MD5 1ae25e3608feaba01a3a9ac1a5fa8dde
SHA1 fc9008ec53bdbfbb03446004d86429b517f9ed1e
SHA256 79cc03acf5f78895113d90159e324062be71b5b75a435ac0105536a02c32e480
SHA512 be7bd4c654703ecb371191a08d228c81709f8eb34d960a8f9669681597ad5e50c46fc38455a22b3d17a69174228c1201b791ef42f7df458758e1934678961ca6

C:\Windows\Temp\asw.dc87d630ea0cdff4\prod-vps.vpx

MD5 e971bcdcec1d8d1c5cc990d39bc69548
SHA1 689cf3b203954e7fa6cd4a0c639f7179b9f3e95d
SHA256 811685daddd9134b05b7e0aa819c39c04d77bf77f47a0b64a0786517017faa81
SHA512 aab02c4231a1148737d8ce676ae1eaf747a0e1629e240cc5d29c12659a371c281956a3154c56591b37bb04b0eaf99aefd7229ae6b2ef5eb0b30d25a726bf89bf

C:\Windows\Temp\asw.dc87d630ea0cdff4\config.ini

MD5 df2c1d52de7e6f787f43c20648ad1a78
SHA1 339bfa7f3cb86e8b5d131eb57738bb7cf26abdad
SHA256 6879b7f5ed88f2c71327336b6719fe67429416874ac74030551220addeeb5b38
SHA512 1ee73371dbf31b8b403e3cccbbaf7485a0d69fd1df7f763c66519f17a02011d8e33eba0ab69d60a74ee9c6b8039bf0f3087b262f326e99d031a20fee491e2744

C:\Windows\Temp\asw.dc87d630ea0cdff4\config.def

MD5 7a0ee83514469fa1a68601839b6ceeb4
SHA1 531b2682319f90a91125fafc80932783534ab172
SHA256 dafda7c43ea6affb6fdd458a12371544f616c2695cb9d86e4940ac0d60c55878
SHA512 c87d24ef53f6d628d333750b26e0a4384e6306c26253207dfb0d80f49cdc185d650786fda4fd851e2e10692476acfeaba98d838cfee32a775a7ed56110ed360a

memory/3376-352-0x0000000000400000-0x000000000114D000-memory.dmp

memory/2196-357-0x00007FFFBE970000-0x00007FFFBE980000-memory.dmp

memory/2196-356-0x00007FFFBE970000-0x00007FFFBE980000-memory.dmp

memory/2196-355-0x00007FFFBE970000-0x00007FFFBE980000-memory.dmp

memory/2196-358-0x00007FFFBC710000-0x00007FFFBC720000-memory.dmp

memory/2196-354-0x00007FFFBE970000-0x00007FFFBE980000-memory.dmp

memory/2196-353-0x00007FFFBE970000-0x00007FFFBE980000-memory.dmp

memory/2196-359-0x00007FFFBC710000-0x00007FFFBC720000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\PoQ7PINo.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

memory/3376-373-0x0000000000400000-0x000000000114D000-memory.dmp

memory/3376-402-0x0000000000400000-0x000000000114D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 11:56

Reported

2024-06-04 11:59

Platform

win7-20240508-en

Max time kernel

150s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\ProgramData\Synaptics\Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
N/A N/A C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
N/A N/A C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
N/A N/A C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe" C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A

Checks for any installed AV software in registry

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry = "1" C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Wow6432Node\AVAST Software\Avast C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Wow6432Node\Avira\Antivirus C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LogFolder C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key opened \Registry\MACHINE\SOFTWARE\Avast Software\Avast C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key opened \REGISTRY\MACHINE\Software\Wow6432Node\Avira\Antivirus C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Clear.log" C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\MovedFolder C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\UseRegistry C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ShepherdDebug C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\TempFolder C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\DataFolder C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CrashGuardProcessWatcherExclusions C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\FwDataFolder C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\JournalFolder C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ReportFolder C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\CertificateFile C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ProgramFolder C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\SetupLog = "C:\\ProgramData\\Avast Software\\Persistent Data\\Avast\\Logs\\Clear.log" C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\burger_client C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\ChestFolder C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key opened \Registry\MACHINE\SOFTWARE\Avast Software\Avast C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\Instup_IgnoredDownloadTypes C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\properties\settings C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast\LicenseFile C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Modifies registry class

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000 C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe
PID 2008 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe
PID 2008 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe
PID 2008 wrote to memory of 2560 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe
PID 2008 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2008 wrote to memory of 2724 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2008 wrote to memory of 2724 (2 calls) N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe C:\ProgramData\Synaptics\Synaptics.exe
PID 2724 wrote to memory of 348 (4 calls) N/A C:\ProgramData\Synaptics\Synaptics.exe C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
PID 2560 wrote to memory of 2096 (7 calls) N/A C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe
PID 348 wrote to memory of 112 (7 calls) N/A C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe
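The WriteProcessMemory table is a flat list that records every call between the same writer and target (2, 4, 7 and 7 calls for the four pairs), which hides the shape of what happened. The script below is an added example, not part of the sandbox report: it parses copies of those rows, collapses them into per-pair call counts, rebuilds the writer-to-target chain and applies two heuristics drawn from what the table itself shows, a target image written under C:\ProgramData and the "._cache_" prefix the sandbox recorded on the re-extracted executables. The regex assumes the table's exact "PID A wrote to memory of B N/A <image> <image>" layout with no spaces in the paths, and the heuristics are this example's, not the sandbox's.

```python
"""Rebuild the writer -> target chain from the report's WriteProcessMemory rows.

Added example, not part of the sandbox report. The rows are copied from the
table above with the same repetition the sandbox recorded (one row per call);
the flagging rules are this example's own heuristics."""
import re
from collections import Counter, defaultdict
from ntpath import basename

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe"
CACHE = r"C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe"
SYN = r"C:\ProgramData\Synaptics\Synaptics.exe"
SYN_CACHE = r"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
INSTUP_A = r"C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe"
INSTUP_B = r"C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe"


def _row(writer, target, w_img, t_img):
    return f"PID {writer} wrote to memory of {target} N/A {w_img} {t_img}"


# Constructed input: the report's four pairs, repeated 2/4/7/7 times as in the table.
REPORT_ROWS = "\n".join(
    [_row(2008, 2724, SAMPLE, SYN)] * 2
    + [_row(2724, 348, SYN, SYN_CACHE)] * 4
    + [_row(2560, 2096, CACHE, INSTUP_A)] * 7
    + [_row(348, 112, SYN_CACHE, INSTUP_B)] * 7
)

# Assumes the table layout exactly; paths in this report contain no spaces.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_rows(text):
    """One dict per row; lines that do not match the layout are skipped."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            events.append({"writer": int(m[1]), "target": int(m[2]),
                           "writer_image": m[3], "target_image": m[4]})
    return events


def write_counts(events):
    """Number of WriteProcessMemory calls per (writer PID, target PID)."""
    return Counter((e["writer"], e["target"]) for e in events)


def roots(events):
    """PIDs that write to others but are never written to: the chain roots."""
    writers = {e["writer"] for e in events}
    targets = {e["target"] for e in events}
    return sorted(writers - targets)


def render_tree(events):
    """Indented writer -> target tree, one line per distinct pair plus its count."""
    children, images = defaultdict(list), {}
    for e in events:
        images[e["writer"]] = e["writer_image"]
        images[e["target"]] = e["target_image"]
        if e["target"] not in children[e["writer"]]:
            children[e["writer"]].append(e["target"])
    counts, lines = write_counts(events), []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {basename(images[pid])}")
        for child in children[pid]:
            lines.append("  " * (depth + 1) + f"[{counts[(pid, child)]} write(s)]")
            walk(child, depth + 1)

    for root in roots(events):
        walk(root, 0)
    return lines


def flag(events):
    """This example's heuristics: a target under ProgramData (a dropped copy) and
    the '._cache_' naming the report shows on the re-extracted executables."""
    findings = []
    for (w, t), n in sorted(write_counts(events).items()):
        e = next(x for x in events if (x["writer"], x["target"]) == (w, t))
        w_img, t_img = e["writer_image"], e["target_image"]
        if t_img.lower().startswith(r"c:\programdata" + "\\"):
            findings.append(f"{w}->{t} ({n} calls): target written under ProgramData: {t_img}")
        if basename(w_img).startswith("._cache_") or basename(t_img).startswith("._cache_"):
            findings.append(f"{w}->{t} ({n} calls): '._cache_' image in chain: "
                            f"{basename(w_img)} -> {basename(t_img)}")
    return findings


if __name__ == "__main__":
    ev = parse_rows(REPORT_ROWS)
    print("\n".join(render_tree(ev)))
    print("\n".join(flag(ev)))
```

Two roots fall out: 2008 (the submitted sample) and 2560 (the ._cache_ executable dropped beside it), and each root's chain ends in an instup.exe launched from its own C:\Windows\Temp\asw.* directory. Read this way, the Synaptics.exe copy in ProgramData (2724) repeats the same write-then-spawn sequence as the original sample, which is what a self-replicating dropper looks like in this kind of table and is the chain to reproduce when hunting for the same behaviour on a live host.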

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe"

C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe"

C:\ProgramData\Synaptics\Synaptics.exe

"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding

C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe

"C:\Windows\Temp\asw.c42e5b6489f19ea6\instup.exe" /sfx:clear /sfxstorage:C:\Windows\Temp\asw.c42e5b6489f19ea6 /prod:ais /wait

C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe

"C:\Windows\Temp\asw.a04c62f104cd537f\instup.exe" /sfx:clear /sfxstorage:C:\Windows\Temp\asw.a04c62f104cd537f /prod:ais /wait InjUpdate

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 analytics.ff.avast.com udp 1
US 8.8.8.8:53 v7event.stats.avast.com udp 1
US 34.117.223.223:443 v7event.stats.avast.com tcp 4
US 8.8.8.8:53 shepherd.ff.avast.com udp 4
US 34.160.176.28:443 shepherd.ff.avast.com tcp 1
US 8.8.8.8:53 xred.mooo.com udp 1
US 8.8.8.8:53 freedns.afraid.org udp 1
US 69.42.215.252:80 freedns.afraid.org tcp 1
US 8.8.8.8:53 docs.google.com udp 1
GB 142.250.200.14:443 docs.google.com tcp 1
US 8.8.8.8:53 drive.usercontent.google.com udp 1
GB 142.250.179.225:443 drive.usercontent.google.com tcp 1
US 8.8.8.8:53 - udp 2

Files

memory/2008-0-0x0000000000220000-0x0000000000221000-memory.dmp

\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe

MD5 daf890ee210f122500d8ddf1760dd2af
SHA1 3589f7aa775c3e79c7c01d0047d51ca2169ba9b9
SHA256 187b06109c0aff4effae62114a4e9b788aab1d14b795671381539d149c40df2a
SHA512 b2bd255cd80292c0767ec8663102442769c1952d61ca086e8ef1167b1be6a2ab9b253b907baae5cfaeff0c167a115b786276102788ebd4b4f61d30614a2a4cd9

C:\ProgramData\Synaptics\Synaptics.exe

MD5 de0e927a33ec54cdc2744c93d840211c
SHA1 5c27c491923b3c7a4b9a4929d94d65cd6bc2622d
SHA256 d91638fba1522225fd6bfad05302c9e389cd0028322a39e56535b1a8c935d9b3
SHA512 04087f422eda8a7f6e18e16729123610d7821e4e365be7cb99a87e1487f356535f2d2fb0543bd6b49d7d063a0c26da9e7f841998e4ef9c8a8d34079f7c9fcba8

memory/2008-33-0x0000000000400000-0x000000000114D000-memory.dmp

C:\Windows\Temp\asw.c42e5b6489f19ea6\Instup.exe

MD5 44f6daa669edc6987a55dbff3c4db8da
SHA1 76931380810886d82a30ee0ab2e21d732932840d
SHA256 40a168e9495486c7d930862e98442f99b555d4411b2331b09aea1ba38092ae1c
SHA512 433fbdb8bf36f752abe3be1cecab1cb845bde8978c32b21582f48e1d1efe78b0972313db39b0a8484bece1c014bebd07dea986ebbde784ddf730a761f63b8cb1

C:\Windows\Temp\asw.c42e5b6489f19ea6\sbr.exe

MD5 8992a31974c92d4e40ead4b5b42c3b02
SHA1 9273f0c3c83ab2e3ac6457e27cde27839112d587
SHA256 aef6d194daf122af68bfe94442d02bf4b24674fa32655f3cebd773b9619c0e46
SHA512 b34a5533226908d44c8ab2e251c48915579af020e537155e7df35ac67d51fdd212f3afb5c947b005a5f55853507ee098de7e52873a1c4483f3bb8b31bf24c7fb

C:\Windows\Temp\asw.c42e5b6489f19ea6\HTMLayout.dll

MD5 4c8c2ed822be76c3793c6e3c64ff642d
SHA1 ed6b59a112e6d721137a67361f7fb0f6cfade5ee
SHA256 ac1a2700ae9a23cc6ba05d6b11d734b1307583512085f844bfbee36fa7bd7935
SHA512 db8dc93a76bae20dca21d4052c5961dbee94b12d33cbb23cad9e55fcc240485e2341bd8f5bdee72523738b595a62693be1d572294de4f66e5d36c574210ec9ff

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Clear.log

MD5 d087d2f0c71b105d4202b1a17cffa58f
SHA1 f40a3231776d1c5bfcd08b3557c96e52c0eecc99
SHA256 e68901a504a16ba108022b6b3fe2eaa09a9f687a5ea18997c142adf32108b6d8
SHA512 b1856bc42579d9fa1109087aede5c50537fd319718562e05a95cafb15fdbed47ef89cf26cf182b89941cba03686013c195947c8acfec55acf8b56c02ec0ed65e

C:\Windows\Temp\asw.a04c62f104cd537f\servers.def

MD5 c36be3493923f1c095c6aa8549fecc1c
SHA1 164004228a3bf133255e96eeb0ee68d728e384f2
SHA256 f90b6ca1a2af639923b6ebabecc95f43947d38fed388124fe0a93cd2ff2ab5c6
SHA512 76ed511929fd6b3d6cea50b64b58ead8a6e5365b2ebe1cfa83f13a136d33360849a1c3aaea716f2b2fad0bec75bb086330fbe3b75de8abdd0054dc285f64225f

C:\Windows\Temp\asw.c42e5b6489f19ea6\Instup.dll

MD5 a269c3a9cb2255dd444de7ad557a9dcf
SHA1 e2f79c996c49ba540a959fc60f845256f4126c59
SHA256 4abb744e961205f131bad847b0cceaead353d8de6916e150c0be4ec0145403f1
SHA512 32fa8ddc0f40a0726c914533f0b816b88c41a2686eb642e6094dbe310d43426206eac7eb499a48fd875ae70abdd3c0d0888d6ef4f9daa80fefa5b0e49f077cab

C:\Windows\Temp\asw.a04c62f104cd537f\servers.def.vpx

MD5 599322829798c315a050415419df7700
SHA1 cea4881bd5367d1c9b2b9c09ed55e8353807695b
SHA256 c8aca2e52b8c59fa744da36f19d1a30ef7484e9782fd9176ef601359d78e5c39
SHA512 663589ecedf4978eb60b0e2404be3a27d7a0c15b904c29b42b1a001310de7d021356d9541f69d584f2819b11154eccc8d533110e8a96c53c14ed888ee0749a5d

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Clear.log

MD5 7ada4a0c2857c4699ebc455966400af5
SHA1 044b66e884e60617d2d233e14b38acd9532195a6
SHA256 995c5b2f472246afefbde784ef1fbf325131a92df746240cc425831da1630c59
SHA512 ab3767366fb487428642f2dc31d1e761c8295e11b4a1417919361f0fbc1110d902b77562d4a48824b45c6400fdffa9819fe3d04e92616b17641e8bf2ab151e7f

C:\Windows\Temp\asw.c42e5b6489f19ea6\config.def

MD5 8d137be190fdd24a6aa3b50585e506fe
SHA1 e48a3a49028462a0282ed8ee1894459df170ee00
SHA256 a7aefdc1e4344d8d1b3a44311c7a488cae0b164fd9b6e72f79f0300fb67b2fde
SHA512 5d443711d05d2ac08184ebbfe62baef1627e45b1b0fa7f760f4cae1ca8dec35f834965588f4ffceee6397cda709d7ecdfdbf7b77dfff870bd0be1fd31d75b1a8

C:\Windows\Temp\asw.c42e5b6489f19ea6\part-prg_ais-160c179c.vpx

MD5 0f66df67816a0a3f1a91bc233e5e8927
SHA1 cbbe2a5d5681092ec4e96ef7bb44cb63345a4dd8
SHA256 828e5527f3fdd07256d0ee4c46462a513344bf020a889de02827f8e46e40c68b
SHA512 723b8a29a94b010133d3d255fb5a43dcab4e3661ee262ff6f8024816d370ab54c940eef56d7e37995048f186520760c56000957e6f4f50cd8bbad4292f6366f1

C:\Windows\Temp\asw.c42e5b6489f19ea6\prod-pgm.vpx

MD5 a8c2bcae452f28ac0b9571f6d80e469f
SHA1 5b81f42f00a9113b3004178791f865d2f31bfcea
SHA256 4f9f496c842078da8bcd48acaf675a9e60fe2a5f19d37afd0b8a47f8a5a76d9c
SHA512 b1bdb6221a0a7015299d60c574852e516afcc30a224ce1718dfeff4ee09a0e478f5a7658f531ce7b95b2590f01180620231a5b6819e15ad8273c5fd569c48c62

memory/1900-167-0x000000005FFF0000-0x0000000060000000-memory.dmp

C:\ProgramData\Avast Software\Persistent Data\Avast\Logs\Clear.log

MD5 4451b0da3bfd707050b7ff1e7fe1baa2
SHA1 83fcda108fc84c1b7a10051cdddf8c1b85c1cd97
SHA256 f95c52e5f4ee5000e0291aeed2199a2de77cafac73c0c422fdf84c8b2ba076d3
SHA512 ede693f1e24e2c18b890ba47ae43fb9041f8183409bfbf9ab6356a37a55936c2219f92587e09b607659205582e8b0cbb552f138361d205bc9e5387b53e21fb5f

C:\Users\Admin\AppData\Local\Temp\21bGOyrk.xlsm

MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA1 00bc96c48b98676ecd67e81a6f1d7754e4156044
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512 a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

memory/2724-178-0x0000000000400000-0x000000000114D000-memory.dmp

C:\Windows\Temp\asw.c42e5b6489f19ea6\part-setup_ais-160c179c.vpx

MD5 19c6b650b438f5ecfbe9c28e714f482d
SHA1 b360c25f205ec7ce945e34a18e29c23f8c330632
SHA256 636b7e907b800e3075e664a72cce29b35cb9a7d3bd0027b22e07a8859bd513c5
SHA512 b0a650d3b1c237b751ef0badff8c19dfbcb93ae48abb551ac92546f04b2664ce46107f48d5ffd868e97a89fd3e19e19c88999e9a26ca23c169eb8dcf34cc5435

C:\Windows\Temp\asw.c42e5b6489f19ea6\part-vps_windows-22120604.vpx

MD5 6109b55c6ed21dae3d582c2a0a74051d
SHA1 fed01d47e4b68283b8a330663cdf3373d453faa0
SHA256 b584e46807d292aaa9d934e2cd1e2a1241a7c2d263f2f61a6d403e6d83135a96
SHA512 760fa3c5f411f28812dd402ac6d26ad9d3fba1c9c22df84066c5d82c914d2237aa80fe55d08a0204033a775c30ebab546169a1868432ed5e78e376e1223be4c3

C:\Windows\Temp\asw.c42e5b6489f19ea6\part-jrog2-ea4.vpx

MD5 1ae25e3608feaba01a3a9ac1a5fa8dde
SHA1 fc9008ec53bdbfbb03446004d86429b517f9ed1e
SHA256 79cc03acf5f78895113d90159e324062be71b5b75a435ac0105536a02c32e480
SHA512 be7bd4c654703ecb371191a08d228c81709f8eb34d960a8f9669681597ad5e50c46fc38455a22b3d17a69174228c1201b791ef42f7df458758e1934678961ca6

C:\Windows\Temp\asw.c42e5b6489f19ea6\prod-vps.vpx

MD5 e971bcdcec1d8d1c5cc990d39bc69548
SHA1 689cf3b203954e7fa6cd4a0c639f7179b9f3e95d
SHA256 811685daddd9134b05b7e0aa819c39c04d77bf77f47a0b64a0786517017faa81
SHA512 aab02c4231a1148737d8ce676ae1eaf747a0e1629e240cc5d29c12659a371c281956a3154c56591b37bb04b0eaf99aefd7229ae6b2ef5eb0b30d25a726bf89bf

C:\Windows\Temp\asw.c42e5b6489f19ea6\config.def

MD5 9b658efc5986a60f2a2b94922b36256f
SHA1 7167ebb6e62e328ab1b3807860a5980ea27d16de
SHA256 76611d187f73de3a6f776d7b7bc3ebabf213fc13c1d197ff930f35336a7b1ea0
SHA512 45afa07d2222ebbc8534b272bf73f168844e0db5c5ea28cee87364161499ef8cb918f00e07c57cb4256506c8b6db7887638010674797071e23997e5712893339

C:\Windows\Temp\asw.c42e5b6489f19ea6\config.ini

MD5 b94bc3b2465f58ff6335b16856fea424
SHA1 19474c2bb1be805ed5dc474307cab357fe17faa9
SHA256 06ca1c15916e38d4f7ea161071cf24cd8f733c36b574b7d950e8fd03cbebb6bb
SHA512 d6bd8a75ab1cd2e0ec59373b4ccf1e4275403b397b05be094130592612cee3aeb28eb9318d3d1136a7a18482a9bca7388d296accec64ee5591130d605e388e9f

memory/2724-228-0x0000000000400000-0x000000000114D000-memory.dmp

memory/2724-229-0x0000000000400000-0x000000000114D000-memory.dmp

memory/2724-263-0x0000000000400000-0x000000000114D000-memory.dmp
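The Network and Files tables are what an analyst turns into indicators, and two details in them decide what is worth keeping. First, the dropped C:\ProgramData\Synaptics\Synaptics.exe carries MD5 de0e927a33ec54cdc2744c93d840211c, the same MD5 embedded in the submitted sample's file name, so it is a byte-identical self-copy rather than a second-stage payload, and its hash is the sample's hash. Second, most of the traffic (the *.avast.com hosts, instup.exe running from C:\Windows\Temp\asw.* with /prod:ais, the writes to Clear.log under Avast Software) is consistent with the re-extracted ._cache_ executable being an Avast installer, so those domains and files are noise for blocking purposes; what remains for review is xred.mooo.com and freedns.afraid.org, a dynamic-DNS provider queried right after it. The script below is an added example, not part of the report: it parses copies of the network rows and three of the file entries (SHA512 omitted), counts repeated connections, tolerates the two rows that print no domain, splits domains into vendor, shared-infrastructure and review sets (the suffix lists are this example's assumption), and picks out self-copies by comparing each dropped file's MD5 to the one in the sample's name.

```python
"""Turn the report's Network and Files tables into a short IOC list.

Added example, not part of the sandbox report. Rows are copied from the
tables above (all network rows; three file entries, SHA512 omitted). The
domain suffix lists and the file-name MD5 check are this example's own."""
import re
from collections import Counter

SAMPLE_NAME = "2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe"

NETWORK = """\
US 8.8.8.8:53 analytics.ff.avast.com udp
US 8.8.8.8:53 v7event.stats.avast.com udp
US 34.117.223.223:443 v7event.stats.avast.com tcp
US 34.117.223.223:443 v7event.stats.avast.com tcp
US 34.117.223.223:443 v7event.stats.avast.com tcp
US 34.117.223.223:443 v7event.stats.avast.com tcp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 8.8.8.8:53 shepherd.ff.avast.com udp
US 34.160.176.28:443 shepherd.ff.avast.com tcp
US 8.8.8.8:53 xred.mooo.com udp
US 8.8.8.8:53 freedns.afraid.org udp
US 69.42.215.252:80 freedns.afraid.org tcp
US 8.8.8.8:53 docs.google.com udp
GB 142.250.200.14:443 docs.google.com tcp
US 8.8.8.8:53 drive.usercontent.google.com udp
GB 142.250.179.225:443 drive.usercontent.google.com tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
"""

FILES = r"""
C:\ProgramData\Synaptics\Synaptics.exe
MD5 de0e927a33ec54cdc2744c93d840211c
SHA256 d91638fba1522225fd6bfad05302c9e389cd0028322a39e56535b1a8c935d9b3
C:\Users\Admin\AppData\Local\Temp\._cache_2024-06-04_de0e927a33ec54cdc2744c93d840211c_darkgate_magniber.exe
MD5 daf890ee210f122500d8ddf1760dd2af
SHA256 187b06109c0aff4effae62114a4e9b788aab1d14b795671381539d149c40df2a
C:\Users\Admin\AppData\Local\Temp\21bGOyrk.xlsm
MD5 e566fc53051035e1e6fd0ed1823de0f9
SHA256 8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
"""

NET_RE = re.compile(r"^([A-Z]{2}) (\S+):(\d+)(?: (\S+))? (tcp|udp)$")
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
# Assumption: installer telemetry and shared infrastructure, neither a block indicator.
VENDOR_SUFFIXES = (".avast.com",)
SHARED_SUFFIXES = (".google.com",)


def parse_network(text):
    """One dict per row; domain is '' where the report printed none."""
    rows = []
    for line in text.splitlines():
        m = NET_RE.match(line.strip())
        if m:
            rows.append({"country": m[1], "ip": m[2], "port": int(m[3]),
                         "domain": m[4] or "", "proto": m[5]})
    return rows


def connection_summary(rows):
    """Distinct (domain, ip:port, proto) with how often each recurs."""
    return Counter((r["domain"], f'{r["ip"]}:{r["port"]}', r["proto"]) for r in rows)


def triage_domains(rows):
    """Vendor noise / shared infrastructure / worth review / rows with no domain."""
    out = {"vendor": set(), "shared": set(), "review": set(), "unresolved": 0}
    for r in rows:
        d = r["domain"]
        if not d:
            out["unresolved"] += 1
        elif d.endswith(VENDOR_SUFFIXES):
            out["vendor"].add(d)
        elif d.endswith(SHARED_SUFFIXES):
            out["shared"].add(d)
        else:
            out["review"].add(d)
    return out


def parse_files(text):
    """A path line followed by 'ALGO hex' lines, as the Files table prints them."""
    files, current = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        m = HASH_RE.match(line)
        if m and current is not None:
            current[m[1].lower()] = m[2]
        elif line:
            current = {"path": line}
            files.append(current)
    return files


def md5_from_name(name):
    """The submission's file name embeds a 32-hex MD5; pull it out."""
    m = re.search(r"[0-9a-f]{32}", name)
    return m[0] if m else None


def self_copies(files, sample_name=SAMPLE_NAME):
    """Dropped files whose MD5 equals the sample's: byte-identical self-copies."""
    sample_md5 = md5_from_name(sample_name)
    return [f["path"] for f in files if f.get("md5") == sample_md5]
```

On this report the review set is {xred.mooo.com, freedns.afraid.org}, the only self-copy is C:\ProgramData\Synaptics\Synaptics.exe, and the two domain-less rows are counted rather than dropped. The docs.google.com and drive.usercontent.google.com connections land in the shared set on purpose: the report records the hosts but not the URLs, so the useful hunt there is on proxy or DNS logs from the same host at the time of the infection, not a domain block.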