darkgate | 91f28c3b1cd4ab5bbd77eb9caa31967a0e35cf9e9cfa303a17b2cdcc9a716349

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2023, 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Udemy Desktop v2.14_JC.msi
Size

1.7MB
MD5

f6c09481e24b07c6e6dfaeaaa95ed8d3
SHA1

e8febb51d555ed42b6105ac6c056184094458bf0
SHA256

91f28c3b1cd4ab5bbd77eb9caa31967a0e35cf9e9cfa303a17b2cdcc9a716349
SHA512

73cb10ffb01979dbabfe67b7feaea2342d3bd83a73faec779b64f8d71eb28b2ccd9d3bf87a18f7e76a7102f6217b912b4871a189d0e21dbad7b6f362fdb94c84
SSDEEP

49152:wpUPjo5oqrQQkTUwEjKt9CWVxbebxkmILc6hpYrH:wp6oaqUQ4Pj/CWV/Thp

Score

10^/10

darkgate ricoc2 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

Ricoc2

http://joagfhreetdsa.com

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
true
crypter_dll
false
crypter_rawstub
false
crypto_key
OaqlRfomBMoIbY
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
Ricoc2

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 3172 created 3464	3172	Autoit3.exe	33
PID 1612 created 3464	1612	TabTip32.exe	33

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kfkfceb.lnk	TabTip32.exe

Executes dropped EXE 2 IoCs

pid	Process
2552	KeyScramblerLogon.exe
3172	Autoit3.exe

Loads dropped DLL 3 IoCs

pid	Process
3488	MsiExec.exe
2552	KeyScramblerLogon.exe
3488	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3412	ICACLS.EXE
4900	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIE7F0.tmp	msiexec.exe
File created	C:\Windows\Installer\e57d1f6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d1f6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIE7F1.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{D783C326-EC39-41ED-9761-A49DA51B416E}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID33E.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000600000002321f-106.dat	nsis_installer_1
behavioral2/files/0x000600000002321f-106.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000530b1468276ad9050000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000530b14680000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900530b1468000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d530b1468000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000530b146800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 6 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TabTip32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TabTip32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TabTip32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TabTip32.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
3224	msiexec.exe
3224	msiexec.exe
3172	Autoit3.exe
3172	Autoit3.exe
3172	Autoit3.exe
3172	Autoit3.exe
3172	Autoit3.exe
3172	Autoit3.exe
1612	TabTip32.exe
1612	TabTip32.exe
1612	TabTip32.exe
1612	TabTip32.exe
5304	TabTip32.exe
5304	TabTip32.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1980	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1980	msiexec.exe
Token: SeSecurityPrivilege	3224	msiexec.exe
Token: SeCreateTokenPrivilege	1980	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1980	msiexec.exe
Token: SeLockMemoryPrivilege	1980	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1980	msiexec.exe
Token: SeMachineAccountPrivilege	1980	msiexec.exe
Token: SeTcbPrivilege	1980	msiexec.exe
Token: SeSecurityPrivilege	1980	msiexec.exe
Token: SeTakeOwnershipPrivilege	1980	msiexec.exe
Token: SeLoadDriverPrivilege	1980	msiexec.exe
Token: SeSystemProfilePrivilege	1980	msiexec.exe
Token: SeSystemtimePrivilege	1980	msiexec.exe
Token: SeProfSingleProcessPrivilege	1980	msiexec.exe
Token: SeIncBasePriorityPrivilege	1980	msiexec.exe
Token: SeCreatePagefilePrivilege	1980	msiexec.exe
Token: SeCreatePermanentPrivilege	1980	msiexec.exe
Token: SeBackupPrivilege	1980	msiexec.exe
Token: SeRestorePrivilege	1980	msiexec.exe
Token: SeShutdownPrivilege	1980	msiexec.exe
Token: SeDebugPrivilege	1980	msiexec.exe
Token: SeAuditPrivilege	1980	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1980	msiexec.exe
Token: SeChangeNotifyPrivilege	1980	msiexec.exe
Token: SeRemoteShutdownPrivilege	1980	msiexec.exe
Token: SeUndockPrivilege	1980	msiexec.exe
Token: SeSyncAgentPrivilege	1980	msiexec.exe
Token: SeEnableDelegationPrivilege	1980	msiexec.exe
Token: SeManageVolumePrivilege	1980	msiexec.exe
Token: SeImpersonatePrivilege	1980	msiexec.exe
Token: SeCreateGlobalPrivilege	1980	msiexec.exe
Token: SeBackupPrivilege	4696	vssvc.exe
Token: SeRestorePrivilege	4696	vssvc.exe
Token: SeAuditPrivilege	4696	vssvc.exe
Token: SeBackupPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeRestorePrivilege	3224	msiexec.exe
Token: SeTakeOwnershipPrivilege	3224	msiexec.exe
Token: SeBackupPrivilege	4348	srtasks.exe
Token: SeRestorePrivilege	4348	srtasks.exe
Token: SeSecurityPrivilege	4348	srtasks.exe
Token: SeTakeOwnershipPrivilege	4348	srtasks.exe
Token: SeBackupPrivilege	4348	srtasks.exe
Token: SeRestorePrivilege	4348	srtasks.exe
Token: SeSecurityPrivilege	4348	srtasks.exe
Token: SeTakeOwnershipPrivilege	4348	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1980	msiexec.exe
1980	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3224 wrote to memory of 4348	3224	msiexec.exe	102
PID 3224 wrote to memory of 4348	3224	msiexec.exe	102
PID 3224 wrote to memory of 3488	3224	msiexec.exe	104
PID 3224 wrote to memory of 3488	3224	msiexec.exe	104
PID 3224 wrote to memory of 3488	3224	msiexec.exe	104
PID 3488 wrote to memory of 3412	3488	MsiExec.exe	105
PID 3488 wrote to memory of 3412	3488	MsiExec.exe	105
PID 3488 wrote to memory of 3412	3488	MsiExec.exe	105
PID 3488 wrote to memory of 3408	3488	MsiExec.exe	107
PID 3488 wrote to memory of 3408	3488	MsiExec.exe	107
PID 3488 wrote to memory of 3408	3488	MsiExec.exe	107
PID 3488 wrote to memory of 2552	3488	MsiExec.exe	109
PID 3488 wrote to memory of 2552	3488	MsiExec.exe	109
PID 3488 wrote to memory of 2552	3488	MsiExec.exe	109
PID 2552 wrote to memory of 3172	2552	KeyScramblerLogon.exe	111
PID 2552 wrote to memory of 3172	2552	KeyScramblerLogon.exe	111
PID 2552 wrote to memory of 3172	2552	KeyScramblerLogon.exe	111
PID 3488 wrote to memory of 4900	3488	MsiExec.exe	113
PID 3488 wrote to memory of 4900	3488	MsiExec.exe	113
PID 3488 wrote to memory of 4900	3488	MsiExec.exe	113
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114
PID 3172 wrote to memory of 1612	3172	Autoit3.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3464
- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1612
- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:5304

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Udemy Desktop v2.14_JC.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1980

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3224
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4348
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 80597B85B990D9D32EA21C535D23EC2B
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3488
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:3412
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:3408
- - C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\files\KeyScramblerLogon.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\files\KeyScramblerLogon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\files\Autoit3.exe
      "C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\files\Autoit3.exe" C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\files\script.au3
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:3172
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:4900

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\afkbdfd\bfhcdaf.au3

Filesize
926KB

MD5
982eb421ea019455193dc26ab4c832a3

SHA1
dadd0e8f1794421ae59fd28de9c7ecf132d2f754

SHA256
15bd882ce44c2d5175b654e87ef2590de3be16518f0c398f3b51b4652bd69388

SHA512
e3fa7accec606ae1f91b56986f333b8ad9273a6b5ebde4397b205b15e51bb7d0fcf1be7d3437a9d49963546fef9708cfc23ed5e7745474730e7f882eec12cf65

Download Submit
C:\ProgramData\afkbdfd\hfgdkgk\gcabaef

Filesize
136B

MD5
f68aa33cac54f0b5481d1c8cbd830b77

SHA1
b4656bb6dfdc01fdb9c13f0144bfb6df3e04eaf8

SHA256
a192ace70a88eed4441522673acd016cb01a867f75ffaadcec65e25ab371972b

SHA512
5ca947369ead563a518befd08f5f22795815494f737549ecac42067d339c719bb1e1f563b8ef1ee0951ee5a2f08863e775912d618d33d6cd9be52b0544068d97

Download Submit
C:\ProgramData\afkbdfd\hfgdkgk\gcabaef

Filesize
136B

MD5
df090b50d0f893589170441ae9d57a23

SHA1
19994bb5f095fd6b21774422af3d121be7f3c227

SHA256
c0c97cb003874896c146fcd840f7b58d2b04e5d8f33b61c0fc683f06b1456b26

SHA512
b92e066217a9abad1c5c4db320c3abb684c256d78ac903f0234869161416d1111c1804b417114f22a11ebd04a1f29b59d20526b6a14afa2d00f805811c049a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\files.cab

Filesize
1.4MB

MD5
dd9b0157903a90dff5a42627e1582eef

SHA1
b0c9a5e954b31ff25cbe62115e2301f69b51da60

SHA256
469dc7d7a8b2722a07bdbd14407f523b71d92517c0a4cc32d97a95636b393882

SHA512
de3ed62514620d05de9374ccbf07cf8f4253c276081c3aa9a76afbb6123ea0e26090672916ad58a59a40c853d4467bb68017c0a654af7f93db870e4d2994560c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\files\KeyScramblerIE.DLL

Filesize
452KB

MD5
de7f6c3fe8b1bd40829cb9e8268fb7e8

SHA1
379a85b9d762f18820cada3b6e60328d7e6baf2b

SHA256
f030e9e622086519fba0c811abd6f1f3d68ee41308f276111773eed8be282b55

SHA512
13c61c35c7d4cc47f9ac62b2e9c6dae5ce454d163b0fee203a3a961ee9877471a0ae53355bee676e9bca1dccad75844c1a35f3bdbe11f0d7c9a5219b23f2fd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\files\KeyScramblerIE.dll

Filesize
452KB

MD5
de7f6c3fe8b1bd40829cb9e8268fb7e8

SHA1
379a85b9d762f18820cada3b6e60328d7e6baf2b

SHA256
f030e9e622086519fba0c811abd6f1f3d68ee41308f276111773eed8be282b55

SHA512
13c61c35c7d4cc47f9ac62b2e9c6dae5ce454d163b0fee203a3a961ee9877471a0ae53355bee676e9bca1dccad75844c1a35f3bdbe11f0d7c9a5219b23f2fd65

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\files\KeyScramblerLogon.dll

Filesize
92KB

MD5
760aa6f15db378dda44f262e1349e28d

SHA1
9bb9a0caa54e8b2560245430f33985996b2d40f3

SHA256
ee04957d0010ca2134c4770b434b2fdec08a25400b474dd51f47d5d1dc8d574b

SHA512
c6cf081dc189d88c85d01832f5cb09ff42c1264d7d4c548a336a33b97ec0b0b24aeb25076fd24db7db2f7a7ced6eccc67d26497352f7eeb1d29bb9c0a59abce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\files\Uninstall.exe

Filesize
88KB

MD5
6de8cb9727907a59bcaf9871cc493c70

SHA1
a0ea933423c48d36718dca842994b83e5ffc4756

SHA256
408c0fbf2992f89b058bdb228670ff27a68ef0a7a3b648a33ff86ecc39139a11

SHA512
a48d97a7862eeda211a59d1023071641c91c3065a347ad060c40f86532db36010f5c89b0f6ab427a783ccce45485e42cf6443a14c72faa118c9b0a4c34b5c21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\files\keyscrambler.ico

Filesize
39KB

MD5
fde5504bbf7620aca9f3850511c13a45

SHA1
484382ecc232cedc1651fba5f9311e9164f43369

SHA256
932409eb2abfc31f2dd218240de70a150359ea8ab09fcceb1f076b9a17c844b7

SHA512
6d67be9398fcc2b85fe4fd7357f37d6cfc1d3e548f713319080707c750b66d2b1e631c79a7e745c56b1a72be91735156e3989eff8d0b84c3442c0fa548c2a6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\files\keyscrambler.sys

Filesize
225KB

MD5
9baf5236d65a36ed2c388cf04108ab9f

SHA1
f5e28edea04a00b5e8806130cd2736336c6e3792

SHA256
9e79960a40797c11a007d9c8e6a4bce721baf603f5d651f5485eb5481c717b12

SHA512
1fc899c37e628adbe05a53812e6106332de7dbef83ce72094dd228067eefa71d09abe55d250b35d93f7454b9596073de95af6700e543c17bb5d43e7de0fcac1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\files\script.au3

Filesize
916KB

MD5
d8ce5a1eaae8ae730b8ca3abbedab5c4

SHA1
43d6dbd27ab28f1040ff1bdf708dd719b7a1409f

SHA256
d506de68891b6b8ce975e145940801fafb5d0d9113674aa8574ac24f9f97e277

SHA512
508b9e1549a192eca48951eb2c50a2977863701aec382190cd629c714916e8306d2a0adc177e0f28928ce75a5e616ac63488262c1f61640bc4d999d3ebeb0c01

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\files\snfutwdm

Filesize
1.8MB

MD5
4098040bf77b66ec3dda0ce8054179ae

SHA1
9f8639209d7a5e7f92985a377ecf4dd7f71b98c0

SHA256
5f8622262ad357f9b7270dfbfd6dccbc85ddb255fa135baa6f8e6aeb083b5254

SHA512
6ebf7db24a62c7a6c3eb3e8eb038aa9fe1ab13b22a198434a56d63ebebe566a25d4ecbbdaa416daa215db311e373c942c65d74d244f1c44de1574c21a7f3ae08

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\files\ysllkyv

Filesize
8B

MD5
68b25ee085c21d69d52eff4b03f96b57

SHA1
83ba3be29cc49a504d1470ce123f30f9ad47c71d

SHA256
2e9899d37f191877759856b52098739f596d7dfceabee11fdfa33e8ead03bc77

SHA512
f5cc49441ca1ed8593f641fc50dac9ebc5045569e43cca795fe0375379ad1914cfc454371e0cfdb5ef19271777a6670daa2e311a3a1f4ead207026cd522d76c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\msiwrapper.ini

Filesize
1KB

MD5
52caeb9271efeb1f2089b4b9941695eb

SHA1
7caf585480cc4fb9ef69fd1ebf3af5c55c49f7c0

SHA256
b88184ef859dbd49ee7faf557054a92d91ea8e88d22569f76ff792f7ec09779a

SHA512
94f6b93831f0ddddc8edf7f3714db031c89f6b2ed886e0dc6b5e0509fa1ccf0f702deb4657ff2cde4d8f7a6b7a8c2553daf4699b2f13cf8e05488a198515de2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\msiwrapper.ini

Filesize
356B

MD5
b38e81e46fb48a9fbd1c2e1d3ce778b0

SHA1
5ee7d30c5b97a951c6718fe661cae3443ded5c0c

SHA256
da242572497f26e30596a197dd6fdcff95ab89fcce999642123f3e1ec7442e0d

SHA512
bda16497813a71727feda20453f720e302d96255901db2b2cd89a4831ed101fdd43dd591690c6cf464edc6025b72174e9707fbfdeaf4f8a5ccf129ab24df527d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\msiwrapper.ini

Filesize
1KB

MD5
81cf2fbe625709e9bea0e900efa74e9e

SHA1
8324e392516ab8e5f5672ee4555a37c47d9577d2

SHA256
9cd0e8228d6b378499e36287ee621c7c3be454206d2378a408f8a700bcf0e3c9

SHA512
485631271e4dff14d9bc6e32c819aee8ce50f48a7c904448eab0a64a84ebb70de9a9a1ca0cbfefd3e6e1010e301ab2434cfcebde4b1bffb8df6f1a2fb1c02285

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\msiwrapper.ini

Filesize
1KB

MD5
c67dfae8bec2e5ea12ea57fcc5e194f6

SHA1
b2b87877144f92d1953fbb96d8b8677c82685c70

SHA256
a156c60379dcc8b3a22d3b9e313d811d76222020b1b569c1f9926867f8926e15

SHA512
d0fb03e72894592dc9681b49375cabedc4b987c19ed9d8b1f423368d3d94e87e92d752af1fa1eb44883bbcb04b75522c9f689f041514b5465cbdb075c3ec2586

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-3fdb12f1-5101-429b-85d0-55e3bf9ad65b\msiwrapper.ini

Filesize
1KB

MD5
c67dfae8bec2e5ea12ea57fcc5e194f6

SHA1
b2b87877144f92d1953fbb96d8b8677c82685c70

SHA256
a156c60379dcc8b3a22d3b9e313d811d76222020b1b569c1f9926867f8926e15

SHA512
d0fb03e72894592dc9681b49375cabedc4b987c19ed9d8b1f423368d3d94e87e92d752af1fa1eb44883bbcb04b75522c9f689f041514b5465cbdb075c3ec2586

Download Submit
C:\Windows\Installer\MSID33E.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSID33E.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIE7F1.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIE7F1.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\ehkkkec

Filesize
4B

MD5
00d78abf7d85294dcbbbb407a0ae8c70

SHA1
345439a4e0c5d8ebace4bcfb8bd0585f6017d93e

SHA256
e9552c64208d6b758a335a50884ff076434dc564b763ab78e45e75e89930b06e

SHA512
38a78658a30176081682e22032ce77f1ae8504dbfbdb6640cae4132e78b3be7d31d082d5adc6d3aed0aa6bd26296b5130791263e8750ece727f31d15208182db

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
17316204de2db0ed5076dc3e4c74533b

SHA1
21d1d630a3b44d8a83d32eaaac27f91106ea2ba8

SHA256
9aa651e37be7ec8b54a9c282012707c3327eda423b96e2fab1c3f5ee58294614

SHA512
99f84a1bbe1997ad7d82d454259979fe62c8c451084aa0e572d566d35379fd4958de15097176c48e109430eb162a7d903ebd3e8326bc440625a3f67bfa4d5819

Download Submit
\??\Volume{68140b53-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5eae6265-de06-42fe-a647-b5de61df5b02}_OnDiskSnapshotProp

Filesize
5KB

MD5
4876e51d09a0b8f4a4411fb419c3e0c0

SHA1
0f2404978b3a49cf2eca4a91ae7b0c7ee2a7b169

SHA256
7a84dca20a3ec5bf7a27775d6bec7dafc0c9a56770e80ba73f6cfc8964b06669

SHA512
24187c4b2a8fed11a203a368417cc97a14eb91cd0e262cdcfb98f7f65894ba47188af5f490c3b0e808b71f6e0753e15d392f5cc399df996f67303da70060c137

Download Submit
\??\c:\temp\bfhcdaf.au3

Filesize
916KB

MD5
d8ce5a1eaae8ae730b8ca3abbedab5c4

SHA1
43d6dbd27ab28f1040ff1bdf708dd719b7a1409f

SHA256
d506de68891b6b8ce975e145940801fafb5d0d9113674aa8574ac24f9f97e277

SHA512
508b9e1549a192eca48951eb2c50a2977863701aec382190cd629c714916e8306d2a0adc177e0f28928ce75a5e616ac63488262c1f61640bc4d999d3ebeb0c01

Download Submit
memory/1612-714-0x0000000010410000-0x0000000010490000-memory.dmp

Filesize
512KB

Download
memory/1612-746-0x0000000010410000-0x0000000010490000-memory.dmp

Filesize
512KB

Download
memory/1612-128-0x0000000000C70000-0x0000000000C71000-memory.dmp

Filesize
4KB

Download
memory/1612-127-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/2552-96-0x00000000031E0000-0x0000000003910000-memory.dmp

Filesize
7.2MB

Download
memory/2552-99-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2552-98-0x0000000003BE0000-0x0000000003CD5000-memory.dmp

Filesize
980KB

Download
memory/3172-143-0x0000000001470000-0x0000000001870000-memory.dmp

Filesize
4.0MB

Download
memory/3172-148-0x0000000004540000-0x0000000004903000-memory.dmp

Filesize
3.8MB

Download
memory/3172-144-0x0000000003D20000-0x0000000003E15000-memory.dmp

Filesize
980KB

Download
memory/3172-720-0x0000000004540000-0x0000000004903000-memory.dmp

Filesize
3.8MB

Download
memory/3172-124-0x0000000004540000-0x0000000004903000-memory.dmp

Filesize
3.8MB

Download
memory/3172-119-0x0000000004540000-0x0000000004903000-memory.dmp

Filesize
3.8MB

Download
memory/3172-118-0x0000000003D20000-0x0000000003E15000-memory.dmp

Filesize
980KB

Download
memory/3172-117-0x0000000001470000-0x0000000001870000-memory.dmp

Filesize
4.0MB

Download
memory/5304-735-0x0000000001020000-0x0000000001021000-memory.dmp

Filesize
4KB

Download
memory/5304-737-0x00000000010C0000-0x00000000010C1000-memory.dmp

Filesize
4KB

Download
memory/5304-1318-0x0000000010490000-0x0000000010510000-memory.dmp

Filesize
512KB

Download
memory/5304-1324-0x0000000010490000-0x0000000010510000-memory.dmp

Filesize
512KB

Download