darkgate | 8abdcccd1e49663190b5071cdafeba3e8b4a4471bceaeaa5915a7ce17ceaf3a3

Analysis

max time kernel
150s
max time network
146s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
16-11-2023 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.Invoice.msi
Size

2.2MB
MD5

165dc9d8a2036c77094422d89913deff
SHA1

a1b668d163e9ab7a6a1654a27e7a2c46207caaf7
SHA256

8abdcccd1e49663190b5071cdafeba3e8b4a4471bceaeaa5915a7ce17ceaf3a3
SHA512

fd4d02211b820eb0c982fd55d9c37b0ba06f01cb1febc93ac76ba9637f58fcdaafd4656256e8589b10d04d7a4827f568b8f49d3a7bd8c6cf8fa44a1b09822388
SSDEEP

49152:upUPhwblqpM8LVFlJ52YIegQxBXkk1tHaOufTyhvPTCAzk9NoX+Ikgu:upgCpe/28pntpPohXgu

Score

10^/10

darkgate herady5 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

herady5

http://167.114.199.65

Attributes

alternative_c2_port
2351
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
2351
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
true
crypter_dll
false
crypter_rawstub
false
crypto_key
PuqpVjoUKJizHc
internal_mutex
chaCaA
minimum_disk
100
minimum_ram
4096
ping_interval
30
rootkit
true
startup_persistence
true
username
herady5

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 552 created 1116	552	Autoit3.exe	11
PID 1780 created 1116	1780	TabTip32.exe	11

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\degdfkh.lnk	TabTip32.exe

Executes dropped EXE 2 IoCs

pid	Process
1808	KeyScramblerLogon.exe
552	Autoit3.exe

Loads dropped DLL 8 IoCs

pid	Process
2812	MsiExec.exe
2812	MsiExec.exe
2812	MsiExec.exe
2812	MsiExec.exe
2812	MsiExec.exe
1808	KeyScramblerLogon.exe
1808	KeyScramblerLogon.exe
2812	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
760	ICACLS.EXE
440	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\f7689d8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA91D.tmp	msiexec.exe
File created	C:\Windows\Installer\f7689d9.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8D42.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIA8DE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7689d9.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f7689d8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral1/files/0x0006000000016c8e-157.dat	nsis_installer_1
behavioral1/files/0x0006000000016c8e-157.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TabTip32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TabTip32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	KeyScramblerLogon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	KeyScramblerLogon.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TabTip32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TabTip32.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	KeyScramblerLogon.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	KeyScramblerLogon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	KeyScramblerLogon.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	KeyScramblerLogon.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2064	msiexec.exe
2064	msiexec.exe
552	Autoit3.exe
552	Autoit3.exe
1780	TabTip32.exe
1780	TabTip32.exe
2848	TabTip32.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2044	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2044	msiexec.exe
Token: SeRestorePrivilege	2064	msiexec.exe
Token: SeTakeOwnershipPrivilege	2064	msiexec.exe
Token: SeSecurityPrivilege	2064	msiexec.exe
Token: SeCreateTokenPrivilege	2044	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2044	msiexec.exe
Token: SeLockMemoryPrivilege	2044	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2044	msiexec.exe
Token: SeMachineAccountPrivilege	2044	msiexec.exe
Token: SeTcbPrivilege	2044	msiexec.exe
Token: SeSecurityPrivilege	2044	msiexec.exe
Token: SeTakeOwnershipPrivilege	2044	msiexec.exe
Token: SeLoadDriverPrivilege	2044	msiexec.exe
Token: SeSystemProfilePrivilege	2044	msiexec.exe
Token: SeSystemtimePrivilege	2044	msiexec.exe
Token: SeProfSingleProcessPrivilege	2044	msiexec.exe
Token: SeIncBasePriorityPrivilege	2044	msiexec.exe
Token: SeCreatePagefilePrivilege	2044	msiexec.exe
Token: SeCreatePermanentPrivilege	2044	msiexec.exe
Token: SeBackupPrivilege	2044	msiexec.exe
Token: SeRestorePrivilege	2044	msiexec.exe
Token: SeShutdownPrivilege	2044	msiexec.exe
Token: SeDebugPrivilege	2044	msiexec.exe
Token: SeAuditPrivilege	2044	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2044	msiexec.exe
Token: SeChangeNotifyPrivilege	2044	msiexec.exe
Token: SeRemoteShutdownPrivilege	2044	msiexec.exe
Token: SeUndockPrivilege	2044	msiexec.exe
Token: SeSyncAgentPrivilege	2044	msiexec.exe
Token: SeEnableDelegationPrivilege	2044	msiexec.exe
Token: SeManageVolumePrivilege	2044	msiexec.exe
Token: SeImpersonatePrivilege	2044	msiexec.exe
Token: SeCreateGlobalPrivilege	2044	msiexec.exe
Token: SeBackupPrivilege	2636	vssvc.exe
Token: SeRestorePrivilege	2636	vssvc.exe
Token: SeAuditPrivilege	2636	vssvc.exe
Token: SeBackupPrivilege	2064	msiexec.exe
Token: SeRestorePrivilege	2064	msiexec.exe
Token: SeRestorePrivilege	2608	DrvInst.exe
Token: SeRestorePrivilege	2608	DrvInst.exe
Token: SeRestorePrivilege	2608	DrvInst.exe
Token: SeRestorePrivilege	2608	DrvInst.exe
Token: SeRestorePrivilege	2608	DrvInst.exe
Token: SeRestorePrivilege	2608	DrvInst.exe
Token: SeRestorePrivilege	2608	DrvInst.exe
Token: SeLoadDriverPrivilege	2608	DrvInst.exe
Token: SeLoadDriverPrivilege	2608	DrvInst.exe
Token: SeLoadDriverPrivilege	2608	DrvInst.exe
Token: SeRestorePrivilege	2064	msiexec.exe
Token: SeTakeOwnershipPrivilege	2064	msiexec.exe
Token: SeRestorePrivilege	2064	msiexec.exe
Token: SeTakeOwnershipPrivilege	2064	msiexec.exe
Token: SeRestorePrivilege	2064	msiexec.exe
Token: SeTakeOwnershipPrivilege	2064	msiexec.exe
Token: SeRestorePrivilege	2064	msiexec.exe
Token: SeTakeOwnershipPrivilege	2064	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2044	msiexec.exe
2044	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2812	2064	msiexec.exe	32
PID 2064 wrote to memory of 2812	2064	msiexec.exe	32
PID 2064 wrote to memory of 2812	2064	msiexec.exe	32
PID 2064 wrote to memory of 2812	2064	msiexec.exe	32
PID 2064 wrote to memory of 2812	2064	msiexec.exe	32
PID 2064 wrote to memory of 2812	2064	msiexec.exe	32
PID 2064 wrote to memory of 2812	2064	msiexec.exe	32
PID 2812 wrote to memory of 760	2812	MsiExec.exe	33
PID 2812 wrote to memory of 760	2812	MsiExec.exe	33
PID 2812 wrote to memory of 760	2812	MsiExec.exe	33
PID 2812 wrote to memory of 760	2812	MsiExec.exe	33
PID 2812 wrote to memory of 1924	2812	MsiExec.exe	35
PID 2812 wrote to memory of 1924	2812	MsiExec.exe	35
PID 2812 wrote to memory of 1924	2812	MsiExec.exe	35
PID 2812 wrote to memory of 1924	2812	MsiExec.exe	35
PID 2812 wrote to memory of 1808	2812	MsiExec.exe	37
PID 2812 wrote to memory of 1808	2812	MsiExec.exe	37
PID 2812 wrote to memory of 1808	2812	MsiExec.exe	37
PID 2812 wrote to memory of 1808	2812	MsiExec.exe	37
PID 1808 wrote to memory of 552	1808	KeyScramblerLogon.exe	38
PID 1808 wrote to memory of 552	1808	KeyScramblerLogon.exe	38
PID 1808 wrote to memory of 552	1808	KeyScramblerLogon.exe	38
PID 1808 wrote to memory of 552	1808	KeyScramblerLogon.exe	38
PID 2812 wrote to memory of 440	2812	MsiExec.exe	39
PID 2812 wrote to memory of 440	2812	MsiExec.exe	39
PID 2812 wrote to memory of 440	2812	MsiExec.exe	39
PID 2812 wrote to memory of 440	2812	MsiExec.exe	39
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41
PID 552 wrote to memory of 1780	552	Autoit3.exe	41

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1116
- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Drops startup file
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1780
- C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
  "C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2848

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NEAS.Invoice.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2044

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F32481B2A0420E5E6317A1D9C09F0351
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:760
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:1924
- - C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of WriteProcessMemory
    PID:1808
  - - C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe
      "C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe" C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\script.au3
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:552
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:440

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000049C" "00000000000005AC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2608

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ccecacd\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\ccecacd\adbcddc\cckaggf

Filesize
135B

MD5
05a50641e84e703c50919fb084fd596a

SHA1
fc096d9e4e1eb19524b760e922ee760849d1562c

SHA256
1f5eb190ebf1d4c04e2db6b530fdb899a7195866555bec86960f8fea08559455

SHA512
e27766b1c534da0e99bebe1369785db724ec7322a84d6ac0f6d3380032355419968bc99f3423bcaff43df9247e8b96c5b193103b363eb801e066a6bdb1f03386

Download Submit
C:\ProgramData\ccecacd\fegaefg.au3

Filesize
779KB

MD5
98304a28f4657cfa73661759185fa4ec

SHA1
1d4a91dd95e7d64e32d2fcb5b14f031ba3af326f

SHA256
5569707bf84d293fa32a6fae6d93f18bd3a2bf4160943ffad43fae0b2803128e

SHA512
eceacddaf1b432c89ad905583bcb8103ed2d0b431985e05ff82d151ffdca4b63622332b3336a10996639f8a9f689a1b65c880a51b47aa0c8779468012b99f2fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files.cab

Filesize
1.9MB

MD5
7054f4eba28a1df7dab2d77d7d48c577

SHA1
8a0899c27a1859ad75f4d0eaabc8f9da386af0bb

SHA256
bd8962dcb0d34286c5f360fadbf647f136864f41526644d666923692816d7fd9

SHA512
e21b4b385634691a5fae2da3ef0f89fe3eac1583c6482c46de335d8b32102878124ef5f88cb8c562b5ea745dcf6ba5e3117a113334b676785cc6e137c15a9ca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\EMCOMSI.pbproj

Filesize
28KB

MD5
2d190d00ca9f4a0da4ea26e6da13307e

SHA1
72cfa041994c30b527cc7f1cf6f4f5877edb35b9

SHA256
7c22e0a9afe2f9f4724711c456a049a113cc600d55167598be17ba1ab5124025

SHA512
e16e6bc6e164a40efc47d6cdb7ddd2bcbffe4760c8ad1eec21dcba2d1d3f61d688b26e89d454c24b89847d26aaf824fdb5b9b18a7ae85612c1e3a255021ec5e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerIE.DLL

Filesize
535KB

MD5
63e87369f0fa8fb04a420a709f191124

SHA1
8f3628dea6a64a9b7a967d0659f859acecc3b7bf

SHA256
544d564e037c1493aa1daac2dd19afc562b4bfe4700e5eba644a279bcda3276c

SHA512
2d9442aa0e4977d226a4338ade0b4321836611ec56109709cf922da102b6aa9083f659ff740212eb6c9cfc2b3a339cb3482a035e39b1ba9acf3a96a7a6d19f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.dll

Filesize
92KB

MD5
760aa6f15db378dda44f262e1349e28d

SHA1
9bb9a0caa54e8b2560245430f33985996b2d40f3

SHA256
ee04957d0010ca2134c4770b434b2fdec08a25400b474dd51f47d5d1dc8d574b

SHA512
c6cf081dc189d88c85d01832f5cb09ff42c1264d7d4c548a336a33b97ec0b0b24aeb25076fd24db7db2f7a7ced6eccc67d26497352f7eeb1d29bb9c0a59abce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Languages\KSLangCHT.dll

Filesize
14KB

MD5
07e327539ff319611d858a4c9575ed02

SHA1
53d74091a51d96bb9b946a06803e16d3a9139df6

SHA256
d4afb96b37351ebbe9763fe0110a0859e62f6a065abfa840af5454505b3cd80e

SHA512
906a346bb8f5842a81a1b5f4fc54b71d9db9c390bcdc2dfbaf723eb40ad247c456fccc7a0fd77130c666dd80d2821de1e3487ad62528405a3ec86e503202bc67

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Languages\KSLangJPN.dll

Filesize
14KB

MD5
bc5feb50bc7a25e4c08e3bcd8d2bc1c5

SHA1
fb703a62a503ce8a697e8d8c648f6c09408b2f53

SHA256
d52120ab6b006b1f5bda114129d78b7d11ff33e707c3e689cd6bc15dca836da9

SHA512
84699f9de5079fa6c89430d81c76cc89ffd73cc7a9ae2f1a6e5a92bbdb2db5de9461436fb134ce8ff5074b1eea7e56a72432e0e6595d9e141a44f0290e124214

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\QFXUpdateService.exe

Filesize
768KB

MD5
4ed21ae3ae981538ab61f199d4477b92

SHA1
d7266d30270bce21dffb62ed7f2e47fee9890fc2

SHA256
7053dae7f3d11cee5b0ca0363320104857c73aad6a0f2f9af398c2f4e607a95b

SHA512
f4768e7ccc73d5ae8f9da526875b12f571c36ba7c7c9d08aa1a455926a34560f11598f677242c5513ed750a384bd9b1107b57975487603f49e6c16eea92bcbdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\ReadMe.txt

Filesize
13KB

MD5
06a5df751eb0765e69bfb15e12f4c665

SHA1
7394bf7df2dda47bf8d55bfbc880d2a2316054ac

SHA256
8b9d97c137459a495936af47f5140fe75f795728a30e9ec3d8ac9c1cb2e5c65f

SHA512
aabd6aa18646192bd49e5343e0129e696b1e003a16e8205fd36aa863be9c97aadf9ac67bba96629d21ea5921e89ce6a401e74d9347aa77468f3854dc64e20558

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Sounds\Error.wav

Filesize
35KB

MD5
efad8c5d6cc6cae180ebe01ce3a60c88

SHA1
614839975c1f07161f3c26ba2af08ae910b21c61

SHA256
acad74b9bb57809e1b35bc06f357941986ebdc547ba33fc618f07e6e7bdc49bd

SHA512
d404752e05ee803958a21b7fcadc0782ba36ea42eba84eae42eca6360df71822bc705eea6ef2caaa82e2fdcc518ba1cd94c04cc7e7e7739d32eb29dbffd2f51a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Sounds\Success.wav

Filesize
66KB

MD5
fd8177d61c8dd032dd262bf979d852f6

SHA1
ac64e21b7c80e996bcb369b6023bec4191568a52

SHA256
8dae19fc9c722a7fb169f37b5881e74551a8d3b8b43ec6f52b6d5d46e885ed6c

SHA512
39e75172a2b410eb25de87f06c57e1c583493f1885a39f2a410ce6437cc8e9d400a3e8e695cdcec63752840096637a16c1d875e43ce1c40e43553f16337ff835

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Uninstall.exe

Filesize
72KB

MD5
eff839d29dbb06677a85117d036e29c6

SHA1
473823c718f3db95d27f14b783e68c08f13caded

SHA256
1b5cb8035b18d06b5219f2e7d30200ca343c0ce6763962c7c41534aecc2b1c80

SHA512
cb4fb2b054e3430df934cd30be220e13c2f86bf2dbc6e2a46d59fa4f7d9c6feca9cbc44fb1cc49bfae7aa39623d26d8f4510fa9a0584a1f64110cae87117aff3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\celizvv

Filesize
8B

MD5
ae18e8d531e840927e972f9e56a1af09

SHA1
15a49428f1699cbf6ee71040690b6b05da3e4a04

SHA256
3674e179fcc877affdb4b0d83b4fd23907ace789566bf1f5195f77b392fe6b5c

SHA512
2826941a5c2f8b495db9422794dc4a5f3f464b135b1c3c711b70dfc33b41fa86698eb8d3f5a111a8d210015d1a98545f025c7200bf326d2c9ea4a7b1dc79dcaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\getting_started.html

Filesize
1KB

MD5
da033601ee343eaa7f5d609a854b4baa

SHA1
e279b127a9ce7582a626c29dd02a0b88ff10d966

SHA256
e4312722cf4e6e179f7c50e8fcc618d583a38ba71046aee2d67090d7a37ee5da

SHA512
b6c53aabc3c1c41d639f5877dc81dbf05145c8feb4101e20afd45dbafdc5f2af90394dda3c26836a34d4382135fbdcc899795a58a40d3974fcaff7f4f8002a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\keyscrambler.ico

Filesize
39KB

MD5
fde5504bbf7620aca9f3850511c13a45

SHA1
484382ecc232cedc1651fba5f9311e9164f43369

SHA256
932409eb2abfc31f2dd218240de70a150359ea8ab09fcceb1f076b9a17c844b7

SHA512
6d67be9398fcc2b85fe4fd7357f37d6cfc1d3e548f713319080707c750b66d2b1e631c79a7e745c56b1a72be91735156e3989eff8d0b84c3442c0fa548c2a6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\keyscrambler.sys

Filesize
225KB

MD5
9baf5236d65a36ed2c388cf04108ab9f

SHA1
f5e28edea04a00b5e8806130cd2736336c6e3792

SHA256
9e79960a40797c11a007d9c8e6a4bce721baf603f5d651f5485eb5481c717b12

SHA512
1fc899c37e628adbe05a53812e6106332de7dbef83ce72094dd228067eefa71d09abe55d250b35d93f7454b9596073de95af6700e543c17bb5d43e7de0fcac1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\license.htm

Filesize
6KB

MD5
fbe23ef8575dd46ea36f06dd627e94ab

SHA1
d80929568026e2d1db891742331229f1fd0c7e34

SHA256
104c6948b760b0dc6fb80f9283a7978229e8be4bab316fe5fa883dccc18dc8ab

SHA512
caba58d22a835c2a9a0c420129631add230ebbb16edc36b45766348f5c7d5e5c9f8dc2edd71622f8876f8777d3c797a3e6dd2da7ea1a743cbca73d1e4ad27d20

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\project.xml

Filesize
1KB

MD5
189dc774be74d9453606a7a80cd730e6

SHA1
1a70d362b8bd78cdfe7949f3438b346fe8c69adb

SHA256
3af50be8a1086fff8726686340b4a3883125406f20ac0f72396363891ecc26c6

SHA512
68679076938165c6bb669d5ac7fbe979ae34611b6eda3030eea5361872993c7922a705185ac4016e221ccd6220f8af31e0d3821241d410bbfe744e6c29588a9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\qtwvkwdh

Filesize
1.6MB

MD5
c6fe14ca635b936944da74a6691a1a8b

SHA1
df66ae8a3a60296d4b2aa71dd61641c13c0231cf

SHA256
8de3daf814abcde323bcfafb07ab89cc5adb8d5a137ef9366e4923d69443b44c

SHA512
edc559e06bc2b5befbf7dc62dcf898e77633f78387137d66911f15bc56225d75ebf4dae3bcacc9b631c4ca68754f254727cc3d9685fe8a76936b0bcd21c6af5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\script.au3

Filesize
768KB

MD5
2e0faac53060f5d57029aaedb0d91c67

SHA1
f8502e476658270ce6068a5bd91f65afeb25c16c

SHA256
a2be457dc7fc5d5662e5db1b51b77094898449fedab7b1a9f837c093c249c5ba

SHA512
21f19112928b0f9fa27d1f53881884b1aa931d630887de7f1aa0bb5584fe85c0d7003cbe389d641580c0939e140f6fcd9d2160783b9b4e81f58fdb883ff66da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\msiwrapper.ini

Filesize
458B

MD5
5445a4185b1662cfe34afe08b993f0d7

SHA1
9598dd0227f0cf07bb91454ede6f8db980a06f01

SHA256
fe5ea83bb3e4802f67455923c0b2144df8455e435c086014b9daf04f2069d39a

SHA512
cfd524887e0b50aabd391930079dcceffbffa1a5835c674616b388c19ec835683ade728a78c41aec366e8486fcb807f0542715bd77689328aa62b678975fdd00

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\msiwrapper.ini

Filesize
1KB

MD5
77aae42ad2d63bd45546ce4f6ebe8022

SHA1
5dd6bfef97dbb0dd7cee233ed8f5db23f47cd397

SHA256
45d1da77715dcc3d2115880e25491bf8f778f3df218ce5c273c143f5317d8a4b

SHA512
6fe5f583c4a0403594361cc5d86c24c14c7a81b430befab5cc5ee2ecbb33a5b049ae60249827467476ea03ccd98a7d531f5abfe33387e9f1a019b964648eb7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\msiwrapper.ini

Filesize
1KB

MD5
ff0ff8ecd59c2d411d3ac5a1d7a27d99

SHA1
2689a5229249a37c95c6d701f2073e7093660451

SHA256
d30cf1cf631c8b761fec5bb2b6370bfdf0e8f7b7caa58907ac0f40ec1f0ce587

SHA512
9485feff1a9cc7228a3c7313924d5db2afe649879ac6e59ed7bdf11662e0101aaee04e4c133cf30f923a12232a66bcc4e335ca17774ffd306f6de082106f4151

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\msiwrapper.ini

Filesize
1KB

MD5
1f734d3bfbb51ee9621cc8215824e6f4

SHA1
71f4d76c8c0574445032137cc0988b8ebc8412b3

SHA256
f062c00f418a7618af0d1b8bbb51bb8c75bbead6ee36e29a035d764e98259c91

SHA512
990510bf8be6b79e4ae505726abe47e99edc6b58aa3a115d3951a2738ce5333ebb51049e74a836ec5e91e7a1dcc062217742fe49c7b9f30ae7c21a644a5ea593

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\msiwrapper.ini

Filesize
1KB

MD5
1f734d3bfbb51ee9621cc8215824e6f4

SHA1
71f4d76c8c0574445032137cc0988b8ebc8412b3

SHA256
f062c00f418a7618af0d1b8bbb51bb8c75bbead6ee36e29a035d764e98259c91

SHA512
990510bf8be6b79e4ae505726abe47e99edc6b58aa3a115d3951a2738ce5333ebb51049e74a836ec5e91e7a1dcc062217742fe49c7b9f30ae7c21a644a5ea593

Download Submit
C:\Windows\Installer\MSI8D42.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIA91D.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\??\c:\temp\aeabcbf

Filesize
4B

MD5
0d6951c2179a4d2306a5c0deb434a987

SHA1
6a14c44374d3bb96c078fcd7b741c7208c5451b0

SHA256
cc6c9afb2a89709122f7bd2eb7ac5745f02b3c45a92031dd1b06d5e168d92fc5

SHA512
4807e01ee7eba3401b807d8bc1002bf4eb10ee1cfd1e0527edb51d7bc4d274d5640f2e5be7411ef0bc2084c416d79a0db5c518189be4a5454d71064a2c2c99c6

Download Submit
\??\c:\temp\fegaefg.au3

Filesize
768KB

MD5
2e0faac53060f5d57029aaedb0d91c67

SHA1
f8502e476658270ce6068a5bd91f65afeb25c16c

SHA256
a2be457dc7fc5d5662e5db1b51b77094898449fedab7b1a9f837c093c249c5ba

SHA512
21f19112928b0f9fa27d1f53881884b1aa931d630887de7f1aa0bb5584fe85c0d7003cbe389d641580c0939e140f6fcd9d2160783b9b4e81f58fdb883ff66da3

Download Submit
\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerIE.dll

Filesize
535KB

MD5
63e87369f0fa8fb04a420a709f191124

SHA1
8f3628dea6a64a9b7a967d0659f859acecc3b7bf

SHA256
544d564e037c1493aa1daac2dd19afc562b4bfe4700e5eba644a279bcda3276c

SHA512
2d9442aa0e4977d226a4338ade0b4321836611ec56109709cf922da102b6aa9083f659ff740212eb6c9cfc2b3a339cb3482a035e39b1ba9acf3a96a7a6d19f12

Download Submit
\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
\Windows\Installer\MSI8D42.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\Windows\Installer\MSIA91D.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
memory/552-142-0x0000000003260000-0x0000000003440000-memory.dmp

Filesize
1.9MB

Download
memory/552-1205-0x0000000003260000-0x0000000003440000-memory.dmp

Filesize
1.9MB

Download
memory/552-799-0x0000000003260000-0x0000000003440000-memory.dmp

Filesize
1.9MB

Download
memory/552-162-0x0000000003260000-0x0000000003440000-memory.dmp

Filesize
1.9MB

Download
memory/552-140-0x0000000000900000-0x0000000000D00000-memory.dmp

Filesize
4.0MB

Download
memory/552-141-0x0000000002A70000-0x0000000002B65000-memory.dmp

Filesize
980KB

Download
memory/552-188-0x0000000000900000-0x0000000000D00000-memory.dmp

Filesize
4.0MB

Download
memory/1780-177-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1780-789-0x0000000010410000-0x000000001048F000-memory.dmp

Filesize
508KB

Download
memory/1780-191-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/1780-166-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/1780-226-0x00000000021A0000-0x00000000021A1000-memory.dmp

Filesize
4KB

Download
memory/1780-167-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/1780-1404-0x0000000010410000-0x000000001048F000-memory.dmp

Filesize
508KB

Download
memory/1808-136-0x00000000001A0000-0x0000000000230000-memory.dmp

Filesize
576KB

Download
memory/1808-138-0x0000000002D10000-0x0000000002E05000-memory.dmp

Filesize
980KB

Download
memory/1808-124-0x00000000001A0000-0x0000000000230000-memory.dmp

Filesize
576KB

Download
memory/1808-130-0x00000000024C0000-0x0000000002B60000-memory.dmp

Filesize
6.6MB

Download
memory/1808-133-0x0000000002D10000-0x0000000002E05000-memory.dmp

Filesize
980KB

Download
memory/2848-802-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2848-1403-0x0000000010490000-0x000000001050F000-memory.dmp

Filesize
508KB

Download
memory/2848-801-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2848-1412-0x0000000010490000-0x000000001050F000-memory.dmp

Filesize
508KB

Download