Analysis Overview
SHA256
8abdcccd1e49663190b5071cdafeba3e8b4a4471bceaeaa5915a7ce17ceaf3a3
Threat Level: Known bad
The file NEAS.Invoice.msi was found to be: Known bad.
Malicious Activity Summary
Suspicious use of NtCreateUserProcessOtherParentProcess
DarkGate
Drops startup file
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Enumerates connected drives
Drops file in Windows directory
NSIS installer
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Modifies data under HKEY_USERS
Uses Volume Shadow Copy service COM API
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Checks processor information in registry
Checks SCSI registry key(s)
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-11-16 13:59
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-11-16 13:59
Reported
2023-11-16 14:02
Platform
win7-20231023-en
Max time kernel
150s
Max time network
146s
Command Line
Signatures
DarkGate
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 552 created 1116 | N/A | C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe | C:\Windows\system32\taskhost.exe |
| PID 1780 created 1116 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe | C:\Windows\system32\taskhost.exe |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\degdfkh.lnk | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\Installer\f7689d8.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA91D.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f7689d9.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSI8D42.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setupact.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
| File opened for modification | C:\Windows\Installer\MSIA8DE.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\f7689d9.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File created | C:\Windows\Installer\f7689d8.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setuperr.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\taskhost.exe
"taskhost.exe"
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NEAS.Invoice.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000049C" "00000000000005AC"
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F32481B2A0420E5E6317A1D9C09F0351
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe
"C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe"
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe
"C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe" C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\script.au3
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\." /SETINTEGRITYLEVEL (CI)(OI)LOW
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"
Network
| Country | Destination | Domain | Proto |
| CA | 167.114.199.65:2351 | | tcp |
| CA | 167.114.199.65:2351 | | tcp |
| CA | 167.114.199.65:2351 | | tcp |
| CA | 167.114.199.65:2351 | | tcp |
| CA | 167.114.199.65:2351 | | tcp |
Files
C:\Windows\Installer\MSI8D42.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
\Windows\Installer\MSI8D42.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\msiwrapper.ini
| MD5 | 5445a4185b1662cfe34afe08b993f0d7 |
| SHA1 | 9598dd0227f0cf07bb91454ede6f8db980a06f01 |
| SHA256 | fe5ea83bb3e4802f67455923c0b2144df8455e435c086014b9daf04f2069d39a |
| SHA512 | cfd524887e0b50aabd391930079dcceffbffa1a5835c674616b388c19ec835683ade728a78c41aec366e8486fcb807f0542715bd77689328aa62b678975fdd00 |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\msiwrapper.ini
| MD5 | ff0ff8ecd59c2d411d3ac5a1d7a27d99 |
| SHA1 | 2689a5229249a37c95c6d701f2073e7093660451 |
| SHA256 | d30cf1cf631c8b761fec5bb2b6370bfdf0e8f7b7caa58907ac0f40ec1f0ce587 |
| SHA512 | 9485feff1a9cc7228a3c7313924d5db2afe649879ac6e59ed7bdf11662e0101aaee04e4c133cf30f923a12232a66bcc4e335ca17774ffd306f6de082106f4151 |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\msiwrapper.ini
| MD5 | 1f734d3bfbb51ee9621cc8215824e6f4 |
| SHA1 | 71f4d76c8c0574445032137cc0988b8ebc8412b3 |
| SHA256 | f062c00f418a7618af0d1b8bbb51bb8c75bbead6ee36e29a035d764e98259c91 |
| SHA512 | 990510bf8be6b79e4ae505726abe47e99edc6b58aa3a115d3951a2738ce5333ebb51049e74a836ec5e91e7a1dcc062217742fe49c7b9f30ae7c21a644a5ea593 |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files.cab
| MD5 | 7054f4eba28a1df7dab2d77d7d48c577 |
| SHA1 | 8a0899c27a1859ad75f4d0eaabc8f9da386af0bb |
| SHA256 | bd8962dcb0d34286c5f360fadbf647f136864f41526644d666923692816d7fd9 |
| SHA512 | e21b4b385634691a5fae2da3ef0f89fe3eac1583c6482c46de335d8b32102878124ef5f88cb8c562b5ea745dcf6ba5e3117a113334b676785cc6e137c15a9ca2 |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe
| MD5 | c790ebfcb6a34953a371e32c9174fe46 |
| SHA1 | 3ead08d8bbdb3afd851877cb50507b77ae18a4d8 |
| SHA256 | fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1 |
| SHA512 | 74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554 |
\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe
| MD5 | c790ebfcb6a34953a371e32c9174fe46 |
| SHA1 | 3ead08d8bbdb3afd851877cb50507b77ae18a4d8 |
| SHA256 | fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1 |
| SHA512 | 74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554 |
\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerIE.dll
| MD5 | 63e87369f0fa8fb04a420a709f191124 |
| SHA1 | 8f3628dea6a64a9b7a967d0659f859acecc3b7bf |
| SHA256 | 544d564e037c1493aa1daac2dd19afc562b4bfe4700e5eba644a279bcda3276c |
| SHA512 | 2d9442aa0e4977d226a4338ade0b4321836611ec56109709cf922da102b6aa9083f659ff740212eb6c9cfc2b3a339cb3482a035e39b1ba9acf3a96a7a6d19f12 |
memory/1808-124-0x00000000001A0000-0x0000000000230000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerIE.DLL
| MD5 | 63e87369f0fa8fb04a420a709f191124 |
| SHA1 | 8f3628dea6a64a9b7a967d0659f859acecc3b7bf |
| SHA256 | 544d564e037c1493aa1daac2dd19afc562b4bfe4700e5eba644a279bcda3276c |
| SHA512 | 2d9442aa0e4977d226a4338ade0b4321836611ec56109709cf922da102b6aa9083f659ff740212eb6c9cfc2b3a339cb3482a035e39b1ba9acf3a96a7a6d19f12 |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\celizvv
| MD5 | ae18e8d531e840927e972f9e56a1af09 |
| SHA1 | 15a49428f1699cbf6ee71040690b6b05da3e4a04 |
| SHA256 | 3674e179fcc877affdb4b0d83b4fd23907ace789566bf1f5195f77b392fe6b5c |
| SHA512 | 2826941a5c2f8b495db9422794dc4a5f3f464b135b1c3c711b70dfc33b41fa86698eb8d3f5a111a8d210015d1a98545f025c7200bf326d2c9ea4a7b1dc79dcaa |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\qtwvkwdh
| MD5 | c6fe14ca635b936944da74a6691a1a8b |
| SHA1 | df66ae8a3a60296d4b2aa71dd61641c13c0231cf |
| SHA256 | 8de3daf814abcde323bcfafb07ab89cc5adb8d5a137ef9366e4923d69443b44c |
| SHA512 | edc559e06bc2b5befbf7dc62dcf898e77633f78387137d66911f15bc56225d75ebf4dae3bcacc9b631c4ca68754f254727cc3d9685fe8a76936b0bcd21c6af5b |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/1808-136-0x00000000001A0000-0x0000000000230000-memory.dmp
memory/1808-133-0x0000000002D10000-0x0000000002E05000-memory.dmp
\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/1808-130-0x00000000024C0000-0x0000000002B60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\script.au3
| MD5 | 2e0faac53060f5d57029aaedb0d91c67 |
| SHA1 | f8502e476658270ce6068a5bd91f65afeb25c16c |
| SHA256 | a2be457dc7fc5d5662e5db1b51b77094898449fedab7b1a9f837c093c249c5ba |
| SHA512 | 21f19112928b0f9fa27d1f53881884b1aa931d630887de7f1aa0bb5584fe85c0d7003cbe389d641580c0939e140f6fcd9d2160783b9b4e81f58fdb883ff66da3 |
memory/1808-138-0x0000000002D10000-0x0000000002E05000-memory.dmp
memory/552-140-0x0000000000900000-0x0000000000D00000-memory.dmp
memory/552-141-0x0000000002A70000-0x0000000002B65000-memory.dmp
memory/552-142-0x0000000003260000-0x0000000003440000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\AutoIt3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\msiwrapper.ini
| MD5 | 77aae42ad2d63bd45546ce4f6ebe8022 |
| SHA1 | 5dd6bfef97dbb0dd7cee233ed8f5db23f47cd397 |
| SHA256 | 45d1da77715dcc3d2115880e25491bf8f778f3df218ce5c273c143f5317d8a4b |
| SHA512 | 6fe5f583c4a0403594361cc5d86c24c14c7a81b430befab5cc5ee2ecbb33a5b049ae60249827467476ea03ccd98a7d531f5abfe33387e9f1a019b964648eb7f5 |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Uninstall.exe
| MD5 | eff839d29dbb06677a85117d036e29c6 |
| SHA1 | 473823c718f3db95d27f14b783e68c08f13caded |
| SHA256 | 1b5cb8035b18d06b5219f2e7d30200ca343c0ce6763962c7c41534aecc2b1c80 |
| SHA512 | cb4fb2b054e3430df934cd30be220e13c2f86bf2dbc6e2a46d59fa4f7d9c6feca9cbc44fb1cc49bfae7aa39623d26d8f4510fa9a0584a1f64110cae87117aff3 |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Sounds\Success.wav
| MD5 | fd8177d61c8dd032dd262bf979d852f6 |
| SHA1 | ac64e21b7c80e996bcb369b6023bec4191568a52 |
| SHA256 | 8dae19fc9c722a7fb169f37b5881e74551a8d3b8b43ec6f52b6d5d46e885ed6c |
| SHA512 | 39e75172a2b410eb25de87f06c57e1c583493f1885a39f2a410ce6437cc8e9d400a3e8e695cdcec63752840096637a16c1d875e43ce1c40e43553f16337ff835 |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Sounds\Error.wav
| MD5 | efad8c5d6cc6cae180ebe01ce3a60c88 |
| SHA1 | 614839975c1f07161f3c26ba2af08ae910b21c61 |
| SHA256 | acad74b9bb57809e1b35bc06f357941986ebdc547ba33fc618f07e6e7bdc49bd |
| SHA512 | d404752e05ee803958a21b7fcadc0782ba36ea42eba84eae42eca6360df71822bc705eea6ef2caaa82e2fdcc518ba1cd94c04cc7e7e7739d32eb29dbffd2f51a |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\ReadMe.txt
| MD5 | 06a5df751eb0765e69bfb15e12f4c665 |
| SHA1 | 7394bf7df2dda47bf8d55bfbc880d2a2316054ac |
| SHA256 | 8b9d97c137459a495936af47f5140fe75f795728a30e9ec3d8ac9c1cb2e5c65f |
| SHA512 | aabd6aa18646192bd49e5343e0129e696b1e003a16e8205fd36aa863be9c97aadf9ac67bba96629d21ea5921e89ce6a401e74d9347aa77468f3854dc64e20558 |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\QFXUpdateService.exe
| MD5 | 4ed21ae3ae981538ab61f199d4477b92 |
| SHA1 | d7266d30270bce21dffb62ed7f2e47fee9890fc2 |
| SHA256 | 7053dae7f3d11cee5b0ca0363320104857c73aad6a0f2f9af398c2f4e607a95b |
| SHA512 | f4768e7ccc73d5ae8f9da526875b12f571c36ba7c7c9d08aa1a455926a34560f11598f677242c5513ed750a384bd9b1107b57975487603f49e6c16eea92bcbdb |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\project.xml
| MD5 | 189dc774be74d9453606a7a80cd730e6 |
| SHA1 | 1a70d362b8bd78cdfe7949f3438b346fe8c69adb |
| SHA256 | 3af50be8a1086fff8726686340b4a3883125406f20ac0f72396363891ecc26c6 |
| SHA512 | 68679076938165c6bb669d5ac7fbe979ae34611b6eda3030eea5361872993c7922a705185ac4016e221ccd6220f8af31e0d3821241d410bbfe744e6c29588a9e |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\license.htm
| MD5 | fbe23ef8575dd46ea36f06dd627e94ab |
| SHA1 | d80929568026e2d1db891742331229f1fd0c7e34 |
| SHA256 | 104c6948b760b0dc6fb80f9283a7978229e8be4bab316fe5fa883dccc18dc8ab |
| SHA512 | caba58d22a835c2a9a0c420129631add230ebbb16edc36b45766348f5c7d5e5c9f8dc2edd71622f8876f8777d3c797a3e6dd2da7ea1a743cbca73d1e4ad27d20 |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Languages\KSLangJPN.dll
| MD5 | bc5feb50bc7a25e4c08e3bcd8d2bc1c5 |
| SHA1 | fb703a62a503ce8a697e8d8c648f6c09408b2f53 |
| SHA256 | d52120ab6b006b1f5bda114129d78b7d11ff33e707c3e689cd6bc15dca836da9 |
| SHA512 | 84699f9de5079fa6c89430d81c76cc89ffd73cc7a9ae2f1a6e5a92bbdb2db5de9461436fb134ce8ff5074b1eea7e56a72432e0e6595d9e141a44f0290e124214 |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Languages\KSLangCHT.dll
| MD5 | 07e327539ff319611d858a4c9575ed02 |
| SHA1 | 53d74091a51d96bb9b946a06803e16d3a9139df6 |
| SHA256 | d4afb96b37351ebbe9763fe0110a0859e62f6a065abfa840af5454505b3cd80e |
| SHA512 | 906a346bb8f5842a81a1b5f4fc54b71d9db9c390bcdc2dfbaf723eb40ad247c456fccc7a0fd77130c666dd80d2821de1e3487ad62528405a3ec86e503202bc67 |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.dll
| MD5 | 760aa6f15db378dda44f262e1349e28d |
| SHA1 | 9bb9a0caa54e8b2560245430f33985996b2d40f3 |
| SHA256 | ee04957d0010ca2134c4770b434b2fdec08a25400b474dd51f47d5d1dc8d574b |
| SHA512 | c6cf081dc189d88c85d01832f5cb09ff42c1264d7d4c548a336a33b97ec0b0b24aeb25076fd24db7db2f7a7ced6eccc67d26497352f7eeb1d29bb9c0a59abce6 |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\keyscrambler.sys
| MD5 | 9baf5236d65a36ed2c388cf04108ab9f |
| SHA1 | f5e28edea04a00b5e8806130cd2736336c6e3792 |
| SHA256 | 9e79960a40797c11a007d9c8e6a4bce721baf603f5d651f5485eb5481c717b12 |
| SHA512 | 1fc899c37e628adbe05a53812e6106332de7dbef83ce72094dd228067eefa71d09abe55d250b35d93f7454b9596073de95af6700e543c17bb5d43e7de0fcac1b |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\keyscrambler.ico
| MD5 | fde5504bbf7620aca9f3850511c13a45 |
| SHA1 | 484382ecc232cedc1651fba5f9311e9164f43369 |
| SHA256 | 932409eb2abfc31f2dd218240de70a150359ea8ab09fcceb1f076b9a17c844b7 |
| SHA512 | 6d67be9398fcc2b85fe4fd7357f37d6cfc1d3e548f713319080707c750b66d2b1e631c79a7e745c56b1a72be91735156e3989eff8d0b84c3442c0fa548c2a6b4 |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\getting_started.html
| MD5 | da033601ee343eaa7f5d609a854b4baa |
| SHA1 | e279b127a9ce7582a626c29dd02a0b88ff10d966 |
| SHA256 | e4312722cf4e6e179f7c50e8fcc618d583a38ba71046aee2d67090d7a37ee5da |
| SHA512 | b6c53aabc3c1c41d639f5877dc81dbf05145c8feb4101e20afd45dbafdc5f2af90394dda3c26836a34d4382135fbdcc899795a58a40d3974fcaff7f4f8002a9d |
C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\EMCOMSI.pbproj
| MD5 | 2d190d00ca9f4a0da4ea26e6da13307e |
| SHA1 | 72cfa041994c30b527cc7f1cf6f4f5877edb35b9 |
| SHA256 | 7c22e0a9afe2f9f4724711c456a049a113cc600d55167598be17ba1ab5124025 |
| SHA512 | e16e6bc6e164a40efc47d6cdb7ddd2bcbffe4760c8ad1eec21dcba2d1d3f61d688b26e89d454c24b89847d26aaf824fdb5b9b18a7ae85612c1e3a255021ec5e5 |
memory/552-162-0x0000000003260000-0x0000000003440000-memory.dmp
memory/1780-167-0x00000000000E0000-0x00000000000E1000-memory.dmp
memory/1780-166-0x00000000000A0000-0x00000000000A1000-memory.dmp
C:\Windows\Installer\MSIA91D.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
\Windows\Installer\MSIA91D.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
memory/1780-177-0x0000000000360000-0x0000000000361000-memory.dmp
memory/552-188-0x0000000000900000-0x0000000000D00000-memory.dmp
memory/1780-191-0x0000000000950000-0x0000000000951000-memory.dmp
memory/1780-226-0x00000000021A0000-0x00000000021A1000-memory.dmp
memory/1780-789-0x0000000010410000-0x000000001048F000-memory.dmp
C:\ProgramData\ccecacd\adbcddc\cckaggf
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\c:\temp\fegaefg.au3
| MD5 | 2e0faac53060f5d57029aaedb0d91c67 |
| SHA1 | f8502e476658270ce6068a5bd91f65afeb25c16c |
| SHA256 | a2be457dc7fc5d5662e5db1b51b77094898449fedab7b1a9f837c093c249c5ba |
| SHA512 | 21f19112928b0f9fa27d1f53881884b1aa931d630887de7f1aa0bb5584fe85c0d7003cbe389d641580c0939e140f6fcd9d2160783b9b4e81f58fdb883ff66da3 |
memory/552-799-0x0000000003260000-0x0000000003440000-memory.dmp
memory/2848-801-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2848-802-0x00000000001B0000-0x00000000001B1000-memory.dmp
C:\ProgramData\ccecacd\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/552-1205-0x0000000003260000-0x0000000003440000-memory.dmp
memory/2848-1403-0x0000000010490000-0x000000001050F000-memory.dmp
memory/1780-1404-0x0000000010410000-0x000000001048F000-memory.dmp
\??\c:\temp\aeabcbf
| MD5 | 0d6951c2179a4d2306a5c0deb434a987 |
| SHA1 | 6a14c44374d3bb96c078fcd7b741c7208c5451b0 |
| SHA256 | cc6c9afb2a89709122f7bd2eb7ac5745f02b3c45a92031dd1b06d5e168d92fc5 |
| SHA512 | 4807e01ee7eba3401b807d8bc1002bf4eb10ee1cfd1e0527edb51d7bc4d274d5640f2e5be7411ef0bc2084c416d79a0db5c518189be4a5454d71064a2c2c99c6 |
C:\ProgramData\ccecacd\fegaefg.au3
| MD5 | 98304a28f4657cfa73661759185fa4ec |
| SHA1 | 1d4a91dd95e7d64e32d2fcb5b14f031ba3af326f |
| SHA256 | 5569707bf84d293fa32a6fae6d93f18bd3a2bf4160943ffad43fae0b2803128e |
| SHA512 | eceacddaf1b432c89ad905583bcb8103ed2d0b431985e05ff82d151ffdca4b63622332b3336a10996639f8a9f689a1b65c880a51b47aa0c8779468012b99f2fc |
C:\ProgramData\ccecacd\adbcddc\cckaggf
| MD5 | 05a50641e84e703c50919fb084fd596a |
| SHA1 | fc096d9e4e1eb19524b760e922ee760849d1562c |
| SHA256 | 1f5eb190ebf1d4c04e2db6b530fdb899a7195866555bec86960f8fea08559455 |
| SHA512 | e27766b1c534da0e99bebe1369785db724ec7322a84d6ac0f6d3380032355419968bc99f3423bcaff43df9247e8b96c5b193103b363eb801e066a6bdb1f03386 |
memory/2848-1412-0x0000000010490000-0x000000001050F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-16 13:59
Reported
2023-11-16 14:02
Platform
win10v2004-20231023-en
Max time kernel
151s
Max time network
153s
Command Line
Signatures
DarkGate
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 764 created 2464 | N/A | C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Autoit3.exe | C:\Windows\system32\taskhostw.exe |
| PID 2224 created 3660 | N/A | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe | C:\Windows\system32\DllHost.exe |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hfcbfhh.lnk | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Autoit3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\e58d59b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\SourceHash{F7A1A386-DAA8-4353-91F8-F68BE0A4494E} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSID77F.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
| File created | C:\Windows\Installer\e58d59b.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE016.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIE037.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Autoit3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Autoit3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NEAS.Invoice.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding DF7DCD33E08C608B40590AF48E4E1794
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe
"C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe"
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Autoit3.exe
"C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Autoit3.exe" C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\script.au3
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\." /SETINTEGRITYLEVEL (CI)(OI)LOW
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.202.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.252.72.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 98.142.81.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 254.43.238.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| CA | 167.114.199.65:2351 | | tcp |
| CA | 167.114.199.65:2351 | | tcp |
Files
C:\Windows\Installer\MSID77F.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\msiwrapper.ini
| MD5 | d326559fbd495c9269b362c456bd30ed |
| SHA1 | ffb267d6f57fd89e73bcb9a297cfa16b7aace358 |
| SHA256 | ba06f989b969559cf4a24d7c74cdb29e93dfb0a624fa32b3b0eb6c14463e89e5 |
| SHA512 | 4ed6b657662fcea566455639d0c72aaf9c4912c4065aa173b1388f446fc2b5bbeaebdef406b7cf9512283ae7ac3746e1b03fc499b726b3f097a4e8ee40f6d9d1 |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\msiwrapper.ini
| MD5 | dc55ac28908d3ef66146eb32b709afec |
| SHA1 | d46d4da85fa6cfdb537949f170f920ff0b1a7279 |
| SHA256 | 20e1f9b8fa432d7b6fd3d47f9d14278f568551e1df5ae9c754859b7e09c7ebf2 |
| SHA512 | 8b27ef1eb4f5f634c414976c09a4400e806e4c34dfc0f95eda36033af86a2593ea4af20100683cea9d0164c340e9ecc7a7bd62f51662acd4d32aba4f915b7c7d |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files.cab
| MD5 | 7054f4eba28a1df7dab2d77d7d48c577 |
| SHA1 | 8a0899c27a1859ad75f4d0eaabc8f9da386af0bb |
| SHA256 | bd8962dcb0d34286c5f360fadbf647f136864f41526644d666923692816d7fd9 |
| SHA512 | e21b4b385634691a5fae2da3ef0f89fe3eac1583c6482c46de335d8b32102878124ef5f88cb8c562b5ea745dcf6ba5e3117a113334b676785cc6e137c15a9ca2 |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe
| MD5 | c790ebfcb6a34953a371e32c9174fe46 |
| SHA1 | 3ead08d8bbdb3afd851877cb50507b77ae18a4d8 |
| SHA256 | fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1 |
| SHA512 | 74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554 |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerIE.dll
| MD5 | 63e87369f0fa8fb04a420a709f191124 |
| SHA1 | 8f3628dea6a64a9b7a967d0659f859acecc3b7bf |
| SHA256 | 544d564e037c1493aa1daac2dd19afc562b4bfe4700e5eba644a279bcda3276c |
| SHA512 | 2d9442aa0e4977d226a4338ade0b4321836611ec56109709cf922da102b6aa9083f659ff740212eb6c9cfc2b3a339cb3482a035e39b1ba9acf3a96a7a6d19f12 |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerIE.DLL
| MD5 | 63e87369f0fa8fb04a420a709f191124 |
| SHA1 | 8f3628dea6a64a9b7a967d0659f859acecc3b7bf |
| SHA256 | 544d564e037c1493aa1daac2dd19afc562b4bfe4700e5eba644a279bcda3276c |
| SHA512 | 2d9442aa0e4977d226a4338ade0b4321836611ec56109709cf922da102b6aa9083f659ff740212eb6c9cfc2b3a339cb3482a035e39b1ba9acf3a96a7a6d19f12 |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\qtwvkwdh
| MD5 | c6fe14ca635b936944da74a6691a1a8b |
| SHA1 | df66ae8a3a60296d4b2aa71dd61641c13c0231cf |
| SHA256 | 8de3daf814abcde323bcfafb07ab89cc5adb8d5a137ef9366e4923d69443b44c |
| SHA512 | edc559e06bc2b5befbf7dc62dcf898e77633f78387137d66911f15bc56225d75ebf4dae3bcacc9b631c4ca68754f254727cc3d9685fe8a76936b0bcd21c6af5b |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\celizvv
| MD5 | ae18e8d531e840927e972f9e56a1af09 |
| SHA1 | 15a49428f1699cbf6ee71040690b6b05da3e4a04 |
| SHA256 | 3674e179fcc877affdb4b0d83b4fd23907ace789566bf1f5195f77b392fe6b5c |
| SHA512 | 2826941a5c2f8b495db9422794dc4a5f3f464b135b1c3c711b70dfc33b41fa86698eb8d3f5a111a8d210015d1a98545f025c7200bf326d2c9ea4a7b1dc79dcaa |
\??\Volume{c2d04a06-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{55bc267c-699d-4496-8519-914eb4e5b2ce}_OnDiskSnapshotProp
| MD5 | aea4fe8de977cc2be018df67576f0865 |
| SHA1 | df7814a324b87a69a9f945fd9566069ae0751021 |
| SHA256 | 503dcd429838ac366af8182e44abdd081690d2b5e4534e77188790de30c22b5a |
| SHA512 | a425841acb3c257030dc351783cc986157f89e2e5cce47de7f3196d0b46ca532641ce19cfe624070574da1959c7a996b289eba900e4be153c601d69356f88269 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | a0f9e4d4f9e782372ea4d1f53de9ea68 |
| SHA1 | ef95de339c09732cf9dbb6cd3cd887a10ef5bf67 |
| SHA256 | 969959fbab23587268c44d8f996c4ea1fbed90b1e82be26b70e6761bf10a0452 |
| SHA512 | f6b9c868da966afc64cf659d8b8fd1ac561b4707ed9f4d1193485dab89b71169a65282de1d0406b6a3a14c4704a54a2632efcd1a07703eacd4bc88b847453eed |
memory/2300-129-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2300-138-0x0000000003330000-0x00000000039D0000-memory.dmp
memory/2300-139-0x0000000001430000-0x0000000001525000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/2300-142-0x0000000000400000-0x0000000000490000-memory.dmp
memory/2300-144-0x0000000001430000-0x0000000001525000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\script.au3
| MD5 | 2e0faac53060f5d57029aaedb0d91c67 |
| SHA1 | f8502e476658270ce6068a5bd91f65afeb25c16c |
| SHA256 | a2be457dc7fc5d5662e5db1b51b77094898449fedab7b1a9f837c093c249c5ba |
| SHA512 | 21f19112928b0f9fa27d1f53881884b1aa931d630887de7f1aa0bb5584fe85c0d7003cbe389d641580c0939e140f6fcd9d2160783b9b4e81f58fdb883ff66da3 |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\keyscrambler.ico
| MD5 | fde5504bbf7620aca9f3850511c13a45 |
| SHA1 | 484382ecc232cedc1651fba5f9311e9164f43369 |
| SHA256 | 932409eb2abfc31f2dd218240de70a150359ea8ab09fcceb1f076b9a17c844b7 |
| SHA512 | 6d67be9398fcc2b85fe4fd7357f37d6cfc1d3e548f713319080707c750b66d2b1e631c79a7e745c56b1a72be91735156e3989eff8d0b84c3442c0fa548c2a6b4 |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Sounds\Error.wav
| MD5 | efad8c5d6cc6cae180ebe01ce3a60c88 |
| SHA1 | 614839975c1f07161f3c26ba2af08ae910b21c61 |
| SHA256 | acad74b9bb57809e1b35bc06f357941986ebdc547ba33fc618f07e6e7bdc49bd |
| SHA512 | d404752e05ee803958a21b7fcadc0782ba36ea42eba84eae42eca6360df71822bc705eea6ef2caaa82e2fdcc518ba1cd94c04cc7e7e7739d32eb29dbffd2f51a |
memory/764-162-0x0000000000CC0000-0x00000000010C0000-memory.dmp
memory/764-164-0x0000000004250000-0x0000000004430000-memory.dmp
memory/764-163-0x0000000003A20000-0x0000000003B15000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\msiwrapper.ini
| MD5 | cd269049a0c29cd054beb05a33591996 |
| SHA1 | a7c4c5b561f756d24963ff35e8fcf6f291ae72d5 |
| SHA256 | 53124ecd755ec253de84906315d90d9fc6641a1ace3e3e2f745cd42cd368d2ce |
| SHA512 | dfeb3e643b4015deab151009e15739a953679eab8ff16b7e94172eaafc504784ab09e6442cf920ad022f51d50a7b7422e8159502b942b86fcee8d6a5c89585d7 |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Uninstall.exe
| MD5 | eff839d29dbb06677a85117d036e29c6 |
| SHA1 | 473823c718f3db95d27f14b783e68c08f13caded |
| SHA256 | 1b5cb8035b18d06b5219f2e7d30200ca343c0ce6763962c7c41534aecc2b1c80 |
| SHA512 | cb4fb2b054e3430df934cd30be220e13c2f86bf2dbc6e2a46d59fa4f7d9c6feca9cbc44fb1cc49bfae7aa39623d26d8f4510fa9a0584a1f64110cae87117aff3 |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Sounds\Success.wav
| MD5 | fd8177d61c8dd032dd262bf979d852f6 |
| SHA1 | ac64e21b7c80e996bcb369b6023bec4191568a52 |
| SHA256 | 8dae19fc9c722a7fb169f37b5881e74551a8d3b8b43ec6f52b6d5d46e885ed6c |
| SHA512 | 39e75172a2b410eb25de87f06c57e1c583493f1885a39f2a410ce6437cc8e9d400a3e8e695cdcec63752840096637a16c1d875e43ce1c40e43553f16337ff835 |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\ReadMe.txt
| MD5 | 06a5df751eb0765e69bfb15e12f4c665 |
| SHA1 | 7394bf7df2dda47bf8d55bfbc880d2a2316054ac |
| SHA256 | 8b9d97c137459a495936af47f5140fe75f795728a30e9ec3d8ac9c1cb2e5c65f |
| SHA512 | aabd6aa18646192bd49e5343e0129e696b1e003a16e8205fd36aa863be9c97aadf9ac67bba96629d21ea5921e89ce6a401e74d9347aa77468f3854dc64e20558 |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\QFXUpdateService.exe
| MD5 | 4ed21ae3ae981538ab61f199d4477b92 |
| SHA1 | d7266d30270bce21dffb62ed7f2e47fee9890fc2 |
| SHA256 | 7053dae7f3d11cee5b0ca0363320104857c73aad6a0f2f9af398c2f4e607a95b |
| SHA512 | f4768e7ccc73d5ae8f9da526875b12f571c36ba7c7c9d08aa1a455926a34560f11598f677242c5513ed750a384bd9b1107b57975487603f49e6c16eea92bcbdb |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\project.xml
| MD5 | 189dc774be74d9453606a7a80cd730e6 |
| SHA1 | 1a70d362b8bd78cdfe7949f3438b346fe8c69adb |
| SHA256 | 3af50be8a1086fff8726686340b4a3883125406f20ac0f72396363891ecc26c6 |
| SHA512 | 68679076938165c6bb669d5ac7fbe979ae34611b6eda3030eea5361872993c7922a705185ac4016e221ccd6220f8af31e0d3821241d410bbfe744e6c29588a9e |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\license.htm
| MD5 | fbe23ef8575dd46ea36f06dd627e94ab |
| SHA1 | d80929568026e2d1db891742331229f1fd0c7e34 |
| SHA256 | 104c6948b760b0dc6fb80f9283a7978229e8be4bab316fe5fa883dccc18dc8ab |
| SHA512 | caba58d22a835c2a9a0c420129631add230ebbb16edc36b45766348f5c7d5e5c9f8dc2edd71622f8876f8777d3c797a3e6dd2da7ea1a743cbca73d1e4ad27d20 |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Languages\KSLangJPN.dll
| MD5 | bc5feb50bc7a25e4c08e3bcd8d2bc1c5 |
| SHA1 | fb703a62a503ce8a697e8d8c648f6c09408b2f53 |
| SHA256 | d52120ab6b006b1f5bda114129d78b7d11ff33e707c3e689cd6bc15dca836da9 |
| SHA512 | 84699f9de5079fa6c89430d81c76cc89ffd73cc7a9ae2f1a6e5a92bbdb2db5de9461436fb134ce8ff5074b1eea7e56a72432e0e6595d9e141a44f0290e124214 |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Languages\KSLangCHT.dll
| MD5 | 07e327539ff319611d858a4c9575ed02 |
| SHA1 | 53d74091a51d96bb9b946a06803e16d3a9139df6 |
| SHA256 | d4afb96b37351ebbe9763fe0110a0859e62f6a065abfa840af5454505b3cd80e |
| SHA512 | 906a346bb8f5842a81a1b5f4fc54b71d9db9c390bcdc2dfbaf723eb40ad247c456fccc7a0fd77130c666dd80d2821de1e3487ad62528405a3ec86e503202bc67 |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.dll
| MD5 | 760aa6f15db378dda44f262e1349e28d |
| SHA1 | 9bb9a0caa54e8b2560245430f33985996b2d40f3 |
| SHA256 | ee04957d0010ca2134c4770b434b2fdec08a25400b474dd51f47d5d1dc8d574b |
| SHA512 | c6cf081dc189d88c85d01832f5cb09ff42c1264d7d4c548a336a33b97ec0b0b24aeb25076fd24db7db2f7a7ced6eccc67d26497352f7eeb1d29bb9c0a59abce6 |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\keyscrambler.sys
| MD5 | 9baf5236d65a36ed2c388cf04108ab9f |
| SHA1 | f5e28edea04a00b5e8806130cd2736336c6e3792 |
| SHA256 | 9e79960a40797c11a007d9c8e6a4bce721baf603f5d651f5485eb5481c717b12 |
| SHA512 | 1fc899c37e628adbe05a53812e6106332de7dbef83ce72094dd228067eefa71d09abe55d250b35d93f7454b9596073de95af6700e543c17bb5d43e7de0fcac1b |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\getting_started.html
| MD5 | da033601ee343eaa7f5d609a854b4baa |
| SHA1 | e279b127a9ce7582a626c29dd02a0b88ff10d966 |
| SHA256 | e4312722cf4e6e179f7c50e8fcc618d583a38ba71046aee2d67090d7a37ee5da |
| SHA512 | b6c53aabc3c1c41d639f5877dc81dbf05145c8feb4101e20afd45dbafdc5f2af90394dda3c26836a34d4382135fbdcc899795a58a40d3974fcaff7f4f8002a9d |
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\EMCOMSI.pbproj
| MD5 | 2d190d00ca9f4a0da4ea26e6da13307e |
| SHA1 | 72cfa041994c30b527cc7f1cf6f4f5877edb35b9 |
| SHA256 | 7c22e0a9afe2f9f4724711c456a049a113cc600d55167598be17ba1ab5124025 |
| SHA512 | e16e6bc6e164a40efc47d6cdb7ddd2bcbffe4760c8ad1eec21dcba2d1d3f61d688b26e89d454c24b89847d26aaf824fdb5b9b18a7ae85612c1e3a255021ec5e5 |
C:\Windows\Installer\MSIE037.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
memory/764-176-0x0000000004250000-0x0000000004430000-memory.dmp
memory/2224-178-0x00000000006C0000-0x00000000006C1000-memory.dmp
memory/2224-179-0x0000000000780000-0x0000000000781000-memory.dmp
memory/764-770-0x0000000000CC0000-0x00000000010C0000-memory.dmp
memory/2224-771-0x0000000010410000-0x000000001048F000-memory.dmp
\??\c:\temp\hecbgea.au3
| MD5 | 2e0faac53060f5d57029aaedb0d91c67 |
| SHA1 | f8502e476658270ce6068a5bd91f65afeb25c16c |
| SHA256 | a2be457dc7fc5d5662e5db1b51b77094898449fedab7b1a9f837c093c249c5ba |
| SHA512 | 21f19112928b0f9fa27d1f53881884b1aa931d630887de7f1aa0bb5584fe85c0d7003cbe389d641580c0939e140f6fcd9d2160783b9b4e81f58fdb883ff66da3 |
C:\ProgramData\gaebbbb\dhehcff\akgffaa
| MD5 | 695b814d1725722c99e997894b4366d9 |
| SHA1 | 2344f541706ab917722c7e1db6bdbcd5300d2072 |
| SHA256 | 7a6d7ad0cfa119a77138d662b3425a58c282be16e9e497f21b00f4c564be733c |
| SHA512 | 6a02c15b0471ca8fa70a9b6ed125dce09cce8bda569429b0d81e1cccebc5d9acac9ed1126572b3577def1c524ea1190647608cc4bae8276e8aa7ec2d669ceae7 |
memory/3044-781-0x0000000000BF0000-0x0000000000BF1000-memory.dmp
memory/3044-784-0x0000000000AE0000-0x0000000000AE1000-memory.dmp
memory/764-783-0x0000000004250000-0x0000000004430000-memory.dmp
memory/2224-812-0x0000000010410000-0x000000001048F000-memory.dmp
memory/764-1206-0x0000000004250000-0x0000000004430000-memory.dmp
memory/3044-1386-0x0000000010490000-0x000000001050F000-memory.dmp
\??\c:\temp\fhhcghc
| MD5 | b5eabfd7f9c0281015673b7e77cd7a8e |
| SHA1 | 41efabfddd1b4602212eebe3c56f2481c8508446 |
| SHA256 | 6e85922da423010d5e8dcbbed8ea43a2cdc3343dbf520f5a8569d4f266d924c3 |
| SHA512 | dd87c9783c806f4eb47aeab1f12d55cc7bd1580429bbc8bc2766450c29cb0f79e8163b1dc982cd5cca42190a32eb12ce0be2fc18f462a3d2104ca8d09d524d7c |
C:\ProgramData\gaebbbb\hecbgea.au3
| MD5 | 0dd6b3d8ed12170f20fb70c7b1a296d6 |
| SHA1 | 3e15cb4b5983a27e164144d3f8acf8a8a22932ad |
| SHA256 | 986a5ef7dbdde4c642ad3f073887b5b4a8d7e3869b75802a5a96f6affc55e0b8 |
| SHA512 | b0631474c33e4ca9216e69e2196b7b4b61c901125cd6fc7c00393044a191dbe745e9a648ea4f3b2996dfd4c2cae75b7bbc0a531fdea433182aefe7416b890abe |