Malware Analysis Report

2024-11-15 07:17

Sample ID 231116-rapteacc44
Target NEAS.Invoice.msi
SHA256 8abdcccd1e49663190b5071cdafeba3e8b4a4471bceaeaa5915a7ce17ceaf3a3
Tags
darkgate herady5 discovery stealer
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

8abdcccd1e49663190b5071cdafeba3e8b4a4471bceaeaa5915a7ce17ceaf3a3

Threat Level: Known bad

The file NEAS.Invoice.msi was found to be: Known bad.

Malicious Activity Summary

darkgate herady5 discovery stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

DarkGate

Drops startup file

Loads dropped DLL

Modifies file permissions

Executes dropped EXE

Enumerates connected drives

Drops file in Windows directory

NSIS installer

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Modifies data under HKEY_USERS

Uses Volume Shadow Copy service COM API

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Checks processor information in registry

Checks SCSI registry key(s)

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-16 13:59

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-16 13:59

Reported

2023-11-16 14:02

Platform

win7-20231023-en

Max time kernel

150s

Max time network

146s

Command Line

"taskhost.exe"

Signatures

DarkGate

stealer darkgate

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\degdfkh.lnk C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f7689d8.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA91D.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f7689d9.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI8D42.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DPX\setupact.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\Installer\MSIA8DE.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f7689d9.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f7689d8.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DPX\setuperr.log C:\Windows\SysWOW64\EXPAND.EXE N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2064 wrote to memory of 2812 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2812 wrote to memory of 760 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2812 wrote to memory of 1924 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 2812 wrote to memory of 1808 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe
PID 1808 wrote to memory of 552 N/A C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe
PID 2812 wrote to memory of 440 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 552 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NEAS.Invoice.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "000000000000049C" "00000000000005AC"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding F32481B2A0420E5E6317A1D9C09F0351

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

C:\Windows\SysWOW64\EXPAND.EXE

"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe

"C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe"

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe

"C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe" C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\script.au3

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\." /SETINTEGRITYLEVEL (CI)(OI)LOW

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"

Network

Country Destination Domain Proto
CA 167.114.199.65:2351 tcp

Files

C:\Windows\Installer\MSI8D42.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

\Windows\Installer\MSI8D42.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\msiwrapper.ini

MD5 5445a4185b1662cfe34afe08b993f0d7
SHA1 9598dd0227f0cf07bb91454ede6f8db980a06f01
SHA256 fe5ea83bb3e4802f67455923c0b2144df8455e435c086014b9daf04f2069d39a
SHA512 cfd524887e0b50aabd391930079dcceffbffa1a5835c674616b388c19ec835683ade728a78c41aec366e8486fcb807f0542715bd77689328aa62b678975fdd00

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\msiwrapper.ini

MD5 ff0ff8ecd59c2d411d3ac5a1d7a27d99
SHA1 2689a5229249a37c95c6d701f2073e7093660451
SHA256 d30cf1cf631c8b761fec5bb2b6370bfdf0e8f7b7caa58907ac0f40ec1f0ce587
SHA512 9485feff1a9cc7228a3c7313924d5db2afe649879ac6e59ed7bdf11662e0101aaee04e4c133cf30f923a12232a66bcc4e335ca17774ffd306f6de082106f4151

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\msiwrapper.ini

MD5 1f734d3bfbb51ee9621cc8215824e6f4
SHA1 71f4d76c8c0574445032137cc0988b8ebc8412b3
SHA256 f062c00f418a7618af0d1b8bbb51bb8c75bbead6ee36e29a035d764e98259c91
SHA512 990510bf8be6b79e4ae505726abe47e99edc6b58aa3a115d3951a2738ce5333ebb51049e74a836ec5e91e7a1dcc062217742fe49c7b9f30ae7c21a644a5ea593

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files.cab

MD5 7054f4eba28a1df7dab2d77d7d48c577
SHA1 8a0899c27a1859ad75f4d0eaabc8f9da386af0bb
SHA256 bd8962dcb0d34286c5f360fadbf647f136864f41526644d666923692816d7fd9
SHA512 e21b4b385634691a5fae2da3ef0f89fe3eac1583c6482c46de335d8b32102878124ef5f88cb8c562b5ea745dcf6ba5e3117a113334b676785cc6e137c15a9ca2

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe

MD5 c790ebfcb6a34953a371e32c9174fe46
SHA1 3ead08d8bbdb3afd851877cb50507b77ae18a4d8
SHA256 fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1
SHA512 74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.exe

MD5 c790ebfcb6a34953a371e32c9174fe46
SHA1 3ead08d8bbdb3afd851877cb50507b77ae18a4d8
SHA256 fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1
SHA512 74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerIE.dll

MD5 63e87369f0fa8fb04a420a709f191124
SHA1 8f3628dea6a64a9b7a967d0659f859acecc3b7bf
SHA256 544d564e037c1493aa1daac2dd19afc562b4bfe4700e5eba644a279bcda3276c
SHA512 2d9442aa0e4977d226a4338ade0b4321836611ec56109709cf922da102b6aa9083f659ff740212eb6c9cfc2b3a339cb3482a035e39b1ba9acf3a96a7a6d19f12

memory/1808-124-0x00000000001A0000-0x0000000000230000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerIE.DLL

MD5 63e87369f0fa8fb04a420a709f191124
SHA1 8f3628dea6a64a9b7a967d0659f859acecc3b7bf
SHA256 544d564e037c1493aa1daac2dd19afc562b4bfe4700e5eba644a279bcda3276c
SHA512 2d9442aa0e4977d226a4338ade0b4321836611ec56109709cf922da102b6aa9083f659ff740212eb6c9cfc2b3a339cb3482a035e39b1ba9acf3a96a7a6d19f12

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\celizvv

MD5 ae18e8d531e840927e972f9e56a1af09
SHA1 15a49428f1699cbf6ee71040690b6b05da3e4a04
SHA256 3674e179fcc877affdb4b0d83b4fd23907ace789566bf1f5195f77b392fe6b5c
SHA512 2826941a5c2f8b495db9422794dc4a5f3f464b135b1c3c711b70dfc33b41fa86698eb8d3f5a111a8d210015d1a98545f025c7200bf326d2c9ea4a7b1dc79dcaa

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\qtwvkwdh

MD5 c6fe14ca635b936944da74a6691a1a8b
SHA1 df66ae8a3a60296d4b2aa71dd61641c13c0231cf
SHA256 8de3daf814abcde323bcfafb07ab89cc5adb8d5a137ef9366e4923d69443b44c
SHA512 edc559e06bc2b5befbf7dc62dcf898e77633f78387137d66911f15bc56225d75ebf4dae3bcacc9b631c4ca68754f254727cc3d9685fe8a76936b0bcd21c6af5b

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/1808-136-0x00000000001A0000-0x0000000000230000-memory.dmp

memory/1808-133-0x0000000002D10000-0x0000000002E05000-memory.dmp

\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/1808-130-0x00000000024C0000-0x0000000002B60000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\script.au3

MD5 2e0faac53060f5d57029aaedb0d91c67
SHA1 f8502e476658270ce6068a5bd91f65afeb25c16c
SHA256 a2be457dc7fc5d5662e5db1b51b77094898449fedab7b1a9f837c093c249c5ba
SHA512 21f19112928b0f9fa27d1f53881884b1aa931d630887de7f1aa0bb5584fe85c0d7003cbe389d641580c0939e140f6fcd9d2160783b9b4e81f58fdb883ff66da3

memory/1808-138-0x0000000002D10000-0x0000000002E05000-memory.dmp

memory/552-140-0x0000000000900000-0x0000000000D00000-memory.dmp

memory/552-141-0x0000000002A70000-0x0000000002B65000-memory.dmp

memory/552-142-0x0000000003260000-0x0000000003440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\AutoIt3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\msiwrapper.ini

MD5 77aae42ad2d63bd45546ce4f6ebe8022
SHA1 5dd6bfef97dbb0dd7cee233ed8f5db23f47cd397
SHA256 45d1da77715dcc3d2115880e25491bf8f778f3df218ce5c273c143f5317d8a4b
SHA512 6fe5f583c4a0403594361cc5d86c24c14c7a81b430befab5cc5ee2ecbb33a5b049ae60249827467476ea03ccd98a7d531f5abfe33387e9f1a019b964648eb7f5

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Uninstall.exe

MD5 eff839d29dbb06677a85117d036e29c6
SHA1 473823c718f3db95d27f14b783e68c08f13caded
SHA256 1b5cb8035b18d06b5219f2e7d30200ca343c0ce6763962c7c41534aecc2b1c80
SHA512 cb4fb2b054e3430df934cd30be220e13c2f86bf2dbc6e2a46d59fa4f7d9c6feca9cbc44fb1cc49bfae7aa39623d26d8f4510fa9a0584a1f64110cae87117aff3

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Sounds\Success.wav

MD5 fd8177d61c8dd032dd262bf979d852f6
SHA1 ac64e21b7c80e996bcb369b6023bec4191568a52
SHA256 8dae19fc9c722a7fb169f37b5881e74551a8d3b8b43ec6f52b6d5d46e885ed6c
SHA512 39e75172a2b410eb25de87f06c57e1c583493f1885a39f2a410ce6437cc8e9d400a3e8e695cdcec63752840096637a16c1d875e43ce1c40e43553f16337ff835

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Sounds\Error.wav

MD5 efad8c5d6cc6cae180ebe01ce3a60c88
SHA1 614839975c1f07161f3c26ba2af08ae910b21c61
SHA256 acad74b9bb57809e1b35bc06f357941986ebdc547ba33fc618f07e6e7bdc49bd
SHA512 d404752e05ee803958a21b7fcadc0782ba36ea42eba84eae42eca6360df71822bc705eea6ef2caaa82e2fdcc518ba1cd94c04cc7e7e7739d32eb29dbffd2f51a

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\ReadMe.txt

MD5 06a5df751eb0765e69bfb15e12f4c665
SHA1 7394bf7df2dda47bf8d55bfbc880d2a2316054ac
SHA256 8b9d97c137459a495936af47f5140fe75f795728a30e9ec3d8ac9c1cb2e5c65f
SHA512 aabd6aa18646192bd49e5343e0129e696b1e003a16e8205fd36aa863be9c97aadf9ac67bba96629d21ea5921e89ce6a401e74d9347aa77468f3854dc64e20558

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\QFXUpdateService.exe

MD5 4ed21ae3ae981538ab61f199d4477b92
SHA1 d7266d30270bce21dffb62ed7f2e47fee9890fc2
SHA256 7053dae7f3d11cee5b0ca0363320104857c73aad6a0f2f9af398c2f4e607a95b
SHA512 f4768e7ccc73d5ae8f9da526875b12f571c36ba7c7c9d08aa1a455926a34560f11598f677242c5513ed750a384bd9b1107b57975487603f49e6c16eea92bcbdb

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\project.xml

MD5 189dc774be74d9453606a7a80cd730e6
SHA1 1a70d362b8bd78cdfe7949f3438b346fe8c69adb
SHA256 3af50be8a1086fff8726686340b4a3883125406f20ac0f72396363891ecc26c6
SHA512 68679076938165c6bb669d5ac7fbe979ae34611b6eda3030eea5361872993c7922a705185ac4016e221ccd6220f8af31e0d3821241d410bbfe744e6c29588a9e

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\license.htm

MD5 fbe23ef8575dd46ea36f06dd627e94ab
SHA1 d80929568026e2d1db891742331229f1fd0c7e34
SHA256 104c6948b760b0dc6fb80f9283a7978229e8be4bab316fe5fa883dccc18dc8ab
SHA512 caba58d22a835c2a9a0c420129631add230ebbb16edc36b45766348f5c7d5e5c9f8dc2edd71622f8876f8777d3c797a3e6dd2da7ea1a743cbca73d1e4ad27d20

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Languages\KSLangJPN.dll

MD5 bc5feb50bc7a25e4c08e3bcd8d2bc1c5
SHA1 fb703a62a503ce8a697e8d8c648f6c09408b2f53
SHA256 d52120ab6b006b1f5bda114129d78b7d11ff33e707c3e689cd6bc15dca836da9
SHA512 84699f9de5079fa6c89430d81c76cc89ffd73cc7a9ae2f1a6e5a92bbdb2db5de9461436fb134ce8ff5074b1eea7e56a72432e0e6595d9e141a44f0290e124214

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Languages\KSLangCHT.dll

MD5 07e327539ff319611d858a4c9575ed02
SHA1 53d74091a51d96bb9b946a06803e16d3a9139df6
SHA256 d4afb96b37351ebbe9763fe0110a0859e62f6a065abfa840af5454505b3cd80e
SHA512 906a346bb8f5842a81a1b5f4fc54b71d9db9c390bcdc2dfbaf723eb40ad247c456fccc7a0fd77130c666dd80d2821de1e3487ad62528405a3ec86e503202bc67

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\KeyScramblerLogon.dll

MD5 760aa6f15db378dda44f262e1349e28d
SHA1 9bb9a0caa54e8b2560245430f33985996b2d40f3
SHA256 ee04957d0010ca2134c4770b434b2fdec08a25400b474dd51f47d5d1dc8d574b
SHA512 c6cf081dc189d88c85d01832f5cb09ff42c1264d7d4c548a336a33b97ec0b0b24aeb25076fd24db7db2f7a7ced6eccc67d26497352f7eeb1d29bb9c0a59abce6

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\keyscrambler.sys

MD5 9baf5236d65a36ed2c388cf04108ab9f
SHA1 f5e28edea04a00b5e8806130cd2736336c6e3792
SHA256 9e79960a40797c11a007d9c8e6a4bce721baf603f5d651f5485eb5481c717b12
SHA512 1fc899c37e628adbe05a53812e6106332de7dbef83ce72094dd228067eefa71d09abe55d250b35d93f7454b9596073de95af6700e543c17bb5d43e7de0fcac1b

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\keyscrambler.ico

MD5 fde5504bbf7620aca9f3850511c13a45
SHA1 484382ecc232cedc1651fba5f9311e9164f43369
SHA256 932409eb2abfc31f2dd218240de70a150359ea8ab09fcceb1f076b9a17c844b7
SHA512 6d67be9398fcc2b85fe4fd7357f37d6cfc1d3e548f713319080707c750b66d2b1e631c79a7e745c56b1a72be91735156e3989eff8d0b84c3442c0fa548c2a6b4

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\getting_started.html

MD5 da033601ee343eaa7f5d609a854b4baa
SHA1 e279b127a9ce7582a626c29dd02a0b88ff10d966
SHA256 e4312722cf4e6e179f7c50e8fcc618d583a38ba71046aee2d67090d7a37ee5da
SHA512 b6c53aabc3c1c41d639f5877dc81dbf05145c8feb4101e20afd45dbafdc5f2af90394dda3c26836a34d4382135fbdcc899795a58a40d3974fcaff7f4f8002a9d

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\EMCOMSI.pbproj

MD5 2d190d00ca9f4a0da4ea26e6da13307e
SHA1 72cfa041994c30b527cc7f1cf6f4f5877edb35b9
SHA256 7c22e0a9afe2f9f4724711c456a049a113cc600d55167598be17ba1ab5124025
SHA512 e16e6bc6e164a40efc47d6cdb7ddd2bcbffe4760c8ad1eec21dcba2d1d3f61d688b26e89d454c24b89847d26aaf824fdb5b9b18a7ae85612c1e3a255021ec5e5

memory/552-162-0x0000000003260000-0x0000000003440000-memory.dmp

memory/1780-167-0x00000000000E0000-0x00000000000E1000-memory.dmp

memory/1780-166-0x00000000000A0000-0x00000000000A1000-memory.dmp

C:\Windows\Installer\MSIA91D.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

\Windows\Installer\MSIA91D.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

memory/1780-177-0x0000000000360000-0x0000000000361000-memory.dmp

memory/552-188-0x0000000000900000-0x0000000000D00000-memory.dmp

memory/1780-191-0x0000000000950000-0x0000000000951000-memory.dmp

memory/1780-226-0x00000000021A0000-0x00000000021A1000-memory.dmp

memory/1780-789-0x0000000010410000-0x000000001048F000-memory.dmp

C:\ProgramData\ccecacd\adbcddc\cckaggf

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\c:\temp\fegaefg.au3

MD5 2e0faac53060f5d57029aaedb0d91c67
SHA1 f8502e476658270ce6068a5bd91f65afeb25c16c
SHA256 a2be457dc7fc5d5662e5db1b51b77094898449fedab7b1a9f837c093c249c5ba
SHA512 21f19112928b0f9fa27d1f53881884b1aa931d630887de7f1aa0bb5584fe85c0d7003cbe389d641580c0939e140f6fcd9d2160783b9b4e81f58fdb883ff66da3

memory/552-799-0x0000000003260000-0x0000000003440000-memory.dmp

memory/2848-801-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2848-802-0x00000000001B0000-0x00000000001B1000-memory.dmp

C:\ProgramData\ccecacd\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/552-1205-0x0000000003260000-0x0000000003440000-memory.dmp

memory/2848-1403-0x0000000010490000-0x000000001050F000-memory.dmp

memory/1780-1404-0x0000000010410000-0x000000001048F000-memory.dmp

\??\c:\temp\aeabcbf

MD5 0d6951c2179a4d2306a5c0deb434a987
SHA1 6a14c44374d3bb96c078fcd7b741c7208c5451b0
SHA256 cc6c9afb2a89709122f7bd2eb7ac5745f02b3c45a92031dd1b06d5e168d92fc5
SHA512 4807e01ee7eba3401b807d8bc1002bf4eb10ee1cfd1e0527edb51d7bc4d274d5640f2e5be7411ef0bc2084c416d79a0db5c518189be4a5454d71064a2c2c99c6

C:\ProgramData\ccecacd\fegaefg.au3

MD5 98304a28f4657cfa73661759185fa4ec
SHA1 1d4a91dd95e7d64e32d2fcb5b14f031ba3af326f
SHA256 5569707bf84d293fa32a6fae6d93f18bd3a2bf4160943ffad43fae0b2803128e
SHA512 eceacddaf1b432c89ad905583bcb8103ed2d0b431985e05ff82d151ffdca4b63622332b3336a10996639f8a9f689a1b65c880a51b47aa0c8779468012b99f2fc

C:\ProgramData\ccecacd\adbcddc\cckaggf

MD5 05a50641e84e703c50919fb084fd596a
SHA1 fc096d9e4e1eb19524b760e922ee760849d1562c
SHA256 1f5eb190ebf1d4c04e2db6b530fdb899a7195866555bec86960f8fea08559455
SHA512 e27766b1c534da0e99bebe1369785db724ec7322a84d6ac0f6d3380032355419968bc99f3423bcaff43df9247e8b96c5b193103b363eb801e066a6bdb1f03386

memory/2848-1412-0x0000000010490000-0x000000001050F000-memory.dmp
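The Files section lists the same file several times (C:\ and drive-less spellings, differing case, and cckaggf first recorded as a zero-byte placeholder and later with its real contents), and it interleaves memory dump regions with dropped files. The following is an added example, not part of the sandbox output: a parser for this layout that folds the spellings onto one record per SHA-256, separates the memory regions, drops the empty-file hash (it would match every zero-byte file on every host), and reports which hash appears under more than one path, which is how the copy of Autoit3.exe from the MW- temp directory into C:\ProgramData\ccecacd stands out. REPORT_EXCERPT is copied from the entries above; treating drive-less paths as C: is an assumption based on the sandbox's single volume.

```python
"""Turn the report's Files section into a de-duplicated IOC set.

Added example for this report, not part of the sandbox output. REPORT_EXCERPT is
copied from the Files section (layout: a path line, then MD5/SHA1/SHA256/SHA512
lines; "memory/..." lines are dumped memory regions, not files).
"""
import hashlib
import re

HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", re.IGNORECASE)
DUMP_LINE = re.compile(r"^memory/\d+-\d+-0x[0-9a-f]+-0x[0-9a-f]+-memory\.dmp$", re.IGNORECASE)
# SHA-256 of zero bytes: recorded for cckaggf because the file was created empty
# before the payload was written. As an indicator it matches every empty file.
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

REPORT_EXCERPT = r"""
C:\ProgramData\ccecacd\adbcddc\cckaggf

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2848-801-0x0000000000120000-0x0000000000121000-memory.dmp

C:\ProgramData\ccecacd\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\Users\Admin\AppData\Local\Temp\MW-ece1dbd6-7dd5-4a9e-a2af-3498740e0958\files\AutoIt3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\ProgramData\ccecacd\adbcddc\cckaggf

MD5 05a50641e84e703c50919fb084fd596a
SHA1 fc096d9e4e1eb19524b760e922ee760849d1562c
SHA256 1f5eb190ebf1d4c04e2db6b530fdb899a7195866555bec86960f8fea08559455
SHA512 e27766b1c534da0e99bebe1369785db724ec7322a84d6ac0f6d3380032355419968bc99f3423bcaff43df9247e8b96c5b193103b363eb801e066a6bdb1f03386
"""


def _normalize(path: str) -> str:
    """Fold 'C:\\...', drive-less '\\...', '\\??\\c:\\...' and case differences onto one key."""
    p = path[4:] if path.startswith("\\??\\") else path
    if p.startswith("\\"):
        p = "C:" + p  # assumption: single-volume sandbox, drive-less paths are on C:
    return p.lower()


def parse_files(text: str):
    """Return ({sha256: {"md5", "sha1", "paths"}}, [memory dump region lines])."""
    records: dict[str, dict] = {}
    dumps: list[str] = []
    path, hashes = None, {}

    def flush() -> None:
        if path and "SHA256" in hashes:
            rec = records.setdefault(
                hashes["SHA256"], {"md5": hashes.get("MD5"), "sha1": hashes.get("SHA1"), "paths": set()})
            rec["paths"].add(_normalize(path))

    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if DUMP_LINE.match(line):
            dumps.append(line)
            continue
        m = HASH_LINE.match(line)
        if m:
            hashes[m.group(1).upper()] = m.group(2).lower()
            continue
        flush()  # a new path line closes the previous record
        path, hashes = line, {}
    flush()
    return records, dumps


def blockable_iocs(records: dict) -> dict:
    """Hashes that can go on a blocklist: everything except the empty-file hash."""
    return {h: r for h, r in records.items() if h != EMPTY_SHA256}


def relocated(records: dict) -> set:
    """Hashes seen under more than one path: the file was copied somewhere else."""
    return {h for h, r in records.items() if len(r["paths"]) > 1}


if __name__ == "__main__":
    recs, dumps = parse_files(REPORT_EXCERPT)
    for h, r in blockable_iocs(recs).items():
        print(h, sorted(r["paths"]))
    print("relocated:", relocated(recs), "dump regions:", len(dumps))
```

On this excerpt the three Autoit3.exe spellings collapse to two paths under one SHA-256, which is the relocation into C:\ProgramData\ccecacd, while the two cckaggf entries stay separate because their contents differ. The path of a relocated legitimate interpreter is a better hunting indicator than its hash, which will also be present on hosts that have AutoIt installed for legitimate reasons.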

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-16 13:59

Reported

2023-11-16 14:02

Platform

win10v2004-20231023-en

Max time kernel

151s

Max time network

153s

Command Line

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

Signatures

DarkGate

stealer darkgate

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hfcbfhh.lnk C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e58d59b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{F7A1A386-DAA8-4353-91F8-F68BE0A4494E} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSID77F.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\LOGS\DPX\setupact.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File created C:\Windows\Installer\e58d59b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE016.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIE037.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\LOGS\DPX\setuperr.log C:\Windows\SysWOW64\EXPAND.EXE N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe N/A
Key opened \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Autoit3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Autoit3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\Hardware\Description\System\BIOS C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 868 wrote to memory of 1100 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe 2
PID 868 wrote to memory of 3672 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe 3
PID 3672 wrote to memory of 4896 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE 3
PID 3672 wrote to memory of 4020 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE 3
PID 3672 wrote to memory of 2300 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe 3
PID 2300 wrote to memory of 764 N/A C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Autoit3.exe 3
PID 3672 wrote to memory of 1748 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE 3
PID 764 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Autoit3.exe C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe 44

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NEAS.Invoice.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding DF7DCD33E08C608B40590AF48E4E1794

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

C:\Windows\SysWOW64\EXPAND.EXE

"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe

"C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe"

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Autoit3.exe

"C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Autoit3.exe" C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\script.au3

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\." /SETINTEGRITYLEVEL (CI)(OI)LOW

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"

C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe

"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"
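
The WriteProcessMemory table and this process list describe a single chain: msiexec.exe installs NEAS.Invoice.msi, the 32-bit MsiExec.exe -Embedding child runs an MSI wrapper stage (see msiwrapper.ini in the Files section) that raises the MW-<GUID> directory to High integrity with ICACLS, expands files.cab, runs KeyScramblerLogon.exe from the extracted files directory and drops the directory back to Low integrity; KeyScramblerLogon.exe starts Autoit3.exe with script.au3, and Autoit3.exe then writes 44 times into TabTip32.exe (PID 2224). Two or three writes from a parent into a newly created child are what the sandbox records for ordinary process creation; dozens of writes from an interpreter running out of %TEMP% into a signed Microsoft binary under Program Files are the injection signal, and the memory dumps listed later for PID 2224 (0x10410000-0x1048F000) and for PID 3044, which appears only in the dumps and is most likely the second TabTip32.exe instance, cover regions of the same size. The script below is an added example, not part of this report: it parses the report's own rows (copied here as constructed input together with their repeat counts) into a process tree and applies the triage heuristics a responder would use. The path lists and the write-count threshold are the example's assumptions.

```python
import ntpath
import re
from collections import Counter

# Constructed sample: the distinct rows of the report's "Suspicious use of
# WriteProcessMemory" table, each paired with the number of times it appears.
TMP = r"C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files"
INK = r"C:\Program Files (x86)\Common Files\Microsoft Shared\ink"
WPM_ROWS = [
    (2, r"PID 868 wrote to memory of 1100 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe"),
    (3, r"PID 868 wrote to memory of 3672 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe"),
    (3, r"PID 3672 wrote to memory of 4896 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE"),
    (3, r"PID 3672 wrote to memory of 4020 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE"),
    (3, rf"PID 3672 wrote to memory of 2300 N/A C:\Windows\syswow64\MsiExec.exe {TMP}\KeyScramblerLogon.exe"),
    (3, rf"PID 2300 wrote to memory of 764 N/A {TMP}\KeyScramblerLogon.exe {TMP}\Autoit3.exe"),
    (3, r"PID 3672 wrote to memory of 1748 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE"),
    (44, rf"PID 764 wrote to memory of 2224 N/A {TMP}\Autoit3.exe {INK}\TabTip32.exe"),
]

# "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"; the first
# image is matched lazily so the split lands on the second drive-letter path.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.*)$")

# Assumptions of this example: where user-controlled files live, where
# trusted binaries live, and how many writes look like injection.
USER_WRITABLE = (r"\appdata\local\temp", r"\programdata", r"c:\temp")
PROTECTED = (r"c:\program files", r"c:\windows")


def parse_row(line):
    """Return (src_pid, dst_pid, src_image, dst_image) for one table row."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError("unrecognised row: " + line)
    return int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)


def build_tree(rows):
    """Map each PID to its image and total the writes on every parent->child edge."""
    image, writes = {}, Counter()
    for count, line in rows:
        src, dst, src_img, dst_img = parse_row(line)
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
        writes[(src, dst)] += count
    return image, writes


def render_tree(image, writes):
    """Indented chain rooted at the PIDs nobody wrote into, in report order."""
    children, targets = {}, set()
    for (src, dst), n in writes.items():
        children.setdefault(src, []).append((dst, n))
        targets.add(dst)
    lines = []

    def walk(pid, depth, n):
        note = f"  <- {n} write(s) from parent" if n else ""
        lines.append("    " * depth + f"[{pid}] {image[pid]}{note}")
        for child, count in children.get(pid, []):
            walk(child, depth + 1, count)

    for root in [pid for pid in image if pid not in targets]:
        walk(root, 0, 0)
    return lines


def findings(image, writes, injection_threshold=10):
    """Triage heuristics over the edges; threshold and path lists are assumptions."""
    out = []
    for (src, dst), n in writes.items():
        s, d = image[src].lower(), image[dst].lower()
        s_name, d_name = ntpath.basename(image[src]), ntpath.basename(image[dst])
        # A few writes at process creation are normal; dozens from a
        # user-writable path into a trusted binary are not.
        if n >= injection_threshold and any(p in s for p in USER_WRITABLE) and d.startswith(PROTECTED):
            out.append(f"injection candidate: {s_name} (PID {src}) wrote {n} times into {d_name} (PID {dst})")
        if d_name.lower() == "autoit3.exe":
            out.append(f"script loader: {s_name} (PID {src}) started the AutoIt interpreter (PID {dst})")
        if s_name.lower() == "msiexec.exe" and any(p in d for p in USER_WRITABLE):
            out.append(f"installer payload: {s_name} (PID {src}) ran {d_name} (PID {dst}) from a user-writable path")
    return out


if __name__ == "__main__":
    img, wr = build_tree(WPM_ROWS)
    print("\n".join(render_tree(img, wr)))
    print("\n".join(findings(img, wr)))
```

Run against the report's rows, the tree has nine processes under msiexec.exe (PID 868) and the heuristics produce three findings: MsiExec.exe running KeyScramblerLogon.exe from %TEMP%, KeyScramblerLogon.exe starting Autoit3.exe, and Autoit3.exe writing 44 times into TabTip32.exe. The same parser works on any export that uses this row format; only the constants need to change.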

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 65.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 98.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 254.43.238.8.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
CA 167.114.199.65:2351 tcp
CA 167.114.199.65:2351 tcp
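
Most of this table is background noise: PTR lookups (*.in-addr.arpa) sent to 8.8.8.8, and one lookup plus three TLS connections to tse1.mm.bing.net, a host Windows itself contacts. The two rows that matter are the TCP connections to 167.114.199.65 on port 2351 with an empty Domain column: a direct-to-IP connection on a non-standard port that no DNS query preceded, which is the candidate C2 endpoint to block and hunt for. The following added example (not from the report) parses the table as extracted here, separates the kinds of rows, turns the PTR names back into the addresses the host was resolving, and emits the direct-to-IP endpoints as IOCs. The allowlist of Microsoft name suffixes is an assumption of the example.

```python
import re
from collections import Counter, namedtuple

# Constructed sample: the rows of the Network table above, in the extracted
# "Country Destination Domain Proto" layout (Domain is absent on direct-to-IP rows).
NETWORK_TABLE = """
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 65.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 98.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 254.43.238.8.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
CA 167.114.199.65:2351 tcp
CA 167.114.199.65:2351 tcp
"""

# Assumption of this example: name suffixes treated as Windows background traffic.
BENIGN_SUFFIXES = (".bing.net", ".microsoft.com", ".windowsupdate.com")

Row = namedtuple("Row", "country ip port domain proto")
ROW_RE = re.compile(r"^([A-Z]{2})\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+(?:(\S+)\s+)?(tcp|udp)$")


def parse_rows(text):
    """Parse the flattened table; lines that are not data rows are ignored."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            country, ip, port, domain, proto = m.groups()
            rows.append(Row(country, ip, int(port), domain, proto))
    return rows


def ptr_to_ip(name):
    """'64.159.190.20.in-addr.arpa' -> '20.190.159.64'."""
    octets = name[: -len(".in-addr.arpa")].split(".")
    return ".".join(reversed(octets))


def classify(row):
    if row.proto == "udp" and row.port == 53:
        return "reverse-dns" if row.domain and row.domain.endswith(".in-addr.arpa") else "dns"
    if row.domain and row.domain.endswith(BENIGN_SUFFIXES):
        return "os-background"
    if row.domain is None:
        return "direct-ip"  # no name was resolved first: the interesting case
    return "other"


def triage(rows):
    """Return (category counts, direct-to-IP IOCs, addresses the host reverse-resolved)."""
    summary = Counter(classify(r) for r in rows)
    iocs = sorted({f"{r.ip}:{r.port}/{r.proto}" for r in rows if classify(r) == "direct-ip"})
    resolved = sorted({ptr_to_ip(r.domain) for r in rows if classify(r) == "reverse-dns"})
    return summary, iocs, resolved


if __name__ == "__main__":
    summary, iocs, resolved = triage(parse_rows(NETWORK_TABLE))
    print(dict(summary))
    print("direct-to-IP endpoints:", iocs)
    print("addresses reverse-resolved:", resolved)
```

On this table the script classifies 17 rows as reverse DNS, one as a forward lookup, three as Microsoft background traffic and two as direct-to-IP, and the IOC list reduces to the single endpoint 167.114.199.65:2351/tcp. The reverse-resolved addresses are worth a glance too: they show which peers the host was trying to name, which in a non-sandbox capture can expose a C2 address that the malware itself never looked up.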

Files

C:\Windows\Installer\MSID77F.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\msiwrapper.ini

MD5 d326559fbd495c9269b362c456bd30ed
SHA1 ffb267d6f57fd89e73bcb9a297cfa16b7aace358
SHA256 ba06f989b969559cf4a24d7c74cdb29e93dfb0a624fa32b3b0eb6c14463e89e5
SHA512 4ed6b657662fcea566455639d0c72aaf9c4912c4065aa173b1388f446fc2b5bbeaebdef406b7cf9512283ae7ac3746e1b03fc499b726b3f097a4e8ee40f6d9d1

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\msiwrapper.ini

MD5 dc55ac28908d3ef66146eb32b709afec
SHA1 d46d4da85fa6cfdb537949f170f920ff0b1a7279
SHA256 20e1f9b8fa432d7b6fd3d47f9d14278f568551e1df5ae9c754859b7e09c7ebf2
SHA512 8b27ef1eb4f5f634c414976c09a4400e806e4c34dfc0f95eda36033af86a2593ea4af20100683cea9d0164c340e9ecc7a7bd62f51662acd4d32aba4f915b7c7d

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files.cab

MD5 7054f4eba28a1df7dab2d77d7d48c577
SHA1 8a0899c27a1859ad75f4d0eaabc8f9da386af0bb
SHA256 bd8962dcb0d34286c5f360fadbf647f136864f41526644d666923692816d7fd9
SHA512 e21b4b385634691a5fae2da3ef0f89fe3eac1583c6482c46de335d8b32102878124ef5f88cb8c562b5ea745dcf6ba5e3117a113334b676785cc6e137c15a9ca2

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.exe

MD5 c790ebfcb6a34953a371e32c9174fe46
SHA1 3ead08d8bbdb3afd851877cb50507b77ae18a4d8
SHA256 fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1
SHA512 74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerIE.dll

MD5 63e87369f0fa8fb04a420a709f191124
SHA1 8f3628dea6a64a9b7a967d0659f859acecc3b7bf
SHA256 544d564e037c1493aa1daac2dd19afc562b4bfe4700e5eba644a279bcda3276c
SHA512 2d9442aa0e4977d226a4338ade0b4321836611ec56109709cf922da102b6aa9083f659ff740212eb6c9cfc2b3a339cb3482a035e39b1ba9acf3a96a7a6d19f12

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerIE.DLL

MD5 63e87369f0fa8fb04a420a709f191124
SHA1 8f3628dea6a64a9b7a967d0659f859acecc3b7bf
SHA256 544d564e037c1493aa1daac2dd19afc562b4bfe4700e5eba644a279bcda3276c
SHA512 2d9442aa0e4977d226a4338ade0b4321836611ec56109709cf922da102b6aa9083f659ff740212eb6c9cfc2b3a339cb3482a035e39b1ba9acf3a96a7a6d19f12

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\qtwvkwdh

MD5 c6fe14ca635b936944da74a6691a1a8b
SHA1 df66ae8a3a60296d4b2aa71dd61641c13c0231cf
SHA256 8de3daf814abcde323bcfafb07ab89cc5adb8d5a137ef9366e4923d69443b44c
SHA512 edc559e06bc2b5befbf7dc62dcf898e77633f78387137d66911f15bc56225d75ebf4dae3bcacc9b631c4ca68754f254727cc3d9685fe8a76936b0bcd21c6af5b

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\celizvv

MD5 ae18e8d531e840927e972f9e56a1af09
SHA1 15a49428f1699cbf6ee71040690b6b05da3e4a04
SHA256 3674e179fcc877affdb4b0d83b4fd23907ace789566bf1f5195f77b392fe6b5c
SHA512 2826941a5c2f8b495db9422794dc4a5f3f464b135b1c3c711b70dfc33b41fa86698eb8d3f5a111a8d210015d1a98545f025c7200bf326d2c9ea4a7b1dc79dcaa

\??\Volume{c2d04a06-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{55bc267c-699d-4496-8519-914eb4e5b2ce}_OnDiskSnapshotProp

MD5 aea4fe8de977cc2be018df67576f0865
SHA1 df7814a324b87a69a9f945fd9566069ae0751021
SHA256 503dcd429838ac366af8182e44abdd081690d2b5e4534e77188790de30c22b5a
SHA512 a425841acb3c257030dc351783cc986157f89e2e5cce47de7f3196d0b46ca532641ce19cfe624070574da1959c7a996b289eba900e4be153c601d69356f88269

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 a0f9e4d4f9e782372ea4d1f53de9ea68
SHA1 ef95de339c09732cf9dbb6cd3cd887a10ef5bf67
SHA256 969959fbab23587268c44d8f996c4ea1fbed90b1e82be26b70e6761bf10a0452
SHA512 f6b9c868da966afc64cf659d8b8fd1ac561b4707ed9f4d1193485dab89b71169a65282de1d0406b6a3a14c4704a54a2632efcd1a07703eacd4bc88b847453eed

memory/2300-129-0x0000000000400000-0x0000000000490000-memory.dmp

memory/2300-138-0x0000000003330000-0x00000000039D0000-memory.dmp

memory/2300-139-0x0000000001430000-0x0000000001525000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2300-142-0x0000000000400000-0x0000000000490000-memory.dmp

memory/2300-144-0x0000000001430000-0x0000000001525000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\script.au3

MD5 2e0faac53060f5d57029aaedb0d91c67
SHA1 f8502e476658270ce6068a5bd91f65afeb25c16c
SHA256 a2be457dc7fc5d5662e5db1b51b77094898449fedab7b1a9f837c093c249c5ba
SHA512 21f19112928b0f9fa27d1f53881884b1aa931d630887de7f1aa0bb5584fe85c0d7003cbe389d641580c0939e140f6fcd9d2160783b9b4e81f58fdb883ff66da3

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\keyscrambler.ico

MD5 fde5504bbf7620aca9f3850511c13a45
SHA1 484382ecc232cedc1651fba5f9311e9164f43369
SHA256 932409eb2abfc31f2dd218240de70a150359ea8ab09fcceb1f076b9a17c844b7
SHA512 6d67be9398fcc2b85fe4fd7357f37d6cfc1d3e548f713319080707c750b66d2b1e631c79a7e745c56b1a72be91735156e3989eff8d0b84c3442c0fa548c2a6b4

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Sounds\Error.wav

MD5 efad8c5d6cc6cae180ebe01ce3a60c88
SHA1 614839975c1f07161f3c26ba2af08ae910b21c61
SHA256 acad74b9bb57809e1b35bc06f357941986ebdc547ba33fc618f07e6e7bdc49bd
SHA512 d404752e05ee803958a21b7fcadc0782ba36ea42eba84eae42eca6360df71822bc705eea6ef2caaa82e2fdcc518ba1cd94c04cc7e7e7739d32eb29dbffd2f51a

memory/764-162-0x0000000000CC0000-0x00000000010C0000-memory.dmp

memory/764-164-0x0000000004250000-0x0000000004430000-memory.dmp

memory/764-163-0x0000000003A20000-0x0000000003B15000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\msiwrapper.ini

MD5 cd269049a0c29cd054beb05a33591996
SHA1 a7c4c5b561f756d24963ff35e8fcf6f291ae72d5
SHA256 53124ecd755ec253de84906315d90d9fc6641a1ace3e3e2f745cd42cd368d2ce
SHA512 dfeb3e643b4015deab151009e15739a953679eab8ff16b7e94172eaafc504784ab09e6442cf920ad022f51d50a7b7422e8159502b942b86fcee8d6a5c89585d7

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Uninstall.exe

MD5 eff839d29dbb06677a85117d036e29c6
SHA1 473823c718f3db95d27f14b783e68c08f13caded
SHA256 1b5cb8035b18d06b5219f2e7d30200ca343c0ce6763962c7c41534aecc2b1c80
SHA512 cb4fb2b054e3430df934cd30be220e13c2f86bf2dbc6e2a46d59fa4f7d9c6feca9cbc44fb1cc49bfae7aa39623d26d8f4510fa9a0584a1f64110cae87117aff3

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Sounds\Success.wav

MD5 fd8177d61c8dd032dd262bf979d852f6
SHA1 ac64e21b7c80e996bcb369b6023bec4191568a52
SHA256 8dae19fc9c722a7fb169f37b5881e74551a8d3b8b43ec6f52b6d5d46e885ed6c
SHA512 39e75172a2b410eb25de87f06c57e1c583493f1885a39f2a410ce6437cc8e9d400a3e8e695cdcec63752840096637a16c1d875e43ce1c40e43553f16337ff835

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\ReadMe.txt

MD5 06a5df751eb0765e69bfb15e12f4c665
SHA1 7394bf7df2dda47bf8d55bfbc880d2a2316054ac
SHA256 8b9d97c137459a495936af47f5140fe75f795728a30e9ec3d8ac9c1cb2e5c65f
SHA512 aabd6aa18646192bd49e5343e0129e696b1e003a16e8205fd36aa863be9c97aadf9ac67bba96629d21ea5921e89ce6a401e74d9347aa77468f3854dc64e20558

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\QFXUpdateService.exe

MD5 4ed21ae3ae981538ab61f199d4477b92
SHA1 d7266d30270bce21dffb62ed7f2e47fee9890fc2
SHA256 7053dae7f3d11cee5b0ca0363320104857c73aad6a0f2f9af398c2f4e607a95b
SHA512 f4768e7ccc73d5ae8f9da526875b12f571c36ba7c7c9d08aa1a455926a34560f11598f677242c5513ed750a384bd9b1107b57975487603f49e6c16eea92bcbdb

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\project.xml

MD5 189dc774be74d9453606a7a80cd730e6
SHA1 1a70d362b8bd78cdfe7949f3438b346fe8c69adb
SHA256 3af50be8a1086fff8726686340b4a3883125406f20ac0f72396363891ecc26c6
SHA512 68679076938165c6bb669d5ac7fbe979ae34611b6eda3030eea5361872993c7922a705185ac4016e221ccd6220f8af31e0d3821241d410bbfe744e6c29588a9e

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\license.htm

MD5 fbe23ef8575dd46ea36f06dd627e94ab
SHA1 d80929568026e2d1db891742331229f1fd0c7e34
SHA256 104c6948b760b0dc6fb80f9283a7978229e8be4bab316fe5fa883dccc18dc8ab
SHA512 caba58d22a835c2a9a0c420129631add230ebbb16edc36b45766348f5c7d5e5c9f8dc2edd71622f8876f8777d3c797a3e6dd2da7ea1a743cbca73d1e4ad27d20

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Languages\KSLangJPN.dll

MD5 bc5feb50bc7a25e4c08e3bcd8d2bc1c5
SHA1 fb703a62a503ce8a697e8d8c648f6c09408b2f53
SHA256 d52120ab6b006b1f5bda114129d78b7d11ff33e707c3e689cd6bc15dca836da9
SHA512 84699f9de5079fa6c89430d81c76cc89ffd73cc7a9ae2f1a6e5a92bbdb2db5de9461436fb134ce8ff5074b1eea7e56a72432e0e6595d9e141a44f0290e124214

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Languages\KSLangCHT.dll

MD5 07e327539ff319611d858a4c9575ed02
SHA1 53d74091a51d96bb9b946a06803e16d3a9139df6
SHA256 d4afb96b37351ebbe9763fe0110a0859e62f6a065abfa840af5454505b3cd80e
SHA512 906a346bb8f5842a81a1b5f4fc54b71d9db9c390bcdc2dfbaf723eb40ad247c456fccc7a0fd77130c666dd80d2821de1e3487ad62528405a3ec86e503202bc67

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\KeyScramblerLogon.dll

MD5 760aa6f15db378dda44f262e1349e28d
SHA1 9bb9a0caa54e8b2560245430f33985996b2d40f3
SHA256 ee04957d0010ca2134c4770b434b2fdec08a25400b474dd51f47d5d1dc8d574b
SHA512 c6cf081dc189d88c85d01832f5cb09ff42c1264d7d4c548a336a33b97ec0b0b24aeb25076fd24db7db2f7a7ced6eccc67d26497352f7eeb1d29bb9c0a59abce6

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\keyscrambler.sys

MD5 9baf5236d65a36ed2c388cf04108ab9f
SHA1 f5e28edea04a00b5e8806130cd2736336c6e3792
SHA256 9e79960a40797c11a007d9c8e6a4bce721baf603f5d651f5485eb5481c717b12
SHA512 1fc899c37e628adbe05a53812e6106332de7dbef83ce72094dd228067eefa71d09abe55d250b35d93f7454b9596073de95af6700e543c17bb5d43e7de0fcac1b

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\getting_started.html

MD5 da033601ee343eaa7f5d609a854b4baa
SHA1 e279b127a9ce7582a626c29dd02a0b88ff10d966
SHA256 e4312722cf4e6e179f7c50e8fcc618d583a38ba71046aee2d67090d7a37ee5da
SHA512 b6c53aabc3c1c41d639f5877dc81dbf05145c8feb4101e20afd45dbafdc5f2af90394dda3c26836a34d4382135fbdcc899795a58a40d3974fcaff7f4f8002a9d

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\EMCOMSI.pbproj

MD5 2d190d00ca9f4a0da4ea26e6da13307e
SHA1 72cfa041994c30b527cc7f1cf6f4f5877edb35b9
SHA256 7c22e0a9afe2f9f4724711c456a049a113cc600d55167598be17ba1ab5124025
SHA512 e16e6bc6e164a40efc47d6cdb7ddd2bcbffe4760c8ad1eec21dcba2d1d3f61d688b26e89d454c24b89847d26aaf824fdb5b9b18a7ae85612c1e3a255021ec5e5

C:\Windows\Installer\MSIE037.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

memory/764-176-0x0000000004250000-0x0000000004430000-memory.dmp

memory/2224-178-0x00000000006C0000-0x00000000006C1000-memory.dmp

memory/2224-179-0x0000000000780000-0x0000000000781000-memory.dmp

memory/764-770-0x0000000000CC0000-0x00000000010C0000-memory.dmp

memory/2224-771-0x0000000010410000-0x000000001048F000-memory.dmp

\??\c:\temp\hecbgea.au3

MD5 2e0faac53060f5d57029aaedb0d91c67
SHA1 f8502e476658270ce6068a5bd91f65afeb25c16c
SHA256 a2be457dc7fc5d5662e5db1b51b77094898449fedab7b1a9f837c093c249c5ba
SHA512 21f19112928b0f9fa27d1f53881884b1aa931d630887de7f1aa0bb5584fe85c0d7003cbe389d641580c0939e140f6fcd9d2160783b9b4e81f58fdb883ff66da3

C:\ProgramData\gaebbbb\dhehcff\akgffaa

MD5 695b814d1725722c99e997894b4366d9
SHA1 2344f541706ab917722c7e1db6bdbcd5300d2072
SHA256 7a6d7ad0cfa119a77138d662b3425a58c282be16e9e497f21b00f4c564be733c
SHA512 6a02c15b0471ca8fa70a9b6ed125dce09cce8bda569429b0d81e1cccebc5d9acac9ed1126572b3577def1c524ea1190647608cc4bae8276e8aa7ec2d669ceae7

memory/3044-781-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

memory/3044-784-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

memory/764-783-0x0000000004250000-0x0000000004430000-memory.dmp

memory/2224-812-0x0000000010410000-0x000000001048F000-memory.dmp

memory/764-1206-0x0000000004250000-0x0000000004430000-memory.dmp

memory/3044-1386-0x0000000010490000-0x000000001050F000-memory.dmp

\??\c:\temp\fhhcghc

MD5 b5eabfd7f9c0281015673b7e77cd7a8e
SHA1 41efabfddd1b4602212eebe3c56f2481c8508446
SHA256 6e85922da423010d5e8dcbbed8ea43a2cdc3343dbf520f5a8569d4f266d924c3
SHA512 dd87c9783c806f4eb47aeab1f12d55cc7bd1580429bbc8bc2766450c29cb0f79e8163b1dc982cd5cca42190a32eb12ce0be2fc18f462a3d2104ca8d09d524d7c

C:\ProgramData\gaebbbb\hecbgea.au3

MD5 0dd6b3d8ed12170f20fb70c7b1a296d6
SHA1 3e15cb4b5983a27e164144d3f8acf8a8a22932ad
SHA256 986a5ef7dbdde4c642ad3f073887b5b4a8d7e3869b75802a5a96f6affc55e0b8
SHA512 b0631474c33e4ca9216e69e2196b7b4b61c901125cd6fc7c00393044a191dbe745e9a648ea4f3b2996dfd4c2cae75b7bbc0a531fdea433182aefe7416b890abe
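
Grouping this list by SHA256 rather than by path is what turns it into something usable: the same content shows up under different names (script.au3 in the installer's files directory and \??\c:\temp\hecbgea.au3 have identical hashes, as do MSID77F.tmp and MSIE037.tmp), the hecbgea.au3 written to C:\ProgramData\gaebbbb is a different file from the one in c:\temp, and a sandbox export can list the same path and hash more than once. The example below is added here and is not part of the report; it parses a constructed subset of the section in the flattened layout shown above (SHA512 lines omitted), drops repeated listings, reports content that appears under more than one path, and picks out files written to the staging directories seen in this run. The staging-directory list is the example's own assumption.

```python
from collections import defaultdict

# Constructed sample: a subset of the Files section above in its extracted
# layout (path, blank line, one "ALGO hex" line per hash). memory/... entries
# are dump names without hashes and are skipped.
FILES_SECTION = r"""
C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\script.au3

MD5 2e0faac53060f5d57029aaedb0d91c67
SHA1 f8502e476658270ce6068a5bd91f65afeb25c16c
SHA256 a2be457dc7fc5d5662e5db1b51b77094898449fedab7b1a9f837c093c249c5ba

memory/2224-771-0x0000000010410000-0x000000001048F000-memory.dmp

\??\c:\temp\hecbgea.au3

MD5 2e0faac53060f5d57029aaedb0d91c67
SHA1 f8502e476658270ce6068a5bd91f65afeb25c16c
SHA256 a2be457dc7fc5d5662e5db1b51b77094898449fedab7b1a9f837c093c249c5ba

C:\ProgramData\gaebbbb\hecbgea.au3

MD5 0dd6b3d8ed12170f20fb70c7b1a296d6
SHA1 3e15cb4b5983a27e164144d3f8acf8a8a22932ad
SHA256 986a5ef7dbdde4c642ad3f073887b5b4a8d7e3869b75802a5a96f6affc55e0b8

C:\ProgramData\gaebbbb\dhehcff\akgffaa

MD5 695b814d1725722c99e997894b4366d9
SHA1 2344f541706ab917722c7e1db6bdbcd5300d2072
SHA256 7a6d7ad0cfa119a77138d662b3425a58c282be16e9e497f21b00f4c564be733c

C:\ProgramData\gaebbbb\dhehcff\akgffaa

MD5 695b814d1725722c99e997894b4366d9
SHA1 2344f541706ab917722c7e1db6bdbcd5300d2072
SHA256 7a6d7ad0cfa119a77138d662b3425a58c282be16e9e497f21b00f4c564be733c

C:\Users\Admin\AppData\Local\Temp\MW-509ef421-1fa8-41b2-a1be-41400f79b831\files\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
"""

HASHES = ("MD5", "SHA1", "SHA256", "SHA512")
# Assumption of this example: the directories this run used to stage payloads.
STAGING = (r"\??\c:\temp", r"c:\programdata")


def parse_records(text):
    """Turn the flattened Files section into [{'path': ..., 'md5': ..., 'sha256': ...}, ...]."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        algo, _, value = line.partition(" ")
        if algo in HASHES and current is not None:
            current[algo.lower()] = value
        elif line.startswith("memory/"):
            current = None  # dump entry: no hashes follow, nothing to record
        else:
            current = {"path": line}
            records.append(current)
    return [r for r in records if "sha256" in r]


def dedupe(records):
    """Drop repeated (path, sha256) listings, keeping first-seen order."""
    seen, out = set(), []
    for r in records:
        key = (r["path"].lower(), r["sha256"])
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def copies_by_hash(records):
    """SHA256 -> sorted paths, for content that appears under more than one path."""
    by_hash = defaultdict(set)
    for r in records:
        by_hash[r["sha256"]].add(r["path"])
    return {h: sorted(paths) for h, paths in by_hash.items() if len(paths) > 1}


def staged_files(records):
    """Paths written to the staging directories (case-insensitive prefix match)."""
    return [r["path"] for r in records if r["path"].lower().startswith(STAGING)]


if __name__ == "__main__":
    unique = dedupe(parse_records(FILES_SECTION))
    for sha256, paths in copies_by_hash(unique).items():
        print(sha256, "appears at:", *paths, sep="\n  ")
    print("staged:", *staged_files(unique), sep="\n  ")
```

On the sample, the six listings reduce to five distinct files; one SHA256 (a2be457d...) maps to two paths, confirming that script.au3 was copied to c:\temp unchanged, while the ProgramData copy of hecbgea.au3 is not grouped with it because its hash differs. Feeding the full section through the same functions gives the deduplicated hash list to push to an EDR blocklist.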