darkgate | cb6631977fd57aea2c49e62263131b3e20a071495ad63adb3363ca6fd0d3184a

Analysis

max time kernel
122s
max time network
125s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
02-03-2024 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de69281050c18627c8e75a3f4cdf933db77ace2a8dd13ef753f61ad6e0a405ad.msi
Size

3.2MB
MD5

6922c8d97e6d60135a3c55302ce1eecf
SHA1

f3714edb96b5db59b392058292ed486dfd3d3629
SHA256

de69281050c18627c8e75a3f4cdf933db77ace2a8dd13ef753f61ad6e0a405ad
SHA512

2477b8432ffd9a0873608d978b30a8eea129d6180a18437a3a204c875ec2469e4eb0db2a6c52b6d2bb3e1881fcb0e1e29934d73608499694545cfdda5bf53494
SSDEEP

49152:qpUPqczdMZnZajVw8XsmOL8ruQO7/rsGQNTRJD+jQW/XRaWEr1bCU:qpmBUZaZw8u8rJOjrsG2apKGU

Score

10^/10

darkgate admin888 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

pjnbadfjandkadm3kd.com

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
true
check_ram
true
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
wVImrJRl
minimum_disk
100
minimum_ram
7000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 3 IoCs

resource	yara_rule
behavioral1/memory/2272-95-0x0000000003780000-0x0000000004750000-memory.dmp	family_darkgate_v6
behavioral1/memory/2272-96-0x0000000004DA0000-0x00000000050EE000-memory.dmp	family_darkgate_v6
behavioral1/memory/2272-98-0x0000000004DA0000-0x00000000050EE000-memory.dmp	family_darkgate_v6

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1520	ICACLS.EXE
1984	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f762d38.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f762d38.msi	msiexec.exe
File created	C:\Windows\Installer\f762d39.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSI2E70.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f762d39.ipi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
1444	KeyScramblerLogon.exe
2272	Autoit3.exe

Loads dropped DLL 7 IoCs

pid	Process
1564	MsiExec.exe
1564	MsiExec.exe
1564	MsiExec.exe
1564	MsiExec.exe
1564	MsiExec.exe
1444	KeyScramblerLogon.exe
1444	KeyScramblerLogon.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1700	msiexec.exe
1700	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2184	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2184	msiexec.exe
Token: SeRestorePrivilege	1700	msiexec.exe
Token: SeTakeOwnershipPrivilege	1700	msiexec.exe
Token: SeSecurityPrivilege	1700	msiexec.exe
Token: SeCreateTokenPrivilege	2184	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2184	msiexec.exe
Token: SeLockMemoryPrivilege	2184	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2184	msiexec.exe
Token: SeMachineAccountPrivilege	2184	msiexec.exe
Token: SeTcbPrivilege	2184	msiexec.exe
Token: SeSecurityPrivilege	2184	msiexec.exe
Token: SeTakeOwnershipPrivilege	2184	msiexec.exe
Token: SeLoadDriverPrivilege	2184	msiexec.exe
Token: SeSystemProfilePrivilege	2184	msiexec.exe
Token: SeSystemtimePrivilege	2184	msiexec.exe
Token: SeProfSingleProcessPrivilege	2184	msiexec.exe
Token: SeIncBasePriorityPrivilege	2184	msiexec.exe
Token: SeCreatePagefilePrivilege	2184	msiexec.exe
Token: SeCreatePermanentPrivilege	2184	msiexec.exe
Token: SeBackupPrivilege	2184	msiexec.exe
Token: SeRestorePrivilege	2184	msiexec.exe
Token: SeShutdownPrivilege	2184	msiexec.exe
Token: SeDebugPrivilege	2184	msiexec.exe
Token: SeAuditPrivilege	2184	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2184	msiexec.exe
Token: SeChangeNotifyPrivilege	2184	msiexec.exe
Token: SeRemoteShutdownPrivilege	2184	msiexec.exe
Token: SeUndockPrivilege	2184	msiexec.exe
Token: SeSyncAgentPrivilege	2184	msiexec.exe
Token: SeEnableDelegationPrivilege	2184	msiexec.exe
Token: SeManageVolumePrivilege	2184	msiexec.exe
Token: SeImpersonatePrivilege	2184	msiexec.exe
Token: SeCreateGlobalPrivilege	2184	msiexec.exe
Token: SeBackupPrivilege	2712	vssvc.exe
Token: SeRestorePrivilege	2712	vssvc.exe
Token: SeAuditPrivilege	2712	vssvc.exe
Token: SeBackupPrivilege	1700	msiexec.exe
Token: SeRestorePrivilege	1700	msiexec.exe
Token: SeRestorePrivilege	1536	DrvInst.exe
Token: SeRestorePrivilege	1536	DrvInst.exe
Token: SeRestorePrivilege	1536	DrvInst.exe
Token: SeRestorePrivilege	1536	DrvInst.exe
Token: SeRestorePrivilege	1536	DrvInst.exe
Token: SeRestorePrivilege	1536	DrvInst.exe
Token: SeRestorePrivilege	1536	DrvInst.exe
Token: SeLoadDriverPrivilege	1536	DrvInst.exe
Token: SeLoadDriverPrivilege	1536	DrvInst.exe
Token: SeLoadDriverPrivilege	1536	DrvInst.exe
Token: SeRestorePrivilege	1700	msiexec.exe
Token: SeTakeOwnershipPrivilege	1700	msiexec.exe
Token: SeRestorePrivilege	1700	msiexec.exe
Token: SeTakeOwnershipPrivilege	1700	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2184	msiexec.exe
2184	msiexec.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 1700 wrote to memory of 1564	1700	msiexec.exe	32
PID 1700 wrote to memory of 1564	1700	msiexec.exe	32
PID 1700 wrote to memory of 1564	1700	msiexec.exe	32
PID 1700 wrote to memory of 1564	1700	msiexec.exe	32
PID 1700 wrote to memory of 1564	1700	msiexec.exe	32
PID 1700 wrote to memory of 1564	1700	msiexec.exe	32
PID 1700 wrote to memory of 1564	1700	msiexec.exe	32
PID 1564 wrote to memory of 1520	1564	MsiExec.exe	33
PID 1564 wrote to memory of 1520	1564	MsiExec.exe	33
PID 1564 wrote to memory of 1520	1564	MsiExec.exe	33
PID 1564 wrote to memory of 1520	1564	MsiExec.exe	33
PID 1564 wrote to memory of 2260	1564	MsiExec.exe	35
PID 1564 wrote to memory of 2260	1564	MsiExec.exe	35
PID 1564 wrote to memory of 2260	1564	MsiExec.exe	35
PID 1564 wrote to memory of 2260	1564	MsiExec.exe	35
PID 1564 wrote to memory of 1444	1564	MsiExec.exe	37
PID 1564 wrote to memory of 1444	1564	MsiExec.exe	37
PID 1564 wrote to memory of 1444	1564	MsiExec.exe	37
PID 1564 wrote to memory of 1444	1564	MsiExec.exe	37
PID 1444 wrote to memory of 2272	1444	KeyScramblerLogon.exe	38
PID 1444 wrote to memory of 2272	1444	KeyScramblerLogon.exe	38
PID 1444 wrote to memory of 2272	1444	KeyScramblerLogon.exe	38
PID 1444 wrote to memory of 2272	1444	KeyScramblerLogon.exe	38
PID 1564 wrote to memory of 1324	1564	MsiExec.exe	39
PID 1564 wrote to memory of 1324	1564	MsiExec.exe	39
PID 1564 wrote to memory of 1324	1564	MsiExec.exe	39
PID 1564 wrote to memory of 1324	1564	MsiExec.exe	39
PID 1564 wrote to memory of 1984	1564	MsiExec.exe	41
PID 1564 wrote to memory of 1984	1564	MsiExec.exe	41
PID 1564 wrote to memory of 1984	1564	MsiExec.exe	41
PID 1564 wrote to memory of 1984	1564	MsiExec.exe	41

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\de69281050c18627c8e75a3f4cdf933db77ace2a8dd13ef753f61ad6e0a405ad.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2184

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 159F8129B7D7A30E2EAA81DF2DFC9929
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1564
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-9dd9ab33-5f61-4670-94d6-d7c028e4db7b\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:1520
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:2260
- - C:\Users\Admin\AppData\Local\Temp\MW-9dd9ab33-5f61-4670-94d6-d7c028e4db7b\files\KeyScramblerLogon.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-9dd9ab33-5f61-4670-94d6-d7c028e4db7b\files\KeyScramblerLogon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1444
  - - \??\c:\temp\Autoit3.exe
      "c:\temp\Autoit3.exe" c:\temp\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-9dd9ab33-5f61-4670-94d6-d7c028e4db7b\files"
    3⤵
    PID:1324
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-9dd9ab33-5f61-4670-94d6-d7c028e4db7b\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:1984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000574" "0000000000000498"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1536

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-9dd9ab33-5f61-4670-94d6-d7c028e4db7b\files.cab

Filesize
2.9MB

MD5
01d622632dbbacf38144c286e0592ca2

SHA1
7c580efe8be24bb5b347ff123bf649b63c9a77ce

SHA256
e2141b7864c5e8ebf0fadb016afa9648ef9d46df9fa26dce5f913387acec219d

SHA512
3826bd82e78b2e301c4eab4d893f4e72a36fd4be170a00ef3cb34ad647b00e9bd201f24fe436fa80909671a7038c2128b7c4d5e489f4104b9525957e6ea1b895

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9dd9ab33-5f61-4670-94d6-d7c028e4db7b\files\KeyScramblerIE.DLL

Filesize
929KB

MD5
cbdebca0624a78f0d9adbd4af5c4773f

SHA1
7256fcaf986e685e7c5ca4f69178b386ccb2e59f

SHA256
1afac9ba20b60b6fee7708026165f089ab28f28b868166789c6ae2eb1d4f5a8f

SHA512
dfad441832a63efff88f97dd2e0327b2864819113aff7041f1409059da6d06896fa45470a2ca4119277aa33f611dcb302ddaf8ad93498883f1790bc04f5b03d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9dd9ab33-5f61-4670-94d6-d7c028e4db7b\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9dd9ab33-5f61-4670-94d6-d7c028e4db7b\files\sqlite3.dll

Filesize
1.5MB

MD5
fc125c903267e34c6729a7b74d2267e6

SHA1
654473ea4e18623909df5369ae6f75564699c175

SHA256
3aea69935cd5759732e403dc3b220b062f8fa582066d32be59a11b2d78ab19b4

SHA512
a7a886b6aec0ee89f1dd137c06a338035c3a304f588dba318ab5e7bf63d6c109c7fb420d063ed244d8b351ee4390d24505ad6294e9250d691662a06dfd878a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9dd9ab33-5f61-4670-94d6-d7c028e4db7b\msiwrapper.ini

Filesize
1KB

MD5
5f24f6ab7961dd61d2b9b5a7700301b0

SHA1
5bee79a363dd8a9484244b7d26d3b502dd481308

SHA256
5c8e173822a8d775fd7d64186a25a41a45545b67ab8bb5cdc7a5d02bc509f0a0

SHA512
9198bc0c4363a983cbe08f4d76adb08661e9396ecc310ac1ea5eaa022a3515eac0f4cea5c81f9ce56591f7829bc1e7e67f6fe42113a061b43a6a007c1fd6fed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-9dd9ab33-5f61-4670-94d6-d7c028e4db7b\msiwrapper.ini

Filesize
1KB

MD5
1150260c64e1a203ccfed19d54e7d0a9

SHA1
eb5d598ebd09f7e4cbe74ae7d6c92176a6811220

SHA256
4f08866811d41431c47ae4c9dd556686380ecf072f4c983cec3df3729a39eeab

SHA512
652a117332c5815232080ef5cde7533122b82c303c898a89be6481ec8449bf42a5fad17fd9f8232e960f94d57f1d88374f6199cce39db398ff20a6f255f2ce78

Download Submit
C:\Windows\Installer\MSI2E70.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\??\c:\temp\script.au3

Filesize
469KB

MD5
5d96e041da78366fb70f972308ebc5d9

SHA1
8dcc25d1bb736adf3b94e9a415597b45df0f1828

SHA256
009bf4414bd1e2d3fe7757d5302c9dc52d686235cab6df278df79db67cedecd3

SHA512
d3d25de8c0843e102cd9d34f8fcb674b067c501d97bcf72bbdae7bdc65f333e9d6b01f78bb6059e7b0ea6f2482f0aff018aa9f934f736224a8c8589559b4c742

Download Submit
\??\c:\temp\test.txt

Filesize
76B

MD5
e9fd91421b3e079be0052a2fc206283b

SHA1
0f09e6fcfc81a628190a6920fc9deee2b99632e9

SHA256
10c491967d675c25b67030162be119894b99396cf60db4663a92ef9df4e2df25

SHA512
ff8188de44e2881799e91c5761ecae9f3646f8e8d283f34aad71cee5f5d0b24d2ba7f11413b72af3caa60ce2cebf89cf649125e8a9b3dfb5c6540421196f1d5e

Download Submit
\temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/1444-88-0x0000000074960000-0x0000000074A54000-memory.dmp

Filesize
976KB

Download
memory/1444-90-0x0000000002390000-0x0000000002514000-memory.dmp

Filesize
1.5MB

Download
memory/1444-81-0x0000000002390000-0x0000000002514000-memory.dmp

Filesize
1.5MB

Download
memory/2272-95-0x0000000003780000-0x0000000004750000-memory.dmp

Filesize
15.8MB

Download
memory/2272-96-0x0000000004DA0000-0x00000000050EE000-memory.dmp

Filesize
3.3MB

Download
memory/2272-98-0x0000000004DA0000-0x00000000050EE000-memory.dmp

Filesize
3.3MB

Download