darkgate | d0a0a3ac8865737a917983d10cf7307ed235aa4102d146f6858818694ab8f3f4

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
19-10-2023 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8474da7e8a71af08d6c2eae2de2a93edc2b77bb93399fc1b1895fbd8.msi
Size

2.8MB
MD5

8f82b80d2996a27e5efd72c1748a6048
SHA1

7c3deb150d73fe97e8efd1086bd42dca859a4766
SHA256

d0a0a3ac8865737a917983d10cf7307ed235aa4102d146f6858818694ab8f3f4
SHA512

9f476032cf5dbdfa57d2fa34deb8330eca8b118ffcfb344f013437758311cd390f51c5ca803a2cef93bf9b54854451362a68e1fac16a330e39479a14a32df69d
SSDEEP

49152:KpUPZCQMukBtM5X1nMg1Y6PWG0QIaqZQxxWsprXhTrdMqsI1Jqf1vOEMH+3iplvB:Kp2czg71Y6PWGZIaOYxWs1hTrdMqvJqg

Score

10^/10

darkgate civilian1337 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

civilian1337

http://185.130.227.202

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
2351
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
HLzTkCBjqtAfzL
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
civilian1337

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 64 IoCs

description	pid	Process	procid_target
PID 692 created 2012	692	Autoit3.exe	41
PID 692 created 1564	692	Autoit3.exe	43
PID 692 created 2012	692	Autoit3.exe	41
PID 692 created 1132	692	Autoit3.exe	11
PID 692 created 2012	692	Autoit3.exe	41
PID 692 created 2012	692	Autoit3.exe	41
PID 692 created 1564	692	Autoit3.exe	43
PID 692 created 1564	692	Autoit3.exe	43
PID 692 created 1132	692	Autoit3.exe	11
PID 692 created 2012	692	Autoit3.exe	41
PID 692 created 1132	692	Autoit3.exe	11
PID 692 created 1132	692	Autoit3.exe	11
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 1132	1824	cmd.exe	11
PID 1824 created 1132	1824	cmd.exe	11
PID 1824 created 1244	1824	cmd.exe	18
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 1244	1824	cmd.exe	18
PID 1824 created 1132	1824	cmd.exe	11
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 1132	1824	cmd.exe	11
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 1244	1824	cmd.exe	18
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 1244	1824	cmd.exe	18
PID 1824 created 1244	1824	cmd.exe	18
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 1132	1824	cmd.exe	11
PID 1824 created 1132	1824	cmd.exe	11
PID 1824 created 1244	1824	cmd.exe	18
PID 1824 created 1244	1824	cmd.exe	18
PID 1824 created 1244	1824	cmd.exe	18
PID 1824 created 1132	1824	cmd.exe	11
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 1244	1824	cmd.exe	18
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 1244	1824	cmd.exe	18
PID 1824 created 1244	1824	cmd.exe	18
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 1244	1824	cmd.exe	18
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 1132	1824	cmd.exe	11
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 1244	1824	cmd.exe	18
PID 1824 created 1244	1824	cmd.exe	18
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 1132	1824	cmd.exe	11
PID 1824 created 1132	1824	cmd.exe	11
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 1132	1824	cmd.exe	11
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 1132	1824	cmd.exe	11
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 1244	1824	cmd.exe	18
PID 1824 created 1132	1824	cmd.exe	11
PID 1824 created 2012	1824	cmd.exe	41
PID 1824 created 1132	1824	cmd.exe	11
PID 1824 created 2012	1824	cmd.exe	41

Blocklisted process makes network request 64 IoCs

flow	pid	Process
4	1824	cmd.exe
5	1824	cmd.exe
6	1824	cmd.exe
7	1824	cmd.exe
8	1824	cmd.exe
9	1824	cmd.exe
10	1824	cmd.exe
11	1824	cmd.exe
12	1824	cmd.exe
13	1824	cmd.exe
14	1824	cmd.exe
15	1824	cmd.exe
16	1824	cmd.exe
17	1824	cmd.exe
18	1824	cmd.exe
19	1824	cmd.exe
20	1824	cmd.exe
21	1824	cmd.exe
22	1824	cmd.exe
23	1824	cmd.exe
24	1824	cmd.exe
25	1824	cmd.exe
26	1824	cmd.exe
27	1824	cmd.exe
28	1824	cmd.exe
29	1824	cmd.exe
30	1824	cmd.exe
31	1824	cmd.exe
32	1824	cmd.exe
33	1824	cmd.exe
34	1824	cmd.exe
35	1824	cmd.exe
36	1824	cmd.exe
37	1824	cmd.exe
38	1824	cmd.exe
39	1824	cmd.exe
40	1824	cmd.exe
41	1824	cmd.exe
42	1824	cmd.exe
43	1824	cmd.exe
44	1824	cmd.exe
45	1824	cmd.exe
46	1824	cmd.exe
47	1824	cmd.exe
48	1824	cmd.exe
49	1824	cmd.exe
50	1824	cmd.exe
51	1824	cmd.exe
52	1824	cmd.exe
53	1824	cmd.exe
54	1824	cmd.exe
55	1824	cmd.exe
56	1824	cmd.exe
57	1824	cmd.exe
58	1824	cmd.exe
59	1824	cmd.exe
60	1824	cmd.exe
61	1824	cmd.exe
62	1824	cmd.exe
63	1824	cmd.exe
64	1824	cmd.exe
65	1824	cmd.exe
66	1824	cmd.exe
67	1824	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fcehhcb.lnk	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2024	windbg.exe
692	Autoit3.exe

Loads dropped DLL 9 IoCs

pid	Process
3048	MsiExec.exe
3048	MsiExec.exe
3048	MsiExec.exe
3048	MsiExec.exe
3048	MsiExec.exe
2024	windbg.exe
2024	windbg.exe
3048	MsiExec.exe
1824	cmd.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2596	ICACLS.EXE
2604	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 692 set thread context of 1824	692	Autoit3.exe	45

Drops file in Windows directory 13 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f7673f9.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8557.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI86CE.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI75AD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f7673f9.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File created	C:\Windows\Installer\f7673f8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f7673f8.msi	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1108	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2204	msiexec.exe
2204	msiexec.exe
692	Autoit3.exe
692	Autoit3.exe
692	Autoit3.exe
692	Autoit3.exe
692	Autoit3.exe
692	Autoit3.exe
692	Autoit3.exe
692	Autoit3.exe
692	Autoit3.exe
692	Autoit3.exe
692	Autoit3.exe
692	Autoit3.exe
692	Autoit3.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe
1824	cmd.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1064	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1064	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeSecurityPrivilege	2204	msiexec.exe
Token: SeCreateTokenPrivilege	1064	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1064	msiexec.exe
Token: SeLockMemoryPrivilege	1064	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1064	msiexec.exe
Token: SeMachineAccountPrivilege	1064	msiexec.exe
Token: SeTcbPrivilege	1064	msiexec.exe
Token: SeSecurityPrivilege	1064	msiexec.exe
Token: SeTakeOwnershipPrivilege	1064	msiexec.exe
Token: SeLoadDriverPrivilege	1064	msiexec.exe
Token: SeSystemProfilePrivilege	1064	msiexec.exe
Token: SeSystemtimePrivilege	1064	msiexec.exe
Token: SeProfSingleProcessPrivilege	1064	msiexec.exe
Token: SeIncBasePriorityPrivilege	1064	msiexec.exe
Token: SeCreatePagefilePrivilege	1064	msiexec.exe
Token: SeCreatePermanentPrivilege	1064	msiexec.exe
Token: SeBackupPrivilege	1064	msiexec.exe
Token: SeRestorePrivilege	1064	msiexec.exe
Token: SeShutdownPrivilege	1064	msiexec.exe
Token: SeDebugPrivilege	1064	msiexec.exe
Token: SeAuditPrivilege	1064	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1064	msiexec.exe
Token: SeChangeNotifyPrivilege	1064	msiexec.exe
Token: SeRemoteShutdownPrivilege	1064	msiexec.exe
Token: SeUndockPrivilege	1064	msiexec.exe
Token: SeSyncAgentPrivilege	1064	msiexec.exe
Token: SeEnableDelegationPrivilege	1064	msiexec.exe
Token: SeManageVolumePrivilege	1064	msiexec.exe
Token: SeImpersonatePrivilege	1064	msiexec.exe
Token: SeCreateGlobalPrivilege	1064	msiexec.exe
Token: SeBackupPrivilege	2304	vssvc.exe
Token: SeRestorePrivilege	2304	vssvc.exe
Token: SeAuditPrivilege	2304	vssvc.exe
Token: SeBackupPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	892	DrvInst.exe
Token: SeRestorePrivilege	892	DrvInst.exe
Token: SeRestorePrivilege	892	DrvInst.exe
Token: SeRestorePrivilege	892	DrvInst.exe
Token: SeRestorePrivilege	892	DrvInst.exe
Token: SeRestorePrivilege	892	DrvInst.exe
Token: SeRestorePrivilege	892	DrvInst.exe
Token: SeLoadDriverPrivilege	892	DrvInst.exe
Token: SeLoadDriverPrivilege	892	DrvInst.exe
Token: SeLoadDriverPrivilege	892	DrvInst.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe
Token: SeRestorePrivilege	2204	msiexec.exe
Token: SeTakeOwnershipPrivilege	2204	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1064	msiexec.exe
1064	msiexec.exe
2012	DllHost.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 3048	2204	msiexec.exe	32
PID 2204 wrote to memory of 3048	2204	msiexec.exe	32
PID 2204 wrote to memory of 3048	2204	msiexec.exe	32
PID 2204 wrote to memory of 3048	2204	msiexec.exe	32
PID 2204 wrote to memory of 3048	2204	msiexec.exe	32
PID 2204 wrote to memory of 3048	2204	msiexec.exe	32
PID 2204 wrote to memory of 3048	2204	msiexec.exe	32
PID 3048 wrote to memory of 2596	3048	MsiExec.exe	33
PID 3048 wrote to memory of 2596	3048	MsiExec.exe	33
PID 3048 wrote to memory of 2596	3048	MsiExec.exe	33
PID 3048 wrote to memory of 2596	3048	MsiExec.exe	33
PID 3048 wrote to memory of 2724	3048	MsiExec.exe	35
PID 3048 wrote to memory of 2724	3048	MsiExec.exe	35
PID 3048 wrote to memory of 2724	3048	MsiExec.exe	35
PID 3048 wrote to memory of 2724	3048	MsiExec.exe	35
PID 3048 wrote to memory of 2024	3048	MsiExec.exe	37
PID 3048 wrote to memory of 2024	3048	MsiExec.exe	37
PID 3048 wrote to memory of 2024	3048	MsiExec.exe	37
PID 3048 wrote to memory of 2024	3048	MsiExec.exe	37
PID 3048 wrote to memory of 2024	3048	MsiExec.exe	37
PID 3048 wrote to memory of 2024	3048	MsiExec.exe	37
PID 3048 wrote to memory of 2024	3048	MsiExec.exe	37
PID 2024 wrote to memory of 692	2024	windbg.exe	38
PID 2024 wrote to memory of 692	2024	windbg.exe	38
PID 2024 wrote to memory of 692	2024	windbg.exe	38
PID 2024 wrote to memory of 692	2024	windbg.exe	38
PID 3048 wrote to memory of 2604	3048	MsiExec.exe	39
PID 3048 wrote to memory of 2604	3048	MsiExec.exe	39
PID 3048 wrote to memory of 2604	3048	MsiExec.exe	39
PID 3048 wrote to memory of 2604	3048	MsiExec.exe	39
PID 692 wrote to memory of 2968	692	Autoit3.exe	42
PID 692 wrote to memory of 2968	692	Autoit3.exe	42
PID 692 wrote to memory of 2968	692	Autoit3.exe	42
PID 692 wrote to memory of 2968	692	Autoit3.exe	42
PID 2968 wrote to memory of 1108	2968	cmd.exe	44
PID 2968 wrote to memory of 1108	2968	cmd.exe	44
PID 2968 wrote to memory of 1108	2968	cmd.exe	44
PID 2968 wrote to memory of 1108	2968	cmd.exe	44
PID 692 wrote to memory of 1824	692	Autoit3.exe	45
PID 692 wrote to memory of 1824	692	Autoit3.exe	45
PID 692 wrote to memory of 1824	692	Autoit3.exe	45
PID 692 wrote to memory of 1824	692	Autoit3.exe	45
PID 692 wrote to memory of 1824	692	Autoit3.exe	45
PID 692 wrote to memory of 1824	692	Autoit3.exe	45

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1244

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8474da7e8a71af08d6c2eae2de2a93edc2b77bb93399fc1b1895fbd8.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1064

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5653519F5EB14D1CD9DC713324C2F8BB
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3048
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2596
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:2724
- - C:\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2024
  - - \??\c:\tmpp\Autoit3.exe
      c:\tmpp\Autoit3.exe c:\tmpp\test.au3
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:692
    - - \??\c:\windows\SysWOW64\cmd.exe
        
        "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 & del /q /f c:\tmpp\* & rmdir /s /q c:\tmpp\ exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - \??\c:\windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1108
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Blocklisted process makes network request
        Drops startup file
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:1824
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:2604

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2304

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003B4" "000000000000031C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
1⤵
- Suspicious use of FindShellTrayWindow
PID:2012

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "966252551-189934438511949299831766987875-119848859824711644-1000846973-283324048"
1⤵
PID:1564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\caacada\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\caacada\ebagfgf\fbhbbce

Filesize
170B

MD5
eeb4cc72fcca299a25d01a05bde7dc71

SHA1
c8057baed9ce709401c0487812f99ea66bb819ce

SHA256
6a6413cdda11a4978db89bd85b5cd336fb7fd669438389698502cc767846587c

SHA512
6dee9d5a41ff36d9248671684718f7b366ef334bf28d718228df50a384c82c6fdf4ba39ab0541167f6c4072d093ea1f88c1bd703429cb045441791834dd93778

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\files.cab

Filesize
2.6MB

MD5
7b9bdbec97cd227e8b03ce1e797a98c3

SHA1
226cb4b94545a5e4e00fe2209252182cc3b4dc66

SHA256
fd23dddaf0d3698c0a9bda2235ac79071a4caa68e5a9635fd3f681979c020ed2

SHA512
9cb96d687965e63a5fb30ea75c52a4a56061c7f0ee93f23a1676c44b2b1973d8c6722c1d409ad28f0a8cf78fa8f3e419f537de89416c6f8252f58788b35ac7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\files\00595-1017085943.png

Filesize
661KB

MD5
e5f36215426555498dbba13bb15b012c

SHA1
013d8597350e791f68a72dd1b089a3252e67b0e2

SHA256
c67232ee5b6e81e173fb18c7ea395105de9138da921ef17ce2e3d8ff9eb8a8d7

SHA512
d27dfc373ed1054cebfe72141da96f314fbaa826109c3a1ea844be968a7f87ea208efa113a7e785e3619a034c54764b79a5133c20e0193eb225bd62b1647b814

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\files\datacountry.png

Filesize
93KB

MD5
a4693a1dd2c47ff19154bc9943fac883

SHA1
0303db5fa3289953eeb5b8b4e44cc42c3be2bf10

SHA256
10129ba8547d56ba4e6f763918f0f3f8e7fabb9292e289b9dad2ae7d05cbadb4

SHA512
bacf272d29c52ee8f468fbe861146ff25760c224038bb11b33ec919c5371ecb59a2c3e39163ea2f966c8a7865f3defcff9cf5e1c980b7d5db7a6c19d67251495

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\files\dbgeng.dll

Filesize
2.7MB

MD5
ea7ff1907bdaf0fcfab733e020a70b4c

SHA1
1b141ae68ccd8b453fdbfa151c1f0bfd6dea85e5

SHA256
1fbca6c9c3667f6f196ea18111f624c7468be6c7b7cbdb5c1b21e2fdec2e2925

SHA512
5b9433c72c606e21c1fb3ee1830cb3dc7911cf839a52fd38626627c0b6cbe9c158bf9636ff45b68db77e3ca97c43cb54731e3221583549ab0bd5a3fd4c29a22a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\files\unins000.dat

Filesize
62KB

MD5
5f6d7117758a11c5cc96725a4fc72348

SHA1
eede69efecd034bb059b90b1bdd48d406e80f5e9

SHA256
a5e75d0cb8ef19d4c28156a58b14958fee2ca7c8bf69e4cbb3c4333a0fd21202

SHA512
954d8c7ccc171e47ec495af646638e32f712624c707c6c6edcf860161ba337296c2fa955232e39f077d11d772717d47ee44eeb7554ac904d4936ce3b97fcd4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\files\unins000.exe

Filesize
1.1MB

MD5
a82fd06ad4339762ef1ea3e6ebf28fae

SHA1
5fa84f3ad4a2f1e078562c00e6bbad445418cdb0

SHA256
6c61ce9dec3052ae229596c8a32fc2cf8c9090b8b632998ef69de580cfeb1afd

SHA512
63eda89fb03ae581c888c189906ec84ea8061097ec55296c0c6bbfa649a9d7e58d5a299e6e2bacb7d9aa8abad62ceec1f5f4e47e4236f9d7de9aff76c502d052

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\files\unins000.msg

Filesize
22KB

MD5
3b1a9a56eede8c6335e94959d5231ac5

SHA1
8d256fc02492b6c51db9f3861746b386e62ba317

SHA256
161a04957d74daafb21d9a03dade488ae7ebcf90af0e7e41cad1445418a9b3ff

SHA512
9fb552bebb2b72cb8f2df55863ba529974ea0d81da83cffb12f95974faaeead1d623f1a6df87478d308cc69a5102cbd01109dd5b8cf0fe11e5132baa903ae6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\files\uninsTasks.txt

Filesize
22B

MD5
ed8842c313a411cf074fb082b7184ab0

SHA1
2e411a8b4b62c15e31415fa63742d4c40e8265df

SHA256
9bcb8b4872fb35ebb4413b554a9b8402b39119c78d120bdcef353ce511fc93ca

SHA512
019819aacc76617a466da73bfabdd892c407d7e74844329fa47ba3ea1e13379a41950988976b5021ac2cb9068da904ae93c249a229ff6dfa7fdb633f2adc1216

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\msiwrapper.ini

Filesize
1KB

MD5
f73978f6b7f60bd25c6ec6edf21e0639

SHA1
775a274e5219b39f63d0f48ef9f2ef4c1002b1db

SHA256
5f7fa87d5877c1f7c856a49fd4640c493ed0b77a4d5bc4ff637c2be653ddeccf

SHA512
908197b4c0a22bda5724bde212c1764e1338538e8eafdb4d92154ca887d614c068a5bf0b6e55ef92ec9542b65ab0b0586b110b453f10f46a7f00c86290154315

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\msiwrapper.ini

Filesize
370B

MD5
a1783cf976c648dcf84a7903dc513bb8

SHA1
7ff4d7cedda318d1742482142d92075b07aa5245

SHA256
957ba240c1b04bf758273cf6e722e67f49338fa312bff80a307a66dd009f13b4

SHA512
f8d165d388f519a6aa77fc722bfa40a5c1430f754856e0744b2fafdd32d7b9b845fae470cda71a1aa0e8724369d26836a03011779bb580ca39d7beb39a8a90c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\msiwrapper.ini

Filesize
1KB

MD5
3c80197f111202a81559477e90290dd0

SHA1
b73b8f273329ad78b38c55b5e784f36c37e0d59c

SHA256
828ffd5887774de5be7d767a44f93f5712f13831ee558c379737d23335455ba6

SHA512
66b458bdbb3eb614cce85a038ee4352c3ed7e40b9969abd81cbd6a6db21ff1a50dcdefc2f3096fbb3015aaeae14693ba348f318cb441c9f92cc02e25ec6e4dd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\msiwrapper.ini

Filesize
1KB

MD5
3c80197f111202a81559477e90290dd0

SHA1
b73b8f273329ad78b38c55b5e784f36c37e0d59c

SHA256
828ffd5887774de5be7d767a44f93f5712f13831ee558c379737d23335455ba6

SHA512
66b458bdbb3eb614cce85a038ee4352c3ed7e40b9969abd81cbd6a6db21ff1a50dcdefc2f3096fbb3015aaeae14693ba348f318cb441c9f92cc02e25ec6e4dd4

Download Submit
C:\Windows\Installer\MSI75AD.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI86CE.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\tmpp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\dcbafac.au3

Filesize
498KB

MD5
d7f6bfa501962aa242fa445ac78afa5c

SHA1
f9563cf07b077c10dbe9bbd139830f63e0852c6b

SHA256
d96635e537fb3128b5b1ce600c1739471893100a3450d82a224e89ed56e7db39

SHA512
73ce2fc450c08aaeda6b825e238773912eaeb3e6730b72a3c58c223782a98389e53ba5e1a565c37fb11c231744d2e09059db34734f05f89481c2ce10fb6de12b

Download Submit
\??\c:\tmpp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\tmpp\test.au3

Filesize
498KB

MD5
d7f6bfa501962aa242fa445ac78afa5c

SHA1
f9563cf07b077c10dbe9bbd139830f63e0852c6b

SHA256
d96635e537fb3128b5b1ce600c1739471893100a3450d82a224e89ed56e7db39

SHA512
73ce2fc450c08aaeda6b825e238773912eaeb3e6730b72a3c58c223782a98389e53ba5e1a565c37fb11c231744d2e09059db34734f05f89481c2ce10fb6de12b

Download Submit
\ProgramData\caacada\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\files\dbgeng.dll

Filesize
2.7MB

MD5
ea7ff1907bdaf0fcfab733e020a70b4c

SHA1
1b141ae68ccd8b453fdbfa151c1f0bfd6dea85e5

SHA256
1fbca6c9c3667f6f196ea18111f624c7468be6c7b7cbdb5c1b21e2fdec2e2925

SHA512
5b9433c72c606e21c1fb3ee1830cb3dc7911cf839a52fd38626627c0b6cbe9c158bf9636ff45b68db77e3ca97c43cb54731e3221583549ab0bd5a3fd4c29a22a

Download Submit
\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
\Users\Admin\AppData\Local\Temp\MW-2e3ccb2d-a2da-4b0a-8f38-d3b6283e99e9\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
\Windows\Installer\MSI75AD.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\Windows\Installer\MSI86CE.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\tmpp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/692-112-0x0000000000CB0000-0x00000000010B0000-memory.dmp

Filesize
4.0MB

Download
memory/692-139-0x0000000002EA0000-0x00000000031D2000-memory.dmp

Filesize
3.2MB

Download
memory/692-131-0x0000000002EA0000-0x00000000031D2000-memory.dmp

Filesize
3.2MB

Download
memory/692-132-0x0000000002EA0000-0x00000000031D2000-memory.dmp

Filesize
3.2MB

Download
memory/692-133-0x0000000002EA0000-0x00000000031D2000-memory.dmp

Filesize
3.2MB

Download
memory/692-134-0x0000000002EA0000-0x00000000031D2000-memory.dmp

Filesize
3.2MB

Download
memory/692-113-0x0000000002EA0000-0x00000000031D2000-memory.dmp

Filesize
3.2MB

Download
memory/692-123-0x0000000003F80000-0x0000000003F82000-memory.dmp

Filesize
8KB

Download
memory/692-137-0x0000000000CB0000-0x00000000010B0000-memory.dmp

Filesize
4.0MB

Download
memory/1824-170-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-175-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-140-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-142-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-136-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-219-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-135-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1824-218-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-149-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-148-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-217-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-216-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-156-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-157-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-158-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-159-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-160-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-161-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-162-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-163-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-164-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-165-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-166-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-167-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-168-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-169-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-215-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-171-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-172-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-173-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-174-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-138-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-176-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-189-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-190-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-191-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-193-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-194-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-195-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-196-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-197-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-198-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-199-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-200-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-201-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-202-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-203-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-204-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-205-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-206-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-207-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-208-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-209-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-210-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-211-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-212-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-213-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/1824-214-0x0000000000400000-0x0000000000466000-memory.dmp

Filesize
408KB

Download
memory/2012-126-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2012-147-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/2012-124-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download
memory/2024-94-0x0000000000770000-0x0000000000A34000-memory.dmp

Filesize
2.8MB

Download
memory/2024-101-0x0000000000770000-0x0000000000A34000-memory.dmp

Filesize
2.8MB

Download