darkgate | 1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7

Analysis

max time kernel
155s
max time network
163s
platform
windows7_x64
resource
win7-20231023-en
resource tags

arch:x64arch:x86image:win7-20231023-enlocale:en-usos:windows7-x64system
submitted
24/10/2023, 19:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7msi_JC.msi
Size

9.2MB
MD5

69f900118f985990f488121cd1cf5e2b
SHA1

33f6b7aac2afaba74eeac1a44ba9ec5d0a53d00c
SHA256

1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7
SHA512

09ae36c29bfbb09ed1fdc3da5ed365fa61cf2905e177909b6a8fcef8e0a25742d1acffdb13378b91c3fa607ecece4de39b380894b6df9152f06350972bbfaa42
SSDEEP

196608:zhbWzPMCeNrs0rczeuNr/QnMOsaB9QVuHSzdUupBqbHSDjs6cv1HDQfgaP:FbWzPM5HCZNrgMVw6wyZUupkjSPcv1jO

Score

10^/10

darkgate civilian1337 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

civilian1337

http://185.130.227.202

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
2351
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
VPsTDMdPtonzYs
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
civilian1337

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 64 IoCs

description	pid	Process	procid_target
PID 2920 created 1812	2920	Autoit3.exe	40
PID 2920 created 2372	2920	Autoit3.exe	26
PID 2920 created 688	2920	Autoit3.exe	44
PID 2920 created 2372	2920	Autoit3.exe	26
PID 2920 created 2372	2920	Autoit3.exe	26
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1128	984	cmd.exe	12
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1236	984	cmd.exe	11
PID 984 created 1236	984	cmd.exe	11

Blocklisted process makes network request 64 IoCs

flow	pid	Process
5	984	cmd.exe
6	984	cmd.exe
7	984	cmd.exe
8	984	cmd.exe
9	984	cmd.exe
10	984	cmd.exe
11	984	cmd.exe
12	984	cmd.exe
13	984	cmd.exe
14	984	cmd.exe
15	984	cmd.exe
16	984	cmd.exe
17	984	cmd.exe
18	984	cmd.exe
19	984	cmd.exe
20	984	cmd.exe
21	984	cmd.exe
22	984	cmd.exe
23	984	cmd.exe
24	984	cmd.exe
25	984	cmd.exe
26	984	cmd.exe
27	984	cmd.exe
28	984	cmd.exe
29	984	cmd.exe
30	984	cmd.exe
31	984	cmd.exe
32	984	cmd.exe
33	984	cmd.exe
34	984	cmd.exe
35	984	cmd.exe
36	984	cmd.exe
37	984	cmd.exe
38	984	cmd.exe
39	984	cmd.exe
40	984	cmd.exe
41	984	cmd.exe
42	984	cmd.exe
43	984	cmd.exe
44	984	cmd.exe
45	984	cmd.exe
46	984	cmd.exe
47	984	cmd.exe
48	984	cmd.exe
49	984	cmd.exe
50	984	cmd.exe
51	984	cmd.exe
52	984	cmd.exe
53	984	cmd.exe
54	984	cmd.exe
55	984	cmd.exe
56	984	cmd.exe
57	984	cmd.exe
58	984	cmd.exe
59	984	cmd.exe
60	984	cmd.exe
61	984	cmd.exe
62	984	cmd.exe
63	984	cmd.exe
64	984	cmd.exe
65	984	cmd.exe
66	984	cmd.exe
67	984	cmd.exe
68	984	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ckkkada.lnk	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1072	windbg.exe
2920	Autoit3.exe

Loads dropped DLL 8 IoCs

pid	Process
2792	MsiExec.exe
2792	MsiExec.exe
2792	MsiExec.exe
2792	MsiExec.exe
2792	MsiExec.exe
1072	windbg.exe
1072	windbg.exe
984	cmd.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
112	ICACLS.EXE
2072	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2920 set thread context of 984	2920	Autoit3.exe	49

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f76b471.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\f76b472.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB71F.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76b471.msi	msiexec.exe
File created	C:\Windows\Installer\f76b472.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\bin_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\bin_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\bin_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.bin	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\.bin\ = "bin_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\bin_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\bin_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3618187007-3650799920-3290345941-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1556	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2300	msiexec.exe
2300	msiexec.exe
2920	Autoit3.exe
2920	Autoit3.exe
2920	Autoit3.exe
2920	Autoit3.exe
2920	Autoit3.exe
2920	Autoit3.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe
984	cmd.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2372	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2372	msiexec.exe
Token: SeRestorePrivilege	2300	msiexec.exe
Token: SeTakeOwnershipPrivilege	2300	msiexec.exe
Token: SeSecurityPrivilege	2300	msiexec.exe
Token: SeCreateTokenPrivilege	2372	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2372	msiexec.exe
Token: SeLockMemoryPrivilege	2372	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2372	msiexec.exe
Token: SeMachineAccountPrivilege	2372	msiexec.exe
Token: SeTcbPrivilege	2372	msiexec.exe
Token: SeSecurityPrivilege	2372	msiexec.exe
Token: SeTakeOwnershipPrivilege	2372	msiexec.exe
Token: SeLoadDriverPrivilege	2372	msiexec.exe
Token: SeSystemProfilePrivilege	2372	msiexec.exe
Token: SeSystemtimePrivilege	2372	msiexec.exe
Token: SeProfSingleProcessPrivilege	2372	msiexec.exe
Token: SeIncBasePriorityPrivilege	2372	msiexec.exe
Token: SeCreatePagefilePrivilege	2372	msiexec.exe
Token: SeCreatePermanentPrivilege	2372	msiexec.exe
Token: SeBackupPrivilege	2372	msiexec.exe
Token: SeRestorePrivilege	2372	msiexec.exe
Token: SeShutdownPrivilege	2372	msiexec.exe
Token: SeDebugPrivilege	2372	msiexec.exe
Token: SeAuditPrivilege	2372	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2372	msiexec.exe
Token: SeChangeNotifyPrivilege	2372	msiexec.exe
Token: SeRemoteShutdownPrivilege	2372	msiexec.exe
Token: SeUndockPrivilege	2372	msiexec.exe
Token: SeSyncAgentPrivilege	2372	msiexec.exe
Token: SeEnableDelegationPrivilege	2372	msiexec.exe
Token: SeManageVolumePrivilege	2372	msiexec.exe
Token: SeImpersonatePrivilege	2372	msiexec.exe
Token: SeCreateGlobalPrivilege	2372	msiexec.exe
Token: SeBackupPrivilege	2672	vssvc.exe
Token: SeRestorePrivilege	2672	vssvc.exe
Token: SeAuditPrivilege	2672	vssvc.exe
Token: SeBackupPrivilege	2300	msiexec.exe
Token: SeRestorePrivilege	2300	msiexec.exe
Token: SeRestorePrivilege	2520	DrvInst.exe
Token: SeRestorePrivilege	2520	DrvInst.exe
Token: SeRestorePrivilege	2520	DrvInst.exe
Token: SeRestorePrivilege	2520	DrvInst.exe
Token: SeRestorePrivilege	2520	DrvInst.exe
Token: SeRestorePrivilege	2520	DrvInst.exe
Token: SeRestorePrivilege	2520	DrvInst.exe
Token: SeLoadDriverPrivilege	2520	DrvInst.exe
Token: SeLoadDriverPrivilege	2520	DrvInst.exe
Token: SeLoadDriverPrivilege	2520	DrvInst.exe
Token: SeRestorePrivilege	2300	msiexec.exe
Token: SeTakeOwnershipPrivilege	2300	msiexec.exe
Token: SeRestorePrivilege	2300	msiexec.exe
Token: SeTakeOwnershipPrivilege	2300	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2372	msiexec.exe
2372	msiexec.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2300 wrote to memory of 2792	2300	msiexec.exe	31
PID 2300 wrote to memory of 2792	2300	msiexec.exe	31
PID 2300 wrote to memory of 2792	2300	msiexec.exe	31
PID 2300 wrote to memory of 2792	2300	msiexec.exe	31
PID 2300 wrote to memory of 2792	2300	msiexec.exe	31
PID 2300 wrote to memory of 2792	2300	msiexec.exe	31
PID 2300 wrote to memory of 2792	2300	msiexec.exe	31
PID 2792 wrote to memory of 112	2792	MsiExec.exe	32
PID 2792 wrote to memory of 112	2792	MsiExec.exe	32
PID 2792 wrote to memory of 112	2792	MsiExec.exe	32
PID 2792 wrote to memory of 112	2792	MsiExec.exe	32
PID 2792 wrote to memory of 692	2792	MsiExec.exe	34
PID 2792 wrote to memory of 692	2792	MsiExec.exe	34
PID 2792 wrote to memory of 692	2792	MsiExec.exe	34
PID 2792 wrote to memory of 692	2792	MsiExec.exe	34
PID 2792 wrote to memory of 1072	2792	MsiExec.exe	36
PID 2792 wrote to memory of 1072	2792	MsiExec.exe	36
PID 2792 wrote to memory of 1072	2792	MsiExec.exe	36
PID 2792 wrote to memory of 1072	2792	MsiExec.exe	36
PID 2792 wrote to memory of 1072	2792	MsiExec.exe	36
PID 2792 wrote to memory of 1072	2792	MsiExec.exe	36
PID 2792 wrote to memory of 1072	2792	MsiExec.exe	36
PID 1072 wrote to memory of 2920	1072	windbg.exe	37
PID 1072 wrote to memory of 2920	1072	windbg.exe	37
PID 1072 wrote to memory of 2920	1072	windbg.exe	37
PID 1072 wrote to memory of 2920	1072	windbg.exe	37
PID 2792 wrote to memory of 3020	2792	MsiExec.exe	38
PID 2792 wrote to memory of 3020	2792	MsiExec.exe	38
PID 2792 wrote to memory of 3020	2792	MsiExec.exe	38
PID 2792 wrote to memory of 3020	2792	MsiExec.exe	38
PID 2920 wrote to memory of 1812	2920	Autoit3.exe	40
PID 2920 wrote to memory of 1812	2920	Autoit3.exe	40
PID 2920 wrote to memory of 1812	2920	Autoit3.exe	40
PID 2920 wrote to memory of 1812	2920	Autoit3.exe	40
PID 2920 wrote to memory of 1812	2920	Autoit3.exe	40
PID 2920 wrote to memory of 1812	2920	Autoit3.exe	40
PID 2920 wrote to memory of 1812	2920	Autoit3.exe	40
PID 2792 wrote to memory of 2072	2792	MsiExec.exe	41
PID 2792 wrote to memory of 2072	2792	MsiExec.exe	41
PID 2792 wrote to memory of 2072	2792	MsiExec.exe	41
PID 2792 wrote to memory of 2072	2792	MsiExec.exe	41
PID 2920 wrote to memory of 2360	2920	Autoit3.exe	43
PID 2920 wrote to memory of 2360	2920	Autoit3.exe	43
PID 2920 wrote to memory of 2360	2920	Autoit3.exe	43
PID 2920 wrote to memory of 2360	2920	Autoit3.exe	43
PID 2360 wrote to memory of 1556	2360	cmd.exe	45
PID 2360 wrote to memory of 1556	2360	cmd.exe	45
PID 2360 wrote to memory of 1556	2360	cmd.exe	45
PID 2360 wrote to memory of 1556	2360	cmd.exe	45
PID 2920 wrote to memory of 984	2920	Autoit3.exe	49
PID 2920 wrote to memory of 984	2920	Autoit3.exe	49
PID 2920 wrote to memory of 984	2920	Autoit3.exe	49
PID 2920 wrote to memory of 984	2920	Autoit3.exe	49
PID 2920 wrote to memory of 984	2920	Autoit3.exe	49
PID 2920 wrote to memory of 984	2920	Autoit3.exe	49

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1236

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1128

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NEAS.1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7msi_JC.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2372

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 33DF56A76EE90ED027C1DCB79176D96B
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:112
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:692
- - C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1072
  - - \??\c:\tmpa\Autoit3.exe
      c:\tmpa\Autoit3.exe c:\tmpa\script.au3
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files\data.bin
        5⤵
        Modifies registry class
        
        PID:1812
    - - \??\c:\windows\SysWOW64\cmd.exe
        
        "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 & del /q /f c:\tmpa\* & rmdir /s /q c:\tmpa\ exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2360
      - \??\c:\windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:1556
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Blocklisted process makes network request
        Drops startup file
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:984
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files"
    3⤵
    PID:3020
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:2072

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2672

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004EC" "00000000000003B4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-3797421731776392785238835488-448511294-1329150459697527786307603185-1056407104"
1⤵
PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\haaahce\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\haaahce\kcaaghc\fgfhafc

Filesize
170B

MD5
b80c01782aac6a52ee3f2f96600bec89

SHA1
afd6eb8737666c068991b2d640bce048d07e45ee

SHA256
475d84a04d5111574946242e2d891841f4cb931bc52d97f1fe994b4c385421f2

SHA512
e20d88d94741be801ddc6ea2af7d59c97e450d98209e461ff09b9736d620be14edce1f207cb43ec7cc4de8d2a1cd41421d077a20f0c8bfbb1d8dd3f49d2364e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files.cab

Filesize
8.9MB

MD5
3a4de3260c72e38f814cc2a7b2d42df7

SHA1
19458fb6838dd9d8be113b0b9983c7d77c12eb25

SHA256
411776c8e92afa462d734d14b7c569341442e5d7726009e80eaa497b5e09deb7

SHA512
3493664ecdb50d0c0d4f2646aabdd24a20fb435f4799af96f95f625aa983842c1baf7977956964d77d5b344c9e2551d60f007230838bc7a82bc40a2c9714cc0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files\00001-~1.PNG

Filesize
1.1MB

MD5
fd49f38e666f94abdbd9cc0bb842c29b

SHA1
36a00401a015d0719787d5a65c86784760ee93ff

SHA256
1f5620bf07b2c25dd18fea78288c48fb2f7b5f0a5cfc1ee6c8d8dbf6029c442f

SHA512
2fc40f776e84574f915e418c4b946097234faceb9902239015d2b80e683fe61d623035644055dddb6f7b92160b3c8663795f8a27bf16c5b137c7053cc9f4f612

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files\00002-~1.PNG

Filesize
1.0MB

MD5
f68d2ca13e1268dd79e95591b976ec45

SHA1
588454301e3c25065349740573282145aa0a5c7b

SHA256
af008f94fe42c29b1c7da7abe02e5edaaf9b89b1c8383e646ccfc8e0e7a66460

SHA512
a34b648c8453df91b88d7143237e5decf84a979bfe19a98ae5cff2d37081683236502ad2f62b585409cefae98da89e92acfc8665af40d3f7c9ece4c90e32ebae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files\00003-~1.PNG

Filesize
1.1MB

MD5
7dbe5e4b98d7601585cfb9697f265e0f

SHA1
da8477a2494b1436664c535d7c854bf778942a76

SHA256
c3c4c040c61bbf8432d4450e34b7101110de26e5e4671736d64535b06189a288

SHA512
38e8d0e103096fee998aae33179ad15eee50acc57236bb75bf115f99bd7fa1e1d5fe386ab9a3adcced910f5114c36459c06b55b2218e8020832066eea3755d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files\00004-~1.PNG

Filesize
1.0MB

MD5
85da5b7fd4b6983fffe78853c5276c03

SHA1
49a68d92beabfdfce7b2939f35a7b3e4bdc2bc96

SHA256
ff2a43f449bf81510c74eee9cd867bef4226c9c909b698e636ca8c56135d57ba

SHA512
c1d19bde8f9d434e29322edb8ac8892a475385bf97b5afd2f655175f1da6ce3ebc9df196585f3ea6a2a1755a1ec0fba2b60f203408ceebbea7801f4d1ab92f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files\00005-~1.PNG

Filesize
1.0MB

MD5
602b44b5e0a94c61c7ae501966eb4fd5

SHA1
853f5c83bedd4523cb72ca127cc6c269ac99e2d9

SHA256
2e3feac0a21a7fa351458ef1fed86f6f7a282c15fbc7f21cac29f874db9da4f3

SHA512
e7fe6c8965a35faecb3ab7bf6a3f8ed7a58aba891c5d5a2addec6aeda4a6790cef78a7874a386d89327d6bcb1e90ad376444d37d44fd0c604d6905dbd7ac6c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files\00007-~1.PNG

Filesize
1.1MB

MD5
9a40cf65a81a8f618a4f562e2494a557

SHA1
3b06e119cc017bbe99c06906779f40f2d04b08ad

SHA256
087b59e3bfe212a96303f20122e9b9636753956fedaf2e1c8336e2e08c39f4e6

SHA512
745722fdeeb9d5f9011825d4826fb3c7c0fdeb0751a156a396b537c458854c376aac60a4709036ebf78e6d2d27cfeb302ef52ecfb1bfa3a6c238240d98839920

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files\00008-~1.PNG

Filesize
1.1MB

MD5
452b0afd9436be767a0ee61e98ef0356

SHA1
736f12f84f8af0bd04f5b207f31cba8dd359ae03

SHA256
0348e5297e8040b2cc3e83e2c6edf6ccbfa122af0b3880ebd079c0dda3286c9a

SHA512
2fc4deaadd35f691aca0af4fb2e36201a2f68e7f7dcda9fe4da01d0b72c4cb8e448ca69d90d1cb230abfc2dc795ff785c1a1b2e95b5ab8fc0833d86013660338

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files\DATAPI~1.JPG

Filesize
159KB

MD5
008b295295c49c6d07161baff5f7212b

SHA1
f89d13817531957967be21327c8180a35960d04d

SHA256
9f42965324b20db9ad4b9ab00217eade01e6978d9e68d03669adbe9a9fe66134

SHA512
6d8aae2cca7f283c0b850236763a0cb51947053b50758e4be7515ce76fc4e47876e6478e08934922e57ba9646e2fe35be23369617b7904038eee452ba363495e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files\data.bin

Filesize
92KB

MD5
8b305b67e45165844d2f8547a085d782

SHA1
92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722

SHA256
776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b

SHA512
2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files\data2.bin

Filesize
1.8MB

MD5
7673659bf664bd45a6f3c38b7d1c25d3

SHA1
a9b40ab4590b77887417ec33ecd061c98490176a

SHA256
41339e85c54f960b04039fd47df735c5ce78d99ede511364c8c8c2ad81f38c7d

SHA512
14ca50e20b3830765e8f116fc48ea49faabf3e7ede9f8768d5d0e70803d466ef506fe953f53057eb7e2f78009029d87b780c78127e1026b161bb095bf8c4ab24

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files\dbgeng.dll

Filesize
542KB

MD5
a1defa998f5984c7819cffd68664e00a

SHA1
9b0b17a2d660a2a51c8188186f394f8fe1650552

SHA256
abbb1d098f8ee24b0881278bee4228a59bb021242aba16af593c944c489e829f

SHA512
792ef593f78ffc453500f413640dee030bcf2bdd383697b01dc343f5e02e2b0f31b75ad68860fd7cfcae355e450e0d532ba99d1a912de7b47ced76fbc68fea24

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\msiwrapper.ini

Filesize
1KB

MD5
703366dcde206069063835fa8b43a471

SHA1
b0a6d53a24c168a2dc59223b900ed192b82f37af

SHA256
01a7c25455ce0e3eb20f5877db6b60bfcb98f69b7f1b831e015eb3532b3ac62e

SHA512
f59d7c6ddbce2087a6a3652037e59964456653f710be2aff6130f180eb9767cd5cdd1d743613c6c688f778811326e7858bfa1bc05e43561f65dc9b299a292115

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\msiwrapper.ini

Filesize
1KB

MD5
703366dcde206069063835fa8b43a471

SHA1
b0a6d53a24c168a2dc59223b900ed192b82f37af

SHA256
01a7c25455ce0e3eb20f5877db6b60bfcb98f69b7f1b831e015eb3532b3ac62e

SHA512
f59d7c6ddbce2087a6a3652037e59964456653f710be2aff6130f180eb9767cd5cdd1d743613c6c688f778811326e7858bfa1bc05e43561f65dc9b299a292115

Download Submit
C:\Windows\Installer\MSIB71F.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\ahhebba.au3

Filesize
490KB

MD5
e6c14274f52c3de09b65c182807d6fe9

SHA1
5bd19f63092e62a0071af3bf031bea6fc8071cc8

SHA256
5fde42453eb2e4f1eef7cec5667093bd52d4712bffef4e383f154286b7ee9aa9

SHA512
7aa121c8d0d6f979c960882cd72a6c4766535bb277879b5040723fce3e206cc64df5c8438d5fe05e219796be4795cf25aacd13e91d8e0e24a58a17bd07f0ec4e

Download Submit
\??\c:\tmpa\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\tmpa\script.au3

Filesize
490KB

MD5
e6c14274f52c3de09b65c182807d6fe9

SHA1
5bd19f63092e62a0071af3bf031bea6fc8071cc8

SHA256
5fde42453eb2e4f1eef7cec5667093bd52d4712bffef4e383f154286b7ee9aa9

SHA512
7aa121c8d0d6f979c960882cd72a6c4766535bb277879b5040723fce3e206cc64df5c8438d5fe05e219796be4795cf25aacd13e91d8e0e24a58a17bd07f0ec4e

Download Submit
\ProgramData\haaahce\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files\dbgeng.dll

Filesize
542KB

MD5
a1defa998f5984c7819cffd68664e00a

SHA1
9b0b17a2d660a2a51c8188186f394f8fe1650552

SHA256
abbb1d098f8ee24b0881278bee4228a59bb021242aba16af593c944c489e829f

SHA512
792ef593f78ffc453500f413640dee030bcf2bdd383697b01dc343f5e02e2b0f31b75ad68860fd7cfcae355e450e0d532ba99d1a912de7b47ced76fbc68fea24

Download Submit
\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
\Users\Admin\AppData\Local\Temp\MW-159bbba6-10c5-49af-9326-6900b293f626\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
\Windows\Installer\MSIB71F.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/984-165-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-208-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-226-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-225-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-145-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/984-146-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-224-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-222-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-150-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-148-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-152-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-223-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-221-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-157-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-158-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-220-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-219-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-218-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-217-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-166-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-167-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-168-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-169-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-170-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-171-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-172-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-173-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-174-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-175-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-176-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-177-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-178-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-179-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-180-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-181-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-182-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-183-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-184-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-194-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-195-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-196-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-197-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-198-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-199-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-200-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-201-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-203-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-202-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-204-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-205-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-206-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-207-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-216-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-209-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-211-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-210-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-212-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-213-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-215-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/984-214-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/1072-106-0x0000000000100000-0x000000000018D000-memory.dmp

Filesize
564KB

Download
memory/1072-110-0x0000000000250000-0x0000000000350000-memory.dmp

Filesize
1024KB

Download
memory/1072-117-0x0000000000100000-0x000000000018D000-memory.dmp

Filesize
564KB

Download
memory/2920-142-0x0000000002F50000-0x000000000327A000-memory.dmp

Filesize
3.2MB

Download
memory/2920-123-0x0000000000880000-0x0000000000C80000-memory.dmp

Filesize
4.0MB

Download
memory/2920-124-0x0000000002F50000-0x000000000327A000-memory.dmp

Filesize
3.2MB

Download
memory/2920-141-0x0000000002F50000-0x000000000327A000-memory.dmp

Filesize
3.2MB

Download
memory/2920-149-0x0000000002F50000-0x000000000327A000-memory.dmp

Filesize
3.2MB

Download
memory/2920-147-0x0000000000880000-0x0000000000C80000-memory.dmp

Filesize
4.0MB

Download
memory/2920-144-0x0000000002F50000-0x000000000327A000-memory.dmp

Filesize
3.2MB

Download
memory/2920-143-0x0000000002F50000-0x000000000327A000-memory.dmp

Filesize
3.2MB

Download