darkgate | ceb8b96227f3fffeba164d7ace94391ec670e9187695b03ad7641c45349177cc

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
25-10-2023 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7.msi
Size

9.2MB
MD5

69f900118f985990f488121cd1cf5e2b
SHA1

33f6b7aac2afaba74eeac1a44ba9ec5d0a53d00c
SHA256

1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7
SHA512

09ae36c29bfbb09ed1fdc3da5ed365fa61cf2905e177909b6a8fcef8e0a25742d1acffdb13378b91c3fa607ecece4de39b380894b6df9152f06350972bbfaa42
SSDEEP

196608:zhbWzPMCeNrs0rczeuNr/QnMOsaB9QVuHSzdUupBqbHSDjs6cv1HDQfgaP:FbWzPM5HCZNrgMVw6wyZUupkjSPcv1jO

Score

10^/10

darkgate civilian1337 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

civilian1337

http://185.130.227.202

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
2351
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
VPsTDMdPtonzYs
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
civilian1337

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 64 IoCs

description	pid	Process	procid_target
PID 1520 created 3064	1520	Autoit3.exe	46
PID 1520 created 1620	1520	Autoit3.exe	47
PID 1520 created 3064	1520	Autoit3.exe	46
PID 1520 created 940	1520	Autoit3.exe	45
PID 1520 created 1620	1520	Autoit3.exe	47
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1164	2668	cmd.exe	15
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1112	2668	cmd.exe	16
PID 2668 created 1164	2668	cmd.exe	15

Blocklisted process makes network request 53 IoCs

flow	pid	Process
5	2668	cmd.exe
6	2668	cmd.exe
7	2668	cmd.exe
8	2668	cmd.exe
9	2668	cmd.exe
10	2668	cmd.exe
11	2668	cmd.exe
12	2668	cmd.exe
13	2668	cmd.exe
14	2668	cmd.exe
15	2668	cmd.exe
16	2668	cmd.exe
17	2668	cmd.exe
18	2668	cmd.exe
19	2668	cmd.exe
20	2668	cmd.exe
21	2668	cmd.exe
22	2668	cmd.exe
23	2668	cmd.exe
24	2668	cmd.exe
25	2668	cmd.exe
26	2668	cmd.exe
27	2668	cmd.exe
28	2668	cmd.exe
29	2668	cmd.exe
30	2668	cmd.exe
31	2668	cmd.exe
32	2668	cmd.exe
33	2668	cmd.exe
34	2668	cmd.exe
35	2668	cmd.exe
36	2668	cmd.exe
37	2668	cmd.exe
38	2668	cmd.exe
39	2668	cmd.exe
40	2668	cmd.exe
41	2668	cmd.exe
42	2668	cmd.exe
43	2668	cmd.exe
44	2668	cmd.exe
45	2668	cmd.exe
46	2668	cmd.exe
47	2668	cmd.exe
48	2668	cmd.exe
49	2668	cmd.exe
50	2668	cmd.exe
51	2668	cmd.exe
52	2668	cmd.exe
53	2668	cmd.exe
54	2668	cmd.exe
55	2668	cmd.exe
56	2668	cmd.exe
57	2668	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kafcaea.lnk	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2128	windbg.exe
1520	Autoit3.exe

Loads dropped DLL 8 IoCs

pid	Process
1908	MsiExec.exe
1908	MsiExec.exe
1908	MsiExec.exe
1908	MsiExec.exe
1908	MsiExec.exe
2128	windbg.exe
2128	windbg.exe
2668	cmd.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
272	ICACLS.EXE
2644	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1520 set thread context of 2668	1520	Autoit3.exe	50

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f76fae3.ipi	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\f76fae3.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76fae2.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76fae2.msi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIFD62.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\bin_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\bin_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\bin_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_Classes\Local Settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\bin_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\.bin	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\bin_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\.bin\ = "bin_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000_CLASSES\bin_auto_file\shell\Read	rundll32.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
900	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2764	msiexec.exe
2764	msiexec.exe
1520	Autoit3.exe
1520	Autoit3.exe
1520	Autoit3.exe
1520	Autoit3.exe
1520	Autoit3.exe
1520	Autoit3.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe
2668	cmd.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	892	msiexec.exe
Token: SeIncreaseQuotaPrivilege	892	msiexec.exe
Token: SeRestorePrivilege	2764	msiexec.exe
Token: SeTakeOwnershipPrivilege	2764	msiexec.exe
Token: SeSecurityPrivilege	2764	msiexec.exe
Token: SeCreateTokenPrivilege	892	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	892	msiexec.exe
Token: SeLockMemoryPrivilege	892	msiexec.exe
Token: SeIncreaseQuotaPrivilege	892	msiexec.exe
Token: SeMachineAccountPrivilege	892	msiexec.exe
Token: SeTcbPrivilege	892	msiexec.exe
Token: SeSecurityPrivilege	892	msiexec.exe
Token: SeTakeOwnershipPrivilege	892	msiexec.exe
Token: SeLoadDriverPrivilege	892	msiexec.exe
Token: SeSystemProfilePrivilege	892	msiexec.exe
Token: SeSystemtimePrivilege	892	msiexec.exe
Token: SeProfSingleProcessPrivilege	892	msiexec.exe
Token: SeIncBasePriorityPrivilege	892	msiexec.exe
Token: SeCreatePagefilePrivilege	892	msiexec.exe
Token: SeCreatePermanentPrivilege	892	msiexec.exe
Token: SeBackupPrivilege	892	msiexec.exe
Token: SeRestorePrivilege	892	msiexec.exe
Token: SeShutdownPrivilege	892	msiexec.exe
Token: SeDebugPrivilege	892	msiexec.exe
Token: SeAuditPrivilege	892	msiexec.exe
Token: SeSystemEnvironmentPrivilege	892	msiexec.exe
Token: SeChangeNotifyPrivilege	892	msiexec.exe
Token: SeRemoteShutdownPrivilege	892	msiexec.exe
Token: SeUndockPrivilege	892	msiexec.exe
Token: SeSyncAgentPrivilege	892	msiexec.exe
Token: SeEnableDelegationPrivilege	892	msiexec.exe
Token: SeManageVolumePrivilege	892	msiexec.exe
Token: SeImpersonatePrivilege	892	msiexec.exe
Token: SeCreateGlobalPrivilege	892	msiexec.exe
Token: SeBackupPrivilege	2712	vssvc.exe
Token: SeRestorePrivilege	2712	vssvc.exe
Token: SeAuditPrivilege	2712	vssvc.exe
Token: SeBackupPrivilege	2764	msiexec.exe
Token: SeRestorePrivilege	2764	msiexec.exe
Token: SeRestorePrivilege	844	DrvInst.exe
Token: SeRestorePrivilege	844	DrvInst.exe
Token: SeRestorePrivilege	844	DrvInst.exe
Token: SeRestorePrivilege	844	DrvInst.exe
Token: SeRestorePrivilege	844	DrvInst.exe
Token: SeRestorePrivilege	844	DrvInst.exe
Token: SeRestorePrivilege	844	DrvInst.exe
Token: SeLoadDriverPrivilege	844	DrvInst.exe
Token: SeLoadDriverPrivilege	844	DrvInst.exe
Token: SeLoadDriverPrivilege	844	DrvInst.exe
Token: SeRestorePrivilege	2764	msiexec.exe
Token: SeTakeOwnershipPrivilege	2764	msiexec.exe
Token: SeRestorePrivilege	2764	msiexec.exe
Token: SeTakeOwnershipPrivilege	2764	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
892	msiexec.exe
892	msiexec.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 1908	2764	msiexec.exe	34
PID 2764 wrote to memory of 1908	2764	msiexec.exe	34
PID 2764 wrote to memory of 1908	2764	msiexec.exe	34
PID 2764 wrote to memory of 1908	2764	msiexec.exe	34
PID 2764 wrote to memory of 1908	2764	msiexec.exe	34
PID 2764 wrote to memory of 1908	2764	msiexec.exe	34
PID 2764 wrote to memory of 1908	2764	msiexec.exe	34
PID 1908 wrote to memory of 2644	1908	MsiExec.exe	35
PID 1908 wrote to memory of 2644	1908	MsiExec.exe	35
PID 1908 wrote to memory of 2644	1908	MsiExec.exe	35
PID 1908 wrote to memory of 2644	1908	MsiExec.exe	35
PID 1908 wrote to memory of 1964	1908	MsiExec.exe	37
PID 1908 wrote to memory of 1964	1908	MsiExec.exe	37
PID 1908 wrote to memory of 1964	1908	MsiExec.exe	37
PID 1908 wrote to memory of 1964	1908	MsiExec.exe	37
PID 1908 wrote to memory of 2128	1908	MsiExec.exe	39
PID 1908 wrote to memory of 2128	1908	MsiExec.exe	39
PID 1908 wrote to memory of 2128	1908	MsiExec.exe	39
PID 1908 wrote to memory of 2128	1908	MsiExec.exe	39
PID 1908 wrote to memory of 2128	1908	MsiExec.exe	39
PID 1908 wrote to memory of 2128	1908	MsiExec.exe	39
PID 1908 wrote to memory of 2128	1908	MsiExec.exe	39
PID 2128 wrote to memory of 1520	2128	windbg.exe	40
PID 2128 wrote to memory of 1520	2128	windbg.exe	40
PID 2128 wrote to memory of 1520	2128	windbg.exe	40
PID 2128 wrote to memory of 1520	2128	windbg.exe	40
PID 1908 wrote to memory of 2368	1908	MsiExec.exe	41
PID 1908 wrote to memory of 2368	1908	MsiExec.exe	41
PID 1908 wrote to memory of 2368	1908	MsiExec.exe	41
PID 1908 wrote to memory of 2368	1908	MsiExec.exe	41
PID 1908 wrote to memory of 272	1908	MsiExec.exe	43
PID 1908 wrote to memory of 272	1908	MsiExec.exe	43
PID 1908 wrote to memory of 272	1908	MsiExec.exe	43
PID 1908 wrote to memory of 272	1908	MsiExec.exe	43
PID 1520 wrote to memory of 940	1520	Autoit3.exe	45
PID 1520 wrote to memory of 940	1520	Autoit3.exe	45
PID 1520 wrote to memory of 940	1520	Autoit3.exe	45
PID 1520 wrote to memory of 940	1520	Autoit3.exe	45
PID 1520 wrote to memory of 940	1520	Autoit3.exe	45
PID 1520 wrote to memory of 940	1520	Autoit3.exe	45
PID 1520 wrote to memory of 940	1520	Autoit3.exe	45
PID 1520 wrote to memory of 3064	1520	Autoit3.exe	46
PID 1520 wrote to memory of 3064	1520	Autoit3.exe	46
PID 1520 wrote to memory of 3064	1520	Autoit3.exe	46
PID 1520 wrote to memory of 3064	1520	Autoit3.exe	46
PID 3064 wrote to memory of 900	3064	cmd.exe	48
PID 3064 wrote to memory of 900	3064	cmd.exe	48
PID 3064 wrote to memory of 900	3064	cmd.exe	48
PID 3064 wrote to memory of 900	3064	cmd.exe	48
PID 1520 wrote to memory of 2668	1520	Autoit3.exe	50
PID 1520 wrote to memory of 2668	1520	Autoit3.exe	50
PID 1520 wrote to memory of 2668	1520	Autoit3.exe	50
PID 1520 wrote to memory of 2668	1520	Autoit3.exe	50
PID 1520 wrote to memory of 2668	1520	Autoit3.exe	50
PID 1520 wrote to memory of 2668	1520	Autoit3.exe	50

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1164

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1112

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:892

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 31A72E32F8C4FC1B38180585DCAA1529
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2644
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:1964
- - C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - \??\c:\tmpa\Autoit3.exe
      c:\tmpa\Autoit3.exe c:\tmpa\script.au3
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1520
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files\data.bin
        5⤵
        Modifies registry class
        
        PID:940
    - - \??\c:\windows\SysWOW64\cmd.exe
        
        "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 & del /q /f c:\tmpa\* & rmdir /s /q c:\tmpa\ exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3064
      - \??\c:\windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:900
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Blocklisted process makes network request
        Drops startup file
        Loads dropped DLL
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        
        PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files"
    3⤵
    PID:2368
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:272

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2712

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000060" "000000000000005C"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1069597323-518051178586674708170742475119371310631920204945-1388687120551427680"
1⤵
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\gaaakhk\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\gaaakhk\eabhbad\abhdbae

Filesize
170B

MD5
4c587f35fc2a2eb42efd4130485d550a

SHA1
06f7fc19e4697afcd4a2e182e953b747d0cf6ff9

SHA256
9c762af1d956cd5f196970ecae7e09ec3ee3d2dc48cb6a8e09dda3e5a29f964c

SHA512
487f89325ad7c81dc17679852b37c6ec41300f9cda407910a757d760fca58fdf1a5c494b042913a0b3a710730e9967f3369ad8dfeb2ab64e776b36da415d29df

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files.cab

Filesize
8.9MB

MD5
3a4de3260c72e38f814cc2a7b2d42df7

SHA1
19458fb6838dd9d8be113b0b9983c7d77c12eb25

SHA256
411776c8e92afa462d734d14b7c569341442e5d7726009e80eaa497b5e09deb7

SHA512
3493664ecdb50d0c0d4f2646aabdd24a20fb435f4799af96f95f625aa983842c1baf7977956964d77d5b344c9e2551d60f007230838bc7a82bc40a2c9714cc0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files\00001-~1.PNG

Filesize
1.1MB

MD5
fd49f38e666f94abdbd9cc0bb842c29b

SHA1
36a00401a015d0719787d5a65c86784760ee93ff

SHA256
1f5620bf07b2c25dd18fea78288c48fb2f7b5f0a5cfc1ee6c8d8dbf6029c442f

SHA512
2fc40f776e84574f915e418c4b946097234faceb9902239015d2b80e683fe61d623035644055dddb6f7b92160b3c8663795f8a27bf16c5b137c7053cc9f4f612

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files\00002-~1.PNG

Filesize
1.0MB

MD5
f68d2ca13e1268dd79e95591b976ec45

SHA1
588454301e3c25065349740573282145aa0a5c7b

SHA256
af008f94fe42c29b1c7da7abe02e5edaaf9b89b1c8383e646ccfc8e0e7a66460

SHA512
a34b648c8453df91b88d7143237e5decf84a979bfe19a98ae5cff2d37081683236502ad2f62b585409cefae98da89e92acfc8665af40d3f7c9ece4c90e32ebae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files\00003-~1.PNG

Filesize
1.1MB

MD5
7dbe5e4b98d7601585cfb9697f265e0f

SHA1
da8477a2494b1436664c535d7c854bf778942a76

SHA256
c3c4c040c61bbf8432d4450e34b7101110de26e5e4671736d64535b06189a288

SHA512
38e8d0e103096fee998aae33179ad15eee50acc57236bb75bf115f99bd7fa1e1d5fe386ab9a3adcced910f5114c36459c06b55b2218e8020832066eea3755d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files\00004-~1.PNG

Filesize
1.0MB

MD5
85da5b7fd4b6983fffe78853c5276c03

SHA1
49a68d92beabfdfce7b2939f35a7b3e4bdc2bc96

SHA256
ff2a43f449bf81510c74eee9cd867bef4226c9c909b698e636ca8c56135d57ba

SHA512
c1d19bde8f9d434e29322edb8ac8892a475385bf97b5afd2f655175f1da6ce3ebc9df196585f3ea6a2a1755a1ec0fba2b60f203408ceebbea7801f4d1ab92f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files\00005-~1.PNG

Filesize
1.0MB

MD5
602b44b5e0a94c61c7ae501966eb4fd5

SHA1
853f5c83bedd4523cb72ca127cc6c269ac99e2d9

SHA256
2e3feac0a21a7fa351458ef1fed86f6f7a282c15fbc7f21cac29f874db9da4f3

SHA512
e7fe6c8965a35faecb3ab7bf6a3f8ed7a58aba891c5d5a2addec6aeda4a6790cef78a7874a386d89327d6bcb1e90ad376444d37d44fd0c604d6905dbd7ac6c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files\00007-~1.PNG

Filesize
1.1MB

MD5
9a40cf65a81a8f618a4f562e2494a557

SHA1
3b06e119cc017bbe99c06906779f40f2d04b08ad

SHA256
087b59e3bfe212a96303f20122e9b9636753956fedaf2e1c8336e2e08c39f4e6

SHA512
745722fdeeb9d5f9011825d4826fb3c7c0fdeb0751a156a396b537c458854c376aac60a4709036ebf78e6d2d27cfeb302ef52ecfb1bfa3a6c238240d98839920

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files\00008-~1.PNG

Filesize
1.1MB

MD5
452b0afd9436be767a0ee61e98ef0356

SHA1
736f12f84f8af0bd04f5b207f31cba8dd359ae03

SHA256
0348e5297e8040b2cc3e83e2c6edf6ccbfa122af0b3880ebd079c0dda3286c9a

SHA512
2fc4deaadd35f691aca0af4fb2e36201a2f68e7f7dcda9fe4da01d0b72c4cb8e448ca69d90d1cb230abfc2dc795ff785c1a1b2e95b5ab8fc0833d86013660338

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files\DATAPI~1.JPG

Filesize
159KB

MD5
008b295295c49c6d07161baff5f7212b

SHA1
f89d13817531957967be21327c8180a35960d04d

SHA256
9f42965324b20db9ad4b9ab00217eade01e6978d9e68d03669adbe9a9fe66134

SHA512
6d8aae2cca7f283c0b850236763a0cb51947053b50758e4be7515ce76fc4e47876e6478e08934922e57ba9646e2fe35be23369617b7904038eee452ba363495e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files\data.bin

Filesize
92KB

MD5
8b305b67e45165844d2f8547a085d782

SHA1
92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722

SHA256
776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b

SHA512
2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files\data2.bin

Filesize
1.8MB

MD5
7673659bf664bd45a6f3c38b7d1c25d3

SHA1
a9b40ab4590b77887417ec33ecd061c98490176a

SHA256
41339e85c54f960b04039fd47df735c5ce78d99ede511364c8c8c2ad81f38c7d

SHA512
14ca50e20b3830765e8f116fc48ea49faabf3e7ede9f8768d5d0e70803d466ef506fe953f53057eb7e2f78009029d87b780c78127e1026b161bb095bf8c4ab24

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files\dbgeng.dll

Filesize
542KB

MD5
a1defa998f5984c7819cffd68664e00a

SHA1
9b0b17a2d660a2a51c8188186f394f8fe1650552

SHA256
abbb1d098f8ee24b0881278bee4228a59bb021242aba16af593c944c489e829f

SHA512
792ef593f78ffc453500f413640dee030bcf2bdd383697b01dc343f5e02e2b0f31b75ad68860fd7cfcae355e450e0d532ba99d1a912de7b47ced76fbc68fea24

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\msiwrapper.ini

Filesize
1010B

MD5
a0f7bd2f66aecdcf53c2eca2d37c8425

SHA1
a3a7fcda28c631973c4b4529e88965b79d00c860

SHA256
6601badefaeeeb8e6de3cd81c18af7923a39b2b27f4c61e591b5efaee77547de

SHA512
adc2dd160c73a0301dd1c8556935edd090c33ea883881df4ea4894307facfea6f17fcdb133b7e3403f794e67e743830530ce20e158c4a85589a5f7d3b0a53b09

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\msiwrapper.ini

Filesize
1KB

MD5
edd343bf96c219640bf57d7250947a4a

SHA1
600d9d64180e0a5547f662a0ce269cf256092480

SHA256
e714d430c08de369d8fc65770e6369bdd1975bf8b23df1497f0410db9d025f22

SHA512
b7c80ec39b36620d9f77f670d91bd61f49964975802ee2c5d94e2d0ee127b20ff001dbccfbe4c86ed99172adb1458f18278aed4f4545280779a3f98366e9d3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\msiwrapper.ini

Filesize
1KB

MD5
edd343bf96c219640bf57d7250947a4a

SHA1
600d9d64180e0a5547f662a0ce269cf256092480

SHA256
e714d430c08de369d8fc65770e6369bdd1975bf8b23df1497f0410db9d025f22

SHA512
b7c80ec39b36620d9f77f670d91bd61f49964975802ee2c5d94e2d0ee127b20ff001dbccfbe4c86ed99172adb1458f18278aed4f4545280779a3f98366e9d3d8

Download Submit
C:\Windows\Installer\MSIFD62.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\hdaaakc.au3

Filesize
490KB

MD5
e6c14274f52c3de09b65c182807d6fe9

SHA1
5bd19f63092e62a0071af3bf031bea6fc8071cc8

SHA256
5fde42453eb2e4f1eef7cec5667093bd52d4712bffef4e383f154286b7ee9aa9

SHA512
7aa121c8d0d6f979c960882cd72a6c4766535bb277879b5040723fce3e206cc64df5c8438d5fe05e219796be4795cf25aacd13e91d8e0e24a58a17bd07f0ec4e

Download Submit
\??\c:\tmpa\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\tmpa\script.au3

Filesize
490KB

MD5
e6c14274f52c3de09b65c182807d6fe9

SHA1
5bd19f63092e62a0071af3bf031bea6fc8071cc8

SHA256
5fde42453eb2e4f1eef7cec5667093bd52d4712bffef4e383f154286b7ee9aa9

SHA512
7aa121c8d0d6f979c960882cd72a6c4766535bb277879b5040723fce3e206cc64df5c8438d5fe05e219796be4795cf25aacd13e91d8e0e24a58a17bd07f0ec4e

Download Submit
\ProgramData\gaaakhk\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files\dbgeng.dll

Filesize
542KB

MD5
a1defa998f5984c7819cffd68664e00a

SHA1
9b0b17a2d660a2a51c8188186f394f8fe1650552

SHA256
abbb1d098f8ee24b0881278bee4228a59bb021242aba16af593c944c489e829f

SHA512
792ef593f78ffc453500f413640dee030bcf2bdd383697b01dc343f5e02e2b0f31b75ad68860fd7cfcae355e450e0d532ba99d1a912de7b47ced76fbc68fea24

Download Submit
\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
\Users\Admin\AppData\Local\Temp\MW-a0b955b2-dc28-4199-b53d-ddca3ea69b14\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
\Windows\Installer\MSIFD62.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/1520-142-0x00000000030B0000-0x00000000033DA000-memory.dmp

Filesize
3.2MB

Download
memory/1520-141-0x00000000030B0000-0x00000000033DA000-memory.dmp

Filesize
3.2MB

Download
memory/1520-133-0x00000000030B0000-0x00000000033DA000-memory.dmp

Filesize
3.2MB

Download
memory/1520-145-0x00000000030B0000-0x00000000033DA000-memory.dmp

Filesize
3.2MB

Download
memory/1520-124-0x0000000000940000-0x0000000000D40000-memory.dmp

Filesize
4.0MB

Download
memory/1520-149-0x00000000030B0000-0x00000000033DA000-memory.dmp

Filesize
3.2MB

Download
memory/1520-140-0x00000000030B0000-0x00000000033DA000-memory.dmp

Filesize
3.2MB

Download
memory/2128-110-0x0000000001C60000-0x0000000001D60000-memory.dmp

Filesize
1024KB

Download
memory/2128-107-0x0000000000240000-0x00000000002CD000-memory.dmp

Filesize
564KB

Download
memory/2128-118-0x0000000000240000-0x00000000002CD000-memory.dmp

Filesize
564KB

Download
memory/2668-166-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-190-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-148-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-157-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-158-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-150-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-147-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-146-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2668-165-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-167-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-170-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-171-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-172-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-173-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-174-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-176-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-175-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-177-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-178-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-179-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-180-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-181-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-182-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-183-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-184-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-185-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-186-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-188-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-189-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-151-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-196-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-199-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-200-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-201-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-202-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-203-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-204-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-205-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-206-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-207-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-208-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-209-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-210-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-212-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-211-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-213-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-214-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-215-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-216-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-217-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-218-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-219-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-220-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-221-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-222-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-223-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-224-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-225-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-226-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2668-227-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download