Malware Analysis Report

2024-11-30 11:12

Sample ID 231028-bvpq5sdh44
Target 595527dff7c5234f4509cbbfa7047b6a.bin
SHA256 368acb20bb90d8358ac4aa8f2f78e8f8231900f81b059332c2f09f2fd438df1c
Tags
discovery darkgate ads5 stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

368acb20bb90d8358ac4aa8f2f78e8f8231900f81b059332c2f09f2fd438df1c

Threat Level: Known bad

The file 595527dff7c5234f4509cbbfa7047b6a.bin was found to be: Known bad.

Malicious Activity Summary

discovery darkgate ads5 stealer

DarkGate

Modifies file permissions

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Drops file in Windows directory

Checks processor information in registry

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Uses Volume Shadow Copy service COM API

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-28 01:28

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-28 01:28

Reported

2023-10-28 01:30

Platform

win10v2004-20231020-en

Max time kernel

142s

Max time network

150s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d4e766f81e567039c44ccca90ef192a7f063c1783224ee4be3e3d7786980e236.msi

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files\windbg.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\e583b8d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e583b8d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4E5B.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI4E5C.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{402D72DA-4565-4771-A043-039847D7145B} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI3D23.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\LOGS\DPX\setupact.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\LOGS\DPX\setuperr.log C:\Windows\SysWOW64\EXPAND.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000299f28d78dcfadf0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000299f28d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809000299f28d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d0299f28d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000299f28d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2888 wrote to memory of 4972 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2888 wrote to memory of 4972 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2888 wrote to memory of 572 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2888 wrote to memory of 572 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2888 wrote to memory of 572 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 572 wrote to memory of 4416 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 572 wrote to memory of 4416 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 572 wrote to memory of 4416 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 572 wrote to memory of 1512 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 572 wrote to memory of 1512 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 572 wrote to memory of 1512 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 572 wrote to memory of 1720 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files\windbg.exe
PID 572 wrote to memory of 1720 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files\windbg.exe
PID 572 wrote to memory of 1720 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files\windbg.exe
PID 1720 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 1720 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 1720 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 572 wrote to memory of 4116 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 572 wrote to memory of 4116 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 572 wrote to memory of 4116 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d4e766f81e567039c44ccca90ef192a7f063c1783224ee4be3e3d7786980e236.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 43AB5220DD2D25A28231710B66580F95

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

C:\Windows\SysWOW64\EXPAND.EXE

"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files

C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files\windbg.exe

"C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files\windbg.exe"

\??\c:\tmpa\Autoit3.exe

c:\tmpa\Autoit3.exe c:\tmpa\script.au3

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\." /SETINTEGRITYLEVEL (CI)(OI)LOW

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 71.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 198.209.218.23.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 69.210.218.23.in-addr.arpa udp
US 8.8.8.8:53 79.121.231.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 136.71.105.51.in-addr.arpa udp

Files

C:\Windows\Installer\MSI3D23.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

C:\Windows\Installer\MSI3D23.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\msiwrapper.ini

MD5 207f719b6271b194e6d8831eabc06c9b
SHA1 21587e325ed06ac703200b9df491bac990618f12
SHA256 564d952097c64f9b00f7f414257446635ce1678b873d428164b744e9f5e799f7
SHA512 1b9af970d8610058720f3199ed8ede26fa677ad3553f519800445d6f931f9874a4d7a3b333b754eb4d8062e82f1b570fe05ca3e7322ad754d3830e0dc8e80974

C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\msiwrapper.ini

MD5 1dee98039f0982d707ffe2b96aba4936
SHA1 571e6ab3270c8af561f9dae44a4605277908e257
SHA256 f3fb11128045727b71feddae41856b943bb092cdd161d262ec23a0a854704ef9
SHA512 8a4f062baf8217e7ae63c0ef26b3fd1742b53ce826fad3dfc30b510044c1503413f48fdfb130f14f43c20706e740ad2b1eb8033b183bb87549cff4c3602a3063

C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\msiwrapper.ini

MD5 2e0f9946e8f4e114f62f7db99557bac2
SHA1 08accceea7585cc07c0e9d2a75a652e3b2ad780f
SHA256 6ffdb9d88f5b0a7162057897568ee98547c656b60472611e422a09d5dd673ef4
SHA512 2c53b408a0886c7e363c5f137d97c7b2451d20fa0a28a9dab11959347585938e829add428909ef45ceab4bd6963b893470bf043f7552ae4db07979276512d8d4

C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\msiwrapper.ini

MD5 232e0e9da246090198f2155baa087222
SHA1 fae147668d3b93f4f1e6db3cf3f718fad9c0a55e
SHA256 16441e375ee93862f7067d12c139f3d8ead1b266fef5d90518ae068064c4d0af
SHA512 a6e371b39fc650b9a0fe523fc3cce02f9eb7329dc5933496fee2410fccc7106d92c807c55251c149b8311aace207339e301dffa6b5285d61b5b2adbb124da26a

C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\msiwrapper.ini

MD5 232e0e9da246090198f2155baa087222
SHA1 fae147668d3b93f4f1e6db3cf3f718fad9c0a55e
SHA256 16441e375ee93862f7067d12c139f3d8ead1b266fef5d90518ae068064c4d0af
SHA512 a6e371b39fc650b9a0fe523fc3cce02f9eb7329dc5933496fee2410fccc7106d92c807c55251c149b8311aace207339e301dffa6b5285d61b5b2adbb124da26a

C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files.cab

MD5 11573546f1cb94036c51e1f256067a9a
SHA1 791d3293afeda092c26d2c237804f7a646d0979b
SHA256 ecd6c5174f7fa2f836b7326c52b31cd4a19e53447b8e4a7d036f8b41c0235054
SHA512 7b8cb6c8972472bf8f8c467cbb510216037f5342babe4cdf6889e20ece8400c80084c96ce6507773fb266f20638c68703d120d3f5b98940eaceda57017891067

C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files\dbgeng.dll

MD5 f540f998d60d6fc1c23f942ed5857296
SHA1 1ef333bfea08b37cda99ea1353d52928a4458f28
SHA256 d37e54faccf247c73e59fec33001000567e44a4e0adf6f637c3aea32e76d8b11
SHA512 e3369f9848dcb0661c5d932f0702dffa304541b6a7a0a8c9753247cde1083277cd4ac3600927476dafc7be73fe0bae2ace0c7e7320ae8ac9fea0660edb777b9c

C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files\dbgeng.dll

MD5 f540f998d60d6fc1c23f942ed5857296
SHA1 1ef333bfea08b37cda99ea1353d52928a4458f28
SHA256 d37e54faccf247c73e59fec33001000567e44a4e0adf6f637c3aea32e76d8b11
SHA512 e3369f9848dcb0661c5d932f0702dffa304541b6a7a0a8c9753247cde1083277cd4ac3600927476dafc7be73fe0bae2ace0c7e7320ae8ac9fea0660edb777b9c

C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files\data.bin

MD5 8b305b67e45165844d2f8547a085d782
SHA1 92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722
SHA256 776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b
SHA512 2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files\data2.bin

MD5 1cdde34f6f487545c26673a907af15f6
SHA1 4da95d333976a15ecd368d8fc04e6331a1952fa9
SHA256 3c1fdbc968598ee048f02a47b9fe888e33bfeff5a55bea059c8cb91e6d0f2c8c
SHA512 e6b1a2ccb7b994aecef47ec035659e720f151a71d6d0db8449266f47e6053238878d635ca45fe2a334b328adf5e008fd0257feb4b5968f23094e62def349365a

memory/1720-100-0x0000000002830000-0x0000000002930000-memory.dmp

C:\tmpa\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/1720-105-0x0000000000400000-0x000000000054B000-memory.dmp

\??\c:\tmpa\script.au3

MD5 cd434465236e62f9960f6eaa8ace2bf1
SHA1 45167afe0513736ec52a0a90bd87dd94273a836b
SHA256 f2bdc1b0da1e7270fa3b26a883f5ad4bbf189d8cb593af4c53ab6db680c9258c
SHA512 5b6d58757e222e17c962ad8e52d9e792604a9b898a3c61afa137d8c76a6de674b1dc00f32c9e3e97021a789a9f8e4de61044558ced7e34be84669d74fedf21c2

C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files\00000-602071660.png

MD5 c5f6eb13db175fbcd0925434424df781
SHA1 2197137928fff79f8b11e966ffb6a9eb5112a3c8
SHA256 6571ea1fa9e8427418ab40ab1ea6e1555b7c59a2579b2f34dded39d81e8def50
SHA512 40eca3c9a3c2ca653c5c78d1205250b2077265ad5cfb9609a6b34649699b62236c61d5cdb415767749ff86e91afe6830d98e6f5eb3390b2c57d28b4a45a220a4

C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files\00003-1310450276.png

MD5 3f3788816f75078edb9817a98259a223
SHA1 1eb191dd0dcff72f5922aa775dc95dced7967bd5
SHA256 a2f02cb0c6dbba41b8a4572c4546fbb7216efe8dc18ccef16e1a14d7f8ccddd0
SHA512 2c17408796ba518ad117983526f5c0380a36b6f18974132a69923e95288c3ced9ca05e615ea5d567bde100c4cd8469bf172daba96f4e5032520ccb75560d5b62

C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\msiwrapper.ini

MD5 f7b688a2c64f659a77dca00ee8a5d173
SHA1 3dfa0e74f31687783c051f66498410ed2b53b5e1
SHA256 5af895854ef9e5796e703ca0d953d6d8e9d893c87f521ab3699894bbe6782f58
SHA512 4e324285e827353e47fe4e43e5f5e2177fbaf7c26d58fa87f98bb09bb368e36c5c899b927e5d24b242b1092a9e4dbdee974f21f0f7cc2b03dbdfab2c79132073

C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files\00005-3931689802.png

MD5 66732fccbeee97415b033c017e594196
SHA1 6db8fada912e6ea219b526cbe1a136a6afdabffb
SHA256 dbefd6274b1ffc0d387d76972a9d93ea862d3be451aa3d0b8e0335708136addc
SHA512 70b11b616b108e284d8f47e9881db5c15e2a5d8ee41d6d0e26b43de19203811da6402e8f47d1845bc30e9ba8cbe71195c8594723c5ac966521dda2dc39f4a248

C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files\00004-4001132497.png

MD5 2ccc17c1a5bb5e656e7f3bb09ff0beff
SHA1 05866cf7dd5fa99ea852b01c2791b30e7741ea19
SHA256 411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2
SHA512 46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5

C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files\00002-1969081335.png

MD5 92028b5b43ea981f2172f2e9ce6556bf
SHA1 6da86abe3bc0caf500908ec7b8e841b797948fec
SHA256 7d5d5115c1f29592dba340a167e7144a539df8201578913fbbbb428b26d8c7ed
SHA512 1af0cb17ff6b09c49c0ea7433d665b123ea7e7c6a46c06088bfaeaee3a3ce01aab27105a36f906a17dc0c29c830ef54fb4b005b47cdecd3612ce9f0d3059c62f

C:\Users\Admin\AppData\Local\Temp\MW-fdc53cd6-1655-466a-b203-7bd2778e25ea\files\00001-3764640629.png

MD5 a384c8b03d6d72e9f9e268d265e8b435
SHA1 3b238b66b33e2dc191da037973a79f01d50ee2d4
SHA256 9310b4483d9e20dfdc28e8603a026f0c52b07089a290955629970b96a51b977b
SHA512 94ada636935ecf52ce4625b23216b0dde06e58fd09f34a4727531bf5299d45b5e705b8c043713f14cc8c007ba82645a0dc54402badea418bf3677967c960c565

C:\Windows\Installer\MSI4E5C.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

C:\Windows\Installer\MSI4E5C.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

\??\Volume{8df29902-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a27a60c3-8673-481e-adf0-3405962a4c8c}_OnDiskSnapshotProp

MD5 4bab0a980f291a6d40d9aae99c3238d7
SHA1 650f6bca5ff996642920b88d798675a511faa53e
SHA256 82c9d6d090cdd66122756c3ce782f005057e2630143d559017f79fd59543dac9
SHA512 8426bb31cf20172d4308ec659815658c19b76b3cee4bc3289eca4628f8e39f5c7ba25c1ff1efc2549db0a8432cce585275daace726aaf4f6e5f47816478db1b1

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 a84318ce1e0f33aab3c8e079d5d8960b
SHA1 67f53d8de4ee8e5edeba0512b56a31835c11b8a6
SHA256 f3409401c1ce24ce7d43ff4a018ca3966bd6461d5bd7dd8d8b63c674f646069e
SHA512 7675b60c61f1af7552eb8ba740c795e3581454efa72e9d3fee65c2011e4948c42e0be303a1bbef746e71bbc33aba9957c4fdd04a6e62cfe24a993b54e2816750

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-28 01:28

Reported

2023-10-28 01:32

Platform

win7-20231023-en

Max time kernel

145s

Max time network

30s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d4e766f81e567039c44ccca90ef192a7f063c1783224ee4be3e3d7786980e236.msi

Signatures

DarkGate

stealer darkgate

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\windbg.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\f789f5b.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f789f5c.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DPX\setupact.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\Logs\DPX\setuperr.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f789f5b.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIA479.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f789f5c.ipi C:\Windows\system32\msiexec.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\tmpa\Autoit3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\tmpa\Autoit3.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2264 wrote to memory of 2480 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2264 wrote to memory of 2480 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2264 wrote to memory of 2480 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2264 wrote to memory of 2480 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2264 wrote to memory of 2480 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2264 wrote to memory of 2480 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2264 wrote to memory of 2480 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2480 wrote to memory of 1552 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2480 wrote to memory of 1552 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2480 wrote to memory of 1552 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2480 wrote to memory of 1552 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2480 wrote to memory of 1476 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 2480 wrote to memory of 1476 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 2480 wrote to memory of 1476 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 2480 wrote to memory of 1476 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 2480 wrote to memory of 1084 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\windbg.exe
PID 2480 wrote to memory of 1084 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\windbg.exe
PID 2480 wrote to memory of 1084 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\windbg.exe
PID 2480 wrote to memory of 1084 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\windbg.exe
PID 2480 wrote to memory of 1084 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\windbg.exe
PID 2480 wrote to memory of 1084 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\windbg.exe
PID 2480 wrote to memory of 1084 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\windbg.exe
PID 1084 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 1084 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 1084 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 1084 wrote to memory of 1056 N/A C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 2480 wrote to memory of 1168 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 1168 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 1168 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 1168 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2480 wrote to memory of 1220 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2480 wrote to memory of 1220 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2480 wrote to memory of 1220 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2480 wrote to memory of 1220 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d4e766f81e567039c44ccca90ef192a7f063c1783224ee4be3e3d7786980e236.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000003C0" "00000000000003C8"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding ADF5DED0B217D0DC864E9FB22451A5CE

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

C:\Windows\SysWOW64\EXPAND.EXE

"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files

C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\windbg.exe

"C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\windbg.exe"

\??\c:\tmpa\Autoit3.exe

c:\tmpa\Autoit3.exe c:\tmpa\script.au3

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files"

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\." /SETINTEGRITYLEVEL (CI)(OI)LOW

Network

N/A

Files

C:\Windows\Installer\MSIA479.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

\Windows\Installer\MSIA479.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\msiwrapper.ini

MD5 86eef078730d4a51412697d031aac37b
SHA1 23cc4684b03730a75650bd3107316b66c56a8cfa
SHA256 9a3901fc76ba60a346f825a036d9fdac63680ad741d3da9b45ea56c2cff1190f
SHA512 e919bcc250a826006f96ef8fc230d854f097eed9c2b8db187b55bc06cc44eff3b4af5c8ad49e7b65e746908bebd4959b7bd0a5b037858f132f0662fc1b28f4d4

C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\msiwrapper.ini

MD5 ab8c86f1f489a4d93a7b76678f6457ee
SHA1 ceaff4b11712f1b392a18bba76fd097fc71134a0
SHA256 e14a17a71f87c6023e7a4b28c1e9dcf66bc02dd6478a588cc1eecc3bc0479a3a
SHA512 51e7e97cf685253e21cf88b3772c8e050de83e3551b3a6fb5d24c035bef4e5482d2aa6561922bad7f186756cd3120dd2048cbdf7d9cba2cce5ed8044e38286e6

C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\msiwrapper.ini

MD5 ab8c86f1f489a4d93a7b76678f6457ee
SHA1 ceaff4b11712f1b392a18bba76fd097fc71134a0
SHA256 e14a17a71f87c6023e7a4b28c1e9dcf66bc02dd6478a588cc1eecc3bc0479a3a
SHA512 51e7e97cf685253e21cf88b3772c8e050de83e3551b3a6fb5d24c035bef4e5482d2aa6561922bad7f186756cd3120dd2048cbdf7d9cba2cce5ed8044e38286e6

C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files.cab

MD5 11573546f1cb94036c51e1f256067a9a
SHA1 791d3293afeda092c26d2c237804f7a646d0979b
SHA256 ecd6c5174f7fa2f836b7326c52b31cd4a19e53447b8e4a7d036f8b41c0235054
SHA512 7b8cb6c8972472bf8f8c467cbb510216037f5342babe4cdf6889e20ece8400c80084c96ce6507773fb266f20638c68703d120d3f5b98940eaceda57017891067

\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\dbgeng.dll

MD5 f540f998d60d6fc1c23f942ed5857296
SHA1 1ef333bfea08b37cda99ea1353d52928a4458f28
SHA256 d37e54faccf247c73e59fec33001000567e44a4e0adf6f637c3aea32e76d8b11
SHA512 e3369f9848dcb0661c5d932f0702dffa304541b6a7a0a8c9753247cde1083277cd4ac3600927476dafc7be73fe0bae2ace0c7e7320ae8ac9fea0660edb777b9c

C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\dbgeng.dll

MD5 f540f998d60d6fc1c23f942ed5857296
SHA1 1ef333bfea08b37cda99ea1353d52928a4458f28
SHA256 d37e54faccf247c73e59fec33001000567e44a4e0adf6f637c3aea32e76d8b11
SHA512 e3369f9848dcb0661c5d932f0702dffa304541b6a7a0a8c9753247cde1083277cd4ac3600927476dafc7be73fe0bae2ace0c7e7320ae8ac9fea0660edb777b9c

memory/1084-103-0x0000000000590000-0x00000000006DB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\data.bin

MD5 8b305b67e45165844d2f8547a085d782
SHA1 92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722
SHA256 776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b
SHA512 2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\data2.bin

MD5 1cdde34f6f487545c26673a907af15f6
SHA1 4da95d333976a15ecd368d8fc04e6331a1952fa9
SHA256 3c1fdbc968598ee048f02a47b9fe888e33bfeff5a55bea059c8cb91e6d0f2c8c
SHA512 e6b1a2ccb7b994aecef47ec035659e720f151a71d6d0db8449266f47e6053238878d635ca45fe2a334b328adf5e008fd0257feb4b5968f23094e62def349365a

memory/1084-107-0x0000000000A00000-0x0000000000B00000-memory.dmp

\tmpa\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\tmpa\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/1084-114-0x0000000000590000-0x00000000006DB000-memory.dmp

\??\c:\tmpa\script.au3

MD5 cd434465236e62f9960f6eaa8ace2bf1
SHA1 45167afe0513736ec52a0a90bd87dd94273a836b
SHA256 f2bdc1b0da1e7270fa3b26a883f5ad4bbf189d8cb593af4c53ab6db680c9258c
SHA512 5b6d58757e222e17c962ad8e52d9e792604a9b898a3c61afa137d8c76a6de674b1dc00f32c9e3e97021a789a9f8e4de61044558ced7e34be84669d74fedf21c2

C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\00002-~1.PNG

MD5 92028b5b43ea981f2172f2e9ce6556bf
SHA1 6da86abe3bc0caf500908ec7b8e841b797948fec
SHA256 7d5d5115c1f29592dba340a167e7144a539df8201578913fbbbb428b26d8c7ed
SHA512 1af0cb17ff6b09c49c0ea7433d665b123ea7e7c6a46c06088bfaeaee3a3ce01aab27105a36f906a17dc0c29c830ef54fb4b005b47cdecd3612ce9f0d3059c62f

memory/1056-125-0x0000000000CB0000-0x00000000010B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\00005-~1.PNG

MD5 66732fccbeee97415b033c017e594196
SHA1 6db8fada912e6ea219b526cbe1a136a6afdabffb
SHA256 dbefd6274b1ffc0d387d76972a9d93ea862d3be451aa3d0b8e0335708136addc
SHA512 70b11b616b108e284d8f47e9881db5c15e2a5d8ee41d6d0e26b43de19203811da6402e8f47d1845bc30e9ba8cbe71195c8594723c5ac966521dda2dc39f4a248

memory/1056-126-0x0000000002E50000-0x000000000317A000-memory.dmp

memory/1056-127-0x0000000000CB0000-0x00000000010B0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\00004-~1.PNG

MD5 2ccc17c1a5bb5e656e7f3bb09ff0beff
SHA1 05866cf7dd5fa99ea852b01c2791b30e7741ea19
SHA256 411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2
SHA512 46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5

C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\00003-~1.PNG

MD5 3f3788816f75078edb9817a98259a223
SHA1 1eb191dd0dcff72f5922aa775dc95dced7967bd5
SHA256 a2f02cb0c6dbba41b8a4572c4546fbb7216efe8dc18ccef16e1a14d7f8ccddd0
SHA512 2c17408796ba518ad117983526f5c0380a36b6f18974132a69923e95288c3ced9ca05e615ea5d567bde100c4cd8469bf172daba96f4e5032520ccb75560d5b62

C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\00001-~1.PNG

MD5 a384c8b03d6d72e9f9e268d265e8b435
SHA1 3b238b66b33e2dc191da037973a79f01d50ee2d4
SHA256 9310b4483d9e20dfdc28e8603a026f0c52b07089a290955629970b96a51b977b
SHA512 94ada636935ecf52ce4625b23216b0dde06e58fd09f34a4727531bf5299d45b5e705b8c043713f14cc8c007ba82645a0dc54402badea418bf3677967c960c565

C:\Users\Admin\AppData\Local\Temp\MW-c212bd7d-068b-4d8d-af08-7fe5bdb3d520\files\00000-~1.PNG

MD5 c5f6eb13db175fbcd0925434424df781
SHA1 2197137928fff79f8b11e966ffb6a9eb5112a3c8
SHA256 6571ea1fa9e8427418ab40ab1ea6e1555b7c59a2579b2f34dded39d81e8def50
SHA512 40eca3c9a3c2ca653c5c78d1205250b2077265ad5cfb9609a6b34649699b62236c61d5cdb415767749ff86e91afe6830d98e6f5eb3390b2c57d28b4a45a220a4