darkgate | 7a92489050089498d6ec05fb7bdfad37da13bb965023d126c41789c5756e4e02

Resubmissions

01/11/2023, 17:40

231101-v855tsbb71 10

26/10/2023, 20:02

231026-yr4gfsha49 10

Analysis

max time kernel
278s
max time network
266s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
01/11/2023, 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

hyreszxc.msi
Size

8.6MB
MD5

a0e0687c1f4e8f50243db910ebf2e623
SHA1

72629d1d68dbfb601cc8390d642ad7a1289fb946
SHA256

7a92489050089498d6ec05fb7bdfad37da13bb965023d126c41789c5756e4e02
SHA512

31f631b7ec686cab39b0d5edf7e2b62b43f22cb74479c56fefb6d226ba1b89162a41d7dcaa2f9d81c4633f46c782d3229805bf6a9b2336404066bd120e3cf721
SSDEEP

196608:5kdAirk9zqV8GinTPMoGkd/ROfL0uUmN4in1VAnEVYxVSe3yt/:edAirAzqVAnTPMgd+0ogHnF3y

Score

10^/10

darkgate user_871236672 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

user_871236672

http://hadfadf87yuadfad.com

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
2351
check_disk
true
check_ram
true
check_xeon
true
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
CbTWFsAhFuOWYT
internal_mutex
txtMut
minimum_disk
40
minimum_ram
7000
ping_interval
4
rootkit
true
startup_persistence
true
username
user_871236672

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Executes dropped EXE 5 IoCs

pid	Process
3300	windbg.exe
3220	Autoit3.exe
2412	Autoit3.exe
4480	Autoit3.exe
2000	Autoit3.exe

Loads dropped DLL 3 IoCs

pid	Process
4372	MsiExec.exe
3300	windbg.exe
4372	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4920	ICACLS.EXE
2440	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{9A06088C-7C5D-4EC4-B58A-0F31E252F23E}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA6AB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC0CB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC0FB.tmp	msiexec.exe
File created	C:\Windows\Installer\e58a42a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58a42a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 8 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000006f5277fd0b2376700000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800006f5277fd0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809006f5277fd000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d6f5277fd000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000006f5277fd00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Autoit3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Autoit3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Autoit3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Autoit3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Autoit3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Autoit3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	Autoit3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic"	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	Autoit3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
3420	msiexec.exe
3420	msiexec.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4956	taskmgr.exe
1796	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4760	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4760	msiexec.exe
Token: SeSecurityPrivilege	3420	msiexec.exe
Token: SeCreateTokenPrivilege	4760	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4760	msiexec.exe
Token: SeLockMemoryPrivilege	4760	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4760	msiexec.exe
Token: SeMachineAccountPrivilege	4760	msiexec.exe
Token: SeTcbPrivilege	4760	msiexec.exe
Token: SeSecurityPrivilege	4760	msiexec.exe
Token: SeTakeOwnershipPrivilege	4760	msiexec.exe
Token: SeLoadDriverPrivilege	4760	msiexec.exe
Token: SeSystemProfilePrivilege	4760	msiexec.exe
Token: SeSystemtimePrivilege	4760	msiexec.exe
Token: SeProfSingleProcessPrivilege	4760	msiexec.exe
Token: SeIncBasePriorityPrivilege	4760	msiexec.exe
Token: SeCreatePagefilePrivilege	4760	msiexec.exe
Token: SeCreatePermanentPrivilege	4760	msiexec.exe
Token: SeBackupPrivilege	4760	msiexec.exe
Token: SeRestorePrivilege	4760	msiexec.exe
Token: SeShutdownPrivilege	4760	msiexec.exe
Token: SeDebugPrivilege	4760	msiexec.exe
Token: SeAuditPrivilege	4760	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4760	msiexec.exe
Token: SeChangeNotifyPrivilege	4760	msiexec.exe
Token: SeRemoteShutdownPrivilege	4760	msiexec.exe
Token: SeUndockPrivilege	4760	msiexec.exe
Token: SeSyncAgentPrivilege	4760	msiexec.exe
Token: SeEnableDelegationPrivilege	4760	msiexec.exe
Token: SeManageVolumePrivilege	4760	msiexec.exe
Token: SeImpersonatePrivilege	4760	msiexec.exe
Token: SeCreateGlobalPrivilege	4760	msiexec.exe
Token: SeBackupPrivilege	3516	vssvc.exe
Token: SeRestorePrivilege	3516	vssvc.exe
Token: SeAuditPrivilege	3516	vssvc.exe
Token: SeBackupPrivilege	3420	msiexec.exe
Token: SeRestorePrivilege	3420	msiexec.exe
Token: SeDebugPrivilege	4956	taskmgr.exe
Token: SeSystemProfilePrivilege	4956	taskmgr.exe
Token: SeCreateGlobalPrivilege	4956	taskmgr.exe
Token: SeRestorePrivilege	3420	msiexec.exe
Token: SeTakeOwnershipPrivilege	3420	msiexec.exe
Token: SeRestorePrivilege	3420	msiexec.exe
Token: SeTakeOwnershipPrivilege	3420	msiexec.exe
Token: SeRestorePrivilege	3420	msiexec.exe
Token: SeTakeOwnershipPrivilege	3420	msiexec.exe
Token: SeRestorePrivilege	3420	msiexec.exe
Token: SeTakeOwnershipPrivilege	3420	msiexec.exe
Token: SeBackupPrivilege	5064	srtasks.exe
Token: SeRestorePrivilege	5064	srtasks.exe
Token: SeSecurityPrivilege	5064	srtasks.exe
Token: SeTakeOwnershipPrivilege	5064	srtasks.exe
Token: SeBackupPrivilege	5064	srtasks.exe
Token: SeRestorePrivilege	5064	srtasks.exe
Token: SeSecurityPrivilege	5064	srtasks.exe
Token: SeTakeOwnershipPrivilege	5064	srtasks.exe
Token: 33	1796	mmc.exe
Token: SeIncBasePriorityPrivilege	1796	mmc.exe
Token: 33	1796	mmc.exe
Token: SeIncBasePriorityPrivilege	1796	mmc.exe
Token: 33	1796	mmc.exe
Token: SeIncBasePriorityPrivilege	1796	mmc.exe
Token: 33	1796	mmc.exe
Token: SeIncBasePriorityPrivilege	1796	mmc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4760	msiexec.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4760	msiexec.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe
4956	taskmgr.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2412	Autoit3.exe
4480	Autoit3.exe
2000	Autoit3.exe
1796	mmc.exe
1796	mmc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3420 wrote to memory of 5064	3420	msiexec.exe	102
PID 3420 wrote to memory of 5064	3420	msiexec.exe	102
PID 3420 wrote to memory of 4372	3420	msiexec.exe	104
PID 3420 wrote to memory of 4372	3420	msiexec.exe	104
PID 3420 wrote to memory of 4372	3420	msiexec.exe	104
PID 4372 wrote to memory of 2440	4372	MsiExec.exe	105
PID 4372 wrote to memory of 2440	4372	MsiExec.exe	105
PID 4372 wrote to memory of 2440	4372	MsiExec.exe	105
PID 4372 wrote to memory of 3212	4372	MsiExec.exe	108
PID 4372 wrote to memory of 3212	4372	MsiExec.exe	108
PID 4372 wrote to memory of 3212	4372	MsiExec.exe	108
PID 4372 wrote to memory of 3300	4372	MsiExec.exe	110
PID 4372 wrote to memory of 3300	4372	MsiExec.exe	110
PID 4372 wrote to memory of 3300	4372	MsiExec.exe	110
PID 3300 wrote to memory of 3220	3300	windbg.exe	111
PID 3300 wrote to memory of 3220	3300	windbg.exe	111
PID 3300 wrote to memory of 3220	3300	windbg.exe	111
PID 4372 wrote to memory of 4920	4372	MsiExec.exe	112
PID 4372 wrote to memory of 4920	4372	MsiExec.exe	112
PID 4372 wrote to memory of 4920	4372	MsiExec.exe	112

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\hyreszxc.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4760

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3420
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5064
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9FF05FD7C558694A00F44A69477811DD
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4372
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2440
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:3212
- - C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3300
  - - \??\c:\tmpa\Autoit3.exe
      c:\tmpa\Autoit3.exe c:\tmpa\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:3220
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:4920

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3516

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4956

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3768

C:\tmpa\Autoit3.exe
"C:\tmpa\Autoit3.exe"
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2412

C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
1⤵
PID:4332

C:\tmpa\Autoit3.exe
"C:\tmpa\Autoit3.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4480

C:\tmpa\Autoit3.exe
"C:\tmpa\Autoit3.exe"
1⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2000

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files.cab

Filesize
8.4MB

MD5
6ecd06249526d985bd28cc1864e8c143

SHA1
5ab8062d24dfda2ec3c5ebca958485041f92a562

SHA256
8931c76f39a6e4052c95422cd9ba00cd6648cb12618ed5007a2aef769592b3dd

SHA512
eb5dca026bf2c011be9b752432d1096ffa145efadf2bd1726a6076b2ca0f6d34f00647a321401df1d70733c1b6a05633b6966e542d45ff1dac7c7c898ebe3ca5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\00000-602071660.png

Filesize
1.2MB

MD5
c5f6eb13db175fbcd0925434424df781

SHA1
2197137928fff79f8b11e966ffb6a9eb5112a3c8

SHA256
6571ea1fa9e8427418ab40ab1ea6e1555b7c59a2579b2f34dded39d81e8def50

SHA512
40eca3c9a3c2ca653c5c78d1205250b2077265ad5cfb9609a6b34649699b62236c61d5cdb415767749ff86e91afe6830d98e6f5eb3390b2c57d28b4a45a220a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\00001-3764640629.png

Filesize
1.3MB

MD5
a384c8b03d6d72e9f9e268d265e8b435

SHA1
3b238b66b33e2dc191da037973a79f01d50ee2d4

SHA256
9310b4483d9e20dfdc28e8603a026f0c52b07089a290955629970b96a51b977b

SHA512
94ada636935ecf52ce4625b23216b0dde06e58fd09f34a4727531bf5299d45b5e705b8c043713f14cc8c007ba82645a0dc54402badea418bf3677967c960c565

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\00002-1969081335.png

Filesize
1.1MB

MD5
92028b5b43ea981f2172f2e9ce6556bf

SHA1
6da86abe3bc0caf500908ec7b8e841b797948fec

SHA256
7d5d5115c1f29592dba340a167e7144a539df8201578913fbbbb428b26d8c7ed

SHA512
1af0cb17ff6b09c49c0ea7433d665b123ea7e7c6a46c06088bfaeaee3a3ce01aab27105a36f906a17dc0c29c830ef54fb4b005b47cdecd3612ce9f0d3059c62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\00003-1310450276.png

Filesize
1.2MB

MD5
3f3788816f75078edb9817a98259a223

SHA1
1eb191dd0dcff72f5922aa775dc95dced7967bd5

SHA256
a2f02cb0c6dbba41b8a4572c4546fbb7216efe8dc18ccef16e1a14d7f8ccddd0

SHA512
2c17408796ba518ad117983526f5c0380a36b6f18974132a69923e95288c3ced9ca05e615ea5d567bde100c4cd8469bf172daba96f4e5032520ccb75560d5b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\00004-4001132497.png

Filesize
1.1MB

MD5
2ccc17c1a5bb5e656e7f3bb09ff0beff

SHA1
05866cf7dd5fa99ea852b01c2791b30e7741ea19

SHA256
411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2

SHA512
46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\00005-3931689802.png

Filesize
903KB

MD5
66732fccbeee97415b033c017e594196

SHA1
6db8fada912e6ea219b526cbe1a136a6afdabffb

SHA256
dbefd6274b1ffc0d387d76972a9d93ea862d3be451aa3d0b8e0335708136addc

SHA512
70b11b616b108e284d8f47e9881db5c15e2a5d8ee41d6d0e26b43de19203811da6402e8f47d1845bc30e9ba8cbe71195c8594723c5ac966521dda2dc39f4a248

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\data.bin

Filesize
92KB

MD5
8b305b67e45165844d2f8547a085d782

SHA1
92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722

SHA256
776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b

SHA512
2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\data2.bin

Filesize
1.8MB

MD5
d12826317bcc07a47d9e0b83fd487c5e

SHA1
f129cfa73c8ae56e72c11f93e05823916bdc86f0

SHA256
b37677c2a7cdc0cc97d9f942fc0423037eb50b8f1685ceee45cf97b9477eaadd

SHA512
45297229d26909945a2422ab879611410f5c31d5f2eeb4c926a2d555c9a6771f02295ee9a65efdb893c8a44d88af0fc0224373f5ce0e6a408c42f02b25f76a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\dbgeng.dll

Filesize
1.3MB

MD5
f540f998d60d6fc1c23f942ed5857296

SHA1
1ef333bfea08b37cda99ea1353d52928a4458f28

SHA256
d37e54faccf247c73e59fec33001000567e44a4e0adf6f637c3aea32e76d8b11

SHA512
e3369f9848dcb0661c5d932f0702dffa304541b6a7a0a8c9753247cde1083277cd4ac3600927476dafc7be73fe0bae2ace0c7e7320ae8ac9fea0660edb777b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\dbgeng.dll

Filesize
1.3MB

MD5
f540f998d60d6fc1c23f942ed5857296

SHA1
1ef333bfea08b37cda99ea1353d52928a4458f28

SHA256
d37e54faccf247c73e59fec33001000567e44a4e0adf6f637c3aea32e76d8b11

SHA512
e3369f9848dcb0661c5d932f0702dffa304541b6a7a0a8c9753247cde1083277cd4ac3600927476dafc7be73fe0bae2ace0c7e7320ae8ac9fea0660edb777b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\msiwrapper.ini

Filesize
1KB

MD5
7f72902bda1705ba4a11184574128a86

SHA1
36e69b4253aa84fabf83f049b6ce09e9e9edb035

SHA256
6c240f69de156720b95c2cfe2fc42c52bc103156ffe74c81195d4412d7310ddc

SHA512
8fe960bfb814f97d07f3aa89866b46be3798beefa668a98d706d14abd9559dbf38fd2cab4fa905ce14a44382bf1f41ff0f3314f779ee95561eb6026137dacc14

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\msiwrapper.ini

Filesize
1KB

MD5
54a67d73154b7943675d7441ffb648e5

SHA1
17faccb83977474478cd81f7caf18c5925277ef5

SHA256
03b54cf56825e7359d96f9687ef1dc875fcaaabecc92aa50ec30c876c799af74

SHA512
b3bea042dd1ec63ee7fab5b0f99e6b416a3a3c98268fb150397d0435062f91fcbfd7c8c51ffbd21cc8c91c303fffa6bc0b2d4ff410e6b75085688d221d2f7c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\msiwrapper.ini

Filesize
1KB

MD5
54a67d73154b7943675d7441ffb648e5

SHA1
17faccb83977474478cd81f7caf18c5925277ef5

SHA256
03b54cf56825e7359d96f9687ef1dc875fcaaabecc92aa50ec30c876c799af74

SHA512
b3bea042dd1ec63ee7fab5b0f99e6b416a3a3c98268fb150397d0435062f91fcbfd7c8c51ffbd21cc8c91c303fffa6bc0b2d4ff410e6b75085688d221d2f7c0b

Download Submit
C:\Windows\Installer\MSIA6AB.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIA6AB.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIC0FB.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIC0FB.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
f06eb287d826ea7d6403fe2e4d903586

SHA1
ec3400d6cdab5694b6ece499ae2fc17b20702a5d

SHA256
1e727d74a8ce9caaf91cb534f2f986d6e5401a51d6e329e494bf3a91df9c8730

SHA512
64db86b1c559038adc379d00e32f164091d023b1323fce23a4fea74bcd7e4fc94411dd181447f22469017a6d5d6ccd3830322aa9b5db2e55a6c76db00e75832f

Download Submit
\??\Volume{fd77526f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{12c72381-9325-42bc-812b-0ac1679c84f4}_OnDiskSnapshotProp

Filesize
5KB

MD5
9deb91f1cecc82522ee61d7bb2c0cde2

SHA1
494f3004d116baac0b0101f0075c086a35756b46

SHA256
260cf72f1b87209b5b816bd08e9c31d4dd05224346be6d67d6f9b75252b46ca3

SHA512
e8dc110ef832b163a065a60377df88faea674b72b10e9aaaa856a6552bcc4ea7441e3745d00205060abeb7097bb0214a16fc23829f7ca90245a72ee08c9a9ea3

Download Submit
\??\c:\tmpa\autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\tmpa\script.au3

Filesize
489KB

MD5
fbe2606010b7d86a18af938b3dcb08c6

SHA1
c67db324c8159dc141eab06379db31d276375dc4

SHA256
3371278138866e0b7fd051b836dba80b06565944c4161ff0c11d5eda6c6c210f

SHA512
368c390c353ed1c1206607e5bc92dd71dddb6ab656c81e377f80962ec94af7d24d23996d921e38a850979b4b25021677fa897d97feb14665cf0fdf6ca484c22b

Download Submit
memory/1796-159-0x000000001CA70000-0x000000001CA80000-memory.dmp

Filesize
64KB

Download
memory/1796-166-0x000000001E4A0000-0x000000001E5A0000-memory.dmp

Filesize
1024KB

Download
memory/1796-165-0x000000001CA70000-0x000000001CA80000-memory.dmp

Filesize
64KB

Download
memory/1796-163-0x000000001CA70000-0x000000001CA80000-memory.dmp

Filesize
64KB

Download
memory/1796-164-0x00007FF4D0590000-0x00007FF4D05A0000-memory.dmp

Filesize
64KB

Download
memory/1796-162-0x000000001CA70000-0x000000001CA80000-memory.dmp

Filesize
64KB

Download
memory/1796-154-0x000000001CA70000-0x000000001CA80000-memory.dmp

Filesize
64KB

Download
memory/1796-153-0x000000001CA70000-0x000000001CA80000-memory.dmp

Filesize
64KB

Download
memory/1796-160-0x000000001CA70000-0x000000001CA80000-memory.dmp

Filesize
64KB

Download
memory/1796-161-0x000000001CA70000-0x000000001CA80000-memory.dmp

Filesize
64KB

Download
memory/1796-152-0x00007FFCD6190000-0x00007FFCD6C51000-memory.dmp

Filesize
10.8MB

Download
memory/1796-158-0x000000001E4A0000-0x000000001E5A0000-memory.dmp

Filesize
1024KB

Download
memory/1796-155-0x00007FF4D0590000-0x00007FF4D05A0000-memory.dmp

Filesize
64KB

Download
memory/1796-157-0x000000001CA70000-0x000000001CA80000-memory.dmp

Filesize
64KB

Download
memory/1796-156-0x00007FFCD6190000-0x00007FFCD6C51000-memory.dmp

Filesize
10.8MB

Download
memory/2412-149-0x000000000A380000-0x000000000A6AA000-memory.dmp

Filesize
3.2MB

Download
memory/2412-148-0x000000000A380000-0x000000000A6AA000-memory.dmp

Filesize
3.2MB

Download
memory/2412-147-0x0000000003E30000-0x0000000004030000-memory.dmp

Filesize
2.0MB

Download
memory/3220-121-0x0000000000B70000-0x0000000000F70000-memory.dmp

Filesize
4.0MB

Download
memory/3220-122-0x0000000003EE0000-0x000000000420A000-memory.dmp

Filesize
3.2MB

Download
memory/3300-118-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/3300-113-0x0000000002D60000-0x0000000002E60000-memory.dmp

Filesize
1024KB

Download
memory/4956-0-0x000001CA70AA0000-0x000001CA70AA1000-memory.dmp

Filesize
4KB

Download
memory/4956-12-0x000001CA70AA0000-0x000001CA70AA1000-memory.dmp

Filesize
4KB

Download
memory/4956-11-0x000001CA70AA0000-0x000001CA70AA1000-memory.dmp

Filesize
4KB

Download
memory/4956-10-0x000001CA70AA0000-0x000001CA70AA1000-memory.dmp

Filesize
4KB

Download
memory/4956-9-0x000001CA70AA0000-0x000001CA70AA1000-memory.dmp

Filesize
4KB

Download
memory/4956-1-0x000001CA70AA0000-0x000001CA70AA1000-memory.dmp

Filesize
4KB

Download
memory/4956-2-0x000001CA70AA0000-0x000001CA70AA1000-memory.dmp

Filesize
4KB

Download
memory/4956-6-0x000001CA70AA0000-0x000001CA70AA1000-memory.dmp

Filesize
4KB

Download
memory/4956-7-0x000001CA70AA0000-0x000001CA70AA1000-memory.dmp

Filesize
4KB

Download
memory/4956-8-0x000001CA70AA0000-0x000001CA70AA1000-memory.dmp

Filesize
4KB

Download