Analysis Overview
SHA256: 7a92489050089498d6ec05fb7bdfad37da13bb965023d126c41789c5756e4e02
Threat Level: Known bad
The file hyreszxc.msi was found to be: Known bad.
Malicious Activity Summary
DarkGate
Executes dropped EXE
Modifies file permissions
Loads dropped DLL
Enumerates connected drives
Drops file in System32 directory
Drops file in Windows directory
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Modifies data under HKEY_USERS
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2023-11-01 17:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2023-11-01 17:40
Reported: 2023-11-01 17:45
Platform: win7-20231020-en
Max time kernel: 306s
Max time network: 124s
Command Line
Signatures
DarkGate
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-5630e676-90c5-4260-8108-af277fcb6fc9\files\windbg.exe | N/A |
| N/A | N/A | \??\c:\tmpa\Autoit3.exe | N/A |
| N/A | N/A | \??\c:\tmpa\Autoit3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-5630e676-90c5-4260-8108-af277fcb6fc9\files\windbg.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-5630e676-90c5-4260-8108-af277fcb6fc9\files\windbg.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\taskschd.msc | C:\Windows\system32\mmc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Installer\f76c88d.msi | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76c88e.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\f76c88d.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSICB4B.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setupact.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
| File opened for modification | C:\Windows\Logs\DPX\setuperr.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
| File opened for modification | C:\Windows\Installer\f76c88e.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev3 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.ev1 | C:\Windows\system32\DrvInst.exe | N/A |
| File opened for modification | C:\Windows\INF\setupapi.dev.log | C:\Windows\system32\DrvInst.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpa\Autoit3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpa\Autoit3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpa\Autoit3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpa\Autoit3.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\system32\DrvInst.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\system32\DrvInst.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\tmpa\Autoit3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\DrvInst.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\mmc.exe | N/A |
| N/A | N/A | C:\Windows\system32\mmc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
| Process | Command line |
| C:\Windows\system32\msiexec.exe | msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\hyreszxc.msi |
| C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V |
| C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe |
| C:\Windows\system32\taskmgr.exe | "C:\Windows\system32\taskmgr.exe" /4 |
| C:\Windows\system32\DrvInst.exe | DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000570" "000000000000031C" |
| C:\Windows\syswow64\MsiExec.exe | C:\Windows\syswow64\MsiExec.exe -Embedding 91FC0E4376A524DB85DE6E4DDC2720F5 |
| C:\Windows\SysWOW64\ICACLS.EXE | "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-5630e676-90c5-4260-8108-af277fcb6fc9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH |
| C:\Windows\SysWOW64\EXPAND.EXE | "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files |
| C:\Users\Admin\AppData\Local\Temp\MW-5630e676-90c5-4260-8108-af277fcb6fc9\files\windbg.exe | "C:\Users\Admin\AppData\Local\Temp\MW-5630e676-90c5-4260-8108-af277fcb6fc9\files\windbg.exe" |
| \??\c:\tmpa\Autoit3.exe | c:\tmpa\Autoit3.exe c:\tmpa\script.au3 |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-5630e676-90c5-4260-8108-af277fcb6fc9\files" |
| C:\Windows\SysWOW64\ICACLS.EXE | "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-5630e676-90c5-4260-8108-af277fcb6fc9\." /SETINTEGRITYLEVEL (CI)(OI)LOW |
| C:\Windows\explorer.exe | "C:\Windows\explorer.exe" |
| C:\Windows\system32\cmd.exe | "C:\Windows\system32\cmd.exe" |
| \??\c:\tmpa\Autoit3.exe | Autoit3.exe script.au3 |
| C:\Windows\system32\mmc.exe | "C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s |
| C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | dw20.exe -x -s 1052 |
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-11-01 17:40
Reported
2023-11-01 17:45
Platform
win10v2004-20231023-en
Max time kernel
278s
Max time network
266s
Command Line
Signatures
DarkGate
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\windbg.exe | N/A |
| N/A | N/A | \??\c:\tmpa\Autoit3.exe | N/A |
| N/A | N/A | C:\tmpa\Autoit3.exe | N/A |
| N/A | N/A | C:\tmpa\Autoit3.exe | N/A |
| N/A | N/A | C:\tmpa\Autoit3.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\windbg.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
| N/A | N/A | C:\Windows\SysWOW64\ICACLS.EXE | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\taskschd.msc | C:\Windows\system32\mmc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Installer\SourceHash{9A06088C-7C5D-4EC4-B58A-0F31E252F23E} | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIA6AB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC0CB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\MSIC0FB.tmp | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\e58a42a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\e58a42a.msi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\Installer\ | C:\Windows\system32\msiexec.exe | N/A |
| File created | C:\Windows\Installer\inprogressinstallinfo.ipi | C:\Windows\system32\msiexec.exe | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setupact.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
| File opened for modification | C:\Windows\LOGS\DPX\setuperr.log | C:\Windows\SysWOW64\EXPAND.EXE | N/A |
Enumerates physical storage devices
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary value not captured) | C:\Windows\system32\vssvc.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | C:\Windows\system32\vssvc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | C:\Windows\system32\vssvc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | C:\Windows\system32\vssvc.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | \??\c:\tmpa\Autoit3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\tmpa\Autoit3.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\tmpa\Autoit3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | \??\c:\tmpa\Autoit3.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\tmpa\Autoit3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\tmpa\Autoit3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\tmpa\Autoit3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\tmpa\Autoit3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags | C:\tmpa\Autoit3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | C:\tmpa\Autoit3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg | C:\tmpa\Autoit3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\tmpa\Autoit3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4 | C:\tmpa\Autoit3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" | C:\tmpa\Autoit3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | C:\tmpa\Autoit3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings | C:\tmpa\Autoit3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\tmpa\Autoit3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\tmpa\Autoit3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\tmpa\Autoit3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\tmpa\Autoit3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\tmpa\Autoit3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\tmpa\Autoit3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\tmpa\Autoit3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\tmpa\Autoit3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\tmpa\Autoit3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings | C:\tmpa\Autoit3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | C:\tmpa\Autoit3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff | C:\tmpa\Autoit3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\SniffedFolderType = "Generic" | C:\tmpa\Autoit3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | C:\tmpa\Autoit3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | C:\tmpa\Autoit3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\tmpa\Autoit3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | C:\tmpa\Autoit3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | C:\tmpa\Autoit3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202 | C:\tmpa\Autoit3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | C:\tmpa\Autoit3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | C:\tmpa\Autoit3.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | C:\tmpa\Autoit3.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | C:\tmpa\Autoit3.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2231940048-779848787-2990559741-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 | C:\tmpa\Autoit3.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\mmc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\srtasks.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\mmc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\mmc.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\tmpa\Autoit3.exe | N/A |
| N/A | N/A | C:\tmpa\Autoit3.exe | N/A |
| N/A | N/A | C:\tmpa\Autoit3.exe | N/A |
| N/A | N/A | C:\Windows\system32\mmc.exe | N/A |
| N/A | N/A | C:\Windows\system32\mmc.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Uses Volume Shadow Copy service COM API
Processes
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\hyreszxc.msi
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 9FF05FD7C558694A00F44A69477811DD
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\windbg.exe
"C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\windbg.exe"
\??\c:\tmpa\Autoit3.exe
c:\tmpa\Autoit3.exe c:\tmpa\script.au3
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\." /SETINTEGRITYLEVEL (CI)(OI)LOW
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\tmpa\Autoit3.exe
"C:\tmpa\Autoit3.exe"
C:\Windows\system32\notepad.exe
"C:\Windows\system32\notepad.exe"
C:\tmpa\Autoit3.exe
"C:\tmpa\Autoit3.exe"
C:\tmpa\Autoit3.exe
"C:\tmpa\Autoit3.exe"
C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
Network
Files
memory/4956-0-0x000001CA70AA0000-0x000001CA70AA1000-memory.dmp
memory/4956-1-0x000001CA70AA0000-0x000001CA70AA1000-memory.dmp
memory/4956-2-0x000001CA70AA0000-0x000001CA70AA1000-memory.dmp
memory/4956-6-0x000001CA70AA0000-0x000001CA70AA1000-memory.dmp
memory/4956-7-0x000001CA70AA0000-0x000001CA70AA1000-memory.dmp
memory/4956-8-0x000001CA70AA0000-0x000001CA70AA1000-memory.dmp
memory/4956-9-0x000001CA70AA0000-0x000001CA70AA1000-memory.dmp
memory/4956-10-0x000001CA70AA0000-0x000001CA70AA1000-memory.dmp
memory/4956-11-0x000001CA70AA0000-0x000001CA70AA1000-memory.dmp
memory/4956-12-0x000001CA70AA0000-0x000001CA70AA1000-memory.dmp
C:\Windows\Installer\MSIA6AB.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\msiwrapper.ini
| MD5 | 54a67d73154b7943675d7441ffb648e5 |
| SHA1 | 17faccb83977474478cd81f7caf18c5925277ef5 |
| SHA256 | 03b54cf56825e7359d96f9687ef1dc875fcaaabecc92aa50ec30c876c799af74 |
| SHA512 | b3bea042dd1ec63ee7fab5b0f99e6b416a3a3c98268fb150397d0435062f91fcbfd7c8c51ffbd21cc8c91c303fffa6bc0b2d4ff410e6b75085688d221d2f7c0b |
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files.cab
| MD5 | 6ecd06249526d985bd28cc1864e8c143 |
| SHA1 | 5ab8062d24dfda2ec3c5ebca958485041f92a562 |
| SHA256 | 8931c76f39a6e4052c95422cd9ba00cd6648cb12618ed5007a2aef769592b3dd |
| SHA512 | eb5dca026bf2c011be9b752432d1096ffa145efadf2bd1726a6076b2ca0f6d34f00647a321401df1d70733c1b6a05633b6966e542d45ff1dac7c7c898ebe3ca5 |
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\windbg.exe
| MD5 | 04ec4f58a1f4a87b5eeb1f4b7afc48e0 |
| SHA1 | 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7 |
| SHA256 | bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4 |
| SHA512 | 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80 |
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\dbgeng.dll
| MD5 | f540f998d60d6fc1c23f942ed5857296 |
| SHA1 | 1ef333bfea08b37cda99ea1353d52928a4458f28 |
| SHA256 | d37e54faccf247c73e59fec33001000567e44a4e0adf6f637c3aea32e76d8b11 |
| SHA512 | e3369f9848dcb0661c5d932f0702dffa304541b6a7a0a8c9753247cde1083277cd4ac3600927476dafc7be73fe0bae2ace0c7e7320ae8ac9fea0660edb777b9c |
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\data2.bin
| MD5 | d12826317bcc07a47d9e0b83fd487c5e |
| SHA1 | f129cfa73c8ae56e72c11f93e05823916bdc86f0 |
| SHA256 | b37677c2a7cdc0cc97d9f942fc0423037eb50b8f1685ceee45cf97b9477eaadd |
| SHA512 | 45297229d26909945a2422ab879611410f5c31d5f2eeb4c926a2d555c9a6771f02295ee9a65efdb893c8a44d88af0fc0224373f5ce0e6a408c42f02b25f76a36 |
memory/3300-113-0x0000000002D60000-0x0000000002E60000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\data.bin
| MD5 | 8b305b67e45165844d2f8547a085d782 |
| SHA1 | 92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722 |
| SHA256 | 776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b |
| SHA512 | 2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6 |
C:\tmpa\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/3300-118-0x0000000000400000-0x000000000054B000-memory.dmp
\??\c:\tmpa\script.au3
| MD5 | fbe2606010b7d86a18af938b3dcb08c6 |
| SHA1 | c67db324c8159dc141eab06379db31d276375dc4 |
| SHA256 | 3371278138866e0b7fd051b836dba80b06565944c4161ff0c11d5eda6c6c210f |
| SHA512 | 368c390c353ed1c1206607e5bc92dd71dddb6ab656c81e377f80962ec94af7d24d23996d921e38a850979b4b25021677fa897d97feb14665cf0fdf6ca484c22b |
memory/3220-121-0x0000000000B70000-0x0000000000F70000-memory.dmp
memory/3220-122-0x0000000003EE0000-0x000000000420A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\msiwrapper.ini
| MD5 | 7f72902bda1705ba4a11184574128a86 |
| SHA1 | 36e69b4253aa84fabf83f049b6ce09e9e9edb035 |
| SHA256 | 6c240f69de156720b95c2cfe2fc42c52bc103156ffe74c81195d4412d7310ddc |
| SHA512 | 8fe960bfb814f97d07f3aa89866b46be3798beefa668a98d706d14abd9559dbf38fd2cab4fa905ce14a44382bf1f41ff0f3314f779ee95561eb6026137dacc14 |
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\00005-3931689802.png
| MD5 | 66732fccbeee97415b033c017e594196 |
| SHA1 | 6db8fada912e6ea219b526cbe1a136a6afdabffb |
| SHA256 | dbefd6274b1ffc0d387d76972a9d93ea862d3be451aa3d0b8e0335708136addc |
| SHA512 | 70b11b616b108e284d8f47e9881db5c15e2a5d8ee41d6d0e26b43de19203811da6402e8f47d1845bc30e9ba8cbe71195c8594723c5ac966521dda2dc39f4a248 |
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\00004-4001132497.png
| MD5 | 2ccc17c1a5bb5e656e7f3bb09ff0beff |
| SHA1 | 05866cf7dd5fa99ea852b01c2791b30e7741ea19 |
| SHA256 | 411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2 |
| SHA512 | 46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5 |
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\00003-1310450276.png
| MD5 | 3f3788816f75078edb9817a98259a223 |
| SHA1 | 1eb191dd0dcff72f5922aa775dc95dced7967bd5 |
| SHA256 | a2f02cb0c6dbba41b8a4572c4546fbb7216efe8dc18ccef16e1a14d7f8ccddd0 |
| SHA512 | 2c17408796ba518ad117983526f5c0380a36b6f18974132a69923e95288c3ced9ca05e615ea5d567bde100c4cd8469bf172daba96f4e5032520ccb75560d5b62 |
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\00002-1969081335.png
| MD5 | 92028b5b43ea981f2172f2e9ce6556bf |
| SHA1 | 6da86abe3bc0caf500908ec7b8e841b797948fec |
| SHA256 | 7d5d5115c1f29592dba340a167e7144a539df8201578913fbbbb428b26d8c7ed |
| SHA512 | 1af0cb17ff6b09c49c0ea7433d665b123ea7e7c6a46c06088bfaeaee3a3ce01aab27105a36f906a17dc0c29c830ef54fb4b005b47cdecd3612ce9f0d3059c62f |
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\00001-3764640629.png
| MD5 | a384c8b03d6d72e9f9e268d265e8b435 |
| SHA1 | 3b238b66b33e2dc191da037973a79f01d50ee2d4 |
| SHA256 | 9310b4483d9e20dfdc28e8603a026f0c52b07089a290955629970b96a51b977b |
| SHA512 | 94ada636935ecf52ce4625b23216b0dde06e58fd09f34a4727531bf5299d45b5e705b8c043713f14cc8c007ba82645a0dc54402badea418bf3677967c960c565 |
C:\Users\Admin\AppData\Local\Temp\MW-fd08f0f0-7d38-433d-97ca-6646ef0da98e\files\00000-602071660.png
| MD5 | c5f6eb13db175fbcd0925434424df781 |
| SHA1 | 2197137928fff79f8b11e966ffb6a9eb5112a3c8 |
| SHA256 | 6571ea1fa9e8427418ab40ab1ea6e1555b7c59a2579b2f34dded39d81e8def50 |
| SHA512 | 40eca3c9a3c2ca653c5c78d1205250b2077265ad5cfb9609a6b34649699b62236c61d5cdb415767749ff86e91afe6830d98e6f5eb3390b2c57d28b4a45a220a4 |
C:\Windows\Installer\MSIC0FB.tmp
| MD5 | d82b3fb861129c5d71f0cd2874f97216 |
| SHA1 | f3fe341d79224126e950d2691d574d147102b18d |
| SHA256 | 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c |
| SHA512 | 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b |
\??\Volume{fd77526f-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{12c72381-9325-42bc-812b-0ac1679c84f4}_OnDiskSnapshotProp
| MD5 | 9deb91f1cecc82522ee61d7bb2c0cde2 |
| SHA1 | 494f3004d116baac0b0101f0075c086a35756b46 |
| SHA256 | 260cf72f1b87209b5b816bd08e9c31d4dd05224346be6d67d6f9b75252b46ca3 |
| SHA512 | e8dc110ef832b163a065a60377df88faea674b72b10e9aaaa856a6552bcc4ea7441e3745d00205060abeb7097bb0214a16fc23829f7ca90245a72ee08c9a9ea3 |
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
| MD5 | f06eb287d826ea7d6403fe2e4d903586 |
| SHA1 | ec3400d6cdab5694b6ece499ae2fc17b20702a5d |
| SHA256 | 1e727d74a8ce9caaf91cb534f2f986d6e5401a51d6e329e494bf3a91df9c8730 |
| SHA512 | 64db86b1c559038adc379d00e32f164091d023b1323fce23a4fea74bcd7e4fc94411dd181447f22469017a6d5d6ccd3830322aa9b5db2e55a6c76db00e75832f |
\??\c:\tmpa\autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
C:\tmpa\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/2412-147-0x0000000003E30000-0x0000000004030000-memory.dmp
memory/2412-148-0x000000000A380000-0x000000000A6AA000-memory.dmp
memory/2412-149-0x000000000A380000-0x000000000A6AA000-memory.dmp
C:\tmpa\Autoit3.exe
| MD5 | c56b5f0201a3b3de53e561fe76912bfd |
| SHA1 | 2a4062e10a5de813f5688221dbeb3f3ff33eb417 |
| SHA256 | 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d |
| SHA512 | 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c |
memory/1796-152-0x00007FFCD6190000-0x00007FFCD6C51000-memory.dmp
memory/1796-153-0x000000001CA70000-0x000000001CA80000-memory.dmp
memory/1796-154-0x000000001CA70000-0x000000001CA80000-memory.dmp
memory/1796-155-0x00007FF4D0590000-0x00007FF4D05A0000-memory.dmp
memory/1796-157-0x000000001CA70000-0x000000001CA80000-memory.dmp
memory/1796-156-0x00007FFCD6190000-0x00007FFCD6C51000-memory.dmp
memory/1796-158-0x000000001E4A0000-0x000000001E5A0000-memory.dmp
memory/1796-159-0x000000001CA70000-0x000000001CA80000-memory.dmp
memory/1796-160-0x000000001CA70000-0x000000001CA80000-memory.dmp
memory/1796-161-0x000000001CA70000-0x000000001CA80000-memory.dmp
memory/1796-162-0x000000001CA70000-0x000000001CA80000-memory.dmp
memory/1796-164-0x00007FF4D0590000-0x00007FF4D05A0000-memory.dmp
memory/1796-163-0x000000001CA70000-0x000000001CA80000-memory.dmp
memory/1796-165-0x000000001CA70000-0x000000001CA80000-memory.dmp
memory/1796-166-0x000000001E4A0000-0x000000001E5A0000-memory.dmp