Malware Analysis Report

2024-11-30 11:22

Sample ID 231102-rw846sfb77
Target 02112023_2233_00pack.msi
SHA256 32039dccac205468c9f43636815e636f4dc821081f495f4bacebbbaa6f05818d
Tags
darkgate user_871236672 discovery stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

32039dccac205468c9f43636815e636f4dc821081f495f4bacebbbaa6f05818d

Threat Level: Known bad

The file 02112023_2233_00pack.msi was found to be: Known bad.

Malicious Activity Summary

darkgate user_871236672 discovery stealer

DarkGate

Loads dropped DLL

Executes dropped EXE

Modifies file permissions

Enumerates connected drives

Drops file in Windows directory

Uses Volume Shadow Copy service COM API

Checks processor information in registry

Suspicious use of AdjustPrivilegeToken

Checks SCSI registry key(s)

Suspicious use of WriteProcessMemory

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-02 14:33

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-02 14:33

Reported

2023-11-02 14:36

Platform

win7-20231020-en

Max time kernel

117s

Max time network

120s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\02112023_2233_00pack.msi

Signatures

DarkGate

stealer darkgate

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f768ec9.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DPX\setuperr.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f768ec8.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f768ec8.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI9138.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DPX\setupact.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\Installer\f768ec9.ipi C:\Windows\system32\msiexec.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\tmpa\Autoit3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\tmpa\Autoit3.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1232 wrote to memory of 2504 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1232 wrote to memory of 2504 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1232 wrote to memory of 2504 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1232 wrote to memory of 2504 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1232 wrote to memory of 2504 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1232 wrote to memory of 2504 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1232 wrote to memory of 2504 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2504 wrote to memory of 2548 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2504 wrote to memory of 2548 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2504 wrote to memory of 2548 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2504 wrote to memory of 2548 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2504 wrote to memory of 1944 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 2504 wrote to memory of 1944 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 2504 wrote to memory of 1944 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 2504 wrote to memory of 1944 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 2504 wrote to memory of 2004 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe
PID 2504 wrote to memory of 2004 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe
PID 2504 wrote to memory of 2004 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe
PID 2504 wrote to memory of 2004 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe
PID 2504 wrote to memory of 2004 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe
PID 2504 wrote to memory of 2004 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe
PID 2504 wrote to memory of 2004 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe
PID 2004 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 2004 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 2004 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 2004 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 2504 wrote to memory of 832 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 832 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 832 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 832 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2504 wrote to memory of 1020 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2504 wrote to memory of 1020 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2504 wrote to memory of 1020 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2504 wrote to memory of 1020 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\02112023_2233_00pack.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B0" "0000000000000060"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding E9BADD34C05C8ED70E05D033ADDE8651

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

C:\Windows\SysWOW64\EXPAND.EXE

"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files

C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe

"C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe"

\??\c:\tmpa\Autoit3.exe

c:\tmpa\Autoit3.exe c:\tmpa\script.au3

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files"

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\." /SETINTEGRITYLEVEL (CI)(OI)LOW

Network

N/A

Files

C:\Windows\Installer\MSI9138.tmp

C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\msiwrapper.ini

C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files.cab

C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\windbg.exe

C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\dbgeng.dll

C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\data.bin

C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\data2.bin

memory/2004-102-0x0000000000460000-0x00000000004EA000-memory.dmp

C:\tmpa\Autoit3.exe

memory/2004-109-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2004-110-0x0000000000460000-0x00000000004EA000-memory.dmp

\??\c:\tmpa\script.au3

memory/1068-116-0x0000000002F60000-0x00000000030F5000-memory.dmp

memory/1068-115-0x0000000000810000-0x0000000000C10000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\00000-~1.PNG

C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\00005-~1.PNG

C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\00004-~1.PNG

C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\00003-~1.PNG

C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\00002-~1.PNG

C:\Users\Admin\AppData\Local\Temp\MW-1fba07a8-bedd-4cfe-a4fd-1870798a829e\files\00001-~1.PNG

memory/1068-125-0x0000000000810000-0x0000000000C10000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-02 14:33

Reported

2023-11-02 14:36

Platform

win10v2004-20231023-en

Max time kernel

136s

Max time network

147s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\02112023_2233_00pack.msi

Signatures

DarkGate

stealer darkgate

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\windbg.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\e59717d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\LOGS\DPX\setupact.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\Installer\MSI9D12.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI741D.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\LOGS\DPX\setuperr.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\Installer\MSI9D61.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e59717d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{55C146AB-B7F0-42D4-AD6E-0B25F80D0552} C:\Windows\system32\msiexec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\tmpa\Autoit3.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\tmpa\Autoit3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 3000 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2380 wrote to memory of 3000 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2380 wrote to memory of 4264 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2380 wrote to memory of 4264 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2380 wrote to memory of 4264 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4264 wrote to memory of 2920 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 4264 wrote to memory of 2920 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 4264 wrote to memory of 2920 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 4264 wrote to memory of 4860 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 4264 wrote to memory of 4860 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 4264 wrote to memory of 4860 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 4264 wrote to memory of 208 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\windbg.exe
PID 4264 wrote to memory of 208 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\windbg.exe
PID 4264 wrote to memory of 208 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\windbg.exe
PID 208 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 208 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 208 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 4264 wrote to memory of 1736 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 4264 wrote to memory of 1736 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 4264 wrote to memory of 1736 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\02112023_2233_00pack.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 5AAD83334083EEAB12443C3637FA4EBB

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

C:\Windows\SysWOW64\EXPAND.EXE

"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files

C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\windbg.exe

"C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\windbg.exe"

\??\c:\tmpa\Autoit3.exe

c:\tmpa\Autoit3.exe c:\tmpa\script.au3

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\." /SETINTEGRITYLEVEL (CI)(OI)LOW

Network

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 155.245.36.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 254.23.238.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 1.202.248.87.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.246.36.23.in-addr.arpa udp
US 8.8.8.8:53 27.73.42.20.in-addr.arpa udp

Files

C:\Windows\Installer\MSI741D.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\msiwrapper.ini

MD5 47902af84156be97b6d19a1b34c8d1dd
SHA1 a81f76568916851856813dbe3d4bd3f70d315e41
SHA256 648beb1847a35fa70635f249c07ce49ce5e4b124e0037ffd64e69d375da08cce
SHA512 042e8a708d57fbf0b4c068f50f567740caab582d0f1807f8bf375b65e654d2cad26521b35f1f1d8a09bd0033bd44f1d8b1b8bd1a387f8c751ff483db90b8e6ea

C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\msiwrapper.ini

MD5 c0d10733dc4db0547b480d645f36f460
SHA1 a85f51386df37771a6716d782ab282adfe27ba03
SHA256 57bcfab63a33627c347f5dc0d6ebd408b614f9378f9e7e826fde3a86ba260ac3
SHA512 44560d58b1d2aba6a79ba5d0e56893dec95d2e30e7e3fd962c7ae75923dafe4a962fce5a048239c5b444df8b26280b9c1565a91e41c09d7039c143d530844225

C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files.cab

MD5 f8ceecca1884b37c9042a24286112b40
SHA1 917c4066ca6071aa29ac51a09038bc6a451cd43a
SHA256 59b366a3c5a6132530fb9fbba7cd60d0558865e3e1d7c98e22c820608d13dc5d
SHA512 2d880cf0dafc731acd986c8d7b63fc18b86690aefae4f669438aae1134942b02a177d78677d7558eb1c7073fe891d830db49437913f7937bf201c7b5cb4b01d6

C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\dbgeng.dll

MD5 335f090d924818a80f31463d328b2ee5
SHA1 c4e147102f9c4d4d91f23f832db5880925460123
SHA256 4085eeda23270ed9cb734bd3b29189a3eae7c3659fe3c5f4c9dc5d2cb2b5d97e
SHA512 e3071caa6f142c32691fcca44578235d67666df2aad56052f2b35ba05d21bce78fff7018152e68f81a975c3882606688d986b3fdda02f3b9a319deb33fb03f3a

memory/208-102-0x0000000000970000-0x00000000009CE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\data2.bin

MD5 c07d78df2948c22e08ed45e1caac323a
SHA1 8436e0864fa52002039147b6fe178c4804b5d10f
SHA256 e807b074cceef5e7d939c1d717467fd1d5cb5e68de46fd405cd3c1d4add6e582
SHA512 876b6c9ca25d45f9c4a2dcd24c9a8e385f148ff48518aa4e8cf298c24daf2a878323391e76ca893abe22dc6e9a33ef7f0461676f35802bbe57ade77ffe90c340

memory/208-105-0x00000000023C0000-0x000000000244A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\data.bin

MD5 8b305b67e45165844d2f8547a085d782
SHA1 92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722
SHA256 776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b
SHA512 2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

C:\tmpa\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/208-110-0x0000000000970000-0x00000000009CE000-memory.dmp

memory/208-111-0x00000000023C0000-0x000000000244A000-memory.dmp

\??\c:\tmpa\script.au3

MD5 48eeb1337636486be6435ded79fe941d
SHA1 015f1736bbca8bd9af17fb8e3548d65b55d56a0d
SHA256 21052c7eb3b48e77a2c274a163256c433df776709fd22b98dcd34f64ecf0f1dd
SHA512 a00c033b11d65dad96efe5d3589704a68588e482407bd239a7c3adbf3d023abe2eabbc87f556059a1be16cdc32969ab71863e95ac96403adffca3ca74696a3db

C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\msiwrapper.ini

MD5 e81a1e2a879bf6ed8554e28b20674766
SHA1 400b263075f3b2472e9a4dfd37d095b7594e0962
SHA256 fc5661eb4a90fc8c8c91ee73a690c961a0595cfd22cd774c230a71fb66e35b71
SHA512 4b61df0701e55c6d7cc7ad9b7fa47bfa451defdd8a403eca6a5bfb8dc953d5f21cddc541f3308c5b15bf9f49e33a3dfed62043c8be15b9d35e47f470408e848a

C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\00005-3931689802.png

MD5 66732fccbeee97415b033c017e594196
SHA1 6db8fada912e6ea219b526cbe1a136a6afdabffb
SHA256 dbefd6274b1ffc0d387d76972a9d93ea862d3be451aa3d0b8e0335708136addc
SHA512 70b11b616b108e284d8f47e9881db5c15e2a5d8ee41d6d0e26b43de19203811da6402e8f47d1845bc30e9ba8cbe71195c8594723c5ac966521dda2dc39f4a248

C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\00004-4001132497.png

MD5 2ccc17c1a5bb5e656e7f3bb09ff0beff
SHA1 05866cf7dd5fa99ea852b01c2791b30e7741ea19
SHA256 411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2
SHA512 46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5

C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\00003-1310450276.png

MD5 3f3788816f75078edb9817a98259a223
SHA1 1eb191dd0dcff72f5922aa775dc95dced7967bd5
SHA256 a2f02cb0c6dbba41b8a4572c4546fbb7216efe8dc18ccef16e1a14d7f8ccddd0
SHA512 2c17408796ba518ad117983526f5c0380a36b6f18974132a69923e95288c3ced9ca05e615ea5d567bde100c4cd8469bf172daba96f4e5032520ccb75560d5b62

C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\00002-1969081335.png

MD5 92028b5b43ea981f2172f2e9ce6556bf
SHA1 6da86abe3bc0caf500908ec7b8e841b797948fec
SHA256 7d5d5115c1f29592dba340a167e7144a539df8201578913fbbbb428b26d8c7ed
SHA512 1af0cb17ff6b09c49c0ea7433d665b123ea7e7c6a46c06088bfaeaee3a3ce01aab27105a36f906a17dc0c29c830ef54fb4b005b47cdecd3612ce9f0d3059c62f

C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\00001-3764640629.png

MD5 a384c8b03d6d72e9f9e268d265e8b435
SHA1 3b238b66b33e2dc191da037973a79f01d50ee2d4
SHA256 9310b4483d9e20dfdc28e8603a026f0c52b07089a290955629970b96a51b977b
SHA512 94ada636935ecf52ce4625b23216b0dde06e58fd09f34a4727531bf5299d45b5e705b8c043713f14cc8c007ba82645a0dc54402badea418bf3677967c960c565

C:\Users\Admin\AppData\Local\Temp\MW-64f629d3-8c4d-440d-944e-619d1c296764\files\00000-602071660.png

MD5 c5f6eb13db175fbcd0925434424df781
SHA1 2197137928fff79f8b11e966ffb6a9eb5112a3c8
SHA256 6571ea1fa9e8427418ab40ab1ea6e1555b7c59a2579b2f34dded39d81e8def50
SHA512 40eca3c9a3c2ca653c5c78d1205250b2077265ad5cfb9609a6b34649699b62236c61d5cdb415767749ff86e91afe6830d98e6f5eb3390b2c57d28b4a45a220a4

memory/1648-122-0x0000000001560000-0x0000000001960000-memory.dmp

C:\Windows\Installer\MSI9D61.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

memory/1648-121-0x00000000042D0000-0x0000000004465000-memory.dmp

\??\Volume{c2d04a06-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8c94ef69-62e5-4399-bac5-3c7aa84254b2}_OnDiskSnapshotProp

MD5 8d61fc1f0de3ab13f0aff00ce8e3867e
SHA1 2c96d1b44747b8234e022e2b64aeaf5783fab379
SHA256 62a66cdb5bae620a5f7792ee453a7114a27df6f957fa72395206e5433d5feace
SHA512 42d015b7b4787aadf14159e71d3968aa9d579327f1e8b23a9ac62de1ff9ff5a324d50a9953dda29137b7f7f05fb5cad6f5992b3d0a8b4785a58a4db2b574d858

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 98b1a401cbe189fe34a6148cfd1c2ca3
SHA1 d895a1a3bd1857c257b5a5d519f225faa5ed1f9c
SHA256 8570d1d1527971f7996b428be4019b7e744590a320f32f7a5ace1addb1279134
SHA512 495f5943a726bfb3d32e4e83cb874371a8ca4bcdca9d72014ef0e0064289f2019495c0381ab451f14fb11397617259e74ae595aa0b87fc3ac17ee6f08cf84b77