Malware Analysis Report

2024-11-30 11:20

Sample ID 231103-bmnh4shh4y
Target 2a2cfd61d4ebc2f4956e9a56815b7c0f.bin
SHA256 9a04642537126dfbe384c18c082b04b705e08d1a0b167a7e2dd6c18f02d38054
Tags
darkgate ads5 discovery stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

9a04642537126dfbe384c18c082b04b705e08d1a0b167a7e2dd6c18f02d38054

Threat Level: Known bad

The file 2a2cfd61d4ebc2f4956e9a56815b7c0f.bin was found to be: Known bad.

Malicious Activity Summary

darkgate ads5 discovery stealer

DarkGate

Loads dropped DLL

Modifies file permissions

Executes dropped EXE

Enumerates connected drives

Drops file in Windows directory

Suspicious use of AdjustPrivilegeToken

Uses Volume Shadow Copy service COM API

Modifies data under HKEY_USERS

Checks SCSI registry key(s)

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-03 01:15

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-03 01:15

Reported

2023-11-03 01:19

Platform

win10v2004-20231020-en

Max time kernel

108s

Max time network

149s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3a67f1634416de1483327e8cfe38c456f6891512433f5128df07444e44b886cd.msi

Signatures

DarkGate

stealer darkgate

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\windbg.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIC9A5.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{2C553FE4-D9D1-4FCD-8E6F-BBC4FF2FC0EA} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSI91AC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\LOGS\DPX\setuperr.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\Installer\MSIC9E5.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e5882f6.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e5882f6.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\LOGS\DPX\setupact.log C:\Windows\SysWOW64\EXPAND.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000299f28d78dcfadf0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000299f28d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809000299f28d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d0299f28d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000299f28d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\tmpa\Autoit3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\tmpa\Autoit3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4076 wrote to memory of 4336 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4076 wrote to memory of 4336 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 4076 wrote to memory of 1052 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4076 wrote to memory of 1052 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 4076 wrote to memory of 1052 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1052 wrote to memory of 4852 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 1052 wrote to memory of 4852 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 1052 wrote to memory of 4852 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 1052 wrote to memory of 3964 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 1052 wrote to memory of 3964 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 1052 wrote to memory of 3964 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 1052 wrote to memory of 3668 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\windbg.exe
PID 1052 wrote to memory of 3668 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\windbg.exe
PID 1052 wrote to memory of 3668 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\windbg.exe
PID 3668 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 3668 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 3668 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 1052 wrote to memory of 3972 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 1052 wrote to memory of 3972 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 1052 wrote to memory of 3972 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE

Uses Volume Shadow Copy service COM API

ransomware

In this detonation the VSS activity belongs to C:\Windows\system32\vssvc.exe and C:\Windows\system32\srtasks.exe (ExecuteScopeRestorePoint /WaitForRestorePoint:2), both active while msiexec.exe installs the package: this is the Windows Installer creating a System Restore point, and the same snapshot operation accounts for the vssvc.exe writes to the Partmgr cache values listed under "Checks SCSI registry key(s)". No shadow-copy deletion is recorded, so the ransomware tag on this signature reflects the API that was called, not observed destructive behaviour.

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3a67f1634416de1483327e8cfe38c456f6891512433f5128df07444e44b886cd.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 01A318491C35EAAB5C08C1905FAF4C5D

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

C:\Windows\SysWOW64\EXPAND.EXE

"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files

C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\windbg.exe

"C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\windbg.exe"

\??\c:\tmpa\Autoit3.exe

c:\tmpa\Autoit3.exe c:\tmpa\script.au3

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\." /SETINTEGRITYLEVEL (CI)(OI)LOW
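The process list above records the whole delivery chain: msiexec.exe hands the package to a 32-bit MsiExec.exe custom-action host, which raises the integrity label of the MW-<guid> staging folder with ICACLS, expands files.cab into files\, starts the staged windbg.exe (a Microsoft debugger, with the dropped dbgeng.dll placed beside it, which is the "Loads dropped DLL" signature), and windbg.exe in turn launches c:\tmpa\Autoit3.exe with c:\tmpa\script.au3, after which ICACLS lowers the label again. The Python script below is an added example, not part of the sandbox report or any vendor tooling: it rebuilds that parent/child tree from process-creation events and flags the three links that separate this chain from an ordinary MSI install. The events are constructed from the PIDs, image paths and command lines in the WriteProcessMemory and Processes tables of this report; the parent PID of the top-level msiexec.exe is not recorded and is set to 0, and the rule names are the example's own.

```python
"""Flag the msiexec -> MsiExec -> windbg.exe -> Autoit3.exe chain from process-creation events.

Added example; not part of the sandbox report. Events are modelled on Sysmon
Event ID 1 fields (pid, ppid, image, command line). Rule names are the example's own.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


# Staging folder shape taken from the report: ...\AppData\Local\Temp\MW-<guid>\
MW_TEMP = re.compile(r"\\AppData\\Local\\Temp\\MW-[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\\", re.I)
AU3_SCRIPT = re.compile(r"\.au3\b", re.I)

# Constructed from the behavioral2 tables. The parent of the first msiexec.exe is not
# recorded in the report, so ppid=0 is an assumption for the root of the tree.
EVENTS: List[ProcEvent] = [
    ProcEvent(4076, 0, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    ProcEvent(4336, 4076, r"C:\Windows\system32\srtasks.exe",
              r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    ProcEvent(1052, 4076, r"C:\Windows\syswow64\MsiExec.exe",
              r"C:\Windows\syswow64\MsiExec.exe -Embedding 01A318491C35EAAB5C08C1905FAF4C5D"),
    ProcEvent(4852, 1052, r"C:\Windows\SysWOW64\ICACLS.EXE",
              r'"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\." /SETINTEGRITYLEVEL (CI)(OI)HIGH'),
    ProcEvent(3964, 1052, r"C:\Windows\SysWOW64\EXPAND.EXE", r'"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files'),
    ProcEvent(3668, 1052, r"C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\windbg.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\windbg.exe"'),
    ProcEvent(2412, 3668, r"\??\c:\tmpa\Autoit3.exe", r"c:\tmpa\Autoit3.exe c:\tmpa\script.au3"),
    ProcEvent(3972, 1052, r"C:\Windows\SysWOW64\ICACLS.EXE",
              r'"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\." /SETINTEGRITYLEVEL (CI)(OI)LOW'),
]


def basename(path: str) -> str:
    """Last path component, lower-cased; tolerates the \\??\\ prefix and mixed separators."""
    return path.replace("/", "\\").rstrip("\\").rsplit("\\", 1)[-1].lower()


def ancestry(events: List[ProcEvent], pid: int) -> List[str]:
    """Image basenames from pid upwards, stopping at the first parent absent from the events."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def detect(events: List[ProcEvent]) -> List[Tuple[str, int]]:
    """Return (rule, pid) pairs for every event that matches one of the three chain links."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Tuple[str, int]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else ""
        name = basename(e.image)
        # Rule 1: a MsiExec custom action starts an EXE straight out of the MW-<guid> staging dir.
        if pimg == "msiexec.exe" and MW_TEMP.search(e.image):
            findings.append(("msi_wrapper_staged_exe", e.pid))
        # Rule 2: ICACLS rewrites the integrity label of that staging dir on MsiExec's behalf.
        if (name == "icacls.exe" and pimg == "msiexec.exe"
                and "/SETINTEGRITYLEVEL" in e.cmdline.upper() and MW_TEMP.search(e.cmdline)):
            findings.append(("icacls_integrity_on_msi_temp", e.pid))
        # Rule 3: the AutoIt interpreter runs a .au3 script and its parent is a windbg.exe
        # that lives somewhere other than its installed location under Program Files.
        if (name == "autoit3.exe" and AU3_SCRIPT.search(e.cmdline)
                and pimg == "windbg.exe" and "program files" not in parent.image.lower()):
            findings.append(("autoit_from_relocated_windbg", e.pid))
    return findings


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:32} pid={pid}  chain={' <- '.join(ancestry(EVENTS, pid))}")
```

Rule 3 is the one worth keeping as a standing detection: a debugger binary executing from a user-writable temp folder and spawning an AutoIt interpreter with a script from c:\tmpa has no benign counterpart, whereas Rules 1 and 2 will also fire on legitimate packages built with the same wrapper and are better used for triage context than for alerting.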

Network

The traffic recorded below consists of reverse-DNS (in-addr.arpa) lookups sent to 8.8.8.8 and TLS connections to tse1.mm.bing.net, which is Windows background activity on the sandbox image. None of these destinations is tied to the dropped windbg.exe/Autoit3.exe stage anywhere in this report, so they should not be used as DarkGate command-and-control indicators.

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 126.24.238.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 39.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 98.142.81.104.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 146.99.217.23.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

C:\Windows\Installer\MSI91AC.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

\??\Volume{8df29902-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d79e61de-092d-4b38-8f49-134df5dfa513}_OnDiskSnapshotProp

MD5 775747b367914762dfa46f9825542866
SHA1 3f148b4156c9928d81facf7ce3df8cb532d21de6
SHA256 691ee7752ac750b2730725b3f0983e69a08d28bb0aba1828f9af67d3c0ab193a
SHA512 82f64f70a7ad13c8b12ef460f06dadc500ba427479890ce4d2a76ff022bd7a80f58a8945657b87a007a02dc2792317ec5cfc471dce38b017ccc228ecd30d3cae

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 565e5f06d0779235d33cc56ade754f06
SHA1 bf5b882a51ddb85aca878b7c148332701f2359be
SHA256 24207b1a9defdf83c4f636226559800ef0ee4ea57649e68cc3b6cbfb1e17fb3f
SHA512 1d5d695f8e3a838fde5cb15ee3c0883c75738bbdc5cc4683fd01e632d7897230e18effa38d5d4a1dadc9d15f03b1c7a37bf5b2176fbecf223556e4491941d539

C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\msiwrapper.ini

MD5 0cee3f96f1a6f352d0a3196e72b3c21c
SHA1 b389b9e5ce17660326e02b28b88eb0ebc0dce856
SHA256 911ffb5c3dd8d6d99bcbfee0635d77640c805220af6ce6c95817820618337ec3
SHA512 02bb320269a3b327ac3099880335e3ebf75db6a94937dc8456a02bbd5647a9fe243114519ec2ac47246b0b21ab2cdef2b164fc183340a4c6e6f25b59d3dbee04

C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files.cab

MD5 7549bc55ffdc58192eddaaef4a08f040
SHA1 7080f130a8893fe09fc54cf15b87424b57dfe008
SHA256 1f5ceee9b9bb5c3f8619f293a8df9bedb2764d0041e2add91ba04985a5601bee
SHA512 d1b0b09322711ae29f189ae58c1dd3279c7c81f9ad1d4cf4379c42fc82e6361439b877e14fc998ef759af6708cc9880900909efdf5c00331a691ca0d410c1736

C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\dbgeng.dll

MD5 335f090d924818a80f31463d328b2ee5
SHA1 c4e147102f9c4d4d91f23f832db5880925460123
SHA256 4085eeda23270ed9cb734bd3b29189a3eae7c3659fe3c5f4c9dc5d2cb2b5d97e
SHA512 e3071caa6f142c32691fcca44578235d67666df2aad56052f2b35ba05d21bce78fff7018152e68f81a975c3882606688d986b3fdda02f3b9a319deb33fb03f3a

memory/3668-104-0x0000000000880000-0x00000000008DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\data.bin

MD5 8b305b67e45165844d2f8547a085d782
SHA1 92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722
SHA256 776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b
SHA512 2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\data2.bin

MD5 ebd72e79cf2fd580561a5fd219f1aa7d
SHA1 57f4b307022a65d1cf6afc60f3717b8c05a88974
SHA256 809b1ac22af6b499e95d7ff48b6d7f14293804889218feb76e875dc05a06bbd2
SHA512 c53cfefd83cabddd90c1acee3a85d0edb364d7d49913e63958374534c6c476329be7264cef3ed8624cfbe3b3bdf9aad1c23be16dc7ea0efc86974fa9b57e873c

memory/3668-107-0x0000000002310000-0x000000000239A000-memory.dmp

C:\tmpa\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/3668-112-0x0000000000880000-0x00000000008DE000-memory.dmp

memory/3668-113-0x0000000002310000-0x000000000239A000-memory.dmp

\??\c:\tmpa\script.au3

MD5 43457fd457324c4b908952aeb443e119
SHA1 412fdc015fab68ca639b476cdd4109742512676f
SHA256 047f7861cc69dc9dc29e0d240b6c4a2db24f0e82cf61ccd338197cdb7ea175ed
SHA512 4de8dbf26e16a436798d209d07375121108a31c18fd0a303c732473886a78049226226a56a8975b684048491a1d80e32a53084a2056358ebd94ac47e0aa3731e

C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\00000-602071660.png

MD5 c5f6eb13db175fbcd0925434424df781
SHA1 2197137928fff79f8b11e966ffb6a9eb5112a3c8
SHA256 6571ea1fa9e8427418ab40ab1ea6e1555b7c59a2579b2f34dded39d81e8def50
SHA512 40eca3c9a3c2ca653c5c78d1205250b2077265ad5cfb9609a6b34649699b62236c61d5cdb415767749ff86e91afe6830d98e6f5eb3390b2c57d28b4a45a220a4

C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\msiwrapper.ini

MD5 150fc4121bf74eef5542123829211db3
SHA1 a3f8b69c00556bfff7dda2722f88b666fb36b97f
SHA256 fc7d9f9b941b237415d4eb33f085a84b852f929949112e6272ed47c13bee921b
SHA512 158b7afc09074d73b08f069b50356ab1183eb9b07a4006d91f017b50dafe49a9168db92e209f110b13a8fe4a7d06c976e574392d3d3d7e8f1fa75d03352ae6d0

C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\00005-3931689802.png

MD5 66732fccbeee97415b033c017e594196
SHA1 6db8fada912e6ea219b526cbe1a136a6afdabffb
SHA256 dbefd6274b1ffc0d387d76972a9d93ea862d3be451aa3d0b8e0335708136addc
SHA512 70b11b616b108e284d8f47e9881db5c15e2a5d8ee41d6d0e26b43de19203811da6402e8f47d1845bc30e9ba8cbe71195c8594723c5ac966521dda2dc39f4a248

C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\00004-4001132497.png

MD5 2ccc17c1a5bb5e656e7f3bb09ff0beff
SHA1 05866cf7dd5fa99ea852b01c2791b30e7741ea19
SHA256 411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2
SHA512 46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5

C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\00003-1310450276.png

MD5 3f3788816f75078edb9817a98259a223
SHA1 1eb191dd0dcff72f5922aa775dc95dced7967bd5
SHA256 a2f02cb0c6dbba41b8a4572c4546fbb7216efe8dc18ccef16e1a14d7f8ccddd0
SHA512 2c17408796ba518ad117983526f5c0380a36b6f18974132a69923e95288c3ced9ca05e615ea5d567bde100c4cd8469bf172daba96f4e5032520ccb75560d5b62

C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\00002-1969081335.png

MD5 92028b5b43ea981f2172f2e9ce6556bf
SHA1 6da86abe3bc0caf500908ec7b8e841b797948fec
SHA256 7d5d5115c1f29592dba340a167e7144a539df8201578913fbbbb428b26d8c7ed
SHA512 1af0cb17ff6b09c49c0ea7433d665b123ea7e7c6a46c06088bfaeaee3a3ce01aab27105a36f906a17dc0c29c830ef54fb4b005b47cdecd3612ce9f0d3059c62f

C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\00001-3764640629.png

MD5 a384c8b03d6d72e9f9e268d265e8b435
SHA1 3b238b66b33e2dc191da037973a79f01d50ee2d4
SHA256 9310b4483d9e20dfdc28e8603a026f0c52b07089a290955629970b96a51b977b
SHA512 94ada636935ecf52ce4625b23216b0dde06e58fd09f34a4727531bf5299d45b5e705b8c043713f14cc8c007ba82645a0dc54402badea418bf3677967c960c565

memory/2412-123-0x0000000001600000-0x0000000001A00000-memory.dmp

memory/2412-124-0x00000000044A0000-0x0000000004635000-memory.dmp

C:\Windows\Installer\MSIC9E5.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b


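Several entries in the Files list above are repeated verbatim, two different paths (C:\Windows\Installer\MSI91AC.tmp and C:\Windows\Installer\MSIC9E5.tmp) carry one and the same SHA256, and msiwrapper.ini appears with two different digests because it was rewritten during the install. Before these digests go into a blocklist or are shared as indicators they should be deduplicated, checked for well-formedness and sorted into "one hash, many paths" and "one path, many hashes". The Python script below is an added example, not part of the report: it parses the plain-text Files format used here (a path line followed by MD5/SHA1/SHA256/SHA512 lines, with memory/... dump entries carrying no digests), rejects a digest of the wrong length, and groups the records both ways. The embedded sample is an abridged copy of the records above.

```python
"""Parse the plain-text Files list of this report into deduplicated, validated IOCs.

Added example (not part of the sandbox report). Input format assumed: a path line,
then zero or more "MD5 <hex>", "SHA1 <hex>", "SHA256 <hex>", "SHA512 <hex>" lines;
"memory/..." lines are in-memory dump entries that carry no digests.
"""
import re
from collections import defaultdict
from typing import Dict, List

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_LINE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")

# Abridged copy of the Files section of behavioral2 (digests as printed in the report).
SAMPLE = r"""
C:\Windows\Installer\MSI91AC.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

C:\Windows\Installer\MSI91AC.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\msiwrapper.ini

MD5 0cee3f96f1a6f352d0a3196e72b3c21c
SHA1 b389b9e5ce17660326e02b28b88eb0ebc0dce856
SHA256 911ffb5c3dd8d6d99bcbfee0635d77640c805220af6ce6c95817820618337ec3

C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\dbgeng.dll

MD5 335f090d924818a80f31463d328b2ee5
SHA1 c4e147102f9c4d4d91f23f832db5880925460123
SHA256 4085eeda23270ed9cb734bd3b29189a3eae7c3659fe3c5f4c9dc5d2cb2b5d97e

memory/3668-104-0x0000000000880000-0x00000000008DE000-memory.dmp

C:\tmpa\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

\??\c:\tmpa\script.au3

MD5 43457fd457324c4b908952aeb443e119
SHA1 412fdc015fab68ca639b476cdd4109742512676f
SHA256 047f7861cc69dc9dc29e0d240b6c4a2db24f0e82cf61ccd338197cdb7ea175ed

C:\Windows\Installer\MSIC9E5.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\msiwrapper.ini

MD5 150fc4121bf74eef5542123829211db3
SHA1 a3f8b69c00556bfff7dda2722f88b666fb36b97f
SHA256 fc7d9f9b941b237415d4eb33f085a84b852f929949112e6272ed47c13bee921b
"""


def parse_files_section(text: str) -> List[dict]:
    """Turn the report text into records; raise on a digest of the wrong length."""
    records: List[dict] = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_LINE.match(line)
        if m and current is not None:
            algo, digest = m.group(1), m.group(2).lower()
            if len(digest) != HASH_LEN[algo]:
                raise ValueError(f"{current['path']}: {algo} has {len(digest)} hex chars, expected {HASH_LEN[algo]}")
            current["hashes"][algo] = digest
            continue
        # Any other non-empty line starts a new record (a path or a memory/... dump entry).
        current = {"path": line, "kind": "memdump" if line.startswith("memory/") else "file", "hashes": {}}
        records.append(current)
    return records


def group_by_sha256(records: List[dict]) -> Dict[str, List[str]]:
    """SHA256 -> distinct paths carrying it; repeated entries collapse to one."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        sha = r["hashes"].get("SHA256")
        if sha and r["path"] not in groups[sha]:
            groups[sha].append(r["path"])
    return dict(groups)


def rewritten_paths(records: List[dict]) -> Dict[str, List[str]]:
    """Paths recorded with more than one SHA256, i.e. files that changed during the run."""
    seen: Dict[str, List[str]] = defaultdict(list)
    for r in records:
        sha = r["hashes"].get("SHA256")
        if sha and sha not in seen[r["path"]]:
            seen[r["path"]].append(sha)
    return {p: shas for p, shas in seen.items() if len(shas) > 1}


if __name__ == "__main__":
    recs = parse_files_section(SAMPLE)
    for sha, paths in group_by_sha256(recs).items():
        print(sha, *paths, sep="\n    ")
    print("rewritten during run:", rewritten_paths(recs))
```

For blocking, the SHA256 values of windbg.exe, dbgeng.dll, Autoit3.exe and script.au3 are the ones that matter; the C:\Windows\Installer\*.tmp digests are Windows Installer scratch copies that any package will reproduce and belong in triage notes rather than in a blocklist.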
Analysis: behavioral1

Detonation Overview

Submitted

2023-11-03 01:15

Reported

2023-11-03 01:18

Platform

win7-20231020-en

Max time kernel

120s

Max time network

124s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3a67f1634416de1483327e8cfe38c456f6891512433f5128df07444e44b886cd.msi

Signatures

DarkGate

stealer darkgate

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MW-4017faf2-e7cb-4e46-9eca-ed50af1f375c\files\windbg.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Installer\MSIC8AC.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DPX\setuperr.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\Installer\f76b01e.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76b01d.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76b01d.msi C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\f76b01e.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DPX\setupact.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\tmpa\Autoit3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\tmpa\Autoit3.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1724 wrote to memory of 2684 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2684 wrote to memory of 1940 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 2684 wrote to memory of 1584 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 2684 wrote to memory of 1104 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-4017faf2-e7cb-4e46-9eca-ed50af1f375c\files\windbg.exe
PID 1104 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\MW-4017faf2-e7cb-4e46-9eca-ed50af1f375c\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 2684 wrote to memory of 1932 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 2684 wrote to memory of 1260 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3a67f1634416de1483327e8cfe38c456f6891512433f5128df07444e44b886cd.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004DC" "00000000000005D4"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 57B20563DF6EB729C29624FC52F1D7C0

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-4017faf2-e7cb-4e46-9eca-ed50af1f375c\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

C:\Windows\SysWOW64\EXPAND.EXE

"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files

C:\Users\Admin\AppData\Local\Temp\MW-4017faf2-e7cb-4e46-9eca-ed50af1f375c\files\windbg.exe

"C:\Users\Admin\AppData\Local\Temp\MW-4017faf2-e7cb-4e46-9eca-ed50af1f375c\files\windbg.exe"

\??\c:\tmpa\Autoit3.exe

c:\tmpa\Autoit3.exe c:\tmpa\script.au3

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-4017faf2-e7cb-4e46-9eca-ed50af1f375c\files"

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-4017faf2-e7cb-4e46-9eca-ed50af1f375c\." /SETINTEGRITYLEVEL (CI)(OI)LOW

Network

N/A

Files

C:\Windows\Installer\MSIC8AC.tmp

C:\Users\Admin\AppData\Local\Temp\MW-4017faf2-e7cb-4e46-9eca-ed50af1f375c\msiwrapper.ini

C:\Users\Admin\AppData\Local\Temp\MW-4017faf2-e7cb-4e46-9eca-ed50af1f375c\files.cab

C:\Users\Admin\AppData\Local\Temp\MW-4017faf2-e7cb-4e46-9eca-ed50af1f375c\files\windbg.exe

C:\Users\Admin\AppData\Local\Temp\MW-4017faf2-e7cb-4e46-9eca-ed50af1f375c\files\dbgeng.dll

C:\Users\Admin\AppData\Local\Temp\MW-4017faf2-e7cb-4e46-9eca-ed50af1f375c\files\data.bin

memory/1104-103-0x0000000000360000-0x00000000003EA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-4017faf2-e7cb-4e46-9eca-ed50af1f375c\files\data2.bin

C:\tmpa\Autoit3.exe

memory/1104-110-0x0000000000400000-0x000000000045E000-memory.dmp

memory/1104-112-0x0000000000360000-0x00000000003EA000-memory.dmp

\??\c:\tmpa\script.au3

memory/2040-116-0x0000000002A50000-0x0000000002BE5000-memory.dmp

memory/2040-117-0x00000000008B0000-0x0000000000CB0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-4017faf2-e7cb-4e46-9eca-ed50af1f375c\files\00005-~1.PNG

C:\Users\Admin\AppData\Local\Temp\MW-4017faf2-e7cb-4e46-9eca-ed50af1f375c\files\00004-~1.PNG

C:\Users\Admin\AppData\Local\Temp\MW-4017faf2-e7cb-4e46-9eca-ed50af1f375c\files\00003-~1.PNG

C:\Users\Admin\AppData\Local\Temp\MW-4017faf2-e7cb-4e46-9eca-ed50af1f375c\files\00002-~1.PNG

C:\Users\Admin\AppData\Local\Temp\MW-4017faf2-e7cb-4e46-9eca-ed50af1f375c\files\00001-~1.PNG

C:\Users\Admin\AppData\Local\Temp\MW-4017faf2-e7cb-4e46-9eca-ed50af1f375c\files\00000-~1.PNG