darkgate | ea94c5aef721f20aa4dc76d932f4b78780989ba636914e7aed9aa0d60a5ff080

Resubmissions

06-11-2023 19:54

231106-ymqd2afe74 10

06-11-2023 19:50

231106-yka7bsea21 10

Analysis

max time kernel
147s
max time network
151s
platform
windows10-1703_x64
resource
win10-20231023-en
resource tags

arch:x64arch:x86image:win10-20231023-enlocale:en-usos:windows10-1703-x64system
submitted
06-11-2023 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7.msi
Size

9.2MB
MD5

69f900118f985990f488121cd1cf5e2b
SHA1

33f6b7aac2afaba74eeac1a44ba9ec5d0a53d00c
SHA256

1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7
SHA512

09ae36c29bfbb09ed1fdc3da5ed365fa61cf2905e177909b6a8fcef8e0a25742d1acffdb13378b91c3fa607ecece4de39b380894b6df9152f06350972bbfaa42
SSDEEP

196608:zhbWzPMCeNrs0rczeuNr/QnMOsaB9QVuHSzdUupBqbHSDjs6cv1HDQfgaP:FbWzPM5HCZNrgMVw6wyZUupkjSPcv1jO

Score

10^/10

darkgate civilian1337 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

civilian1337

http://185.130.227.202

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
2351
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
VPsTDMdPtonzYs
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
civilian1337

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 64 IoCs

description	pid	Process	procid_target
PID 1668 created 4940	1668	Autoit3.exe	87
PID 1668 created 4260	1668	Autoit3.exe	88
PID 1668 created 2836	1668	Autoit3.exe	16
PID 1668 created 2824	1668	Autoit3.exe	36
PID 1668 created 2836	1668	Autoit3.exe	16
PID 4524 created 5088	4524	cmd.exe	86
PID 4524 created 5088	4524	cmd.exe	86
PID 4524 created 784	4524	cmd.exe	18
PID 4524 created 3576	4524	cmd.exe	30
PID 4524 created 1596	4524	cmd.exe	28
PID 4524 created 356	4524	cmd.exe	20
PID 4524 created 2836	4524	cmd.exe	16
PID 4524 created 2836	4524	cmd.exe	16
PID 4524 created 5088	4524	cmd.exe	86
PID 4524 created 2824	4524	cmd.exe	36
PID 4524 created 2836	4524	cmd.exe	16
PID 4524 created 5088	4524	cmd.exe	86
PID 4524 created 3576	4524	cmd.exe	30
PID 4524 created 3852	4524	cmd.exe	29
PID 4524 created 3576	4524	cmd.exe	30
PID 4524 created 356	4524	cmd.exe	20
PID 4524 created 3576	4524	cmd.exe	30
PID 4524 created 3852	4524	cmd.exe	29
PID 4524 created 5088	4524	cmd.exe	86
PID 4524 created 3576	4524	cmd.exe	30
PID 4524 created 2836	4524	cmd.exe	16
PID 4524 created 2824	4524	cmd.exe	36
PID 4524 created 2824	4524	cmd.exe	36
PID 4524 created 3560	4524	cmd.exe	17
PID 4524 created 2824	4524	cmd.exe	36
PID 4524 created 2824	4524	cmd.exe	36
PID 4524 created 3852	4524	cmd.exe	29
PID 4524 created 1596	4524	cmd.exe	28
PID 4524 created 5088	4524	cmd.exe	86
PID 4524 created 5088	4524	cmd.exe	86
PID 4524 created 3576	4524	cmd.exe	30
PID 4524 created 1596	4524	cmd.exe	28
PID 4524 created 3576	4524	cmd.exe	30
PID 4524 created 5088	4524	cmd.exe	86
PID 4524 created 1596	4524	cmd.exe	28
PID 4524 created 5088	4524	cmd.exe	86
PID 4524 created 784	4524	cmd.exe	18
PID 4524 created 3560	4524	cmd.exe	17
PID 4524 created 784	4524	cmd.exe	18
PID 4524 created 2900	4524	cmd.exe	35
PID 4524 created 3560	4524	cmd.exe	17
PID 4524 created 1596	4524	cmd.exe	28
PID 4524 created 5088	4524	cmd.exe	86
PID 4524 created 3560	4524	cmd.exe	17
PID 4524 created 784	4524	cmd.exe	18
PID 4524 created 5088	4524	cmd.exe	86
PID 4524 created 784	4524	cmd.exe	18
PID 4524 created 3560	4524	cmd.exe	17
PID 4524 created 356	4524	cmd.exe	20
PID 4524 created 2824	4524	cmd.exe	36
PID 4524 created 2824	4524	cmd.exe	36
PID 4524 created 2836	4524	cmd.exe	16
PID 4524 created 784	4524	cmd.exe	18
PID 4524 created 3560	4524	cmd.exe	17
PID 4524 created 4520	4524	cmd.exe	92
PID 4524 created 2836	4524	cmd.exe	16
PID 4524 created 1596	4524	cmd.exe	28
PID 4524 created 3576	4524	cmd.exe	30
PID 4524 created 3576	4524	cmd.exe	30

Blocklisted process makes network request 53 IoCs

flow	pid	Process
13	4524	cmd.exe
14	4524	cmd.exe
15	4524	cmd.exe
16	4524	cmd.exe
17	4524	cmd.exe
18	4524	cmd.exe
19	4524	cmd.exe
20	4524	cmd.exe
21	4524	cmd.exe
22	4524	cmd.exe
23	4524	cmd.exe
25	4524	cmd.exe
29	4524	cmd.exe
30	4524	cmd.exe
31	4524	cmd.exe
32	4524	cmd.exe
33	4524	cmd.exe
34	4524	cmd.exe
35	4524	cmd.exe
36	4524	cmd.exe
37	4524	cmd.exe
38	4524	cmd.exe
39	4524	cmd.exe
40	4524	cmd.exe
41	4524	cmd.exe
42	4524	cmd.exe
43	4524	cmd.exe
44	4524	cmd.exe
45	4524	cmd.exe
46	4524	cmd.exe
47	4524	cmd.exe
48	4524	cmd.exe
49	4524	cmd.exe
50	4524	cmd.exe
77	4524	cmd.exe
78	4524	cmd.exe
79	4524	cmd.exe
81	4524	cmd.exe
82	4524	cmd.exe
83	4524	cmd.exe
84	4524	cmd.exe
88	4524	cmd.exe
89	4524	cmd.exe
90	4524	cmd.exe
91	4524	cmd.exe
92	4524	cmd.exe
93	4524	cmd.exe
94	4524	cmd.exe
95	4524	cmd.exe
96	4524	cmd.exe
97	4524	cmd.exe
98	4524	cmd.exe
99	4524	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cadhbef.lnk	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2912	windbg.exe
1668	Autoit3.exe

Loads dropped DLL 3 IoCs

pid	Process
3884	MsiExec.exe
2912	windbg.exe
3884	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4332	ICACLS.EXE
2756	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1668 set thread context of 4524	1668	Autoit3.exe	90

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e585a60.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5C25.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI722F.tmp	msiexec.exe
File created	C:\Windows\Installer\e585a60.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2B99EF3E-10B9-44A2-AA7C-FA01E82FF4F3}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI720F.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\DeviceDesc	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe

Modifies registry class 4 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2184424523-918736138-622003966-1000_Classes\Local Settings	OpenWith.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
652	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5040	msiexec.exe
5040	msiexec.exe
1668	Autoit3.exe
1668	Autoit3.exe
1668	Autoit3.exe
1668	Autoit3.exe
1668	Autoit3.exe
1668	Autoit3.exe
1668	Autoit3.exe
1668	Autoit3.exe
1668	Autoit3.exe
1668	Autoit3.exe
1668	Autoit3.exe
1668	Autoit3.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe
4524	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
4524	cmd.exe
5088	OpenWith.exe
660	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3236	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3236	msiexec.exe
Token: SeSecurityPrivilege	5040	msiexec.exe
Token: SeCreateTokenPrivilege	3236	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3236	msiexec.exe
Token: SeLockMemoryPrivilege	3236	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3236	msiexec.exe
Token: SeMachineAccountPrivilege	3236	msiexec.exe
Token: SeTcbPrivilege	3236	msiexec.exe
Token: SeSecurityPrivilege	3236	msiexec.exe
Token: SeTakeOwnershipPrivilege	3236	msiexec.exe
Token: SeLoadDriverPrivilege	3236	msiexec.exe
Token: SeSystemProfilePrivilege	3236	msiexec.exe
Token: SeSystemtimePrivilege	3236	msiexec.exe
Token: SeProfSingleProcessPrivilege	3236	msiexec.exe
Token: SeIncBasePriorityPrivilege	3236	msiexec.exe
Token: SeCreatePagefilePrivilege	3236	msiexec.exe
Token: SeCreatePermanentPrivilege	3236	msiexec.exe
Token: SeBackupPrivilege	3236	msiexec.exe
Token: SeRestorePrivilege	3236	msiexec.exe
Token: SeShutdownPrivilege	3236	msiexec.exe
Token: SeDebugPrivilege	3236	msiexec.exe
Token: SeAuditPrivilege	3236	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3236	msiexec.exe
Token: SeChangeNotifyPrivilege	3236	msiexec.exe
Token: SeRemoteShutdownPrivilege	3236	msiexec.exe
Token: SeUndockPrivilege	3236	msiexec.exe
Token: SeSyncAgentPrivilege	3236	msiexec.exe
Token: SeEnableDelegationPrivilege	3236	msiexec.exe
Token: SeManageVolumePrivilege	3236	msiexec.exe
Token: SeImpersonatePrivilege	3236	msiexec.exe
Token: SeCreateGlobalPrivilege	3236	msiexec.exe
Token: SeBackupPrivilege	1328	vssvc.exe
Token: SeRestorePrivilege	1328	vssvc.exe
Token: SeAuditPrivilege	1328	vssvc.exe
Token: SeBackupPrivilege	5040	msiexec.exe
Token: SeRestorePrivilege	5040	msiexec.exe
Token: SeRestorePrivilege	5040	msiexec.exe
Token: SeTakeOwnershipPrivilege	5040	msiexec.exe
Token: SeRestorePrivilege	5040	msiexec.exe
Token: SeTakeOwnershipPrivilege	5040	msiexec.exe
Token: SeRestorePrivilege	5040	msiexec.exe
Token: SeTakeOwnershipPrivilege	5040	msiexec.exe
Token: SeRestorePrivilege	5040	msiexec.exe
Token: SeTakeOwnershipPrivilege	5040	msiexec.exe
Token: SeBackupPrivilege	4068	srtasks.exe
Token: SeRestorePrivilege	4068	srtasks.exe
Token: SeSecurityPrivilege	4068	srtasks.exe
Token: SeTakeOwnershipPrivilege	4068	srtasks.exe
Token: SeBackupPrivilege	4068	srtasks.exe
Token: SeRestorePrivilege	4068	srtasks.exe
Token: SeSecurityPrivilege	4068	srtasks.exe
Token: SeTakeOwnershipPrivilege	4068	srtasks.exe
Token: SeDebugPrivilege	4520	firefox.exe
Token: SeDebugPrivilege	4520	firefox.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
3236	msiexec.exe
3236	msiexec.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4520	firefox.exe
4520	firefox.exe
4520	firefox.exe

Suspicious use of SetWindowsHookEx 39 IoCs

pid	Process
5088	OpenWith.exe
5088	OpenWith.exe
5088	OpenWith.exe
5088	OpenWith.exe
5088	OpenWith.exe
5088	OpenWith.exe
5088	OpenWith.exe
5088	OpenWith.exe
5088	OpenWith.exe
5088	OpenWith.exe
5088	OpenWith.exe
5088	OpenWith.exe
5088	OpenWith.exe
5088	OpenWith.exe
5088	OpenWith.exe
5088	OpenWith.exe
5088	OpenWith.exe
5088	OpenWith.exe
5088	OpenWith.exe
5088	OpenWith.exe
5088	OpenWith.exe
4520	firefox.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe
660	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5040 wrote to memory of 4068	5040	msiexec.exe	75
PID 5040 wrote to memory of 4068	5040	msiexec.exe	75
PID 5040 wrote to memory of 3884	5040	msiexec.exe	77
PID 5040 wrote to memory of 3884	5040	msiexec.exe	77
PID 5040 wrote to memory of 3884	5040	msiexec.exe	77
PID 3884 wrote to memory of 4332	3884	MsiExec.exe	78
PID 3884 wrote to memory of 4332	3884	MsiExec.exe	78
PID 3884 wrote to memory of 4332	3884	MsiExec.exe	78
PID 3884 wrote to memory of 4340	3884	MsiExec.exe	80
PID 3884 wrote to memory of 4340	3884	MsiExec.exe	80
PID 3884 wrote to memory of 4340	3884	MsiExec.exe	80
PID 3884 wrote to memory of 2912	3884	MsiExec.exe	82
PID 3884 wrote to memory of 2912	3884	MsiExec.exe	82
PID 3884 wrote to memory of 2912	3884	MsiExec.exe	82
PID 2912 wrote to memory of 1668	2912	windbg.exe	83
PID 2912 wrote to memory of 1668	2912	windbg.exe	83
PID 2912 wrote to memory of 1668	2912	windbg.exe	83
PID 3884 wrote to memory of 2756	3884	MsiExec.exe	84
PID 3884 wrote to memory of 2756	3884	MsiExec.exe	84
PID 3884 wrote to memory of 2756	3884	MsiExec.exe	84
PID 1668 wrote to memory of 4940	1668	Autoit3.exe	87
PID 1668 wrote to memory of 4940	1668	Autoit3.exe	87
PID 1668 wrote to memory of 4940	1668	Autoit3.exe	87
PID 4940 wrote to memory of 652	4940	cmd.exe	89
PID 4940 wrote to memory of 652	4940	cmd.exe	89
PID 4940 wrote to memory of 652	4940	cmd.exe	89
PID 1668 wrote to memory of 4524	1668	Autoit3.exe	90
PID 1668 wrote to memory of 4524	1668	Autoit3.exe	90
PID 1668 wrote to memory of 4524	1668	Autoit3.exe	90
PID 1668 wrote to memory of 4524	1668	Autoit3.exe	90
PID 1668 wrote to memory of 4524	1668	Autoit3.exe	90
PID 5088 wrote to memory of 3064	5088	OpenWith.exe	91
PID 5088 wrote to memory of 3064	5088	OpenWith.exe	91
PID 3064 wrote to memory of 4520	3064	firefox.exe	92
PID 3064 wrote to memory of 4520	3064	firefox.exe	92
PID 3064 wrote to memory of 4520	3064	firefox.exe	92
PID 3064 wrote to memory of 4520	3064	firefox.exe	92
PID 3064 wrote to memory of 4520	3064	firefox.exe	92
PID 3064 wrote to memory of 4520	3064	firefox.exe	92
PID 3064 wrote to memory of 4520	3064	firefox.exe	92
PID 3064 wrote to memory of 4520	3064	firefox.exe	92
PID 3064 wrote to memory of 4520	3064	firefox.exe	92
PID 3064 wrote to memory of 4520	3064	firefox.exe	92
PID 3064 wrote to memory of 4520	3064	firefox.exe	92
PID 4520 wrote to memory of 4320	4520	firefox.exe	93
PID 4520 wrote to memory of 4320	4520	firefox.exe	93
PID 4520 wrote to memory of 5020	4520	firefox.exe	94
PID 4520 wrote to memory of 5020	4520	firefox.exe	94
PID 4520 wrote to memory of 5020	4520	firefox.exe	94
PID 4520 wrote to memory of 5020	4520	firefox.exe	94
PID 4520 wrote to memory of 5020	4520	firefox.exe	94
PID 4520 wrote to memory of 5020	4520	firefox.exe	94
PID 4520 wrote to memory of 5020	4520	firefox.exe	94
PID 4520 wrote to memory of 5020	4520	firefox.exe	94
PID 4520 wrote to memory of 5020	4520	firefox.exe	94
PID 4520 wrote to memory of 5020	4520	firefox.exe	94
PID 4520 wrote to memory of 5020	4520	firefox.exe	94
PID 4520 wrote to memory of 5020	4520	firefox.exe	94
PID 4520 wrote to memory of 5020	4520	firefox.exe	94
PID 4520 wrote to memory of 5020	4520	firefox.exe	94
PID 4520 wrote to memory of 5020	4520	firefox.exe	94
PID 4520 wrote to memory of 5020	4520	firefox.exe	94
PID 4520 wrote to memory of 5020	4520	firefox.exe	94
PID 4520 wrote to memory of 5020	4520	firefox.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2836

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3560

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
PID:784

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
PID:356

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1596

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3852

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3576

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3236

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2900

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2824

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5040
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4068
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 35F5E96030EE9C40D1B16D63A2E34561
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:4332
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:4340
- - C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - \??\c:\tmpa\Autoit3.exe
      c:\tmpa\Autoit3.exe c:\tmpa\script.au3
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1668
    - - \??\c:\windows\SysWOW64\cmd.exe
        
        "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 & del /q /f c:\tmpa\* & rmdir /s /q c:\tmpa\ exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4940
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:4260
      - \??\c:\windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:652
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Blocklisted process makes network request
        Drops startup file
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:4524
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:2756

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:1244

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5088
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\data.bin"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\data.bin
    3⤵
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.0.1788951793\1397472502" -parentBuildID 20221007134813 -prefsHandle 1700 -prefMapHandle 1692 -prefsLen 20936 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b6f4e77c-70f5-4e9e-a04f-13380af675ce} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 1780 18eb40d6e58 gpu
      4⤵
      PID:4320
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.1.91239398\80626073" -parentBuildID 20221007134813 -prefsHandle 2144 -prefMapHandle 2140 -prefsLen 21797 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a43529f0-048b-4b5b-806f-62f1bd270e61} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 2156 18eb3ffce58 socket
      4⤵
      Checks processor information in registry
      PID:5020
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.2.958765279\392146621" -childID 1 -isForBrowser -prefsHandle 3064 -prefMapHandle 3060 -prefsLen 21900 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {85e7bf54-b168-4c9d-94aa-caeefdf19e69} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 3080 18eb7ee1e58 tab
      4⤵
      PID:2976
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.3.2120229620\1516054870" -childID 2 -isForBrowser -prefsHandle 3484 -prefMapHandle 3460 -prefsLen 26480 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {683c01cc-debe-4100-8871-ab7b426f4a8d} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 3500 18ea9065b58 tab
      4⤵
      PID:2668
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.4.1897925715\1990247681" -childID 3 -isForBrowser -prefsHandle 4788 -prefMapHandle 4804 -prefsLen 26795 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {577aea82-03c6-4018-90d8-bac16837defe} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 4764 18eba687358 tab
      4⤵
      PID:4348
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.6.948677586\916890056" -childID 5 -isForBrowser -prefsHandle 5160 -prefMapHandle 5164 -prefsLen 26795 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9383b0c0-eb9a-46fb-b864-c71321b5261f} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 5148 18ebb10fe58 tab
      4⤵
      PID:4668
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4520.5.1041537351\555661060" -childID 4 -isForBrowser -prefsHandle 4956 -prefMapHandle 4960 -prefsLen 26795 -prefMapSize 232675 -jsInitHandle 1276 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e3daa12-e10f-481c-b490-b460c2fbb0b4} 4520 "\\.\pipe\gecko-crash-server-pipe.4520" 4948 18ebb10f558 tab
      4⤵
      PID:1792

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:660
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\data.bin
  2⤵
  PID:4844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\fhafchh\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\fhafchh\hhhcede\hckffda

Filesize
170B

MD5
b283326419ac4d0ac8eaaddd8bd2b86c

SHA1
a29dc705e56f939388ebcf11d6f45a787f0779bc

SHA256
947c7a0e8d345cc0fcdfa98715448148397796fcf03b70d7a619f7b4a9705d72

SHA512
e9e40406a73f12fcdf780ef26076b7597fa7fcbd6c66f5d6e2b5c4e96e2f8bd5ead3a0dc7dba29d5ecc27f2af07ade955cc1fa390bdfd6f58362a2719f79c37a

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\u5fl9cze.default-release\activity-stream.discovery_stream.json.tmp

Filesize
21KB

MD5
4b2030def192fa9e9e40723d88a28f57

SHA1
c2765b2f897d3f1cb879f16be796efee6bd24275

SHA256
e758088ebafbade5718edcd9f7d9860680cead0d3b1f068af6443c3730661c2d

SHA512
2bedf09efeed27e16f67a85b8a490d99fbc044ab3085318b50ac8f375157dec902e56c190e7a4dbbdf0c2ee4acb8c94ede22792d75cb7aa7d249fbfd59a055af

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files.cab

Filesize
8.9MB

MD5
3a4de3260c72e38f814cc2a7b2d42df7

SHA1
19458fb6838dd9d8be113b0b9983c7d77c12eb25

SHA256
411776c8e92afa462d734d14b7c569341442e5d7726009e80eaa497b5e09deb7

SHA512
3493664ecdb50d0c0d4f2646aabdd24a20fb435f4799af96f95f625aa983842c1baf7977956964d77d5b344c9e2551d60f007230838bc7a82bc40a2c9714cc0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\00001-337121377.png

Filesize
1.1MB

MD5
fd49f38e666f94abdbd9cc0bb842c29b

SHA1
36a00401a015d0719787d5a65c86784760ee93ff

SHA256
1f5620bf07b2c25dd18fea78288c48fb2f7b5f0a5cfc1ee6c8d8dbf6029c442f

SHA512
2fc40f776e84574f915e418c4b946097234faceb9902239015d2b80e683fe61d623035644055dddb6f7b92160b3c8663795f8a27bf16c5b137c7053cc9f4f612

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\00002-337121378.png

Filesize
1.0MB

MD5
f68d2ca13e1268dd79e95591b976ec45

SHA1
588454301e3c25065349740573282145aa0a5c7b

SHA256
af008f94fe42c29b1c7da7abe02e5edaaf9b89b1c8383e646ccfc8e0e7a66460

SHA512
a34b648c8453df91b88d7143237e5decf84a979bfe19a98ae5cff2d37081683236502ad2f62b585409cefae98da89e92acfc8665af40d3f7c9ece4c90e32ebae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\00003-337121379.png

Filesize
1.1MB

MD5
7dbe5e4b98d7601585cfb9697f265e0f

SHA1
da8477a2494b1436664c535d7c854bf778942a76

SHA256
c3c4c040c61bbf8432d4450e34b7101110de26e5e4671736d64535b06189a288

SHA512
38e8d0e103096fee998aae33179ad15eee50acc57236bb75bf115f99bd7fa1e1d5fe386ab9a3adcced910f5114c36459c06b55b2218e8020832066eea3755d9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\00004-337121380.png

Filesize
1.0MB

MD5
85da5b7fd4b6983fffe78853c5276c03

SHA1
49a68d92beabfdfce7b2939f35a7b3e4bdc2bc96

SHA256
ff2a43f449bf81510c74eee9cd867bef4226c9c909b698e636ca8c56135d57ba

SHA512
c1d19bde8f9d434e29322edb8ac8892a475385bf97b5afd2f655175f1da6ce3ebc9df196585f3ea6a2a1755a1ec0fba2b60f203408ceebbea7801f4d1ab92f5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\00005-337121381.png

Filesize
1.0MB

MD5
602b44b5e0a94c61c7ae501966eb4fd5

SHA1
853f5c83bedd4523cb72ca127cc6c269ac99e2d9

SHA256
2e3feac0a21a7fa351458ef1fed86f6f7a282c15fbc7f21cac29f874db9da4f3

SHA512
e7fe6c8965a35faecb3ab7bf6a3f8ed7a58aba891c5d5a2addec6aeda4a6790cef78a7874a386d89327d6bcb1e90ad376444d37d44fd0c604d6905dbd7ac6c97

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\00007-337121383.png

Filesize
1.1MB

MD5
9a40cf65a81a8f618a4f562e2494a557

SHA1
3b06e119cc017bbe99c06906779f40f2d04b08ad

SHA256
087b59e3bfe212a96303f20122e9b9636753956fedaf2e1c8336e2e08c39f4e6

SHA512
745722fdeeb9d5f9011825d4826fb3c7c0fdeb0751a156a396b537c458854c376aac60a4709036ebf78e6d2d27cfeb302ef52ecfb1bfa3a6c238240d98839920

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\00008-337121384.png

Filesize
1.1MB

MD5
452b0afd9436be767a0ee61e98ef0356

SHA1
736f12f84f8af0bd04f5b207f31cba8dd359ae03

SHA256
0348e5297e8040b2cc3e83e2c6edf6ccbfa122af0b3880ebd079c0dda3286c9a

SHA512
2fc4deaadd35f691aca0af4fb2e36201a2f68e7f7dcda9fe4da01d0b72c4cb8e448ca69d90d1cb230abfc2dc795ff785c1a1b2e95b5ab8fc0833d86013660338

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\data.bin

Filesize
92KB

MD5
8b305b67e45165844d2f8547a085d782

SHA1
92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722

SHA256
776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b

SHA512
2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\data2.bin

Filesize
1.8MB

MD5
7673659bf664bd45a6f3c38b7d1c25d3

SHA1
a9b40ab4590b77887417ec33ecd061c98490176a

SHA256
41339e85c54f960b04039fd47df735c5ce78d99ede511364c8c8c2ad81f38c7d

SHA512
14ca50e20b3830765e8f116fc48ea49faabf3e7ede9f8768d5d0e70803d466ef506fe953f53057eb7e2f78009029d87b780c78127e1026b161bb095bf8c4ab24

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\dataPicture.jpg

Filesize
159KB

MD5
008b295295c49c6d07161baff5f7212b

SHA1
f89d13817531957967be21327c8180a35960d04d

SHA256
9f42965324b20db9ad4b9ab00217eade01e6978d9e68d03669adbe9a9fe66134

SHA512
6d8aae2cca7f283c0b850236763a0cb51947053b50758e4be7515ce76fc4e47876e6478e08934922e57ba9646e2fe35be23369617b7904038eee452ba363495e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\dbgeng.dll

Filesize
542KB

MD5
a1defa998f5984c7819cffd68664e00a

SHA1
9b0b17a2d660a2a51c8188186f394f8fe1650552

SHA256
abbb1d098f8ee24b0881278bee4228a59bb021242aba16af593c944c489e829f

SHA512
792ef593f78ffc453500f413640dee030bcf2bdd383697b01dc343f5e02e2b0f31b75ad68860fd7cfcae355e450e0d532ba99d1a912de7b47ced76fbc68fea24

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\msiwrapper.ini

Filesize
1KB

MD5
8786a7ca19c14dbe1fc4572cf2c32142

SHA1
529266d037d32ebb7838222adb1d0166c2ab74fc

SHA256
c01b1425027365dbee426c05b3d88647b0f60391608059881ecd2e9e06a2bc75

SHA512
8eab1db52b63e14f8af9c1f83f3c212f2cc7257c14772d82a5b582b3b3dad708ccf209459fcfa824ce8114348a9401c54aa308cd3d79a192af9178183353245a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\msiwrapper.ini

Filesize
1KB

MD5
b101cdc25f827394a2af871c6bb0f70f

SHA1
3af1b6332be1adfe60c3e1cda9dd2470f6e0ac33

SHA256
d57bf057ce24d5a4bc4d29530cf58fc77e4cfa0238c9e91a6969898f8184b2d5

SHA512
d5fcf0b73d09341ccd27f5f6daac20578d530db5901f2f9158827e23381ddb26b92c81d3267d4830c7428ffb9778d5cac5ac7dd84a8b0bdcda5021c1f88b9b74

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\msiwrapper.ini

Filesize
1KB

MD5
b101cdc25f827394a2af871c6bb0f70f

SHA1
3af1b6332be1adfe60c3e1cda9dd2470f6e0ac33

SHA256
d57bf057ce24d5a4bc4d29530cf58fc77e4cfa0238c9e91a6969898f8184b2d5

SHA512
d5fcf0b73d09341ccd27f5f6daac20578d530db5901f2f9158827e23381ddb26b92c81d3267d4830c7428ffb9778d5cac5ac7dd84a8b0bdcda5021c1f88b9b74

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u5fl9cze.default-release\prefs-1.js

Filesize
6KB

MD5
4d15aecb674199a6a8fc98dfc35289f7

SHA1
dbf51639a77ddfd78b77a430f7493b351838d633

SHA256
a61059e1c44c929cc6f7b44fb521388e1f4209301d22ade1e62755cc2ffcf8c1

SHA512
3d2fd5372d6d9c9d635921edb9fd556867049bc4b6ed4850669fcc398a74f90c16277ca276eb5923283733179c080b9c8e2ba5e7ce2ff665e4ee52bc87cad44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u5fl9cze.default-release\sessionCheckpoints.json.tmp

Filesize
259B

MD5
e6c20f53d6714067f2b49d0e9ba8030e

SHA1
f516dc1084cdd8302b3e7f7167b905e603b6f04f

SHA256
50a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092

SHA512
462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\u5fl9cze.default-release\sessionstore.jsonlz4

Filesize
648B

MD5
8718a370592f2d72642d804b1a19f99f

SHA1
affa7cbe2e852fe2e031bb738afad81078cef280

SHA256
d1bc8297593e289dc38e0b3135b95670db4780ab7722540246f6fb104d3e736d

SHA512
fe50fbf0af96ea44ef55776a03c1ed366cdfc81d1c9c466164fc2e9caafc898fd8056db58496c6d8d867be732a1dc0b5e04b752801d812967d8b46beb1fa3cbc

Download Submit
C:\Users\Admin\Downloads\YEJWjhjm.bin.part

Filesize
92KB

MD5
8b305b67e45165844d2f8547a085d782

SHA1
92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722

SHA256
776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b

SHA512
2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

Download Submit
C:\Windows\Installer\MSI5C25.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI722F.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
25.0MB

MD5
e72ab68ff7c3427ba7d5bd4f1d5728cc

SHA1
c3cdd37f1156163173290dea66f7be146a0df92a

SHA256
c609a7afbfa7d8c4bfe4f617e81e5a4d3d0b86e0b2656d86f7ad9b2ec6d12338

SHA512
87a7070a5e875b3d28339128ef0e246c922a98f81557134f2bdc26f761fbb76012c6571e30d05c10a3c84697af69c4feb75983855bb883a3ff73da0600df8f70

Download Submit
\??\Volume{ee705b7c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{66e5c5ad-4394-487c-8863-5b93f3143523}_OnDiskSnapshotProp

Filesize
5KB

MD5
6209ecb15380c1ff8cd243111f999dd0

SHA1
e3828da0cbf4c8b5cea35e05e53e691669b05223

SHA256
0ffdbd73600e4f8d0832e42b3a986baf73e6af6dc12049af3fc756b1dabe06fb

SHA512
4de47b05d571c6b683c38e16d8553809651ae1d92db848ca7f6428b23741a2244eaa5614bcd1d6e1238a72ded408651da7cf4622d54d5fdde9f4579d23108c6b

Download Submit
\??\c:\temp\kefhfbh.au3

Filesize
490KB

MD5
e6c14274f52c3de09b65c182807d6fe9

SHA1
5bd19f63092e62a0071af3bf031bea6fc8071cc8

SHA256
5fde42453eb2e4f1eef7cec5667093bd52d4712bffef4e383f154286b7ee9aa9

SHA512
7aa121c8d0d6f979c960882cd72a6c4766535bb277879b5040723fce3e206cc64df5c8438d5fe05e219796be4795cf25aacd13e91d8e0e24a58a17bd07f0ec4e

Download Submit
\??\c:\tmpa\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\tmpa\script.au3

Filesize
490KB

MD5
e6c14274f52c3de09b65c182807d6fe9

SHA1
5bd19f63092e62a0071af3bf031bea6fc8071cc8

SHA256
5fde42453eb2e4f1eef7cec5667093bd52d4712bffef4e383f154286b7ee9aa9

SHA512
7aa121c8d0d6f979c960882cd72a6c4766535bb277879b5040723fce3e206cc64df5c8438d5fe05e219796be4795cf25aacd13e91d8e0e24a58a17bd07f0ec4e

Download Submit
\Users\Admin\AppData\Local\Temp\MW-1b6427ca-e145-43f1-90df-6918311f254d\files\dbgeng.dll

Filesize
542KB

MD5
a1defa998f5984c7819cffd68664e00a

SHA1
9b0b17a2d660a2a51c8188186f394f8fe1650552

SHA256
abbb1d098f8ee24b0881278bee4228a59bb021242aba16af593c944c489e829f

SHA512
792ef593f78ffc453500f413640dee030bcf2bdd383697b01dc343f5e02e2b0f31b75ad68860fd7cfcae355e450e0d532ba99d1a912de7b47ced76fbc68fea24

Download Submit
\Windows\Installer\MSI5C25.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\Windows\Installer\MSI722F.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
memory/1668-155-0x00000000042D0000-0x00000000045FA000-memory.dmp

Filesize
3.2MB

Download
memory/1668-147-0x00000000042D0000-0x00000000045FA000-memory.dmp

Filesize
3.2MB

Download
memory/1668-132-0x00000000042D0000-0x00000000045FA000-memory.dmp

Filesize
3.2MB

Download
memory/1668-146-0x00000000042D0000-0x00000000045FA000-memory.dmp

Filesize
3.2MB

Download
memory/1668-149-0x00000000042D0000-0x00000000045FA000-memory.dmp

Filesize
3.2MB

Download
memory/1668-130-0x00000000014C0000-0x00000000018C0000-memory.dmp

Filesize
4.0MB

Download
memory/1668-148-0x00000000042D0000-0x00000000045FA000-memory.dmp

Filesize
3.2MB

Download
memory/2912-117-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download
memory/2912-112-0x0000000005440000-0x0000000005540000-memory.dmp

Filesize
1024KB

Download
memory/4524-178-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-205-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-173-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-174-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-175-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-176-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-177-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-166-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-179-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-180-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-181-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-182-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-183-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-187-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-188-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-189-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-190-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-191-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-192-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-195-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-196-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-197-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-198-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-199-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-200-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-201-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-202-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-203-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-204-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-172-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-206-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-207-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-208-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-209-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-210-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-211-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-212-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-213-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-214-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-215-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-216-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-218-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-219-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-221-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-165-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-159-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-263-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-262-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-268-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-269-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-273-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-274-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-275-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-276-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-287-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-305-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-158-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-157-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-153-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4524-340-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download