Malware Analysis Report

2024-11-15 07:17

Sample ID 231111-mfb3aaed46
Target NEAS.8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.msi
SHA256 8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7
Tags
darkgate user_871236672 discovery stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7

Threat Level: Known bad

The file NEAS.8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.msi was found to be: Known bad.

Malicious Activity Summary

darkgate user_871236672 discovery stealer

DarkGate

Loads dropped DLL

Executes dropped EXE

Modifies file permissions

Enumerates connected drives

Drops file in Windows directory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Checks processor information in registry

Modifies data under HKEY_USERS

Suspicious use of FindShellTrayWindow

Checks SCSI registry key(s)

Uses Volume Shadow Copy service COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-11-11 10:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-11-11 10:24

Reported

2023-11-11 10:26

Platform

win7-20231020-en

Max time kernel

119s

Max time network

122s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NEAS.8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.msi

Signatures

DarkGate

stealer darkgate

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\windbg.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\f76b397.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIB673.tmp C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DPX\setupact.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A
File created C:\Windows\Installer\f76b396.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\f76b396.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Logs\DPX\setuperr.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\Installer\f76b397.ipi C:\Windows\system32\msiexec.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\tmpa\Autoit3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\tmpa\Autoit3.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1496 wrote to memory of 552 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1496 wrote to memory of 552 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1496 wrote to memory of 552 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1496 wrote to memory of 552 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1496 wrote to memory of 552 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1496 wrote to memory of 552 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 1496 wrote to memory of 552 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 552 wrote to memory of 1056 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 552 wrote to memory of 1056 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 552 wrote to memory of 1056 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 552 wrote to memory of 1056 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 552 wrote to memory of 2248 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 552 wrote to memory of 2248 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 552 wrote to memory of 2248 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 552 wrote to memory of 2248 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 552 wrote to memory of 1580 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\windbg.exe
PID 552 wrote to memory of 1580 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\windbg.exe
PID 552 wrote to memory of 1580 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\windbg.exe
PID 552 wrote to memory of 1580 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\windbg.exe
PID 552 wrote to memory of 1580 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\windbg.exe
PID 552 wrote to memory of 1580 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\windbg.exe
PID 552 wrote to memory of 1580 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\windbg.exe
PID 1580 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 1580 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 1580 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 1580 wrote to memory of 1216 N/A C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 552 wrote to memory of 2052 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 552 wrote to memory of 2052 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 552 wrote to memory of 2052 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 552 wrote to memory of 2052 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\cmd.exe
PID 552 wrote to memory of 2816 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 552 wrote to memory of 2816 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 552 wrote to memory of 2816 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 552 wrote to memory of 2816 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NEAS.8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000002C4" "0000000000000584"

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding 2EFC7DDB1B15A0CFF1E9DCD0CD0E2724

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

C:\Windows\SysWOW64\EXPAND.EXE

"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files

C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\windbg.exe

"C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\windbg.exe"

\??\c:\tmpa\Autoit3.exe

c:\tmpa\Autoit3.exe c:\tmpa\script.au3

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files"

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\." /SETINTEGRITYLEVEL (CI)(OI)LOW

Network

N/A

Files

C:\Windows\Installer\MSIB673.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

\Windows\Installer\MSIB673.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\msiwrapper.ini

MD5 1decd4a46d87b55d0a19e894baa9a01e
SHA1 270e76dc6aa4e5c7221ef88f82e5f1737e5589e3
SHA256 635e49923a886bb435aa23d6c0ef843c8103ed6dbc99075a8c4b7008d8992caf
SHA512 667128ee7a0608b0555bc128d514cc536a340a3131ab7cf42e944927cbb58b740086b399f547a80d79d2d30688c1ccffed23703cdd9db64a394dbe6b2de01b18

C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\msiwrapper.ini

MD5 001d63fa55c3ed60e2e93ac65f761631
SHA1 b4ae3088abca4a2fb078f506f9fc712c7d367dd6
SHA256 f71e21d09a43a4ba4f3fe83ef2043d6c35f38dc5fa9da80c0ffdded92b64aef9
SHA512 de99e03fa4429ed4bc7343bbf336e77ba4ff5bcfb1cc028d37313eaa64285be22a4e974c634ae96cb50885c92f1ceab80f80947d540c3789924861c5aa9d54d4

C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\msiwrapper.ini

MD5 001d63fa55c3ed60e2e93ac65f761631
SHA1 b4ae3088abca4a2fb078f506f9fc712c7d367dd6
SHA256 f71e21d09a43a4ba4f3fe83ef2043d6c35f38dc5fa9da80c0ffdded92b64aef9
SHA512 de99e03fa4429ed4bc7343bbf336e77ba4ff5bcfb1cc028d37313eaa64285be22a4e974c634ae96cb50885c92f1ceab80f80947d540c3789924861c5aa9d54d4

C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files.cab

MD5 c2861c23df5ad7a31c8ae622dc87f867
SHA1 0c50bc37cbf26c1e91f34b4a617f7ad663c78b13
SHA256 beee92357f4f194dcb2dda5b751939cb7218a090cdf05266c24ba52fcf51f013
SHA512 81d756790c8b2c9c3c8ef487968a977cd630bbcd7aa809519fc7358643981b6025556443de2672e9b6d5f8b43611ff771b8a36f99003985aaa068105585a4eb3

C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\dbgeng.dll

MD5 ed7798f01f00f2ce332053e85b73d512
SHA1 9dcbe0d54f61a0d5acda7e18dc47a247f598edd4
SHA256 b4401b1eae7f8a6c8bef9ba12daab302e41d25f5b8eff4b1a94bca0fc7990942
SHA512 9ce56059b2866cbb4662683bfa20565fead108dc4807ea095aeb6d4a86a6b47f6e2d6c7129097e5bf80b10a311217d0e3f75f65e3aa0058648a18faf92641bee

\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\dbgeng.dll

MD5 ed7798f01f00f2ce332053e85b73d512
SHA1 9dcbe0d54f61a0d5acda7e18dc47a247f598edd4
SHA256 b4401b1eae7f8a6c8bef9ba12daab302e41d25f5b8eff4b1a94bca0fc7990942
SHA512 9ce56059b2866cbb4662683bfa20565fead108dc4807ea095aeb6d4a86a6b47f6e2d6c7129097e5bf80b10a311217d0e3f75f65e3aa0058648a18faf92641bee

C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\data.bin

MD5 bb8c7df11b277155036fd6f62110d818
SHA1 c7f7413f4e525822be37b33817a1755a04fec4e8
SHA256 742f8df79f6dd2bd16d00d7235f655b32b687886cda485808d1c1762ba44336a
SHA512 a568949fcef56f0db85c5f452b345f4912c8ce9435915b9380b21f97bebbcc0961e9739b8c62fa5181d527e1852c72e3bd947a56dddb0a3031c6f2c9d67e1b1d

memory/1580-96-0x0000000000A70000-0x0000000000AFA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\data2.bin

MD5 148787dfd8c9b0d3c0681f0a984cbcf0
SHA1 0456d2fd54da6e9eaa239b9620efcf17c9cf95c5
SHA256 4f1c84df725ddff0403f24080baff45abc06a1191b43c00f9847d791b7b79488
SHA512 e0e4c8fc3953e48f253f3b762f6df6ec7bce0067e6f867eb1e8e5b3921ea7eada1993f8a173ae7f29103927b4e339374425b9f2a729da075fa142a8b5440e830

\tmpa\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

C:\tmpa\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/1580-103-0x0000000000400000-0x0000000000600000-memory.dmp

memory/1580-104-0x0000000000A70000-0x0000000000AFA000-memory.dmp

\??\c:\tmpa\script.au3

MD5 74de66e9523816a5b1dfbdb31b56cb3b
SHA1 9b0bd88932223c819d2c10d5739abdaf4f1a3cec
SHA256 91323b304dead6738f2652334e01bc2219751ea749501cf53f2f04573cd7cdd2
SHA512 21da2c017084db3e74447dd95478b4984a99494b8792ebde07fee9ed3c9114abe3491532bb89da47736098de8aa0e76e8313a28e26dca581f284fcc5b2e1df5a

memory/1216-113-0x00000000036F0000-0x0000000003885000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\00007-~1.PNG

MD5 94b4895b7b8a60481393b7b8c22ad742
SHA1 902796c4aee78ab74e7ba5004625d797d83a8787
SHA256 f449409c8747d8e73ac7f8539c6e26d526ef51d267fed40eadce138389db5973
SHA512 d1ed6f5a1920eca041a683d71ac562058bc513877e3ae8be18888797d0713e25964c610428f9474d9b539097441002275e1f0023a565bd205cd4153ac282b61e

C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\00006-~1.PNG

MD5 173a98c6c7a166db7c3caa3a06fec06c
SHA1 3c562051f42353e72ba87b6f54744f6d0107df86
SHA256 212a80b3f8e68d00dbd8fc55fc8c4b30ee996348262d5d37e8b3f431a4b2fdad
SHA512 9dcd341937eff32762767d3538499d211f5a50fddb4e83d5d1afbeb87a5420c1fb9952ef2ecc744c460b7d53baa2bffbe99087a9f794d25ba78d1af61ea8b54d

memory/1216-114-0x0000000002F80000-0x0000000003380000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\00005-~1.PNG

MD5 dee56d4f89c71ea6c4f1e75b82f2e9c9
SHA1 293ce531cddbf4034782d5dfed1e35c807d75c52
SHA256 a8f1ffb62d49d35a0f838f358614333e3d5d68ce5409fdfefcd1aa218d4639cf
SHA512 e8c38dc1d7a49d9cb919eae5294cc64379a933cdbd5427ed38c5f915271655f9bd6363e131f9d8a74ffdda23c7b155cc5200ddf999339ea611b98e74355faa0c

C:\Users\Admin\AppData\Local\Temp\MW-289908f3-fa11-477c-acbb-9e984ed9847f\files\00004-~1.PNG

MD5 2ccc17c1a5bb5e656e7f3bb09ff0beff
SHA1 05866cf7dd5fa99ea852b01c2791b30e7741ea19
SHA256 411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2
SHA512 46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5

memory/1216-118-0x0000000002F80000-0x0000000003380000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-11-11 10:24

Reported

2023-11-11 10:26

Platform

win10v2004-20231023-en

Max time kernel

138s

Max time network

147s

Command Line

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NEAS.8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.msi

Signatures

DarkGate

stealer darkgate

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\files\windbg.exe N/A
N/A N/A \??\c:\tmpa\Autoit3.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A
N/A N/A C:\Windows\SysWOW64\ICACLS.EXE N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\K: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\J: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Z: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\W: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\M: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\O: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\R: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\P: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\L: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Q: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\G: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\Y: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\H: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\E: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\T: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\X: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\U: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\V: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\I: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\N: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\A: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\B: C:\Windows\system32\msiexec.exe N/A
File opened (read-only) \??\S: C:\Windows\system32\msiexec.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\LOGS\DPX\setupact.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\Installer\MSI2C67.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\e590565.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\e590565.msi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\SourceHash{3D6CC9D9-208A-4C2E-8054-F677C4EFB216} C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\ C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\Installer\MSIAD4.tmp C:\Windows\system32\msiexec.exe N/A
File created C:\Windows\Installer\inprogressinstallinfo.ipi C:\Windows\system32\msiexec.exe N/A
File opened for modification C:\Windows\LOGS\DPX\setuperr.log C:\Windows\SysWOW64\EXPAND.EXE N/A
File opened for modification C:\Windows\Installer\MSI2C37.tmp C:\Windows\system32\msiexec.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000064ad0c2742b1dab0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000064ad0c20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900064ad0c2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d064ad0c2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000064ad0c200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 \??\c:\tmpa\Autoit3.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString \??\c:\tmpa\Autoit3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAssignPrimaryTokenPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLockMemoryPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeMachineAccountPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreatePermanentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeSyncAgentPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeEnableDelegationPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\msiexec.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\msiexec.exe N/A
N/A N/A C:\Windows\system32\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2420 wrote to memory of 2324 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2420 wrote to memory of 2324 N/A C:\Windows\system32\msiexec.exe C:\Windows\system32\srtasks.exe
PID 2420 wrote to memory of 640 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2420 wrote to memory of 640 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 2420 wrote to memory of 640 N/A C:\Windows\system32\msiexec.exe C:\Windows\syswow64\MsiExec.exe
PID 640 wrote to memory of 3420 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 640 wrote to memory of 3420 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 640 wrote to memory of 3420 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 640 wrote to memory of 5064 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 640 wrote to memory of 5064 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 640 wrote to memory of 5064 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\EXPAND.EXE
PID 640 wrote to memory of 2204 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\files\windbg.exe
PID 640 wrote to memory of 2204 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\files\windbg.exe
PID 640 wrote to memory of 2204 N/A C:\Windows\syswow64\MsiExec.exe C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\files\windbg.exe
PID 2204 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 2204 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 2204 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\files\windbg.exe \??\c:\tmpa\Autoit3.exe
PID 640 wrote to memory of 2556 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 640 wrote to memory of 2556 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE
PID 640 wrote to memory of 2556 N/A C:\Windows\syswow64\MsiExec.exe C:\Windows\SysWOW64\ICACLS.EXE

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\msiexec.exe

msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NEAS.8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7.msi

C:\Windows\system32\msiexec.exe

C:\Windows\system32\msiexec.exe /V

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

C:\Windows\syswow64\MsiExec.exe

C:\Windows\syswow64\MsiExec.exe -Embedding D1A9BFB593D9087A1A7F9F3546CBC201

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\." /SETINTEGRITYLEVEL (CI)(OI)HIGH

C:\Windows\SysWOW64\EXPAND.EXE

"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files

C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\files\windbg.exe

"C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\files\windbg.exe"

\??\c:\tmpa\Autoit3.exe

c:\tmpa\Autoit3.exe c:\tmpa\script.au3

C:\Windows\SysWOW64\ICACLS.EXE

"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\." /SETINTEGRITYLEVEL (CI)(OI)LOW

Network

Country Destination Domain Proto
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 198.1.85.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 254.111.26.67.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 183.2.85.104.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp

Files

\??\Volume{c2d04a06-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{532a523a-ff42-4412-ab21-33c6b440fad9}_OnDiskSnapshotProp

MD5 21cffe5a4ab0639eca91b79e569a3097
SHA1 fefd30c39f5d9ee26c951c7d390da946bc00bd76
SHA256 08083997df41dcc53fce39cbd7471fff65f79b26a2c074e74e546138a29da14e
SHA512 acf8e99ee12bbe68e9c6eefdd90ce0057156ca30dd92abf1e9b72ad11eff756cffa6eb23055fddeaa721fa603896815ec0437c3e0197d45081e334d88cfd0d02

\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

MD5 c5612342b515f603630660c763d7027a
SHA1 e7647beaa2892c560c4f58bab09c7be3588cbdea
SHA256 793a3c3a9d5f6123a3bc3c9d6f6c6d134e58a7df4a472ee8a65ee888489f93b2
SHA512 0e9a0e49a1f9f671d9a92ec766ee0ee662dd054d28fdf2ff83cc699e685555f109b7705f3bd8cda41312609e1c76c670baf75eba2e72183ac373a27176ec2748

C:\Windows\Installer\MSIAD4.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

C:\Windows\Installer\MSIAD4.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\msiwrapper.ini

MD5 e13a6f6221c3b4b629881ff0744bdfd6
SHA1 bf5f68b418125304f6e913dcf9776081a6873e33
SHA256 47acf3aaa53095e27ee8d86641536d4ba7e5ee9b05d8fc8d90938b72164b7563
SHA512 553743884779218f1ce834afc52eee36636d957f1018a052f1aa32227004f5a3bbf2a1bea963874fdf7de636e9a49b05be2e7e792ee7104df47d33116a3bf8de

C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\msiwrapper.ini

MD5 5f26d8c7b5dec69ce42a98a49c865804
SHA1 353d4434bf522492f768fcf58b4faa7e8ae1b0ce
SHA256 59c511b09449a5e96b1d395d0a0e7266fb151306f165a875c97985ff5f806716
SHA512 38e70e56a55444191caa1fcde1af8a30662dcff2eb4b874ee18e9dadecab6e47a26e570a7cf2a5baec71aad2311687fa3b61966f8224e61755fd4272e63dd8ba

C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\files.cab

MD5 c2861c23df5ad7a31c8ae622dc87f867
SHA1 0c50bc37cbf26c1e91f34b4a617f7ad663c78b13
SHA256 beee92357f4f194dcb2dda5b751939cb7218a090cdf05266c24ba52fcf51f013
SHA512 81d756790c8b2c9c3c8ef487968a977cd630bbcd7aa809519fc7358643981b6025556443de2672e9b6d5f8b43611ff771b8a36f99003985aaa068105585a4eb3

C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\msiwrapper.ini

MD5 5f26d8c7b5dec69ce42a98a49c865804
SHA1 353d4434bf522492f768fcf58b4faa7e8ae1b0ce
SHA256 59c511b09449a5e96b1d395d0a0e7266fb151306f165a875c97985ff5f806716
SHA512 38e70e56a55444191caa1fcde1af8a30662dcff2eb4b874ee18e9dadecab6e47a26e570a7cf2a5baec71aad2311687fa3b61966f8224e61755fd4272e63dd8ba

C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\files\windbg.exe

MD5 04ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA1 58dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256 bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA512 5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\files\dbgeng.dll

MD5 ed7798f01f00f2ce332053e85b73d512
SHA1 9dcbe0d54f61a0d5acda7e18dc47a247f598edd4
SHA256 b4401b1eae7f8a6c8bef9ba12daab302e41d25f5b8eff4b1a94bca0fc7990942
SHA512 9ce56059b2866cbb4662683bfa20565fead108dc4807ea095aeb6d4a86a6b47f6e2d6c7129097e5bf80b10a311217d0e3f75f65e3aa0058648a18faf92641bee

memory/2204-97-0x0000000000C50000-0x0000000000E50000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\files\dbgeng.dll

MD5 ed7798f01f00f2ce332053e85b73d512
SHA1 9dcbe0d54f61a0d5acda7e18dc47a247f598edd4
SHA256 b4401b1eae7f8a6c8bef9ba12daab302e41d25f5b8eff4b1a94bca0fc7990942
SHA512 9ce56059b2866cbb4662683bfa20565fead108dc4807ea095aeb6d4a86a6b47f6e2d6c7129097e5bf80b10a311217d0e3f75f65e3aa0058648a18faf92641bee

C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\files\dbgeng.dll

MD5 ed7798f01f00f2ce332053e85b73d512
SHA1 9dcbe0d54f61a0d5acda7e18dc47a247f598edd4
SHA256 b4401b1eae7f8a6c8bef9ba12daab302e41d25f5b8eff4b1a94bca0fc7990942
SHA512 9ce56059b2866cbb4662683bfa20565fead108dc4807ea095aeb6d4a86a6b47f6e2d6c7129097e5bf80b10a311217d0e3f75f65e3aa0058648a18faf92641bee

C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\files\data.bin

MD5 bb8c7df11b277155036fd6f62110d818
SHA1 c7f7413f4e525822be37b33817a1755a04fec4e8
SHA256 742f8df79f6dd2bd16d00d7235f655b32b687886cda485808d1c1762ba44336a
SHA512 a568949fcef56f0db85c5f452b345f4912c8ce9435915b9380b21f97bebbcc0961e9739b8c62fa5181d527e1852c72e3bd947a56dddb0a3031c6f2c9d67e1b1d

C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\files\data2.bin

MD5 148787dfd8c9b0d3c0681f0a984cbcf0
SHA1 0456d2fd54da6e9eaa239b9620efcf17c9cf95c5
SHA256 4f1c84df725ddff0403f24080baff45abc06a1191b43c00f9847d791b7b79488
SHA512 e0e4c8fc3953e48f253f3b762f6df6ec7bce0067e6f867eb1e8e5b3921ea7eada1993f8a173ae7f29103927b4e339374425b9f2a729da075fa142a8b5440e830

memory/2204-101-0x0000000002C40000-0x0000000002CCA000-memory.dmp

C:\tmpa\Autoit3.exe

MD5 c56b5f0201a3b3de53e561fe76912bfd
SHA1 2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512 195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

memory/2204-106-0x0000000000C50000-0x0000000000E50000-memory.dmp

memory/2204-107-0x0000000002C40000-0x0000000002CCA000-memory.dmp

\??\c:\tmpa\script.au3

MD5 74de66e9523816a5b1dfbdb31b56cb3b
SHA1 9b0bd88932223c819d2c10d5739abdaf4f1a3cec
SHA256 91323b304dead6738f2652334e01bc2219751ea749501cf53f2f04573cd7cdd2
SHA512 21da2c017084db3e74447dd95478b4984a99494b8792ebde07fee9ed3c9114abe3491532bb89da47736098de8aa0e76e8313a28e26dca581f284fcc5b2e1df5a

C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\files\00007-3546315030.png

MD5 94b4895b7b8a60481393b7b8c22ad742
SHA1 902796c4aee78ab74e7ba5004625d797d83a8787
SHA256 f449409c8747d8e73ac7f8539c6e26d526ef51d267fed40eadce138389db5973
SHA512 d1ed6f5a1920eca041a683d71ac562058bc513877e3ae8be18888797d0713e25964c610428f9474d9b539097441002275e1f0023a565bd205cd4153ac282b61e

C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\msiwrapper.ini

MD5 ee6c3f9472d001a9c32796b1932132fc
SHA1 335ec8f2d44978e03c68cc98deb5363fe554acaa
SHA256 e03f1fb253dcf53053e8a51a0321acbab232fe5ad117855d57fd7900fdc217f5
SHA512 98e4edd45b6a77e405659f355b89d92e392245e8f11711c6102f1428402e80186c7b00218ef748d25d3302e472c3e014a798ab8dd6a85f53ff04afc8279d7827

C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\files\00006-3546315029.png

MD5 173a98c6c7a166db7c3caa3a06fec06c
SHA1 3c562051f42353e72ba87b6f54744f6d0107df86
SHA256 212a80b3f8e68d00dbd8fc55fc8c4b30ee996348262d5d37e8b3f431a4b2fdad
SHA512 9dcd341937eff32762767d3538499d211f5a50fddb4e83d5d1afbeb87a5420c1fb9952ef2ecc744c460b7d53baa2bffbe99087a9f794d25ba78d1af61ea8b54d

C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\files\00005-3546315028.png

MD5 dee56d4f89c71ea6c4f1e75b82f2e9c9
SHA1 293ce531cddbf4034782d5dfed1e35c807d75c52
SHA256 a8f1ffb62d49d35a0f838f358614333e3d5d68ce5409fdfefcd1aa218d4639cf
SHA512 e8c38dc1d7a49d9cb919eae5294cc64379a933cdbd5427ed38c5f915271655f9bd6363e131f9d8a74ffdda23c7b155cc5200ddf999339ea611b98e74355faa0c

C:\Users\Admin\AppData\Local\Temp\MW-5e6d692f-380f-4c69-9d3f-16a818a7a97c\files\00004-4001132497.png

MD5 2ccc17c1a5bb5e656e7f3bb09ff0beff
SHA1 05866cf7dd5fa99ea852b01c2791b30e7741ea19
SHA256 411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2
SHA512 46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5

memory/2240-116-0x0000000004E40000-0x0000000004FD5000-memory.dmp

memory/2240-115-0x00000000044B0000-0x00000000048B0000-memory.dmp

memory/2240-117-0x0000000004E40000-0x0000000004FD5000-memory.dmp

C:\Windows\Installer\MSI2C67.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

C:\Windows\Installer\MSI2C67.tmp

MD5 d82b3fb861129c5d71f0cd2874f97216
SHA1 f3fe341d79224126e950d2691d574d147102b18d
SHA256 107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512 244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b