19f91ee8a2acf408d69be07e1c4a99992213e565b9c8bb6d5c52f59f79707da3

Analysis

max time kernel
40s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2024 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

autoit-v3-setup.exe
Size

12.9MB
MD5

a65b5df1a846fb0bb7ad4b2da19bbbcd
SHA1

b93c659c6f9eca5cdaea8e552c0466cac3ea61d6
SHA256

19f91ee8a2acf408d69be07e1c4a99992213e565b9c8bb6d5c52f59f79707da3
SHA512

34980e23fe4c17c358cd23678c53ff548117479eab9c5cbd9f937a76bb2772e49a60c46e190da88f973ce05338a891609f012936f27de4c71b84f2789955da29
SSDEEP

393216:TDaWWhLNL186VkPwBOf74ycQf2TftfJBYT6IL/owfe:TDaWWdNxpg2icfRC7L/xm

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\DriveSpaceFree.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\GUICtrlCreateContextMenu.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\StringToASCIIArray.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_Date_Time_SystemTimeToTzSpecificLocalTime.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_Excel_SheetAdd[2].au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlListView_GetExtendedListViewStyle.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\ChrW.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlComboBox_GetEditSel.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlRebar_GetBandID.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlRichEdit_GetTextLength.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_MoveFileEx.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_UrlApplyScheme.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Include\MenuConstants.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_DateDayOfWeek.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlToolbar_GetRows.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_ShellGetKnownFolderPath.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\Eval.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GDIPlus_PathCreate2.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlStatusBar_GetTextLengthEx.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_TCPIpToName.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\ControlCommand.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GDIPlus_PenDispose.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlEdit_Create[2].au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlListView_GetHotCursor.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlListView_GetViewDetails.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_IE_Introduction.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Aut2Exe\Icons\AutoIt_Main_v11_256x256_RGB-A.ico	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\StringIsLower.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlListView_GetItemGroupID.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_TransparentBlt.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\COM\WordTest.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\TCPConnect.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_Date_Time_LocalFileTimeToFileTime.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlSlider_GetChannelRect.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlStatusBar_GetText[2].au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\COM\RegExpTest.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\FileGetTime.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GDIPlus_BitmapDispose.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlButton_GetNote.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlStatusBar_Create.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlTreeView_DisplayRect.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUIToolTip_Create.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_StringLenA.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\FileGetShortName.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_FileWriteLog.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_WinAPI_ExtractIconEx.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Extras\AutoUpdateIt\AutoSQLiteUpdateIt.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\ControlCommand.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\FuncName.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlComboBox_GetExtendedUI.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlTreeView_GetSelected.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\AutoIt.chm	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\DriveMapAdd.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\EnvUpdate.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_viOpen.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlComboBoxEx_GetDroppedControlRectEx.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlEdit_LineLength.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlMenu_GetItemData.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GUICtrlMenu_SetItemBitmaps.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Include\APIDlgConstants.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Include\APIDlgConstants.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\ExitLoop.au3	autoit-v3-setup.exe
File created	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_ClipBoard_EnumFormats.au3	autoit-v3-setup.exe
File opened for modification	C:\Program Files (x86)\AutoIt3\Examples\Helpfile\_GDIPlus_ImageScale[2].au3	autoit-v3-setup.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ShellNew\Template.au3	autoit-v3-setup.exe

Loads dropped DLL 9 IoCs

pid	Process
2204	autoit-v3-setup.exe
2204	autoit-v3-setup.exe
2204	autoit-v3-setup.exe
2204	autoit-v3-setup.exe
2204	autoit-v3-setup.exe
2204	autoit-v3-setup.exe
2204	autoit-v3-setup.exe
2204	autoit-v3-setup.exe
2204	autoit-v3-setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	autoit-v3-setup.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\IESettingSync	hh.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	hh.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	hh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	hh.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\InprocServer32\ThreadingModel = "Apartment"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\0\win32	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.a3x	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\Edit\Command	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control\CLSID	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\InprocServer32\ = "C:\\Program Files (x86)\\AutoIt3\\AutoItX\\AutoItX3.dll"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AutoItX3.DLL\AppID = "{6E8109C4-F369-415D-AF9A-2AEEFF313234}"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\CompileX86\Command\ = "\"C:\\Program Files (x86)\\AutoIt3\\Aut2Exe\\Aut2Exe.exe\" /in \"%l\""	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ProxyStubClsid32\ = "{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3XScript	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\Edit\ = "Edit Script"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ = "IAutoItX3"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ProxyStubClsid32	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\Open	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control\CurVer\ = "AutoItX3.Control.1"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\AutoIt3\\AutoItX"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\ = "AutoIt v3 Script"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\Run\Command\ = "\"C:\\Program Files (x86)\\AutoIt3\\AutoIt3.exe\" \"%1\" %*"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\CompileX64\ = "Compile Script (x64)"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.au3\PerceivedType = "text"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3XScript\DefaultIcon	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\Open\Command	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3XScript\ = "AutoIt v3 Encoded Script"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6E8109C4-F369-415D-AF9A-2AEEFF313234}\ = "AutoItX3"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\ = "Run"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\Run\Command	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\NumMethods\ = "107"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\Compile\Command	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\Compile\Command\ = "\"C:\\Program Files (x86)\\AutoIt3\\Aut2Exe\\Aut2Exe.exe\" /in \"%l\""	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3XScript\Shell\Run\ = "Run Script"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\AutoItX3.DLL	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3XScript\Shell	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\RunX86\Command	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\Programmable	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\CompileX64\Command	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\Edit\Command\ = "\"C:\\Program Files (x86)\\AutoIt3\\SciTE\\SciTE.exe\" \"%1\""	autoit-v3-setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\WOW6432Node\CLSID	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\InProcServer32\ = "C:\\Program Files (x86)\\AutoIt3\\AutoItX\\AutoItX3.dll"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\VersionIndependentProgID\ = "AutoItX3.Control"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\TypeLib\Version = "1.0"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\CompileX64\Command\ = "\"C:\\Program Files (x86)\\AutoIt3\\Aut2Exe\\Aut2Exe_x64.exe\" /in \"%l\""	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3XScript\Shell\ = "Run"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\AppID = "{6E8109C4-F369-415D-AF9A-2AEEFF313234}"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\TypeLib	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{6E8109C4-F369-415D-AF9A-2AEEFF313234}	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\TypeLib	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.au3	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\RunX86	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoIt3Script\Shell\RunX64\Command\ = "\"C:\\Program Files (x86)\\AutoIt3\\AutoIt3_x64.exe\" \"%1\" %*"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.au3\PersistentHandler\ = "{5e941d80-bf96-11cd-b579-08002b30bfeb}"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control.1\ = "AutoItX3 Class"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AutoItX3.Control.1\CLSID\ = "{1A671297-FA74-4422-80FA-6C5D8CE4DE04}"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\ = "AutoItX3 Class"	autoit-v3-setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1A671297-FA74-4422-80FA-6C5D8CE4DE04}\ProgID	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F8937E53-D444-4E71-9275-35B64210CC3B}\1.0\FLAGS\ = "0"	autoit-v3-setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3D54C6B8-D283-40E0-8FAB-C97F05947EE8}\TypeLib\Version = "1.0"	autoit-v3-setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4052	hh.exe
4052	hh.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 2204 wrote to memory of 4052	2204	autoit-v3-setup.exe	92
PID 2204 wrote to memory of 4052	2204	autoit-v3-setup.exe	92

C:\Users\Admin\AppData\Local\Temp\autoit-v3-setup.exe
"C:\Users\Admin\AppData\Local\Temp\autoit-v3-setup.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Windows\hh.exe
  "C:\Windows\hh.exe" -mapid 1000 "C:\Program Files (x86)\AutoIt3\AutoIt.chm"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AutoIt3\AutoIt.chm

Filesize
6.9MB

MD5
ead459341e28c7baed87220409defd03

SHA1
c584a20d05d1276951244a88868acd8db8ce3f6e

SHA256
5e364bf4e210106ac194c27fbb9e180192f965e66c36b1d08e5e4d7ae6f0360d

SHA512
313a61eda7b14eb1f2472792313dec6d3a25d24495e6c741ec5dfb7ff7008bf893e76fa66fd2d03a154cd4ed0e564322973507514886963a766876872ebdb137

Download Submit
C:\Program Files (x86)\AutoIt3\AutoIt3.exe

Filesize
925KB

MD5
0adb9b817f1df7807576c2d7068dd931

SHA1
4a1b94a9a5113106f40cd8ea724703734d15f118

SHA256
98e4f904f7de1644e519d09371b8afcbbf40ff3bd56d76ce4df48479a4ab884b

SHA512
883aa88f2dba4214bb534fbdaf69712127357a3d0f5666667525db3c1fa351598f067068dfc9e7c7a45fed4248d7dca729ba4f75764341e47048429f9ca8846a

Download Submit
C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.dll

Filesize
709KB

MD5
5bacfb9950a2e5cc6406f3ed03b3aa1d

SHA1
16eb30debf314c9f342a183b37442cc349f3e648

SHA256
a26fddee7674f74730d28d553220566bac64c4f877c5f33b5be6899202307845

SHA512
b927545809635e9d0b6929b77a268269aa54c7b34b1f0fed0631d380f3eb155dd6d010d569183b39efac58b0f13404f02de9d953b470a4e6ed833f600248c0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf8697.tmp\InstallOptions.dll

Filesize
15KB

MD5
ece25721125d55aa26cdfe019c871476

SHA1
b87685ae482553823bf95e73e790de48dc0c11ba

SHA256
c7fef6457989d97fecc0616a69947927da9d8c493f7905dc8475c748f044f3cf

SHA512
4e384735d03c943f5eb3396bb3a9cb42c9d8a5479fe2871de5b8bc18db4bbd6e2c5f8fd71b6840512a7249e12a1c63e0e760417e4baa3dc30f51375588410480

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf8697.tmp\System.dll

Filesize
12KB

MD5
cff85c549d536f651d4fb8387f1976f2

SHA1
d41ce3a5ff609df9cf5c7e207d3b59bf8a48530e

SHA256
8dc562cda7217a3a52db898243de3e2ed68b80e62ddcb8619545ed0b4e7f65a8

SHA512
531d6328daf3b86d85556016d299798fa06fefc81604185108a342d000e203094c8c12226a12bd6e1f89b0db501fb66f827b610d460b933bd4ab936ac2fd8a88

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf8697.tmp\UserInfo.dll

Filesize
4KB

MD5
2f69afa9d17a5245ec9b5bb03d56f63c

SHA1
e0a133222136b3d4783e965513a690c23826aec9

SHA256
e54989d2b83e7282d0bec56b098635146aab5d5a283f1f89486816851ef885a0

SHA512
bfd4af50e41ebc56e30355c722c2a55540a5bbddb68f1522ef7aabfe4f5f2a20e87fa9677ee3cdb3c0bf5bd3988b89d1224d32c9f23342a16e46c542d8dc0926

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf8697.tmp\ioDefaultOpen.ini

Filesize
486B

MD5
6d68980f2334eeb2619718051ad09cb9

SHA1
ba59b6c2658897331a72dfce8f5541cd7844eeda

SHA256
22248b05251d4adc2a799066bb2f5adbbad46af0abed7a883cd42c02ca0c0571

SHA512
6e87669125dd9a5ca98aa64f1290e935f08d77da53993f0b5fc1d2a4ed4d26c45681838b3072077328111d017fc22de6d1f2d15b1279d386ff44ca59efe397f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf8697.tmp\ioDefaultOpen.ini

Filesize
666B

MD5
f206c218d309e5860cfa2ec8c4241b13

SHA1
b516eb68e49ce81e53f00accf8a6615a2236085d

SHA256
7019178b31439834c268006e52bd5efa4d7f585c0ccad6ea5ebed2c19d74b6bc

SHA512
1e467f5cedcdcc3baf40a105cf9c6002c6219c1d686c507584d6ab7e7c0161ade34f2ae04e0ca8781b190440abecfb48c83919e31ec91103db58f4096d7a246f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf8697.tmp\ioDefaultOpen.ini

Filesize
780B

MD5
91571cd246bdbe8b7ee038b14f55cd4a

SHA1
fc61cd54c574647a6d7b809269b833301350a11f

SHA256
81edc77bc343cf69569f466b4668e10e7decf900a07aa7c9f4b30bb2a1bfceb0

SHA512
6bc44fb819197ae7c2d2ea338f3087b6a0fc4847d26e56b0cd05efd78cc31cea0505e0965799b0ef1892afba5cd143c1fb3ac62682c8747f1f578692333f1fb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf8697.tmp\ioSpecial.ini

Filesize
1KB

MD5
bfc16e947460d388fce5ca7db71c2f95

SHA1
2ccd285011725d047ec04bb57533cdcdfae10a66

SHA256
ef0d45623997f56fa57e15ebe03339cfbc21b4db33ee36c5e026629376092718

SHA512
15c93ff609b49b1a243591b3cbd1f89b81a638da47f428fc1f7a87bbad2cd807402d0575b1c14cadd16272e901ac11290f3122c7c8bd9ec400445b6614baa968

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf8697.tmp\ioSpecial.ini

Filesize
1KB

MD5
06b3f2e0537a1a9f208b5eb68b19e1a8

SHA1
9052d77a9e0ad7c274cf59db92d801bc73a55711

SHA256
041e3638719c05fe521162e8c78b2bf3ee269834f544612c1b2f8cbf578da7b2

SHA512
eafc37458ce0c6592c3fc8d1802b8ebd8159e8185e4660dd311fb6cf9ca72662a76034152f5c5074713208747d5fb0df7be5e5d1052b9f198c5b2d1e263dd33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf8697.tmp\ioSpecial.ini

Filesize
1KB

MD5
a56730d50d4af8be64e3eec1c0342da4

SHA1
8bbd28cd99ad587181817cabfe3e02c4181e6b4b

SHA256
d679c8ea9dd07836f03e57aac7c704c57f86feb8250854ba8df3088e87501d6f

SHA512
ff8d3fe20ff31d9bd51d104a716a42d0276e1c508b798debe27e88bd77b927f503b2f57b33b61ec121a831fa11a4a5f446b2f3757a2e458b5b3b2f1fc4da33da

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf8697.tmp\ioSpecial.ini

Filesize
1KB

MD5
2100162790d514ea3f979c5eceb3c37a

SHA1
034fab63ed307c1ab7b4d2ce36a929c32354130a

SHA256
e356658ec7e87946c8a114c1abd7f2321126f1d9e9bd5fb3e904abd6ec9a914a

SHA512
20e7aa03e118d6970776422419c6466cbe90fb76306c9eda8e1c5bbf3f168f250954f178dc1d14eeaf25a80beb6bfc4b08404598eabd452d03406ef18362e3d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf8697.tmp\ioSpecial.ini

Filesize
1KB

MD5
83e60ccba66d60a9856fe6faddfea742

SHA1
8a5cec27d9f13c5cc1a90b834574c3dde100f1d4

SHA256
f1206b0b5a13ff4b587e12d5c9f889f77b0eb52d67952e574da9497c33084d10

SHA512
c1cfe797d5798808f64f49a4d8a69c74155788b3660b6bd1955ed6c42030c057ff9606945638d15ef10c24263de34170e740ceaf766639bf0668c952968211aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf8697.tmp\ioX64Options.ini

Filesize
1KB

MD5
5d7f62f8a866750ef251e10ad24cf7ef

SHA1
bd8ddf635fe3fa79c4b1470908390779bebebf5f

SHA256
a730cb3105755eb3451275972fb13a3e4e000ec27419d6a7379d675abff103b1

SHA512
ab9a8c942beca69861578a673187b7b344b95ecd66c1ec32055669b49a36ec5b8ba928e5fc7e76adbbaea9ae3d1b516aa39a2cd7f5e56694e057ed459e6e4ba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsf8697.tmp\ioX64Options.ini

Filesize
1KB

MD5
b4dbc442b63ab533aa2b928170fadfc0

SHA1
d693dc34359a31b7f76eaaa668d48dcf08f1115d

SHA256
cfccf4befc7610759450e34ea584d8cf0ad042dcc492356502fed3a8a9e5eb33

SHA512
5de98535283a69d3e6e6fa6b50c093aa03708312b6fe6b4146167000a670bacaf6900eeaf9aa8aef7af1d13517f84f4b48aeab9c8a213f7e5d729f5309634a26

Download Submit