darkgate | 5fb1567d2cbbaf1df7c4ec782f8c9b1a0e1a171bdb6f814f3b3089dab7a03bf4

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250313-en
resource tags

arch:x64arch:x86image:win10v2004-20250313-enlocale:en-usos:windows10-2004-x64system
submitted
27/03/2025, 22:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

test/Autoit3.exe
Size

872KB
MD5

c56b5f0201a3b3de53e561fe76912bfd
SHA1

2a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256

237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512

195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
SSDEEP

12288:6pVWeOV7GtINsegA/hMyyzlcqikvAfcN9b2MyZa31twoPTdFxgawV2M01:6T3E53Myyzl0hMf1tr7Caw8M01

Score

10^/10

darkgate drk3 discovery execution persistence stealer

Malware Config

Extracted

Family

darkgate

Botnet

drk3

aspava-yachting.com

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
ZuMRODIC
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
drk3

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Darkgate family
darkgate

Detect DarkGate stealer 6 IoCs

resource	yara_rule
behavioral2/memory/3696-37-0x0000000003C70000-0x0000000003FC5000-memory.dmp	family_darkgate_v6
behavioral2/memory/3696-72-0x0000000003C70000-0x0000000003FC5000-memory.dmp	family_darkgate_v6
behavioral2/memory/3696-74-0x0000000003C70000-0x0000000003FC5000-memory.dmp	family_darkgate_v6
behavioral2/memory/3696-76-0x0000000003C70000-0x0000000003FC5000-memory.dmp	family_darkgate_v6
behavioral2/memory/3696-75-0x0000000003C70000-0x0000000003FC5000-memory.dmp	family_darkgate_v6
behavioral2/memory/3696-73-0x0000000003C70000-0x0000000003FC5000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 15 IoCs

description	pid	Process	procid_target
PID 3696 created 3660	3696	Autoit3.exe	76
PID 3696 created 3660	3696	Autoit3.exe	76
PID 1216 created 3892	1216	Autoit3.exe	59
PID 6128 created 4056	6128	Autoit3.exe	61
PID 2052 created 3960	2052	Autoit3.exe	60
PID 1120 created 3892	1120	Autoit3.exe	59
PID 6036 created 3696	6036	Autoit3.exe	112
PID 3696 created 2704	3696	Autoit3.exe	72
PID 3696 created 2768	3696	Autoit3.exe	47
PID 1900 created 2056	1900	Autoit3.exe	106
PID 4492 created 2056	4492	Autoit3.exe	106
PID 4064 created 3696	4064	Autoit3.exe	112
PID 4948 created 3448	4948	Autoit3.exe	139
PID 2460 created 3892	2460	Autoit3.exe	59
PID 3696 created 1036	3696	Autoit3.exe	164

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ahbbbfh = "\"C:\\ProgramData\\dbadddg\\Autoit3.exe\" C:\\ProgramData\\dbadddg\\ahfdfcd.a3x"	Autoit3.exe

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
3696	Autoit3.exe

Executes dropped EXE 12 IoCs

pid	Process
1216	Autoit3.exe
6128	Autoit3.exe
2052	Autoit3.exe
1120	Autoit3.exe
6036	Autoit3.exe
1900	Autoit3.exe
4492	Autoit3.exe
4064	Autoit3.exe
4948	Autoit3.exe
2460	Autoit3.exe
4304	Autoit3.exe
2636	Autoit3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 34 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WMIC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msbuild.exe

Checks processor information in registry 2 TTPs 26 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe

Modifies registry class 33 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Autoit3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Autoit3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Autoit3.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Autoit3.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Autoit3.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3446877943-4095308722-756223633-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1548	powershell.exe
1548	powershell.exe
3696	Autoit3.exe
3696	Autoit3.exe
3696	Autoit3.exe
3696	Autoit3.exe
3696	Autoit3.exe
3696	Autoit3.exe
3696	Autoit3.exe
3696	Autoit3.exe
6128	Autoit3.exe
6128	Autoit3.exe
1216	Autoit3.exe
1216	Autoit3.exe
1216	Autoit3.exe
1216	Autoit3.exe
2052	Autoit3.exe
2052	Autoit3.exe
6128	Autoit3.exe
6128	Autoit3.exe
3696	Autoit3.exe
3696	Autoit3.exe
1120	Autoit3.exe
1120	Autoit3.exe
2052	Autoit3.exe
2052	Autoit3.exe
6036	Autoit3.exe
6036	Autoit3.exe
1120	Autoit3.exe
1120	Autoit3.exe
6128	Autoit3.exe
6128	Autoit3.exe
1900	Autoit3.exe
1900	Autoit3.exe
6036	Autoit3.exe
6036	Autoit3.exe
2052	Autoit3.exe
2052	Autoit3.exe
3696	Autoit3.exe
3696	Autoit3.exe
3696	Autoit3.exe
3696	Autoit3.exe
4492	Autoit3.exe
4492	Autoit3.exe
1900	Autoit3.exe
1900	Autoit3.exe
4064	Autoit3.exe
4064	Autoit3.exe
4492	Autoit3.exe
4492	Autoit3.exe
6036	Autoit3.exe
6036	Autoit3.exe
3696	Autoit3.exe
3696	Autoit3.exe
4948	Autoit3.exe
4948	Autoit3.exe
4064	Autoit3.exe
4064	Autoit3.exe
2460	Autoit3.exe
2460	Autoit3.exe
4948	Autoit3.exe
4948	Autoit3.exe
4304	Autoit3.exe
4304	Autoit3.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4828	Autoit3.exe
3696	Autoit3.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeIncreaseQuotaPrivilege	3760	WMIC.exe
Token: SeSecurityPrivilege	3760	WMIC.exe
Token: SeTakeOwnershipPrivilege	3760	WMIC.exe
Token: SeLoadDriverPrivilege	3760	WMIC.exe
Token: SeSystemProfilePrivilege	3760	WMIC.exe
Token: SeSystemtimePrivilege	3760	WMIC.exe
Token: SeProfSingleProcessPrivilege	3760	WMIC.exe
Token: SeIncBasePriorityPrivilege	3760	WMIC.exe
Token: SeCreatePagefilePrivilege	3760	WMIC.exe
Token: SeBackupPrivilege	3760	WMIC.exe
Token: SeRestorePrivilege	3760	WMIC.exe
Token: SeShutdownPrivilege	3760	WMIC.exe
Token: SeDebugPrivilege	3760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3760	WMIC.exe
Token: SeRemoteShutdownPrivilege	3760	WMIC.exe
Token: SeUndockPrivilege	3760	WMIC.exe
Token: SeManageVolumePrivilege	3760	WMIC.exe
Token: 33	3760	WMIC.exe
Token: 34	3760	WMIC.exe
Token: 35	3760	WMIC.exe
Token: 36	3760	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3760	WMIC.exe
Token: SeSecurityPrivilege	3760	WMIC.exe
Token: SeTakeOwnershipPrivilege	3760	WMIC.exe
Token: SeLoadDriverPrivilege	3760	WMIC.exe
Token: SeSystemProfilePrivilege	3760	WMIC.exe
Token: SeSystemtimePrivilege	3760	WMIC.exe
Token: SeProfSingleProcessPrivilege	3760	WMIC.exe
Token: SeIncBasePriorityPrivilege	3760	WMIC.exe
Token: SeCreatePagefilePrivilege	3760	WMIC.exe
Token: SeBackupPrivilege	3760	WMIC.exe
Token: SeRestorePrivilege	3760	WMIC.exe
Token: SeShutdownPrivilege	3760	WMIC.exe
Token: SeDebugPrivilege	3760	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3760	WMIC.exe
Token: SeRemoteShutdownPrivilege	3760	WMIC.exe
Token: SeUndockPrivilege	3760	WMIC.exe
Token: SeManageVolumePrivilege	3760	WMIC.exe
Token: 33	3760	WMIC.exe
Token: 34	3760	WMIC.exe
Token: 35	3760	WMIC.exe
Token: 36	3760	WMIC.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4828	Autoit3.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1548 wrote to memory of 3696	1548	powershell.exe	112
PID 1548 wrote to memory of 3696	1548	powershell.exe	112
PID 1548 wrote to memory of 3696	1548	powershell.exe	112
PID 3696 wrote to memory of 1468	3696	Autoit3.exe	113
PID 3696 wrote to memory of 1468	3696	Autoit3.exe	113
PID 3696 wrote to memory of 1468	3696	Autoit3.exe	113
PID 1468 wrote to memory of 3760	1468	cmd.exe	115
PID 1468 wrote to memory of 3760	1468	cmd.exe	115
PID 1468 wrote to memory of 3760	1468	cmd.exe	115
PID 3696 wrote to memory of 3228	3696	Autoit3.exe	117
PID 3696 wrote to memory of 3228	3696	Autoit3.exe	117
PID 3696 wrote to memory of 3228	3696	Autoit3.exe	117
PID 3696 wrote to memory of 2748	3696	Autoit3.exe	119
PID 3696 wrote to memory of 2748	3696	Autoit3.exe	119
PID 3696 wrote to memory of 2748	3696	Autoit3.exe	119
PID 3696 wrote to memory of 4896	3696	Autoit3.exe	125
PID 3696 wrote to memory of 4896	3696	Autoit3.exe	125
PID 3696 wrote to memory of 4896	3696	Autoit3.exe	125
PID 5884 wrote to memory of 1216	5884	cmd.exe	127
PID 5884 wrote to memory of 1216	5884	cmd.exe	127
PID 5884 wrote to memory of 1216	5884	cmd.exe	127
PID 4612 wrote to memory of 6128	4612	cmd.exe	128
PID 4612 wrote to memory of 6128	4612	cmd.exe	128
PID 4612 wrote to memory of 6128	4612	cmd.exe	128
PID 1216 wrote to memory of 3672	1216	Autoit3.exe	129
PID 1216 wrote to memory of 3672	1216	Autoit3.exe	129
PID 1216 wrote to memory of 3672	1216	Autoit3.exe	129
PID 3696 wrote to memory of 5540	3696	Autoit3.exe	133
PID 3696 wrote to memory of 5540	3696	Autoit3.exe	133
PID 3696 wrote to memory of 5540	3696	Autoit3.exe	133
PID 4972 wrote to memory of 2052	4972	cmd.exe	134
PID 4972 wrote to memory of 2052	4972	cmd.exe	134
PID 4972 wrote to memory of 2052	4972	cmd.exe	134
PID 2244 wrote to memory of 1120	2244	cmd.exe	138
PID 2244 wrote to memory of 1120	2244	cmd.exe	138
PID 2244 wrote to memory of 1120	2244	cmd.exe	138
PID 6128 wrote to memory of 3448	6128	Autoit3.exe	139
PID 6128 wrote to memory of 3448	6128	Autoit3.exe	139
PID 6128 wrote to memory of 3448	6128	Autoit3.exe	139
PID 2052 wrote to memory of 1568	2052	Autoit3.exe	142
PID 2052 wrote to memory of 1568	2052	Autoit3.exe	142
PID 2052 wrote to memory of 1568	2052	Autoit3.exe	142
PID 4556 wrote to memory of 6036	4556	cmd.exe	143
PID 4556 wrote to memory of 6036	4556	cmd.exe	143
PID 4556 wrote to memory of 6036	4556	cmd.exe	143
PID 6128 wrote to memory of 2964	6128	Autoit3.exe	145
PID 6128 wrote to memory of 2964	6128	Autoit3.exe	145
PID 6128 wrote to memory of 2964	6128	Autoit3.exe	145
PID 1120 wrote to memory of 3196	1120	Autoit3.exe	147
PID 1120 wrote to memory of 3196	1120	Autoit3.exe	147
PID 1120 wrote to memory of 3196	1120	Autoit3.exe	147
PID 2432 wrote to memory of 1900	2432	cmd.exe	151
PID 2432 wrote to memory of 1900	2432	cmd.exe	151
PID 2432 wrote to memory of 1900	2432	cmd.exe	151
PID 2052 wrote to memory of 436	2052	Autoit3.exe	152
PID 2052 wrote to memory of 436	2052	Autoit3.exe	152
PID 2052 wrote to memory of 436	2052	Autoit3.exe	152
PID 6036 wrote to memory of 3156	6036	Autoit3.exe	154
PID 6036 wrote to memory of 3156	6036	Autoit3.exe	154
PID 6036 wrote to memory of 3156	6036	Autoit3.exe	154
PID 1448 wrote to memory of 4492	1448	cmd.exe	158
PID 1448 wrote to memory of 4492	1448	cmd.exe	158
PID 1448 wrote to memory of 4492	1448	cmd.exe	158
PID 3696 wrote to memory of 1312	3696	Autoit3.exe	159

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1312

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3196
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1452

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1568

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:3448
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    PID:3132

C:\Windows\system32\SppExtComObj.exe
C:\Windows\system32\SppExtComObj.exe -Embedding
1⤵
PID:2704

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4896

C:\Users\Admin\AppData\Local\Temp\test\Autoit3.exe
"C:\Users\Admin\AppData\Local\Temp\test\Autoit3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4828

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:ShellFeedsUI.AppXnj65k2d1a1rnztt2t2nng5ctmk3e76pn.mca
1⤵
PID:2056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:5280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  PID:512

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548
- C:\Users\Admin\AppData\Local\Temp\test\Autoit3.exe
  "C:\Users\Admin\AppData\Local\Temp\test\Autoit3.exe" .\script.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Adds Run key to start application
  - Command and Scripting Interpreter: AutoIT
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:3696
- - \??\c:\windows\SysWOW64\cmd.exe
    "c:\windows\system32\cmd.exe" /c wmic ComputerSystem get domain > C:\ProgramData\dbadddg\hdafhfd
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic ComputerSystem get domain
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      PID:3760
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2748
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5540
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3156
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dbadddg\Autoit3.exe" C:\ProgramData\dbadddg\ahfdfcd.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:4612
- C:\ProgramData\dbadddg\Autoit3.exe
  C:\ProgramData\dbadddg\Autoit3.exe C:\ProgramData\dbadddg\ahfdfcd.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:6128
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dbadddg\Autoit3.exe" C:\ProgramData\dbadddg\ahfdfcd.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:5884
- C:\ProgramData\dbadddg\Autoit3.exe
  C:\ProgramData\dbadddg\Autoit3.exe C:\ProgramData\dbadddg\ahfdfcd.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dbadddg\Autoit3.exe" C:\ProgramData\dbadddg\ahfdfcd.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:4972
- C:\ProgramData\dbadddg\Autoit3.exe
  C:\ProgramData\dbadddg\Autoit3.exe C:\ProgramData\dbadddg\ahfdfcd.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dbadddg\Autoit3.exe" C:\ProgramData\dbadddg\ahfdfcd.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:2244
- C:\ProgramData\dbadddg\Autoit3.exe
  C:\ProgramData\dbadddg\Autoit3.exe C:\ProgramData\dbadddg\ahfdfcd.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dbadddg\Autoit3.exe" C:\ProgramData\dbadddg\ahfdfcd.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:4556
- C:\ProgramData\dbadddg\Autoit3.exe
  C:\ProgramData\dbadddg\Autoit3.exe C:\ProgramData\dbadddg\ahfdfcd.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:6036
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dbadddg\Autoit3.exe" C:\ProgramData\dbadddg\ahfdfcd.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:2432
- C:\ProgramData\dbadddg\Autoit3.exe
  C:\ProgramData\dbadddg\Autoit3.exe C:\ProgramData\dbadddg\ahfdfcd.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:1900
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dbadddg\Autoit3.exe" C:\ProgramData\dbadddg\ahfdfcd.a3x
1⤵
- Suspicious use of WriteProcessMemory
PID:1448
- C:\ProgramData\dbadddg\Autoit3.exe
  C:\ProgramData\dbadddg\Autoit3.exe C:\ProgramData\dbadddg\ahfdfcd.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4492

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dbadddg\Autoit3.exe" C:\ProgramData\dbadddg\ahfdfcd.a3x
1⤵
PID:1036
- C:\ProgramData\dbadddg\Autoit3.exe
  C:\ProgramData\dbadddg\Autoit3.exe C:\ProgramData\dbadddg\ahfdfcd.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4064
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dbadddg\Autoit3.exe" C:\ProgramData\dbadddg\ahfdfcd.a3x
1⤵
PID:4308
- C:\ProgramData\dbadddg\Autoit3.exe
  C:\ProgramData\dbadddg\Autoit3.exe C:\ProgramData\dbadddg\ahfdfcd.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dbadddg\Autoit3.exe" C:\ProgramData\dbadddg\ahfdfcd.a3x
1⤵
PID:116
- C:\ProgramData\dbadddg\Autoit3.exe
  C:\ProgramData\dbadddg\Autoit3.exe C:\ProgramData\dbadddg\ahfdfcd.a3x
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dbadddg\Autoit3.exe" C:\ProgramData\dbadddg\ahfdfcd.a3x
1⤵
PID:5772
- C:\ProgramData\dbadddg\Autoit3.exe
  C:\ProgramData\dbadddg\Autoit3.exe C:\ProgramData\dbadddg\ahfdfcd.a3x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:4304

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\dbadddg\Autoit3.exe" C:\ProgramData\dbadddg\ahfdfcd.a3x
1⤵
PID:4680
- C:\ProgramData\dbadddg\Autoit3.exe
  C:\ProgramData\dbadddg\Autoit3.exe C:\ProgramData\dbadddg\ahfdfcd.a3x
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dbadddg\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\ProgramData\dbadddg\afbdhcd

Filesize
1KB

MD5
0db9f84c29a4894a5bbf61c487f55d7e

SHA1
7f7ae26706ad3ad97aca89ee19f87131449ddae1

SHA256
e3ab61154628d331df3422bd31523eb6bcb17280faaf0317f8efb79b4b99f5b6

SHA512
7a1b532d61d163e4e9857998973419d2f5e7464a64e113c96a7935bc4b262e380ee7a5b519b651e96bd437ade4013829ddade5e3a6b42e6bae5bf92df0f6f98d

Download Submit
C:\ProgramData\dbadddg\ahfdfcd.a3x

Filesize
585KB

MD5
19c3cd08cdf0b443297669fd94288fb5

SHA1
89e2519e2a0ff144f99e0f5d7a7419898e36ba77

SHA256
020740d11c15f7b3b5bbc2eef7e7237c91207089c06573fded479d03ab7f5092

SHA512
dc4e0b5fc15d5ce65d80792daffd2a8617b3079fd1a7877ca6e3c17cceb518972702b135524c076dd791d032e2f8247632cc43c4d0da296d12e0c38d1b439cc3

Download Submit
C:\ProgramData\dbadddg\hdafhfd

Filesize
54B

MD5
c8bbad190eaaa9755c8dfb1573984d81

SHA1
17ad91294403223fde66f687450545a2bad72af5

SHA256
7f136265128b7175fb67024a6ddd7524586b025725a878c07d76a9d8ad3dc2ac

SHA512
05f02cf90969b7b9a2de39eecdf810a1835325e7c83ffe81388c9866c6f79be6cdc8617f606a8fedc6affe6127bede4b143106a90289bbb9bf61d94c648059df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\msbuild.exe.log

Filesize
841B

MD5
0efd0cfcc86075d96e951890baf0fa87

SHA1
6e98c66d43aa3f01b2395048e754d69b7386b511

SHA256
ff981780f37479af6a428dd121eef68cf6e0b471ae92f080893a55320cc993f7

SHA512
4e79f5a8494aac94f98af8dbbc71bdd0a57b02103757ad970da7e7d4e6a0dc5015ca008256a6bd2c5bdec3a0f5736a994e17b3ef004b0f374a3339e480ac41b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uxquwgjj.g3c.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\bchcGch

Filesize
32B

MD5
e75a045e44bd18a47c166542ee98a242

SHA1
69a76e67c1ff224d62e882a8e851fe2dfce68839

SHA256
95ef74da0183b851a93f3684c094cd52c2493fa208ae1048e0cd63809cad8df2

SHA512
08b74f6ab68148a851113d330b1d7b4a23fe2c5f4d7a7dda9da632d4920196be4f7a8d77c9f5a28cd0c85ad29bd38a5c992f0df041c3695ef41e5e3e4765d316

Download Submit
C:\temp\ccfkfea

Filesize
4B

MD5
b355a9b5b3a2d30c8eabbf74c6412649

SHA1
a03685c1e6aa65b2c60ec305d9c518eb03b0d390

SHA256
f36f01c0ae836a7b53f913de114f414002a1acb542ecb895f424c1b136fc2444

SHA512
0380cb5da1207c906b80849ab6a3d1060d9efa25d0796d1c28b9b714c6dc4b13dd6df84d786100a42b516b017f9860e36dfdf2eae38fec3c7c9770a349875be6

Download Submit
C:\temp\ccfkfea

Filesize
4B

MD5
ae50cbecc6aefb8ae831472954ae3068

SHA1
babe71e5927e0557fd9bbb873fe4023f9187f4ba

SHA256
335ff38d6622898ecf1515c72878778a5eb13ed707a3cabdc0adfd394ffdbf30

SHA512
7c015b086e1f7f275190790c7df92bc11b59f5ca5db6df0de5140b7efb45868dce50204c8567199b93ff1af6edf9ab0ce674f23c030655da1fb779b53172b65f

Download Submit
C:\temp\ccfkfea

Filesize
4B

MD5
ad5f3b17a587e68d7a331bbb60a6150d

SHA1
5f3a165793b3d6f6b7691b979f40bc7fe4244602

SHA256
f1c0ae0df557ec142a652a85cd839e54e413c2e907f27d3eb7be98fe04288e9c

SHA512
7922fb3718fd761a30e6fe8eb1e9e7e7b8049b440dfb14cdd8118e5644b17ad549253374b5d3028000641d47462d53a1e4afc35f6f01356138c28ce60c53ee18

Download Submit
C:\temp\ccfkfea

Filesize
4B

MD5
78abba4d0e1f8768d5887f991a409f88

SHA1
059f31d0b109f3d2c31217fce5144998522c480c

SHA256
77ede39cf8bb66acc6e69fb5148172248bdeecbac1a4443937e8666d50d6275c

SHA512
24b5da1b2890ddb150ef85a726bc60706f64c337035d0a09d03ccb6458a7cdff81332d59c5c6e5509509fc25d2f4de1e615d663aed83b781786c374889e658d5

Download Submit
C:\temp\ccfkfea

Filesize
4B

MD5
72d6548f25f091515c9e979de952ae3f

SHA1
80eaf61d5151dafa075bce06a6e66925b65fbac8

SHA256
38f2866c21a80acc7ac58132b11c185a5a2633268f0652314d8a39d14f401ea2

SHA512
cb5701acc136c3957ccf79b7f71bf5229f72ddca9044efd8972a0678a770e97abc6b09e39539f9b88e1086d36c48918ff73642545be915ac99de753563436a2b

Download Submit
C:\temp\ccfkfea

Filesize
4B

MD5
2f1f07ce97a03b43d2d16c9c4f8372dc

SHA1
1ce52e24f9764101a2666f041a752a8a8a568f3b

SHA256
0ae15004856478cce594d3f4332e9d6a0ddc5023c5c2f3b45904c8a71dc6c12a

SHA512
5e2506b7c13aec74eec18a9a5d56bc9f8680bc019c7941b6da0da49f0908dfd089dd519c3a5b74490b8c13a8613caba5a32a60877dc2f204afa4df97b49b98e4

Download Submit
C:\temp\ccfkfea

Filesize
4B

MD5
038f1cf00892d4c1df474b4a04a24ec0

SHA1
db35c391c22db1c55748f7d9e6c3943fe1b5d12b

SHA256
80fab300a8d96479a3f8e46b64d6aa819e5d585ad56c8aaa41192a281083b2b3

SHA512
e81f56a68ca55a660be3e3183d23c29c3fe401db1904a1a182ccd3f6cdc06a5ff1383c06753e5c36bde52a0bc4d90682067eb939f6b885db8c7994a590acf33e

Download Submit
C:\temp\ccfkfea

Filesize
4B

MD5
0b6c0787f560ba7165c702a1c81042d1

SHA1
b772a83f24ed1144e213904d9a9c12e0f04ef333

SHA256
15c6d97f6084c17cedde1e8de91712473d864c0ea837fddfb399aca25c126892

SHA512
0541fb337eff04da6113510549aa5317da685e57eb6d505d01d52b03a1d3b8c17740196800286c646a274fbe7264b7a5793007d5122fac0448587e74e7ec9095

Download Submit
C:\temp\ccfkfea

Filesize
4B

MD5
b6762b436a662ed08e6bdf35f125d93b

SHA1
cec77a8efd2a6d4d3246c4de8d75edfb05ca6469

SHA256
8692b060b7876b96139eb5629f19199c05995c9b45c232e4de3e23b7d7717a48

SHA512
8d8dfa239787c822f2893b663a6c12cc5353c5ac5c35d7902217a48303fbfc3ae442e465e7db7c454493bc85cd1de8d72277e4e3d8703f747f6e4548fd99263e

Download Submit
C:\temp\ccfkfea

Filesize
4B

MD5
ea349256a47f1cb5e83dbc1674501c53

SHA1
812f914d954101bdea614bd9df516c0717df5148

SHA256
1bc9359651e0b29771b6edcdb5c8ad5233e21fbb806ee2e756c5a6c7ed5b89b8

SHA512
1ebf29207b83f89812a895482f23c1388c9b1782cd99f074da44809e19f2a42b2777994be3adf1e4654a19ac94b71e078b0a05f6706b9153845a77fb6bc8b861

Download Submit
C:\temp\ccfkfea

Filesize
4B

MD5
98054415d0a3dfe55c425b4dab11fba5

SHA1
c70899671bea98e88d7571791d4acfb4789b0638

SHA256
3caa140b5106d269dd2ed7b36d3ec9a87fd7434e584da21e486aeff86e42c10c

SHA512
9e9458b2149aed9205a7b5086b27d00fa87d1711be78027d06d97b6c5bcbc59292e2637b7992f47f8d0e8945fe3937ca5b2975a9710a7fa098c382c9dfca9b90

Download Submit
C:\temp\ccfkfea

Filesize
4B

MD5
48672f8b175b3c29cbce7c405c0422a2

SHA1
4d65c68593e212e0ad932a104b6742fa5d518129

SHA256
6bb74c630cc4c1c9cbcfe4c47aa6d2594d322861a7c96a23acaddad295fdbf97

SHA512
f4673577fbf4844914ccc93302274f921fded9e1ffb206d5c08c14faacb6bb21cc9532a7d009873408c99fb656f2385c1b9b2c03296dca03082ce1209ae9575a

Download Submit
C:\temp\ccfkfea

Filesize
4B

MD5
973ebe452979db3ceba250db2257e450

SHA1
9d7a66adebcdd55409119c90c9934a77ad4c4857

SHA256
020ae60236b05d50c13d33c0a31c2567b1ea6499bef26799f60efaa8b7fffc46

SHA512
987bfa0c97987212879f364989b14fb62d740c04a6c97294f1e7b95464beb994609e6c5ae5025ad8365db6c6224c5606fd3a518f7f9e9406a370391f3cb139a8

Download Submit
C:\temp\ccfkfea

Filesize
4B

MD5
93bef4e41cfef79ad31a6de193a93fcc

SHA1
8f66b97568f615272b0460e226a0e951c9b92269

SHA256
ed6f8449acf54cbaa64d230ec4388dc751aa45346a1c5eb76d530dbd2f24d7a9

SHA512
883b71ece62612a8a997e61f52988df5f025f055dbdd3192bb9b0b73481b09a12a7a3a9f63424188f75a29d5e466063a20ff4f27931e2148c4051405e44d28de

Download Submit
C:\temp\ccfkfea

Filesize
4B

MD5
dc71f21e9be8afeaa8793c2add7c6d5e

SHA1
ada7cfe90e291ce99d34661c63872fbe3ab47fda

SHA256
f1da5464a8877e212498255afbd1c1281e7748100bf43a35d44e24d28b277b7c

SHA512
d62646e54904accd9061b0fc5555f481c7c25a598a450d64fb7f0f350f87466c791e2470c38a114e7e2ef679dcd6223fddee20868ba0048aedd55b5f6a595922

Download Submit
C:\temp\ccfkfea

Filesize
4B

MD5
430bc8016f8a218fdf5a0c21e91800c6

SHA1
16ebd2312408e789a6dd7da7e6ddc4a3cf4eecc4

SHA256
c5a1c655ede86f9dd3687ea3a88ee157c961d624741aad79e198e186be889987

SHA512
557964d409f32cd5cd2add59b76d1981a2222e9e623650c1b3a58e319607b5eec0ef7f8735933683ba42bed6d9d27e54eae2bedce008ac7bf6c514dabb73d906

Download Submit
C:\temp\ccfkfea

Filesize
4B

MD5
be418907905bfa2f7e29c1bd4a35ac17

SHA1
db3945381ab511ddb5ea0a508d4aa0cc2c730bfb

SHA256
71c88fd6c6e1c75c6e2255166640a936f2d85f06c92635215ee071bc4c563335

SHA512
6890c95346acfd1a3099b3d469f8809bcfd0ac6eb1cac0c5394e662ee0d12f5b1f56c87a4c084bf9f34c00d4cf58de6d00c59d5e908961561303a319cf7dc59e

Download Submit
C:\temp\haghkeb

Filesize
4B

MD5
f622c66ca347b9bf0c5a4f5ec0f68275

SHA1
4fe8032e8f90e30af02661aa0cae6a48cf9d15f6

SHA256
b91d32243c543ee65b715d11e815b414d90443f506c28b12ac16a20d8cc862d0

SHA512
16cc13ddfcdd0f4342f3af1856f366519305a960ef2c08895e16c4f1d40585d39bd6257337d17676bfc3dc7c641c3deca4862a484b9e60c0424b4edaf7f3bcad

Download Submit
C:\temp\haghkeb

Filesize
4B

MD5
21b07f623697913556744fbaebedb114

SHA1
0d92380a152506dd79f54ebc796bba7b6c22fe76

SHA256
4e216a126c689f34a586c7262557231e336b814a9567a629c2f97555a67a4be8

SHA512
ada1ae0403f21e2dd65864f8cb534c4269b186c4e3b4790bb386d567f1d3dc96b8c78faf71cb6b26241094badcceba727f33e4e3e8a5649446e73bb75130ec93

Download Submit
C:\temp\haghkeb

Filesize
4B

MD5
e22361c326ced7da45eb5e890220504b

SHA1
58593ec346cf27162ccdd7ae9dedcd0195cba60f

SHA256
8c44868884a7f055f185ca65b1caf061b27f0a7e9ed426d00c82973f9b9b05fa

SHA512
98d37501317b3d3ad1d4c4c5b137eca022817aeeb2c1d1312bbf2ca42edad9cebc7a4cbd1f01bbd6cfdf094f1883855a60a58a7c3b46b2ece42951b993ab9f91

Download Submit
C:\temp\haghkeb

Filesize
4B

MD5
4cd410b14944979e92bbe0a1ded5543d

SHA1
79fc22fbc7bdbe030d9502c0d3408a311599eff2

SHA256
3d99e1fd43e5c76c8238d95cf3491457dac582c9491720ed862e212a70e2a1f7

SHA512
29d62b64b27a8cb584d88304779fcd2c9ab15ac6e54d11e6da7d865e08340fe9d3c20fd95e3435690ec71d16ad164e893878bdc392ef06bced3bc3ca7ff6322e

Download Submit
C:\temp\haghkeb

Filesize
4B

MD5
f3ffed2792173fb56bde325b43fa0dac

SHA1
d9c999fba51ae52825eee3aa9308799c8ad62f4d

SHA256
e56b6006ac4e1f7c1cb17abcb0f31ebdcd01081857430d1a253149a805be0f12

SHA512
938586e30cc906b5b3353e5ecc22440d14fbd3c54fd17143d29e2b9b0071e85c01dc155ba0d86f654fe4c137fc3ac95cfe5ce2cd74f88bd11a8f5b395a46c6c9

Download Submit
C:\temp\haghkeb

Filesize
4B

MD5
4cd53540488b81663fe3cc8f96dfc879

SHA1
a63d191cff637c903f616d960ef19b06cd95688b

SHA256
d636413bd8c7be6d637f9fe1ec94a7a03621c94e7d70e2e0333b593d65bb385d

SHA512
f8ead6e0e764d73e603eb5f40ec5c1dcce1826686c69d7439aa57619d845dda23cf93223acf9f495213ce0e8e71d9dfb793da6b3f0ced0cc3cf48aa3344a524f

Download Submit
C:\temp\haghkeb

Filesize
4B

MD5
042033ddfd3e6140eb80af2724bf8b30

SHA1
3caf23fde87565d8850c5b75777e94ed50d3e048

SHA256
321c5f4d9d1c1bcb7349cce942df820d83648d3d5febf53ff4927874d606a740

SHA512
c0b05f97ca2dbc9e409b4e9d7de1a15587e246b40cc059852c96ca2f09c2dcaa5050cdbcefe190df1cf270a144ebcc1b6c451775ac845827cdc718e95c965328

Download Submit
C:\temp\haghkeb

Filesize
4B

MD5
ce6e02383f51214e0c4e9b7dac728edf

SHA1
ae3d299c85ceefe2fbe3713d773590571fe2fb19

SHA256
d260c0adbee41fabc54b9438ad734d80a75682a51d2ddb2470988bf78365e29f

SHA512
d2f6aaf3955dadb899d42d5d9320e1025c8dc18a31df5474e1255ca470467e1f4c2451b820e96b9239e309dbe9dffba37d6cf509fe73a02029cad5349708ed5a

Download Submit
C:\temp\haghkeb

Filesize
4B

MD5
e31eddfd3b702ca5e0d84af23a61e646

SHA1
a05b23ffdaa52f9addcf961e9a428aeb8447ccca

SHA256
62c41b8b3dd321ce0f932a91bf3dae58e046db13ba16e4079ee7f4fefc493e51

SHA512
d62d562e1b5d9ae0e837c7e8c24af4f32227c8d395bbf3fa485917185b9b21b5f968f300fedb3a4f21ca6e1ab302c4e9d9a4eda191a9a6172d2f7870114fab3e

Download Submit
C:\temp\haghkeb

Filesize
4B

MD5
f9f5cedc7278dd77deece814c6f8a03e

SHA1
3d29083450e2ec5a14f5dc4ae548765e6c0300ce

SHA256
ea2efa3df2476573b82e0716d1da55252446e91f21776399ab564f3b90ddc678

SHA512
87e354732a1d208ae9c82561a6a785e6b6ae576c99f36e0516953d6ccfde2aadb48f961b40f7ad335f5f236218af10a7659baf805a96f71df4e8a495c0f78c01

Download Submit
C:\temp\lp.txt

Filesize
4B

MD5
5b658d2a925565f0755e035597f8d22f

SHA1
caeac19e6be8a09e082a28ff3a15af6a00fbb64a

SHA256
c7c63acc2b79f8ae36746930b4ebfdef3aca62b8f7665682145ac26732be1137

SHA512
faa75c566acf927af65755351cd089102e7db1533187c1bee87bb27d8835cf86d971fbc448f19148d8442c213be8ed2c1be376d61b27004870b64a99f4eac69a

Download Submit
C:\temp\lp.txt

Filesize
4B

MD5
5cbba2d075f0d1648e0851e1467ba79f

SHA1
b9abf4cce982fdb8d77daad3864eb4f65088e03a

SHA256
25b99b9c636ea2d7820f5409c19248e08e87e59d0fb42c5b44ce7695508f0408

SHA512
a1bfaa112abfd5581f93d82cbadb29807028218aed42bd5ff82a9fc6f18b141d542f99dfd6ab0a7b7bcbd18f4400c1dc5bc8cbbd4e10ae3a58671c0cafb6856e

Download Submit
C:\temp\lp.txt

Filesize
1B

MD5
cfcd208495d565ef66e7dff9f98764da

SHA1
b6589fc6ab0dc82cf12099d1c2d40ab994e8410c

SHA256
5feceb66ffc86f38d952786c6d696c79c2dbc239dd4e91b46729d73a27fb57e9

SHA512
31bca02094eb78126a517b206a88c73cfa9ec6f704c7030d18212cace820f025f00bf0ea68dbf3f3a5436ca63b53bf7bf80ad8d5de7d8359d0b7fed9dbc3ab99

Download Submit
C:\temp\lp.txt

Filesize
4B

MD5
c5bbd980e5ab2c17413ec02bd757a9e5

SHA1
b9c1d2de39fe832a29a1d22c32b7edfda6e1ce81

SHA256
115c08a62490bff35d2499453b1d120c023212ac1bd3a477d585155bdb2d2b81

SHA512
d806ba436694880c604e417bc2941b7d52ef36bf59b5a1f68b452913c39aa142bd99080f91d999fd53c666346759a3ab5685a9c1a28e15dcbed514c90512e811

Download Submit
memory/1548-15-0x0000021A1E0B0000-0x0000021A1E0CE000-memory.dmp

Filesize
120KB

Download
memory/1548-3-0x0000021A1DB80000-0x0000021A1DBA2000-memory.dmp

Filesize
136KB

Download
memory/1548-13-0x0000021A1E040000-0x0000021A1E084000-memory.dmp

Filesize
272KB

Download
memory/1548-14-0x0000021A1E110000-0x0000021A1E186000-memory.dmp

Filesize
472KB

Download
memory/2748-28-0x00000000009D0000-0x0000000000A10000-memory.dmp

Filesize
256KB

Download
memory/2748-29-0x0000000002DD0000-0x0000000002DEA000-memory.dmp

Filesize
104KB

Download
memory/2748-30-0x0000000005540000-0x000000000569A000-memory.dmp

Filesize
1.4MB

Download
memory/3696-73-0x0000000003C70000-0x0000000003FC5000-memory.dmp

Filesize
3.3MB

Download
memory/3696-75-0x0000000003C70000-0x0000000003FC5000-memory.dmp

Filesize
3.3MB

Download
memory/3696-76-0x0000000003C70000-0x0000000003FC5000-memory.dmp

Filesize
3.3MB

Download
memory/3696-74-0x0000000003C70000-0x0000000003FC5000-memory.dmp

Filesize
3.3MB

Download
memory/3696-72-0x0000000003C70000-0x0000000003FC5000-memory.dmp

Filesize
3.3MB

Download
memory/3696-37-0x0000000003C70000-0x0000000003FC5000-memory.dmp

Filesize
3.3MB

Download