darkgate | b9aeb7f233ebc00cfe8be8832a8eb48d2c1e5bfa69cfdba4ecc9ee054e55b59f

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2023 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.msi
Size

1.8MB
MD5

691cb50fb8459ffacfcb82cfacb6feb6
SHA1

e43e20c942ad06433ffee8ec7b04bb384973d5d7
SHA256

b9aeb7f233ebc00cfe8be8832a8eb48d2c1e5bfa69cfdba4ecc9ee054e55b59f
SHA512

a9ea4d3cc045a9ee9379a76469356d12b17279eb3194bf3f39f07cd3fc15b180200f88a78fb84ecec04ba83e4eeca30752b842df7534402de1203ec42a898f38
SSDEEP

49152:epUPfjpSNeHaHGYayNId4pWL56Hq05vHjYL57CBN4/6sT:epeeHGKId+W1n6/01kN4ysT

Score

10^/10

darkgate aa11 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

AA11

http://94.228.169.143

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
false
c2_port
2351
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
true
crypter_dll
false
crypter_rawstub
false
crypto_key
bABouSDRyBocvj
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
AA11

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Executes dropped EXE 2 IoCs

pid	Process
1536	KeyScramblerLogon.exe
3100	Autoit3.exe

Loads dropped DLL 3 IoCs

pid	Process
4156	MsiExec.exe
1536	KeyScramblerLogon.exe
4156	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3152	ICACLS.EXE
2880	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e58a7c4.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI7C7B.tmp	msiexec.exe
File created	C:\Windows\Installer\e58a7c4.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{18B4CBD5-10E8-4AAA-AA5D-C567FC9003CF}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA9A9.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI7C5B.tmp	msiexec.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x000600000002325b-118.dat	nsis_installer_1
behavioral2/files/0x000600000002325b-118.dat	nsis_installer_2

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000002d5e0d994d17e0d40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800002d5e0d990000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809002d5e0d99000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d2d5e0d99000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000002d5e0d9900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
224	msiexec.exe
224	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3596	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3596	msiexec.exe
Token: SeSecurityPrivilege	224	msiexec.exe
Token: SeCreateTokenPrivilege	3596	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3596	msiexec.exe
Token: SeLockMemoryPrivilege	3596	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3596	msiexec.exe
Token: SeMachineAccountPrivilege	3596	msiexec.exe
Token: SeTcbPrivilege	3596	msiexec.exe
Token: SeSecurityPrivilege	3596	msiexec.exe
Token: SeTakeOwnershipPrivilege	3596	msiexec.exe
Token: SeLoadDriverPrivilege	3596	msiexec.exe
Token: SeSystemProfilePrivilege	3596	msiexec.exe
Token: SeSystemtimePrivilege	3596	msiexec.exe
Token: SeProfSingleProcessPrivilege	3596	msiexec.exe
Token: SeIncBasePriorityPrivilege	3596	msiexec.exe
Token: SeCreatePagefilePrivilege	3596	msiexec.exe
Token: SeCreatePermanentPrivilege	3596	msiexec.exe
Token: SeBackupPrivilege	3596	msiexec.exe
Token: SeRestorePrivilege	3596	msiexec.exe
Token: SeShutdownPrivilege	3596	msiexec.exe
Token: SeDebugPrivilege	3596	msiexec.exe
Token: SeAuditPrivilege	3596	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3596	msiexec.exe
Token: SeChangeNotifyPrivilege	3596	msiexec.exe
Token: SeRemoteShutdownPrivilege	3596	msiexec.exe
Token: SeUndockPrivilege	3596	msiexec.exe
Token: SeSyncAgentPrivilege	3596	msiexec.exe
Token: SeEnableDelegationPrivilege	3596	msiexec.exe
Token: SeManageVolumePrivilege	3596	msiexec.exe
Token: SeImpersonatePrivilege	3596	msiexec.exe
Token: SeCreateGlobalPrivilege	3596	msiexec.exe
Token: SeBackupPrivilege	3804	vssvc.exe
Token: SeRestorePrivilege	3804	vssvc.exe
Token: SeAuditPrivilege	3804	vssvc.exe
Token: SeBackupPrivilege	224	msiexec.exe
Token: SeRestorePrivilege	224	msiexec.exe
Token: SeRestorePrivilege	224	msiexec.exe
Token: SeTakeOwnershipPrivilege	224	msiexec.exe
Token: SeRestorePrivilege	224	msiexec.exe
Token: SeTakeOwnershipPrivilege	224	msiexec.exe
Token: SeBackupPrivilege	2024	srtasks.exe
Token: SeRestorePrivilege	2024	srtasks.exe
Token: SeSecurityPrivilege	2024	srtasks.exe
Token: SeTakeOwnershipPrivilege	2024	srtasks.exe
Token: SeBackupPrivilege	2024	srtasks.exe
Token: SeRestorePrivilege	2024	srtasks.exe
Token: SeSecurityPrivilege	2024	srtasks.exe
Token: SeTakeOwnershipPrivilege	2024	srtasks.exe
Token: SeRestorePrivilege	224	msiexec.exe
Token: SeTakeOwnershipPrivilege	224	msiexec.exe
Token: SeRestorePrivilege	224	msiexec.exe
Token: SeTakeOwnershipPrivilege	224	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3596	msiexec.exe
3596	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 224 wrote to memory of 2024	224	msiexec.exe	98
PID 224 wrote to memory of 2024	224	msiexec.exe	98
PID 224 wrote to memory of 4156	224	msiexec.exe	101
PID 224 wrote to memory of 4156	224	msiexec.exe	101
PID 224 wrote to memory of 4156	224	msiexec.exe	101
PID 4156 wrote to memory of 3152	4156	MsiExec.exe	102
PID 4156 wrote to memory of 3152	4156	MsiExec.exe	102
PID 4156 wrote to memory of 3152	4156	MsiExec.exe	102
PID 4156 wrote to memory of 2748	4156	MsiExec.exe	104
PID 4156 wrote to memory of 2748	4156	MsiExec.exe	104
PID 4156 wrote to memory of 2748	4156	MsiExec.exe	104
PID 4156 wrote to memory of 1536	4156	MsiExec.exe	106
PID 4156 wrote to memory of 1536	4156	MsiExec.exe	106
PID 4156 wrote to memory of 1536	4156	MsiExec.exe	106
PID 1536 wrote to memory of 3100	1536	KeyScramblerLogon.exe	114
PID 1536 wrote to memory of 3100	1536	KeyScramblerLogon.exe	114
PID 1536 wrote to memory of 3100	1536	KeyScramblerLogon.exe	114
PID 4156 wrote to memory of 2880	4156	MsiExec.exe	116
PID 4156 wrote to memory of 2880	4156	MsiExec.exe	116
PID 4156 wrote to memory of 2880	4156	MsiExec.exe	116

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3596

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2024
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 91E97FD316B6CE641F124DB78E20E436
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4156
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:3152
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:2748
- - C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\files\KeyScramblerLogon.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\files\KeyScramblerLogon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1536
  - - C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\files\Autoit3.exe
      "C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\files\Autoit3.exe" C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\files\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:3100
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:2880

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\files.cab

Filesize
1.5MB

MD5
5db928e279f821e733a8e8a404c5fd5a

SHA1
c76a81b6632724d027611c5a78e2b233bdcf197c

SHA256
89231e4af7cf31fe0e57aef0b76f37db9f6f66b078c12e6d973825290a616ce1

SHA512
cd37952521969e791d94966ee4182b975a6153df79fe979bde625d993445338d1609cbfb4dc0d34ceea8ebc85cb58c2569523f8c50b6770e64431cb2b7e90354

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\files\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\files\KeyScramblerIE.DLL

Filesize
620KB

MD5
20f10fe9d17f9cf2d8e9772957b9ebe4

SHA1
dc8b8a023e31636719a7d88233aaf54cc80d2715

SHA256
2a637f0dc2136bd4241ec57bcf022e22e55eaf7f33be93495f1f1bea49d59988

SHA512
9b1306fa921167fdda1b0a6134c74ae676813c364e6e9de2c99dcefb6970a42339ecfe4f8e6140550a42067e8717900164ff046797c072971a8b51472c3f2269

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\files\KeyScramblerIE.dll

Filesize
620KB

MD5
20f10fe9d17f9cf2d8e9772957b9ebe4

SHA1
dc8b8a023e31636719a7d88233aaf54cc80d2715

SHA256
2a637f0dc2136bd4241ec57bcf022e22e55eaf7f33be93495f1f1bea49d59988

SHA512
9b1306fa921167fdda1b0a6134c74ae676813c364e6e9de2c99dcefb6970a42339ecfe4f8e6140550a42067e8717900164ff046797c072971a8b51472c3f2269

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\files\KeyScramblerLogon.dll

Filesize
92KB

MD5
760aa6f15db378dda44f262e1349e28d

SHA1
9bb9a0caa54e8b2560245430f33985996b2d40f3

SHA256
ee04957d0010ca2134c4770b434b2fdec08a25400b474dd51f47d5d1dc8d574b

SHA512
c6cf081dc189d88c85d01832f5cb09ff42c1264d7d4c548a336a33b97ec0b0b24aeb25076fd24db7db2f7a7ced6eccc67d26497352f7eeb1d29bb9c0a59abce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\files\Uninstall.exe

Filesize
88KB

MD5
6de8cb9727907a59bcaf9871cc493c70

SHA1
a0ea933423c48d36718dca842994b83e5ffc4756

SHA256
408c0fbf2992f89b058bdb228670ff27a68ef0a7a3b648a33ff86ecc39139a11

SHA512
a48d97a7862eeda211a59d1023071641c91c3065a347ad060c40f86532db36010f5c89b0f6ab427a783ccce45485e42cf6443a14c72faa118c9b0a4c34b5c21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\files\ipefxaxq

Filesize
1.8MB

MD5
5ebab6046d7b361b12c30f8f56197abc

SHA1
95f6bd06c917732da2663d7bd9aeedbbe112b520

SHA256
25eb89da04c22d6833d7aaf9b12f47b262c5fba0e7b1e7a5702d5ec5df4c3027

SHA512
041a10136c64b143c5c81492cc62b79719bf22596276cdc052875b08e80c185cc929009e2485695ddd1c8eaa4d442ecfa6709c7ad697950827e43cade6fecb0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\files\jnulzbm

Filesize
8B

MD5
7a27eee407959b2458f661d9cf3e367f

SHA1
e4174c47f0560507edd7a8bfa6de873f1c8ef86a

SHA256
b6a3433951f93ce9688489eaffa1b72a75be24f518ec7ec9c2c18053d7c7be1e

SHA512
61b7edc9351641f26bbca4eeef63d1a9e142efda440cedaf73780f5ebe8297ae56d74802d265fbca3984d5ecb0d38e4a1002979e53679e5fa1804d1b5bab10a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\files\keyscrambler.ico

Filesize
39KB

MD5
fde5504bbf7620aca9f3850511c13a45

SHA1
484382ecc232cedc1651fba5f9311e9164f43369

SHA256
932409eb2abfc31f2dd218240de70a150359ea8ab09fcceb1f076b9a17c844b7

SHA512
6d67be9398fcc2b85fe4fd7357f37d6cfc1d3e548f713319080707c750b66d2b1e631c79a7e745c56b1a72be91735156e3989eff8d0b84c3442c0fa548c2a6b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\files\keyscrambler.sys

Filesize
225KB

MD5
9baf5236d65a36ed2c388cf04108ab9f

SHA1
f5e28edea04a00b5e8806130cd2736336c6e3792

SHA256
9e79960a40797c11a007d9c8e6a4bce721baf603f5d651f5485eb5481c717b12

SHA512
1fc899c37e628adbe05a53812e6106332de7dbef83ce72094dd228067eefa71d09abe55d250b35d93f7454b9596073de95af6700e543c17bb5d43e7de0fcac1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\files\script.au3

Filesize
921KB

MD5
d27371f6316a8761d6e1fe90613c3365

SHA1
aaa7052ce6872e777615b0a52f76e2c20f11136c

SHA256
4525d1bdc7a55bfcae1b691e2dc333bcb97c03fc47c37f31656b0d9dcbb681a7

SHA512
000cb911c697179c3030436ebbe92de3406c6b318bb8653b7d3111293bca5a8a710e0f411c3b963f12c87cea5d7f3fa1befac5e13a2e94a77253f44f3383c9ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\msiwrapper.ini

Filesize
1KB

MD5
7e2cf754084f35a683683c165d0f2885

SHA1
269a9ac80ac33ecf4b0e954e845e3926b6bf3b57

SHA256
343f278a97271d36ceab229daebf43624c788426a13814a4c945383664929dc8

SHA512
99b14da2293909e00008daaf8465fdde0fc888cc9520c0aca01829df7463f624ab186df8435c56d5588e0c621ba061b7669bc01b33db4afbc067b4d22bb7e6a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\msiwrapper.ini

Filesize
458B

MD5
88cc3641661e189a6b4888f18c08668d

SHA1
293aac23ec3eaaaeb6e17ba07505b0cdbad5b506

SHA256
eeb8d7404ac41cf1f7d9075dde7b215f75d2646fa1737222376e6db22c3a6cd4

SHA512
b9b28c73b317e60126b8dd32a1773329eb340abf5e363587765f03964e45506c5e75b73ab2900fa0c50f238fc00887b08f985101bf12d633aeb8fb3da3a9d4f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\msiwrapper.ini

Filesize
1KB

MD5
e2ebe49f3c23cd7b4da256813ae58bdc

SHA1
2eae13c86eb44f5b14efa6b72743cb3111af2918

SHA256
a53f94ca72ed34aa4ca2a0ca28a79700c8057a6de224a487164634e62e567829

SHA512
66b674f824d6d82641616670dc25f098944ed6b2dc448357169f0c9c0b3e5756c1d7fb69746e7672a5b5822cfcc7437b619724b5c9259fe560b9fa3fdf799b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\msiwrapper.ini

Filesize
1KB

MD5
a96b7a19ab2eaf0d328c9b55ce88ff29

SHA1
c21598f8bc4f0cf26bc19722f18997a675afd9af

SHA256
4524c19250dc4c37f63bef7452b8b605e6c6470ae152bbe04620d31aa691a150

SHA512
d02aad71798f943a63aee5b853a9cc12baece369b0e1bf12bd018d3bfef5844c282ae059efe8ef67e80156f22469211682235aa2638ea440b251d5b2e9bbc523

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dd0274bc-13da-40ae-8c0c-9e8a4c6a7c96\msiwrapper.ini

Filesize
1KB

MD5
a96b7a19ab2eaf0d328c9b55ce88ff29

SHA1
c21598f8bc4f0cf26bc19722f18997a675afd9af

SHA256
4524c19250dc4c37f63bef7452b8b605e6c6470ae152bbe04620d31aa691a150

SHA512
d02aad71798f943a63aee5b853a9cc12baece369b0e1bf12bd018d3bfef5844c282ae059efe8ef67e80156f22469211682235aa2638ea440b251d5b2e9bbc523

Download Submit
C:\Windows\Installer\MSI7C7B.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI7C7B.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIA9A9.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIA9A9.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
f96b6a6600e59d6914ffcd2b90b21c40

SHA1
68cce37c3c9da7bdec265784b9b5d881e0b47c06

SHA256
9f5d042ba716414e391b3f5e93a264086b7b3f4fc736caf1e73d5d2282c09407

SHA512
2e9f3d362244a47469db5c75c59fb87216b3089ce4005f44be06e5e63b29d54debd4bf8a13f0c673a352494bd8efe6b3d79483c887976c2181fe383ea701ddd1

Download Submit
\??\Volume{990d5e2d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{1adcd21a-1c0a-4637-bacd-78453aafa436}_OnDiskSnapshotProp

Filesize
6KB

MD5
111917b80b2a7615ffa2a8d35dc86625

SHA1
1bd09987756d9e1cfb45df228715e0b38b8c986d

SHA256
830a2da4daa60891024b5f51fdced6a8d3a8dcba5605e9b6ce622d3ad3223b90

SHA512
ba407f183a3adf393dd205163018287839b6912d8aa0a507a91286fefabc9c5c7bb6057a8f2bc4170ebb934a3dacd17f61fb065544d7367a7016b657a1758c33

Download Submit
memory/1536-113-0x0000000003A90000-0x0000000003B85000-memory.dmp

Filesize
980KB

Download
memory/1536-95-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/1536-107-0x0000000003360000-0x0000000003A90000-memory.dmp

Filesize
7.2MB

Download
memory/1536-108-0x0000000003A90000-0x0000000003B85000-memory.dmp

Filesize
980KB

Download
memory/1536-104-0x0000000000400000-0x00000000004A2000-memory.dmp

Filesize
648KB

Download
memory/3100-130-0x0000000003860000-0x0000000003955000-memory.dmp

Filesize
980KB

Download
memory/3100-129-0x0000000000C00000-0x0000000001000000-memory.dmp

Filesize
4.0MB

Download
memory/3100-131-0x0000000004160000-0x0000000004523000-memory.dmp

Filesize
3.8MB

Download
memory/3100-132-0x0000000003860000-0x0000000003955000-memory.dmp

Filesize
980KB

Download
memory/3100-133-0x0000000004160000-0x0000000004523000-memory.dmp

Filesize
3.8MB

Download