darkgate | f604a97971fb5a57e885cdb84d7d062ebad183322127f6f2f4b817b9745d468b

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2023 14:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sync.msi
Size

3.6MB
MD5

90f0b40d57f4ea5dfeb20e31247a23b5
SHA1

b8db6363b3da2a2f1d147c7ea4aece85c0db8bd7
SHA256

b94d80f932f1eaccf4bd6651c5654f315a135c68704649d26576270b964b492a
SHA512

6ced50ea71d416bfbcd9d8384f7511ec87baecbbed75e195e54aac9a24336ff889126fb519b18d9072c6972ead761073381c1e1a386a320fefadff86dc04e454
SSDEEP

98304:cpI1DCG1G1w7cwv9JAEKJkZsTJ0UZ3BOuoSisgG:FE+dvLAEKlbBaSisgG

Score

10^/10

darkgate user_871236672 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

user_871236672

http://cheneseemeg7575.cash

http://annoyingannoying.vodka

http://uiahbmajokriswhoer.net

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
2351
check_disk
true
check_ram
true
check_xeon
true
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
TqpMuqGfTpFnfb
internal_mutex
txtMut
minimum_disk
35
minimum_ram
6000
ping_interval
4
rootkit
true
startup_persistence
true
username
user_871236672

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Executes dropped EXE 2 IoCs

pid	Process
8	windbg.exe
1172	Autoit3.exe

Loads dropped DLL 4 IoCs

pid	Process
3796	MsiExec.exe
8	windbg.exe
8	windbg.exe
3796	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2924	ICACLS.EXE
4716	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIB7E2.tmp	msiexec.exe
File created	C:\Windows\Installer\e589863.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e589863.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{182AB81D-109E-4B61-B0EF-902F82587BEE}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9A47.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB7F3.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d6f92995d065bd40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d6f92990000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d6f9299000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d6f9299000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d6f929900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4412	msiexec.exe
4412	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4500	msiexec.exe
Token: SeSecurityPrivilege	4412	msiexec.exe
Token: SeCreateTokenPrivilege	4500	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4500	msiexec.exe
Token: SeLockMemoryPrivilege	4500	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4500	msiexec.exe
Token: SeMachineAccountPrivilege	4500	msiexec.exe
Token: SeTcbPrivilege	4500	msiexec.exe
Token: SeSecurityPrivilege	4500	msiexec.exe
Token: SeTakeOwnershipPrivilege	4500	msiexec.exe
Token: SeLoadDriverPrivilege	4500	msiexec.exe
Token: SeSystemProfilePrivilege	4500	msiexec.exe
Token: SeSystemtimePrivilege	4500	msiexec.exe
Token: SeProfSingleProcessPrivilege	4500	msiexec.exe
Token: SeIncBasePriorityPrivilege	4500	msiexec.exe
Token: SeCreatePagefilePrivilege	4500	msiexec.exe
Token: SeCreatePermanentPrivilege	4500	msiexec.exe
Token: SeBackupPrivilege	4500	msiexec.exe
Token: SeRestorePrivilege	4500	msiexec.exe
Token: SeShutdownPrivilege	4500	msiexec.exe
Token: SeDebugPrivilege	4500	msiexec.exe
Token: SeAuditPrivilege	4500	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4500	msiexec.exe
Token: SeChangeNotifyPrivilege	4500	msiexec.exe
Token: SeRemoteShutdownPrivilege	4500	msiexec.exe
Token: SeUndockPrivilege	4500	msiexec.exe
Token: SeSyncAgentPrivilege	4500	msiexec.exe
Token: SeEnableDelegationPrivilege	4500	msiexec.exe
Token: SeManageVolumePrivilege	4500	msiexec.exe
Token: SeImpersonatePrivilege	4500	msiexec.exe
Token: SeCreateGlobalPrivilege	4500	msiexec.exe
Token: SeBackupPrivilege	5020	vssvc.exe
Token: SeRestorePrivilege	5020	vssvc.exe
Token: SeAuditPrivilege	5020	vssvc.exe
Token: SeBackupPrivilege	4412	msiexec.exe
Token: SeRestorePrivilege	4412	msiexec.exe
Token: SeRestorePrivilege	4412	msiexec.exe
Token: SeTakeOwnershipPrivilege	4412	msiexec.exe
Token: SeRestorePrivilege	4412	msiexec.exe
Token: SeTakeOwnershipPrivilege	4412	msiexec.exe
Token: SeRestorePrivilege	4412	msiexec.exe
Token: SeTakeOwnershipPrivilege	4412	msiexec.exe
Token: SeRestorePrivilege	4412	msiexec.exe
Token: SeTakeOwnershipPrivilege	4412	msiexec.exe
Token: SeBackupPrivilege	2352	srtasks.exe
Token: SeRestorePrivilege	2352	srtasks.exe
Token: SeSecurityPrivilege	2352	srtasks.exe
Token: SeTakeOwnershipPrivilege	2352	srtasks.exe
Token: SeBackupPrivilege	2352	srtasks.exe
Token: SeRestorePrivilege	2352	srtasks.exe
Token: SeSecurityPrivilege	2352	srtasks.exe
Token: SeTakeOwnershipPrivilege	2352	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4500	msiexec.exe
4500	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4412 wrote to memory of 2352	4412	msiexec.exe	96
PID 4412 wrote to memory of 2352	4412	msiexec.exe	96
PID 4412 wrote to memory of 3796	4412	msiexec.exe	98
PID 4412 wrote to memory of 3796	4412	msiexec.exe	98
PID 4412 wrote to memory of 3796	4412	msiexec.exe	98
PID 3796 wrote to memory of 2924	3796	MsiExec.exe	99
PID 3796 wrote to memory of 2924	3796	MsiExec.exe	99
PID 3796 wrote to memory of 2924	3796	MsiExec.exe	99
PID 3796 wrote to memory of 368	3796	MsiExec.exe	101
PID 3796 wrote to memory of 368	3796	MsiExec.exe	101
PID 3796 wrote to memory of 368	3796	MsiExec.exe	101
PID 3796 wrote to memory of 8	3796	MsiExec.exe	103
PID 3796 wrote to memory of 8	3796	MsiExec.exe	103
PID 3796 wrote to memory of 8	3796	MsiExec.exe	103
PID 8 wrote to memory of 1172	8	windbg.exe	104
PID 8 wrote to memory of 1172	8	windbg.exe	104
PID 8 wrote to memory of 1172	8	windbg.exe	104
PID 3796 wrote to memory of 4716	3796	MsiExec.exe	105
PID 3796 wrote to memory of 4716	3796	MsiExec.exe	105
PID 3796 wrote to memory of 4716	3796	MsiExec.exe	105

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\sync.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4500

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4412
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B4A3B0DC4C525812C6FE8943861EA433
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3796
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-70c76106-1519-424f-adc2-068bcbe9e61c\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2924
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:368
- - C:\Users\Admin\AppData\Local\Temp\MW-70c76106-1519-424f-adc2-068bcbe9e61c\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-70c76106-1519-424f-adc2-068bcbe9e61c\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:8
  - - \??\c:\tmpp\Autoit3.exe
      c:\tmpp\Autoit3.exe c:\tmpp\test.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:1172
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-70c76106-1519-424f-adc2-068bcbe9e61c\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:4716

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-70c76106-1519-424f-adc2-068bcbe9e61c\files.cab

Filesize
3.3MB

MD5
42ee5cf9dd6e436ac98511423bcf9915

SHA1
211c9f438741d88d9e6c18773f376909682390bb

SHA256
5db4c90b788a2eb7a3ac7c0e94f00dcab00d263ecfb8cecf5804a20d4673c606

SHA512
91198a2b051abf559b8db7e5f6298f23527344242c20525ec353c799e6f108317d3ff416c271fb6551245db6931357c50c92fe0f30ffff8cdb2e2ae68528afc5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-70c76106-1519-424f-adc2-068bcbe9e61c\files\00595-1017085943.png

Filesize
1.1MB

MD5
cc4c3d3cd87934c4befb0e3489ffebf0

SHA1
509b27a80bd2a1d2ca5cfb1316b923698a5fe286

SHA256
a09c328f3d8dd7448491ec7a03ef67432527f9a79156a05151e05964ad6eeedd

SHA512
ebb895bd2a8b022e79b8bf118f785172f4c20a65f13c4f0b862738ebce48fbff8469899ef13f7d19b351303f3d19f764f35a17739a589b32b3316cc2a078df98

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-70c76106-1519-424f-adc2-068bcbe9e61c\files\dbgeng.dll

Filesize
3.8MB

MD5
c18e3b266a2e219cc23e7ca472242d2c

SHA1
4b40c4990c3ff07976caca7b1ddebba2ab7a0725

SHA256
f20ee4d13ab8faf966fe545a2badda63e6da24b0c9d44ed28d2d96378fffa3a6

SHA512
f51950e6a1374eb071c38a252a90d3a22f2aec0ad607625bf5f59b85e414e5e9e46347f1ab47b5396a796213dc8e058d1592f903564ac9640d5516c1af142f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-70c76106-1519-424f-adc2-068bcbe9e61c\files\dbgeng.dll

Filesize
3.8MB

MD5
c18e3b266a2e219cc23e7ca472242d2c

SHA1
4b40c4990c3ff07976caca7b1ddebba2ab7a0725

SHA256
f20ee4d13ab8faf966fe545a2badda63e6da24b0c9d44ed28d2d96378fffa3a6

SHA512
f51950e6a1374eb071c38a252a90d3a22f2aec0ad607625bf5f59b85e414e5e9e46347f1ab47b5396a796213dc8e058d1592f903564ac9640d5516c1af142f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-70c76106-1519-424f-adc2-068bcbe9e61c\files\dbgeng.dll

Filesize
3.8MB

MD5
c18e3b266a2e219cc23e7ca472242d2c

SHA1
4b40c4990c3ff07976caca7b1ddebba2ab7a0725

SHA256
f20ee4d13ab8faf966fe545a2badda63e6da24b0c9d44ed28d2d96378fffa3a6

SHA512
f51950e6a1374eb071c38a252a90d3a22f2aec0ad607625bf5f59b85e414e5e9e46347f1ab47b5396a796213dc8e058d1592f903564ac9640d5516c1af142f0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-70c76106-1519-424f-adc2-068bcbe9e61c\files\unins000.dat

Filesize
62KB

MD5
5f6d7117758a11c5cc96725a4fc72348

SHA1
eede69efecd034bb059b90b1bdd48d406e80f5e9

SHA256
a5e75d0cb8ef19d4c28156a58b14958fee2ca7c8bf69e4cbb3c4333a0fd21202

SHA512
954d8c7ccc171e47ec495af646638e32f712624c707c6c6edcf860161ba337296c2fa955232e39f077d11d772717d47ee44eeb7554ac904d4936ce3b97fcd4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-70c76106-1519-424f-adc2-068bcbe9e61c\files\unins000.exe

Filesize
1.1MB

MD5
a82fd06ad4339762ef1ea3e6ebf28fae

SHA1
5fa84f3ad4a2f1e078562c00e6bbad445418cdb0

SHA256
6c61ce9dec3052ae229596c8a32fc2cf8c9090b8b632998ef69de580cfeb1afd

SHA512
63eda89fb03ae581c888c189906ec84ea8061097ec55296c0c6bbfa649a9d7e58d5a299e6e2bacb7d9aa8abad62ceec1f5f4e47e4236f9d7de9aff76c502d052

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-70c76106-1519-424f-adc2-068bcbe9e61c\files\unins000.msg

Filesize
22KB

MD5
3b1a9a56eede8c6335e94959d5231ac5

SHA1
8d256fc02492b6c51db9f3861746b386e62ba317

SHA256
161a04957d74daafb21d9a03dade488ae7ebcf90af0e7e41cad1445418a9b3ff

SHA512
9fb552bebb2b72cb8f2df55863ba529974ea0d81da83cffb12f95974faaeead1d623f1a6df87478d308cc69a5102cbd01109dd5b8cf0fe11e5132baa903ae6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-70c76106-1519-424f-adc2-068bcbe9e61c\files\uninsTasks.txt

Filesize
22B

MD5
ed8842c313a411cf074fb082b7184ab0

SHA1
2e411a8b4b62c15e31415fa63742d4c40e8265df

SHA256
9bcb8b4872fb35ebb4413b554a9b8402b39119c78d120bdcef353ce511fc93ca

SHA512
019819aacc76617a466da73bfabdd892c407d7e74844329fa47ba3ea1e13379a41950988976b5021ac2cb9068da904ae93c249a229ff6dfa7fdb633f2adc1216

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-70c76106-1519-424f-adc2-068bcbe9e61c\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-70c76106-1519-424f-adc2-068bcbe9e61c\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-70c76106-1519-424f-adc2-068bcbe9e61c\msiwrapper.ini

Filesize
1KB

MD5
8ca80e5c870d2a9f4140976176c1dc25

SHA1
501f092cedd3c289b9903ffaa491b1895ac544ea

SHA256
aa07db036e9ae9978f90e3e77ec08e9feae05a07a6ba4b0472e9ea537870503d

SHA512
029b42adcc8518573d5fa11f2d5207693b50826fa35cc885e5c912821953837f68f38f9720d35e5fc32d35daa3154d93452e80c8e9d182b5f5135c7331bf5d2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-70c76106-1519-424f-adc2-068bcbe9e61c\msiwrapper.ini

Filesize
1010B

MD5
51758e073d7461b84ff903b0073b3c3e

SHA1
9e2f13aa049b2b12395ae18c7ccf318a0818e10f

SHA256
8d7d0152b91978fc3dcb2c29d7b30811f8d187d6798ffcd3c680c81feed479fd

SHA512
0409444c189e5748b2c2a1abfb9f85e6aed7358f8866a9178ada93434e43c543c8ae24dfa5ccdfaa01d90d7c8e80febfb3a78fde14aea05ba115e6e32d99e4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-70c76106-1519-424f-adc2-068bcbe9e61c\msiwrapper.ini

Filesize
1KB

MD5
9abfdbe9ceac6b660c9a89d8960ee97f

SHA1
ad71354238c6c6d81f5d4d2ae5254f48b4945794

SHA256
25d8554fc9e856384b6b6456023e6fe234135c50941cbda7fbf9435ffabfbdfb

SHA512
6411a0d7b3e0d4889280b7720e29098a61456227ab54186477ba0ee7db15fdcb9cd8916ac494e80db5c847af95f4bd0d7f692148d2db7ea891ace9a85c9fcc0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-70c76106-1519-424f-adc2-068bcbe9e61c\msiwrapper.ini

Filesize
1KB

MD5
9abfdbe9ceac6b660c9a89d8960ee97f

SHA1
ad71354238c6c6d81f5d4d2ae5254f48b4945794

SHA256
25d8554fc9e856384b6b6456023e6fe234135c50941cbda7fbf9435ffabfbdfb

SHA512
6411a0d7b3e0d4889280b7720e29098a61456227ab54186477ba0ee7db15fdcb9cd8916ac494e80db5c847af95f4bd0d7f692148d2db7ea891ace9a85c9fcc0e

Download Submit
C:\Windows\Installer\MSI9A47.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI9A47.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIB7F3.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIB7F3.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\tmpp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
b8651f818b45d46d42e55281119aca14

SHA1
b04c5f508e29681373f1da7b1a3d9a25e33cc4f4

SHA256
579950aa9d15629ce8231fde5f8a7a4c16460f984331a99dd490f98b7aadd516

SHA512
82a39766b03675ceb19bd967e93928e6e8f5dd8b91b655d17c4163c6942449799e8b8f1d63ff6ac321972f9f5fa508ceef9733f24ec07029d2fec20e46f45681

Download Submit
\??\Volume{99926f1d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{898f7309-3646-4646-a5ce-ea6725f06f37}_OnDiskSnapshotProp

Filesize
5KB

MD5
2ca0fc6d27f2aed6707fac189a080a71

SHA1
cb03cb576c8702836efba139906aa852c15208e1

SHA256
f2e7d1159b59ac6253231138b9bdc8de3561d04a828aa6c7515da692e014dc00

SHA512
1f8f24d7437288b6091dc362230825cc345bd89cdd7bf839177e4eea03c181b8da8377cd71ccbfd82c0f63ee8cff26b4b6f069e4748ad28b4611c4a418e651b6

Download Submit
\??\c:\tmpp\test.au3

Filesize
493KB

MD5
accce425c42f2323a548224eadc7a039

SHA1
a74ad3c89f3f8166736d026e6009699ba4e32ef5

SHA256
42bf5d7cfe11bb39581cdaeae62eacdfab99e22422923264065e62e2f06bcf27

SHA512
e3155bb0d44b56863f63e14ff4c146dc0cb2e4031d5ebc3983c250d4d70c23bde6cd7395cc2a9eff803e18ff3cbd675717592fc36f8593d0a1b5df2177f2e8fc

Download Submit
memory/8-98-0x0000000000FE0000-0x00000000013C1000-memory.dmp

Filesize
3.9MB

Download
memory/8-93-0x0000000000FE0000-0x00000000013C1000-memory.dmp

Filesize
3.9MB

Download
memory/1172-107-0x00000000015F0000-0x00000000019F0000-memory.dmp

Filesize
4.0MB

Download
memory/1172-109-0x0000000004520000-0x0000000004852000-memory.dmp

Filesize
3.2MB

Download
memory/1172-118-0x0000000004520000-0x0000000004852000-memory.dmp

Filesize
3.2MB

Download