darkgate | 143c1f6a1095fd6f63eae25d3b2cee9ba800c47b48279c8f7c62609118cc4299

Analysis

max time kernel
140s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2023 16:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

sync.msi
Size

3.6MB
MD5

6550b181486c080b7c524bec6370d85d
SHA1

b54ca1ad61df207e0aa3215cb58e362886f68095
SHA256

143c1f6a1095fd6f63eae25d3b2cee9ba800c47b48279c8f7c62609118cc4299
SHA512

13453e3777583540449225d83c6ca8838da905ec6067312488c23cc36d3f387e772f5716c4a4778ddc5a5302aa4cda1eef983e6d76e3c414aaa5d4a32a544ea2
SSDEEP

98304:TpA1DCG1G1w7cwv9JAEh7DyU35oGFYGHnzzMBdHB3:gE+dvLAEh7DyU35oGFTHz4B/3

Score

10^/10

darkgate user_871236672 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

user_871236672

http://cheneseemeg7575.cash

http://annoyingannoying.vodka

http://uiahbmajokriswhoer.net

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
2351
check_disk
true
check_ram
true
check_xeon
true
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
bfpKQguIjifOez
internal_mutex
txtMut
minimum_disk
35
minimum_ram
6000
ping_interval
4
rootkit
true
startup_persistence
true
username
user_871236672

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Executes dropped EXE 2 IoCs

pid	Process
4276	windbg.exe
4908	Autoit3.exe

Loads dropped DLL 4 IoCs

pid	Process
4308	MsiExec.exe
4276	windbg.exe
4276	windbg.exe
4308	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4760	ICACLS.EXE
1320	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI288.tmp	msiexec.exe
File created	C:\Windows\Installer\e58ed39.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI298.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e58ed39.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9421EE93-6E4F-49FD-8A88-931F6F4A8969}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEEDF.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d6f92995d065bd40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d6f92990000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d6f9299000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d6f9299000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d6f929900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3532	msiexec.exe
3532	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2192	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2192	msiexec.exe
Token: SeSecurityPrivilege	3532	msiexec.exe
Token: SeCreateTokenPrivilege	2192	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2192	msiexec.exe
Token: SeLockMemoryPrivilege	2192	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2192	msiexec.exe
Token: SeMachineAccountPrivilege	2192	msiexec.exe
Token: SeTcbPrivilege	2192	msiexec.exe
Token: SeSecurityPrivilege	2192	msiexec.exe
Token: SeTakeOwnershipPrivilege	2192	msiexec.exe
Token: SeLoadDriverPrivilege	2192	msiexec.exe
Token: SeSystemProfilePrivilege	2192	msiexec.exe
Token: SeSystemtimePrivilege	2192	msiexec.exe
Token: SeProfSingleProcessPrivilege	2192	msiexec.exe
Token: SeIncBasePriorityPrivilege	2192	msiexec.exe
Token: SeCreatePagefilePrivilege	2192	msiexec.exe
Token: SeCreatePermanentPrivilege	2192	msiexec.exe
Token: SeBackupPrivilege	2192	msiexec.exe
Token: SeRestorePrivilege	2192	msiexec.exe
Token: SeShutdownPrivilege	2192	msiexec.exe
Token: SeDebugPrivilege	2192	msiexec.exe
Token: SeAuditPrivilege	2192	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2192	msiexec.exe
Token: SeChangeNotifyPrivilege	2192	msiexec.exe
Token: SeRemoteShutdownPrivilege	2192	msiexec.exe
Token: SeUndockPrivilege	2192	msiexec.exe
Token: SeSyncAgentPrivilege	2192	msiexec.exe
Token: SeEnableDelegationPrivilege	2192	msiexec.exe
Token: SeManageVolumePrivilege	2192	msiexec.exe
Token: SeImpersonatePrivilege	2192	msiexec.exe
Token: SeCreateGlobalPrivilege	2192	msiexec.exe
Token: SeBackupPrivilege	3984	vssvc.exe
Token: SeRestorePrivilege	3984	vssvc.exe
Token: SeAuditPrivilege	3984	vssvc.exe
Token: SeBackupPrivilege	3532	msiexec.exe
Token: SeRestorePrivilege	3532	msiexec.exe
Token: SeRestorePrivilege	3532	msiexec.exe
Token: SeTakeOwnershipPrivilege	3532	msiexec.exe
Token: SeRestorePrivilege	3532	msiexec.exe
Token: SeTakeOwnershipPrivilege	3532	msiexec.exe
Token: SeRestorePrivilege	3532	msiexec.exe
Token: SeTakeOwnershipPrivilege	3532	msiexec.exe
Token: SeRestorePrivilege	3532	msiexec.exe
Token: SeTakeOwnershipPrivilege	3532	msiexec.exe
Token: SeBackupPrivilege	2112	srtasks.exe
Token: SeRestorePrivilege	2112	srtasks.exe
Token: SeSecurityPrivilege	2112	srtasks.exe
Token: SeTakeOwnershipPrivilege	2112	srtasks.exe
Token: SeBackupPrivilege	2112	srtasks.exe
Token: SeRestorePrivilege	2112	srtasks.exe
Token: SeSecurityPrivilege	2112	srtasks.exe
Token: SeTakeOwnershipPrivilege	2112	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2192	msiexec.exe
2192	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3532 wrote to memory of 2112	3532	msiexec.exe	97
PID 3532 wrote to memory of 2112	3532	msiexec.exe	97
PID 3532 wrote to memory of 4308	3532	msiexec.exe	99
PID 3532 wrote to memory of 4308	3532	msiexec.exe	99
PID 3532 wrote to memory of 4308	3532	msiexec.exe	99
PID 4308 wrote to memory of 4760	4308	MsiExec.exe	100
PID 4308 wrote to memory of 4760	4308	MsiExec.exe	100
PID 4308 wrote to memory of 4760	4308	MsiExec.exe	100
PID 4308 wrote to memory of 1732	4308	MsiExec.exe	102
PID 4308 wrote to memory of 1732	4308	MsiExec.exe	102
PID 4308 wrote to memory of 1732	4308	MsiExec.exe	102
PID 4308 wrote to memory of 4276	4308	MsiExec.exe	104
PID 4308 wrote to memory of 4276	4308	MsiExec.exe	104
PID 4308 wrote to memory of 4276	4308	MsiExec.exe	104
PID 4276 wrote to memory of 4908	4276	windbg.exe	105
PID 4276 wrote to memory of 4908	4276	windbg.exe	105
PID 4276 wrote to memory of 4908	4276	windbg.exe	105
PID 4308 wrote to memory of 1320	4308	MsiExec.exe	106
PID 4308 wrote to memory of 1320	4308	MsiExec.exe	106
PID 4308 wrote to memory of 1320	4308	MsiExec.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\sync.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2192

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2112
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D8CE14BCD860C7E3AB814135CEB2CE99
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-77fac0cd-b736-4a0c-98b8-b1f67505ef3e\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:4760
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:1732
- - C:\Users\Admin\AppData\Local\Temp\MW-77fac0cd-b736-4a0c-98b8-b1f67505ef3e\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-77fac0cd-b736-4a0c-98b8-b1f67505ef3e\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4276
  - - \??\c:\tmpp\Autoit3.exe
      c:\tmpp\Autoit3.exe c:\tmpp\test.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:4908
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-77fac0cd-b736-4a0c-98b8-b1f67505ef3e\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:1320

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-77fac0cd-b736-4a0c-98b8-b1f67505ef3e\files.cab

Filesize
3.3MB

MD5
715bba93d091b4e64f26a9e7511742bf

SHA1
16d3ed9c4a46c39d2bc11880350bc62b532b3b65

SHA256
1fa7c173f814cc611f279ee51624b225ea978b31e67fcdc53f49ce5f4ddabaae

SHA512
a4e614c00cbf6efa2713ef1976494a8a8e0f03616d5c3dd3946bf6e9061f7945dd2885b7d7e7adc73c0430e6576a7bda5b0b27f7bee6d4a0dddc351dc19a15e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-77fac0cd-b736-4a0c-98b8-b1f67505ef3e\files\00595-1017085943.png

Filesize
1.1MB

MD5
cc4c3d3cd87934c4befb0e3489ffebf0

SHA1
509b27a80bd2a1d2ca5cfb1316b923698a5fe286

SHA256
a09c328f3d8dd7448491ec7a03ef67432527f9a79156a05151e05964ad6eeedd

SHA512
ebb895bd2a8b022e79b8bf118f785172f4c20a65f13c4f0b862738ebce48fbff8469899ef13f7d19b351303f3d19f764f35a17739a589b32b3316cc2a078df98

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-77fac0cd-b736-4a0c-98b8-b1f67505ef3e\files\dbgeng.dll

Filesize
3.8MB

MD5
544ad0ac2a8ac23cfcadce08dbc6ccf4

SHA1
435a190c0ab8e1bf7f0acfeaf677ddfcea2eb5eb

SHA256
6b7e78ffec23a2f21ee3664d5e9a976cf6fce4a2413c49808976cebe7fad1db8

SHA512
c80e2e057c42052e784c644e4b78cd6acab77c0810bd60a291f40e531c51b31a6ad73bd89eafdd29a20d98afaf01250f920a2e5d3ebe026b032b08c3edaaba63

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-77fac0cd-b736-4a0c-98b8-b1f67505ef3e\files\dbgeng.dll

Filesize
3.8MB

MD5
544ad0ac2a8ac23cfcadce08dbc6ccf4

SHA1
435a190c0ab8e1bf7f0acfeaf677ddfcea2eb5eb

SHA256
6b7e78ffec23a2f21ee3664d5e9a976cf6fce4a2413c49808976cebe7fad1db8

SHA512
c80e2e057c42052e784c644e4b78cd6acab77c0810bd60a291f40e531c51b31a6ad73bd89eafdd29a20d98afaf01250f920a2e5d3ebe026b032b08c3edaaba63

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-77fac0cd-b736-4a0c-98b8-b1f67505ef3e\files\dbgeng.dll

Filesize
3.8MB

MD5
544ad0ac2a8ac23cfcadce08dbc6ccf4

SHA1
435a190c0ab8e1bf7f0acfeaf677ddfcea2eb5eb

SHA256
6b7e78ffec23a2f21ee3664d5e9a976cf6fce4a2413c49808976cebe7fad1db8

SHA512
c80e2e057c42052e784c644e4b78cd6acab77c0810bd60a291f40e531c51b31a6ad73bd89eafdd29a20d98afaf01250f920a2e5d3ebe026b032b08c3edaaba63

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-77fac0cd-b736-4a0c-98b8-b1f67505ef3e\files\unins000.dat

Filesize
62KB

MD5
5f6d7117758a11c5cc96725a4fc72348

SHA1
eede69efecd034bb059b90b1bdd48d406e80f5e9

SHA256
a5e75d0cb8ef19d4c28156a58b14958fee2ca7c8bf69e4cbb3c4333a0fd21202

SHA512
954d8c7ccc171e47ec495af646638e32f712624c707c6c6edcf860161ba337296c2fa955232e39f077d11d772717d47ee44eeb7554ac904d4936ce3b97fcd4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-77fac0cd-b736-4a0c-98b8-b1f67505ef3e\files\unins000.exe

Filesize
1.1MB

MD5
a82fd06ad4339762ef1ea3e6ebf28fae

SHA1
5fa84f3ad4a2f1e078562c00e6bbad445418cdb0

SHA256
6c61ce9dec3052ae229596c8a32fc2cf8c9090b8b632998ef69de580cfeb1afd

SHA512
63eda89fb03ae581c888c189906ec84ea8061097ec55296c0c6bbfa649a9d7e58d5a299e6e2bacb7d9aa8abad62ceec1f5f4e47e4236f9d7de9aff76c502d052

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-77fac0cd-b736-4a0c-98b8-b1f67505ef3e\files\unins000.msg

Filesize
22KB

MD5
3b1a9a56eede8c6335e94959d5231ac5

SHA1
8d256fc02492b6c51db9f3861746b386e62ba317

SHA256
161a04957d74daafb21d9a03dade488ae7ebcf90af0e7e41cad1445418a9b3ff

SHA512
9fb552bebb2b72cb8f2df55863ba529974ea0d81da83cffb12f95974faaeead1d623f1a6df87478d308cc69a5102cbd01109dd5b8cf0fe11e5132baa903ae6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-77fac0cd-b736-4a0c-98b8-b1f67505ef3e\files\uninsTasks.txt

Filesize
22B

MD5
ed8842c313a411cf074fb082b7184ab0

SHA1
2e411a8b4b62c15e31415fa63742d4c40e8265df

SHA256
9bcb8b4872fb35ebb4413b554a9b8402b39119c78d120bdcef353ce511fc93ca

SHA512
019819aacc76617a466da73bfabdd892c407d7e74844329fa47ba3ea1e13379a41950988976b5021ac2cb9068da904ae93c249a229ff6dfa7fdb633f2adc1216

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-77fac0cd-b736-4a0c-98b8-b1f67505ef3e\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-77fac0cd-b736-4a0c-98b8-b1f67505ef3e\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-77fac0cd-b736-4a0c-98b8-b1f67505ef3e\msiwrapper.ini

Filesize
1KB

MD5
4f276097c9a887fe39fee092119084d0

SHA1
c3e2a7a3fa6b16986ffa1cb2c935ab67fc7513e0

SHA256
579881d568afdb3de202f340ab4a76e7cb8d264d20d346421ad09ae5c807897c

SHA512
e7af598e383d769ea1fbd6a632f7fa9677ced4eda3de391a27ba3127ce9cd42c92773998525874527e66c2d3e8104bddffa33d09f02c1e7039f3a7ffc5775f3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-77fac0cd-b736-4a0c-98b8-b1f67505ef3e\msiwrapper.ini

Filesize
1010B

MD5
d0d4f51c3b2d48dc237916e486c95036

SHA1
6e57ff77df29bda4dbf5e820c26d6a22836a684e

SHA256
3c4cd1d2c6b6c409c15954f25026f41c91d8e91198d0cbd52c21f8b69bf1f982

SHA512
edcc3fb6a2e101f32e108f3c4e4a87b6c4a9f81e8b6871ec9b4435b6cf3292b6874833a8c46d919b066f77da419df9dc188d6f5fb54a1f693d06c5f3f5d800b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-77fac0cd-b736-4a0c-98b8-b1f67505ef3e\msiwrapper.ini

Filesize
1KB

MD5
6c05f3219219992992a2e118398b9228

SHA1
09bbc488fc432eb35d9f8c6739df2c0ee3cb68a5

SHA256
e00937e19c2968b4eb3df0c92d7e587de4673bfabc860ccc18b40c189065dfdb

SHA512
650c49f41a3d53b6dbb362b1677e4f25e769d1876ad3b0875ab675220ff712bda1cf8f363b6d0fc76d79895c97fe5e19cc0c30a35908887ee685b803d435846e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-77fac0cd-b736-4a0c-98b8-b1f67505ef3e\msiwrapper.ini

Filesize
1KB

MD5
6c05f3219219992992a2e118398b9228

SHA1
09bbc488fc432eb35d9f8c6739df2c0ee3cb68a5

SHA256
e00937e19c2968b4eb3df0c92d7e587de4673bfabc860ccc18b40c189065dfdb

SHA512
650c49f41a3d53b6dbb362b1677e4f25e769d1876ad3b0875ab675220ff712bda1cf8f363b6d0fc76d79895c97fe5e19cc0c30a35908887ee685b803d435846e

Download Submit
C:\Windows\Installer\MSI298.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI298.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIEEDF.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIEEDF.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\tmpp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
b731b46e0b8dcb0fef63d44db502e706

SHA1
8e20c004370126c1485dc9f794792db297162819

SHA256
c233788f580ce4031a03bfe4cdf3d06f7b9d06238a25595b3109ed2f38165ebb

SHA512
995e3cfc1516a063620aa3ac17095fc092dd7ac29494cb273b8cb5b88bb7c7623e5f5a08038c2ca91ec08fbc7544b3cf9b72bf6fe91de4f04b7e24273efaa783

Download Submit
\??\Volume{99926f1d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c1434dca-9635-49ca-9d9d-e91405ef0fb8}_OnDiskSnapshotProp

Filesize
5KB

MD5
cf7db9a9d3be2abb032b683edda82770

SHA1
018c54091b3f57eb46cf6163ad6659a648e5f117

SHA256
f0bf35e6118856f6c8cb830effaba13e0276f503618f79b09e24fb6bc30126c2

SHA512
08a471ed72841a2f66ef7f10446fcf6800a5e7f2ac1dac795cc09db725a5b89d9f117d3de1caf573856ff7215d11187782dd106028bb83c56a968eb86d0c1b13

Download Submit
\??\c:\tmpp\test.au3

Filesize
493KB

MD5
c0f2c7cc9d7111047be09e53165e2317

SHA1
2720bf8d2c7f46fa86930b93a65454dd19bb32fb

SHA256
53521c6673a1c8f9e1981147efa2db1a7d3a723e79041c9a50f5ac3b450ef051

SHA512
6ca1a2ea9dda32ef3909111203fb15379c5998b89b194fa7c1178db8dc96a4052ffa9e68503186f15820bf51d0e74462e7a6a9b34e270481d0cf16f240ea6d3b

Download Submit
memory/4276-93-0x0000000000FD0000-0x00000000013B1000-memory.dmp

Filesize
3.9MB

Download
memory/4276-98-0x0000000000FD0000-0x00000000013B1000-memory.dmp

Filesize
3.9MB

Download
memory/4908-111-0x0000000001170000-0x0000000001570000-memory.dmp

Filesize
4.0MB

Download
memory/4908-117-0x00000000044D0000-0x0000000004802000-memory.dmp

Filesize
3.2MB

Download
memory/4908-120-0x00000000044D0000-0x0000000004802000-memory.dmp

Filesize
3.2MB

Download