darkgate | 6d9afd0f1344222b7eef020dd05a1d51698f4d3786728dbe83d0efdcfd5c2035

Analysis

max time kernel
140s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2023 16:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

destroy.msi
Size

3.6MB
MD5

c5dacb642fc9c905f9c29e8c3666ecae
SHA1

21c21c7aff42ded891f2c69bb03f5a7d65758ea9
SHA256

2c33166a74ba155a80bb28dcb1fa905ff8cce2dd19464d5784e863478facade5
SHA512

97d82b1bc70d7368a68ee1af746ee8aaa45cce7150b94185818656bf6d1c4217043b004e01b73a8348d7f7e1803fead1cdfe2b3ce1d11d119e06ab5f439f482b
SSDEEP

98304:cpG1DCG1G1w7cwv9JAEJUvXF/rFmoyqcUQc1ShZ:zE+dvLAEilrFmoyqdFSL

Score

10^/10

darkgate user_871236672 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

user_871236672

http://cheneseemeg7575.cash

http://annoyingannoying.vodka

http://uiahbmajokriswhoer.net

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
2351
check_disk
true
check_ram
true
check_xeon
true
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
TDoGTDSWKFuYaM
internal_mutex
txtMut
minimum_disk
35
minimum_ram
6000
ping_interval
4
rootkit
true
startup_persistence
true
username
user_871236672

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Executes dropped EXE 2 IoCs

pid	Process
3368	windbg.exe
2128	Autoit3.exe

Loads dropped DLL 4 IoCs

pid	Process
4392	MsiExec.exe
3368	windbg.exe
3368	windbg.exe
4392	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2444	ICACLS.EXE
4496	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI8384.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\e586b29.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{40EA2A6F-33B3-4DCE-90DA-1B18930CC6A9}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6E07.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI83A4.tmp	msiexec.exe
File created	C:\Windows\Installer\e586b29.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000002d5e0d994d17e0d40000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800002d5e0d990000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809002d5e0d99000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d2d5e0d99000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000002d5e0d9900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3768	msiexec.exe
3768	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5044	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5044	msiexec.exe
Token: SeSecurityPrivilege	3768	msiexec.exe
Token: SeCreateTokenPrivilege	5044	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5044	msiexec.exe
Token: SeLockMemoryPrivilege	5044	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5044	msiexec.exe
Token: SeMachineAccountPrivilege	5044	msiexec.exe
Token: SeTcbPrivilege	5044	msiexec.exe
Token: SeSecurityPrivilege	5044	msiexec.exe
Token: SeTakeOwnershipPrivilege	5044	msiexec.exe
Token: SeLoadDriverPrivilege	5044	msiexec.exe
Token: SeSystemProfilePrivilege	5044	msiexec.exe
Token: SeSystemtimePrivilege	5044	msiexec.exe
Token: SeProfSingleProcessPrivilege	5044	msiexec.exe
Token: SeIncBasePriorityPrivilege	5044	msiexec.exe
Token: SeCreatePagefilePrivilege	5044	msiexec.exe
Token: SeCreatePermanentPrivilege	5044	msiexec.exe
Token: SeBackupPrivilege	5044	msiexec.exe
Token: SeRestorePrivilege	5044	msiexec.exe
Token: SeShutdownPrivilege	5044	msiexec.exe
Token: SeDebugPrivilege	5044	msiexec.exe
Token: SeAuditPrivilege	5044	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5044	msiexec.exe
Token: SeChangeNotifyPrivilege	5044	msiexec.exe
Token: SeRemoteShutdownPrivilege	5044	msiexec.exe
Token: SeUndockPrivilege	5044	msiexec.exe
Token: SeSyncAgentPrivilege	5044	msiexec.exe
Token: SeEnableDelegationPrivilege	5044	msiexec.exe
Token: SeManageVolumePrivilege	5044	msiexec.exe
Token: SeImpersonatePrivilege	5044	msiexec.exe
Token: SeCreateGlobalPrivilege	5044	msiexec.exe
Token: SeBackupPrivilege	1808	vssvc.exe
Token: SeRestorePrivilege	1808	vssvc.exe
Token: SeAuditPrivilege	1808	vssvc.exe
Token: SeBackupPrivilege	3768	msiexec.exe
Token: SeRestorePrivilege	3768	msiexec.exe
Token: SeRestorePrivilege	3768	msiexec.exe
Token: SeTakeOwnershipPrivilege	3768	msiexec.exe
Token: SeRestorePrivilege	3768	msiexec.exe
Token: SeTakeOwnershipPrivilege	3768	msiexec.exe
Token: SeRestorePrivilege	3768	msiexec.exe
Token: SeTakeOwnershipPrivilege	3768	msiexec.exe
Token: SeRestorePrivilege	3768	msiexec.exe
Token: SeTakeOwnershipPrivilege	3768	msiexec.exe
Token: SeBackupPrivilege	1116	srtasks.exe
Token: SeRestorePrivilege	1116	srtasks.exe
Token: SeSecurityPrivilege	1116	srtasks.exe
Token: SeTakeOwnershipPrivilege	1116	srtasks.exe
Token: SeBackupPrivilege	1116	srtasks.exe
Token: SeRestorePrivilege	1116	srtasks.exe
Token: SeSecurityPrivilege	1116	srtasks.exe
Token: SeTakeOwnershipPrivilege	1116	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5044	msiexec.exe
5044	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3768 wrote to memory of 1116	3768	msiexec.exe	96
PID 3768 wrote to memory of 1116	3768	msiexec.exe	96
PID 3768 wrote to memory of 4392	3768	msiexec.exe	98
PID 3768 wrote to memory of 4392	3768	msiexec.exe	98
PID 3768 wrote to memory of 4392	3768	msiexec.exe	98
PID 4392 wrote to memory of 2444	4392	MsiExec.exe	99
PID 4392 wrote to memory of 2444	4392	MsiExec.exe	99
PID 4392 wrote to memory of 2444	4392	MsiExec.exe	99
PID 4392 wrote to memory of 1420	4392	MsiExec.exe	101
PID 4392 wrote to memory of 1420	4392	MsiExec.exe	101
PID 4392 wrote to memory of 1420	4392	MsiExec.exe	101
PID 4392 wrote to memory of 3368	4392	MsiExec.exe	103
PID 4392 wrote to memory of 3368	4392	MsiExec.exe	103
PID 4392 wrote to memory of 3368	4392	MsiExec.exe	103
PID 3368 wrote to memory of 2128	3368	windbg.exe	104
PID 3368 wrote to memory of 2128	3368	windbg.exe	104
PID 3368 wrote to memory of 2128	3368	windbg.exe	104
PID 4392 wrote to memory of 4496	4392	MsiExec.exe	105
PID 4392 wrote to memory of 4496	4392	MsiExec.exe	105
PID 4392 wrote to memory of 4496	4392	MsiExec.exe	105

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\destroy.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5044

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3768
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1116
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5A720399AED59260064E21AF1C622688
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4392
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-024397b3-3765-4789-82f1-07beeaf62dc2\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2444
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:1420
- - C:\Users\Admin\AppData\Local\Temp\MW-024397b3-3765-4789-82f1-07beeaf62dc2\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-024397b3-3765-4789-82f1-07beeaf62dc2\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3368
  - - \??\c:\tmpp\Autoit3.exe
      c:\tmpp\Autoit3.exe c:\tmpp\test.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:2128
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-024397b3-3765-4789-82f1-07beeaf62dc2\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:4496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-024397b3-3765-4789-82f1-07beeaf62dc2\files.cab

Filesize
3.3MB

MD5
54636fdfd02e0ad39d1aff0ac775729c

SHA1
8c6fc9d9c49d569a3365b0bf5d798b12cfe07f35

SHA256
fbe2e0a67cf4c8429b15c8c55fb400d74fe09b59198ceff1e1dec43802f866dc

SHA512
1531648e7cf629cd454980862e14c1ef80c84b6320d871e2d4f91c0fb4eafcf8df76a260e60d0b5be899afeb64ce54e1501fdb16cc09640fe88d37a3a0b0f846

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-024397b3-3765-4789-82f1-07beeaf62dc2\files\00595-1017085943.png

Filesize
1.1MB

MD5
cc4c3d3cd87934c4befb0e3489ffebf0

SHA1
509b27a80bd2a1d2ca5cfb1316b923698a5fe286

SHA256
a09c328f3d8dd7448491ec7a03ef67432527f9a79156a05151e05964ad6eeedd

SHA512
ebb895bd2a8b022e79b8bf118f785172f4c20a65f13c4f0b862738ebce48fbff8469899ef13f7d19b351303f3d19f764f35a17739a589b32b3316cc2a078df98

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-024397b3-3765-4789-82f1-07beeaf62dc2\files\dbgeng.dll

Filesize
3.8MB

MD5
b2bfbe8610d114f1da56e23be0667eb8

SHA1
8c21239895edf066b376425fe41cc5e268fea430

SHA256
63d35068ba58aa2041d89eeb90bc68ab62c44938ac26332077bd679923baedcf

SHA512
2a9493473146921ba4d18268c79224f4cf9650620ab803dca265f153e3b4f9560f245cabc5c741bdc05f4d04906f216a62a7009197bd7cf0edfab8a0da6bdd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-024397b3-3765-4789-82f1-07beeaf62dc2\files\dbgeng.dll

Filesize
3.8MB

MD5
b2bfbe8610d114f1da56e23be0667eb8

SHA1
8c21239895edf066b376425fe41cc5e268fea430

SHA256
63d35068ba58aa2041d89eeb90bc68ab62c44938ac26332077bd679923baedcf

SHA512
2a9493473146921ba4d18268c79224f4cf9650620ab803dca265f153e3b4f9560f245cabc5c741bdc05f4d04906f216a62a7009197bd7cf0edfab8a0da6bdd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-024397b3-3765-4789-82f1-07beeaf62dc2\files\dbgeng.dll

Filesize
3.8MB

MD5
b2bfbe8610d114f1da56e23be0667eb8

SHA1
8c21239895edf066b376425fe41cc5e268fea430

SHA256
63d35068ba58aa2041d89eeb90bc68ab62c44938ac26332077bd679923baedcf

SHA512
2a9493473146921ba4d18268c79224f4cf9650620ab803dca265f153e3b4f9560f245cabc5c741bdc05f4d04906f216a62a7009197bd7cf0edfab8a0da6bdd61

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-024397b3-3765-4789-82f1-07beeaf62dc2\files\unins000.dat

Filesize
62KB

MD5
5f6d7117758a11c5cc96725a4fc72348

SHA1
eede69efecd034bb059b90b1bdd48d406e80f5e9

SHA256
a5e75d0cb8ef19d4c28156a58b14958fee2ca7c8bf69e4cbb3c4333a0fd21202

SHA512
954d8c7ccc171e47ec495af646638e32f712624c707c6c6edcf860161ba337296c2fa955232e39f077d11d772717d47ee44eeb7554ac904d4936ce3b97fcd4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-024397b3-3765-4789-82f1-07beeaf62dc2\files\unins000.exe

Filesize
1.1MB

MD5
a82fd06ad4339762ef1ea3e6ebf28fae

SHA1
5fa84f3ad4a2f1e078562c00e6bbad445418cdb0

SHA256
6c61ce9dec3052ae229596c8a32fc2cf8c9090b8b632998ef69de580cfeb1afd

SHA512
63eda89fb03ae581c888c189906ec84ea8061097ec55296c0c6bbfa649a9d7e58d5a299e6e2bacb7d9aa8abad62ceec1f5f4e47e4236f9d7de9aff76c502d052

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-024397b3-3765-4789-82f1-07beeaf62dc2\files\unins000.msg

Filesize
22KB

MD5
3b1a9a56eede8c6335e94959d5231ac5

SHA1
8d256fc02492b6c51db9f3861746b386e62ba317

SHA256
161a04957d74daafb21d9a03dade488ae7ebcf90af0e7e41cad1445418a9b3ff

SHA512
9fb552bebb2b72cb8f2df55863ba529974ea0d81da83cffb12f95974faaeead1d623f1a6df87478d308cc69a5102cbd01109dd5b8cf0fe11e5132baa903ae6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-024397b3-3765-4789-82f1-07beeaf62dc2\files\uninsTasks.txt

Filesize
22B

MD5
ed8842c313a411cf074fb082b7184ab0

SHA1
2e411a8b4b62c15e31415fa63742d4c40e8265df

SHA256
9bcb8b4872fb35ebb4413b554a9b8402b39119c78d120bdcef353ce511fc93ca

SHA512
019819aacc76617a466da73bfabdd892c407d7e74844329fa47ba3ea1e13379a41950988976b5021ac2cb9068da904ae93c249a229ff6dfa7fdb633f2adc1216

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-024397b3-3765-4789-82f1-07beeaf62dc2\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-024397b3-3765-4789-82f1-07beeaf62dc2\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-024397b3-3765-4789-82f1-07beeaf62dc2\msiwrapper.ini

Filesize
1KB

MD5
cf032bc187f713b6567fec35fb4ff425

SHA1
15a9c3d81bc3be3f9938967f5fdfaa23f1bef74a

SHA256
d180fa98618d3693778cdb3315ff6405145812c439bdb49100150bbd81481ae4

SHA512
626d62fc27009eaff90fc8754253174b5f2af5056e584f17816586a72c2870bdab5b2934e272edeec081be59a8649e57615ee8a0911ebe26cd7d40e0fc56d3ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-024397b3-3765-4789-82f1-07beeaf62dc2\msiwrapper.ini

Filesize
1KB

MD5
c2b99a55c8e23398093db3e4f36423b1

SHA1
a027c4cffeb23b7609b18a18f2b664714bfa599f

SHA256
66ae04e463b7d8d1017f94cd3971e1062d818088bb484823932ab424eb6f183c

SHA512
8b5ca244332e7f5ab8dea3e313ffc389a7f4521fa9944643d58cbdcf0a2fd61c2cf6c6991a25527048d3edaf6298f3abfe52e7f17a7f9c5b309a37e8b3f98454

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-024397b3-3765-4789-82f1-07beeaf62dc2\msiwrapper.ini

Filesize
1KB

MD5
c2b99a55c8e23398093db3e4f36423b1

SHA1
a027c4cffeb23b7609b18a18f2b664714bfa599f

SHA256
66ae04e463b7d8d1017f94cd3971e1062d818088bb484823932ab424eb6f183c

SHA512
8b5ca244332e7f5ab8dea3e313ffc389a7f4521fa9944643d58cbdcf0a2fd61c2cf6c6991a25527048d3edaf6298f3abfe52e7f17a7f9c5b309a37e8b3f98454

Download Submit
C:\Windows\Installer\MSI6E07.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI6E07.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI83A4.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI83A4.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\tmpp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
67d0d8415c074ef465f96ecf6640c774

SHA1
d3e0d959dd1128dff4111a44244066de1046bbbb

SHA256
0c10756103ff1aee11fe295cff78bb440503414fe821ae956dc836cb65706b83

SHA512
85742ac02d0c9ac6b674c11e663f09d96e44be69957441ca273ab9bf83cfd1b5e03b6dd3d7833bfa11710288a3d2e7491ea47a02f6aed9cc1ea324452e19abf3

Download Submit
\??\Volume{990d5e2d-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a2d63bff-f2b6-4f05-b61f-621fc55420d9}_OnDiskSnapshotProp

Filesize
6KB

MD5
220e182872d74a16dcc1d5ea3377d4cd

SHA1
847acf3df12d2002f3120c86b2881ed132436a8b

SHA256
1a0bab868da5b1aaba6b907df81d39367951bd87bcf9e6854f2fb457017c22ac

SHA512
9f78482a41e90e556552bd1808b8c4fd2a5c11c155f5d7e4206d3f0bad73619faef56caa6e699809c2f144a46c3172991bd66f4dcfdcc66390ecd23abcbf8b7c

Download Submit
\??\c:\tmpp\test.au3

Filesize
496KB

MD5
efeb316519a0592515535e633c620b0a

SHA1
a455786b56d0abd456f5617f2658fc9d537d3efc

SHA256
c71d372afb4862bb075e66a36ca3fe4c76d6983e31bd54645cc8f61f77d58a65

SHA512
fd09e3e15645e5cc03304c23a240c46057bf713c19c651c356333c9cb7ae5fdb6bbade0e75666abea6d04349d683a4ef8933e9bdd4ab8df6912608a1dd83eeae

Download Submit
memory/2128-99-0x0000000003D50000-0x0000000004082000-memory.dmp

Filesize
3.2MB

Download
memory/2128-98-0x0000000000C80000-0x0000000001080000-memory.dmp

Filesize
4.0MB

Download
memory/2128-116-0x0000000003D50000-0x0000000004082000-memory.dmp

Filesize
3.2MB

Download
memory/3368-89-0x0000000001010000-0x00000000013F2000-memory.dmp

Filesize
3.9MB

Download
memory/3368-94-0x0000000001010000-0x00000000013F2000-memory.dmp

Filesize
3.9MB

Download