darkgate | a34413a7e8409d172309a54a60bce2c5594aa71121c7f641275b17ce374be032

Analysis

max time kernel
122s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
19-10-2023 17:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

homedel.msi
Size

2.7MB
MD5

8b0aa279ee95eff228b45180942006bb
SHA1

e74bb3bcb5f099f1c9723206680e5262fb2b5afd
SHA256

a34413a7e8409d172309a54a60bce2c5594aa71121c7f641275b17ce374be032
SHA512

bb81e3fae60947a91ed5a73222fe993e36dec9b908839bba791105b090810a10f2ebb3784d77061352b5fbbdd512a2aef06e91dd39cbf789dbc665f5aaf47ec3
SSDEEP

49152:OpUPVCQMukBtM5X1nMg1Yjk6v/9sKApq+p4/33OHZZh2P6DQFvTxk9VvOdXkL6CE:OpSczg71YjkCAcWK3ss5TMVvwULBNc

Score

10^/10

darkgate user_871236672 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

user_871236672

http://projecktupdatemonk.com

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
2351
check_disk
true
check_ram
true
check_xeon
true
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
AlzQrcpAObCSqG
internal_mutex
txtMut
minimum_disk
35
minimum_ram
6000
ping_interval
4
rootkit
true
startup_persistence
true
username
user_871236672

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Executes dropped EXE 2 IoCs

pid	Process
1604	windbg.exe
920	Autoit3.exe

Loads dropped DLL 8 IoCs

pid	Process
2860	MsiExec.exe
2860	MsiExec.exe
2860	MsiExec.exe
2860	MsiExec.exe
2860	MsiExec.exe
1604	windbg.exe
1604	windbg.exe
2860	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
320	ICACLS.EXE
2968	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Windows directory 13 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f76bae6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSID0A8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f76bae7.ipi	msiexec.exe
File created	C:\Windows\Installer\f76bae6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBE31.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f76bae7.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID0F7.tmp	msiexec.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2172	msiexec.exe
2172	msiexec.exe

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1080	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1080	msiexec.exe
Token: SeRestorePrivilege	2172	msiexec.exe
Token: SeTakeOwnershipPrivilege	2172	msiexec.exe
Token: SeSecurityPrivilege	2172	msiexec.exe
Token: SeCreateTokenPrivilege	1080	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1080	msiexec.exe
Token: SeLockMemoryPrivilege	1080	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1080	msiexec.exe
Token: SeMachineAccountPrivilege	1080	msiexec.exe
Token: SeTcbPrivilege	1080	msiexec.exe
Token: SeSecurityPrivilege	1080	msiexec.exe
Token: SeTakeOwnershipPrivilege	1080	msiexec.exe
Token: SeLoadDriverPrivilege	1080	msiexec.exe
Token: SeSystemProfilePrivilege	1080	msiexec.exe
Token: SeSystemtimePrivilege	1080	msiexec.exe
Token: SeProfSingleProcessPrivilege	1080	msiexec.exe
Token: SeIncBasePriorityPrivilege	1080	msiexec.exe
Token: SeCreatePagefilePrivilege	1080	msiexec.exe
Token: SeCreatePermanentPrivilege	1080	msiexec.exe
Token: SeBackupPrivilege	1080	msiexec.exe
Token: SeRestorePrivilege	1080	msiexec.exe
Token: SeShutdownPrivilege	1080	msiexec.exe
Token: SeDebugPrivilege	1080	msiexec.exe
Token: SeAuditPrivilege	1080	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1080	msiexec.exe
Token: SeChangeNotifyPrivilege	1080	msiexec.exe
Token: SeRemoteShutdownPrivilege	1080	msiexec.exe
Token: SeUndockPrivilege	1080	msiexec.exe
Token: SeSyncAgentPrivilege	1080	msiexec.exe
Token: SeEnableDelegationPrivilege	1080	msiexec.exe
Token: SeManageVolumePrivilege	1080	msiexec.exe
Token: SeImpersonatePrivilege	1080	msiexec.exe
Token: SeCreateGlobalPrivilege	1080	msiexec.exe
Token: SeBackupPrivilege	2752	vssvc.exe
Token: SeRestorePrivilege	2752	vssvc.exe
Token: SeAuditPrivilege	2752	vssvc.exe
Token: SeBackupPrivilege	2172	msiexec.exe
Token: SeRestorePrivilege	2172	msiexec.exe
Token: SeRestorePrivilege	2772	DrvInst.exe
Token: SeRestorePrivilege	2772	DrvInst.exe
Token: SeRestorePrivilege	2772	DrvInst.exe
Token: SeRestorePrivilege	2772	DrvInst.exe
Token: SeRestorePrivilege	2772	DrvInst.exe
Token: SeRestorePrivilege	2772	DrvInst.exe
Token: SeRestorePrivilege	2772	DrvInst.exe
Token: SeLoadDriverPrivilege	2772	DrvInst.exe
Token: SeLoadDriverPrivilege	2772	DrvInst.exe
Token: SeLoadDriverPrivilege	2772	DrvInst.exe
Token: SeRestorePrivilege	2172	msiexec.exe
Token: SeTakeOwnershipPrivilege	2172	msiexec.exe
Token: SeRestorePrivilege	2172	msiexec.exe
Token: SeTakeOwnershipPrivilege	2172	msiexec.exe
Token: SeRestorePrivilege	2172	msiexec.exe
Token: SeTakeOwnershipPrivilege	2172	msiexec.exe
Token: SeRestorePrivilege	2172	msiexec.exe
Token: SeTakeOwnershipPrivilege	2172	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1080	msiexec.exe
1080	msiexec.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 2860	2172	msiexec.exe	32
PID 2172 wrote to memory of 2860	2172	msiexec.exe	32
PID 2172 wrote to memory of 2860	2172	msiexec.exe	32
PID 2172 wrote to memory of 2860	2172	msiexec.exe	32
PID 2172 wrote to memory of 2860	2172	msiexec.exe	32
PID 2172 wrote to memory of 2860	2172	msiexec.exe	32
PID 2172 wrote to memory of 2860	2172	msiexec.exe	32
PID 2860 wrote to memory of 320	2860	MsiExec.exe	33
PID 2860 wrote to memory of 320	2860	MsiExec.exe	33
PID 2860 wrote to memory of 320	2860	MsiExec.exe	33
PID 2860 wrote to memory of 320	2860	MsiExec.exe	33
PID 2860 wrote to memory of 764	2860	MsiExec.exe	35
PID 2860 wrote to memory of 764	2860	MsiExec.exe	35
PID 2860 wrote to memory of 764	2860	MsiExec.exe	35
PID 2860 wrote to memory of 764	2860	MsiExec.exe	35
PID 2860 wrote to memory of 1604	2860	MsiExec.exe	37
PID 2860 wrote to memory of 1604	2860	MsiExec.exe	37
PID 2860 wrote to memory of 1604	2860	MsiExec.exe	37
PID 2860 wrote to memory of 1604	2860	MsiExec.exe	37
PID 2860 wrote to memory of 1604	2860	MsiExec.exe	37
PID 2860 wrote to memory of 1604	2860	MsiExec.exe	37
PID 2860 wrote to memory of 1604	2860	MsiExec.exe	37
PID 1604 wrote to memory of 920	1604	windbg.exe	38
PID 1604 wrote to memory of 920	1604	windbg.exe	38
PID 1604 wrote to memory of 920	1604	windbg.exe	38
PID 1604 wrote to memory of 920	1604	windbg.exe	38
PID 2860 wrote to memory of 2968	2860	MsiExec.exe	40
PID 2860 wrote to memory of 2968	2860	MsiExec.exe	40
PID 2860 wrote to memory of 2968	2860	MsiExec.exe	40
PID 2860 wrote to memory of 2968	2860	MsiExec.exe	40

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\homedel.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1080

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 5CD72E814DDC53DE27F4A15EC971C076
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:320
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:764
- - C:\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - \??\c:\tmpp\Autoit3.exe
      c:\tmpp\Autoit3.exe c:\tmpp\test.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:920
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:2968

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2752

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004C4" "00000000000004CC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\files.cab

Filesize
2.5MB

MD5
106039fe90cdc1a9b9c25e0b6cf40c55

SHA1
f4ef3bae81f7f2322348203e8728fbeba2b4d719

SHA256
b00cfd439e1fd59f4c67e1dc9b1ce53563fc980eda42e259122473f32d37a701

SHA512
766737e7b58c9a18cb2c987360a2f8edec49d9b5ef857bdb69e27ff8ba3d2ffc9cdbf6ba03b9ac207553f75d641f5c9cf6a784295ceaae186750f993d4df4e2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\files\00595-1017085943.png

Filesize
661KB

MD5
e5f36215426555498dbba13bb15b012c

SHA1
013d8597350e791f68a72dd1b089a3252e67b0e2

SHA256
c67232ee5b6e81e173fb18c7ea395105de9138da921ef17ce2e3d8ff9eb8a8d7

SHA512
d27dfc373ed1054cebfe72141da96f314fbaa826109c3a1ea844be968a7f87ea208efa113a7e785e3619a034c54764b79a5133c20e0193eb225bd62b1647b814

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\files\dbgeng.dll

Filesize
2.7MB

MD5
6f1258947b9b59a146aad61adef0f82d

SHA1
a0b27fda56bab2595833dee157b8004a6f6eb7b1

SHA256
afd704f60bd4d120d86c4d046474d777471573100f372f0713dbd0a2ed892304

SHA512
d652338ad694e03275db05b3f80a7a13bad3b85bc7bd611a3113a84f3ba97d80c823a297a54ad5080a948d815a802b132016ed6c50a216dafdd40bd48890bf2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\files\unins000.dat

Filesize
62KB

MD5
5f6d7117758a11c5cc96725a4fc72348

SHA1
eede69efecd034bb059b90b1bdd48d406e80f5e9

SHA256
a5e75d0cb8ef19d4c28156a58b14958fee2ca7c8bf69e4cbb3c4333a0fd21202

SHA512
954d8c7ccc171e47ec495af646638e32f712624c707c6c6edcf860161ba337296c2fa955232e39f077d11d772717d47ee44eeb7554ac904d4936ce3b97fcd4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\files\unins000.exe

Filesize
1.1MB

MD5
a82fd06ad4339762ef1ea3e6ebf28fae

SHA1
5fa84f3ad4a2f1e078562c00e6bbad445418cdb0

SHA256
6c61ce9dec3052ae229596c8a32fc2cf8c9090b8b632998ef69de580cfeb1afd

SHA512
63eda89fb03ae581c888c189906ec84ea8061097ec55296c0c6bbfa649a9d7e58d5a299e6e2bacb7d9aa8abad62ceec1f5f4e47e4236f9d7de9aff76c502d052

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\files\unins000.msg

Filesize
22KB

MD5
3b1a9a56eede8c6335e94959d5231ac5

SHA1
8d256fc02492b6c51db9f3861746b386e62ba317

SHA256
161a04957d74daafb21d9a03dade488ae7ebcf90af0e7e41cad1445418a9b3ff

SHA512
9fb552bebb2b72cb8f2df55863ba529974ea0d81da83cffb12f95974faaeead1d623f1a6df87478d308cc69a5102cbd01109dd5b8cf0fe11e5132baa903ae6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\files\uninsTasks.txt

Filesize
22B

MD5
ed8842c313a411cf074fb082b7184ab0

SHA1
2e411a8b4b62c15e31415fa63742d4c40e8265df

SHA256
9bcb8b4872fb35ebb4413b554a9b8402b39119c78d120bdcef353ce511fc93ca

SHA512
019819aacc76617a466da73bfabdd892c407d7e74844329fa47ba3ea1e13379a41950988976b5021ac2cb9068da904ae93c249a229ff6dfa7fdb633f2adc1216

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\msiwrapper.ini

Filesize
1KB

MD5
c977113ae73ba83ef0b22143977ff08a

SHA1
6a86fea4a0f47a9532b9c67933233ee6755f1bce

SHA256
7816b22ab58a2120b4d24824749ab662aa3aac60d2c5a7916290c8301db65c13

SHA512
4ce29ca6d028439bfd837b1cfa612d566836076a30b22657a6725c19d15cea69246a6fcc555ef11ff35f44feb9ce87bb20409656500c89287cff6e7919bc28b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\msiwrapper.ini

Filesize
1010B

MD5
a535e59b8b6b6a36076d7198c68dcc15

SHA1
9e491159c5e9bb7b6217fbda07a815325218af04

SHA256
43025dbab78708d514a2ad5c648c6a4bf6763001a3284f067d93cebaa29ab117

SHA512
c032bd50a7b286fab4686f490b10814e4328b9f4ac555d4877f13db175ca8ce05718cb93273413757cdc6ad468af6f3035fecb0fbeea467c8c7414824f410213

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\msiwrapper.ini

Filesize
1KB

MD5
d06683f0c30bf25111fa1df41251afd2

SHA1
eb2fbcbf283bf0bf2f1ccb63fcfc198778831910

SHA256
2d0b13c358baa355ca672ec01c4061dfeb37ce74808be22bbad88066d1b57555

SHA512
f28f93171a47cd170d2e3d132fadebbe8a89ca3c429cb08c5e448ec2159825abb9a3d45a8cb544ff9be1c209f3dab766f4e17b4f1e68802f29cde83641b07785

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\msiwrapper.ini

Filesize
1KB

MD5
d06683f0c30bf25111fa1df41251afd2

SHA1
eb2fbcbf283bf0bf2f1ccb63fcfc198778831910

SHA256
2d0b13c358baa355ca672ec01c4061dfeb37ce74808be22bbad88066d1b57555

SHA512
f28f93171a47cd170d2e3d132fadebbe8a89ca3c429cb08c5e448ec2159825abb9a3d45a8cb544ff9be1c209f3dab766f4e17b4f1e68802f29cde83641b07785

Download Submit
C:\Windows\Installer\MSIBE31.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSID0F7.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\tmpp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\tmpp\test.au3

Filesize
497KB

MD5
f0a898c39f575754603f1f431cb3fdec

SHA1
9e0af44a6081e50995e356e1e22b823713f09f77

SHA256
260a872dd640da1903784af3f1575ae42e2d026fa7954d43bac42aa806d17171

SHA512
88a0544236f2ebf20faa1d7a589b63c7f1968a1c151345d62c3f7e1ca5744cc106cabca669b57e4caf0b64f4a3c56dab04212d3247a41edf782791ad46940d18

Download Submit
\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\files\dbgeng.dll

Filesize
2.7MB

MD5
6f1258947b9b59a146aad61adef0f82d

SHA1
a0b27fda56bab2595833dee157b8004a6f6eb7b1

SHA256
afd704f60bd4d120d86c4d046474d777471573100f372f0713dbd0a2ed892304

SHA512
d652338ad694e03275db05b3f80a7a13bad3b85bc7bd611a3113a84f3ba97d80c823a297a54ad5080a948d815a802b132016ed6c50a216dafdd40bd48890bf2d

Download Submit
\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
\Users\Admin\AppData\Local\Temp\MW-874a53a5-bb0c-4121-a985-1efb9af4da08\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
\Windows\Installer\MSIBE31.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\Windows\Installer\MSID0F7.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\tmpp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/920-105-0x0000000000990000-0x0000000000D90000-memory.dmp

Filesize
4.0MB

Download
memory/920-104-0x0000000002DE0000-0x0000000003112000-memory.dmp

Filesize
3.2MB

Download
memory/920-102-0x0000000000990000-0x0000000000D90000-memory.dmp

Filesize
4.0MB

Download
memory/1604-98-0x0000000000720000-0x00000000009E4000-memory.dmp

Filesize
2.8MB

Download
memory/1604-92-0x0000000000720000-0x00000000009E4000-memory.dmp

Filesize
2.8MB

Download