darkgate | c12c6dd22bbdf170dffd8278facbb834c692c8f5b319e863097869fe94541ba5

Analysis

max time kernel
137s
max time network
171s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
22-10-2023 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.NEASc12c6dd22bbdf170dffd8278facbb834c692c8f5b319e863097869fe94541ba5msiunknown_JC.msi
Size

2.7MB
MD5

de4cd45087a864576240af5d0cd33ee8
SHA1

5629b3684d406e431c6f41c5df56455c3b944c41
SHA256

c12c6dd22bbdf170dffd8278facbb834c692c8f5b319e863097869fe94541ba5
SHA512

8a4e5f40ce5cb7d0eedbcbf142bf05f7fe8da4e579c9b6581acacb1158efb0c0a216bf477cad6cabcd3fab16fd44ec534209d44994e3d6fae5ee7c388c6927db
SSDEEP

49152:GpUPLCQMukBtM5X1nMg1YkStdn6MfBDShK10/doJMzSoj1wPMkncgBWfQ8bpCrbU:GpAczg71YkDMfYhpFEMzHYMqcYWJbUrY

Score

10^/10

darkgate ads5 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

ADS5

http://sftp.bitepieces.com

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
443
check_disk
true
check_ram
true
check_xeon
true
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
cMRrocZshCGeXq
internal_mutex
txtMut
minimum_disk
30
minimum_ram
6000
ping_interval
4
rootkit
true
startup_persistence
true
username
ADS5

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Executes dropped EXE 2 IoCs

pid	Process
4760	windbg.exe
5092	Autoit3.exe

Loads dropped DLL 4 IoCs

pid	Process
3640	MsiExec.exe
4760	windbg.exe
4760	windbg.exe
3640	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4364	ICACLS.EXE
4328	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIED2B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIED2C.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{09F2FF62-91D6-4070-B93E-D36BEBE7791D}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDF5F.tmp	msiexec.exe
File created	C:\Windows\Installer\e58dde8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58dde8.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007ecbe150fca90b1d0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007ecbe1500000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809007ecbe150000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d7ecbe150000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007ecbe15000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4996	msiexec.exe
4996	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1124	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1124	msiexec.exe
Token: SeSecurityPrivilege	4996	msiexec.exe
Token: SeCreateTokenPrivilege	1124	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1124	msiexec.exe
Token: SeLockMemoryPrivilege	1124	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1124	msiexec.exe
Token: SeMachineAccountPrivilege	1124	msiexec.exe
Token: SeTcbPrivilege	1124	msiexec.exe
Token: SeSecurityPrivilege	1124	msiexec.exe
Token: SeTakeOwnershipPrivilege	1124	msiexec.exe
Token: SeLoadDriverPrivilege	1124	msiexec.exe
Token: SeSystemProfilePrivilege	1124	msiexec.exe
Token: SeSystemtimePrivilege	1124	msiexec.exe
Token: SeProfSingleProcessPrivilege	1124	msiexec.exe
Token: SeIncBasePriorityPrivilege	1124	msiexec.exe
Token: SeCreatePagefilePrivilege	1124	msiexec.exe
Token: SeCreatePermanentPrivilege	1124	msiexec.exe
Token: SeBackupPrivilege	1124	msiexec.exe
Token: SeRestorePrivilege	1124	msiexec.exe
Token: SeShutdownPrivilege	1124	msiexec.exe
Token: SeDebugPrivilege	1124	msiexec.exe
Token: SeAuditPrivilege	1124	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1124	msiexec.exe
Token: SeChangeNotifyPrivilege	1124	msiexec.exe
Token: SeRemoteShutdownPrivilege	1124	msiexec.exe
Token: SeUndockPrivilege	1124	msiexec.exe
Token: SeSyncAgentPrivilege	1124	msiexec.exe
Token: SeEnableDelegationPrivilege	1124	msiexec.exe
Token: SeManageVolumePrivilege	1124	msiexec.exe
Token: SeImpersonatePrivilege	1124	msiexec.exe
Token: SeCreateGlobalPrivilege	1124	msiexec.exe
Token: SeBackupPrivilege	1772	vssvc.exe
Token: SeRestorePrivilege	1772	vssvc.exe
Token: SeAuditPrivilege	1772	vssvc.exe
Token: SeBackupPrivilege	4996	msiexec.exe
Token: SeRestorePrivilege	4996	msiexec.exe
Token: SeRestorePrivilege	4996	msiexec.exe
Token: SeTakeOwnershipPrivilege	4996	msiexec.exe
Token: SeRestorePrivilege	4996	msiexec.exe
Token: SeTakeOwnershipPrivilege	4996	msiexec.exe
Token: SeRestorePrivilege	4996	msiexec.exe
Token: SeTakeOwnershipPrivilege	4996	msiexec.exe
Token: SeRestorePrivilege	4996	msiexec.exe
Token: SeTakeOwnershipPrivilege	4996	msiexec.exe
Token: SeBackupPrivilege	4088	srtasks.exe
Token: SeRestorePrivilege	4088	srtasks.exe
Token: SeSecurityPrivilege	4088	srtasks.exe
Token: SeTakeOwnershipPrivilege	4088	srtasks.exe
Token: SeBackupPrivilege	4088	srtasks.exe
Token: SeRestorePrivilege	4088	srtasks.exe
Token: SeSecurityPrivilege	4088	srtasks.exe
Token: SeTakeOwnershipPrivilege	4088	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1124	msiexec.exe
1124	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 4088	4996	msiexec.exe	97
PID 4996 wrote to memory of 4088	4996	msiexec.exe	97
PID 4996 wrote to memory of 3640	4996	msiexec.exe	100
PID 4996 wrote to memory of 3640	4996	msiexec.exe	100
PID 4996 wrote to memory of 3640	4996	msiexec.exe	100
PID 3640 wrote to memory of 4364	3640	MsiExec.exe	102
PID 3640 wrote to memory of 4364	3640	MsiExec.exe	102
PID 3640 wrote to memory of 4364	3640	MsiExec.exe	102
PID 3640 wrote to memory of 4400	3640	MsiExec.exe	104
PID 3640 wrote to memory of 4400	3640	MsiExec.exe	104
PID 3640 wrote to memory of 4400	3640	MsiExec.exe	104
PID 3640 wrote to memory of 4760	3640	MsiExec.exe	106
PID 3640 wrote to memory of 4760	3640	MsiExec.exe	106
PID 3640 wrote to memory of 4760	3640	MsiExec.exe	106
PID 4760 wrote to memory of 5092	4760	windbg.exe	107
PID 4760 wrote to memory of 5092	4760	windbg.exe	107
PID 4760 wrote to memory of 5092	4760	windbg.exe	107
PID 3640 wrote to memory of 4328	3640	MsiExec.exe	108
PID 3640 wrote to memory of 4328	3640	MsiExec.exe	108
PID 3640 wrote to memory of 4328	3640	MsiExec.exe	108

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NEAS.NEASc12c6dd22bbdf170dffd8278facbb834c692c8f5b319e863097869fe94541ba5msiunknown_JC.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1124

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4088
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 27CE36027570ED219E944C4D89578A22
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3640
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-e940e353-f87e-40ed-8448-80fd03c25bc0\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:4364
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:4400
- - C:\Users\Admin\AppData\Local\Temp\MW-e940e353-f87e-40ed-8448-80fd03c25bc0\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-e940e353-f87e-40ed-8448-80fd03c25bc0\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4760
  - - \??\c:\tmpp\Autoit3.exe
      c:\tmpp\Autoit3.exe c:\tmpp\test.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:5092
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-e940e353-f87e-40ed-8448-80fd03c25bc0\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:4328

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-e940e353-f87e-40ed-8448-80fd03c25bc0\files.cab

Filesize
2.5MB

MD5
19d2002ca9e4950632ba006f59b2a05d

SHA1
cb7e2c2146be50a73e68ed339ebf4a4a49c07883

SHA256
e28573474b9353c3a353dfbef1f4e0a18c225013df01741758ed7e1f2fc1f3da

SHA512
87b68aec9aac1a85e4d7fb9b98acf4f868c44979a47acf17edbec5878afa9f6d5070fcc51c73958e7a1815b51d27dc755f61aecc8ce26f64e9ebdb1d2b686eb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e940e353-f87e-40ed-8448-80fd03c25bc0\files\00595-1017085943.png

Filesize
661KB

MD5
e5f36215426555498dbba13bb15b012c

SHA1
013d8597350e791f68a72dd1b089a3252e67b0e2

SHA256
c67232ee5b6e81e173fb18c7ea395105de9138da921ef17ce2e3d8ff9eb8a8d7

SHA512
d27dfc373ed1054cebfe72141da96f314fbaa826109c3a1ea844be968a7f87ea208efa113a7e785e3619a034c54764b79a5133c20e0193eb225bd62b1647b814

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e940e353-f87e-40ed-8448-80fd03c25bc0\files\dbgeng.dll

Filesize
2.7MB

MD5
a042bd97749335c9e67a5cf737bfa234

SHA1
3fbd9087b857af7b7a92358b72b0169069d2a8aa

SHA256
80dd10b818fa2154c8433ad693d5801ef45b2853096b257b915a49b8d8769852

SHA512
3f426423d093540918b20e56e40118a36d7159af804ec122fcb90f2d8cf9021b20dd596889e9486c75b351034f82e719fe5e6e7565e1a78add75deadc0d96cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e940e353-f87e-40ed-8448-80fd03c25bc0\files\dbgeng.dll

Filesize
2.7MB

MD5
a042bd97749335c9e67a5cf737bfa234

SHA1
3fbd9087b857af7b7a92358b72b0169069d2a8aa

SHA256
80dd10b818fa2154c8433ad693d5801ef45b2853096b257b915a49b8d8769852

SHA512
3f426423d093540918b20e56e40118a36d7159af804ec122fcb90f2d8cf9021b20dd596889e9486c75b351034f82e719fe5e6e7565e1a78add75deadc0d96cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e940e353-f87e-40ed-8448-80fd03c25bc0\files\dbgeng.dll

Filesize
2.7MB

MD5
a042bd97749335c9e67a5cf737bfa234

SHA1
3fbd9087b857af7b7a92358b72b0169069d2a8aa

SHA256
80dd10b818fa2154c8433ad693d5801ef45b2853096b257b915a49b8d8769852

SHA512
3f426423d093540918b20e56e40118a36d7159af804ec122fcb90f2d8cf9021b20dd596889e9486c75b351034f82e719fe5e6e7565e1a78add75deadc0d96cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e940e353-f87e-40ed-8448-80fd03c25bc0\files\unins000.dat

Filesize
62KB

MD5
5f6d7117758a11c5cc96725a4fc72348

SHA1
eede69efecd034bb059b90b1bdd48d406e80f5e9

SHA256
a5e75d0cb8ef19d4c28156a58b14958fee2ca7c8bf69e4cbb3c4333a0fd21202

SHA512
954d8c7ccc171e47ec495af646638e32f712624c707c6c6edcf860161ba337296c2fa955232e39f077d11d772717d47ee44eeb7554ac904d4936ce3b97fcd4a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e940e353-f87e-40ed-8448-80fd03c25bc0\files\unins000.exe

Filesize
1.1MB

MD5
a82fd06ad4339762ef1ea3e6ebf28fae

SHA1
5fa84f3ad4a2f1e078562c00e6bbad445418cdb0

SHA256
6c61ce9dec3052ae229596c8a32fc2cf8c9090b8b632998ef69de580cfeb1afd

SHA512
63eda89fb03ae581c888c189906ec84ea8061097ec55296c0c6bbfa649a9d7e58d5a299e6e2bacb7d9aa8abad62ceec1f5f4e47e4236f9d7de9aff76c502d052

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e940e353-f87e-40ed-8448-80fd03c25bc0\files\unins000.msg

Filesize
22KB

MD5
3b1a9a56eede8c6335e94959d5231ac5

SHA1
8d256fc02492b6c51db9f3861746b386e62ba317

SHA256
161a04957d74daafb21d9a03dade488ae7ebcf90af0e7e41cad1445418a9b3ff

SHA512
9fb552bebb2b72cb8f2df55863ba529974ea0d81da83cffb12f95974faaeead1d623f1a6df87478d308cc69a5102cbd01109dd5b8cf0fe11e5132baa903ae6e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e940e353-f87e-40ed-8448-80fd03c25bc0\files\uninsTasks.txt

Filesize
22B

MD5
ed8842c313a411cf074fb082b7184ab0

SHA1
2e411a8b4b62c15e31415fa63742d4c40e8265df

SHA256
9bcb8b4872fb35ebb4413b554a9b8402b39119c78d120bdcef353ce511fc93ca

SHA512
019819aacc76617a466da73bfabdd892c407d7e74844329fa47ba3ea1e13379a41950988976b5021ac2cb9068da904ae93c249a229ff6dfa7fdb633f2adc1216

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e940e353-f87e-40ed-8448-80fd03c25bc0\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e940e353-f87e-40ed-8448-80fd03c25bc0\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e940e353-f87e-40ed-8448-80fd03c25bc0\msiwrapper.ini

Filesize
1KB

MD5
31a5c8d1aec501479770f96175217cdb

SHA1
21919cd8b1d3b2bd6a58ef919dcac8960963b46f

SHA256
2377e481c02f249d9e48d9cc60286dcc35c8155020012196c668d4bde6ef35ac

SHA512
d3db9ce056c9c3ba4f8f95a0acb612fea5912f50a3872332cc6cd1cff1822488a8bec4c1b1edfd49574a3f19832b9f4f664d65beb30e671d7f74469a6a041627

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e940e353-f87e-40ed-8448-80fd03c25bc0\msiwrapper.ini

Filesize
1KB

MD5
c1288e3737461b6a3eae4b2c89faaf1f

SHA1
966554851679b752b098e3e2b51040cfcba88447

SHA256
966bec7535834d30c8c257b6ab249796538652c39adeb45d74a7ff366e7b5301

SHA512
2eacdf227d2669db34a9642582c5e482081d2e805e89f02484655c4a8b41cd18d214d37f53270cc7f1ccbb5434ac8fb75ee3826c2af2347292b0926e25d7e85a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e940e353-f87e-40ed-8448-80fd03c25bc0\msiwrapper.ini

Filesize
1KB

MD5
c1288e3737461b6a3eae4b2c89faaf1f

SHA1
966554851679b752b098e3e2b51040cfcba88447

SHA256
966bec7535834d30c8c257b6ab249796538652c39adeb45d74a7ff366e7b5301

SHA512
2eacdf227d2669db34a9642582c5e482081d2e805e89f02484655c4a8b41cd18d214d37f53270cc7f1ccbb5434ac8fb75ee3826c2af2347292b0926e25d7e85a

Download Submit
C:\Windows\Installer\MSIDF5F.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIDF5F.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIED2C.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIED2C.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\tmpp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
d2ecc84e48eff5804d9865311d94ab58

SHA1
56db061fb70398cf1a3eb2f2fc08139fd1dfb63d

SHA256
268804e1513bf30ab1b1eda2ff86d9de8e35c6f12820a9c1330b917faa2cc80e

SHA512
3ab679cddae26a4bf322427eb7644a7b9b37382f00305ac85c95673631848d2933fdf20a14c0ac98127f98b9706ff9a0dd7fa27ec206a01f63fac20d102b0eb1

Download Submit
\??\Volume{50e1cb7e-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e5de4919-2bc8-477e-8980-8123bedd6130}_OnDiskSnapshotProp

Filesize
5KB

MD5
1a0c5f012c01f4be26609d0f96b82a08

SHA1
362946fe11fe145b168f0445dac8801e79369a80

SHA256
d7abcbde57472522b83b31510af405365cdb470c22a031b491d0600266d22a55

SHA512
1ef7f49c5ce1d9d719b241523d34110a26c1ca3d58969e710c319a2322cbbdea66ab0eb58a949945295af08cf828609bf159e68855ac44df701ba5543e85f283

Download Submit
\??\c:\tmpp\test.au3

Filesize
493KB

MD5
e6350ddb36e5df564e9694af60c12a0b

SHA1
196bad591cf3158ac312775651b59e2edeea87fb

SHA256
c37d7422358f7009a84ec05845822870d30eca36b1f94df050c29ba60b834995

SHA512
bca15211e4ac4871e67d288551f23ab10e59be9678cee887618089a5c0a5943a6582f5e9f6635c57ed053d01de81a00c2eb50a1508bddb38a2ab1fd4a5484ece

Download Submit
memory/4760-98-0x0000000000C80000-0x0000000000F43000-memory.dmp

Filesize
2.8MB

Download
memory/4760-93-0x0000000000C80000-0x0000000000F43000-memory.dmp

Filesize
2.8MB

Download
memory/5092-113-0x0000000003D40000-0x000000000406A000-memory.dmp

Filesize
3.2MB

Download
memory/5092-101-0x0000000000FF0000-0x00000000013F0000-memory.dmp

Filesize
4.0MB

Download