darkgate | d4e766f81e567039c44ccca90ef192a7f063c1783224ee4be3e3d7786980e236

Analysis

max time kernel
138s
max time network
161s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
26-10-2023 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d4e766f81e567039c44ccca90ef192a7f063c1783224ee4be3e3d7786980e236_JC.msi
Size

8.6MB
MD5

595527dff7c5234f4509cbbfa7047b6a
SHA1

de4ca2a9726c7963ebe69e7908dd265df5dc81a3
SHA256

d4e766f81e567039c44ccca90ef192a7f063c1783224ee4be3e3d7786980e236
SHA512

e9757d7ea108407afb83021ec0cac72d04a01e587424a1f82878a2e264dbbe8312fe34c4dc5944b8d324321bc39ac3784cc861bbc344e582fe7c1db3655ae383
SSDEEP

196608:9kdAirk9zqV8GinTPMoGkd/ROfL0uUmN4in1VAnEVYxVSe3bvPrsn:ydAirAzqVAnTPMgd+0ogHnF3zI

Score

10^/10

darkgate ads5 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

ADS5

http://sftp.bitepieces.com

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
443
check_disk
true
check_ram
true
check_xeon
true
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
KnqeTJUYsrnUBP
internal_mutex
txtMut
minimum_disk
40
minimum_ram
7000
ping_interval
4
rootkit
true
startup_persistence
true
username
ADS5

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Executes dropped EXE 2 IoCs

pid	Process
1080	windbg.exe
1896	Autoit3.exe

Loads dropped DLL 3 IoCs

pid	Process
3436	MsiExec.exe
1080	windbg.exe
3436	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2668	ICACLS.EXE
3596	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e58be2b.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{402D72DA-4565-4771-A043-039847D7145B}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSID3D7.tmp	msiexec.exe
File created	C:\Windows\Installer\e58be2b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC147.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSID3D6.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e909c866916b25070000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e909c8660000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e909c866000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de909c866000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e909c86600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4704	msiexec.exe
4704	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4724	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4724	msiexec.exe
Token: SeSecurityPrivilege	4704	msiexec.exe
Token: SeCreateTokenPrivilege	4724	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4724	msiexec.exe
Token: SeLockMemoryPrivilege	4724	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4724	msiexec.exe
Token: SeMachineAccountPrivilege	4724	msiexec.exe
Token: SeTcbPrivilege	4724	msiexec.exe
Token: SeSecurityPrivilege	4724	msiexec.exe
Token: SeTakeOwnershipPrivilege	4724	msiexec.exe
Token: SeLoadDriverPrivilege	4724	msiexec.exe
Token: SeSystemProfilePrivilege	4724	msiexec.exe
Token: SeSystemtimePrivilege	4724	msiexec.exe
Token: SeProfSingleProcessPrivilege	4724	msiexec.exe
Token: SeIncBasePriorityPrivilege	4724	msiexec.exe
Token: SeCreatePagefilePrivilege	4724	msiexec.exe
Token: SeCreatePermanentPrivilege	4724	msiexec.exe
Token: SeBackupPrivilege	4724	msiexec.exe
Token: SeRestorePrivilege	4724	msiexec.exe
Token: SeShutdownPrivilege	4724	msiexec.exe
Token: SeDebugPrivilege	4724	msiexec.exe
Token: SeAuditPrivilege	4724	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4724	msiexec.exe
Token: SeChangeNotifyPrivilege	4724	msiexec.exe
Token: SeRemoteShutdownPrivilege	4724	msiexec.exe
Token: SeUndockPrivilege	4724	msiexec.exe
Token: SeSyncAgentPrivilege	4724	msiexec.exe
Token: SeEnableDelegationPrivilege	4724	msiexec.exe
Token: SeManageVolumePrivilege	4724	msiexec.exe
Token: SeImpersonatePrivilege	4724	msiexec.exe
Token: SeCreateGlobalPrivilege	4724	msiexec.exe
Token: SeBackupPrivilege	1068	vssvc.exe
Token: SeRestorePrivilege	1068	vssvc.exe
Token: SeAuditPrivilege	1068	vssvc.exe
Token: SeBackupPrivilege	4704	msiexec.exe
Token: SeRestorePrivilege	4704	msiexec.exe
Token: SeRestorePrivilege	4704	msiexec.exe
Token: SeTakeOwnershipPrivilege	4704	msiexec.exe
Token: SeRestorePrivilege	4704	msiexec.exe
Token: SeTakeOwnershipPrivilege	4704	msiexec.exe
Token: SeRestorePrivilege	4704	msiexec.exe
Token: SeTakeOwnershipPrivilege	4704	msiexec.exe
Token: SeRestorePrivilege	4704	msiexec.exe
Token: SeTakeOwnershipPrivilege	4704	msiexec.exe
Token: SeBackupPrivilege	2244	srtasks.exe
Token: SeRestorePrivilege	2244	srtasks.exe
Token: SeSecurityPrivilege	2244	srtasks.exe
Token: SeTakeOwnershipPrivilege	2244	srtasks.exe
Token: SeBackupPrivilege	2244	srtasks.exe
Token: SeRestorePrivilege	2244	srtasks.exe
Token: SeSecurityPrivilege	2244	srtasks.exe
Token: SeTakeOwnershipPrivilege	2244	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4724	msiexec.exe
4724	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 2244	4704	msiexec.exe	98
PID 4704 wrote to memory of 2244	4704	msiexec.exe	98
PID 4704 wrote to memory of 3436	4704	msiexec.exe	100
PID 4704 wrote to memory of 3436	4704	msiexec.exe	100
PID 4704 wrote to memory of 3436	4704	msiexec.exe	100
PID 3436 wrote to memory of 2668	3436	MsiExec.exe	101
PID 3436 wrote to memory of 2668	3436	MsiExec.exe	101
PID 3436 wrote to memory of 2668	3436	MsiExec.exe	101
PID 3436 wrote to memory of 3588	3436	MsiExec.exe	103
PID 3436 wrote to memory of 3588	3436	MsiExec.exe	103
PID 3436 wrote to memory of 3588	3436	MsiExec.exe	103
PID 3436 wrote to memory of 1080	3436	MsiExec.exe	105
PID 3436 wrote to memory of 1080	3436	MsiExec.exe	105
PID 3436 wrote to memory of 1080	3436	MsiExec.exe	105
PID 1080 wrote to memory of 1896	1080	windbg.exe	106
PID 1080 wrote to memory of 1896	1080	windbg.exe	106
PID 1080 wrote to memory of 1896	1080	windbg.exe	106
PID 3436 wrote to memory of 3596	3436	MsiExec.exe	107
PID 3436 wrote to memory of 3596	3436	MsiExec.exe	107
PID 3436 wrote to memory of 3596	3436	MsiExec.exe	107

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d4e766f81e567039c44ccca90ef192a7f063c1783224ee4be3e3d7786980e236_JC.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4724

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2244
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 43DF46D5A84805151A902C6F0C811529
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3436
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2668
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:3588
- - C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - \??\c:\tmpa\Autoit3.exe
      c:\tmpa\Autoit3.exe c:\tmpa\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:1896
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:3596

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\files.cab

Filesize
8.4MB

MD5
11573546f1cb94036c51e1f256067a9a

SHA1
791d3293afeda092c26d2c237804f7a646d0979b

SHA256
ecd6c5174f7fa2f836b7326c52b31cd4a19e53447b8e4a7d036f8b41c0235054

SHA512
7b8cb6c8972472bf8f8c467cbb510216037f5342babe4cdf6889e20ece8400c80084c96ce6507773fb266f20638c68703d120d3f5b98940eaceda57017891067

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\files\00000-602071660.png

Filesize
1.2MB

MD5
c5f6eb13db175fbcd0925434424df781

SHA1
2197137928fff79f8b11e966ffb6a9eb5112a3c8

SHA256
6571ea1fa9e8427418ab40ab1ea6e1555b7c59a2579b2f34dded39d81e8def50

SHA512
40eca3c9a3c2ca653c5c78d1205250b2077265ad5cfb9609a6b34649699b62236c61d5cdb415767749ff86e91afe6830d98e6f5eb3390b2c57d28b4a45a220a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\files\00001-3764640629.png

Filesize
1.3MB

MD5
a384c8b03d6d72e9f9e268d265e8b435

SHA1
3b238b66b33e2dc191da037973a79f01d50ee2d4

SHA256
9310b4483d9e20dfdc28e8603a026f0c52b07089a290955629970b96a51b977b

SHA512
94ada636935ecf52ce4625b23216b0dde06e58fd09f34a4727531bf5299d45b5e705b8c043713f14cc8c007ba82645a0dc54402badea418bf3677967c960c565

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\files\00002-1969081335.png

Filesize
1.1MB

MD5
92028b5b43ea981f2172f2e9ce6556bf

SHA1
6da86abe3bc0caf500908ec7b8e841b797948fec

SHA256
7d5d5115c1f29592dba340a167e7144a539df8201578913fbbbb428b26d8c7ed

SHA512
1af0cb17ff6b09c49c0ea7433d665b123ea7e7c6a46c06088bfaeaee3a3ce01aab27105a36f906a17dc0c29c830ef54fb4b005b47cdecd3612ce9f0d3059c62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\files\00003-1310450276.png

Filesize
1.2MB

MD5
3f3788816f75078edb9817a98259a223

SHA1
1eb191dd0dcff72f5922aa775dc95dced7967bd5

SHA256
a2f02cb0c6dbba41b8a4572c4546fbb7216efe8dc18ccef16e1a14d7f8ccddd0

SHA512
2c17408796ba518ad117983526f5c0380a36b6f18974132a69923e95288c3ced9ca05e615ea5d567bde100c4cd8469bf172daba96f4e5032520ccb75560d5b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\files\00004-4001132497.png

Filesize
1.1MB

MD5
2ccc17c1a5bb5e656e7f3bb09ff0beff

SHA1
05866cf7dd5fa99ea852b01c2791b30e7741ea19

SHA256
411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2

SHA512
46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\files\00005-3931689802.png

Filesize
903KB

MD5
66732fccbeee97415b033c017e594196

SHA1
6db8fada912e6ea219b526cbe1a136a6afdabffb

SHA256
dbefd6274b1ffc0d387d76972a9d93ea862d3be451aa3d0b8e0335708136addc

SHA512
70b11b616b108e284d8f47e9881db5c15e2a5d8ee41d6d0e26b43de19203811da6402e8f47d1845bc30e9ba8cbe71195c8594723c5ac966521dda2dc39f4a248

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\files\data.bin

Filesize
92KB

MD5
8b305b67e45165844d2f8547a085d782

SHA1
92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722

SHA256
776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b

SHA512
2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\files\data2.bin

Filesize
1.8MB

MD5
1cdde34f6f487545c26673a907af15f6

SHA1
4da95d333976a15ecd368d8fc04e6331a1952fa9

SHA256
3c1fdbc968598ee048f02a47b9fe888e33bfeff5a55bea059c8cb91e6d0f2c8c

SHA512
e6b1a2ccb7b994aecef47ec035659e720f151a71d6d0db8449266f47e6053238878d635ca45fe2a334b328adf5e008fd0257feb4b5968f23094e62def349365a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\files\dbgeng.dll

Filesize
1.3MB

MD5
f540f998d60d6fc1c23f942ed5857296

SHA1
1ef333bfea08b37cda99ea1353d52928a4458f28

SHA256
d37e54faccf247c73e59fec33001000567e44a4e0adf6f637c3aea32e76d8b11

SHA512
e3369f9848dcb0661c5d932f0702dffa304541b6a7a0a8c9753247cde1083277cd4ac3600927476dafc7be73fe0bae2ace0c7e7320ae8ac9fea0660edb777b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\files\dbgeng.dll

Filesize
1.3MB

MD5
f540f998d60d6fc1c23f942ed5857296

SHA1
1ef333bfea08b37cda99ea1353d52928a4458f28

SHA256
d37e54faccf247c73e59fec33001000567e44a4e0adf6f637c3aea32e76d8b11

SHA512
e3369f9848dcb0661c5d932f0702dffa304541b6a7a0a8c9753247cde1083277cd4ac3600927476dafc7be73fe0bae2ace0c7e7320ae8ac9fea0660edb777b9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\msiwrapper.ini

Filesize
1KB

MD5
8975ac3708ae9ca1020fe662ca735103

SHA1
8077275f25f26e2ca121a9c35425f52b8855859c

SHA256
1151adcb79641e7dbf1e5757de834319d8d60618285a3fdfe60c4a5b4aae659a

SHA512
c7247a4466cc5c8ba040023065e4dd5096236f856be31926e5ffeac4cd223398347ffeebe79cb64c0127349a03b27fbd8831a8bc1137404ec3a4e52da1325c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\msiwrapper.ini

Filesize
370B

MD5
a31703e7e55f74d556d34d03432c7eb6

SHA1
feca7c7f10ae990c3dcec8d982c644d2788a8b41

SHA256
bdb609809d3287dca85fe769b34726701084ef26d2bfb5c2ee988851b4fada47

SHA512
00e616d6a4526cbc927022ad6e0702e5396928dcb501e1577f3376004c2862cfe4bfdb0922c87667ac24d061e86fe19bf74da621c87c14f0319bd6e5e41ba318

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\msiwrapper.ini

Filesize
1010B

MD5
39fbbc9e494077de1ab24deca2b22350

SHA1
e63f16a0f94e0f50ffaa1a0dfb83d97154c27176

SHA256
3495fb29eacc9f42f09a00fa67fe1b292a4cfc14af893f86b00cc621f78ae0ce

SHA512
b96d249089dcb738acdf490dc6c4f91c970aeff5297ccae8114224af4db3e46a9bea3c7df76560c3e9744f89314841200f45f8c652f9e97422c0a6331b324c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\msiwrapper.ini

Filesize
1KB

MD5
c9e66337fb950633174144923b8548e9

SHA1
93441a8a9ac5874632416076c75af11327153e5c

SHA256
f1e390474c3f514b1b2db685d7a755f26513a812447d2234691804d4d05893fd

SHA512
bc3774c77a4ca73c35d1ec345b2692963be7055d7023c412599a70f0a6ef5a2c21bfea70bc7b393e96cdd7b450e71c705bfe58622f4d42cdeefc898f7b10d8f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-5216e139-0370-4fd9-8547-1cb9d2ad84e7\msiwrapper.ini

Filesize
1KB

MD5
c9e66337fb950633174144923b8548e9

SHA1
93441a8a9ac5874632416076c75af11327153e5c

SHA256
f1e390474c3f514b1b2db685d7a755f26513a812447d2234691804d4d05893fd

SHA512
bc3774c77a4ca73c35d1ec345b2692963be7055d7023c412599a70f0a6ef5a2c21bfea70bc7b393e96cdd7b450e71c705bfe58622f4d42cdeefc898f7b10d8f4

Download Submit
C:\Windows\Installer\MSIC147.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIC147.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSID3D7.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSID3D7.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
4137b65576ec3ed606b55897f952e0d8

SHA1
de2729892f00edc6f6cd0b15aac0a884ec383d12

SHA256
7cc6b99ac1800a90dea97c9d73a7d9fec491575c1ac1d4655db5b898e5a70da3

SHA512
1ce71cd11185e54a96d01285bc248483a8ce21a6d4bc9f3cfbf8c21051322eb6798ab8bd65652aa987715374f672ae5c8dbe48cae9c5e932dedaac35ac70986c

Download Submit
\??\Volume{66c809e9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a1c3f86a-bf46-4e62-8e9a-47ee70f21357}_OnDiskSnapshotProp

Filesize
5KB

MD5
7fced42a07956855dbe2241bf89a4d79

SHA1
963509bba23ff5d556ec184ae9f47982849328b2

SHA256
0ed62f3f1c1efcfcf92cb3d925e070a06752368aac941c460db8413f878be35a

SHA512
fcdb012c00276d2fe98179c019f1aaac56a98c95ff484f74f5619e47a367821799eec854b768a23583dbaf9f9e0f5d32840277a4eb87149cac754957fc585d84

Download Submit
\??\c:\tmpa\script.au3

Filesize
498KB

MD5
cd434465236e62f9960f6eaa8ace2bf1

SHA1
45167afe0513736ec52a0a90bd87dd94273a836b

SHA256
f2bdc1b0da1e7270fa3b26a883f5ad4bbf189d8cb593af4c53ab6db680c9258c

SHA512
5b6d58757e222e17c962ad8e52d9e792604a9b898a3c61afa137d8c76a6de674b1dc00f32c9e3e97021a789a9f8e4de61044558ced7e34be84669d74fedf21c2

Download Submit
memory/1080-108-0x0000000000400000-0x000000000054B000-memory.dmp

Filesize
1.3MB

Download
memory/1080-103-0x0000000001470000-0x0000000001570000-memory.dmp

Filesize
1024KB

Download
memory/1896-126-0x0000000000BC0000-0x0000000000FC0000-memory.dmp

Filesize
4.0MB

Download
memory/1896-127-0x0000000003E00000-0x000000000412A000-memory.dmp

Filesize
3.2MB

Download