darkgate | 9a04642537126dfbe384c18c082b04b705e08d1a0b167a7e2dd6c18f02d38054

Analysis

max time kernel
108s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
03-11-2023 01:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a67f1634416de1483327e8cfe38c456f6891512433f5128df07444e44b886cd.msi
Size

8.3MB
MD5

2a2cfd61d4ebc2f4956e9a56815b7c0f
SHA1

47718e8df5e7a0d0b2c74f10696ca50cf6e1e0b9
SHA256

3a67f1634416de1483327e8cfe38c456f6891512433f5128df07444e44b886cd
SHA512

96989896a5eb3dc99d602cad4bfa4ced65ac04a1fd5e79c8c09a70e3a5ce6bcd8eb686ab96f55191a2e5712c23f543ac5f29ab11e773238c27c76905cd4cdb22
SSDEEP

196608:ikdAirk9zqV8GinTPMoGkd/ROfL0uUmN4in1VAnEVYxVSe317I:pdAirAzqVAnTPMgd+0ogHnF317I

Score

10^/10

darkgate ads5 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

ADS5

http://sftp.noheroway.com

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
443
check_disk
true
check_ram
true
check_xeon
true
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
ATXtlWVDuHaLOk
internal_mutex
txtMut
minimum_disk
40
minimum_ram
6000
ping_interval
4
rootkit
true
startup_persistence
true
username
ADS5

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Executes dropped EXE 2 IoCs

pid	Process
3668	windbg.exe
2412	Autoit3.exe

Loads dropped DLL 4 IoCs

pid	Process
1052	MsiExec.exe
3668	windbg.exe
3668	windbg.exe
1052	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4852	ICACLS.EXE
3972	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIC9A5.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2C553FE4-D9D1-4FCD-8E6F-BBC4FF2FC0EA}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI91AC.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIC9E5.tmp	msiexec.exe
File created	C:\Windows\Installer\e5882f6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5882f6.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000000299f28d78dcfadf0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800000299f28d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809000299f28d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d0299f28d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000000299f28d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4076	msiexec.exe
4076	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3108	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3108	msiexec.exe
Token: SeSecurityPrivilege	4076	msiexec.exe
Token: SeCreateTokenPrivilege	3108	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3108	msiexec.exe
Token: SeLockMemoryPrivilege	3108	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3108	msiexec.exe
Token: SeMachineAccountPrivilege	3108	msiexec.exe
Token: SeTcbPrivilege	3108	msiexec.exe
Token: SeSecurityPrivilege	3108	msiexec.exe
Token: SeTakeOwnershipPrivilege	3108	msiexec.exe
Token: SeLoadDriverPrivilege	3108	msiexec.exe
Token: SeSystemProfilePrivilege	3108	msiexec.exe
Token: SeSystemtimePrivilege	3108	msiexec.exe
Token: SeProfSingleProcessPrivilege	3108	msiexec.exe
Token: SeIncBasePriorityPrivilege	3108	msiexec.exe
Token: SeCreatePagefilePrivilege	3108	msiexec.exe
Token: SeCreatePermanentPrivilege	3108	msiexec.exe
Token: SeBackupPrivilege	3108	msiexec.exe
Token: SeRestorePrivilege	3108	msiexec.exe
Token: SeShutdownPrivilege	3108	msiexec.exe
Token: SeDebugPrivilege	3108	msiexec.exe
Token: SeAuditPrivilege	3108	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3108	msiexec.exe
Token: SeChangeNotifyPrivilege	3108	msiexec.exe
Token: SeRemoteShutdownPrivilege	3108	msiexec.exe
Token: SeUndockPrivilege	3108	msiexec.exe
Token: SeSyncAgentPrivilege	3108	msiexec.exe
Token: SeEnableDelegationPrivilege	3108	msiexec.exe
Token: SeManageVolumePrivilege	3108	msiexec.exe
Token: SeImpersonatePrivilege	3108	msiexec.exe
Token: SeCreateGlobalPrivilege	3108	msiexec.exe
Token: SeBackupPrivilege	184	vssvc.exe
Token: SeRestorePrivilege	184	vssvc.exe
Token: SeAuditPrivilege	184	vssvc.exe
Token: SeBackupPrivilege	4076	msiexec.exe
Token: SeRestorePrivilege	4076	msiexec.exe
Token: SeRestorePrivilege	4076	msiexec.exe
Token: SeTakeOwnershipPrivilege	4076	msiexec.exe
Token: SeRestorePrivilege	4076	msiexec.exe
Token: SeTakeOwnershipPrivilege	4076	msiexec.exe
Token: SeBackupPrivilege	4336	srtasks.exe
Token: SeRestorePrivilege	4336	srtasks.exe
Token: SeSecurityPrivilege	4336	srtasks.exe
Token: SeTakeOwnershipPrivilege	4336	srtasks.exe
Token: SeBackupPrivilege	4336	srtasks.exe
Token: SeRestorePrivilege	4336	srtasks.exe
Token: SeSecurityPrivilege	4336	srtasks.exe
Token: SeTakeOwnershipPrivilege	4336	srtasks.exe
Token: SeRestorePrivilege	4076	msiexec.exe
Token: SeTakeOwnershipPrivilege	4076	msiexec.exe
Token: SeRestorePrivilege	4076	msiexec.exe
Token: SeTakeOwnershipPrivilege	4076	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3108	msiexec.exe
3108	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 4336	4076	msiexec.exe	106
PID 4076 wrote to memory of 4336	4076	msiexec.exe	106
PID 4076 wrote to memory of 1052	4076	msiexec.exe	110
PID 4076 wrote to memory of 1052	4076	msiexec.exe	110
PID 4076 wrote to memory of 1052	4076	msiexec.exe	110
PID 1052 wrote to memory of 4852	1052	MsiExec.exe	113
PID 1052 wrote to memory of 4852	1052	MsiExec.exe	113
PID 1052 wrote to memory of 4852	1052	MsiExec.exe	113
PID 1052 wrote to memory of 3964	1052	MsiExec.exe	115
PID 1052 wrote to memory of 3964	1052	MsiExec.exe	115
PID 1052 wrote to memory of 3964	1052	MsiExec.exe	115
PID 1052 wrote to memory of 3668	1052	MsiExec.exe	117
PID 1052 wrote to memory of 3668	1052	MsiExec.exe	117
PID 1052 wrote to memory of 3668	1052	MsiExec.exe	117
PID 3668 wrote to memory of 2412	3668	windbg.exe	118
PID 3668 wrote to memory of 2412	3668	windbg.exe	118
PID 3668 wrote to memory of 2412	3668	windbg.exe	118
PID 1052 wrote to memory of 3972	1052	MsiExec.exe	119
PID 1052 wrote to memory of 3972	1052	MsiExec.exe	119
PID 1052 wrote to memory of 3972	1052	MsiExec.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3a67f1634416de1483327e8cfe38c456f6891512433f5128df07444e44b886cd.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3108

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4336
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 01A318491C35EAAB5C08C1905FAF4C5D
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:4852
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:3964
- - C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3668
  - - \??\c:\tmpa\Autoit3.exe
      c:\tmpa\Autoit3.exe c:\tmpa\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:2412
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:3972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files.cab

Filesize
8.0MB

MD5
7549bc55ffdc58192eddaaef4a08f040

SHA1
7080f130a8893fe09fc54cf15b87424b57dfe008

SHA256
1f5ceee9b9bb5c3f8619f293a8df9bedb2764d0041e2add91ba04985a5601bee

SHA512
d1b0b09322711ae29f189ae58c1dd3279c7c81f9ad1d4cf4379c42fc82e6361439b877e14fc998ef759af6708cc9880900909efdf5c00331a691ca0d410c1736

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\00000-602071660.png

Filesize
1.2MB

MD5
c5f6eb13db175fbcd0925434424df781

SHA1
2197137928fff79f8b11e966ffb6a9eb5112a3c8

SHA256
6571ea1fa9e8427418ab40ab1ea6e1555b7c59a2579b2f34dded39d81e8def50

SHA512
40eca3c9a3c2ca653c5c78d1205250b2077265ad5cfb9609a6b34649699b62236c61d5cdb415767749ff86e91afe6830d98e6f5eb3390b2c57d28b4a45a220a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\00001-3764640629.png

Filesize
1.3MB

MD5
a384c8b03d6d72e9f9e268d265e8b435

SHA1
3b238b66b33e2dc191da037973a79f01d50ee2d4

SHA256
9310b4483d9e20dfdc28e8603a026f0c52b07089a290955629970b96a51b977b

SHA512
94ada636935ecf52ce4625b23216b0dde06e58fd09f34a4727531bf5299d45b5e705b8c043713f14cc8c007ba82645a0dc54402badea418bf3677967c960c565

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\00002-1969081335.png

Filesize
1.1MB

MD5
92028b5b43ea981f2172f2e9ce6556bf

SHA1
6da86abe3bc0caf500908ec7b8e841b797948fec

SHA256
7d5d5115c1f29592dba340a167e7144a539df8201578913fbbbb428b26d8c7ed

SHA512
1af0cb17ff6b09c49c0ea7433d665b123ea7e7c6a46c06088bfaeaee3a3ce01aab27105a36f906a17dc0c29c830ef54fb4b005b47cdecd3612ce9f0d3059c62f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\00003-1310450276.png

Filesize
1.2MB

MD5
3f3788816f75078edb9817a98259a223

SHA1
1eb191dd0dcff72f5922aa775dc95dced7967bd5

SHA256
a2f02cb0c6dbba41b8a4572c4546fbb7216efe8dc18ccef16e1a14d7f8ccddd0

SHA512
2c17408796ba518ad117983526f5c0380a36b6f18974132a69923e95288c3ced9ca05e615ea5d567bde100c4cd8469bf172daba96f4e5032520ccb75560d5b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\00004-4001132497.png

Filesize
1.1MB

MD5
2ccc17c1a5bb5e656e7f3bb09ff0beff

SHA1
05866cf7dd5fa99ea852b01c2791b30e7741ea19

SHA256
411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2

SHA512
46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\00005-3931689802.png

Filesize
903KB

MD5
66732fccbeee97415b033c017e594196

SHA1
6db8fada912e6ea219b526cbe1a136a6afdabffb

SHA256
dbefd6274b1ffc0d387d76972a9d93ea862d3be451aa3d0b8e0335708136addc

SHA512
70b11b616b108e284d8f47e9881db5c15e2a5d8ee41d6d0e26b43de19203811da6402e8f47d1845bc30e9ba8cbe71195c8594723c5ac966521dda2dc39f4a248

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\data.bin

Filesize
92KB

MD5
8b305b67e45165844d2f8547a085d782

SHA1
92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722

SHA256
776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b

SHA512
2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\data2.bin

Filesize
1.8MB

MD5
ebd72e79cf2fd580561a5fd219f1aa7d

SHA1
57f4b307022a65d1cf6afc60f3717b8c05a88974

SHA256
809b1ac22af6b499e95d7ff48b6d7f14293804889218feb76e875dc05a06bbd2

SHA512
c53cfefd83cabddd90c1acee3a85d0edb364d7d49913e63958374534c6c476329be7264cef3ed8624cfbe3b3bdf9aad1c23be16dc7ea0efc86974fa9b57e873c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\dbgeng.dll

Filesize
359KB

MD5
335f090d924818a80f31463d328b2ee5

SHA1
c4e147102f9c4d4d91f23f832db5880925460123

SHA256
4085eeda23270ed9cb734bd3b29189a3eae7c3659fe3c5f4c9dc5d2cb2b5d97e

SHA512
e3071caa6f142c32691fcca44578235d67666df2aad56052f2b35ba05d21bce78fff7018152e68f81a975c3882606688d986b3fdda02f3b9a319deb33fb03f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\dbgeng.dll

Filesize
359KB

MD5
335f090d924818a80f31463d328b2ee5

SHA1
c4e147102f9c4d4d91f23f832db5880925460123

SHA256
4085eeda23270ed9cb734bd3b29189a3eae7c3659fe3c5f4c9dc5d2cb2b5d97e

SHA512
e3071caa6f142c32691fcca44578235d67666df2aad56052f2b35ba05d21bce78fff7018152e68f81a975c3882606688d986b3fdda02f3b9a319deb33fb03f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\dbgeng.dll

Filesize
359KB

MD5
335f090d924818a80f31463d328b2ee5

SHA1
c4e147102f9c4d4d91f23f832db5880925460123

SHA256
4085eeda23270ed9cb734bd3b29189a3eae7c3659fe3c5f4c9dc5d2cb2b5d97e

SHA512
e3071caa6f142c32691fcca44578235d67666df2aad56052f2b35ba05d21bce78fff7018152e68f81a975c3882606688d986b3fdda02f3b9a319deb33fb03f3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\msiwrapper.ini

Filesize
1KB

MD5
150fc4121bf74eef5542123829211db3

SHA1
a3f8b69c00556bfff7dda2722f88b666fb36b97f

SHA256
fc7d9f9b941b237415d4eb33f085a84b852f929949112e6272ed47c13bee921b

SHA512
158b7afc09074d73b08f069b50356ab1183eb9b07a4006d91f017b50dafe49a9168db92e209f110b13a8fe4a7d06c976e574392d3d3d7e8f1fa75d03352ae6d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\msiwrapper.ini

Filesize
1KB

MD5
0cee3f96f1a6f352d0a3196e72b3c21c

SHA1
b389b9e5ce17660326e02b28b88eb0ebc0dce856

SHA256
911ffb5c3dd8d6d99bcbfee0635d77640c805220af6ce6c95817820618337ec3

SHA512
02bb320269a3b327ac3099880335e3ebf75db6a94937dc8456a02bbd5647a9fe243114519ec2ac47246b0b21ab2cdef2b164fc183340a4c6e6f25b59d3dbee04

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-7b8fa075-15e0-47ce-9825-ffa3322e545c\msiwrapper.ini

Filesize
1KB

MD5
0cee3f96f1a6f352d0a3196e72b3c21c

SHA1
b389b9e5ce17660326e02b28b88eb0ebc0dce856

SHA256
911ffb5c3dd8d6d99bcbfee0635d77640c805220af6ce6c95817820618337ec3

SHA512
02bb320269a3b327ac3099880335e3ebf75db6a94937dc8456a02bbd5647a9fe243114519ec2ac47246b0b21ab2cdef2b164fc183340a4c6e6f25b59d3dbee04

Download Submit
C:\Windows\Installer\MSI91AC.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI91AC.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIC9E5.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIC9E5.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
565e5f06d0779235d33cc56ade754f06

SHA1
bf5b882a51ddb85aca878b7c148332701f2359be

SHA256
24207b1a9defdf83c4f636226559800ef0ee4ea57649e68cc3b6cbfb1e17fb3f

SHA512
1d5d695f8e3a838fde5cb15ee3c0883c75738bbdc5cc4683fd01e632d7897230e18effa38d5d4a1dadc9d15f03b1c7a37bf5b2176fbecf223556e4491941d539

Download Submit
\??\Volume{8df29902-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d79e61de-092d-4b38-8f49-134df5dfa513}_OnDiskSnapshotProp

Filesize
5KB

MD5
775747b367914762dfa46f9825542866

SHA1
3f148b4156c9928d81facf7ce3df8cb532d21de6

SHA256
691ee7752ac750b2730725b3f0983e69a08d28bb0aba1828f9af67d3c0ab193a

SHA512
82f64f70a7ad13c8b12ef460f06dadc500ba427479890ce4d2a76ff022bd7a80f58a8945657b87a007a02dc2792317ec5cfc471dce38b017ccc228ecd30d3cae

Download Submit
\??\c:\tmpa\script.au3

Filesize
490KB

MD5
43457fd457324c4b908952aeb443e119

SHA1
412fdc015fab68ca639b476cdd4109742512676f

SHA256
047f7861cc69dc9dc29e0d240b6c4a2db24f0e82cf61ccd338197cdb7ea175ed

SHA512
4de8dbf26e16a436798d209d07375121108a31c18fd0a303c732473886a78049226226a56a8975b684048491a1d80e32a53084a2056358ebd94ac47e0aa3731e

Download Submit
memory/2412-123-0x0000000001600000-0x0000000001A00000-memory.dmp

Filesize
4.0MB

Download
memory/2412-124-0x00000000044A0000-0x0000000004635000-memory.dmp

Filesize
1.6MB

Download
memory/3668-113-0x0000000002310000-0x000000000239A000-memory.dmp

Filesize
552KB

Download
memory/3668-112-0x0000000000880000-0x00000000008DE000-memory.dmp

Filesize
376KB

Download
memory/3668-107-0x0000000002310000-0x000000000239A000-memory.dmp

Filesize
552KB

Download
memory/3668-104-0x0000000000880000-0x00000000008DE000-memory.dmp

Filesize
376KB

Download