darkgate | 92ffa8c1f772ff5487bb29f1539148bd6893ab4abf1de7ed603f84cbc39deddb

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
07-11-2023 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31ae2a2367b4fc.msi
Size

8.6MB
MD5

37593bb56df9b3ad6c9c8b777a7265ad
SHA1

ee06b5c4da2721323cfef688e48cf917c9f0edce
SHA256

92ffa8c1f772ff5487bb29f1539148bd6893ab4abf1de7ed603f84cbc39deddb
SHA512

f5e041d4ea406cf74fd43fec903ba98881d5762fffd8ee43a3a308a795eb0eeff093507b0b03f14497a5e30908fe5d5118c5a507ec10c78fc90c269f10ddfe2e
SSDEEP

196608:IeS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9SyqunTiE7vS+:IdhVs6WXjX9HZ5AQX32WDjyqumI

Score

10^/10

darkgate user_871236672 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

user_871236672

http://8sjimonstersboonkonline.com

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
2351
check_disk
false
check_ram
true
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
RndioOljcBmadZ
internal_mutex
txtMut
minimum_disk
42
minimum_ram
6001
ping_interval
4
rootkit
true
startup_persistence
true
username
user_871236672

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Executes dropped EXE 2 IoCs

pid	Process
4432	windbg.exe
1816	Autoit3.exe

Loads dropped DLL 4 IoCs

pid	Process
2924	MsiExec.exe
4432	windbg.exe
4432	windbg.exe
2924	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
552	ICACLS.EXE
3156	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e583294.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3563.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI50CD.tmp	msiexec.exe
File created	C:\Windows\Installer\e583294.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{559494A9-9EB8-4EF4-AE5C-82EEFF40C633}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI50BC.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e177523499fd9a390000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e17752340000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e1775234000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de1775234000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e177523400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4860	msiexec.exe
4860	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4904	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4904	msiexec.exe
Token: SeSecurityPrivilege	4860	msiexec.exe
Token: SeCreateTokenPrivilege	4904	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4904	msiexec.exe
Token: SeLockMemoryPrivilege	4904	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4904	msiexec.exe
Token: SeMachineAccountPrivilege	4904	msiexec.exe
Token: SeTcbPrivilege	4904	msiexec.exe
Token: SeSecurityPrivilege	4904	msiexec.exe
Token: SeTakeOwnershipPrivilege	4904	msiexec.exe
Token: SeLoadDriverPrivilege	4904	msiexec.exe
Token: SeSystemProfilePrivilege	4904	msiexec.exe
Token: SeSystemtimePrivilege	4904	msiexec.exe
Token: SeProfSingleProcessPrivilege	4904	msiexec.exe
Token: SeIncBasePriorityPrivilege	4904	msiexec.exe
Token: SeCreatePagefilePrivilege	4904	msiexec.exe
Token: SeCreatePermanentPrivilege	4904	msiexec.exe
Token: SeBackupPrivilege	4904	msiexec.exe
Token: SeRestorePrivilege	4904	msiexec.exe
Token: SeShutdownPrivilege	4904	msiexec.exe
Token: SeDebugPrivilege	4904	msiexec.exe
Token: SeAuditPrivilege	4904	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4904	msiexec.exe
Token: SeChangeNotifyPrivilege	4904	msiexec.exe
Token: SeRemoteShutdownPrivilege	4904	msiexec.exe
Token: SeUndockPrivilege	4904	msiexec.exe
Token: SeSyncAgentPrivilege	4904	msiexec.exe
Token: SeEnableDelegationPrivilege	4904	msiexec.exe
Token: SeManageVolumePrivilege	4904	msiexec.exe
Token: SeImpersonatePrivilege	4904	msiexec.exe
Token: SeCreateGlobalPrivilege	4904	msiexec.exe
Token: SeBackupPrivilege	1908	vssvc.exe
Token: SeRestorePrivilege	1908	vssvc.exe
Token: SeAuditPrivilege	1908	vssvc.exe
Token: SeBackupPrivilege	4860	msiexec.exe
Token: SeRestorePrivilege	4860	msiexec.exe
Token: SeRestorePrivilege	4860	msiexec.exe
Token: SeTakeOwnershipPrivilege	4860	msiexec.exe
Token: SeRestorePrivilege	4860	msiexec.exe
Token: SeTakeOwnershipPrivilege	4860	msiexec.exe
Token: SeRestorePrivilege	4860	msiexec.exe
Token: SeTakeOwnershipPrivilege	4860	msiexec.exe
Token: SeRestorePrivilege	4860	msiexec.exe
Token: SeTakeOwnershipPrivilege	4860	msiexec.exe
Token: SeBackupPrivilege	4232	srtasks.exe
Token: SeRestorePrivilege	4232	srtasks.exe
Token: SeSecurityPrivilege	4232	srtasks.exe
Token: SeTakeOwnershipPrivilege	4232	srtasks.exe
Token: SeBackupPrivilege	4232	srtasks.exe
Token: SeRestorePrivilege	4232	srtasks.exe
Token: SeSecurityPrivilege	4232	srtasks.exe
Token: SeTakeOwnershipPrivilege	4232	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4904	msiexec.exe
4904	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4860 wrote to memory of 4232	4860	msiexec.exe	104
PID 4860 wrote to memory of 4232	4860	msiexec.exe	104
PID 4860 wrote to memory of 2924	4860	msiexec.exe	107
PID 4860 wrote to memory of 2924	4860	msiexec.exe	107
PID 4860 wrote to memory of 2924	4860	msiexec.exe	107
PID 2924 wrote to memory of 552	2924	MsiExec.exe	109
PID 2924 wrote to memory of 552	2924	MsiExec.exe	109
PID 2924 wrote to memory of 552	2924	MsiExec.exe	109
PID 2924 wrote to memory of 3120	2924	MsiExec.exe	111
PID 2924 wrote to memory of 3120	2924	MsiExec.exe	111
PID 2924 wrote to memory of 3120	2924	MsiExec.exe	111
PID 2924 wrote to memory of 4432	2924	MsiExec.exe	114
PID 2924 wrote to memory of 4432	2924	MsiExec.exe	114
PID 2924 wrote to memory of 4432	2924	MsiExec.exe	114
PID 4432 wrote to memory of 1816	4432	windbg.exe	116
PID 4432 wrote to memory of 1816	4432	windbg.exe	116
PID 4432 wrote to memory of 1816	4432	windbg.exe	116
PID 2924 wrote to memory of 3156	2924	MsiExec.exe	117
PID 2924 wrote to memory of 3156	2924	MsiExec.exe	117
PID 2924 wrote to memory of 3156	2924	MsiExec.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\31ae2a2367b4fc.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4904

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4860
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4232
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3BB9E215FB3258A7863CF8D94C2E7FD2
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-4e01cc12-0f63-4367-ae5e-7cb18167ad98\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:552
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:3120
- - C:\Users\Admin\AppData\Local\Temp\MW-4e01cc12-0f63-4367-ae5e-7cb18167ad98\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-4e01cc12-0f63-4367-ae5e-7cb18167ad98\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4432
  - - \??\c:\tmpa\Autoit3.exe
      c:\tmpa\Autoit3.exe c:\tmpa\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:1816
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-4e01cc12-0f63-4367-ae5e-7cb18167ad98\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:3156

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-4e01cc12-0f63-4367-ae5e-7cb18167ad98\files.cab

Filesize
8.3MB

MD5
8dfe2215f1f5a66a982b8828afa4beda

SHA1
e7e8025379766de285ab61a371efaa7165e7a1e0

SHA256
2cb6f675e775f44ef0bfb966ac59852b590bba942030a057539b91f649552eb8

SHA512
0432376a68b2e360f889f79ab5cebe029dd1d13404b5c4fe7f989043ce392ec5d8c2b7206fa97fb0f5fa088d61d7c4a350b8bd31f46733f85dca1f3dd857152e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4e01cc12-0f63-4367-ae5e-7cb18167ad98\files\00004-4001132497.png

Filesize
1.1MB

MD5
2ccc17c1a5bb5e656e7f3bb09ff0beff

SHA1
05866cf7dd5fa99ea852b01c2791b30e7741ea19

SHA256
411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2

SHA512
46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4e01cc12-0f63-4367-ae5e-7cb18167ad98\files\00005-3546315028.png

Filesize
1.8MB

MD5
dee56d4f89c71ea6c4f1e75b82f2e9c9

SHA1
293ce531cddbf4034782d5dfed1e35c807d75c52

SHA256
a8f1ffb62d49d35a0f838f358614333e3d5d68ce5409fdfefcd1aa218d4639cf

SHA512
e8c38dc1d7a49d9cb919eae5294cc64379a933cdbd5427ed38c5f915271655f9bd6363e131f9d8a74ffdda23c7b155cc5200ddf999339ea611b98e74355faa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4e01cc12-0f63-4367-ae5e-7cb18167ad98\files\00006-3546315029.png

Filesize
1.8MB

MD5
173a98c6c7a166db7c3caa3a06fec06c

SHA1
3c562051f42353e72ba87b6f54744f6d0107df86

SHA256
212a80b3f8e68d00dbd8fc55fc8c4b30ee996348262d5d37e8b3f431a4b2fdad

SHA512
9dcd341937eff32762767d3538499d211f5a50fddb4e83d5d1afbeb87a5420c1fb9952ef2ecc744c460b7d53baa2bffbe99087a9f794d25ba78d1af61ea8b54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4e01cc12-0f63-4367-ae5e-7cb18167ad98\files\00007-3546315030.png

Filesize
1.6MB

MD5
94b4895b7b8a60481393b7b8c22ad742

SHA1
902796c4aee78ab74e7ba5004625d797d83a8787

SHA256
f449409c8747d8e73ac7f8539c6e26d526ef51d267fed40eadce138389db5973

SHA512
d1ed6f5a1920eca041a683d71ac562058bc513877e3ae8be18888797d0713e25964c610428f9474d9b539097441002275e1f0023a565bd205cd4153ac282b61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4e01cc12-0f63-4367-ae5e-7cb18167ad98\files\data.bin

Filesize
92KB

MD5
e5179592738c7480dfd44a1ca5a92989

SHA1
385764acfb9aa2ac691760a798b19f12a87554e6

SHA256
8e31ed927250dbe20dd49670a92218e681419d83147d9a1b359006c841f45401

SHA512
c12119e073f2132fb0f4d1c7fc7c1cb0f16aba572737fc08148a505d6fd9a03afbcd6b0f7942c098429c7ca98b09621a2c4fddec1aa3c688dfa6a0179557b9e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4e01cc12-0f63-4367-ae5e-7cb18167ad98\files\data2.bin

Filesize
1.9MB

MD5
1ba2eed31eca5e1a7bc3f96e33e8ccf3

SHA1
628ab07e3c09407d33146118aa972393e78ad0b0

SHA256
58a8d56dbb76a953acef0fe9a76a792b0c3fcb717808bcb43cd8fe348ba6a96c

SHA512
2bfca31ff3b634fcd686386a749233f55174ccc7b4f1a3411d10598a7bec4489c328a0d4b66387fc7c8b2c3201c897eb9ac6ab34ff378063bf8bf1ee37e43dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4e01cc12-0f63-4367-ae5e-7cb18167ad98\files\dbgeng.dll

Filesize
1.9MB

MD5
15e98ad4e85a1d0d961c71b2bb8b90b3

SHA1
ba731e2a312325de390aa8222f0cd48e720007f5

SHA256
327561728b548cd760344fa27d04132c8f9d276dea393fb9b2513561b835ca3b

SHA512
729353f9bd06f79acd7e12614d536fbf589ff7ce447bb9f1569d4bd894f783b708a8a3a8f999f3e57b39d580bb912c978ef2bdcc4b7398686dc830fe5bb229eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4e01cc12-0f63-4367-ae5e-7cb18167ad98\files\dbgeng.dll

Filesize
1.9MB

MD5
15e98ad4e85a1d0d961c71b2bb8b90b3

SHA1
ba731e2a312325de390aa8222f0cd48e720007f5

SHA256
327561728b548cd760344fa27d04132c8f9d276dea393fb9b2513561b835ca3b

SHA512
729353f9bd06f79acd7e12614d536fbf589ff7ce447bb9f1569d4bd894f783b708a8a3a8f999f3e57b39d580bb912c978ef2bdcc4b7398686dc830fe5bb229eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4e01cc12-0f63-4367-ae5e-7cb18167ad98\files\dbgeng.dll

Filesize
1.9MB

MD5
15e98ad4e85a1d0d961c71b2bb8b90b3

SHA1
ba731e2a312325de390aa8222f0cd48e720007f5

SHA256
327561728b548cd760344fa27d04132c8f9d276dea393fb9b2513561b835ca3b

SHA512
729353f9bd06f79acd7e12614d536fbf589ff7ce447bb9f1569d4bd894f783b708a8a3a8f999f3e57b39d580bb912c978ef2bdcc4b7398686dc830fe5bb229eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4e01cc12-0f63-4367-ae5e-7cb18167ad98\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4e01cc12-0f63-4367-ae5e-7cb18167ad98\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4e01cc12-0f63-4367-ae5e-7cb18167ad98\msiwrapper.ini

Filesize
1KB

MD5
dd6c9b9a08a8938424fff4d48a78d7a1

SHA1
cd8e2845d82f38a1f04bbc518e39f66fe714ff08

SHA256
a70b0fa02453010fe4ab35b5cc100a606e8cf90f8dbedba461b995fabfd7d896

SHA512
7392485a6b10617afc76721e45a99634e9c5eb1f5da91fb74839611fb2601bf0236496e280fb06f672e7f45a1120a9df23061f28a4e593b73b24383339ddb17d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4e01cc12-0f63-4367-ae5e-7cb18167ad98\msiwrapper.ini

Filesize
370B

MD5
6a8856691cc93376a17a3cbddc0e8076

SHA1
c566ffa31186acc3b7f9850c00d2cdd75aaa4ce1

SHA256
7e02f7a12b9d150a0873e594c6f592229a50e0fe0e7aa8258854839047619283

SHA512
df98b7499c65cf88b8c8ee510fe282f1fa35746fdf3b2110d3db7b4390becee24e9bf44e9d83df3565dffade2f2ce1cc96da0f3afdc5c39043434d5bd6c92318

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4e01cc12-0f63-4367-ae5e-7cb18167ad98\msiwrapper.ini

Filesize
1KB

MD5
7d8bdafeb2720d0a8ddd895ecc0201e0

SHA1
d4d261d2de533a6f8b7f2828c42cb18439b51e70

SHA256
e8c8b981fda3cb3128c54f6c00ec502e19878996983316445359ded47bd52029

SHA512
785171291fd98921868ec372b3f40937fc01db3a01ae4ad9c9d13540a524c36cb6df3669388a6174c2c91d49766269def7f4f56200a24549c72966155ae3b66e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4e01cc12-0f63-4367-ae5e-7cb18167ad98\msiwrapper.ini

Filesize
1KB

MD5
7d8bdafeb2720d0a8ddd895ecc0201e0

SHA1
d4d261d2de533a6f8b7f2828c42cb18439b51e70

SHA256
e8c8b981fda3cb3128c54f6c00ec502e19878996983316445359ded47bd52029

SHA512
785171291fd98921868ec372b3f40937fc01db3a01ae4ad9c9d13540a524c36cb6df3669388a6174c2c91d49766269def7f4f56200a24549c72966155ae3b66e

Download Submit
C:\Windows\Installer\MSI3563.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI3563.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI50CD.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI50CD.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
3b1f3f7fcff0233eb73316e8819a9f3b

SHA1
860bdfc714671cd9dd184463353fd34d39b92775

SHA256
0e36a1921fae1ea577b8fc776610c38a04c7784d0cee07e7d9d2f4b49a79e742

SHA512
a95912472958ad09bf853435de447725b25baf6f3b6af22da777f9f9a8363f74119fe9a2be6c678f3a8cfbfba7ac5fdb76a8a284e7e2a4a5ae9bb21883235936

Download Submit
\??\Volume{345277e1-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{97947278-142e-4d3b-a0ea-e17286151b42}_OnDiskSnapshotProp

Filesize
5KB

MD5
93b04ff6918386fce6473c84d1e6671e

SHA1
f21c5d1c95102a68852b959c3f2e2af9f735bc46

SHA256
2cf7e59c35406ccfad7af1ca1fda91089792c5bf7d95736e3676f156272f7c27

SHA512
f96710909a27fdf849081e97a9545b103f487ed1a9f4b254f3679fba76923fa4ea9cc3ee03b4b16c9d3a2f8f4379e56dac98b7100722c32743bac29c0e6638ea

Download Submit
\??\c:\tmpa\script.au3

Filesize
596KB

MD5
a3ef5b9c4ab8e950ce933d015c24f0fc

SHA1
bb0f4a60bbd8256e42f57d8b0b1269f2ec855428

SHA256
b286eeef01017ef02e18ab6fdf2e5c66ca97825238372e50784ed0baeadf85ca

SHA512
ecccdcddd3836e11f6913c3c3dd6adb95a7aad5be9f8309055f8cc8981be9b6bd850b20f2f7192ef38b983e8d4a2890a0843aac4fbeabd9cd73575a56888f3e5

Download Submit
memory/1816-109-0x0000000003930000-0x0000000003B30000-memory.dmp

Filesize
2.0MB

Download
memory/1816-110-0x0000000004390000-0x0000000004525000-memory.dmp

Filesize
1.6MB

Download
memory/1816-114-0x0000000004390000-0x0000000004525000-memory.dmp

Filesize
1.6MB

Download
memory/4432-101-0x0000000000CF0000-0x0000000000D7A000-memory.dmp

Filesize
552KB

Download
memory/4432-92-0x0000000000E90000-0x0000000001090000-memory.dmp

Filesize
2.0MB

Download
memory/4432-100-0x0000000000E90000-0x0000000001090000-memory.dmp

Filesize
2.0MB

Download
memory/4432-95-0x0000000000CF0000-0x0000000000D7A000-memory.dmp

Filesize
552KB

Download