darkgate | eebf1a462cb8ea88eee8af609fc35d3640a2d5b42355f5d6197c7f51a4bac0bb

Analysis

max time kernel
146s
max time network
130s
platform
windows7_x64
resource
win7-20231020-en
resource tags

arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
submitted
08-11-2023 15:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70c79c1d95907c47.msi
Size

8.5MB
MD5

4e176a52cd2a43e85549cd10cef5b1f0
SHA1

322a3e3fe1f260493a6f5704608e0bbea15199d6
SHA256

eebf1a462cb8ea88eee8af609fc35d3640a2d5b42355f5d6197c7f51a4bac0bb
SHA512

ea9d8b7101bafeae56b2f0d778fba5440652d88e70ad589be576fcab01d5c41505c1cb14dbcc2a34772da143160e41f694c0b4b5667537838af289a63c537e47
SSDEEP

196608:ieS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9vBiRU/MwZF:idhVs6WXjX9HZ5AQX32WDo0A

Score

10^/10

darkgate plex discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

PLEX

http://homeservicetreking.com

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
8443
check_disk
false
check_ram
true
check_xeon
true
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
tJAEBsRlHobUrN
internal_mutex
txtMut
minimum_disk
18
minimum_ram
6009
ping_interval
4
rootkit
true
startup_persistence
true
username
PLEX

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Executes dropped EXE 2 IoCs

pid	Process
2464	windbg.exe
432	Autoit3.exe

Loads dropped DLL 7 IoCs

pid	Process
1924	MsiExec.exe
1924	MsiExec.exe
1924	MsiExec.exe
1924	MsiExec.exe
1924	MsiExec.exe
2464	windbg.exe
2464	windbg.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1552	ICACLS.EXE
1496	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF0A6.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\f77e87c.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\f77e87b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f77e87b.msi	msiexec.exe
File created	C:\Windows\Installer\f77e87c.ipi	msiexec.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2684	msiexec.exe
2684	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1140	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1140	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1140	msiexec.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe
Token: SeSecurityPrivilege	2684	msiexec.exe
Token: SeCreateTokenPrivilege	1140	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1140	msiexec.exe
Token: SeLockMemoryPrivilege	1140	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1140	msiexec.exe
Token: SeMachineAccountPrivilege	1140	msiexec.exe
Token: SeTcbPrivilege	1140	msiexec.exe
Token: SeSecurityPrivilege	1140	msiexec.exe
Token: SeTakeOwnershipPrivilege	1140	msiexec.exe
Token: SeLoadDriverPrivilege	1140	msiexec.exe
Token: SeSystemProfilePrivilege	1140	msiexec.exe
Token: SeSystemtimePrivilege	1140	msiexec.exe
Token: SeProfSingleProcessPrivilege	1140	msiexec.exe
Token: SeIncBasePriorityPrivilege	1140	msiexec.exe
Token: SeCreatePagefilePrivilege	1140	msiexec.exe
Token: SeCreatePermanentPrivilege	1140	msiexec.exe
Token: SeBackupPrivilege	1140	msiexec.exe
Token: SeRestorePrivilege	1140	msiexec.exe
Token: SeShutdownPrivilege	1140	msiexec.exe
Token: SeDebugPrivilege	1140	msiexec.exe
Token: SeAuditPrivilege	1140	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1140	msiexec.exe
Token: SeChangeNotifyPrivilege	1140	msiexec.exe
Token: SeRemoteShutdownPrivilege	1140	msiexec.exe
Token: SeUndockPrivilege	1140	msiexec.exe
Token: SeSyncAgentPrivilege	1140	msiexec.exe
Token: SeEnableDelegationPrivilege	1140	msiexec.exe
Token: SeManageVolumePrivilege	1140	msiexec.exe
Token: SeImpersonatePrivilege	1140	msiexec.exe
Token: SeCreateGlobalPrivilege	1140	msiexec.exe
Token: SeBackupPrivilege	2804	vssvc.exe
Token: SeRestorePrivilege	2804	vssvc.exe
Token: SeAuditPrivilege	2804	vssvc.exe
Token: SeBackupPrivilege	2684	msiexec.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeRestorePrivilege	3048	DrvInst.exe
Token: SeRestorePrivilege	3048	DrvInst.exe
Token: SeRestorePrivilege	3048	DrvInst.exe
Token: SeRestorePrivilege	3048	DrvInst.exe
Token: SeRestorePrivilege	3048	DrvInst.exe
Token: SeRestorePrivilege	3048	DrvInst.exe
Token: SeRestorePrivilege	3048	DrvInst.exe
Token: SeLoadDriverPrivilege	3048	DrvInst.exe
Token: SeLoadDriverPrivilege	3048	DrvInst.exe
Token: SeLoadDriverPrivilege	3048	DrvInst.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe
Token: SeRestorePrivilege	2684	msiexec.exe
Token: SeTakeOwnershipPrivilege	2684	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1140	msiexec.exe
1140	msiexec.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 1924	2684	msiexec.exe	34
PID 2684 wrote to memory of 1924	2684	msiexec.exe	34
PID 2684 wrote to memory of 1924	2684	msiexec.exe	34
PID 2684 wrote to memory of 1924	2684	msiexec.exe	34
PID 2684 wrote to memory of 1924	2684	msiexec.exe	34
PID 2684 wrote to memory of 1924	2684	msiexec.exe	34
PID 2684 wrote to memory of 1924	2684	msiexec.exe	34
PID 1924 wrote to memory of 1552	1924	MsiExec.exe	35
PID 1924 wrote to memory of 1552	1924	MsiExec.exe	35
PID 1924 wrote to memory of 1552	1924	MsiExec.exe	35
PID 1924 wrote to memory of 1552	1924	MsiExec.exe	35
PID 1924 wrote to memory of 2104	1924	MsiExec.exe	37
PID 1924 wrote to memory of 2104	1924	MsiExec.exe	37
PID 1924 wrote to memory of 2104	1924	MsiExec.exe	37
PID 1924 wrote to memory of 2104	1924	MsiExec.exe	37
PID 1924 wrote to memory of 2464	1924	MsiExec.exe	39
PID 1924 wrote to memory of 2464	1924	MsiExec.exe	39
PID 1924 wrote to memory of 2464	1924	MsiExec.exe	39
PID 1924 wrote to memory of 2464	1924	MsiExec.exe	39
PID 1924 wrote to memory of 2464	1924	MsiExec.exe	39
PID 1924 wrote to memory of 2464	1924	MsiExec.exe	39
PID 1924 wrote to memory of 2464	1924	MsiExec.exe	39
PID 2464 wrote to memory of 432	2464	windbg.exe	40
PID 2464 wrote to memory of 432	2464	windbg.exe	40
PID 2464 wrote to memory of 432	2464	windbg.exe	40
PID 2464 wrote to memory of 432	2464	windbg.exe	40
PID 1924 wrote to memory of 2036	1924	MsiExec.exe	41
PID 1924 wrote to memory of 2036	1924	MsiExec.exe	41
PID 1924 wrote to memory of 2036	1924	MsiExec.exe	41
PID 1924 wrote to memory of 2036	1924	MsiExec.exe	41
PID 1924 wrote to memory of 1496	1924	MsiExec.exe	43
PID 1924 wrote to memory of 1496	1924	MsiExec.exe	43
PID 1924 wrote to memory of 1496	1924	MsiExec.exe	43
PID 1924 wrote to memory of 1496	1924	MsiExec.exe	43

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\70c79c1d95907c47.msi
1⤵
- Enumerates connected drives
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1140

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1C125174329FA7F5385327B1A1661243
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1924
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:1552
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:2104
- - C:\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - \??\c:\tmpa\Autoit3.exe
      c:\tmpa\Autoit3.exe c:\tmpa\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:432
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\files"
    3⤵
    PID:2036
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:1496

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000574" "00000000000003AC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\files.cab

Filesize
8.2MB

MD5
c6fcab2f18464ca81312ff555f277766

SHA1
c80fc589cea0864caad5ca1c5f68c79141d32568

SHA256
daf28b35267d95cafff61b0b9821405704a60130b491262f69b7092276ee7b0f

SHA512
117645359ce1a7f3b88b78c0174ac929a204a234beb81344190ee776870c4bce8b07385bca6f670dc71ecbc702294ac61e6e07330f9482bf3ec5efb16464ccce

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\files\00004-~1.PNG

Filesize
1.1MB

MD5
2ccc17c1a5bb5e656e7f3bb09ff0beff

SHA1
05866cf7dd5fa99ea852b01c2791b30e7741ea19

SHA256
411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2

SHA512
46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\files\00005-~1.PNG

Filesize
1.8MB

MD5
dee56d4f89c71ea6c4f1e75b82f2e9c9

SHA1
293ce531cddbf4034782d5dfed1e35c807d75c52

SHA256
a8f1ffb62d49d35a0f838f358614333e3d5d68ce5409fdfefcd1aa218d4639cf

SHA512
e8c38dc1d7a49d9cb919eae5294cc64379a933cdbd5427ed38c5f915271655f9bd6363e131f9d8a74ffdda23c7b155cc5200ddf999339ea611b98e74355faa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\files\00006-~1.PNG

Filesize
1.8MB

MD5
173a98c6c7a166db7c3caa3a06fec06c

SHA1
3c562051f42353e72ba87b6f54744f6d0107df86

SHA256
212a80b3f8e68d00dbd8fc55fc8c4b30ee996348262d5d37e8b3f431a4b2fdad

SHA512
9dcd341937eff32762767d3538499d211f5a50fddb4e83d5d1afbeb87a5420c1fb9952ef2ecc744c460b7d53baa2bffbe99087a9f794d25ba78d1af61ea8b54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\files\00007-~1.PNG

Filesize
1.6MB

MD5
94b4895b7b8a60481393b7b8c22ad742

SHA1
902796c4aee78ab74e7ba5004625d797d83a8787

SHA256
f449409c8747d8e73ac7f8539c6e26d526ef51d267fed40eadce138389db5973

SHA512
d1ed6f5a1920eca041a683d71ac562058bc513877e3ae8be18888797d0713e25964c610428f9474d9b539097441002275e1f0023a565bd205cd4153ac282b61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\files\data.bin

Filesize
92KB

MD5
c60e2e0bea006298e78a5f014a670263

SHA1
c354a0ea8539020b8b2f77e84ba07215524d6e36

SHA256
57bdb6ea4950552ca0ca96afbdd44174cf14c8790844df5ec313658bb95ed49b

SHA512
a2d2657ee40750aa6a6bd6322dbb6460f7ed42eec9c606a904dac9dd6161247fe395ff1af7f7bd9eee6c9c550c6098de6759d46ccbf6b0e24589c7606b4412f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\files\data2.bin

Filesize
1.8MB

MD5
b1927af0305d495aba773d8c9e0f708f

SHA1
ed6aff796ca21e3edeedd8116045e77a725be43d

SHA256
caa1a27b0bc5b84427051f8f2d16fd28d9038cc4d2a31594ffd322a7d5cf9bdd

SHA512
ded3ad9f9c881c32fdb543ecb3f13919e2efcaeed6079ad2b2232f5ff931a5e651c185dac791988095d9df6d7c08996ff992f8bb48029b5c2ec35628bece18a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\files\dbgeng.dll

Filesize
1.9MB

MD5
bb74fa8dcec94e66fde2fdf2e3ad37c0

SHA1
f1b95db22c5089281e28040b6c515399a00cba3f

SHA256
d56ee9c7e923ab6e17c65e44674d897aba30abe6625b6bc3dad5e609f14679ca

SHA512
83db8d30f8c5b50a9aa8f1f5f9cb9e1a28b5b7136ff00abf7e3f7ef16d2bc8a96808826ce5fdc4c486670f1edfd1c34492ba5ed2c9c245b4958c492b58dca790

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\msiwrapper.ini

Filesize
330B

MD5
7549566f2663d8124431ab0df03c3e12

SHA1
97b0052a51631b326b7705b7e074323f4f12562b

SHA256
a59e42761b7c823cbf7df55bfca81ed706178cb342927775761176f11a06dab8

SHA512
0e92790098786e85c1e8c3650fc86ce84603d301658ac216c6794d427db9ea0058bd290a5d44e434356d59acc784807989afd44c994c1e2f1d5098d79086237c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\msiwrapper.ini

Filesize
1KB

MD5
2815056f7f2550e2441a2ef0d6f8ef29

SHA1
ecc1e875d1e00e73961910a81597fbebb7e2619b

SHA256
fd983827bcd1152e9c43d63bbedcc10c591cf4574b3df62d87f7b7e39e1ad61a

SHA512
84e55ad7b084e42c31601a658b1a939f0b4ab4478bcd46ea410b4ce73cb79a48555ef06730a5c7f51ed99c06019c120d9b985f9a019ceff345f35ca870e990a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\msiwrapper.ini

Filesize
1KB

MD5
2815056f7f2550e2441a2ef0d6f8ef29

SHA1
ecc1e875d1e00e73961910a81597fbebb7e2619b

SHA256
fd983827bcd1152e9c43d63bbedcc10c591cf4574b3df62d87f7b7e39e1ad61a

SHA512
84e55ad7b084e42c31601a658b1a939f0b4ab4478bcd46ea410b4ce73cb79a48555ef06730a5c7f51ed99c06019c120d9b985f9a019ceff345f35ca870e990a9

Download Submit
C:\Windows\Installer\MSIF0A6.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\tmpa\script.au3

Filesize
496KB

MD5
8b186ded457b74ed70971664bdcf9507

SHA1
b8d0905b3f572c40e839a8775a877bdabe1752c8

SHA256
309f35590cb88265c3aa7984ed1e78ab28046a7489dfce881e724d2f089d45b8

SHA512
7d138fb03b473b0c39aeae819a60baaa6c624731d182afec4a36b6997c87de06364181934b8b5e9924d406531b1ef8a45b4a38806e70be91553fe98c1dc31b76

Download Submit
\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\files\dbgeng.dll

Filesize
1.9MB

MD5
bb74fa8dcec94e66fde2fdf2e3ad37c0

SHA1
f1b95db22c5089281e28040b6c515399a00cba3f

SHA256
d56ee9c7e923ab6e17c65e44674d897aba30abe6625b6bc3dad5e609f14679ca

SHA512
83db8d30f8c5b50a9aa8f1f5f9cb9e1a28b5b7136ff00abf7e3f7ef16d2bc8a96808826ce5fdc4c486670f1edfd1c34492ba5ed2c9c245b4958c492b58dca790

Download Submit
\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
\Users\Admin\AppData\Local\Temp\MW-c8a2973c-d900-4557-93b0-862a1eb58072\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
\Windows\Installer\MSIF0A6.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
memory/432-115-0x0000000000BE0000-0x0000000000FE0000-memory.dmp

Filesize
4.0MB

Download
memory/432-114-0x0000000002EB0000-0x0000000003045000-memory.dmp

Filesize
1.6MB

Download
memory/2464-103-0x0000000000BE0000-0x0000000000C6A000-memory.dmp

Filesize
552KB

Download
memory/2464-110-0x0000000000400000-0x0000000000600000-memory.dmp

Filesize
2.0MB

Download
memory/2464-112-0x0000000000BE0000-0x0000000000C6A000-memory.dmp

Filesize
552KB

Download