darkgate | cdd23d5f3168d63370d835eed644272de21b3ff86556053686a485b016fe381f

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2023 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1e070c7d2e26a.msi
Size

8.5MB
MD5

d63fda12b0bcaa5f916d6ee1d1b64315
SHA1

8ec3ecd34f9e62a628c9a75744df348820d1ea2a
SHA256

b2e6c0a826feb05452e6c2377fd0e365c269906c964d2ec7cc45b8608c49137e
SHA512

9c13f112b5ca21332837954357bde4d1cc626e4d928cfbb5caad5a74595081fe82f39e85ff5f2107b81b1eb895f985459a83928762fdfbb8bee8642933a6ce9c
SSDEEP

196608:SeS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9wiVIu653rGDRBX/:SdhVs6WXjX9HZ5AQX32WDSVo5bKBX/

Score

10^/10

darkgate plex discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

PLEX

http://homeservicetreking.com

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
8443
check_disk
false
check_ram
true
check_xeon
true
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
UxRmvbdCWVKFVZ
internal_mutex
txtMut
minimum_disk
20
minimum_ram
6000
ping_interval
4
rootkit
true
startup_persistence
true
username
PLEX

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Executes dropped EXE 2 IoCs

Processes:

windbg.exeAutoit3.exe

pid process

3236 windbg.exe
1300 Autoit3.exe
Loads dropped DLL 4 IoCs

Processes:

MsiExec.exewindbg.exe

pid process

2688 MsiExec.exe
3236 windbg.exe
3236 windbg.exe
2688 MsiExec.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

ICACLS.EXEICACLS.EXE

pid process

3092 ICACLS.EXE
2580 ICACLS.EXE

pid	process
3236	windbg.exe
1300	Autoit3.exe

pid	process
2688	MsiExec.exe
3236	windbg.exe
3236	windbg.exe
2688	MsiExec.exe

pid	process
3092	ICACLS.EXE
2580	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exeEXPAND.EXE

description	ioc	process
File opened for modification	C:\Windows\Installer\e5963c1.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{996AC2B8-59E8-4BCC-BA89-0CF32BCF1392}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6548.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File created	C:\Windows\Installer\e5963c1.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8EAB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8EAC.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000326c22034809cb6a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000326c22030000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900326c2203000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d326c2203000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000326c220300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Autoit3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

4104 msiexec.exe
4104 msiexec.exe

pid	process
4104	msiexec.exe
4104	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	4108	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4108	msiexec.exe
Token: SeSecurityPrivilege	4104	msiexec.exe
Token: SeCreateTokenPrivilege	4108	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4108	msiexec.exe
Token: SeLockMemoryPrivilege	4108	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4108	msiexec.exe
Token: SeMachineAccountPrivilege	4108	msiexec.exe
Token: SeTcbPrivilege	4108	msiexec.exe
Token: SeSecurityPrivilege	4108	msiexec.exe
Token: SeTakeOwnershipPrivilege	4108	msiexec.exe
Token: SeLoadDriverPrivilege	4108	msiexec.exe
Token: SeSystemProfilePrivilege	4108	msiexec.exe
Token: SeSystemtimePrivilege	4108	msiexec.exe
Token: SeProfSingleProcessPrivilege	4108	msiexec.exe
Token: SeIncBasePriorityPrivilege	4108	msiexec.exe
Token: SeCreatePagefilePrivilege	4108	msiexec.exe
Token: SeCreatePermanentPrivilege	4108	msiexec.exe
Token: SeBackupPrivilege	4108	msiexec.exe
Token: SeRestorePrivilege	4108	msiexec.exe
Token: SeShutdownPrivilege	4108	msiexec.exe
Token: SeDebugPrivilege	4108	msiexec.exe
Token: SeAuditPrivilege	4108	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4108	msiexec.exe
Token: SeChangeNotifyPrivilege	4108	msiexec.exe
Token: SeRemoteShutdownPrivilege	4108	msiexec.exe
Token: SeUndockPrivilege	4108	msiexec.exe
Token: SeSyncAgentPrivilege	4108	msiexec.exe
Token: SeEnableDelegationPrivilege	4108	msiexec.exe
Token: SeManageVolumePrivilege	4108	msiexec.exe
Token: SeImpersonatePrivilege	4108	msiexec.exe
Token: SeCreateGlobalPrivilege	4108	msiexec.exe
Token: SeBackupPrivilege	376	vssvc.exe
Token: SeRestorePrivilege	376	vssvc.exe
Token: SeAuditPrivilege	376	vssvc.exe
Token: SeBackupPrivilege	4104	msiexec.exe
Token: SeRestorePrivilege	4104	msiexec.exe
Token: SeRestorePrivilege	4104	msiexec.exe
Token: SeTakeOwnershipPrivilege	4104	msiexec.exe
Token: SeRestorePrivilege	4104	msiexec.exe
Token: SeTakeOwnershipPrivilege	4104	msiexec.exe
Token: SeBackupPrivilege	1752	srtasks.exe
Token: SeRestorePrivilege	1752	srtasks.exe
Token: SeSecurityPrivilege	1752	srtasks.exe
Token: SeTakeOwnershipPrivilege	1752	srtasks.exe
Token: SeRestorePrivilege	4104	msiexec.exe
Token: SeTakeOwnershipPrivilege	4104	msiexec.exe
Token: SeRestorePrivilege	4104	msiexec.exe
Token: SeTakeOwnershipPrivilege	4104	msiexec.exe
Token: SeBackupPrivilege	1752	srtasks.exe
Token: SeRestorePrivilege	1752	srtasks.exe
Token: SeSecurityPrivilege	1752	srtasks.exe
Token: SeTakeOwnershipPrivilege	1752	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

4108 msiexec.exe
4108 msiexec.exe

pid	process
4108	msiexec.exe
4108	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

msiexec.exeMsiExec.exewindbg.exe

description	pid	process	target process
PID 4104 wrote to memory of 1752	4104	msiexec.exe	srtasks.exe
PID 4104 wrote to memory of 1752	4104	msiexec.exe	srtasks.exe
PID 4104 wrote to memory of 2688	4104	msiexec.exe	MsiExec.exe
PID 4104 wrote to memory of 2688	4104	msiexec.exe	MsiExec.exe
PID 4104 wrote to memory of 2688	4104	msiexec.exe	MsiExec.exe
PID 2688 wrote to memory of 3092	2688	MsiExec.exe	ICACLS.EXE
PID 2688 wrote to memory of 3092	2688	MsiExec.exe	ICACLS.EXE
PID 2688 wrote to memory of 3092	2688	MsiExec.exe	ICACLS.EXE
PID 2688 wrote to memory of 4976	2688	MsiExec.exe	EXPAND.EXE
PID 2688 wrote to memory of 4976	2688	MsiExec.exe	EXPAND.EXE
PID 2688 wrote to memory of 4976	2688	MsiExec.exe	EXPAND.EXE
PID 2688 wrote to memory of 3236	2688	MsiExec.exe	windbg.exe
PID 2688 wrote to memory of 3236	2688	MsiExec.exe	windbg.exe
PID 2688 wrote to memory of 3236	2688	MsiExec.exe	windbg.exe
PID 3236 wrote to memory of 1300	3236	windbg.exe	Autoit3.exe
PID 3236 wrote to memory of 1300	3236	windbg.exe	Autoit3.exe
PID 3236 wrote to memory of 1300	3236	windbg.exe	Autoit3.exe
PID 2688 wrote to memory of 2580	2688	MsiExec.exe	ICACLS.EXE
PID 2688 wrote to memory of 2580	2688	MsiExec.exe	ICACLS.EXE
PID 2688 wrote to memory of 2580	2688	MsiExec.exe	ICACLS.EXE

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1e070c7d2e26a.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4108

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 83577C9C4A2FCD949247C36ABA2FD1F1
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2688

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-64cb37a8-53a2-4512-8976-1452835ddc11\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
3⤵
- Modifies file permissions
PID:3092

C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
3⤵
- Drops file in Windows directory
PID:4976

C:\Users\Admin\AppData\Local\Temp\MW-64cb37a8-53a2-4512-8976-1452835ddc11\files\windbg.exe
"C:\Users\Admin\AppData\Local\Temp\MW-64cb37a8-53a2-4512-8976-1452835ddc11\files\windbg.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3236

\??\c:\tmpa\Autoit3.exe
c:\tmpa\Autoit3.exe c:\tmpa\script.au3
4⤵
- Executes dropped EXE
- Checks processor information in registry
PID:1300

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-64cb37a8-53a2-4512-8976-1452835ddc11\." /SETINTEGRITYLEVEL (CI)(OI)LOW
3⤵
- Modifies file permissions
PID:2580

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-64cb37a8-53a2-4512-8976-1452835ddc11\files.cab
Filesize
8.3MB

MD5
95bc65caa64ad58cfd30c87fb13fec37

SHA1
539d20551c1467f37dfb1d3723025c190c0bb493

SHA256
fcc1093485b69f3e9d9457ddd58206f018fe96bbb667c73c2fbc845a4c358206

SHA512
77153ec463ba754b93931081ae8290ec282c03841ffc32d22e6901d7e8c170138c4fb8282220b9cdd956a00bb5a42859419f8ded97db9ce26dd19c02b765aac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-64cb37a8-53a2-4512-8976-1452835ddc11\files\00004-4001132497.png
Filesize
1.1MB

MD5
2ccc17c1a5bb5e656e7f3bb09ff0beff

SHA1
05866cf7dd5fa99ea852b01c2791b30e7741ea19

SHA256
411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2

SHA512
46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-64cb37a8-53a2-4512-8976-1452835ddc11\files\00005-3546315028.png
Filesize
1.8MB

MD5
dee56d4f89c71ea6c4f1e75b82f2e9c9

SHA1
293ce531cddbf4034782d5dfed1e35c807d75c52

SHA256
a8f1ffb62d49d35a0f838f358614333e3d5d68ce5409fdfefcd1aa218d4639cf

SHA512
e8c38dc1d7a49d9cb919eae5294cc64379a933cdbd5427ed38c5f915271655f9bd6363e131f9d8a74ffdda23c7b155cc5200ddf999339ea611b98e74355faa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-64cb37a8-53a2-4512-8976-1452835ddc11\files\00006-3546315029.png
Filesize
1.8MB

MD5
173a98c6c7a166db7c3caa3a06fec06c

SHA1
3c562051f42353e72ba87b6f54744f6d0107df86

SHA256
212a80b3f8e68d00dbd8fc55fc8c4b30ee996348262d5d37e8b3f431a4b2fdad

SHA512
9dcd341937eff32762767d3538499d211f5a50fddb4e83d5d1afbeb87a5420c1fb9952ef2ecc744c460b7d53baa2bffbe99087a9f794d25ba78d1af61ea8b54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-64cb37a8-53a2-4512-8976-1452835ddc11\files\00007-3546315030.png
Filesize
1.6MB

MD5
94b4895b7b8a60481393b7b8c22ad742

SHA1
902796c4aee78ab74e7ba5004625d797d83a8787

SHA256
f449409c8747d8e73ac7f8539c6e26d526ef51d267fed40eadce138389db5973

SHA512
d1ed6f5a1920eca041a683d71ac562058bc513877e3ae8be18888797d0713e25964c610428f9474d9b539097441002275e1f0023a565bd205cd4153ac282b61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-64cb37a8-53a2-4512-8976-1452835ddc11\files\data.bin
Filesize
92KB

MD5
175da1ba3139e5196fab23f1631c5c5d

SHA1
6174d9b24e149418e08af79045b1d8eb1dd03b99

SHA256
85ddfeabb5d31a71c1297d7d6c894ca915de9d267f345cafa5871a2701ae8894

SHA512
6271c5058442e0530f6df451761c4489493f8320518447aaea3b89e20430fa2291c99493b11389bfcd0b3da0ecbb4c5a85ace69c0c2f081db74a97274c2a2ebd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-64cb37a8-53a2-4512-8976-1452835ddc11\files\data2.bin
Filesize
1.8MB

MD5
6789c4500f158ea0a20356a2ec530cae

SHA1
df8642ade1e4b2bf0e623ddd54d02c2952f78f07

SHA256
3abd9c5ad3e43ec44ce355a0b378aa5596988ae4fa5e32eeb124515fdac52773

SHA512
2bc9c1b448d28311182bbdd4c5dd6522b3d694907ce58da31e7b3a14fc01b3f532032d568dc83a5cf75bdc3d978c2298d2087793adb7d03763fe9dc0a3bf2491

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-64cb37a8-53a2-4512-8976-1452835ddc11\files\dbgeng.dll
Filesize
1.9MB

MD5
893fd607902a4cebceb787ddce21d35e

SHA1
51c7998af63844396e78ac802cef86e7b8bba0b8

SHA256
b6a092efcbb8883009dddd855af3d006a691ca533c421676348ebc7018a03898

SHA512
7a114093b672ce214e1bf3add84f24b98dc9bdb5e9691fb4b06394e038e201c3b2241b34f2c548d4454067cd51a6dc787e023c05a180d89c6ecd9b261651bbbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-64cb37a8-53a2-4512-8976-1452835ddc11\files\dbgeng.dll
Filesize
1.9MB

MD5
893fd607902a4cebceb787ddce21d35e

SHA1
51c7998af63844396e78ac802cef86e7b8bba0b8

SHA256
b6a092efcbb8883009dddd855af3d006a691ca533c421676348ebc7018a03898

SHA512
7a114093b672ce214e1bf3add84f24b98dc9bdb5e9691fb4b06394e038e201c3b2241b34f2c548d4454067cd51a6dc787e023c05a180d89c6ecd9b261651bbbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-64cb37a8-53a2-4512-8976-1452835ddc11\files\dbgeng.dll
Filesize
1.9MB

MD5
893fd607902a4cebceb787ddce21d35e

SHA1
51c7998af63844396e78ac802cef86e7b8bba0b8

SHA256
b6a092efcbb8883009dddd855af3d006a691ca533c421676348ebc7018a03898

SHA512
7a114093b672ce214e1bf3add84f24b98dc9bdb5e9691fb4b06394e038e201c3b2241b34f2c548d4454067cd51a6dc787e023c05a180d89c6ecd9b261651bbbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-64cb37a8-53a2-4512-8976-1452835ddc11\files\windbg.exe
Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-64cb37a8-53a2-4512-8976-1452835ddc11\files\windbg.exe
Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-64cb37a8-53a2-4512-8976-1452835ddc11\msiwrapper.ini
Filesize
1KB

MD5
dc086ae7a217b667449ef8ab76cfa4ca

SHA1
ee7901c9e442de259684be4d6b86920aaeb8699f

SHA256
76f3924942e98805bdb2aef00dec7b5546bd0a9686299b0434b6ca9daad72af9

SHA512
782c85b1ba422ae5d3dac2b7496a0d66d3dd2a5f1280f4a3af943c1a3d03c614460cd6c486d678380cbfe592901eb51c310e4140e8d19ca3eca6fdd873521cde

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-64cb37a8-53a2-4512-8976-1452835ddc11\msiwrapper.ini
Filesize
370B

MD5
d0ed1c838a17fc3dc48935d3630dea2f

SHA1
4e27f33c14ab69addbb6b11bd9a0771c230b8984

SHA256
272cd21eaf976abc6843ca1960ab97bde7027544e1b2667209a0378cf62ce36c

SHA512
833684bfb13ca46e40fc172049122f178f73e680b3bbcefc39ecf2e537905bc78339b8310e5733f010776c3dc04e92c8ed79cc938bc4741d361b34c928181777

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-64cb37a8-53a2-4512-8976-1452835ddc11\msiwrapper.ini
Filesize
1010B

MD5
187da1d03086cd06ad5d386c553d570d

SHA1
db59725d177d644292b4b3bf509ce3d5e8df97a3

SHA256
d0739d851916eefcf697fa90d9d85b5ef136942c08d92cee202d3c6b43949584

SHA512
4d6130367fe5e801c1afd03448c7fbc55f9359e91e31be4943670bda3ffa5c4b781db5646cd7c227e34d42147a3b1b0fffd2f8f9536c311dc8d59b185e7a2e39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-64cb37a8-53a2-4512-8976-1452835ddc11\msiwrapper.ini
Filesize
1KB

MD5
5df0d964b46829e1f3b2d551a8f63fce

SHA1
3642c384f493335167262cec9038491931341c06

SHA256
778e3c589771b54c57b31b301f5efc5443055c24d6c66dbc529b05953ab40f8f

SHA512
70abf229e4474f18cdea0d96fdce5e48fc6437568af7c36d9f9edceaa30dca6f3a27eeabbf9dc3b35ae30da882729f030bc692c69fe8a74ee400dc146b72c7e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-64cb37a8-53a2-4512-8976-1452835ddc11\msiwrapper.ini
Filesize
1KB

MD5
5df0d964b46829e1f3b2d551a8f63fce

SHA1
3642c384f493335167262cec9038491931341c06

SHA256
778e3c589771b54c57b31b301f5efc5443055c24d6c66dbc529b05953ab40f8f

SHA512
70abf229e4474f18cdea0d96fdce5e48fc6437568af7c36d9f9edceaa30dca6f3a27eeabbf9dc3b35ae30da882729f030bc692c69fe8a74ee400dc146b72c7e1

Download Submit
C:\Windows\Installer\MSI6548.tmp
Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI6548.tmp
Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI8EAC.tmp
Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI8EAC.tmp
Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\tmpa\Autoit3.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
6e29c11e6552b7aab72d118afcf5770d

SHA1
fdce3955f22f009a9fb2538d18fe554b354368e4

SHA256
6a82083d09d4f264380fc265008f358fa8a9d02a3c4a3abb23efaca3017629d1

SHA512
7653f55151fe8fcdd3b8a85999847520e58245c4f2152cfa9df81c7dfdc22020b66649f4a57f1f6168daed6c87ff76e418eb4a975e2936124ad7d4ab670d7a5a

Download Submit
\??\Volume{03226c32-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{39433c2b-66c0-465b-bfe7-095580655b3b}_OnDiskSnapshotProp
Filesize
5KB

MD5
517f015c4b1b31560ccdf33765681daa

SHA1
88dc329409926b26932bdf175d6223203036ceb4

SHA256
36a9689cd64d8496dd1dd9b035c9c9bcab7c4ee422f2a5cd8b4b9f681114e066

SHA512
2f32242f0aed3ca0ab4bee6961ebc17411bb370a2f2244e9964b51cb2a5c29bf99aa19738bd0e1e2a286946f8322f7f86ba3e967368f37cda7bb5d65a4509415

Download Submit
\??\c:\tmpa\script.au3
Filesize
525KB

MD5
8d68640ef1f8448ffb3431f5c757b4cb

SHA1
4a961594137184fdd5c9fbe22bef77a6384c3d40

SHA256
147406be6ee73373bb9e1650a3be6a5919d973647ededaf3018be51c29e9fdf3

SHA512
148c3b3ff25d208652ba24e35e0bd7f9f914e7682b18efe2ba2c9fdaabe2ee0f20aa6e7607af9e66f92cf8c905f0420deca354269332b44b217281fd0af4fceb

Download Submit
memory/1300-119-0x0000000003350000-0x0000000003450000-memory.dmp

Filesize
1024KB

Download
memory/1300-120-0x0000000003A30000-0x0000000003BC5000-memory.dmp

Filesize
1.6MB

Download
memory/1300-121-0x0000000003A30000-0x0000000003BC5000-memory.dmp

Filesize
1.6MB

Download
memory/3236-107-0x0000000002490000-0x000000000251A000-memory.dmp

Filesize
552KB

Download
memory/3236-106-0x00000000007F0000-0x00000000009F0000-memory.dmp

Filesize
2.0MB

Download
memory/3236-96-0x00000000007F0000-0x00000000009F0000-memory.dmp

Filesize
2.0MB

Download
memory/3236-99-0x0000000002490000-0x000000000251A000-memory.dmp

Filesize
552KB

Download