darkgate | 6da198925581418863170f05b832cd1584b923278d0730d779a30ec96513111d

Analysis

max time kernel
142s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2023 16:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1c532f2594.msi
Size

8.5MB
MD5

fbf5d7b4c5f0e86a95b4fcd5c5ccc534
SHA1

51588315ff4ae36412c337361ea65f84810938d8
SHA256

6da198925581418863170f05b832cd1584b923278d0730d779a30ec96513111d
SHA512

3ef2d34071fc10bed59dbe60df3789524f62b89284cc011f1ab0a790196f9010ef6fa41d809947f52668918aa72c90c17211d6be82707b0f8099df548fb40588
SSDEEP

196608:0eS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9OtaQCK0Ex7FVJi0:0dhVs6WXjX9HZ5AQX32WDb0ExZV8

Score

10^/10

darkgate plex discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

PLEX

http://jordanmikejeforse.com

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
8443
check_disk
false
check_ram
true
check_xeon
true
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
yIzFYincIffips
internal_mutex
txtMut
minimum_disk
20
minimum_ram
6000
ping_interval
4
rootkit
true
startup_persistence
true
username
PLEX

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Executes dropped EXE 2 IoCs

Processes:

windbg.exeAutoit3.exe

pid process

1620 windbg.exe
116 Autoit3.exe
Loads dropped DLL 4 IoCs

Processes:

MsiExec.exewindbg.exe

pid process

1660 MsiExec.exe
1620 windbg.exe
1620 windbg.exe
1660 MsiExec.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

ICACLS.EXEICACLS.EXE

pid process

4968 ICACLS.EXE
5000 ICACLS.EXE

pid	process
1620	windbg.exe
116	Autoit3.exe

pid	process
1660	MsiExec.exe
1620	windbg.exe
1620	windbg.exe
1660	MsiExec.exe

pid	process
4968	ICACLS.EXE
5000	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in Windows directory 11 IoCs

Processes:

msiexec.exeEXPAND.EXE

description	ioc	process
File created	C:\Windows\Installer\SourceHash{D70D8767-7D90-4463-918C-930A0DC2454D}	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2AA5.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI3E5D.tmp	msiexec.exe
File created	C:\Windows\Installer\e582853.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e582853.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3E5E.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e909c866916b25070000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e909c8660000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e909c866000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de909c866000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e909c86600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Autoit3.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

msiexec.exe

pid process

4372 msiexec.exe
4372 msiexec.exe

pid	process
4372	msiexec.exe
4372	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	2772	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2772	msiexec.exe
Token: SeSecurityPrivilege	4372	msiexec.exe
Token: SeCreateTokenPrivilege	2772	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2772	msiexec.exe
Token: SeLockMemoryPrivilege	2772	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2772	msiexec.exe
Token: SeMachineAccountPrivilege	2772	msiexec.exe
Token: SeTcbPrivilege	2772	msiexec.exe
Token: SeSecurityPrivilege	2772	msiexec.exe
Token: SeTakeOwnershipPrivilege	2772	msiexec.exe
Token: SeLoadDriverPrivilege	2772	msiexec.exe
Token: SeSystemProfilePrivilege	2772	msiexec.exe
Token: SeSystemtimePrivilege	2772	msiexec.exe
Token: SeProfSingleProcessPrivilege	2772	msiexec.exe
Token: SeIncBasePriorityPrivilege	2772	msiexec.exe
Token: SeCreatePagefilePrivilege	2772	msiexec.exe
Token: SeCreatePermanentPrivilege	2772	msiexec.exe
Token: SeBackupPrivilege	2772	msiexec.exe
Token: SeRestorePrivilege	2772	msiexec.exe
Token: SeShutdownPrivilege	2772	msiexec.exe
Token: SeDebugPrivilege	2772	msiexec.exe
Token: SeAuditPrivilege	2772	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2772	msiexec.exe
Token: SeChangeNotifyPrivilege	2772	msiexec.exe
Token: SeRemoteShutdownPrivilege	2772	msiexec.exe
Token: SeUndockPrivilege	2772	msiexec.exe
Token: SeSyncAgentPrivilege	2772	msiexec.exe
Token: SeEnableDelegationPrivilege	2772	msiexec.exe
Token: SeManageVolumePrivilege	2772	msiexec.exe
Token: SeImpersonatePrivilege	2772	msiexec.exe
Token: SeCreateGlobalPrivilege	2772	msiexec.exe
Token: SeBackupPrivilege	2592	vssvc.exe
Token: SeRestorePrivilege	2592	vssvc.exe
Token: SeAuditPrivilege	2592	vssvc.exe
Token: SeBackupPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeRestorePrivilege	4372	msiexec.exe
Token: SeTakeOwnershipPrivilege	4372	msiexec.exe
Token: SeBackupPrivilege	2944	srtasks.exe
Token: SeRestorePrivilege	2944	srtasks.exe
Token: SeSecurityPrivilege	2944	srtasks.exe
Token: SeTakeOwnershipPrivilege	2944	srtasks.exe
Token: SeBackupPrivilege	2944	srtasks.exe
Token: SeRestorePrivilege	2944	srtasks.exe
Token: SeSecurityPrivilege	2944	srtasks.exe
Token: SeTakeOwnershipPrivilege	2944	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2772 msiexec.exe
2772 msiexec.exe

pid	process
2772	msiexec.exe
2772	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

msiexec.exeMsiExec.exewindbg.exe

description	pid	process	target process
PID 4372 wrote to memory of 2944	4372	msiexec.exe	srtasks.exe
PID 4372 wrote to memory of 2944	4372	msiexec.exe	srtasks.exe
PID 4372 wrote to memory of 1660	4372	msiexec.exe	MsiExec.exe
PID 4372 wrote to memory of 1660	4372	msiexec.exe	MsiExec.exe
PID 4372 wrote to memory of 1660	4372	msiexec.exe	MsiExec.exe
PID 1660 wrote to memory of 4968	1660	MsiExec.exe	ICACLS.EXE
PID 1660 wrote to memory of 4968	1660	MsiExec.exe	ICACLS.EXE
PID 1660 wrote to memory of 4968	1660	MsiExec.exe	ICACLS.EXE
PID 1660 wrote to memory of 3744	1660	MsiExec.exe	EXPAND.EXE
PID 1660 wrote to memory of 3744	1660	MsiExec.exe	EXPAND.EXE
PID 1660 wrote to memory of 3744	1660	MsiExec.exe	EXPAND.EXE
PID 1660 wrote to memory of 1620	1660	MsiExec.exe	windbg.exe
PID 1660 wrote to memory of 1620	1660	MsiExec.exe	windbg.exe
PID 1660 wrote to memory of 1620	1660	MsiExec.exe	windbg.exe
PID 1620 wrote to memory of 116	1620	windbg.exe	Autoit3.exe
PID 1620 wrote to memory of 116	1620	windbg.exe	Autoit3.exe
PID 1620 wrote to memory of 116	1620	windbg.exe	Autoit3.exe
PID 1660 wrote to memory of 5000	1660	MsiExec.exe	ICACLS.EXE
PID 1660 wrote to memory of 5000	1660	MsiExec.exe	ICACLS.EXE
PID 1660 wrote to memory of 5000	1660	MsiExec.exe	ICACLS.EXE

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1c532f2594.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2772

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4372

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2944

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 0A8A970A761138B7B1B8717908D01F75
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-73d77c32-5ed2-4b75-8369-bcdca09916f8\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
3⤵
- Modifies file permissions
PID:4968

C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
3⤵
- Drops file in Windows directory
PID:3744

C:\Users\Admin\AppData\Local\Temp\MW-73d77c32-5ed2-4b75-8369-bcdca09916f8\files\windbg.exe
"C:\Users\Admin\AppData\Local\Temp\MW-73d77c32-5ed2-4b75-8369-bcdca09916f8\files\windbg.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1620

\??\c:\tmpa\Autoit3.exe
c:\tmpa\Autoit3.exe c:\tmpa\script.au3
4⤵
- Executes dropped EXE
- Checks processor information in registry
PID:116

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-73d77c32-5ed2-4b75-8369-bcdca09916f8\." /SETINTEGRITYLEVEL (CI)(OI)LOW
3⤵
- Modifies file permissions
PID:5000

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2592

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-73d77c32-5ed2-4b75-8369-bcdca09916f8\files.cab
Filesize
8.3MB

MD5
d5298413b9d6dc59e277eb08f6e4431c

SHA1
55d71275c8737068b130dade96a8354d966e295a

SHA256
5d8fea0c2e3a41247dada38ccaf7222aef40fc485e26e54dbee1fbcadb3079c0

SHA512
983fee4dd48b55eb572b09eb1d743a61a67d320c23b55f7b9e8a9e55e407b8b3db00ffe5ca4c6793d26b436decb9dac9323003692c8ebac291c70396e6a0e2b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-73d77c32-5ed2-4b75-8369-bcdca09916f8\files\00004-4001132497.png
Filesize
1.1MB

MD5
2ccc17c1a5bb5e656e7f3bb09ff0beff

SHA1
05866cf7dd5fa99ea852b01c2791b30e7741ea19

SHA256
411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2

SHA512
46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-73d77c32-5ed2-4b75-8369-bcdca09916f8\files\00005-3546315028.png
Filesize
1.8MB

MD5
dee56d4f89c71ea6c4f1e75b82f2e9c9

SHA1
293ce531cddbf4034782d5dfed1e35c807d75c52

SHA256
a8f1ffb62d49d35a0f838f358614333e3d5d68ce5409fdfefcd1aa218d4639cf

SHA512
e8c38dc1d7a49d9cb919eae5294cc64379a933cdbd5427ed38c5f915271655f9bd6363e131f9d8a74ffdda23c7b155cc5200ddf999339ea611b98e74355faa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-73d77c32-5ed2-4b75-8369-bcdca09916f8\files\00006-3546315029.png
Filesize
1.8MB

MD5
173a98c6c7a166db7c3caa3a06fec06c

SHA1
3c562051f42353e72ba87b6f54744f6d0107df86

SHA256
212a80b3f8e68d00dbd8fc55fc8c4b30ee996348262d5d37e8b3f431a4b2fdad

SHA512
9dcd341937eff32762767d3538499d211f5a50fddb4e83d5d1afbeb87a5420c1fb9952ef2ecc744c460b7d53baa2bffbe99087a9f794d25ba78d1af61ea8b54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-73d77c32-5ed2-4b75-8369-bcdca09916f8\files\00007-3546315030.png
Filesize
1.6MB

MD5
94b4895b7b8a60481393b7b8c22ad742

SHA1
902796c4aee78ab74e7ba5004625d797d83a8787

SHA256
f449409c8747d8e73ac7f8539c6e26d526ef51d267fed40eadce138389db5973

SHA512
d1ed6f5a1920eca041a683d71ac562058bc513877e3ae8be18888797d0713e25964c610428f9474d9b539097441002275e1f0023a565bd205cd4153ac282b61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-73d77c32-5ed2-4b75-8369-bcdca09916f8\files\data.bin
Filesize
92KB

MD5
472526a8c742a25296b345509638c863

SHA1
345523ddcd3216cf060ce242071374614fc372a6

SHA256
5d7aace8eb61d1fb4553069d8501100d64abb9968b1f20f84f3d23c71dab1366

SHA512
8ab00a37557e6e92476a85ae8e5f71fa1a84e54a0e60e5f75eb553d12e145b17fd4b82b81cf2610435976c828f29865df41c4cddc2224e55dfa0edf7375f67f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-73d77c32-5ed2-4b75-8369-bcdca09916f8\files\data2.bin
Filesize
1.8MB

MD5
5be4a940ee8e35bafe74fb4b80c81ef1

SHA1
aaef9c2779ce4a43859248a181b30f70bb947a50

SHA256
61e7a91c74b852f0eec7587bed6080d2950769b7b7587927d8dcfafe03e9d670

SHA512
d6d6dd61af6f3a0ee3db240b6b341fd310716c3f5fe78ee79a8cfc39349ad5ab8ec3823d15acc8cf56e03d78e30734beae9cd151bced6e42b3123b0f00e73930

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-73d77c32-5ed2-4b75-8369-bcdca09916f8\files\dbgeng.dll
Filesize
1.9MB

MD5
a5fcc0097a7eca9ed79596243aac4652

SHA1
865f03e10c56d2d1c30f500597a6d0dbd1030f68

SHA256
8e8ea3571042dffcd35491bfd1530a7e4c10ee04efd3ab181bdde37ef1e07e0d

SHA512
1644a70d039aa9b221e5d65a2879ffabd1cfd0798d6be31ba16938225286a465281ae768d396203668ee6aec417216018a1ad833124d63e1ddbbd667ab097505

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-73d77c32-5ed2-4b75-8369-bcdca09916f8\files\dbgeng.dll
Filesize
1.9MB

MD5
a5fcc0097a7eca9ed79596243aac4652

SHA1
865f03e10c56d2d1c30f500597a6d0dbd1030f68

SHA256
8e8ea3571042dffcd35491bfd1530a7e4c10ee04efd3ab181bdde37ef1e07e0d

SHA512
1644a70d039aa9b221e5d65a2879ffabd1cfd0798d6be31ba16938225286a465281ae768d396203668ee6aec417216018a1ad833124d63e1ddbbd667ab097505

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-73d77c32-5ed2-4b75-8369-bcdca09916f8\files\dbgeng.dll
Filesize
1.9MB

MD5
a5fcc0097a7eca9ed79596243aac4652

SHA1
865f03e10c56d2d1c30f500597a6d0dbd1030f68

SHA256
8e8ea3571042dffcd35491bfd1530a7e4c10ee04efd3ab181bdde37ef1e07e0d

SHA512
1644a70d039aa9b221e5d65a2879ffabd1cfd0798d6be31ba16938225286a465281ae768d396203668ee6aec417216018a1ad833124d63e1ddbbd667ab097505

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-73d77c32-5ed2-4b75-8369-bcdca09916f8\files\windbg.exe
Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-73d77c32-5ed2-4b75-8369-bcdca09916f8\files\windbg.exe
Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-73d77c32-5ed2-4b75-8369-bcdca09916f8\msiwrapper.ini
Filesize
1KB

MD5
aa11d04a16afc97802883031b5f1de68

SHA1
6c6a6e3840ce3cd7c896618bd1dae2eda726edda

SHA256
d6bb187d3ef9b218b4f1fb8b3ba18958cc10d19dcda245376e5871df7ff80e82

SHA512
7806a09d57cb09417bbeff4199d925e627e8d3acd8687eae476635398dc543d33d33c88ddfcb21b75d71e808aa6ae7b0309cfda8187be7246460bb4056aa6986

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-73d77c32-5ed2-4b75-8369-bcdca09916f8\msiwrapper.ini
Filesize
1010B

MD5
f6b13b4cbc78dcc1f933582960d08dee

SHA1
0f2b48bb6e9fc233d86acbe70bc30ecc6e9d636e

SHA256
f28e7cb895fa7621992b11aae436734ae271aa0128642c9fecc358ee85c739f2

SHA512
4ff821a276a7bd6f1a619898e27dd0e4ed3f6d46330af99d60a8220c219c0dbc98df1d5e870c9db768232c38c90144d023fabfc83cc13326202aa26cecc0a19d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-73d77c32-5ed2-4b75-8369-bcdca09916f8\msiwrapper.ini
Filesize
1KB

MD5
a7aff19b286f30f5b265aee32fd42df3

SHA1
b84cf8010398e08f6a82d3d566b12f9d4fd4eada

SHA256
9022ee8e40c2bc66e01843d8e8f2c770e7d642d5d4812ceacef7122f41eabbf8

SHA512
c5688047a5a2be13a93384572abaa8e8fe3e469c30d8b2bc00de1991d28ccbfcac5ca0eeffbb942b37d0be2121ba944fcd26e09efc12150d3ffd161f91a3d206

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-73d77c32-5ed2-4b75-8369-bcdca09916f8\msiwrapper.ini
Filesize
1KB

MD5
a7aff19b286f30f5b265aee32fd42df3

SHA1
b84cf8010398e08f6a82d3d566b12f9d4fd4eada

SHA256
9022ee8e40c2bc66e01843d8e8f2c770e7d642d5d4812ceacef7122f41eabbf8

SHA512
c5688047a5a2be13a93384572abaa8e8fe3e469c30d8b2bc00de1991d28ccbfcac5ca0eeffbb942b37d0be2121ba944fcd26e09efc12150d3ffd161f91a3d206

Download Submit
C:\Windows\Installer\MSI2AA5.tmp
Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI2AA5.tmp
Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI3E5E.tmp
Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI3E5E.tmp
Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\tmpa\Autoit3.exe
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
6ad56837d9475da696196a76337c1b36

SHA1
7fe06c6258e60fee2e5e5931883f1916967b0ad2

SHA256
5bedb18f0a20f8556640223bbf16b6e05d40509ca08f1834419820ecf4f9d5c5

SHA512
665f66e23d6c9ece54cd2fd938b68eb5a4dff1b8f8400492192e8d4a2537b630dad2f9e0c6c938c2154aeb4a23dee77751e89fa00b3f8511b7a9eba37eb71487

Download Submit
\??\Volume{66c809e9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{ac4e7553-6873-42d8-b455-59d55e8c4d6d}_OnDiskSnapshotProp
Filesize
5KB

MD5
af8213b4dadcc7c8a2b1a9e9778e6f2d

SHA1
556fed323a3060d882567dae4050d35cc87d68b1

SHA256
2112b0b233fed63a8cf8f34580acaba8f188b5dbc5844385a5813e9162868eb4

SHA512
5834acf0ea44c99fb5f27e702e951f4d2ac389a7f564d0cd96edee23dad6c11db7aad04f568c593ab73c67353b72238a5f0a8f0030094bc73b45a32556ce7767

Download Submit
\??\c:\tmpa\script.au3
Filesize
536KB

MD5
53041e3e4bae56f12d3b1b8e395f0055

SHA1
ff1ccc146e62dd9f4a0f233d9a37854b1190f6c0

SHA256
65f996a60954e9c328624ff8f76ed150cc9facfde950e223bc4f8e1554a40b3f

SHA512
5560e86341cb2c07a5cc4aca14c07b463e3d6b18691a07ebfc85ff8079b5adb12b68c659278f7e402921f8990f00ef7c5946a0a30b7d41abb55b2ea68f87a7e5

Download Submit
memory/116-113-0x00000000042A0000-0x00000000043A0000-memory.dmp

Filesize
1024KB

Download
memory/116-114-0x0000000004980000-0x0000000004B15000-memory.dmp

Filesize
1.6MB

Download
memory/116-115-0x0000000004980000-0x0000000004B15000-memory.dmp

Filesize
1.6MB

Download
memory/1620-101-0x0000000002FF0000-0x000000000307A000-memory.dmp

Filesize
552KB

Download
memory/1620-100-0x0000000001090000-0x0000000001290000-memory.dmp

Filesize
2.0MB

Download
memory/1620-95-0x0000000002FF0000-0x000000000307A000-memory.dmp

Filesize
552KB

Download
memory/1620-92-0x0000000001090000-0x0000000001290000-memory.dmp

Filesize
2.0MB

Download