darkgate | 3d36c21c7f255ba1596da6e9a771b61d5120113376f519d13b336343362f2b4a

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
09-11-2023 20:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3d36c21c7f255ba1596da6e9a771b61d5120113376f519d13b336343362f2b4a.msi
Size

8.5MB
MD5

5e5704e30401f1ba9906e382f6a7c684
SHA1

f3d67076e491ab59f33a06afcd00a42d9a344711
SHA256

3d36c21c7f255ba1596da6e9a771b61d5120113376f519d13b336343362f2b4a
SHA512

a83c23efb0cc54a666a322a8d492c53ea9fc5a2de9b53dfadaab7d98724fcb53c93edbddb174f381e02e9cc47b0a4ba5bb217ce01069937c6e4bdd1a7dedd514
SSDEEP

196608:xeS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9lqFM2CMhimhs4W:xdhVs6WXjX9HZ5AQX32WDuqRCMhif4W

Score

10^/10

darkgate plex discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

PLEX

http://homeservicetreking.com

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
8443
check_disk
false
check_ram
true
check_xeon
true
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
mnNxiNpBWVirQR
internal_mutex
txtMut
minimum_disk
20
minimum_ram
6024
ping_interval
4
rootkit
true
startup_persistence
true
username
PLEX

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Executes dropped EXE 2 IoCs

pid	Process
5104	windbg.exe
4680	Autoit3.exe

Loads dropped DLL 4 IoCs

pid	Process
2604	MsiExec.exe
5104	windbg.exe
5104	windbg.exe
2604	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
372	ICACLS.EXE
1108	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIC60C.tmp	msiexec.exe
File created	C:\Windows\Installer\e58a284.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e58a284.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6D10BDA0-92A9-4D34-AD07-0BEAD9804F2B}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA6F9.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIC5FC.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e909c866916b25070000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e909c8660000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e909c866000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de909c866000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e909c86600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3776	msiexec.exe
3776	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4136	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4136	msiexec.exe
Token: SeSecurityPrivilege	3776	msiexec.exe
Token: SeCreateTokenPrivilege	4136	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4136	msiexec.exe
Token: SeLockMemoryPrivilege	4136	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4136	msiexec.exe
Token: SeMachineAccountPrivilege	4136	msiexec.exe
Token: SeTcbPrivilege	4136	msiexec.exe
Token: SeSecurityPrivilege	4136	msiexec.exe
Token: SeTakeOwnershipPrivilege	4136	msiexec.exe
Token: SeLoadDriverPrivilege	4136	msiexec.exe
Token: SeSystemProfilePrivilege	4136	msiexec.exe
Token: SeSystemtimePrivilege	4136	msiexec.exe
Token: SeProfSingleProcessPrivilege	4136	msiexec.exe
Token: SeIncBasePriorityPrivilege	4136	msiexec.exe
Token: SeCreatePagefilePrivilege	4136	msiexec.exe
Token: SeCreatePermanentPrivilege	4136	msiexec.exe
Token: SeBackupPrivilege	4136	msiexec.exe
Token: SeRestorePrivilege	4136	msiexec.exe
Token: SeShutdownPrivilege	4136	msiexec.exe
Token: SeDebugPrivilege	4136	msiexec.exe
Token: SeAuditPrivilege	4136	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4136	msiexec.exe
Token: SeChangeNotifyPrivilege	4136	msiexec.exe
Token: SeRemoteShutdownPrivilege	4136	msiexec.exe
Token: SeUndockPrivilege	4136	msiexec.exe
Token: SeSyncAgentPrivilege	4136	msiexec.exe
Token: SeEnableDelegationPrivilege	4136	msiexec.exe
Token: SeManageVolumePrivilege	4136	msiexec.exe
Token: SeImpersonatePrivilege	4136	msiexec.exe
Token: SeCreateGlobalPrivilege	4136	msiexec.exe
Token: SeBackupPrivilege	3880	vssvc.exe
Token: SeRestorePrivilege	3880	vssvc.exe
Token: SeAuditPrivilege	3880	vssvc.exe
Token: SeBackupPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeRestorePrivilege	3776	msiexec.exe
Token: SeTakeOwnershipPrivilege	3776	msiexec.exe
Token: SeBackupPrivilege	4356	srtasks.exe
Token: SeRestorePrivilege	4356	srtasks.exe
Token: SeSecurityPrivilege	4356	srtasks.exe
Token: SeTakeOwnershipPrivilege	4356	srtasks.exe
Token: SeBackupPrivilege	4356	srtasks.exe
Token: SeRestorePrivilege	4356	srtasks.exe
Token: SeSecurityPrivilege	4356	srtasks.exe
Token: SeTakeOwnershipPrivilege	4356	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4136	msiexec.exe
4136	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3776 wrote to memory of 4356	3776	msiexec.exe	111
PID 3776 wrote to memory of 4356	3776	msiexec.exe	111
PID 3776 wrote to memory of 2604	3776	msiexec.exe	113
PID 3776 wrote to memory of 2604	3776	msiexec.exe	113
PID 3776 wrote to memory of 2604	3776	msiexec.exe	113
PID 2604 wrote to memory of 372	2604	MsiExec.exe	114
PID 2604 wrote to memory of 372	2604	MsiExec.exe	114
PID 2604 wrote to memory of 372	2604	MsiExec.exe	114
PID 2604 wrote to memory of 3748	2604	MsiExec.exe	116
PID 2604 wrote to memory of 3748	2604	MsiExec.exe	116
PID 2604 wrote to memory of 3748	2604	MsiExec.exe	116
PID 2604 wrote to memory of 5104	2604	MsiExec.exe	118
PID 2604 wrote to memory of 5104	2604	MsiExec.exe	118
PID 2604 wrote to memory of 5104	2604	MsiExec.exe	118
PID 5104 wrote to memory of 4680	5104	windbg.exe	119
PID 5104 wrote to memory of 4680	5104	windbg.exe	119
PID 5104 wrote to memory of 4680	5104	windbg.exe	119
PID 2604 wrote to memory of 1108	2604	MsiExec.exe	120
PID 2604 wrote to memory of 1108	2604	MsiExec.exe	120
PID 2604 wrote to memory of 1108	2604	MsiExec.exe	120

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3d36c21c7f255ba1596da6e9a771b61d5120113376f519d13b336343362f2b4a.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4136

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3776
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4356
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 31571ADB3904A3F03F54C2B795EC2A8E
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-1fd59d9b-1ce9-44cf-8fb9-cee0e0e52c49\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:372
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:3748
- - C:\Users\Admin\AppData\Local\Temp\MW-1fd59d9b-1ce9-44cf-8fb9-cee0e0e52c49\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-1fd59d9b-1ce9-44cf-8fb9-cee0e0e52c49\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:5104
  - - \??\c:\tmpa\Autoit3.exe
      c:\tmpa\Autoit3.exe c:\tmpa\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:4680
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-1fd59d9b-1ce9-44cf-8fb9-cee0e0e52c49\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:1108

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-1fd59d9b-1ce9-44cf-8fb9-cee0e0e52c49\files.cab

Filesize
8.2MB

MD5
45ea45931d4cc5f462573ba4503e4bdd

SHA1
a9c09bf4f404cabca7e1c42f9d7a17e0ee35299a

SHA256
654a2af82cc18ca71cea6fab7ec3d96c309d8a2bbbeef2776aabd6b5c708f195

SHA512
703a53fe9564008f5cca31e16e8d49852873a6de3930b7ec21100ed40e0a93c729827d2bc5d4bda557325af8f7ab6c6b8c7f5446d5a0628d500d83d9621a56f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1fd59d9b-1ce9-44cf-8fb9-cee0e0e52c49\files\00004-4001132497.png

Filesize
1.1MB

MD5
2ccc17c1a5bb5e656e7f3bb09ff0beff

SHA1
05866cf7dd5fa99ea852b01c2791b30e7741ea19

SHA256
411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2

SHA512
46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1fd59d9b-1ce9-44cf-8fb9-cee0e0e52c49\files\00005-3546315028.png

Filesize
1.8MB

MD5
dee56d4f89c71ea6c4f1e75b82f2e9c9

SHA1
293ce531cddbf4034782d5dfed1e35c807d75c52

SHA256
a8f1ffb62d49d35a0f838f358614333e3d5d68ce5409fdfefcd1aa218d4639cf

SHA512
e8c38dc1d7a49d9cb919eae5294cc64379a933cdbd5427ed38c5f915271655f9bd6363e131f9d8a74ffdda23c7b155cc5200ddf999339ea611b98e74355faa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1fd59d9b-1ce9-44cf-8fb9-cee0e0e52c49\files\00006-3546315029.png

Filesize
1.8MB

MD5
173a98c6c7a166db7c3caa3a06fec06c

SHA1
3c562051f42353e72ba87b6f54744f6d0107df86

SHA256
212a80b3f8e68d00dbd8fc55fc8c4b30ee996348262d5d37e8b3f431a4b2fdad

SHA512
9dcd341937eff32762767d3538499d211f5a50fddb4e83d5d1afbeb87a5420c1fb9952ef2ecc744c460b7d53baa2bffbe99087a9f794d25ba78d1af61ea8b54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1fd59d9b-1ce9-44cf-8fb9-cee0e0e52c49\files\00007-3546315030.png

Filesize
1.6MB

MD5
94b4895b7b8a60481393b7b8c22ad742

SHA1
902796c4aee78ab74e7ba5004625d797d83a8787

SHA256
f449409c8747d8e73ac7f8539c6e26d526ef51d267fed40eadce138389db5973

SHA512
d1ed6f5a1920eca041a683d71ac562058bc513877e3ae8be18888797d0713e25964c610428f9474d9b539097441002275e1f0023a565bd205cd4153ac282b61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1fd59d9b-1ce9-44cf-8fb9-cee0e0e52c49\files\data.bin

Filesize
92KB

MD5
839c48c1fa948c4ae211efefc0866bda

SHA1
af2d588b109fced20671a0f576e8719dc70cb678

SHA256
5e31861fd1a143ceaee3a8d376e8bf331184bcde27e43b9529f5e29706604286

SHA512
e1b6e2cffe429429704bc6808136c9b82be262494827dd0b02b96d33166d905d52f0277f81e15647b594a0867e2e60b7bd07dd7f605cca650dd82a8472a7c0af

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1fd59d9b-1ce9-44cf-8fb9-cee0e0e52c49\files\data2.bin

Filesize
1.8MB

MD5
89276a5bfac1a0b7475db20a318ef009

SHA1
f93a6c6b793aae9a04da34a6f8df42e24d0f18f7

SHA256
3fb15da8c290eeb0e80724c943013e13ece6ab82e2ebedff65e64e20ba250321

SHA512
428acdc83330c91d7dbe1193f593155636bda4633f9d27601943e9c8d307e8a3794146857cc5f988b08736ff2ad760afa4a8080b4734e719e1ef36ef9be5f643

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1fd59d9b-1ce9-44cf-8fb9-cee0e0e52c49\files\dbgeng.dll

Filesize
1.9MB

MD5
55c0ffe2002889efe4aefc035738c17f

SHA1
35e0f048544ee7e4599b73d0e739ce12b1558dae

SHA256
7a8e13aa55800172b1249de1334c9eacabd56947f3851d9b40a05b9a21089c2b

SHA512
78677d2d255429d6530bfd0e00c10222a1c0bee4f22dff6b79f1ae289be6dac3c41d989fe67fb44dba5e4c32ddcb5b46d57d7fdbe945f0c2b9da0ae33fbd5a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1fd59d9b-1ce9-44cf-8fb9-cee0e0e52c49\files\dbgeng.dll

Filesize
1.9MB

MD5
55c0ffe2002889efe4aefc035738c17f

SHA1
35e0f048544ee7e4599b73d0e739ce12b1558dae

SHA256
7a8e13aa55800172b1249de1334c9eacabd56947f3851d9b40a05b9a21089c2b

SHA512
78677d2d255429d6530bfd0e00c10222a1c0bee4f22dff6b79f1ae289be6dac3c41d989fe67fb44dba5e4c32ddcb5b46d57d7fdbe945f0c2b9da0ae33fbd5a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1fd59d9b-1ce9-44cf-8fb9-cee0e0e52c49\files\dbgeng.dll

Filesize
1.9MB

MD5
55c0ffe2002889efe4aefc035738c17f

SHA1
35e0f048544ee7e4599b73d0e739ce12b1558dae

SHA256
7a8e13aa55800172b1249de1334c9eacabd56947f3851d9b40a05b9a21089c2b

SHA512
78677d2d255429d6530bfd0e00c10222a1c0bee4f22dff6b79f1ae289be6dac3c41d989fe67fb44dba5e4c32ddcb5b46d57d7fdbe945f0c2b9da0ae33fbd5a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1fd59d9b-1ce9-44cf-8fb9-cee0e0e52c49\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1fd59d9b-1ce9-44cf-8fb9-cee0e0e52c49\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1fd59d9b-1ce9-44cf-8fb9-cee0e0e52c49\msiwrapper.ini

Filesize
1KB

MD5
93f9c901d2acb9894c6600b8fb337a17

SHA1
d21d110611842022795ff17e9ee89c967ff87c93

SHA256
4a49fcce71685618557abd81f0a356e6a43d9658bbcba9edd2d3aeb3df67958a

SHA512
1240733335d91a958ef751cf010f18a6718b4a9108281ed968de9f4c7f46ebbceb62831cc98e5e343b42cdac7e90b304160cfc105bc81ffd92a6d70285d987c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1fd59d9b-1ce9-44cf-8fb9-cee0e0e52c49\msiwrapper.ini

Filesize
330B

MD5
2082362e4ef52e0f573f27995552b284

SHA1
8a5c3274249ab99df8b22b173082066aae6aeb09

SHA256
684da25bf108771b5c58df6226697fb520e14da7f930961fee0a8bb035114d2e

SHA512
f1d0a16bb22d0f0637e8d7a9bec372e25ff502a6de07cf9ee4b30a48c7ec2fcd36e3881b91eed0a26e96000dcd7eb6d00d6c5b9b383d6470f2c6d8e7591d271f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1fd59d9b-1ce9-44cf-8fb9-cee0e0e52c49\msiwrapper.ini

Filesize
1010B

MD5
26236c5e9c293474446fc0cafc3fabda

SHA1
e86d1ddfbbcd909a419a6f937d46cbc25e55eb03

SHA256
5f9ec208daf17f98ce8fd41ccf3b5f27456e3e5f7ffe114ddc6d23f108d804e7

SHA512
7a4814359a562720c827306a2e4baa91c5ca3c2930bcf3de7b15a342f4ceabb2abb263e7d694c60f834a75b11a8b6bd78114a2d5407684a12a56597daac2e4b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1fd59d9b-1ce9-44cf-8fb9-cee0e0e52c49\msiwrapper.ini

Filesize
1KB

MD5
64e5d44d40d264bbcfb555a49068626a

SHA1
bcaab64043175776a1cd4cab7ac60a654563e341

SHA256
9f4b748235562bc366b7615182c1cc3254df2f27850d088fac6c8521eda11f88

SHA512
ecf049eee386626c94155fe8853d5b3d22f29500aff01957c06f4074b8549f19a558ad074533ce91bbbe39f97823fab30e066e8fb18373a845aa2be698c3fea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-1fd59d9b-1ce9-44cf-8fb9-cee0e0e52c49\msiwrapper.ini

Filesize
1KB

MD5
64e5d44d40d264bbcfb555a49068626a

SHA1
bcaab64043175776a1cd4cab7ac60a654563e341

SHA256
9f4b748235562bc366b7615182c1cc3254df2f27850d088fac6c8521eda11f88

SHA512
ecf049eee386626c94155fe8853d5b3d22f29500aff01957c06f4074b8549f19a558ad074533ce91bbbe39f97823fab30e066e8fb18373a845aa2be698c3fea2

Download Submit
C:\Windows\Installer\MSIA6F9.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIA6F9.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIC60C.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIC60C.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
38aae99abba31ff48f89e17d800ea148

SHA1
47e5f03866badfe60df88b1ca1646199c4d9db58

SHA256
f093d0580a77148aa32c223598ef85b01d2518ad8210dae17290da9a21c9c8e3

SHA512
4dfa7da69cca0587efd0ebb390a4c28061d5666f1dee58e45cb29ae9110cd43a4e819a64407b4dccb1a83f5052eb1a451d3ead6773137e9c534c55c216b5b678

Download Submit
\??\Volume{66c809e9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9ae9d7d7-ed99-4161-9396-6ea1805ef9d2}_OnDiskSnapshotProp

Filesize
5KB

MD5
bea61793a6e4d8ddb03b2b155cd9781b

SHA1
232615068286328d2bc5c34385e39454558fb9b7

SHA256
5550b4708607c783c8429a964f647e2f464a7c7eaa9a16031876e74cd8c6d737

SHA512
8c7a3f9dd7343c86134b37f15537919fd776ee18dbe6b5c79e651d3011962b732b81ab9a66a65904cb89c76752bac21a2359979aeefe5d123afb00c0cc25e388

Download Submit
\??\c:\tmpa\script.au3

Filesize
494KB

MD5
fdd3bf444218b7f28f4fc7f05bd9ea4a

SHA1
e94b7a58147ef90efcd77c7576a746ce1a9d9b66

SHA256
a00836365798182edba7f92296c52152ccbf12dcb5ad61a0410b34edc5ee6464

SHA512
3232f9d88ec51193884e2c13eedd69a4c83b80c54e404da2e46cb8e973235e7f21cbf85788a186dc110ae2ac5db184409f79931a3c0e3c8304e6402b4d3182aa

Download Submit
memory/4680-108-0x0000000000F30000-0x0000000001330000-memory.dmp

Filesize
4.0MB

Download
memory/4680-114-0x0000000003A80000-0x0000000003C15000-memory.dmp

Filesize
1.6MB

Download
memory/4680-125-0x0000000003A80000-0x0000000003C15000-memory.dmp

Filesize
1.6MB

Download
memory/5104-105-0x0000000002B40000-0x0000000002BCA000-memory.dmp

Filesize
552KB

Download
memory/5104-104-0x0000000000B80000-0x0000000000D80000-memory.dmp

Filesize
2.0MB

Download
memory/5104-99-0x0000000002B40000-0x0000000002BCA000-memory.dmp

Filesize
552KB

Download
memory/5104-96-0x0000000000B80000-0x0000000000D80000-memory.dmp

Filesize
2.0MB

Download