darkgate | a2f2d75d5d822af00d66ab0de4fee633e3c89ae4512219d83a74d034f0ad5ef3

Analysis

max time kernel
142s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
10-11-2023 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d81c4c5fd1.msi
Size

8.7MB
MD5

df958065715bfa16d27a40331a2fa2b6
SHA1

6492750661945ac8604fb2bd92944b9a18eccdd4
SHA256

525b43c320e55981503e6bcb925da6eaf8ff02c692434e10e51562984831a6d0
SHA512

6c6784d193775f419ab23d106ccce76b51a84c5c4ab7770a1908f731f278398a3b0f45477b097cb336ae8ee48d980cc23fbdba8af72445a3365acbd2a90d9e26
SSDEEP

196608:PeS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9rRlMtLt:PdhVs6WXjX9HZ5AQX32WDKMtL

Score

10^/10

darkgate user_871236672 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

user_871236672

http://adhufdauifadhj13.com

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
2351
check_disk
true
check_ram
true
check_xeon
true
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
pIXXemAHboYTbK
internal_mutex
txtMut
minimum_disk
40
minimum_ram
6001
ping_interval
4
rootkit
true
startup_persistence
true
username
user_871236672

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Executes dropped EXE 2 IoCs

pid	Process
3412	windbg.exe
2188	Autoit3.exe

Loads dropped DLL 4 IoCs

pid	Process
2500	MsiExec.exe
3412	windbg.exe
3412	windbg.exe
2500	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
628	ICACLS.EXE
4408	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI34E7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI34F8.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI211F.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File created	C:\Windows\Installer\e581f0c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e581f0c.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B441FFDB-27BB-49C3-8AEC-1E9A545DCC25}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e177523499fd9a390000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e17752340000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e1775234000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de1775234000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e177523400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2456	msiexec.exe
2456	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	916	msiexec.exe
Token: SeSecurityPrivilege	2456	msiexec.exe
Token: SeCreateTokenPrivilege	916	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	916	msiexec.exe
Token: SeLockMemoryPrivilege	916	msiexec.exe
Token: SeIncreaseQuotaPrivilege	916	msiexec.exe
Token: SeMachineAccountPrivilege	916	msiexec.exe
Token: SeTcbPrivilege	916	msiexec.exe
Token: SeSecurityPrivilege	916	msiexec.exe
Token: SeTakeOwnershipPrivilege	916	msiexec.exe
Token: SeLoadDriverPrivilege	916	msiexec.exe
Token: SeSystemProfilePrivilege	916	msiexec.exe
Token: SeSystemtimePrivilege	916	msiexec.exe
Token: SeProfSingleProcessPrivilege	916	msiexec.exe
Token: SeIncBasePriorityPrivilege	916	msiexec.exe
Token: SeCreatePagefilePrivilege	916	msiexec.exe
Token: SeCreatePermanentPrivilege	916	msiexec.exe
Token: SeBackupPrivilege	916	msiexec.exe
Token: SeRestorePrivilege	916	msiexec.exe
Token: SeShutdownPrivilege	916	msiexec.exe
Token: SeDebugPrivilege	916	msiexec.exe
Token: SeAuditPrivilege	916	msiexec.exe
Token: SeSystemEnvironmentPrivilege	916	msiexec.exe
Token: SeChangeNotifyPrivilege	916	msiexec.exe
Token: SeRemoteShutdownPrivilege	916	msiexec.exe
Token: SeUndockPrivilege	916	msiexec.exe
Token: SeSyncAgentPrivilege	916	msiexec.exe
Token: SeEnableDelegationPrivilege	916	msiexec.exe
Token: SeManageVolumePrivilege	916	msiexec.exe
Token: SeImpersonatePrivilege	916	msiexec.exe
Token: SeCreateGlobalPrivilege	916	msiexec.exe
Token: SeBackupPrivilege	1388	vssvc.exe
Token: SeRestorePrivilege	1388	vssvc.exe
Token: SeAuditPrivilege	1388	vssvc.exe
Token: SeBackupPrivilege	2456	msiexec.exe
Token: SeRestorePrivilege	2456	msiexec.exe
Token: SeRestorePrivilege	2456	msiexec.exe
Token: SeTakeOwnershipPrivilege	2456	msiexec.exe
Token: SeRestorePrivilege	2456	msiexec.exe
Token: SeTakeOwnershipPrivilege	2456	msiexec.exe
Token: SeRestorePrivilege	2456	msiexec.exe
Token: SeTakeOwnershipPrivilege	2456	msiexec.exe
Token: SeRestorePrivilege	2456	msiexec.exe
Token: SeTakeOwnershipPrivilege	2456	msiexec.exe
Token: SeBackupPrivilege	3984	srtasks.exe
Token: SeRestorePrivilege	3984	srtasks.exe
Token: SeSecurityPrivilege	3984	srtasks.exe
Token: SeTakeOwnershipPrivilege	3984	srtasks.exe
Token: SeBackupPrivilege	3984	srtasks.exe
Token: SeRestorePrivilege	3984	srtasks.exe
Token: SeSecurityPrivilege	3984	srtasks.exe
Token: SeTakeOwnershipPrivilege	3984	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
916	msiexec.exe
916	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2456 wrote to memory of 3984	2456	msiexec.exe	106
PID 2456 wrote to memory of 3984	2456	msiexec.exe	106
PID 2456 wrote to memory of 2500	2456	msiexec.exe	109
PID 2456 wrote to memory of 2500	2456	msiexec.exe	109
PID 2456 wrote to memory of 2500	2456	msiexec.exe	109
PID 2500 wrote to memory of 628	2500	MsiExec.exe	111
PID 2500 wrote to memory of 628	2500	MsiExec.exe	111
PID 2500 wrote to memory of 628	2500	MsiExec.exe	111
PID 2500 wrote to memory of 3428	2500	MsiExec.exe	113
PID 2500 wrote to memory of 3428	2500	MsiExec.exe	113
PID 2500 wrote to memory of 3428	2500	MsiExec.exe	113
PID 2500 wrote to memory of 3412	2500	MsiExec.exe	116
PID 2500 wrote to memory of 3412	2500	MsiExec.exe	116
PID 2500 wrote to memory of 3412	2500	MsiExec.exe	116
PID 3412 wrote to memory of 2188	3412	windbg.exe	118
PID 3412 wrote to memory of 2188	3412	windbg.exe	118
PID 3412 wrote to memory of 2188	3412	windbg.exe	118
PID 2500 wrote to memory of 4408	2500	MsiExec.exe	119
PID 2500 wrote to memory of 4408	2500	MsiExec.exe	119
PID 2500 wrote to memory of 4408	2500	MsiExec.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\d81c4c5fd1.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:916

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3984
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 11340DE849F24312D94343714C472B84
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2500
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-b4199087-00c5-4828-ade1-12d52cf35838\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:628
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:3428
- - C:\Users\Admin\AppData\Local\Temp\MW-b4199087-00c5-4828-ade1-12d52cf35838\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-b4199087-00c5-4828-ade1-12d52cf35838\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3412
  - - \??\c:\tmpa\Autoit3.exe
      c:\tmpa\Autoit3.exe c:\tmpa\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:2188
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-b4199087-00c5-4828-ade1-12d52cf35838\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:4408

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-b4199087-00c5-4828-ade1-12d52cf35838\files.cab

Filesize
8.4MB

MD5
c5838722d0d37fc92213494a94164dea

SHA1
34a88d90b4a86944c0fc15603f02ad7937bb7681

SHA256
7faba3c5424ceae3f3a6b6d6a497f6a490d34eb857f6bfa722688aebff5d2bda

SHA512
8f4dce3693c0ca4200e74f91e24f7eb86aeb9476a79d03e50730da7f353c7a4b6e0d281e3db1e2a0e690c820cd3543018416de24c716618b442c61df6873cfc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b4199087-00c5-4828-ade1-12d52cf35838\files\00004-4001132497.png

Filesize
1.1MB

MD5
2ccc17c1a5bb5e656e7f3bb09ff0beff

SHA1
05866cf7dd5fa99ea852b01c2791b30e7741ea19

SHA256
411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2

SHA512
46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b4199087-00c5-4828-ade1-12d52cf35838\files\00005-3546315028.png

Filesize
1.8MB

MD5
dee56d4f89c71ea6c4f1e75b82f2e9c9

SHA1
293ce531cddbf4034782d5dfed1e35c807d75c52

SHA256
a8f1ffb62d49d35a0f838f358614333e3d5d68ce5409fdfefcd1aa218d4639cf

SHA512
e8c38dc1d7a49d9cb919eae5294cc64379a933cdbd5427ed38c5f915271655f9bd6363e131f9d8a74ffdda23c7b155cc5200ddf999339ea611b98e74355faa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b4199087-00c5-4828-ade1-12d52cf35838\files\00006-3546315029.png

Filesize
1.8MB

MD5
173a98c6c7a166db7c3caa3a06fec06c

SHA1
3c562051f42353e72ba87b6f54744f6d0107df86

SHA256
212a80b3f8e68d00dbd8fc55fc8c4b30ee996348262d5d37e8b3f431a4b2fdad

SHA512
9dcd341937eff32762767d3538499d211f5a50fddb4e83d5d1afbeb87a5420c1fb9952ef2ecc744c460b7d53baa2bffbe99087a9f794d25ba78d1af61ea8b54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b4199087-00c5-4828-ade1-12d52cf35838\files\00007-3546315030.png

Filesize
1.6MB

MD5
94b4895b7b8a60481393b7b8c22ad742

SHA1
902796c4aee78ab74e7ba5004625d797d83a8787

SHA256
f449409c8747d8e73ac7f8539c6e26d526ef51d267fed40eadce138389db5973

SHA512
d1ed6f5a1920eca041a683d71ac562058bc513877e3ae8be18888797d0713e25964c610428f9474d9b539097441002275e1f0023a565bd205cd4153ac282b61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b4199087-00c5-4828-ade1-12d52cf35838\files\data.bin

Filesize
92KB

MD5
16f4aaaf24cff067ecf8de4aa8005fe4

SHA1
1916630a88c6e7c696932e4a8bdcf8da9199dcec

SHA256
00a26f7b0efc9ea14469e9276c4c1f06855aba8cacd155ec02ec8e37e8457ca8

SHA512
91fe0dd77e8ba80f6983b58b53a05535bab223bb0880e1427ec6f28352f2f6a4246d316332592d6db240368f76634eb4cced104b392c96038dc40ce4398ad3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b4199087-00c5-4828-ade1-12d52cf35838\files\data2.bin

Filesize
2.0MB

MD5
6f5789e9889332afb380e9788aeef823

SHA1
10af9a59a77c5200f4bc5b725841df8c5dfa5271

SHA256
faed1f3284116efcb406c7999fad56817c6d69925de5425bf48c1d54564230d7

SHA512
6a602f09e801a1384170710ebcbe51a328bb3e66312100776142d634856cefc4b196d7fedc5bab6b51ea200043b46135d73d7564cb93bb8acd536ae9f8316a14

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b4199087-00c5-4828-ade1-12d52cf35838\files\dbgeng.dll

Filesize
1.9MB

MD5
cbb98bb1b5c503cab6f136e03f35337a

SHA1
5c4d4c9b8681b53767a8b84b225d9b90a9e37521

SHA256
4c7b64a903c4156fbad9f5e59f653fe5bab25acf3b5c50fc447e3cf1b96e8f01

SHA512
7ac39457cb6c57789d339f3d64fd939e3d04bf890320889ab2c419dc1217242f74cc9949c5fa6889f52bf86051ff8b8b2826f31989bf2cc43a0d7e8da5933102

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b4199087-00c5-4828-ade1-12d52cf35838\files\dbgeng.dll

Filesize
1.9MB

MD5
cbb98bb1b5c503cab6f136e03f35337a

SHA1
5c4d4c9b8681b53767a8b84b225d9b90a9e37521

SHA256
4c7b64a903c4156fbad9f5e59f653fe5bab25acf3b5c50fc447e3cf1b96e8f01

SHA512
7ac39457cb6c57789d339f3d64fd939e3d04bf890320889ab2c419dc1217242f74cc9949c5fa6889f52bf86051ff8b8b2826f31989bf2cc43a0d7e8da5933102

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b4199087-00c5-4828-ade1-12d52cf35838\files\dbgeng.dll

Filesize
1.9MB

MD5
cbb98bb1b5c503cab6f136e03f35337a

SHA1
5c4d4c9b8681b53767a8b84b225d9b90a9e37521

SHA256
4c7b64a903c4156fbad9f5e59f653fe5bab25acf3b5c50fc447e3cf1b96e8f01

SHA512
7ac39457cb6c57789d339f3d64fd939e3d04bf890320889ab2c419dc1217242f74cc9949c5fa6889f52bf86051ff8b8b2826f31989bf2cc43a0d7e8da5933102

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b4199087-00c5-4828-ade1-12d52cf35838\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b4199087-00c5-4828-ade1-12d52cf35838\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b4199087-00c5-4828-ade1-12d52cf35838\msiwrapper.ini

Filesize
1KB

MD5
e0609a2ec5c501f1a851882b803e89eb

SHA1
6d3a27347477978528305d9a807c106e0dd3d290

SHA256
5f2b3cf1a5e063ac2e48d76245c2ed8a4eb7082b6d512ef7f60a5b81cebd891d

SHA512
6b6174fbce0297a48f31b12b992c8ef05cef6f13012d320d28c42fe1c5099683719f6741c49b614fef33ab89e6ff143395acc24e80590d50ca606c058df9c1e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b4199087-00c5-4828-ade1-12d52cf35838\msiwrapper.ini

Filesize
370B

MD5
4ef3ce805e64063100321ebd6a857897

SHA1
cb2e2bca289fb5c907ff801db6d96db83d2d13b4

SHA256
95b61905c6ececcc51eca34d6027db562abb0cad4943bb228e1fc9052e0d9bf5

SHA512
ddbe10519e2d1949b25a5abd12265f834fee5d3ac2d8082587efa4a2078b7e5a54b3c89a160839928049fe0cd211aa61be5bea08e307db3a91a887b7bbc629e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b4199087-00c5-4828-ade1-12d52cf35838\msiwrapper.ini

Filesize
1KB

MD5
034759618a0760c0f2db41bc19527798

SHA1
eac262247dc3d669a7cbad2183c0d354a5bf0081

SHA256
d6f79fa51fd1737c20a9fa32840f3b41716f218579bccf81bc33be3910f9b208

SHA512
badd98d75398e416a83fb1b0304a8571a875476dc034c5ec52b7781730e85d16a315083e6aeda3c771fdb041338a2adebbb63408d0e913cd4e4cfecbe199d156

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b4199087-00c5-4828-ade1-12d52cf35838\msiwrapper.ini

Filesize
1KB

MD5
034759618a0760c0f2db41bc19527798

SHA1
eac262247dc3d669a7cbad2183c0d354a5bf0081

SHA256
d6f79fa51fd1737c20a9fa32840f3b41716f218579bccf81bc33be3910f9b208

SHA512
badd98d75398e416a83fb1b0304a8571a875476dc034c5ec52b7781730e85d16a315083e6aeda3c771fdb041338a2adebbb63408d0e913cd4e4cfecbe199d156

Download Submit
C:\Windows\Installer\MSI211F.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI211F.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI34F8.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI34F8.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
4e5a8b1fb50bb269543adb401bbf55c9

SHA1
abac6a5b4de3ab5055e5a12a06558851ae88ea9e

SHA256
4053ac13dc780cb1f9394c67f6b84f1bf160f838bf7759a6ea2f413ad52ddaf9

SHA512
2e6a06a318865f5c3d051aa454b14d200acd8e6f947fdc9052fb16e2e16c51da60eda16c32007f62916e27db3e51de3cdd1263a6a88a694b3a44eb54ace7571a

Download Submit
\??\Volume{345277e1-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{eca210f4-a096-4897-97d9-6a4d641eb6b2}_OnDiskSnapshotProp

Filesize
5KB

MD5
ffafc8666c1ec5acaa7b4e6559d72fa5

SHA1
76de3b4d3e4ffdcf46bbe91562ae5b8423ec299b

SHA256
05c49440e221174c311eced51e52f2b8216f1c42822c0cb8f066bb8c1a2df5b4

SHA512
d4a8c15b41b7b03b77f91d097495f2019c52225c46d6d0f477e69dfc83df08c5a467a63d45ffd585c725f6092f3ec45f1b62455b46280c292dc28cee6c18a396

Download Submit
\??\c:\tmpa\script.au3

Filesize
666KB

MD5
e89c0798322de95734d6499959c3a0e5

SHA1
b5375c0edcec401e9b43af9a83f3229a7907b084

SHA256
ef114b57f8144a8745cfd78407ac498b89303c4824a95e6a5dc44b460105b1c4

SHA512
fdeb2941cff4a51234b312edf0e50eebaa42fb1c2dc801c22f4af9a2cb3b8d9440cf0f46b2c4810cabc765d44177d24ea5b8b1e6218c25701c3a1c8baa04cab0

Download Submit
memory/2188-113-0x0000000003C10000-0x0000000004010000-memory.dmp

Filesize
4.0MB

Download
memory/2188-114-0x00000000044D0000-0x0000000004665000-memory.dmp

Filesize
1.6MB

Download
memory/2188-124-0x00000000044D0000-0x0000000004665000-memory.dmp

Filesize
1.6MB

Download
memory/3412-100-0x0000000000B60000-0x0000000000D60000-memory.dmp

Filesize
2.0MB

Download
memory/3412-101-0x0000000002AB0000-0x0000000002B3A000-memory.dmp

Filesize
552KB

Download
memory/3412-95-0x0000000002AB0000-0x0000000002B3A000-memory.dmp

Filesize
552KB

Download
memory/3412-92-0x0000000000B60000-0x0000000000D60000-memory.dmp

Filesize
2.0MB

Download