darkgate | 6ea1a16bf4c3bcb7f4cf450d1a7be36073f61e68c2f66689521e0f497b517c1f

Analysis

max time kernel
157s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20231025-en
resource tags

arch:x64arch:x86image:win10v2004-20231025-enlocale:en-usos:windows10-2004-x64system
submitted
19/11/2023, 21:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e91874c5d8c2.msi
Size

8.7MB
MD5

1170e2b02b92895d9db0be336d032d90
SHA1

18f49619d69b057e81163bdf08eab5f355ce662c
SHA256

8b6c6c007efa8e1a7da241564142f8a8a934dcce451c7e522cdd86292e81ead7
SHA512

bd1ceeee7928592e318b7f28b557bfcb97e4bb8f65f8c09001f19a746c7532f4f9d86aa54aab2866b5852921aa04a4f8de18e6c9109cc91c94c34879013c0134
SSDEEP

196608:YeS5hV9/S6WXbfXlTrn7HZ5AQX3AveLukj1w9cNzvhXoZJ+:YdhVs6WXjX9HZ5AQX32WD/oZY

Score

10^/10

darkgate user_871236672 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

user_871236672

http://adhufdauifadhj13.com

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
2351
check_disk
false
check_ram
true
check_xeon
true
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
stanpttaHMuhnz
internal_mutex
txtMut
minimum_disk
40
minimum_ram
6002
ping_interval
4
rootkit
true
startup_persistence
true
username
user_871236672

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Executes dropped EXE 2 IoCs

pid	Process
4324	windbg.exe
460	Autoit3.exe

Loads dropped DLL 4 IoCs

pid	Process
1928	MsiExec.exe
4324	windbg.exe
4324	windbg.exe
1928	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2224	ICACLS.EXE
640	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e589a86.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{3D6CC9D9-208A-4C2E-8054-F677C4EFB216}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIB255.tmp	msiexec.exe
File created	C:\Windows\Installer\e589a86.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9F0A.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIB245.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e177523499fd9a390000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e17752340000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e1775234000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de1775234000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e177523400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4544	msiexec.exe
4544	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2108	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2108	msiexec.exe
Token: SeSecurityPrivilege	4544	msiexec.exe
Token: SeCreateTokenPrivilege	2108	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2108	msiexec.exe
Token: SeLockMemoryPrivilege	2108	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2108	msiexec.exe
Token: SeMachineAccountPrivilege	2108	msiexec.exe
Token: SeTcbPrivilege	2108	msiexec.exe
Token: SeSecurityPrivilege	2108	msiexec.exe
Token: SeTakeOwnershipPrivilege	2108	msiexec.exe
Token: SeLoadDriverPrivilege	2108	msiexec.exe
Token: SeSystemProfilePrivilege	2108	msiexec.exe
Token: SeSystemtimePrivilege	2108	msiexec.exe
Token: SeProfSingleProcessPrivilege	2108	msiexec.exe
Token: SeIncBasePriorityPrivilege	2108	msiexec.exe
Token: SeCreatePagefilePrivilege	2108	msiexec.exe
Token: SeCreatePermanentPrivilege	2108	msiexec.exe
Token: SeBackupPrivilege	2108	msiexec.exe
Token: SeRestorePrivilege	2108	msiexec.exe
Token: SeShutdownPrivilege	2108	msiexec.exe
Token: SeDebugPrivilege	2108	msiexec.exe
Token: SeAuditPrivilege	2108	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2108	msiexec.exe
Token: SeChangeNotifyPrivilege	2108	msiexec.exe
Token: SeRemoteShutdownPrivilege	2108	msiexec.exe
Token: SeUndockPrivilege	2108	msiexec.exe
Token: SeSyncAgentPrivilege	2108	msiexec.exe
Token: SeEnableDelegationPrivilege	2108	msiexec.exe
Token: SeManageVolumePrivilege	2108	msiexec.exe
Token: SeImpersonatePrivilege	2108	msiexec.exe
Token: SeCreateGlobalPrivilege	2108	msiexec.exe
Token: SeBackupPrivilege	464	vssvc.exe
Token: SeRestorePrivilege	464	vssvc.exe
Token: SeAuditPrivilege	464	vssvc.exe
Token: SeBackupPrivilege	4544	msiexec.exe
Token: SeRestorePrivilege	4544	msiexec.exe
Token: SeRestorePrivilege	4544	msiexec.exe
Token: SeTakeOwnershipPrivilege	4544	msiexec.exe
Token: SeRestorePrivilege	4544	msiexec.exe
Token: SeTakeOwnershipPrivilege	4544	msiexec.exe
Token: SeRestorePrivilege	4544	msiexec.exe
Token: SeTakeOwnershipPrivilege	4544	msiexec.exe
Token: SeRestorePrivilege	4544	msiexec.exe
Token: SeTakeOwnershipPrivilege	4544	msiexec.exe
Token: SeBackupPrivilege	4276	srtasks.exe
Token: SeRestorePrivilege	4276	srtasks.exe
Token: SeSecurityPrivilege	4276	srtasks.exe
Token: SeTakeOwnershipPrivilege	4276	srtasks.exe
Token: SeBackupPrivilege	4276	srtasks.exe
Token: SeRestorePrivilege	4276	srtasks.exe
Token: SeSecurityPrivilege	4276	srtasks.exe
Token: SeTakeOwnershipPrivilege	4276	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2108	msiexec.exe
2108	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 4544 wrote to memory of 4276	4544	msiexec.exe	103
PID 4544 wrote to memory of 4276	4544	msiexec.exe	103
PID 4544 wrote to memory of 1928	4544	msiexec.exe	105
PID 4544 wrote to memory of 1928	4544	msiexec.exe	105
PID 4544 wrote to memory of 1928	4544	msiexec.exe	105
PID 1928 wrote to memory of 2224	1928	MsiExec.exe	107
PID 1928 wrote to memory of 2224	1928	MsiExec.exe	107
PID 1928 wrote to memory of 2224	1928	MsiExec.exe	107
PID 1928 wrote to memory of 1020	1928	MsiExec.exe	109
PID 1928 wrote to memory of 1020	1928	MsiExec.exe	109
PID 1928 wrote to memory of 1020	1928	MsiExec.exe	109
PID 1928 wrote to memory of 4324	1928	MsiExec.exe	111
PID 1928 wrote to memory of 4324	1928	MsiExec.exe	111
PID 1928 wrote to memory of 4324	1928	MsiExec.exe	111
PID 4324 wrote to memory of 460	4324	windbg.exe	113
PID 4324 wrote to memory of 460	4324	windbg.exe	113
PID 4324 wrote to memory of 460	4324	windbg.exe	113
PID 1928 wrote to memory of 640	1928	MsiExec.exe	114
PID 1928 wrote to memory of 640	1928	MsiExec.exe	114
PID 1928 wrote to memory of 640	1928	MsiExec.exe	114

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\e91874c5d8c2.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2108

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4276
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AB032D1509114B403998CE55334A3F27
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-dee9e908-9c7c-4102-894c-4a056f6702f9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2224
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:1020
- - C:\Users\Admin\AppData\Local\Temp\MW-dee9e908-9c7c-4102-894c-4a056f6702f9\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-dee9e908-9c7c-4102-894c-4a056f6702f9\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4324
  - - \??\c:\tmpa\Autoit3.exe
      c:\tmpa\Autoit3.exe c:\tmpa\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:460
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-dee9e908-9c7c-4102-894c-4a056f6702f9\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-dee9e908-9c7c-4102-894c-4a056f6702f9\files.cab

Filesize
8.4MB

MD5
c2861c23df5ad7a31c8ae622dc87f867

SHA1
0c50bc37cbf26c1e91f34b4a617f7ad663c78b13

SHA256
beee92357f4f194dcb2dda5b751939cb7218a090cdf05266c24ba52fcf51f013

SHA512
81d756790c8b2c9c3c8ef487968a977cd630bbcd7aa809519fc7358643981b6025556443de2672e9b6d5f8b43611ff771b8a36f99003985aaa068105585a4eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dee9e908-9c7c-4102-894c-4a056f6702f9\files\00004-4001132497.png

Filesize
1.1MB

MD5
2ccc17c1a5bb5e656e7f3bb09ff0beff

SHA1
05866cf7dd5fa99ea852b01c2791b30e7741ea19

SHA256
411b6ce9e97a4d828ab43dcf896f8ea09b5e9dc02874909f53ca1e0f10caeed2

SHA512
46b7362a2df870018707d89a7340ac0c07a2a357c504dbd944699c0231b4f984661b9f112b9d4869e55cf208ed5968f3ec5b5b35a956329679fb6e48ada7c4c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dee9e908-9c7c-4102-894c-4a056f6702f9\files\00005-3546315028.png

Filesize
1.8MB

MD5
dee56d4f89c71ea6c4f1e75b82f2e9c9

SHA1
293ce531cddbf4034782d5dfed1e35c807d75c52

SHA256
a8f1ffb62d49d35a0f838f358614333e3d5d68ce5409fdfefcd1aa218d4639cf

SHA512
e8c38dc1d7a49d9cb919eae5294cc64379a933cdbd5427ed38c5f915271655f9bd6363e131f9d8a74ffdda23c7b155cc5200ddf999339ea611b98e74355faa0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dee9e908-9c7c-4102-894c-4a056f6702f9\files\00006-3546315029.png

Filesize
1.8MB

MD5
173a98c6c7a166db7c3caa3a06fec06c

SHA1
3c562051f42353e72ba87b6f54744f6d0107df86

SHA256
212a80b3f8e68d00dbd8fc55fc8c4b30ee996348262d5d37e8b3f431a4b2fdad

SHA512
9dcd341937eff32762767d3538499d211f5a50fddb4e83d5d1afbeb87a5420c1fb9952ef2ecc744c460b7d53baa2bffbe99087a9f794d25ba78d1af61ea8b54d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dee9e908-9c7c-4102-894c-4a056f6702f9\files\00007-3546315030.png

Filesize
1.6MB

MD5
94b4895b7b8a60481393b7b8c22ad742

SHA1
902796c4aee78ab74e7ba5004625d797d83a8787

SHA256
f449409c8747d8e73ac7f8539c6e26d526ef51d267fed40eadce138389db5973

SHA512
d1ed6f5a1920eca041a683d71ac562058bc513877e3ae8be18888797d0713e25964c610428f9474d9b539097441002275e1f0023a565bd205cd4153ac282b61e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dee9e908-9c7c-4102-894c-4a056f6702f9\files\data.bin

Filesize
92KB

MD5
bb8c7df11b277155036fd6f62110d818

SHA1
c7f7413f4e525822be37b33817a1755a04fec4e8

SHA256
742f8df79f6dd2bd16d00d7235f655b32b687886cda485808d1c1762ba44336a

SHA512
a568949fcef56f0db85c5f452b345f4912c8ce9435915b9380b21f97bebbcc0961e9739b8c62fa5181d527e1852c72e3bd947a56dddb0a3031c6f2c9d67e1b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dee9e908-9c7c-4102-894c-4a056f6702f9\files\data2.bin

Filesize
2.0MB

MD5
148787dfd8c9b0d3c0681f0a984cbcf0

SHA1
0456d2fd54da6e9eaa239b9620efcf17c9cf95c5

SHA256
4f1c84df725ddff0403f24080baff45abc06a1191b43c00f9847d791b7b79488

SHA512
e0e4c8fc3953e48f253f3b762f6df6ec7bce0067e6f867eb1e8e5b3921ea7eada1993f8a173ae7f29103927b4e339374425b9f2a729da075fa142a8b5440e830

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dee9e908-9c7c-4102-894c-4a056f6702f9\files\dbgeng.dll

Filesize
1.9MB

MD5
ed7798f01f00f2ce332053e85b73d512

SHA1
9dcbe0d54f61a0d5acda7e18dc47a247f598edd4

SHA256
b4401b1eae7f8a6c8bef9ba12daab302e41d25f5b8eff4b1a94bca0fc7990942

SHA512
9ce56059b2866cbb4662683bfa20565fead108dc4807ea095aeb6d4a86a6b47f6e2d6c7129097e5bf80b10a311217d0e3f75f65e3aa0058648a18faf92641bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dee9e908-9c7c-4102-894c-4a056f6702f9\files\dbgeng.dll

Filesize
1.9MB

MD5
ed7798f01f00f2ce332053e85b73d512

SHA1
9dcbe0d54f61a0d5acda7e18dc47a247f598edd4

SHA256
b4401b1eae7f8a6c8bef9ba12daab302e41d25f5b8eff4b1a94bca0fc7990942

SHA512
9ce56059b2866cbb4662683bfa20565fead108dc4807ea095aeb6d4a86a6b47f6e2d6c7129097e5bf80b10a311217d0e3f75f65e3aa0058648a18faf92641bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dee9e908-9c7c-4102-894c-4a056f6702f9\files\dbgeng.dll

Filesize
1.9MB

MD5
ed7798f01f00f2ce332053e85b73d512

SHA1
9dcbe0d54f61a0d5acda7e18dc47a247f598edd4

SHA256
b4401b1eae7f8a6c8bef9ba12daab302e41d25f5b8eff4b1a94bca0fc7990942

SHA512
9ce56059b2866cbb4662683bfa20565fead108dc4807ea095aeb6d4a86a6b47f6e2d6c7129097e5bf80b10a311217d0e3f75f65e3aa0058648a18faf92641bee

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dee9e908-9c7c-4102-894c-4a056f6702f9\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dee9e908-9c7c-4102-894c-4a056f6702f9\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dee9e908-9c7c-4102-894c-4a056f6702f9\msiwrapper.ini

Filesize
1KB

MD5
f4211092038f4612b4033b6f6d687874

SHA1
7a065b36ec43eaa4e0edfc100c780fee05894cec

SHA256
3b901876dce426ab887f410183ec6a872d4de01a19347125b5f0f720e7d63d0a

SHA512
db2c6f45837c655c64b3b926a30f471ad2eb13083324e13a9eb1cc1a41218e849afc0b393dcafb04d6cb094559f7ebeea573ca808a0aa1df82f2a5494649b263

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dee9e908-9c7c-4102-894c-4a056f6702f9\msiwrapper.ini

Filesize
370B

MD5
8d206ded398594077806fbadc9540368

SHA1
f758aef892d5d85af9ed07fa2649bc7d18f67e0d

SHA256
76469a026c8c880713dd1e9f5a0743df767fa2aeb688cf722393cbacdb82a636

SHA512
7ac43833eb312a8763e5b8085b0247c9e506079742b973803da760b72567254d1279d1dfa0b012b266d27f0891cd9b96d72f954804d949cddc30e1aac2871012

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dee9e908-9c7c-4102-894c-4a056f6702f9\msiwrapper.ini

Filesize
1KB

MD5
93a6432e7b6046b046977316115c6e58

SHA1
fce4445773e1011c55221719792e17d13c67c420

SHA256
03fc95f4f32dbb5496419cd77e697877f09eea209077aaf249cd8cf32b031c2f

SHA512
62e0dd4faf00d01d875d815ee08fcd8a62221d163bdc7caeb15989bd6cd8a6c449593221a8e1a1c2fdfde080e2ae7b4f0e919c66a1c9778935919ade5e1f892c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dee9e908-9c7c-4102-894c-4a056f6702f9\msiwrapper.ini

Filesize
1KB

MD5
345ecd0fd1983dfa161cdafbc9059af0

SHA1
95dd00379ad9d0964f30d68cc8b3cb5233981065

SHA256
d7bf8a808e5eaef26948fb4923c3f718086d90fd025750b8baac83fc7bed1d98

SHA512
047847476ed09d204a310254947ef9737bf71becd671effa6e7a15b91d2f95d6181aa05f59a03302dbf814609f77ab1b4bff46686a3e14c10dae7edd0c58940e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-dee9e908-9c7c-4102-894c-4a056f6702f9\msiwrapper.ini

Filesize
1KB

MD5
345ecd0fd1983dfa161cdafbc9059af0

SHA1
95dd00379ad9d0964f30d68cc8b3cb5233981065

SHA256
d7bf8a808e5eaef26948fb4923c3f718086d90fd025750b8baac83fc7bed1d98

SHA512
047847476ed09d204a310254947ef9737bf71becd671effa6e7a15b91d2f95d6181aa05f59a03302dbf814609f77ab1b4bff46686a3e14c10dae7edd0c58940e

Download Submit
C:\Windows\Installer\MSI9F0A.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSI9F0A.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIB255.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIB255.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
21ef80c31064d04d97a4b6b19dc43891

SHA1
5237340c5c72325acb774d7c22def404002b9b43

SHA256
bab34cc28480475f18c4bad1c4234d76062a8d9e7e48d50d17d1c98aacb9f3e6

SHA512
feb7d60ed6c907511ea786498569f030ca631bb6d4957f8a2ce192d2cd7424cf0eb8a70395069fdea24f7e946a829e918725aa7c2de6d95428d22922519a09c1

Download Submit
\??\Volume{345277e1-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{941ad023-8f42-4fe1-9648-d868d0770d7e}_OnDiskSnapshotProp

Filesize
5KB

MD5
2a8835c2a67cccb892214be09dbea521

SHA1
254d1abfc9a8bb78401d84fbcf3e74a7c4ee3cac

SHA256
f55c6dffb986911ee1b986fbeb4a2e7c36e3ee1678a01d41a14fd0d5589fc744

SHA512
d650362f15a3e504fea45473ce558105130af0fefaf7ae4bf6912a6055786e8c860af328845830f45ba049414ca30444243373ea5fd87954c49ba7348f5051cd

Download Submit
\??\c:\tmpa\script.au3

Filesize
698KB

MD5
74de66e9523816a5b1dfbdb31b56cb3b

SHA1
9b0bd88932223c819d2c10d5739abdaf4f1a3cec

SHA256
91323b304dead6738f2652334e01bc2219751ea749501cf53f2f04573cd7cdd2

SHA512
21da2c017084db3e74447dd95478b4984a99494b8792ebde07fee9ed3c9114abe3491532bb89da47736098de8aa0e76e8313a28e26dca581f284fcc5b2e1df5a

Download Submit
memory/460-117-0x0000000003E10000-0x0000000004210000-memory.dmp

Filesize
4.0MB

Download
memory/460-119-0x0000000004710000-0x00000000048A5000-memory.dmp

Filesize
1.6MB

Download
memory/4324-97-0x0000000000B30000-0x0000000000D30000-memory.dmp

Filesize
2.0MB

Download
memory/4324-106-0x00000000026C0000-0x000000000274A000-memory.dmp

Filesize
552KB

Download
memory/4324-105-0x0000000000B30000-0x0000000000D30000-memory.dmp

Filesize
2.0MB

Download
memory/4324-100-0x00000000026C0000-0x000000000274A000-memory.dmp

Filesize
552KB

Download