darkgate | 5e94aa172460e74293db106a98327778ae2d32c6ce6592857a1ec0c581543572

Analysis

max time kernel
223s
max time network
274s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2023 19:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e94aa172460e74293db106a98327778ae2d32c6ce6592857a1ec0c581543572.msi
Size

7.7MB
MD5

6c3599836e9a3ee7839b5e214681cd94
SHA1

3fb8d21c788229278a7156cda7e8df9f92b25cf0
SHA256

5e94aa172460e74293db106a98327778ae2d32c6ce6592857a1ec0c581543572
SHA512

ad8f4555e9008f02079d002080c81d9c19a2b15a9739f6450ef2356cfe4ea1bb989e5c11921c440df4d9d90f67719be16ec830c1fedb7ee8aa3aa9264ef7a9bb
SSDEEP

98304:vpuKjsEZcgsdUqakFRFawTV82ASqQBW9vpWzxjFycvniqy33XglSB2CiU39q/C+w:B1NsUqai/pTOryNnxyXxBTir/R

Score

10^/10

darkgate user_871236672 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

user_871236672

http://taochinashowwers.com

Attributes

alternative_c2_port
8080
anti_analysis
true
anti_debug
true
anti_vm
true
c2_port
2351
check_disk
true
check_ram
true
check_xeon
true
crypter_au3
false
crypter_dll
false
crypter_rawstub
true
crypto_key
MImlcsfyPCPETh
internal_mutex
txtMut
minimum_disk
35
minimum_ram
6000
ping_interval
4
rootkit
true
startup_persistence
true
username
user_871236672

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Executes dropped EXE 2 IoCs

pid	Process
4316	windbg.exe
2596	Autoit3.exe

Loads dropped DLL 3 IoCs

pid	Process
3044	MsiExec.exe
4316	windbg.exe
3044	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4688	ICACLS.EXE
1464	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{924AAE56-446B-4BD1-A80A-42844A328C27}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\e57f5ca.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF712.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIB27.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB28.tmp	msiexec.exe
File created	C:\Windows\Installer\e57f5ca.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000326c22034809cb6a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000326c22030000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900326c2203000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d326c2203000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000326c220300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2880	msiexec.exe
2880	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3280	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3280	msiexec.exe
Token: SeSecurityPrivilege	2880	msiexec.exe
Token: SeCreateTokenPrivilege	3280	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3280	msiexec.exe
Token: SeLockMemoryPrivilege	3280	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3280	msiexec.exe
Token: SeMachineAccountPrivilege	3280	msiexec.exe
Token: SeTcbPrivilege	3280	msiexec.exe
Token: SeSecurityPrivilege	3280	msiexec.exe
Token: SeTakeOwnershipPrivilege	3280	msiexec.exe
Token: SeLoadDriverPrivilege	3280	msiexec.exe
Token: SeSystemProfilePrivilege	3280	msiexec.exe
Token: SeSystemtimePrivilege	3280	msiexec.exe
Token: SeProfSingleProcessPrivilege	3280	msiexec.exe
Token: SeIncBasePriorityPrivilege	3280	msiexec.exe
Token: SeCreatePagefilePrivilege	3280	msiexec.exe
Token: SeCreatePermanentPrivilege	3280	msiexec.exe
Token: SeBackupPrivilege	3280	msiexec.exe
Token: SeRestorePrivilege	3280	msiexec.exe
Token: SeShutdownPrivilege	3280	msiexec.exe
Token: SeDebugPrivilege	3280	msiexec.exe
Token: SeAuditPrivilege	3280	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3280	msiexec.exe
Token: SeChangeNotifyPrivilege	3280	msiexec.exe
Token: SeRemoteShutdownPrivilege	3280	msiexec.exe
Token: SeUndockPrivilege	3280	msiexec.exe
Token: SeSyncAgentPrivilege	3280	msiexec.exe
Token: SeEnableDelegationPrivilege	3280	msiexec.exe
Token: SeManageVolumePrivilege	3280	msiexec.exe
Token: SeImpersonatePrivilege	3280	msiexec.exe
Token: SeCreateGlobalPrivilege	3280	msiexec.exe
Token: SeBackupPrivilege	1600	vssvc.exe
Token: SeRestorePrivilege	1600	vssvc.exe
Token: SeAuditPrivilege	1600	vssvc.exe
Token: SeBackupPrivilege	2880	msiexec.exe
Token: SeRestorePrivilege	2880	msiexec.exe
Token: SeRestorePrivilege	2880	msiexec.exe
Token: SeTakeOwnershipPrivilege	2880	msiexec.exe
Token: SeRestorePrivilege	2880	msiexec.exe
Token: SeTakeOwnershipPrivilege	2880	msiexec.exe
Token: SeRestorePrivilege	2880	msiexec.exe
Token: SeTakeOwnershipPrivilege	2880	msiexec.exe
Token: SeRestorePrivilege	2880	msiexec.exe
Token: SeTakeOwnershipPrivilege	2880	msiexec.exe
Token: SeBackupPrivilege	3324	srtasks.exe
Token: SeRestorePrivilege	3324	srtasks.exe
Token: SeSecurityPrivilege	3324	srtasks.exe
Token: SeTakeOwnershipPrivilege	3324	srtasks.exe
Token: SeBackupPrivilege	3324	srtasks.exe
Token: SeRestorePrivilege	3324	srtasks.exe
Token: SeSecurityPrivilege	3324	srtasks.exe
Token: SeTakeOwnershipPrivilege	3324	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3280	msiexec.exe
3280	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 3324	2880	msiexec.exe	93
PID 2880 wrote to memory of 3324	2880	msiexec.exe	93
PID 2880 wrote to memory of 3044	2880	msiexec.exe	95
PID 2880 wrote to memory of 3044	2880	msiexec.exe	95
PID 2880 wrote to memory of 3044	2880	msiexec.exe	95
PID 3044 wrote to memory of 4688	3044	MsiExec.exe	99
PID 3044 wrote to memory of 4688	3044	MsiExec.exe	99
PID 3044 wrote to memory of 4688	3044	MsiExec.exe	99
PID 3044 wrote to memory of 3952	3044	MsiExec.exe	101
PID 3044 wrote to memory of 3952	3044	MsiExec.exe	101
PID 3044 wrote to memory of 3952	3044	MsiExec.exe	101
PID 3044 wrote to memory of 4316	3044	MsiExec.exe	103
PID 3044 wrote to memory of 4316	3044	MsiExec.exe	103
PID 3044 wrote to memory of 4316	3044	MsiExec.exe	103
PID 4316 wrote to memory of 2596	4316	windbg.exe	104
PID 4316 wrote to memory of 2596	4316	windbg.exe	104
PID 4316 wrote to memory of 2596	4316	windbg.exe	104
PID 3044 wrote to memory of 1464	3044	MsiExec.exe	105
PID 3044 wrote to memory of 1464	3044	MsiExec.exe	105
PID 3044 wrote to memory of 1464	3044	MsiExec.exe	105

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\5e94aa172460e74293db106a98327778ae2d32c6ce6592857a1ec0c581543572.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3280

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3324
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0A5EE5B5074D19B522CD387E736F459F
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-b82d3d42-9d6c-4215-b4a4-e41553a393a4\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:4688
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:3952
- - C:\Users\Admin\AppData\Local\Temp\MW-b82d3d42-9d6c-4215-b4a4-e41553a393a4\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-b82d3d42-9d6c-4215-b4a4-e41553a393a4\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - \??\c:\tmpa\Autoit3.exe
      c:\tmpa\Autoit3.exe c:\tmpa\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:2596
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-b82d3d42-9d6c-4215-b4a4-e41553a393a4\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:1464

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-b82d3d42-9d6c-4215-b4a4-e41553a393a4\files.cab

Filesize
7.4MB

MD5
c62341284a519d5cc5f5b47784277c29

SHA1
3ddcbb9c849a3cb090332b90581b473cbd21a21e

SHA256
ee3f6d643429f67d3354580b331265a086166cc038eaf091bedda6b5dcd2e99f

SHA512
e0774b0577f30202a631a70071197fd18a798403f6c2595e145e1beab440402e8e264dbb8d8c49d1e1e478a1e4ed9fd4d9dd9e935e74516353de61f6922ef69c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b82d3d42-9d6c-4215-b4a4-e41553a393a4\files\00147-1040811655.png

Filesize
1.3MB

MD5
7ec930b1536750116c13b06313286cf5

SHA1
adc543581e4acbaffd5593d07346296bbda1ede5

SHA256
1d18677415ff9d03c8e3accde3ab0786d33985f3d6b3855eca632c07fc4de547

SHA512
531887e99339aa19cef104226074cdbfb74d8e31cb535cf232b241f4cb05550ac33504ad58dc9b3eaa2c5dbb0a2eb32e9cc06a754b00618485d625ca4c3415db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b82d3d42-9d6c-4215-b4a4-e41553a393a4\files\00148-1040811656.png

Filesize
1.2MB

MD5
bb581ea56d0940dc4d002a902e0fb0c9

SHA1
226afeb98300bc51a4e80e112b38bfbf9ef8f706

SHA256
84e19377a78d441de940eb1943edddc5720aafb67aed7dc30c281b98c3d0a201

SHA512
3237d3a234549704af058e64c4e190f07023e44164bae66e31c87a733ed215c827d2c29facce53a1dc781cc31f538f8f17e4a389ca21354c111ed9da04429511

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b82d3d42-9d6c-4215-b4a4-e41553a393a4\files\00149-438824465.png

Filesize
1.2MB

MD5
5cf577304c7231e35ab9296db1207993

SHA1
6deec1a72be8e657dcb484d58e81d138cfd8f25d

SHA256
ad7544c407ec1655adc699e70b75b5d75c3a7f28538a9738925b5f020b5e571c

SHA512
e1615432911024c9ad9abca3f851a94647f22b2600160dca9ad6ac18c2830d78e6e87f96cc4ecb2d9b597b66b0a7ddf5774299415cc0bd40d4e19741352aa37f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b82d3d42-9d6c-4215-b4a4-e41553a393a4\files\00150-438824466.png

Filesize
1.2MB

MD5
09f104f5af838fc714ba3d17623008b9

SHA1
842bcd3e250ab2ee598947ba241cafb274dda591

SHA256
caf1252510b1be93214fc9d464a20fdbf81a89839f7e0bc9156190762af3714f

SHA512
c37105eeaf8659546922066ffc712f88527adb59954c74381a53afa3623b8bedbdad548f26d3ecfd43cb0f0eca7f052ddf953358ece96d1199ff1e5e76e5604c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b82d3d42-9d6c-4215-b4a4-e41553a393a4\files\00151-438824467.png

Filesize
1.1MB

MD5
64d144051485b81b8a7c83476ba59427

SHA1
044bd6b794414b82d1579d309d3762d02e39d292

SHA256
f63482d06fbe08336aa1b7b7ec813bad196bba9f60a6a27363a82c9da9cc17f0

SHA512
d38f9ca097277cf6500258e16cb183deaa07b10e2060d93810af3eb97e8c97285817b32ab5876d5f42b0ca504dd5b562f421b7eb2ad65be5d950eb52f6ead1db

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b82d3d42-9d6c-4215-b4a4-e41553a393a4\files\data.bin

Filesize
92KB

MD5
8b305b67e45165844d2f8547a085d782

SHA1
92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722

SHA256
776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b

SHA512
2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b82d3d42-9d6c-4215-b4a4-e41553a393a4\files\data2.bin

Filesize
1.8MB

MD5
455f351ea2e345b341df5b381db0e722

SHA1
f0b046d064062cd16e79e440eb1eea846988b21e

SHA256
a1830d364ab7c592b577e261dd2d146fbbbed672b299f03b3e2e152a9ab5e719

SHA512
4b08f20d4a50d4d0fb46d5a4087626ab366065e38fd53d4bdeb3168d131371ee61167f100ce7a4e21115aaee0623e5a0398018c6f1fb0f8c0caf2a6f73aff2b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b82d3d42-9d6c-4215-b4a4-e41553a393a4\files\dbgeng.dll

Filesize
736KB

MD5
0e15cf36767154814fb8e6b61c726e19

SHA1
1f7bae6cb38aa8da60723ead126840f49e7af07d

SHA256
036ba93b0ffb331a11ce1ddabc19fc6fd41824dd053fdce3c1d3942910480f7b

SHA512
4135b5d3f3081369060ee915f8595fd86353277c2910cedd524b1df3494a51d56ef11247efac01770c3d4be43e6911ee1f2f77495d7250dd170c3965a8cd3d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b82d3d42-9d6c-4215-b4a4-e41553a393a4\files\dbgeng.dll

Filesize
736KB

MD5
0e15cf36767154814fb8e6b61c726e19

SHA1
1f7bae6cb38aa8da60723ead126840f49e7af07d

SHA256
036ba93b0ffb331a11ce1ddabc19fc6fd41824dd053fdce3c1d3942910480f7b

SHA512
4135b5d3f3081369060ee915f8595fd86353277c2910cedd524b1df3494a51d56ef11247efac01770c3d4be43e6911ee1f2f77495d7250dd170c3965a8cd3d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b82d3d42-9d6c-4215-b4a4-e41553a393a4\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b82d3d42-9d6c-4215-b4a4-e41553a393a4\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b82d3d42-9d6c-4215-b4a4-e41553a393a4\msiwrapper.ini

Filesize
1KB

MD5
11ba76865f588975af3e7b92ebc1414f

SHA1
7b077c9deaf979dfc7bddfe19120f89167ff7902

SHA256
be7fa1c10fd6ab84fc67038246e0b6f2a8cf077636f818e05d86391b9acde695

SHA512
165745fd8b20b97908764bb831dd99e674016ac195d43632984fa8a96c0c7a4bb212c3606e8523a901da04fc02a48bf704cd19ef0746a2764c4a21ef69a7e2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b82d3d42-9d6c-4215-b4a4-e41553a393a4\msiwrapper.ini

Filesize
1KB

MD5
99baae7c878e15a16b99ea81bf7c4792

SHA1
f0f00c981bf6631c667578c33d35df2e2475497b

SHA256
37ae51ec29b02e970d3e66dc2bc3a940b0f9dd27413af125c023935c1bc8bb42

SHA512
bb3bf3c4a1e657fae504b2e1aecacdc49b0d35fc7694c873596c00ca741f7cbd3408700c224a3d7c5a2f6a308770be946fca9be153d0cb340cd7659d20846c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b82d3d42-9d6c-4215-b4a4-e41553a393a4\msiwrapper.ini

Filesize
1KB

MD5
99baae7c878e15a16b99ea81bf7c4792

SHA1
f0f00c981bf6631c667578c33d35df2e2475497b

SHA256
37ae51ec29b02e970d3e66dc2bc3a940b0f9dd27413af125c023935c1bc8bb42

SHA512
bb3bf3c4a1e657fae504b2e1aecacdc49b0d35fc7694c873596c00ca741f7cbd3408700c224a3d7c5a2f6a308770be946fca9be153d0cb340cd7659d20846c46

Download Submit
C:\Windows\Installer\MSIB28.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIB28.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIF712.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIF712.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\tmpa\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
ba516b4d7f8521b1906416dfce0a54ba

SHA1
c35237271a2e8d6c5eeab33024bd6f408ed0f6e4

SHA256
d4d0c794008c921f32ac10c030179b5cead722bc14a2364fa2e9c0b0258d6e39

SHA512
e434d850a91fdbae302840c05cc6439a3cd2298fbfee7302f9d7280ee0542e1b285331f5f9721d3f3105c900a0076e028f1b699eba1396f34870235a43ba03a1

Download Submit
\??\Volume{03226c32-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{dd5f8e62-1e87-434d-9ba9-d8768e807de2}_OnDiskSnapshotProp

Filesize
5KB

MD5
30158482cbb644bb26d1d425941923b5

SHA1
203e393fa23a7d243e8367d0a6802c4f3c56b5bc

SHA256
a9ca57ed2f6c88a67e42b6a38e871b85ab68f761cdbd43ab9fbd41b25810b8ee

SHA512
4e9a8f135799fde089607fe4f7d4a0b98f284fcf1c98d0e081df167cc8e07f2ec92e8e114c49c9a8b424d13b8b7a36a571d3ef4d64a22280bb35de09cce2aa5a

Download Submit
\??\c:\tmpa\script.au3

Filesize
490KB

MD5
a2b8963a76c61a711df9565c520f6fc8

SHA1
bc2ae649ebcdd936f406d211650ef24ff05e9d98

SHA256
6795bfc89b2aa521703501b0c4ad652777543573cdb28dd12d80f7a6b49b50a1

SHA512
c1459054e16eb1068be971cd095a30933f26d67c33b1ab418cde17316dc740dcdf11525686e107211c851f55f68f51480ce30e3ac2cb6d66fb6859ea1a3c85d3

Download Submit
memory/2596-112-0x0000000004170000-0x000000000449A000-memory.dmp

Filesize
3.2MB

Download
memory/2596-105-0x0000000001460000-0x0000000001860000-memory.dmp

Filesize
4.0MB

Download
memory/4316-97-0x0000000000BC0000-0x0000000000CC0000-memory.dmp

Filesize
1024KB

Download
memory/4316-102-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download