darkgate | 1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7

Analysis

max time kernel
46s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2024 08:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7.msi
Size

9.2MB
MD5

69f900118f985990f488121cd1cf5e2b
SHA1

33f6b7aac2afaba74eeac1a44ba9ec5d0a53d00c
SHA256

1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7
SHA512

09ae36c29bfbb09ed1fdc3da5ed365fa61cf2905e177909b6a8fcef8e0a25742d1acffdb13378b91c3fa607ecece4de39b380894b6df9152f06350972bbfaa42
SSDEEP

196608:zhbWzPMCeNrs0rczeuNr/QnMOsaB9QVuHSzdUupBqbHSDjs6cv1HDQfgaP:FbWzPM5HCZNrgMVw6wyZUupkjSPcv1jO

Score

10^/10

darkgate civilian1337 discovery stealer

Malware Config

Extracted

Family

darkgate

Version

5.2.4

Botnet

civilian1337

http://185.130.227.202

Attributes

alternative_c2_port
8080
anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
2351
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
true
crypto_key
VPsTDMdPtonzYs
internal_mutex
txtMut
minimum_disk
100
minimum_ram
4096
ping_interval
4
rootkit
true
startup_persistence
true
username
civilian1337

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Suspicious use of NtCreateUserProcessOtherParentProcess 10 IoCs

description	pid	Process	procid_target
PID 1628 created 2404	1628	Autoit3.exe	53
PID 1628 created 512	1628	Autoit3.exe	115
PID 1628 created 3496	1628	Autoit3.exe	22
PID 1628 created 4376	1628	Autoit3.exe	113
PID 1628 created 3496	1628	Autoit3.exe	22
PID 3156 created 3736	3156	cmd.exe	37
PID 3156 created 4376	3156	cmd.exe	113
PID 3156 created 3924	3156	cmd.exe	8
PID 3156 created 3736	3156	cmd.exe	37
PID 3156 created 3496	3156	cmd.exe	22

Blocklisted process makes network request 4 IoCs

flow	pid	Process
46	3156	cmd.exe
47	3156	cmd.exe
48	3156	cmd.exe
49	3156	cmd.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cfacfka.lnk	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
4888	windbg.exe
1628	Autoit3.exe

Loads dropped DLL 3 IoCs

pid	Process
3604	MsiExec.exe
4888	windbg.exe
3604	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4788	ICACLS.EXE
4088	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1628 set thread context of 3156	1628	Autoit3.exe	117

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2B99EF3E-10B9-44A2-AA7C-FA01E82FF4F3}	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIEABF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEAC0.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File created	C:\Windows\Installer\e57d736.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d736.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID8DB.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000006c2b12180e4adb550000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800006c2b12180000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809006c2b1218000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d6c2b1218000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000006c2b121800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	cmd.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	cmd.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	Autoit3.exe
Key created	\REGISTRY\USER\S-1-5-21-2398549320-3657759451-817663969-1000_Classes\Local Settings	OpenWith.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4480	PING.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3952	msiexec.exe
3952	msiexec.exe
1628	Autoit3.exe
1628	Autoit3.exe
1628	Autoit3.exe
1628	Autoit3.exe
1628	Autoit3.exe
1628	Autoit3.exe
1628	Autoit3.exe
1628	Autoit3.exe
1628	Autoit3.exe
1628	Autoit3.exe
1628	Autoit3.exe
1628	Autoit3.exe
3156	cmd.exe
3156	cmd.exe
3156	cmd.exe
3156	cmd.exe
3156	cmd.exe
3156	cmd.exe
3156	cmd.exe
3156	cmd.exe
3156	cmd.exe
3156	cmd.exe
3156	cmd.exe
3156	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3156	cmd.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5048	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5048	msiexec.exe
Token: SeSecurityPrivilege	3952	msiexec.exe
Token: SeCreateTokenPrivilege	5048	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	5048	msiexec.exe
Token: SeLockMemoryPrivilege	5048	msiexec.exe
Token: SeIncreaseQuotaPrivilege	5048	msiexec.exe
Token: SeMachineAccountPrivilege	5048	msiexec.exe
Token: SeTcbPrivilege	5048	msiexec.exe
Token: SeSecurityPrivilege	5048	msiexec.exe
Token: SeTakeOwnershipPrivilege	5048	msiexec.exe
Token: SeLoadDriverPrivilege	5048	msiexec.exe
Token: SeSystemProfilePrivilege	5048	msiexec.exe
Token: SeSystemtimePrivilege	5048	msiexec.exe
Token: SeProfSingleProcessPrivilege	5048	msiexec.exe
Token: SeIncBasePriorityPrivilege	5048	msiexec.exe
Token: SeCreatePagefilePrivilege	5048	msiexec.exe
Token: SeCreatePermanentPrivilege	5048	msiexec.exe
Token: SeBackupPrivilege	5048	msiexec.exe
Token: SeRestorePrivilege	5048	msiexec.exe
Token: SeShutdownPrivilege	5048	msiexec.exe
Token: SeDebugPrivilege	5048	msiexec.exe
Token: SeAuditPrivilege	5048	msiexec.exe
Token: SeSystemEnvironmentPrivilege	5048	msiexec.exe
Token: SeChangeNotifyPrivilege	5048	msiexec.exe
Token: SeRemoteShutdownPrivilege	5048	msiexec.exe
Token: SeUndockPrivilege	5048	msiexec.exe
Token: SeSyncAgentPrivilege	5048	msiexec.exe
Token: SeEnableDelegationPrivilege	5048	msiexec.exe
Token: SeManageVolumePrivilege	5048	msiexec.exe
Token: SeImpersonatePrivilege	5048	msiexec.exe
Token: SeCreateGlobalPrivilege	5048	msiexec.exe
Token: SeBackupPrivilege	4112	vssvc.exe
Token: SeRestorePrivilege	4112	vssvc.exe
Token: SeAuditPrivilege	4112	vssvc.exe
Token: SeBackupPrivilege	3952	msiexec.exe
Token: SeRestorePrivilege	3952	msiexec.exe
Token: SeRestorePrivilege	3952	msiexec.exe
Token: SeTakeOwnershipPrivilege	3952	msiexec.exe
Token: SeRestorePrivilege	3952	msiexec.exe
Token: SeTakeOwnershipPrivilege	3952	msiexec.exe
Token: SeRestorePrivilege	3952	msiexec.exe
Token: SeTakeOwnershipPrivilege	3952	msiexec.exe
Token: SeRestorePrivilege	3952	msiexec.exe
Token: SeTakeOwnershipPrivilege	3952	msiexec.exe
Token: SeBackupPrivilege	3128	srtasks.exe
Token: SeRestorePrivilege	3128	srtasks.exe
Token: SeSecurityPrivilege	3128	srtasks.exe
Token: SeTakeOwnershipPrivilege	3128	srtasks.exe
Token: SeBackupPrivilege	3128	srtasks.exe
Token: SeRestorePrivilege	3128	srtasks.exe
Token: SeSecurityPrivilege	3128	srtasks.exe
Token: SeTakeOwnershipPrivilege	3128	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5048	msiexec.exe
5048	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4376	OpenWith.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 3952 wrote to memory of 3128	3952	msiexec.exe	101
PID 3952 wrote to memory of 3128	3952	msiexec.exe	101
PID 3952 wrote to memory of 3604	3952	msiexec.exe	103
PID 3952 wrote to memory of 3604	3952	msiexec.exe	103
PID 3952 wrote to memory of 3604	3952	msiexec.exe	103
PID 3604 wrote to memory of 4088	3604	MsiExec.exe	104
PID 3604 wrote to memory of 4088	3604	MsiExec.exe	104
PID 3604 wrote to memory of 4088	3604	MsiExec.exe	104
PID 3604 wrote to memory of 4028	3604	MsiExec.exe	106
PID 3604 wrote to memory of 4028	3604	MsiExec.exe	106
PID 3604 wrote to memory of 4028	3604	MsiExec.exe	106
PID 3604 wrote to memory of 4888	3604	MsiExec.exe	108
PID 3604 wrote to memory of 4888	3604	MsiExec.exe	108
PID 3604 wrote to memory of 4888	3604	MsiExec.exe	108
PID 4888 wrote to memory of 1628	4888	windbg.exe	110
PID 4888 wrote to memory of 1628	4888	windbg.exe	110
PID 4888 wrote to memory of 1628	4888	windbg.exe	110
PID 3604 wrote to memory of 4788	3604	MsiExec.exe	112
PID 3604 wrote to memory of 4788	3604	MsiExec.exe	112
PID 3604 wrote to memory of 4788	3604	MsiExec.exe	112
PID 1628 wrote to memory of 512	1628	Autoit3.exe	115
PID 1628 wrote to memory of 512	1628	Autoit3.exe	115
PID 1628 wrote to memory of 512	1628	Autoit3.exe	115
PID 512 wrote to memory of 4480	512	cmd.exe	116
PID 512 wrote to memory of 4480	512	cmd.exe	116
PID 512 wrote to memory of 4480	512	cmd.exe	116
PID 1628 wrote to memory of 3156	1628	Autoit3.exe	117
PID 1628 wrote to memory of 3156	1628	Autoit3.exe	117
PID 1628 wrote to memory of 3156	1628	Autoit3.exe	117
PID 1628 wrote to memory of 3156	1628	Autoit3.exe	117
PID 1628 wrote to memory of 3156	1628	Autoit3.exe	117

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3924

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1fb6b8bed3a67ee4225f852c3d90fd2b629f2541ab431b4bd4d9d9f5bbd2c4b7.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5048

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:3496

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3736

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2404

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3952
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3128
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E988C42B75CA7093FD36DBBB8C149463
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:4088
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:4028
- - C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\files\windbg.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\files\windbg.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4888
  - - \??\c:\tmpa\Autoit3.exe
      c:\tmpa\Autoit3.exe c:\tmpa\script.au3
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Checks processor information in registry
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:1628
    - - \??\c:\windows\SysWOW64\cmd.exe
        
        "c:\windows\system32\cmd.exe" /c ping 127.0.0.1 & del /q /f c:\tmpa\* & rmdir /s /q c:\tmpa\ exit
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:512
      - \??\c:\windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1
        6⤵
        Runs ping.exe
        
        PID:4480
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ping 127.0.0.1
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Blocklisted process makes network request
        Drops startup file
        Checks processor information in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:3156
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:4788

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4112

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\dhffhec\edegdhf\dheefhf

Filesize
170B

MD5
f7f69c4d1498e45fb3c6d6bfa0a31190

SHA1
c5ec7d30aee97d3bbf9bb9436ad8b00d2c1a1160

SHA256
4cbfb341af33757b05fad61a8ccfd955df45f926bb98a0492297be6995d5f8d1

SHA512
18d4ac7551d4514d39bff88db382b87680b6556b54174663bde86d6e6e347e80c639c3931b928a5be235235fc98534c3e157411a45e3635e99994736a758728b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\files.cab

Filesize
5.7MB

MD5
4ed3c8920a6d1f5bff64728dd5757cf9

SHA1
0ecb6b4e7bdbfdf53ea1adf6f2e66f4db9b24be6

SHA256
e2e475fc5f294d7b53f86825588a3623c63f133a642bf1d2468151d862463fa1

SHA512
c7f5cd07f00d3e14147f9d018c9dda6405b8d35418a69aa036b580a442d252b73f6694e05a43404856d51d3479f5ace0bd0cce1fb8e83ced4af543fdcc1c30c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\files\00001-337121377.png

Filesize
384KB

MD5
c2c3039041f9a6241ce37458dfbc987d

SHA1
a43138e27e5674a7763dacfececcbad6d7e58723

SHA256
b2c434247f8d04a3cff59113566f20450d3041097e01377659b3d8f1100885a3

SHA512
71cfbaded68be2ded2f413dace134d7b30da7692ff3c72b02c531672ce6fd47126bd379ceafa1a2ef7043c5ab08682fc83765fa42c824df277851e5fb55a153c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\files\00002-337121378.png

Filesize
193KB

MD5
a11760f2b9fc0cc179acb855f8e2cf46

SHA1
a602bd8a2d80a77b800f2d60411ec81ff1f5b10c

SHA256
e33d62269bda353329332328f825b63ffcc87c558916588c1f0d8a189810d8c1

SHA512
4b3e1ee5bfae7bdea9939d408d55f755fc18fa9d0302c68ed5c8fcefc2f144105d6d702fed16d8ae45d18975bbe53066a2377afca4dccb03fc8b5fa8031cdc06

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\files\00003-337121379.png

Filesize
305KB

MD5
04cbd119260cc2e9b31a1807cb77b5bc

SHA1
a1d182cc9f9fbd43aa9178aa471b0307aee0e5de

SHA256
bef9d8d0c311e67dfa71be7d73e37210abe9625a47a918812d2fd0b55f6d6414

SHA512
7ec1ad58fe4c22364a03a675ce2c6512ce1fc8576881d6140702a1750202fa8d72a01057a3303defed9fa777d3d2152980bfcb803e32f5935e76137780f2b50e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\files\00004-337121380.png

Filesize
290KB

MD5
5a9ae4a058fe91cefee2478e60806bf3

SHA1
5fd088fd237f69c6d19d92c53cba0fa6b153de7e

SHA256
b7f37c1cc19da809637afdcb7b803f471a3a52914680225ff9343e254b7949a3

SHA512
e898014cfc3548ccdd6a40cb3c7e1b77d84a423458c30fcddf262e2e722b8501e5988ca9ab76cb96ba6e3faaa41bb9bc23dc861a9eb18e458914ace5710424ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\files\00005-337121381.png

Filesize
96KB

MD5
c712700ea2346b6eb3f87d5d5d3dc4d0

SHA1
8bbac98eef2538c4c4cfad0588768a742f84004c

SHA256
e3ba7fae585bf46c262f2561589d045695694f45be1c37bb4c63ddd8c775ef04

SHA512
d887e12350acf3e63867d345b3e79de064e91a410f9a8558c86e0989b354bef86314798438c14effd47149dc0c6aea1fd549bc58468a21f50e1aca55c960893d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\files\00007-337121383.png

Filesize
247KB

MD5
fd1afc3d9d6bc0856f4c6a8d6f22b578

SHA1
ca7679a1e4592ff3248130d0b5e5dfbd4e2c4200

SHA256
614da20f1bf11d8f14d6ce2486167376d10ab29b3f9ddc1508e71814fb974134

SHA512
7342453c2029595e4097ca8692c8314d8d2205f641a549560001f424b0a479a075e934b3ef4a6cbe5176f15fbc0a4bc2678faaf012ea806129cfb309159f1efc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\files\00008-337121384.png

Filesize
305KB

MD5
788e0684f04967f01aa01d8ab8a8b86b

SHA1
c4edaa80e7eae6187254cd2a36c759cd9afc9e72

SHA256
72989a1d49094a29195313edf2fd4bfd2607ffd213ec34a0551e0703429ec2f9

SHA512
a4a3e6f85d7c32bc35c4d85396d1eea385385ad4f167bf7ad22acd54dc568166c01ddcbae380c769b4c5d4b99859ce16f281cc4733c05f97a4d0207b2c877f61

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\files\data.bin

Filesize
92KB

MD5
8b305b67e45165844d2f8547a085d782

SHA1
92b8ed7652e61fdf3acb4ce74f48bcc9ed14b722

SHA256
776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b

SHA512
2bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\files\data2.bin

Filesize
300KB

MD5
fe8b2ecc7443e4ea9195767c82b009b2

SHA1
d09a01946dec32f32fd9590249702ce1ee7f03ea

SHA256
ae9099a32f3bad8374a35174fb7a8085fdc002bae39ad81c3316a4acac86e160

SHA512
2fdf9ad90142d7e08b752ee1deaaec25b6f995ca8b97fd77950827e22d1504ad6eaa3cdca6ded6f50779dab7fd64bd4ccbaca5836831c0d3a6194f97d3541750

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\files\dataPicture.jpg

Filesize
159KB

MD5
008b295295c49c6d07161baff5f7212b

SHA1
f89d13817531957967be21327c8180a35960d04d

SHA256
9f42965324b20db9ad4b9ab00217eade01e6978d9e68d03669adbe9a9fe66134

SHA512
6d8aae2cca7f283c0b850236763a0cb51947053b50758e4be7515ce76fc4e47876e6478e08934922e57ba9646e2fe35be23369617b7904038eee452ba363495e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\files\dbgeng.dll

Filesize
266KB

MD5
b723f926520c088ba7e01b37486f33cf

SHA1
a2a01e87caf33d0f58f6cd885f0e42c8b2872843

SHA256
572056dbca20854fd3e686cd491feee9a3cf2b03f79d937a4f2f1d724d8b6bca

SHA512
c2fa4a68ce3b98b3425f108f0fe4066707556f48f8b6fb128231e41bf397390b4ba66a9d9379bb90610c9faa69ae3b4a8375bb3e8563b16414e5a670a83cc95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\files\dbgeng.dll

Filesize
458KB

MD5
973c6a73fa32b12f0038b17a9eb04e0d

SHA1
ee7c7a686671789c34d7c32d99176644c7c807de

SHA256
f6dd7e5251edfe28211b3d908f8f2d86d9eadbdfce5c076065ffca73d9f65dea

SHA512
e15c95c5ddf357e79e2c1ecdb9d517546403f3262cc355843053d88fb4a368bed083a49868d2e0c4492618b188d327080a8a45fecfbd8355ab5f28fcd62d052a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\files\windbg.exe

Filesize
283KB

MD5
d410f9338c3a97a7f6b5f97b8f6a505d

SHA1
e5c2e088eaff0e4638c81cc3026e044553b34d67

SHA256
66ae3371cb380aea91b18b531adf3e75a66fe86ba8d1bf0294269e7f8d240838

SHA512
2e532286c150d51b45d060bc274e3cdbcba754744a149792061dd28e418467399786fe65a325f97134587d7f4c761800f3fddd3c49bf09802c0fe0c90637f5e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\files\windbg.exe

Filesize
474KB

MD5
04ec4f58a1f4a87b5eeb1f4b7afc48e0

SHA1
58dcb1cbbec071d036a07f0e8feb858e4c5b96e7

SHA256
bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4

SHA512
5b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\msiwrapper.ini

Filesize
1KB

MD5
0548ad355ef5099f423397ce68b10a10

SHA1
1fee489b6ba0cfdc1f69805b3d3d22ad6c97c8b7

SHA256
e11fc521ec143e343e702f25691e8c89396fa83d3ee90c8a96ad5fcfee879039

SHA512
25d9583b06101a354601f35504f8ed6dfb09ae000bb084d332e84a2adfffd113d611cc8e3e581d642f4fe9ec1b87a558bdeffb3dea3706d3d37aa389234edba8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\msiwrapper.ini

Filesize
1010B

MD5
6e04bdb625d1537f39adedf7a454a5bd

SHA1
7969f620bdcc6c2b2b38c732f2ec4a9c0a0658fc

SHA256
e95b26d8a87250576b02a9cf47dd575aede5b92dce0de9f2493d39f6884d907c

SHA512
8a14b012858ac6cde122d413420889cc10d7c5aa6da66404dfc42acbb48cd19d3daaace96e46870697a34aa3810b54412e51db87e2dd224ffcbfc498e3c65439

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-fbeb46c1-93a8-4993-b2a9-d739ef7d3840\msiwrapper.ini

Filesize
1KB

MD5
8decdb670017447315bc36293faeb713

SHA1
aa1261ec784fbdcc77e64cd70da551381c8a5e0f

SHA256
4bddc1b1c7a3de777c929332435116b4ab53111d2ce815dce71f379447c15d57

SHA512
cd756fb7e7411b2d8e1d530623112f7ce2061df9cef738e73200bc432b1c35400e6594dd3346052c12aaad965f09b364f24cd6d3ba11f7899e4f369aaf7d6a48

Download Submit
C:\Windows\Installer\MSID8DB.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIEAC0.tmp

Filesize
125KB

MD5
fec2e2ad58b7b9b97769d6c1d34b30cc

SHA1
b0a1024406f434cd05f50e670b4dbc742a17370f

SHA256
c91a992923d577d99af81c7d06429eac3faaa090eaec346a6714feaf93691380

SHA512
c687424de7e98eb2672623e86d873495be033ab135daa40dbf1b08ab11bf2b1ec8102b08e90c91a7ed529438e53a04527c1467ab19766c65eea672a8d1e129ac

Download Submit
C:\Windows\Installer\MSIEAC0.tmp

Filesize
126KB

MD5
68c07f8b751e9d3ba06ccf1e66a8b1c0

SHA1
6dfeb31e8cd9dfc8fb4375920aacdb88552908ea

SHA256
20830759ddc751836a938e9fb0f42295478a0b3184809f512fbd7528fa9c8895

SHA512
370c933b28cbe8114fb70dc18692c3571908c8779159ff7ca730d7a6a78115018f94c609c75b7854f617b6c03798a16b124662af6a891b5b5ed4fa58a9764eaf

Download Submit
C:\tmpa\Autoit3.exe

Filesize
258KB

MD5
942d840ba8efc7b47ef12de63f121358

SHA1
cd1b21084bebce308fd7c8b4fb2114412faa0b24

SHA256
3660e366f53f00cca56ff3946caa25f5a94bc439987ca6fb97ad2ecfcfacc595

SHA512
cfb728b6e660a09465117074d50877b4f2438e103ffa58c114cb342225abe7adc3b56d54dc65d3e57d18eb0ee272822f259b5892315bfcbaf261354ac0a7b43b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
b0f9f3b0226c162728af733e7db2e12d

SHA1
ae3170187e100de13b7d1dc0b7cf73eebec2d57d

SHA256
083222ccfaf326489aaca0a17d685a53dc1b9d11f7da89dc1261ebac53d26303

SHA512
00780882ce4d603866d62a482f245df70088bb1398e34dd347785d215b2c828e872c1da2aeb05f3aeee9f76e14878d2d4b9396732dc573e6cdf72807e1ef1abc

Download Submit
\??\Volume{18122b6c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{375144f8-dea9-47f3-8319-a7e47f6caabd}_OnDiskSnapshotProp

Filesize
6KB

MD5
6ff614da3fb6ec6a73bdcc9112866af8

SHA1
c296c49f5060ebbac0a13611cbaee65c63e64eaa

SHA256
5a4a7a8e89b7dc1c7022b9da0b59937d401d67c52495406438efaf398f282db2

SHA512
3b083cf3db7fa0b1cad2b097190696b4f08c2e0abaf54b0fc0b343fe91c9b7deab5ae60576e771554591a1ff059f1a69f18c2434556c7938818b8b06a46d4b5a

Download Submit
\??\c:\temp\bdaehgf.au3

Filesize
490KB

MD5
e6c14274f52c3de09b65c182807d6fe9

SHA1
5bd19f63092e62a0071af3bf031bea6fc8071cc8

SHA256
5fde42453eb2e4f1eef7cec5667093bd52d4712bffef4e383f154286b7ee9aa9

SHA512
7aa121c8d0d6f979c960882cd72a6c4766535bb277879b5040723fce3e206cc64df5c8438d5fe05e219796be4795cf25aacd13e91d8e0e24a58a17bd07f0ec4e

Download Submit
\??\c:\tmpa\AutoIt3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\tmpa\script.au3

Filesize
150KB

MD5
07fb21b093c7ab0a314948aa5cc798e5

SHA1
b0597aab8af4e095791c8a9fb9ff34d12c3461d6

SHA256
0d0ba37cca7ed6d750e770af59d19c1fb78c5f83d9a6f8cd67453310e8ea52b0

SHA512
f6088c24826d3ee314cab4c60be5295a2ae6357e2543719c411bc44c1a7e7e276cdd3c954af7a9c4ef31bdf9b379938c7fb52c4b542bb83e9a90a5ae05f50052

Download Submit
memory/1628-141-0x0000000003D10000-0x000000000403A000-memory.dmp

Filesize
3.2MB

Download
memory/1628-145-0x0000000003D10000-0x000000000403A000-memory.dmp

Filesize
3.2MB

Download
memory/1628-133-0x0000000003D10000-0x000000000403A000-memory.dmp

Filesize
3.2MB

Download
memory/1628-131-0x00000000010B0000-0x00000000014B0000-memory.dmp

Filesize
4.0MB

Download
memory/1628-140-0x0000000003D10000-0x000000000403A000-memory.dmp

Filesize
3.2MB

Download
memory/3156-162-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3156-147-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3156-148-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3156-150-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3156-155-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3156-156-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3156-144-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3156-163-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3156-164-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3156-166-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3156-165-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/4888-106-0x00000000026B0000-0x00000000027B0000-memory.dmp

Filesize
1024KB

Download
memory/4888-111-0x0000000000400000-0x000000000048D000-memory.dmp

Filesize
564KB

Download