Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

fc6ab939f5...12.msi

windows7-x64

10

fc6ab939f5...12.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/03/2024, 19:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fc6ab939f5f2d6f12cb1edbe2babd5b180d8d036fc0b37a77f784d1c52162112.msi

  • Size

    4.3MB

  • MD5

    b88352bde539f79207be209759505f02

  • SHA1

    8ede7ee0a43c4282b41687408ddc38a243ac4bfd

  • SHA256

    fc6ab939f5f2d6f12cb1edbe2babd5b180d8d036fc0b37a77f784d1c52162112

  • SHA512

    104d4330c05e41d2039a0b61438565c88138ec9b2c55632ab0ec8eaf70840b095e1dd5bb5d55b65373099df80896632499ff5b3c85240d7a389824cb72268921

  • SSDEEP

    49152:zpUPB9qhCxzT+WKjSX15zLVI4vLeY9xV4qtGvmKBteU5oBgffUBS88qAU8:zpECQ1FLeYLVTV4WMVf

Score
10/10
darkgateadmin888discoverystealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

stachmentsuprimeresult.com

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    443

  • check_disk

    false

  • check_ram

    true

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    veVumtze

  • minimum_disk

    30

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 4 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fc6ab939f5f2d6f12cb1edbe2babd5b180d8d036fc0b37a77f784d1c52162112.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:556
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2160
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5D46BC4C2F51136E5A4D03BA6AF2CEF3
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:4208
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-924575cc-0f86-426b-a209-a9dd0ed00ec5\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:60
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:3104
      • C:\Users\Admin\AppData\Local\Temp\MW-924575cc-0f86-426b-a209-a9dd0ed00ec5\files\iTunesHelper.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-924575cc-0f86-426b-a209-a9dd0ed00ec5\files\iTunesHelper.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:4356
        • \??\c:\temp\Autoit3.exe
          "c:\temp\Autoit3.exe" c:\temp\script.au3
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:716
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\temp\Rivers HHBC info .pdf"
            5⤵
            • Checks processor information in registry
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4032
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1152
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=982F80E8BC1E75DFF62096704FEC32A5 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                7⤵
                  PID:3044
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=24475C9619373C9F992F188D0961EB11 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=24475C9619373C9F992F188D0961EB11 --renderer-client-id=2 --mojo-platform-channel-handle=1780 --allow-no-sandbox-job /prefetch:1
                  7⤵
                    PID:3124
                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=2D8C45F48632D03EDC4DCC23F4C094CC --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=2D8C45F48632D03EDC4DCC23F4C094CC --renderer-client-id=4 --mojo-platform-channel-handle=2196 --allow-no-sandbox-job /prefetch:1
                    7⤵
                      PID:4180
                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6C56021EA9B3A48E72F0498881487F85 --mojo-platform-channel-handle=2444 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                      7⤵
                        PID:2380
                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=A827E48FE96FB24A37E7AE6D54ED1DE3 --mojo-platform-channel-handle=1980 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                        7⤵
                          PID:648
                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=C8865963AC2DA8159E03E71DBEF27DAC --mojo-platform-channel-handle=2540 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                          7⤵
                            PID:4216
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-924575cc-0f86-426b-a209-a9dd0ed00ec5\files"
                    3⤵
                      PID:3408
                    • C:\Windows\SysWOW64\ICACLS.EXE
                      "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-924575cc-0f86-426b-a209-a9dd0ed00ec5\." /SETINTEGRITYLEVEL (CI)(OI)LOW
                      3⤵
                      • Modifies file permissions
                      PID:560
                • C:\Windows\system32\vssvc.exe
                  C:\Windows\system32\vssvc.exe
                  1⤵
                  • Checks SCSI registry key(s)
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1980

                Network

                MITRE ATT&CK Enterprise v15

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                  Filesize

                  36KB

                  MD5

                  b30d3becc8731792523d599d949e63f5

                  SHA1

                  19350257e42d7aee17fb3bf139a9d3adb330fad4

                  SHA256

                  b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

                  SHA512

                  523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                  Filesize

                  56KB

                  MD5

                  752a1f26b18748311b691c7d8fc20633

                  SHA1

                  c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

                  SHA256

                  111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

                  SHA512

                  a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

                  Download Submit

                • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                  Filesize

                  64KB

                  MD5

                  9bbba7f67486427831f7d2c0e626d4ca

                  SHA1

                  0b126887878dd54df537d278de07967bfe5994a3

                  SHA256

                  f430b31bd27fb4a3bbe8ca9dd10eb2f0f1f788ccfc959444941e91f3e298cdd9

                  SHA512

                  8d54fc23eb8eadfbe8d2262c22b135666de06f2e1e596ecdc7c825f6d012c5d61d04c6957538661775a7bb4e7f98703a017dcc1323ba521b4938d900a10df04e

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\MW-924575cc-0f86-426b-a209-a9dd0ed00ec5\files.cab
                  Filesize

                  4.1MB

                  MD5

                  7333aa36063f51a7f1f9bb05fa679ab4

                  SHA1

                  2944bfdccabb766254b94c0a1d3665ec423d114b

                  SHA256

                  2d550bcc063ba4c3cd852edc0b36c49c1d70fbcd44a63ff035153b9f574b65e3

                  SHA512

                  0c89804413e0f4cb35c1a6c50d460da241aa8e0d011c1f4e1e813f3002093fc661c59adfc58ea4369f79f0c8d785b72d31ce965ccfe3a259d5eff485b5a80d3d

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\MW-924575cc-0f86-426b-a209-a9dd0ed00ec5\files\CoreFoundation.dll
                  Filesize

                  1.5MB

                  MD5

                  ce8ee7e4e7b695d4af2c3ecf8411e637

                  SHA1

                  dd7ea41c7c351e82ab5438b75a3d830574a0aa58

                  SHA256

                  7cdb07238c8cc903e13e689d4de1129f5fb3b647e4a1c1e98c5a0e8516184ed1

                  SHA512

                  ad3492b03af2d9b6bf2632fcc65703c0e06116ea3945c4bc401047842514e7789c31912e0887f20e234b58ce970ebd1486d9b5521a76c02dcc5e58804873c3b2

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\MW-924575cc-0f86-426b-a209-a9dd0ed00ec5\files\iTunesHelper.exe
                  Filesize

                  358KB

                  MD5

                  ed6a1c72a75dee15a6fa75873cd64975

                  SHA1

                  67a15ca72e3156f8be6c46391e184087e47f4a0d

                  SHA256

                  0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda

                  SHA512

                  256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\MW-924575cc-0f86-426b-a209-a9dd0ed00ec5\files\sqlite3.dll
                  Filesize

                  2.2MB

                  MD5

                  7f84dfa82977609c70e15708df513a0e

                  SHA1

                  4bc3db683396cda2b80e0e35650234574e6f78f3

                  SHA256

                  087ff871a8d10cb876601850d8c2bc976ac213ededda4fcc29056639f0888074

                  SHA512

                  adec7d2cd6776e8da52ccbb968d29f3b2ff1d091173211f7fc7e972f46cdbb486544fe877327b28295a3f53fce162f9179a20d6b5e60d950fb13fae3e4c00863

                  Download Submit

                • C:\Users\Admin\AppData\Local\Temp\MW-924575cc-0f86-426b-a209-a9dd0ed00ec5\msiwrapper.ini
                  Filesize

                  1KB

                  MD5

                  7920688cfc858d4ddd5ff5d0d4e2bed4

                  SHA1

                  1b71200216603ec9d476447eedc67c16037ee00b

                  SHA256

                  b05afb785fa6343c167faad9921505847a86b08cd9411d231113f27f5d29d205

                  SHA512

                  b550466f9adf89e6e71c000f6b7444a87aa138d0192d1823cfa796e8678a2ba88d0f5cbbb051b8d6ce2621276e3c33fcb3cc9461596361abbd2bd271c97c0351

                  Download Submit

                • C:\Windows\Installer\MSI4F54.tmp
                  Filesize

                  208KB

                  MD5

                  d82b3fb861129c5d71f0cd2874f97216

                  SHA1

                  f3fe341d79224126e950d2691d574d147102b18d

                  SHA256

                  107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

                  SHA512

                  244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

                  Download Submit

                • C:\temp\Autoit3.exe
                  Filesize

                  872KB

                  MD5

                  c56b5f0201a3b3de53e561fe76912bfd

                  SHA1

                  2a4062e10a5de813f5688221dbeb3f3ff33eb417

                  SHA256

                  237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

                  SHA512

                  195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

                  Download Submit

                • C:\temp\Rivers HHBC info .pdf
                  Filesize

                  452KB

                  MD5

                  83a4aa4e048bd8b95e99c0b33746bdc3

                  SHA1

                  ef39e3b288cfd0c268c5fbc794f0863d2edd33e3

                  SHA256

                  7a80069879f0ff1457a52225113a81dc6fdf3cf152dabc1f5f77a5dd815c96fa

                  SHA512

                  b24d5ec5c3c212f4a36c600b20bb5b020066b1e535f6d0640cfde7ca94baafb5950d5c665d2e03508fc453cd8f9e54aecce0bf4914461a11ab23b3083df8c7ba

                  Download Submit

                • C:\temp\cc.txt
                  Filesize

                  4B

                  MD5

                  43208a29fcebf0f85ff4fb3dee4fbebc

                  SHA1

                  abbb4dd59ac51984157e1e1b4742496405ae5c3d

                  SHA256

                  b9333e242fc219b03950ab9aad5fe39b0cb0e854fc44d6719924277225b81450

                  SHA512

                  b403e49510d6b131552479e3268dfbb10b43fdf082bd32c6c417fa404211e1a3094705231f81761e2d651571f247fd3ef3f9072815320749e24081cc7946f340

                  Download Submit

                • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
                  Filesize

                  11.9MB

                  MD5

                  cdf5fd8df112699f3b55611342f4bf34

                  SHA1

                  d927ca5e1d52621ed8433b12c436619f92e0d16e

                  SHA256

                  8f065086ea54d0942e88da3d44c340ff14bb7352533db833cf04201a414456aa

                  SHA512

                  5fa3cffda76f725cca6f174a1df71340762e00784d4acb3d44897b8aa72711abc012d269f18d54b0957424184c2c59122652e76faef25eefbca40d217a3d43fb

                  Download Submit

                • \??\Volume{eb4950db-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{67532655-71af-4759-9131-771f2a6c5124}_OnDiskSnapshotProp
                  Filesize

                  6KB

                  MD5

                  8e7037276846203266c61835753fa8b7

                  SHA1

                  2c84645ec386c44932931def881ddf9eaf7d3cec

                  SHA256

                  63bc31a1508d7fc0bc502ceb398910de10324bb795f5d9f34ae0f611d956be6f

                  SHA512

                  71886a2e044efa3368f1d432b42777d50631d8f6c060f7807449644d328480bf9eda94cc03a5f62e06f7736429b17cd742e8be05587f06a1178650c9b07af75c

                  Download Submit

                • \??\c:\temp\script.au3
                  Filesize

                  1.0MB

                  MD5

                  ff77fd2453e50e3d846587ec60ac8027

                  SHA1

                  4a7c389d241f7f486ee24229d13c0e553d255a8a

                  SHA256

                  43ed3e85a7f0c80a9b532c11853a30a39a570b57f9e61703426bd6f25c30dbab

                  SHA512

                  bf79b53049f947e9947a383677a6e797e703fada5eef96a762b11b7df727db6630c1697485861d9bfad0057865e119c86d10198d269cd144e4289b97992f040c

                  Download Submit

                • \??\c:\temp\test.txt
                  Filesize

                  76B

                  MD5

                  2b5beed06469bc15ef9d3fc81026d520

                  SHA1

                  32b9af19321d3a95a566f2720bf3594c8709017e

                  SHA256

                  bc694c165646842697db370a7688753a08bed7803aa9aaaf626e54ad77b3b0fe

                  SHA512

                  78963f15247f17099214e7c33d2fb9c3b01f1986334da01c2cddda957d7d916f74a0e7f1cf2d57b1afe6f52eb999e1cf2cf6b9fd3d2afdf7f6ec6b0a8532742a

                  Download Submit

                • memory/716-91-0x0000000004440000-0x0000000005410000-memory.dmp

                  Filesize

                  15.8MB

                  Download

                • memory/716-93-0x0000000005DD0000-0x000000000611E000-memory.dmp

                  Filesize

                  3.3MB

                  Download

                • memory/716-112-0x0000000005DD0000-0x000000000611E000-memory.dmp

                  Filesize

                  3.3MB

                  Download

                • memory/4032-254-0x000000000DAC0000-0x000000000DD6B000-memory.dmp

                  Filesize

                  2.7MB

                  Download

                • memory/4208-110-0x0000000003400000-0x0000000003BA2000-memory.dmp

                  Filesize

                  7.6MB

                  Download

                • memory/4208-116-0x0000000003400000-0x0000000003BA2000-memory.dmp

                  Filesize

                  7.6MB

                  Download

                • memory/4208-105-0x00000000032F0000-0x00000000032F1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/4356-92-0x0000024C3A1C0000-0x0000024C3A3F5000-memory.dmp

                  Filesize

                  2.2MB

                  Download

                • memory/4356-89-0x00000000640B0000-0x000000006424D000-memory.dmp

                  Filesize

                  1.6MB

                  Download

                • memory/4356-79-0x0000024C3A1C0000-0x0000024C3A3F5000-memory.dmp

                  Filesize

                  2.2MB

                  Download