darkgate | 752cba77262a6d90b64495efe6254761034a0539024f1847f8c6c441d8a7144e

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
02-04-2024 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deckfeauture.msi
Size

3.9MB
MD5

7fd755d14e74c0af0d1c6b448fea8b5a
SHA1

d41b9481f94ca0d5017e6c1eba0086afbeb744a0
SHA256

3b953ef40eede72755e5562996fb6854b031440ac535f2f16e86bfdcf1e85132
SHA512

14c496cb7db7cd3dd5a44c16a1ba39d82a31ede1c6638c555b085a98728d193bfc4d891c4e5a54b86f9088b15f3812775ff7917413b62f67b80491486ac971b1
SSDEEP

49152:BpUPG9qhCxzT+WKjSXNJzLVI42Hdd8PWokdCvmmmmmmmmE/5vfH2xexG8JN6DB:BpLCQNVLe5HXSW55vfHkexGs

Score

10^/10

darkgate admin888 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

strongdomainsercgerhhost.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
false
c2_port
443
check_disk
true
check_ram
true
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
VMKaaNDw
minimum_disk
70
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 3 IoCs

resource	yara_rule
behavioral1/memory/1236-90-0x0000000003600000-0x00000000045D0000-memory.dmp	family_darkgate_v6
behavioral1/memory/1236-93-0x0000000004D00000-0x000000000504E000-memory.dmp	family_darkgate_v6
behavioral1/memory/1236-96-0x0000000004D00000-0x000000000504E000-memory.dmp	family_darkgate_v6

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1816	ICACLS.EXE
1928	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f762f7a.ipi	msiexec.exe
File created	C:\Windows\Installer\f762f7a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3034.tmp	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f762f79.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f762f79.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe

Executes dropped EXE 2 IoCs

pid	Process
1508	iTunesHelper.exe
1236	Autoit3.exe

Loads dropped DLL 3 IoCs

pid	Process
804	MsiExec.exe
804	MsiExec.exe
1508	iTunesHelper.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2696	msiexec.exe
2696	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2028	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2028	msiexec.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeTakeOwnershipPrivilege	2696	msiexec.exe
Token: SeSecurityPrivilege	2696	msiexec.exe
Token: SeCreateTokenPrivilege	2028	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2028	msiexec.exe
Token: SeLockMemoryPrivilege	2028	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2028	msiexec.exe
Token: SeMachineAccountPrivilege	2028	msiexec.exe
Token: SeTcbPrivilege	2028	msiexec.exe
Token: SeSecurityPrivilege	2028	msiexec.exe
Token: SeTakeOwnershipPrivilege	2028	msiexec.exe
Token: SeLoadDriverPrivilege	2028	msiexec.exe
Token: SeSystemProfilePrivilege	2028	msiexec.exe
Token: SeSystemtimePrivilege	2028	msiexec.exe
Token: SeProfSingleProcessPrivilege	2028	msiexec.exe
Token: SeIncBasePriorityPrivilege	2028	msiexec.exe
Token: SeCreatePagefilePrivilege	2028	msiexec.exe
Token: SeCreatePermanentPrivilege	2028	msiexec.exe
Token: SeBackupPrivilege	2028	msiexec.exe
Token: SeRestorePrivilege	2028	msiexec.exe
Token: SeShutdownPrivilege	2028	msiexec.exe
Token: SeDebugPrivilege	2028	msiexec.exe
Token: SeAuditPrivilege	2028	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2028	msiexec.exe
Token: SeChangeNotifyPrivilege	2028	msiexec.exe
Token: SeRemoteShutdownPrivilege	2028	msiexec.exe
Token: SeUndockPrivilege	2028	msiexec.exe
Token: SeSyncAgentPrivilege	2028	msiexec.exe
Token: SeEnableDelegationPrivilege	2028	msiexec.exe
Token: SeManageVolumePrivilege	2028	msiexec.exe
Token: SeImpersonatePrivilege	2028	msiexec.exe
Token: SeCreateGlobalPrivilege	2028	msiexec.exe
Token: SeBackupPrivilege	2488	vssvc.exe
Token: SeRestorePrivilege	2488	vssvc.exe
Token: SeAuditPrivilege	2488	vssvc.exe
Token: SeBackupPrivilege	2696	msiexec.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeRestorePrivilege	2440	DrvInst.exe
Token: SeRestorePrivilege	2440	DrvInst.exe
Token: SeRestorePrivilege	2440	DrvInst.exe
Token: SeRestorePrivilege	2440	DrvInst.exe
Token: SeRestorePrivilege	2440	DrvInst.exe
Token: SeRestorePrivilege	2440	DrvInst.exe
Token: SeRestorePrivilege	2440	DrvInst.exe
Token: SeLoadDriverPrivilege	2440	DrvInst.exe
Token: SeLoadDriverPrivilege	2440	DrvInst.exe
Token: SeLoadDriverPrivilege	2440	DrvInst.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeTakeOwnershipPrivilege	2696	msiexec.exe
Token: SeRestorePrivilege	2696	msiexec.exe
Token: SeTakeOwnershipPrivilege	2696	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2028	msiexec.exe
2028	msiexec.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 804	2696	msiexec.exe	32
PID 2696 wrote to memory of 804	2696	msiexec.exe	32
PID 2696 wrote to memory of 804	2696	msiexec.exe	32
PID 2696 wrote to memory of 804	2696	msiexec.exe	32
PID 2696 wrote to memory of 804	2696	msiexec.exe	32
PID 2696 wrote to memory of 804	2696	msiexec.exe	32
PID 2696 wrote to memory of 804	2696	msiexec.exe	32
PID 804 wrote to memory of 1816	804	MsiExec.exe	33
PID 804 wrote to memory of 1816	804	MsiExec.exe	33
PID 804 wrote to memory of 1816	804	MsiExec.exe	33
PID 804 wrote to memory of 1816	804	MsiExec.exe	33
PID 804 wrote to memory of 1932	804	MsiExec.exe	35
PID 804 wrote to memory of 1932	804	MsiExec.exe	35
PID 804 wrote to memory of 1932	804	MsiExec.exe	35
PID 804 wrote to memory of 1932	804	MsiExec.exe	35
PID 804 wrote to memory of 1508	804	MsiExec.exe	37
PID 804 wrote to memory of 1508	804	MsiExec.exe	37
PID 804 wrote to memory of 1508	804	MsiExec.exe	37
PID 804 wrote to memory of 1508	804	MsiExec.exe	37
PID 1508 wrote to memory of 1236	1508	iTunesHelper.exe	38
PID 1508 wrote to memory of 1236	1508	iTunesHelper.exe	38
PID 1508 wrote to memory of 1236	1508	iTunesHelper.exe	38
PID 1508 wrote to memory of 1236	1508	iTunesHelper.exe	38
PID 804 wrote to memory of 628	804	MsiExec.exe	39
PID 804 wrote to memory of 628	804	MsiExec.exe	39
PID 804 wrote to memory of 628	804	MsiExec.exe	39
PID 804 wrote to memory of 628	804	MsiExec.exe	39
PID 804 wrote to memory of 1928	804	MsiExec.exe	41
PID 804 wrote to memory of 1928	804	MsiExec.exe	41
PID 804 wrote to memory of 1928	804	MsiExec.exe	41
PID 804 wrote to memory of 1928	804	MsiExec.exe	41

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\deckfeauture.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2028

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 99D086DDC2C08132A4128589CE0581DC
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:804
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-8fd11ca9-00f7-41df-9d30-a101ecaf6651\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:1816
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\MW-8fd11ca9-00f7-41df-9d30-a101ecaf6651\files\iTunesHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-8fd11ca9-00f7-41df-9d30-a101ecaf6651\files\iTunesHelper.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1508
  - - \??\c:\temp\Autoit3.exe
      "c:\temp\Autoit3.exe" c:\temp\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:1236
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-8fd11ca9-00f7-41df-9d30-a101ecaf6651\files"
    3⤵
    PID:628
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-8fd11ca9-00f7-41df-9d30-a101ecaf6651\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:1928

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2488

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005AC" "00000000000004B4"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-8fd11ca9-00f7-41df-9d30-a101ecaf6651\files.cab

Filesize
3.6MB

MD5
9e1703f962e0783e4554f48e0ff47fa6

SHA1
e451d50985eacf7b716870e0062f062003f327b5

SHA256
255c0904241488153c4ee4f07bfbf5f8e8165aa32b73a8f5eb58c65dabf6fdec

SHA512
09ee93e2dc06c046af86d7923b8b3f7884226f16b652e240a710945831b421993ad6abbd282be959329e8a3546fa1fa6eff964e81e76067b1e734d440fcff45d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8fd11ca9-00f7-41df-9d30-a101ecaf6651\files\iTunesHelper.exe

Filesize
358KB

MD5
ed6a1c72a75dee15a6fa75873cd64975

SHA1
67a15ca72e3156f8be6c46391e184087e47f4a0d

SHA256
0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda

SHA512
256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8fd11ca9-00f7-41df-9d30-a101ecaf6651\files\sqlite3.dll

Filesize
1.7MB

MD5
287027032e669b51f5ff290c71b7de88

SHA1
e81d5d9b2cc16acc9902e38fd4c1fe21d0c5d4e1

SHA256
6b7d5b7b647ed232ad25aa1a33597f4c75a5fe78b657378fc00de3987cc7c1e7

SHA512
5c405c82d392bd22246a9df04332bbb5cc29b4c9e2c9b26eadc89259b141984a78d35d11d331c96e797e525254bc55bcb87fe86aa5fc569e27b638ec806aa2e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8fd11ca9-00f7-41df-9d30-a101ecaf6651\msiwrapper.ini

Filesize
448B

MD5
397a85ec9508f803aba56e35287ab7a9

SHA1
d4c29e9befbdbfc094725179326accd30eab1201

SHA256
8096584561dc444301fbd9d51330568eaf1207c87ede2b2d60e298e8ca031da4

SHA512
afaafd8489014d04ecd5468b11ed85409a62c0e691a5d229aef1904c11c09032ea2b33241b7f740807b80e08ec46044182b959744cb2e842e25e74ec3ff248ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8fd11ca9-00f7-41df-9d30-a101ecaf6651\msiwrapper.ini

Filesize
1KB

MD5
7c561f6719b8d0fb69e22c2b433cc817

SHA1
946a2476b4ac56a1ca83e956de6179b242a8d9e0

SHA256
992cd06409f824f894c347943cc0f061f86ab2756e356a58f70e7f7886b4dc1c

SHA512
0343f4a7a853cad6bb0916c07cabbdecac586d03ba442cfc550b9e18441ad68930645a878aa3699ce73ed7442ee6ee15feef52f45aa17098a061daf50cfdd24f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8fd11ca9-00f7-41df-9d30-a101ecaf6651\msiwrapper.ini

Filesize
1KB

MD5
fcb072d0035213fe017e547fd48e4162

SHA1
7ee01fc9360a6bad03a92e9e6bbdbeb1b56419de

SHA256
6e4f8fee6144d39b49016d228b44e8f12e14744ffda8e37c8a6edca838b4ddef

SHA512
de271dddcf50778983ab9ee5ac74b243dee9e0e7b432fe740576ff4b0ee2163d205a58425d2c4e7096ae9f58d8ae35e661670c0264e6b7459a491d5fdf96bee0

Download Submit
C:\temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\script.au3

Filesize
589KB

MD5
553e714a2687a08fbc44a82c671c28a3

SHA1
f59b1e863a894b8dac8a736c4aa634a9ca963ce4

SHA256
008bbbff530daf5d53663a32f1355cc787eb14c485ee74ee03f7f33993db33f3

SHA512
5ab27b0de45f25e2c75269686b88708b56331503fde85f295d4d2195e748be559511808b5723aae5a32c64cd900f7c65ce54a1e3e201673bf8558181a3a6945e

Download Submit
\??\c:\temp\test.txt

Filesize
76B

MD5
8dc057073df6807a01f60fd32e8ff18a

SHA1
8f65a20a1d2c2675ec90a6a39dd2b6554335a9f1

SHA256
f8b27df7da307d0d58e1b971b8080af872a3125e229bdcbdfb95c64e8542c9dc

SHA512
23b4fb16dd61f88136c27d14c4450c638900e941771dde51368c0b08831d994dfb911a0c31088ec3dfbbd21ce1f3a48b0da3ba8cfd361f56f63e449d89a9f557

Download Submit
\Users\Admin\AppData\Local\Temp\MW-8fd11ca9-00f7-41df-9d30-a101ecaf6651\files\CoreFoundation.dll

Filesize
1.5MB

MD5
92e50709f753055dc70693e2dcfeccbb

SHA1
1d3199705e9fa09e5693800a91e882f2c0bafa22

SHA256
e9b65b8f156750e62f742680fd1e476cebf2491dc191d9c4480597f3eafcdb83

SHA512
b40670d441c0c4f209eb832a1a6846266dbdf65a4a4b6f540d68cf908186009126b3e1518e408311e0207c7f15f9abac48f4b39cc5b3236fb2697d59656bc722

Download Submit
\Windows\Installer\MSI3034.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
memory/1236-90-0x0000000003600000-0x00000000045D0000-memory.dmp

Filesize
15.8MB

Download
memory/1236-93-0x0000000004D00000-0x000000000504E000-memory.dmp

Filesize
3.3MB

Download
memory/1236-96-0x0000000004D00000-0x000000000504E000-memory.dmp

Filesize
3.3MB

Download
memory/1508-78-0x0000000001FD0000-0x000000000218C000-memory.dmp

Filesize
1.7MB

Download
memory/1508-85-0x0000000001FD0000-0x000000000218C000-memory.dmp

Filesize
1.7MB

Download
memory/1508-83-0x0000000074540000-0x00000000746DD000-memory.dmp

Filesize
1.6MB

Download