darkgate | b5e3be1d34811cfa64393cec0987cb16f8e08a111109fd641c9b5416da4f3e7b

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
02-04-2024 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

de69281050c18627c8e75a3f4cdf933db77ace2a8dd13ef753f61ad6e0a405ad.msi
Size

3.2MB
MD5

6922c8d97e6d60135a3c55302ce1eecf
SHA1

f3714edb96b5db59b392058292ed486dfd3d3629
SHA256

de69281050c18627c8e75a3f4cdf933db77ace2a8dd13ef753f61ad6e0a405ad
SHA512

2477b8432ffd9a0873608d978b30a8eea129d6180a18437a3a204c875ec2469e4eb0db2a6c52b6d2bb3e1881fcb0e1e29934d73608499694545cfdda5bf53494
SSDEEP

49152:qpUPqczdMZnZajVw8XsmOL8ruQO7/rsGQNTRJD+jQW/XRaWEr1bCU:qpmBUZaZw8u8rJOjrsG2apKGU

Score

10^/10

darkgate admin888 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

pjnbadfjandkadm3kd.com

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
80
check_disk
true
check_ram
true
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
wVImrJRl
minimum_disk
100
minimum_ram
7000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 3 IoCs

resource	yara_rule
behavioral1/memory/1964-95-0x0000000004C10000-0x0000000004F5E000-memory.dmp	family_darkgate_v6
behavioral1/memory/1964-94-0x0000000003790000-0x0000000004760000-memory.dmp	family_darkgate_v6
behavioral1/memory/1964-97-0x0000000004C10000-0x0000000004F5E000-memory.dmp	family_darkgate_v6

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2380	ICACLS.EXE
1400	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f763100.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\f7630ff.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI31AB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\f763100.ipi	msiexec.exe
File created	C:\Windows\Installer\f7630ff.msi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
2208	KeyScramblerLogon.exe
1964	Autoit3.exe

Loads dropped DLL 7 IoCs

pid	Process
2628	MsiExec.exe
2628	MsiExec.exe
2628	MsiExec.exe
2628	MsiExec.exe
2628	MsiExec.exe
2208	KeyScramblerLogon.exe
2208	KeyScramblerLogon.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2968	msiexec.exe
2968	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1924	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1924	msiexec.exe
Token: SeRestorePrivilege	2968	msiexec.exe
Token: SeTakeOwnershipPrivilege	2968	msiexec.exe
Token: SeSecurityPrivilege	2968	msiexec.exe
Token: SeCreateTokenPrivilege	1924	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1924	msiexec.exe
Token: SeLockMemoryPrivilege	1924	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1924	msiexec.exe
Token: SeMachineAccountPrivilege	1924	msiexec.exe
Token: SeTcbPrivilege	1924	msiexec.exe
Token: SeSecurityPrivilege	1924	msiexec.exe
Token: SeTakeOwnershipPrivilege	1924	msiexec.exe
Token: SeLoadDriverPrivilege	1924	msiexec.exe
Token: SeSystemProfilePrivilege	1924	msiexec.exe
Token: SeSystemtimePrivilege	1924	msiexec.exe
Token: SeProfSingleProcessPrivilege	1924	msiexec.exe
Token: SeIncBasePriorityPrivilege	1924	msiexec.exe
Token: SeCreatePagefilePrivilege	1924	msiexec.exe
Token: SeCreatePermanentPrivilege	1924	msiexec.exe
Token: SeBackupPrivilege	1924	msiexec.exe
Token: SeRestorePrivilege	1924	msiexec.exe
Token: SeShutdownPrivilege	1924	msiexec.exe
Token: SeDebugPrivilege	1924	msiexec.exe
Token: SeAuditPrivilege	1924	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1924	msiexec.exe
Token: SeChangeNotifyPrivilege	1924	msiexec.exe
Token: SeRemoteShutdownPrivilege	1924	msiexec.exe
Token: SeUndockPrivilege	1924	msiexec.exe
Token: SeSyncAgentPrivilege	1924	msiexec.exe
Token: SeEnableDelegationPrivilege	1924	msiexec.exe
Token: SeManageVolumePrivilege	1924	msiexec.exe
Token: SeImpersonatePrivilege	1924	msiexec.exe
Token: SeCreateGlobalPrivilege	1924	msiexec.exe
Token: SeBackupPrivilege	2528	vssvc.exe
Token: SeRestorePrivilege	2528	vssvc.exe
Token: SeAuditPrivilege	2528	vssvc.exe
Token: SeBackupPrivilege	2968	msiexec.exe
Token: SeRestorePrivilege	2968	msiexec.exe
Token: SeRestorePrivilege	2676	DrvInst.exe
Token: SeRestorePrivilege	2676	DrvInst.exe
Token: SeRestorePrivilege	2676	DrvInst.exe
Token: SeRestorePrivilege	2676	DrvInst.exe
Token: SeRestorePrivilege	2676	DrvInst.exe
Token: SeRestorePrivilege	2676	DrvInst.exe
Token: SeRestorePrivilege	2676	DrvInst.exe
Token: SeLoadDriverPrivilege	2676	DrvInst.exe
Token: SeLoadDriverPrivilege	2676	DrvInst.exe
Token: SeLoadDriverPrivilege	2676	DrvInst.exe
Token: SeRestorePrivilege	2968	msiexec.exe
Token: SeTakeOwnershipPrivilege	2968	msiexec.exe
Token: SeRestorePrivilege	2968	msiexec.exe
Token: SeTakeOwnershipPrivilege	2968	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1924	msiexec.exe
1924	msiexec.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2628	2968	msiexec.exe	32
PID 2968 wrote to memory of 2628	2968	msiexec.exe	32
PID 2968 wrote to memory of 2628	2968	msiexec.exe	32
PID 2968 wrote to memory of 2628	2968	msiexec.exe	32
PID 2968 wrote to memory of 2628	2968	msiexec.exe	32
PID 2968 wrote to memory of 2628	2968	msiexec.exe	32
PID 2968 wrote to memory of 2628	2968	msiexec.exe	32
PID 2628 wrote to memory of 2380	2628	MsiExec.exe	33
PID 2628 wrote to memory of 2380	2628	MsiExec.exe	33
PID 2628 wrote to memory of 2380	2628	MsiExec.exe	33
PID 2628 wrote to memory of 2380	2628	MsiExec.exe	33
PID 2628 wrote to memory of 628	2628	MsiExec.exe	35
PID 2628 wrote to memory of 628	2628	MsiExec.exe	35
PID 2628 wrote to memory of 628	2628	MsiExec.exe	35
PID 2628 wrote to memory of 628	2628	MsiExec.exe	35
PID 2628 wrote to memory of 2208	2628	MsiExec.exe	37
PID 2628 wrote to memory of 2208	2628	MsiExec.exe	37
PID 2628 wrote to memory of 2208	2628	MsiExec.exe	37
PID 2628 wrote to memory of 2208	2628	MsiExec.exe	37
PID 2208 wrote to memory of 1964	2208	KeyScramblerLogon.exe	38
PID 2208 wrote to memory of 1964	2208	KeyScramblerLogon.exe	38
PID 2208 wrote to memory of 1964	2208	KeyScramblerLogon.exe	38
PID 2208 wrote to memory of 1964	2208	KeyScramblerLogon.exe	38
PID 2628 wrote to memory of 788	2628	MsiExec.exe	39
PID 2628 wrote to memory of 788	2628	MsiExec.exe	39
PID 2628 wrote to memory of 788	2628	MsiExec.exe	39
PID 2628 wrote to memory of 788	2628	MsiExec.exe	39
PID 2628 wrote to memory of 1400	2628	MsiExec.exe	41
PID 2628 wrote to memory of 1400	2628	MsiExec.exe	41
PID 2628 wrote to memory of 1400	2628	MsiExec.exe	41
PID 2628 wrote to memory of 1400	2628	MsiExec.exe	41

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\de69281050c18627c8e75a3f4cdf933db77ace2a8dd13ef753f61ad6e0a405ad.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1924

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 910E53B2BA7D4B54A7152451DCE9A0F8
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-4c91f275-7d55-4467-8228-7280b849b298\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2380
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:628
- - C:\Users\Admin\AppData\Local\Temp\MW-4c91f275-7d55-4467-8228-7280b849b298\files\KeyScramblerLogon.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-4c91f275-7d55-4467-8228-7280b849b298\files\KeyScramblerLogon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - \??\c:\temp\Autoit3.exe
      "c:\temp\Autoit3.exe" c:\temp\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:1964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-4c91f275-7d55-4467-8228-7280b849b298\files"
    3⤵
    PID:788
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-4c91f275-7d55-4467-8228-7280b849b298\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:1400

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2528

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000594" "00000000000003A8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-4c91f275-7d55-4467-8228-7280b849b298\files.cab

Filesize
2.9MB

MD5
01d622632dbbacf38144c286e0592ca2

SHA1
7c580efe8be24bb5b347ff123bf649b63c9a77ce

SHA256
e2141b7864c5e8ebf0fadb016afa9648ef9d46df9fa26dce5f913387acec219d

SHA512
3826bd82e78b2e301c4eab4d893f4e72a36fd4be170a00ef3cb34ad647b00e9bd201f24fe436fa80909671a7038c2128b7c4d5e489f4104b9525957e6ea1b895

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4c91f275-7d55-4467-8228-7280b849b298\files\sqlite3.dll

Filesize
1.5MB

MD5
fc125c903267e34c6729a7b74d2267e6

SHA1
654473ea4e18623909df5369ae6f75564699c175

SHA256
3aea69935cd5759732e403dc3b220b062f8fa582066d32be59a11b2d78ab19b4

SHA512
a7a886b6aec0ee89f1dd137c06a338035c3a304f588dba318ab5e7bf63d6c109c7fb420d063ed244d8b351ee4390d24505ad6294e9250d691662a06dfd878a7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4c91f275-7d55-4467-8228-7280b849b298\msiwrapper.ini

Filesize
458B

MD5
7b9a5a744bb558141d8feb533536b364

SHA1
0b03e380139f320789c4458ee0c5665c6e92ea0c

SHA256
5e0f8def257665ac3f5b0c2b2a02eb509dc99f9449291a43cdee5755a38430b4

SHA512
81343f2c835ce095dd8f21baf87296b2e1612ec235c8868ae2bb04a89f5a8df5bc70bc04fe77ab205fd164616b8a53fdb6bf7265ede759dc3e5b6544f0fbd4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4c91f275-7d55-4467-8228-7280b849b298\msiwrapper.ini

Filesize
1KB

MD5
d535acab2e0a96d7d2357cd6bfd4b17e

SHA1
b6b9080b29c50a5ce222c46659a778a1012d639e

SHA256
43b145144af8940a9e22a90a2896c3cc398cde31e901075ce2a6da2e4b13c65b

SHA512
64322727585d7044d83341e0d48295d6cdb3b20872602ed7f0ba624b56d04ec1f7d2cb8916c35e126e398a5f88f5938aad37626b9b2008eadd5fc36e62d85660

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-4c91f275-7d55-4467-8228-7280b849b298\msiwrapper.ini

Filesize
1KB

MD5
10241b125fb25b8b2882f08aa39f4e87

SHA1
e6621e52a9c50205159056a569831b7cb3db22f7

SHA256
518b479da0bfe704f5682ebc98e05e17a5257e5c75398edcbeb1a36d8041de66

SHA512
3fd619128d571a5814c8fc0869bcd7c609b1b682f82c11535b7691b3772b745f14069ab504f0c19e082dd6400c53b13130c01dc9b648e0d591f7b810f66ccb0a

Download Submit
C:\Windows\Installer\MSI31AB.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\script.au3

Filesize
469KB

MD5
5d96e041da78366fb70f972308ebc5d9

SHA1
8dcc25d1bb736adf3b94e9a415597b45df0f1828

SHA256
009bf4414bd1e2d3fe7757d5302c9dc52d686235cab6df278df79db67cedecd3

SHA512
d3d25de8c0843e102cd9d34f8fcb674b067c501d97bcf72bbdae7bdc65f333e9d6b01f78bb6059e7b0ea6f2482f0aff018aa9f934f736224a8c8589559b4c742

Download Submit
\??\c:\temp\test.txt

Filesize
76B

MD5
e9fd91421b3e079be0052a2fc206283b

SHA1
0f09e6fcfc81a628190a6920fc9deee2b99632e9

SHA256
10c491967d675c25b67030162be119894b99396cf60db4663a92ef9df4e2df25

SHA512
ff8188de44e2881799e91c5761ecae9f3646f8e8d283f34aad71cee5f5d0b24d2ba7f11413b72af3caa60ce2cebf89cf649125e8a9b3dfb5c6540421196f1d5e

Download Submit
\Users\Admin\AppData\Local\Temp\MW-4c91f275-7d55-4467-8228-7280b849b298\files\KeyScramblerIE.dll

Filesize
929KB

MD5
cbdebca0624a78f0d9adbd4af5c4773f

SHA1
7256fcaf986e685e7c5ca4f69178b386ccb2e59f

SHA256
1afac9ba20b60b6fee7708026165f089ab28f28b868166789c6ae2eb1d4f5a8f

SHA512
dfad441832a63efff88f97dd2e0327b2864819113aff7041f1409059da6d06896fa45470a2ca4119277aa33f611dcb302ddaf8ad93498883f1790bc04f5b03d6

Download Submit
\Users\Admin\AppData\Local\Temp\MW-4c91f275-7d55-4467-8228-7280b849b298\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
memory/1964-95-0x0000000004C10000-0x0000000004F5E000-memory.dmp

Filesize
3.3MB

Download
memory/1964-94-0x0000000003790000-0x0000000004760000-memory.dmp

Filesize
15.8MB

Download
memory/1964-97-0x0000000004C10000-0x0000000004F5E000-memory.dmp

Filesize
3.3MB

Download
memory/2208-88-0x0000000074770000-0x0000000074864000-memory.dmp

Filesize
976KB

Download
memory/2208-90-0x0000000000C70000-0x0000000000DF4000-memory.dmp

Filesize
1.5MB

Download
memory/2208-81-0x0000000000C70000-0x0000000000DF4000-memory.dmp

Filesize
1.5MB

Download