darkgate | b8c3f3119bbdcc44f23cd143033ffad6190fad35b69ff05d2d6462af9a765609

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
02-04-2024 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

trefald.msi
Size

4.3MB
MD5

693c4acd02bea0abe6223a62dc2d4016
SHA1

d8f49b7896fb4e93cdb9602d604538cbdec2d043
SHA256

1927c89e8514cc8d7516d4513331a6c461d00547d107ffb7985742c46806f8f5
SHA512

435fb4c18e48a359b031c0c94d9cb31c49f4fff04b2df53ed3c29373446edca937f1af81d444d2199a505816ec9cc81a5bbf0ac5f6fb07bffb05f1a4182bfdbb
SSDEEP

49152:ApUPZ9qhCxzT+WKjSXBuX/MDiypVytj5hgleknccaUBj6oz0aHxAiToxZyiWtB96:ApOCQk/K6hgg4HomJ

Score

10^/10

darkgate admin888 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

newdomainfortesteenestle.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
false
c2_port
443
check_disk
false
check_ram
true
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
ZLhPAWah
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
false
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 3 IoCs

resource	yara_rule
behavioral1/memory/2080-90-0x0000000003740000-0x0000000004710000-memory.dmp	family_darkgate_v6
behavioral1/memory/2080-91-0x0000000004DD0000-0x000000000511E000-memory.dmp	family_darkgate_v6
behavioral1/memory/2080-97-0x0000000004DD0000-0x000000000511E000-memory.dmp	family_darkgate_v6

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2880	ICACLS.EXE
1020	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\f76230c.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File created	C:\Windows\Installer\f76230b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76230b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI23C6.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76230c.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
2240	vlc.exe
2080	Autoit3.exe

Loads dropped DLL 3 IoCs

pid	Process
636	MsiExec.exe
636	MsiExec.exe
2240	vlc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2936	msiexec.exe
2936	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1720	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1720	msiexec.exe
Token: SeRestorePrivilege	2936	msiexec.exe
Token: SeTakeOwnershipPrivilege	2936	msiexec.exe
Token: SeSecurityPrivilege	2936	msiexec.exe
Token: SeCreateTokenPrivilege	1720	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1720	msiexec.exe
Token: SeLockMemoryPrivilege	1720	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1720	msiexec.exe
Token: SeMachineAccountPrivilege	1720	msiexec.exe
Token: SeTcbPrivilege	1720	msiexec.exe
Token: SeSecurityPrivilege	1720	msiexec.exe
Token: SeTakeOwnershipPrivilege	1720	msiexec.exe
Token: SeLoadDriverPrivilege	1720	msiexec.exe
Token: SeSystemProfilePrivilege	1720	msiexec.exe
Token: SeSystemtimePrivilege	1720	msiexec.exe
Token: SeProfSingleProcessPrivilege	1720	msiexec.exe
Token: SeIncBasePriorityPrivilege	1720	msiexec.exe
Token: SeCreatePagefilePrivilege	1720	msiexec.exe
Token: SeCreatePermanentPrivilege	1720	msiexec.exe
Token: SeBackupPrivilege	1720	msiexec.exe
Token: SeRestorePrivilege	1720	msiexec.exe
Token: SeShutdownPrivilege	1720	msiexec.exe
Token: SeDebugPrivilege	1720	msiexec.exe
Token: SeAuditPrivilege	1720	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1720	msiexec.exe
Token: SeChangeNotifyPrivilege	1720	msiexec.exe
Token: SeRemoteShutdownPrivilege	1720	msiexec.exe
Token: SeUndockPrivilege	1720	msiexec.exe
Token: SeSyncAgentPrivilege	1720	msiexec.exe
Token: SeEnableDelegationPrivilege	1720	msiexec.exe
Token: SeManageVolumePrivilege	1720	msiexec.exe
Token: SeImpersonatePrivilege	1720	msiexec.exe
Token: SeCreateGlobalPrivilege	1720	msiexec.exe
Token: SeBackupPrivilege	3064	vssvc.exe
Token: SeRestorePrivilege	3064	vssvc.exe
Token: SeAuditPrivilege	3064	vssvc.exe
Token: SeBackupPrivilege	2936	msiexec.exe
Token: SeRestorePrivilege	2936	msiexec.exe
Token: SeRestorePrivilege	2856	DrvInst.exe
Token: SeRestorePrivilege	2856	DrvInst.exe
Token: SeRestorePrivilege	2856	DrvInst.exe
Token: SeRestorePrivilege	2856	DrvInst.exe
Token: SeRestorePrivilege	2856	DrvInst.exe
Token: SeRestorePrivilege	2856	DrvInst.exe
Token: SeRestorePrivilege	2856	DrvInst.exe
Token: SeLoadDriverPrivilege	2856	DrvInst.exe
Token: SeLoadDriverPrivilege	2856	DrvInst.exe
Token: SeLoadDriverPrivilege	2856	DrvInst.exe
Token: SeRestorePrivilege	2936	msiexec.exe
Token: SeTakeOwnershipPrivilege	2936	msiexec.exe
Token: SeRestorePrivilege	2936	msiexec.exe
Token: SeTakeOwnershipPrivilege	2936	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1720	msiexec.exe
1720	msiexec.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 636	2936	msiexec.exe	32
PID 2936 wrote to memory of 636	2936	msiexec.exe	32
PID 2936 wrote to memory of 636	2936	msiexec.exe	32
PID 2936 wrote to memory of 636	2936	msiexec.exe	32
PID 2936 wrote to memory of 636	2936	msiexec.exe	32
PID 2936 wrote to memory of 636	2936	msiexec.exe	32
PID 2936 wrote to memory of 636	2936	msiexec.exe	32
PID 636 wrote to memory of 2880	636	MsiExec.exe	33
PID 636 wrote to memory of 2880	636	MsiExec.exe	33
PID 636 wrote to memory of 2880	636	MsiExec.exe	33
PID 636 wrote to memory of 2880	636	MsiExec.exe	33
PID 636 wrote to memory of 1248	636	MsiExec.exe	35
PID 636 wrote to memory of 1248	636	MsiExec.exe	35
PID 636 wrote to memory of 1248	636	MsiExec.exe	35
PID 636 wrote to memory of 1248	636	MsiExec.exe	35
PID 636 wrote to memory of 2240	636	MsiExec.exe	37
PID 636 wrote to memory of 2240	636	MsiExec.exe	37
PID 636 wrote to memory of 2240	636	MsiExec.exe	37
PID 636 wrote to memory of 2240	636	MsiExec.exe	37
PID 2240 wrote to memory of 2080	2240	vlc.exe	38
PID 2240 wrote to memory of 2080	2240	vlc.exe	38
PID 2240 wrote to memory of 2080	2240	vlc.exe	38
PID 2240 wrote to memory of 2080	2240	vlc.exe	38
PID 636 wrote to memory of 604	636	MsiExec.exe	39
PID 636 wrote to memory of 604	636	MsiExec.exe	39
PID 636 wrote to memory of 604	636	MsiExec.exe	39
PID 636 wrote to memory of 604	636	MsiExec.exe	39
PID 636 wrote to memory of 1020	636	MsiExec.exe	41
PID 636 wrote to memory of 1020	636	MsiExec.exe	41
PID 636 wrote to memory of 1020	636	MsiExec.exe	41
PID 636 wrote to memory of 1020	636	MsiExec.exe	41

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\trefald.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1720

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1CA07632E1F3513C49BAE924436E49D0
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-d77b9ec9-cede-4d4d-bbe6-54f766bce3d9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2880
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:1248
- - C:\Users\Admin\AppData\Local\Temp\MW-d77b9ec9-cede-4d4d-bbe6-54f766bce3d9\files\vlc.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-d77b9ec9-cede-4d4d-bbe6-54f766bce3d9\files\vlc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - \??\c:\temp\Autoit3.exe
      "c:\temp\Autoit3.exe" c:\temp\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-d77b9ec9-cede-4d4d-bbe6-54f766bce3d9\files"
    3⤵
    PID:604
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-d77b9ec9-cede-4d4d-bbe6-54f766bce3d9\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:1020

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3064

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000574" "00000000000005B8"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:2856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-d77b9ec9-cede-4d4d-bbe6-54f766bce3d9\files.cab

Filesize
4.0MB

MD5
0578a9b3f1f5efcfcabd1b4129bcaa0b

SHA1
b3c1079cc69f45faf9863d233d8765ac6c301850

SHA256
234e25efdc6685d98d99ffa87f0aabe4a41a62d2f0147d5f9e246d7c3be7d015

SHA512
05c48b8f062ff70a1014efbb8f7232a7e9eeed9b2096cf81b6b40d3ff9b83b33b81365e98e2988320c4e90f8c1b94b3577baa6fd0d502734d02f5c256e07c076

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d77b9ec9-cede-4d4d-bbe6-54f766bce3d9\files\libvlc.dll

Filesize
1.5MB

MD5
0a95072b247d25671784f7904ff96c2b

SHA1
7eb59ffc0798cfddbb81ab606778c361a223f3ac

SHA256
e05a7b47a4ddf8e85c1dd406fcf62d4cd3de7208212a6d0e9360c06e1acfc1bf

SHA512
b00f8e2b28dde8a88a923062c57cd727cceac6bb6db1e61b6600c3ed6dbf7a5559a673ea5e16bf4b538325b82137bd39c94765d8987210d9b63078cc571cc73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d77b9ec9-cede-4d4d-bbe6-54f766bce3d9\files\sqlite3.dll

Filesize
1.6MB

MD5
7004c5b33f5e25bcf30296f0f73d9d9a

SHA1
c41409ebd54a2fcf6384c5da731ad72379d7bbe2

SHA256
f4fa5b3e56077d29e3877dbc1f2c8feb507fb4add72f6023ddb6af00bab7fcf7

SHA512
52a0d605dfcf4e07bd07c41c38e6e65eb91f6bdc7aad323d8b1c1b90b1bb2c093443a4567bb8c1dac2b67ef050c322e6b60a76c366b76176117650beebc3afbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d77b9ec9-cede-4d4d-bbe6-54f766bce3d9\msiwrapper.ini

Filesize
396B

MD5
0605e2d7d70d9f7506e2b36e7a418dd0

SHA1
a7eab6732f199b4866d052bd3490253ba593be2f

SHA256
7cb13347bd953d93859c616508767549b98a90f3c50bd7978cd5da3d5e60c7dc

SHA512
acfecbda4c0b75e806976085ca826bc5fc24a2fbe931e3b854febb2d2d0cd9b963941c84311eaf0872940d47d15a7867e5031c30d5c60c59c50eb8a9a1b42126

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d77b9ec9-cede-4d4d-bbe6-54f766bce3d9\msiwrapper.ini

Filesize
1KB

MD5
900b1b22f736d0f35b8f4dce2077a854

SHA1
2df97cfdcd579ef07511041998deaa00bd4b4a8a

SHA256
a8e4d415e4beacf890157d85aced2978b69b69a0f2f4ce6df08020f34eefe97b

SHA512
bb11dbc4eb5dc54be1527eb8264746a58fc7d5f43b0456e77532da06c985e68171a266a5667fe566f55635981da0c7afb4cc760dbc852a800ab5c912085bb137

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-d77b9ec9-cede-4d4d-bbe6-54f766bce3d9\msiwrapper.ini

Filesize
1KB

MD5
b58d14b92e913084f01996aeed19b3ba

SHA1
6c701a80ebde1401d3f3261725a156867874ed60

SHA256
b4cc737c00dc0da3b1129853244ef6ba846c6fa451117b560ac0e63ef9526c82

SHA512
55cf3bf90b3cefb831ca50bf9dc3273d1db4b3093a04ddf732b339ce249bdbc8c011a3702a78f508d1ada639445ad06b95d5c4277f98875a93e99ce909e1d9d4

Download Submit
C:\Windows\Installer\MSI23C6.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\temp\script.au3

Filesize
469KB

MD5
e1803b01e3f187355dbeb87a0c91b76c

SHA1
b78bc11afacf9cfcaade0e200a344c4602f2053d

SHA256
46c5ed90e3d6b8bc85ae369aa87ba75a12eed6a7cfa8edeb497e5ec7f7c75d9e

SHA512
bfcc8cf7c72bcbf2aa2586a653df00e5c0e7fccb748a5fcdf97ebfaa594fbf81e1c24ce1f5ced039dea76bf251a76ec85db2187614039fa882d702bdc14c6bda

Download Submit
\??\c:\temp\test.txt

Filesize
76B

MD5
6f142d573154e352f3787270e5adc50a

SHA1
9dd1b5353225ff98b9a6d5a58a20d5bf6757fa90

SHA256
32133d31a507047ae10993a7f9634e3613d8b894fd07315db266d82dd40976f9

SHA512
5a72458d310f4c1ab1e6a7a6c2ae41ab4debe02b3eeadce73ee26dd64ce25e7044fef20d1aa4716a5212fcdd9bd01c52a6b0df67fcd6c052aff84bd7ee954237

Download Submit
\Users\Admin\AppData\Local\Temp\MW-d77b9ec9-cede-4d4d-bbe6-54f766bce3d9\files\vlc.exe

Filesize
966KB

MD5
035860e139ba6db1b38d5346cb6ff5b6

SHA1
d515303cbca3a8ae7a0463fecd418d81b314e650

SHA256
16197a321fc7b0a2a311e689621fe4a7cd50fdcb2d163973a31e4fd6352232d7

SHA512
14dab9108d85af72001631130923b94483dd1440f24a8eedad41756db3030c5e11e80ec894922c389e09c86e8b721bcbd8594bd3646f484560f89963a7e18cc7

Download Submit
memory/2080-90-0x0000000003740000-0x0000000004710000-memory.dmp

Filesize
15.8MB

Download
memory/2080-91-0x0000000004DD0000-0x000000000511E000-memory.dmp

Filesize
3.3MB

Download
memory/2080-97-0x0000000004DD0000-0x000000000511E000-memory.dmp

Filesize
3.3MB

Download
memory/2240-84-0x000000013F910000-0x000000013FA08000-memory.dmp

Filesize
992KB

Download
memory/2240-86-0x00000000746F0000-0x000000007487D000-memory.dmp

Filesize
1.6MB

Download
memory/2240-78-0x0000000002140000-0x00000000022DE000-memory.dmp

Filesize
1.6MB

Download
memory/2240-89-0x0000000002140000-0x00000000022DE000-memory.dmp

Filesize
1.6MB

Download