Overview

overview

10

Static

static

1

pullofmaster.msi

windows7-x64

10

pullofmaster.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-04-2024 10:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    pullofmaster.msi

  • Size

    4.3MB

  • MD5

    b88352bde539f79207be209759505f02

  • SHA1

    8ede7ee0a43c4282b41687408ddc38a243ac4bfd

  • SHA256

    fc6ab939f5f2d6f12cb1edbe2babd5b180d8d036fc0b37a77f784d1c52162112

  • SHA512

    104d4330c05e41d2039a0b61438565c88138ec9b2c55632ab0ec8eaf70840b095e1dd5bb5d55b65373099df80896632499ff5b3c85240d7a389824cb72268921

  • SSDEEP

    49152:zpUPB9qhCxzT+WKjSX15zLVI4vLeY9xV4qtGvmKBteU5oBgffUBS88qAU8:zpECQ1FLeYLVTV4WMVf

Score
10/10
darkgateadmin888discoverystealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

C2

stachmentsuprimeresult.com

Attributes
  • anti_analysis

    false

  • anti_debug

    false

  • anti_vm

    false

  • c2_port

    443

  • check_disk

    false

  • check_ram

    true

  • check_xeon

    false

  • crypter_au3

    false

  • crypter_dll

    false

  • crypter_raw_stub

    false

  • internal_mutex

    veVumtze

  • minimum_disk

    30

  • minimum_ram

    4096

  • ping_interval

    6

  • rootkit

    false

  • startup_persistence

    true

  • username

    admin888

Signatures

  • DarkGate

    DarkGate is an infostealer written in C++.

    stealerdarkgate
  • Detect DarkGate stealer 3 IoCs
  • Modifies file permissions 1 TTPs 2 IoCs
    discovery
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 49 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\pullofmaster.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2256
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2412
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4040
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding DD4F3193063C428F8BCF09825927A23A
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Windows\SysWOW64\ICACLS.EXE
        "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-3da490aa-f4f1-432d-a881-3524822a4ef3\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
        3⤵
        • Modifies file permissions
        PID:3600
      • C:\Windows\SysWOW64\EXPAND.EXE
        "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
        3⤵
        • Drops file in Windows directory
        PID:3948
      • C:\Users\Admin\AppData\Local\Temp\MW-3da490aa-f4f1-432d-a881-3524822a4ef3\files\iTunesHelper.exe
        "C:\Users\Admin\AppData\Local\Temp\MW-3da490aa-f4f1-432d-a881-3524822a4ef3\files\iTunesHelper.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:4976
        • \??\c:\temp\Autoit3.exe
          "c:\temp\Autoit3.exe" c:\temp\script.au3
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Checks processor information in registry
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2472
          • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
            "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\temp\Rivers HHBC info .pdf"
            5⤵
            • Checks processor information in registry
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4292
            • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
              "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2024
              • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F3BF7E31AA043E0B16D21F553974EF3D --mojo-platform-channel-handle=1740 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                7⤵
                  PID:2040
                • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=1060514C2B57144F479CA0CF69B36D26 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=1060514C2B57144F479CA0CF69B36D26 --renderer-client-id=2 --mojo-platform-channel-handle=1752 --allow-no-sandbox-job /prefetch:1
                  7⤵
                    PID:1408
                  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=55678042158C36C0379FAE8038BCFEFF --mojo-platform-channel-handle=2296 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                    7⤵
                      PID:4788
                    • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=44FAA463D2AB631110C881B4417F4B4F --mojo-platform-channel-handle=1940 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                      7⤵
                        PID:2088
                      • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=EDDFC7320C019B0354BD4DDD940D5701 --mojo-platform-channel-handle=2384 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
                        7⤵
                          PID:3148
                        • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
                          "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B5803D160487345D2B5A90013E061CA3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B5803D160487345D2B5A90013E061CA3 --renderer-client-id=7 --mojo-platform-channel-handle=1944 --allow-no-sandbox-job /prefetch:1
                          7⤵
                            PID:1576
                  • C:\Windows\SysWOW64\cmd.exe
                    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-3da490aa-f4f1-432d-a881-3524822a4ef3\files"
                    3⤵
                      PID:4296
                    • C:\Windows\SysWOW64\ICACLS.EXE
                      "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-3da490aa-f4f1-432d-a881-3524822a4ef3\." /SETINTEGRITYLEVEL (CI)(OI)LOW
                      3⤵
                      • Modifies file permissions
                      PID:4600
                • C:\Windows\system32\vssvc.exe
                  C:\Windows\system32\vssvc.exe
                  1⤵
                  • Checks SCSI registry key(s)
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4084
                • C:\Windows\System32\CompPkgSrv.exe
                  C:\Windows\System32\CompPkgSrv.exe -Embedding
                  1⤵
                    PID:4924

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                    Filesize

                    36KB

                    MD5

                    b30d3becc8731792523d599d949e63f5

                    SHA1

                    19350257e42d7aee17fb3bf139a9d3adb330fad4

                    SHA256

                    b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

                    SHA512

                    523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

                    Download Submit

                  • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                    Filesize

                    56KB

                    MD5

                    752a1f26b18748311b691c7d8fc20633

                    SHA1

                    c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

                    SHA256

                    111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

                    SHA512

                    a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

                    Download Submit

                  • C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages
                    Filesize

                    64KB

                    MD5

                    432fe4becfbf8f905aa7458461d5c7b5

                    SHA1

                    f4908f8d1180ce68a13f1edaae60bbf16e1e1158

                    SHA256

                    c5645a16ba50a629dc5bfa0f448cb23a0a33a5ccc46f4028c5fabf49237f5ec7

                    SHA512

                    1a454658412fd803e7221ea8fc54cee758489555441fbc4e0d50b8ff4d3fd626e4d41fabb433e0c4ad4391b31d80d28aea03e73ae735d01bc62bc1520190fb5b

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\MW-3da490aa-f4f1-432d-a881-3524822a4ef3\files.cab
                    Filesize

                    4.1MB

                    MD5

                    7333aa36063f51a7f1f9bb05fa679ab4

                    SHA1

                    2944bfdccabb766254b94c0a1d3665ec423d114b

                    SHA256

                    2d550bcc063ba4c3cd852edc0b36c49c1d70fbcd44a63ff035153b9f574b65e3

                    SHA512

                    0c89804413e0f4cb35c1a6c50d460da241aa8e0d011c1f4e1e813f3002093fc661c59adfc58ea4369f79f0c8d785b72d31ce965ccfe3a259d5eff485b5a80d3d

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\MW-3da490aa-f4f1-432d-a881-3524822a4ef3\files\CoreFoundation.dll
                    Filesize

                    1.5MB

                    MD5

                    ce8ee7e4e7b695d4af2c3ecf8411e637

                    SHA1

                    dd7ea41c7c351e82ab5438b75a3d830574a0aa58

                    SHA256

                    7cdb07238c8cc903e13e689d4de1129f5fb3b647e4a1c1e98c5a0e8516184ed1

                    SHA512

                    ad3492b03af2d9b6bf2632fcc65703c0e06116ea3945c4bc401047842514e7789c31912e0887f20e234b58ce970ebd1486d9b5521a76c02dcc5e58804873c3b2

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\MW-3da490aa-f4f1-432d-a881-3524822a4ef3\files\iTunesHelper.exe
                    Filesize

                    358KB

                    MD5

                    ed6a1c72a75dee15a6fa75873cd64975

                    SHA1

                    67a15ca72e3156f8be6c46391e184087e47f4a0d

                    SHA256

                    0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda

                    SHA512

                    256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\MW-3da490aa-f4f1-432d-a881-3524822a4ef3\files\sqlite3.dll
                    Filesize

                    2.2MB

                    MD5

                    7f84dfa82977609c70e15708df513a0e

                    SHA1

                    4bc3db683396cda2b80e0e35650234574e6f78f3

                    SHA256

                    087ff871a8d10cb876601850d8c2bc976ac213ededda4fcc29056639f0888074

                    SHA512

                    adec7d2cd6776e8da52ccbb968d29f3b2ff1d091173211f7fc7e972f46cdbb486544fe877327b28295a3f53fce162f9179a20d6b5e60d950fb13fae3e4c00863

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\MW-3da490aa-f4f1-432d-a881-3524822a4ef3\msiwrapper.ini
                    Filesize

                    448B

                    MD5

                    b061648ccb90786018ab12e6e8c1ced5

                    SHA1

                    a2aa000db77b38634239bb3c2a7cadf7bea46d58

                    SHA256

                    254a9954b1857b893a209006b4ad76f4a7024b6337cb0ce047c5a7f37bf06f5e

                    SHA512

                    1476659aeb7792e625ebbdf646900d1f0ecdc1be971b3e819e9fa980efd296c61049d9ba6839bd1b649fae98016d65269de98c10f8eb8b07b7e0fcdb58130aca

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\MW-3da490aa-f4f1-432d-a881-3524822a4ef3\msiwrapper.ini
                    Filesize

                    1KB

                    MD5

                    c1fb92edf65cb4a69ecb20bccced96a0

                    SHA1

                    478ea3ebd95229ff90daa50bf02a8f60bcd2c695

                    SHA256

                    f09a92a7581c5688bbbdf058bd6d1abf4c6fd800f3ee5dd8f346096e754dfb76

                    SHA512

                    4175b56e3542978abbaae68919baeed3c61eb81d9276adb0d0540d8767d42b87b427a41b090749adc67cee3744a6f1b522bae67b893d4ffcd60b0a1aa2fb2852

                    Download Submit

                  • C:\Windows\Installer\MSI7242.tmp
                    Filesize

                    208KB

                    MD5

                    d82b3fb861129c5d71f0cd2874f97216

                    SHA1

                    f3fe341d79224126e950d2691d574d147102b18d

                    SHA256

                    107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

                    SHA512

                    244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

                    Download Submit

                  • C:\temp\Autoit3.exe
                    Filesize

                    872KB

                    MD5

                    c56b5f0201a3b3de53e561fe76912bfd

                    SHA1

                    2a4062e10a5de813f5688221dbeb3f3ff33eb417

                    SHA256

                    237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

                    SHA512

                    195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

                    Download Submit

                  • C:\temp\Rivers HHBC info .pdf
                    Filesize

                    452KB

                    MD5

                    83a4aa4e048bd8b95e99c0b33746bdc3

                    SHA1

                    ef39e3b288cfd0c268c5fbc794f0863d2edd33e3

                    SHA256

                    7a80069879f0ff1457a52225113a81dc6fdf3cf152dabc1f5f77a5dd815c96fa

                    SHA512

                    b24d5ec5c3c212f4a36c600b20bb5b020066b1e535f6d0640cfde7ca94baafb5950d5c665d2e03508fc453cd8f9e54aecce0bf4914461a11ab23b3083df8c7ba

                    Download Submit

                  • C:\temp\cc.txt
                    Filesize

                    4B

                    MD5

                    e7361a02148c8044865645a712d2a7fa

                    SHA1

                    d7a4b590bfc1aabe38f03b202506e513b25b85ea

                    SHA256

                    510ab3e56cd023430496b8998942091b0ee354f5f52e7f068a569e068b0ec769

                    SHA512

                    3b5e792911583a9e419c1363af699060bb03acaa516d0bf19bb05e08228775bff71a12e07ba8d7df043f7c53e519670345416b74e952d86ef3578a1510bebc70

                    Download Submit

                  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
                    Filesize

                    23.0MB

                    MD5

                    2200668486a3948be6aa588285034419

                    SHA1

                    907b2493d89eec8b89aa1fc053f860281e00702f

                    SHA256

                    8f199e3bfe8c36c500b08a3f6ed8067173f289e6e3797b62b03d3e605e7b50ba

                    SHA512

                    091b99bc9d262061dadc03ae2684bf58d1deb6e2cc15cbdae4fdb2370c7af252d723ef99a931063d13ecef43fae08917a27302cfaa639cadbb07ba831448caaa

                    Download Submit

                  • \??\Volume{14f6f45c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{8fc36a3c-de5f-4db1-a2ea-5986274ca6e8}_OnDiskSnapshotProp
                    Filesize

                    6KB

                    MD5

                    48921d25973bc4357da0c2afbb7e1c59

                    SHA1

                    83ea9aa629d9e4c1f911e18f94d53a635403d5dc

                    SHA256

                    fce93b78e00cef3f0abba29c5dcf40496fa30eec5c7130590b16ccad83b71415

                    SHA512

                    b8757f8d0fb6f33a3d2f5c146a3f8eda52c2c1787621c27050691c0354f521847862a39911aa212196fa813b4dc899bc91c212052f3c270322dfde10b1d47c2f

                    Download Submit

                  • \??\c:\temp\script.au3
                    Filesize

                    1.0MB

                    MD5

                    ff77fd2453e50e3d846587ec60ac8027

                    SHA1

                    4a7c389d241f7f486ee24229d13c0e553d255a8a

                    SHA256

                    43ed3e85a7f0c80a9b532c11853a30a39a570b57f9e61703426bd6f25c30dbab

                    SHA512

                    bf79b53049f947e9947a383677a6e797e703fada5eef96a762b11b7df727db6630c1697485861d9bfad0057865e119c86d10198d269cd144e4289b97992f040c

                    Download Submit

                  • \??\c:\temp\test.txt
                    Filesize

                    76B

                    MD5

                    2b5beed06469bc15ef9d3fc81026d520

                    SHA1

                    32b9af19321d3a95a566f2720bf3594c8709017e

                    SHA256

                    bc694c165646842697db370a7688753a08bed7803aa9aaaf626e54ad77b3b0fe

                    SHA512

                    78963f15247f17099214e7c33d2fb9c3b01f1986334da01c2cddda957d7d916f74a0e7f1cf2d57b1afe6f52eb999e1cf2cf6b9fd3d2afdf7f6ec6b0a8532742a

                    Download Submit

                  • memory/2244-102-0x0000000003BE0000-0x0000000003BE1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/2244-105-0x0000000003CE0000-0x0000000004482000-memory.dmp

                    Filesize

                    7.6MB

                    Download

                  • memory/2472-86-0x0000000004500000-0x00000000054D0000-memory.dmp

                    Filesize

                    15.8MB

                    Download

                  • memory/2472-110-0x0000000005FA0000-0x00000000062EE000-memory.dmp

                    Filesize

                    3.3MB

                    Download

                  • memory/2472-87-0x0000000005FA0000-0x00000000062EE000-memory.dmp

                    Filesize

                    3.3MB

                    Download

                  • memory/4976-91-0x00000191671B0000-0x00000191673E5000-memory.dmp

                    Filesize

                    2.2MB

                    Download

                  • memory/4976-90-0x000000006E400000-0x000000006E59D000-memory.dmp

                    Filesize

                    1.6MB

                    Download

                  • memory/4976-77-0x00000191671B0000-0x00000191673E5000-memory.dmp

                    Filesize

                    2.2MB

                    Download