darkgate | 846f339f39e82f358fe5d0985afde119563754c9a8030dc237eac1a963a8bbf4

Analysis

max time kernel
438s
max time network
1169s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
08-02-2024 02:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

independert.msi
Size

4.0MB
MD5

484bea10f5d2a0c4bdfa342e133033c6
SHA1

6860971d489198df13c64a295999ba3cc7c9c654
SHA256

846f339f39e82f358fe5d0985afde119563754c9a8030dc237eac1a963a8bbf4
SHA512

ce74de9217edd30ad96e00dea9ac8783284c26f93e7271f45e406880b46dbdcf8d71feafa26881d069b8b20b62e66e4a0fc3ccd428512fa45af319663720f20e
SSDEEP

49152:bpUPCczdSZ4Yx87nxODZGMFLnd8q67DZQlXvAoxS1mvXpiIg7W:bpSBx7nxOtFjOq67DcO1mh

Score

10^/10

darkgate discovery stealer

Malware Config

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 1 IoCs

resource	yara_rule
behavioral3/memory/2284-110-0x0000000006560000-0x00000000068AE000-memory.dmp	family_darkgate_v6

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1004	ICACLS.EXE
4472	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEADF.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DF15D4649D8B49391F.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\SystemTemp\~DF0291991A9D51E2FC.TMP	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIEADE.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\~DFCFE5BFBCCBF3CF61.TMP	msiexec.exe
File created	C:\Windows\Installer\e57dbd9.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{4475B07E-B24B-45AB-9BE0-ED99A7F14744}	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File created	C:\Windows\SystemTemp\~DFCAAB1A5CFF6855D1.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\e57dbd9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDD02.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
1392	apdproxy.exe
2284	Autoit3.exe

Loads dropped DLL 5 IoCs

pid	Process
4792	MsiExec.exe
1392	apdproxy.exe
1392	apdproxy.exe
1392	apdproxy.exe
4792	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000003b7761683ffe8b050000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800003b7761680000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809003b776168000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d3b776168000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000003b77616800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
436	msiexec.exe
436	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2028	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2028	msiexec.exe
Token: SeSecurityPrivilege	436	msiexec.exe
Token: SeCreateTokenPrivilege	2028	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2028	msiexec.exe
Token: SeLockMemoryPrivilege	2028	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2028	msiexec.exe
Token: SeMachineAccountPrivilege	2028	msiexec.exe
Token: SeTcbPrivilege	2028	msiexec.exe
Token: SeSecurityPrivilege	2028	msiexec.exe
Token: SeTakeOwnershipPrivilege	2028	msiexec.exe
Token: SeLoadDriverPrivilege	2028	msiexec.exe
Token: SeSystemProfilePrivilege	2028	msiexec.exe
Token: SeSystemtimePrivilege	2028	msiexec.exe
Token: SeProfSingleProcessPrivilege	2028	msiexec.exe
Token: SeIncBasePriorityPrivilege	2028	msiexec.exe
Token: SeCreatePagefilePrivilege	2028	msiexec.exe
Token: SeCreatePermanentPrivilege	2028	msiexec.exe
Token: SeBackupPrivilege	2028	msiexec.exe
Token: SeRestorePrivilege	2028	msiexec.exe
Token: SeShutdownPrivilege	2028	msiexec.exe
Token: SeDebugPrivilege	2028	msiexec.exe
Token: SeAuditPrivilege	2028	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2028	msiexec.exe
Token: SeChangeNotifyPrivilege	2028	msiexec.exe
Token: SeRemoteShutdownPrivilege	2028	msiexec.exe
Token: SeUndockPrivilege	2028	msiexec.exe
Token: SeSyncAgentPrivilege	2028	msiexec.exe
Token: SeEnableDelegationPrivilege	2028	msiexec.exe
Token: SeManageVolumePrivilege	2028	msiexec.exe
Token: SeImpersonatePrivilege	2028	msiexec.exe
Token: SeCreateGlobalPrivilege	2028	msiexec.exe
Token: SeBackupPrivilege	3752	vssvc.exe
Token: SeRestorePrivilege	3752	vssvc.exe
Token: SeAuditPrivilege	3752	vssvc.exe
Token: SeBackupPrivilege	436	msiexec.exe
Token: SeRestorePrivilege	436	msiexec.exe
Token: SeRestorePrivilege	436	msiexec.exe
Token: SeTakeOwnershipPrivilege	436	msiexec.exe
Token: SeRestorePrivilege	436	msiexec.exe
Token: SeTakeOwnershipPrivilege	436	msiexec.exe
Token: SeRestorePrivilege	436	msiexec.exe
Token: SeTakeOwnershipPrivilege	436	msiexec.exe
Token: SeRestorePrivilege	436	msiexec.exe
Token: SeTakeOwnershipPrivilege	436	msiexec.exe
Token: SeBackupPrivilege	3284	srtasks.exe
Token: SeRestorePrivilege	3284	srtasks.exe
Token: SeSecurityPrivilege	3284	srtasks.exe
Token: SeTakeOwnershipPrivilege	3284	srtasks.exe
Token: SeBackupPrivilege	3284	srtasks.exe
Token: SeRestorePrivilege	3284	srtasks.exe
Token: SeSecurityPrivilege	3284	srtasks.exe
Token: SeTakeOwnershipPrivilege	3284	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2028	msiexec.exe
2028	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 3284	436	msiexec.exe	83
PID 436 wrote to memory of 3284	436	msiexec.exe	83
PID 436 wrote to memory of 4792	436	msiexec.exe	85
PID 436 wrote to memory of 4792	436	msiexec.exe	85
PID 436 wrote to memory of 4792	436	msiexec.exe	85
PID 4792 wrote to memory of 1004	4792	MsiExec.exe	86
PID 4792 wrote to memory of 1004	4792	MsiExec.exe	86
PID 4792 wrote to memory of 1004	4792	MsiExec.exe	86
PID 4792 wrote to memory of 3304	4792	MsiExec.exe	88
PID 4792 wrote to memory of 3304	4792	MsiExec.exe	88
PID 4792 wrote to memory of 3304	4792	MsiExec.exe	88
PID 4792 wrote to memory of 1392	4792	MsiExec.exe	90
PID 4792 wrote to memory of 1392	4792	MsiExec.exe	90
PID 4792 wrote to memory of 1392	4792	MsiExec.exe	90
PID 1392 wrote to memory of 2284	1392	apdproxy.exe	91
PID 1392 wrote to memory of 2284	1392	apdproxy.exe	91
PID 1392 wrote to memory of 2284	1392	apdproxy.exe	91
PID 4792 wrote to memory of 4472	4792	MsiExec.exe	93
PID 4792 wrote to memory of 4472	4792	MsiExec.exe	93
PID 4792 wrote to memory of 4472	4792	MsiExec.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\independert.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2028

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:436
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3284
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 328DA1E2444593BD8010C86422F640E9
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4792
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-a63815a1-c32a-41e1-a056-af3128484176\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:1004
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:3304
- - C:\Users\Admin\AppData\Local\Temp\MW-a63815a1-c32a-41e1-a056-af3128484176\files\apdproxy.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-a63815a1-c32a-41e1-a056-af3128484176\files\apdproxy.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - \??\c:\temp\Autoit3.exe
      "c:\temp\Autoit3.exe" c:\temp\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:2284
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-a63815a1-c32a-41e1-a056-af3128484176\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:4472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-a63815a1-c32a-41e1-a056-af3128484176\files.cab

Filesize
3.7MB

MD5
b5a1995210150c6e9d362e967d83b590

SHA1
f4642b8b5e125863cea56196b584cefa5861aebd

SHA256
e0a36182df70d6af3289ea7c430874b8281db531c767beab5131f6726f5635a2

SHA512
94ad3c4e539ef8cb50dfb81e4c1ca6ffeb3da18718c40a77b0c160354b7994896b54edc8ec94a552395d7fd529d95bc16e4e5baedd8c91a8fdb8777c85e00901

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a63815a1-c32a-41e1-a056-af3128484176\files\MSVCP71.dll

Filesize
488KB

MD5
561fa2abb31dfa8fab762145f81667c2

SHA1
c8ccb04eedac821a13fae314a2435192860c72b8

SHA256
df96156f6a548fd6fe5672918de5ae4509d3c810a57bffd2a91de45a3ed5b23b

SHA512
7d960aa8e3cce22d63a6723d7f00c195de7de83b877eca126e339e2d8cc9859e813e05c5c0a5671a75bb717243e9295fd13e5e17d8c6660eb59f5baee63a7c43

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a63815a1-c32a-41e1-a056-af3128484176\files\MSVCR71.dll

Filesize
340KB

MD5
86f1895ae8c5e8b17d99ece768a70732

SHA1
d5502a1d00787d68f548ddeebbde1eca5e2b38ca

SHA256
8094af5ee310714caebccaeee7769ffb08048503ba478b879edfef5f1a24fefe

SHA512
3b7ce2b67056b6e005472b73447d2226677a8cadae70428873f7efa5ed11a3b3dbf6b1a42c5b05b1f2b1d8e06ff50dfc6532f043af8452ed87687eefbf1791da

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a63815a1-c32a-41e1-a056-af3128484176\files\apdboot.dll

Filesize
931KB

MD5
7514fa4d5d1162f631ed5fea0884c0f4

SHA1
a39e56a89b546b1ad55e531e62240586b9489234

SHA256
e1f5396d6c9e0d82c45fb48c723460709706398078546bca83e123ca9eb4036f

SHA512
5822def0a35098f80cd570f79a848b639681d21eae4c79479e562907c58c42a218ba786df7ab328532dee1e8f6bc3a7da5c1529f17b93d759df328603ec02b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a63815a1-c32a-41e1-a056-af3128484176\files\apdproxy.exe

Filesize
62KB

MD5
fc9e59fe8bc4fe05382cff5c8fc59de1

SHA1
69423bc900644a910936d2c5828348d188e5d750

SHA256
a16b93c374e77f98889d7ad7f38b2282dbc5a40511541b9105b1dcf9216c3cf3

SHA512
1d34be70cd701b606873aaf6910ab7fa7a3c4a81e0398d9bdcf8e8aac3dd63ec888c478e45600bf7e34301bec231038e8dccb457e49db8b5ff1c0740b68d072c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a63815a1-c32a-41e1-a056-af3128484176\files\sqlite3.dll

Filesize
1.9MB

MD5
4bf9a5f13e33c3dcecbe82dc1fec647d

SHA1
1e42b49470db763528f6ba7380aa9e3fedb03949

SHA256
3c3015717fec9fcb191b2722efe58fed15c89d553532fe9ba3b6393661aa365e

SHA512
3a5d1f605056db1072d310a7c4a9df84952a816e994d6dd64a734e3bd7faf96a7fedfba0e0a96128acab6adc8e6430dd95a30a49abbf0f5a7fc9c0b68c69d75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a63815a1-c32a-41e1-a056-af3128484176\msiwrapper.ini

Filesize
708B

MD5
a298fba72d02f5330bf03a0cdeaa2b6e

SHA1
ae2b2dcf69b30247f083c72c4291369117db209c

SHA256
a0a078b96f7194ceddfbacbfdf8b4e32514a78135878303a9145e996730fc1af

SHA512
2941ab0b4005ed33fce656ac5760a4a9257a3ddb8f33682162b667c931ef31321082a1d3bfc2f113454bb124f87e0ee9a8799c364710bd7ecf883c38cc9e6bce

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a63815a1-c32a-41e1-a056-af3128484176\msiwrapper.ini

Filesize
1KB

MD5
c783b15ad1f1cc8a57bd536f17a92386

SHA1
7afaa1d54706ad48e833c1e9abe88d2a41b0c6f6

SHA256
efd4ff2b7f5d6eecfcd8b8c45320a0dd2f23b699040636b0734a65dd59162c4a

SHA512
f8e93ec28007b28eea0ba4265a36bd60653f2b04a9ac02450a6efea9af5890201116b4397b2f4e44a105f4213fa4f20bcb17814f37d71d3bc7c2ac802d87037c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a63815a1-c32a-41e1-a056-af3128484176\msiwrapper.ini

Filesize
1KB

MD5
f25eb7b0b60145a62f8306499d2011f7

SHA1
4658b7a93f9371d93ed200256d6f2a5bbbd940ce

SHA256
fb10fdc5c24ed7d1ff38945934174f0cae64e8cd8655f41cbffdf5166325884d

SHA512
b17cece8fa420354fafd74dee0310f0a5723d04806a1802eeec4638577421e4886971ba0296edc77fb8b44296d79b1d2f880c6d6a096efd9a98815028f9d2362

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-a63815a1-c32a-41e1-a056-af3128484176\msiwrapper.ini

Filesize
1KB

MD5
03b0f4b5d5a283e5d4c581ecf30dff53

SHA1
9ac9124dc328924fc2e722e78d2526901d4f043e

SHA256
d125340ea437d874ca98da9a8788b6bc281b7af5ebde8c4eb5742ab2985c639c

SHA512
23ca4261d97d2bb79a128d1879cec6f0cbdd4bbc523c78d7dbb4890c87a6df533721d3029b0d8bda17b3f8d8d46be2ddedfe888613914644fd599af76ca19cf9

Download Submit
C:\Windows\Installer\MSIDD02.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
6.9MB

MD5
f4faddeb5859bc7e89a6efadde9824e1

SHA1
3630101eaee8910f3cd0539c0874a96c8b2c9633

SHA256
44c684c2bb52c2db1e5aa5281b1e9d3c3587776360361b6e51839b3f9080a2db

SHA512
4b156dc9d80a25b7269fb0224cda535cada5dcae743cbdc965b9d08871416a8519dc3883834431235a45aa77cd45f51e32154d8e24a9346fc4dc531159faf831

Download Submit
\??\Volume{6861773b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5d275f77-bae9-4f4e-b512-975fae317ddf}_OnDiskSnapshotProp

Filesize
6KB

MD5
2b7ea7966f51102122915dd4ef9f46bd

SHA1
28ce50eec88cea695f048b4bd0b5673e69bee8b2

SHA256
97e015d20b098147a49674bb7e58f7a7442ebeb8505e0035ab58cc4dc5adbb16

SHA512
19bffd67ef349c365c38214b63a0f596075fef1b36324f2881f2581b865f0114071c2f9fe2baa5acbe9764740d3a7eafef7d31df52fd29b5f97b30564389cb45

Download Submit
\??\c:\temp\script.au3

Filesize
910KB

MD5
5ae10e98b7f01a0433b18c66dd7ff7d3

SHA1
7043ab94fcd76c9a7afb91e2adae691358796eb5

SHA256
c83870e8f4884f6653ad7fe43d43e9ab8d6c8b3c295d10f1f1921acd8f1e42a8

SHA512
4c337d91ca76844dbebd186df0a165efea46a0234b8472f7b4fcc9c844917eb7a8449fc3e3e9006e8f5ad3e1df716d19f7dd212cfdf44268caaa3ea72f53aeb8

Download Submit
\??\c:\temp\test.txt

Filesize
76B

MD5
af2e30edcb89c0b9ca2bc4ccc519e5b0

SHA1
c93d528cd43890fef9841708a825b02133a07734

SHA256
f8b5bfd9bff557bcd6326949ad261e74edc463350a276fb080a250f76284de45

SHA512
4279afcf1f76d411b766e51ee207b8cb5dc5914c409359387b74ed0fc1f26db134592fdd4030b650e05d7fd7f7d5ffb4c0d5f3e67b548c224fa910b880db35d8

Download Submit
memory/1392-87-0x0000000002730000-0x0000000002923000-memory.dmp

Filesize
1.9MB

Download
memory/1392-93-0x0000000073640000-0x0000000073734000-memory.dmp

Filesize
976KB

Download
memory/1392-95-0x0000000002730000-0x0000000002923000-memory.dmp

Filesize
1.9MB

Download
memory/2284-109-0x0000000004BD0000-0x0000000005BA0000-memory.dmp

Filesize
15.8MB

Download
memory/2284-110-0x0000000006560000-0x00000000068AE000-memory.dmp

Filesize
3.3MB

Download