darkgate | 6155bc23b47bf621a4723c6226816365eb922fb984fe1616495f4e0bbbe5806c

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-03-2024 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build-x64.msi
Size

5.8MB
MD5

2999391319cda1be5dacfaf5b05062b2
SHA1

c983b7dff2ea4c63f3944e639eb54d0e6b0b655f
SHA256

3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e
SHA512

1b9a7e5211979f37097c28122cbe99b5ec81ca3caa07944ddaba1afb2515ef3545f92bce35efa87914221016867f88b9b64c7a6a07e8e3f0cb556182047c7f27
SSDEEP

49152:NpUPFUhtSTK+0THkWsN8SDYdvH5eoQDWeEHHhRgWEF9nuriG7DrFWoRRRJuGgagL:NpMnFDcEWoVoFWRGga5q

Score

10^/10

darkgate admin888 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

prodomainnameeforappru.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
false
c2_port
443
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
WeBiMyRU
minimum_disk
50
minimum_ram
7000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral2/memory/3904-104-0x0000000006300000-0x000000000665B000-memory.dmp	family_darkgate_v6
behavioral2/memory/3904-109-0x0000000006300000-0x000000000665B000-memory.dmp	family_darkgate_v6

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4376	ICACLS.EXE
3764	ICACLS.EXE

Blocklisted process makes network request 3 IoCs

flow	pid	Process
10	4024	msiexec.exe
17	4024	msiexec.exe
24	4024	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e578f01.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9059.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\e578f01.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{FC678715-A87F-41A8-9C4F-2D3417298150}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
4964	iTunesHelper.exe
3904	Autoit3.exe

Loads dropped DLL 2 IoCs

pid	Process
2932	MsiExec.exe
4964	iTunesHelper.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000042283678384db7f50000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000422836780000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090042283678000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d42283678000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004228367800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
408	msiexec.exe
408	msiexec.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4024	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4024	msiexec.exe
Token: SeSecurityPrivilege	408	msiexec.exe
Token: SeCreateTokenPrivilege	4024	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4024	msiexec.exe
Token: SeLockMemoryPrivilege	4024	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4024	msiexec.exe
Token: SeMachineAccountPrivilege	4024	msiexec.exe
Token: SeTcbPrivilege	4024	msiexec.exe
Token: SeSecurityPrivilege	4024	msiexec.exe
Token: SeTakeOwnershipPrivilege	4024	msiexec.exe
Token: SeLoadDriverPrivilege	4024	msiexec.exe
Token: SeSystemProfilePrivilege	4024	msiexec.exe
Token: SeSystemtimePrivilege	4024	msiexec.exe
Token: SeProfSingleProcessPrivilege	4024	msiexec.exe
Token: SeIncBasePriorityPrivilege	4024	msiexec.exe
Token: SeCreatePagefilePrivilege	4024	msiexec.exe
Token: SeCreatePermanentPrivilege	4024	msiexec.exe
Token: SeBackupPrivilege	4024	msiexec.exe
Token: SeRestorePrivilege	4024	msiexec.exe
Token: SeShutdownPrivilege	4024	msiexec.exe
Token: SeDebugPrivilege	4024	msiexec.exe
Token: SeAuditPrivilege	4024	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4024	msiexec.exe
Token: SeChangeNotifyPrivilege	4024	msiexec.exe
Token: SeRemoteShutdownPrivilege	4024	msiexec.exe
Token: SeUndockPrivilege	4024	msiexec.exe
Token: SeSyncAgentPrivilege	4024	msiexec.exe
Token: SeEnableDelegationPrivilege	4024	msiexec.exe
Token: SeManageVolumePrivilege	4024	msiexec.exe
Token: SeImpersonatePrivilege	4024	msiexec.exe
Token: SeCreateGlobalPrivilege	4024	msiexec.exe
Token: SeBackupPrivilege	4416	vssvc.exe
Token: SeRestorePrivilege	4416	vssvc.exe
Token: SeAuditPrivilege	4416	vssvc.exe
Token: SeBackupPrivilege	408	msiexec.exe
Token: SeRestorePrivilege	408	msiexec.exe
Token: SeRestorePrivilege	408	msiexec.exe
Token: SeTakeOwnershipPrivilege	408	msiexec.exe
Token: SeRestorePrivilege	408	msiexec.exe
Token: SeTakeOwnershipPrivilege	408	msiexec.exe
Token: SeBackupPrivilege	5076	srtasks.exe
Token: SeRestorePrivilege	5076	srtasks.exe
Token: SeSecurityPrivilege	5076	srtasks.exe
Token: SeTakeOwnershipPrivilege	5076	srtasks.exe
Token: SeBackupPrivilege	5076	srtasks.exe
Token: SeRestorePrivilege	5076	srtasks.exe
Token: SeSecurityPrivilege	5076	srtasks.exe
Token: SeTakeOwnershipPrivilege	5076	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4024	msiexec.exe
4024	msiexec.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 5076	408	msiexec.exe	95
PID 408 wrote to memory of 5076	408	msiexec.exe	95
PID 408 wrote to memory of 2932	408	msiexec.exe	98
PID 408 wrote to memory of 2932	408	msiexec.exe	98
PID 408 wrote to memory of 2932	408	msiexec.exe	98
PID 2932 wrote to memory of 4376	2932	MsiExec.exe	99
PID 2932 wrote to memory of 4376	2932	MsiExec.exe	99
PID 2932 wrote to memory of 4376	2932	MsiExec.exe	99
PID 2932 wrote to memory of 2388	2932	MsiExec.exe	101
PID 2932 wrote to memory of 2388	2932	MsiExec.exe	101
PID 2932 wrote to memory of 2388	2932	MsiExec.exe	101
PID 2932 wrote to memory of 4964	2932	MsiExec.exe	103
PID 2932 wrote to memory of 4964	2932	MsiExec.exe	103
PID 4964 wrote to memory of 3904	4964	iTunesHelper.exe	104
PID 4964 wrote to memory of 3904	4964	iTunesHelper.exe	104
PID 4964 wrote to memory of 3904	4964	iTunesHelper.exe	104
PID 2932 wrote to memory of 4052	2932	MsiExec.exe	107
PID 2932 wrote to memory of 4052	2932	MsiExec.exe	107
PID 2932 wrote to memory of 4052	2932	MsiExec.exe	107
PID 2932 wrote to memory of 3764	2932	MsiExec.exe	109
PID 2932 wrote to memory of 3764	2932	MsiExec.exe	109
PID 2932 wrote to memory of 3764	2932	MsiExec.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\build-x64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4024

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:408
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5076
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding ECAAFBF39F2D033425310ED91CE563F7
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-8d4f79d3-d035-4d05-95e9-362db91418af\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:4376
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:2388
- - C:\Users\Admin\AppData\Local\Temp\MW-8d4f79d3-d035-4d05-95e9-362db91418af\files\iTunesHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-8d4f79d3-d035-4d05-95e9-362db91418af\files\iTunesHelper.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4964
  - - \??\c:\temp\Autoit3.exe
      "c:\temp\Autoit3.exe" c:\temp\script.a3x
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:3904
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-8d4f79d3-d035-4d05-95e9-362db91418af\files"
    3⤵
    PID:4052
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-8d4f79d3-d035-4d05-95e9-362db91418af\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:3764

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4416

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_A55A1F98A2E2349B736808E9897028A5

Filesize
1KB

MD5
9aa70830da5b14164634aa17358f6aa2

SHA1
e31a14348b0b34eac8ab558c5ca6c619bb50de68

SHA256
373d3b07ff3b384d7007abcd5e852757392757a52542b24d8e38f39b4b670a24

SHA512
50f9adba968fd388615e38df958599916efc1125f83926f41ca8d1260155da2c22fa06bb9a69931cb95a814fbedcd5148dd5e29704306f8e1a74f908358fbcf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
10f11afb27e102107ac97aedee0e9a38

SHA1
35798b7532048de8d4a90012c15a55ebd45fc003

SHA256
ad9e9eaeaf520074ef734a6498c61bcdec95ccde72851b3bf1c741c09d236afa

SHA512
76f344bce8663514c93f181c73878f8ae97df3d9440933c6b2a5f3d0998c6df8ddc899748eca3231d54773cb3076e9f386ddea62342d0ac5bf7b883749be6c01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_A55A1F98A2E2349B736808E9897028A5

Filesize
540B

MD5
ef4b6cbe67b138dd85416b1bc144841e

SHA1
ca4bf4fe53a353e582e6222ab4c9b0b8485878de

SHA256
9ccb9eb8bf843077bd9eda4294d9a3620211148d325c7acf4d540c2e58a5390a

SHA512
74dc3b55d997f4fdb5ea71b04318bd53d89a0a27da91df162d38efa2658074aa71395f508ab633edec3f1bc4d269892ad395d6328167b40f2ffde35d90601340

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
aa6b9597dcf312c99d6667f4420e0a78

SHA1
3a09d9d8ecf8eadbeeabe7872b26689f2b1d4bbe

SHA256
6610d8ba8581049d0607d7527454d8dcbb2f835897858e6d4e1ab20b53fb736a

SHA512
f5c6d1fd2b9c5eb77bda92af4bb213e69682966c610934b0fdf93bf2546e0d7e99dc016a7646f91b8348fd91c248adc088c51fee363ffd2bdcebb2fa14afc23e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8d4f79d3-d035-4d05-95e9-362db91418af\files.cab

Filesize
2.2MB

MD5
3c5dc490f56201fc042f5cd2f2b16c96

SHA1
cf4e0ecd48c8d04b5db336d140be9a65a1df7e4f

SHA256
47a200a4fbc628bc4ce3f5a370124c7002f8da7e855d3f22de77b35a08426118

SHA512
bf4695a96725aa09578dcae6033b8ecd1d58dd2ba5e1e91bd322b937ce3865dc55a1eded3e4b2390c05b52da246dfee446f36683fa533047b9d8c4b414f5d4fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8d4f79d3-d035-4d05-95e9-362db91418af\files\CoreFoundation.dll

Filesize
327KB

MD5
16dfc06932e69ec6149028017d7de45f

SHA1
bf7dc95633a8cf6d15fb36b2d9bdaec35e436572

SHA256
226e71dbeb69a8baf6888bc843498192459ffac6c99082a4096900716513b0bc

SHA512
ffc677f5587b1186db70e43fd941e5c717c938f029bced6466754f5a0b27af5c7f584a89d03de58fafe0e1015d6bd842fb9f717a14b9604be8f9a1ab7b5ac72f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8d4f79d3-d035-4d05-95e9-362db91418af\files\CoreFoundation.dll

Filesize
361KB

MD5
25e50ab5f25b005cfcfbb30816e505e6

SHA1
0030a963a51d176536df901a9c80e58e762476c3

SHA256
3aa754504f9d26610d1a1c833949c4f4cea723ea523c5ac6c892cb7b1d33056e

SHA512
c4e8f995a28d5af9244f2bb8633bb5d4faf7a9301ceabed8012cac0dff8aa56e213eca2425468dc307f58fb77171ea3452f546f2f79000aa5789760d7eccfedc

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8d4f79d3-d035-4d05-95e9-362db91418af\files\iTunesHelper.exe

Filesize
312KB

MD5
787ad760e03ffab7db0b52cd19da488d

SHA1
11fecffb624415a4def9409e368bc8cabcabee82

SHA256
cc6c219732731cb7c83b598c40b2edb953d9b925cfb6bb0acd1a45d2a2296156

SHA512
99672ae4e237a14c695e783a959bb6c8ffa48b738da05ded091ba14386efe95ec9797abadfc95e237cb64f06626cf99c01df927fea4a94ff4b910787b1990cfd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8d4f79d3-d035-4d05-95e9-362db91418af\files\iTunesHelper.exe

Filesize
282KB

MD5
f5a490ddbbb1a66e8271e7b90eb58a33

SHA1
8c8747b1b7688cde7bfde1e105415869fbcd83c8

SHA256
19f23c3691022a5b0b4c6e7284dc44bad47615fd5224c784a10a42c4d496cf6f

SHA512
fbdfc58a28916e2195d05c65868cd62b95fa7e68622dfc20e62819260ee8e4a278351d785684b6ee6976f8ae2514e1a19cbfb3ef8c479b758125f3c7cc331a28

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8d4f79d3-d035-4d05-95e9-362db91418af\files\sqlite3.dll

Filesize
207KB

MD5
1d0783f4a6a8f15753d6772ea0549b4c

SHA1
6a5bda99b06a202a7f9b605473163c98788a154c

SHA256
8e20a090116adb8cef8008b7fab6c8f4c8348cc8eaa43f5cb0529dae597da80a

SHA512
2e0f162956e935e6c9da6459847703108f17b78bab7d30dde54a11c0ab544c636c998273329e899b6f099b88663feb0adea2c1f63fedfdec1792845771b51ae0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-8d4f79d3-d035-4d05-95e9-362db91418af\msiwrapper.ini

Filesize
1KB

MD5
b341bf7c14108784cb09723e18546ae3

SHA1
041441bb5273c32e12c6fa4fd568effba19d30d3

SHA256
973428d61c05dc420fb3fd0fcb929e758fc6cf34c75189dae7ae86c7d6d4c64b

SHA512
8057afec0c96b6fa9827db8749941673864dc99d7dd99f3538aede5f1eb311f6b0361be3b4857eb524130c4c79161cf52bbbaa427c565b776a35636ec989fc40

Download Submit
C:\Windows\Installer\MSI9059.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\Autoit3.exe

Filesize
57KB

MD5
507e9c060e3ba87ee33fde655b2ec37c

SHA1
28e798d30fc916dc0dbed793c277ca4d390de640

SHA256
f14d90f0d47460622cb155b96f42cb4a08f785e2f19f98e9cdc2c296f8272c7d

SHA512
772f6de065d8de864c28d2ebefec1f1d6331048b9d373eb89e2494a60fb5ea74d95dead4b6bea6b652d04bec3217588046b16d850c3495806891ca9a05d4e84d

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
7.3MB

MD5
6cdd92aa5f66908defa79ad56a8b77e2

SHA1
d10a13e800c2d5b61e374a71bf300af3f482a605

SHA256
d97938485bb1b53a6347421540cb949513502c15a4b12c4c895e591264c98558

SHA512
883ead2c0d9619a0cf93c844db9cd7ee12e4f5e8897f5be19d245e2a32d2a443b25d8017538a80dc3ff94a4dc616d8fd6e77f0ed0918f7c1d0b40822dc724813

Download Submit
\??\Volume{78362842-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{584b4fa6-7be5-4411-a4c2-81506b6793fb}_OnDiskSnapshotProp

Filesize
6KB

MD5
2e909ac324f2677a3116858fe87b66ee

SHA1
9b3656db4b79858f53dcae5a8f5389c2a0ff94fa

SHA256
e38a0f2c564c852f4814a61e5ac855c36356e72e829309bd030b7b32cf19d133

SHA512
6afcb5672bf58a926793f73637acfee5ab7aa47521d97b791804b951e3318d4517d8ab2d0bb3f5ff25318f553c335ae2a5ed91f3aadd6ee08d97d5a0a2c27b07

Download Submit
\??\c:\temp\script.a3x

Filesize
31KB

MD5
53af6be8219d45806c41222342d3d339

SHA1
88dbe42b8d6646bae452d6951396b9d90ff86a0f

SHA256
70eb9c9b9bbea0493bf840f5961f6ab9c34d11e8a50f51b927ff209bf45582d7

SHA512
8d4df3a18f27fb83992a38d2e2a28504e6ae6f1da5fdc9ed5baf888c1c52833216a7d8519683ee8fa0baad111b0bc024935b9b170af7f88a6dcc55bdf4511b31

Download Submit
\??\c:\temp\test.txt

Filesize
76B

MD5
45306f5622da212035662680f1c09e0e

SHA1
a89ae25df7b6bc8a30c4dcfdc267cf912e17f1bb

SHA256
2a5eaa4fb540232306ee036ed870369570744b34d8bd17743293e4763d19933e

SHA512
99c9a4c77b346cf95930575fdb6a0c7ef4fe3cc75831e8f4c5d8114d0b35ff8c7fa6ca4f4dca6b34b53bd133766565318da0904fb467f88a1d7f47d0577115b0

Download Submit
memory/3904-103-0x0000000004E00000-0x0000000005DD0000-memory.dmp

Filesize
15.8MB

Download
memory/3904-104-0x0000000006300000-0x000000000665B000-memory.dmp

Filesize
3.4MB

Download
memory/3904-109-0x0000000006300000-0x000000000665B000-memory.dmp

Filesize
3.4MB

Download
memory/4964-93-0x0000020AE7BD0000-0x0000020AE7D70000-memory.dmp

Filesize
1.6MB

Download
memory/4964-105-0x0000000076530000-0x00000000768D8000-memory.dmp

Filesize
3.7MB

Download
memory/4964-106-0x0000020AE7BD0000-0x0000020AE7D70000-memory.dmp

Filesize
1.6MB

Download