darkgate | 9ee6fba890ea014703b2c9511f6b244d381fa55dae320122b309b6c47d2ab2e8

Analysis

max time kernel
144s
max time network
167s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-03-2024 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a.msi
Size

5.8MB
MD5

9c02a9298b97fcfc5a75fbedf08002bd
SHA1

2d3bc2856c015914f2856331a0315298f3c34b0c
SHA256

693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a
SHA512

fafe5dddb610068cb1044c803a6d681d1739904d8e0c4b2b0fc05bcd55cf9344f69e77c8627ae73713f759117d81a78855ff937ee8650b47ab18d37cb9ca34bc
SSDEEP

49152:ppUP3UhtSTK+0THkWsN8SDYdvH5eoQDWhbHHhZgWEF94FJy5jvrgFdbBUleY82cp:pp6nFDkEWoyvy5jvcdbBUkYC+XCFmpC

Score

10^/10

darkgate admin888 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

prodomainnameeforappru.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
true
c2_port
443
check_disk
true
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
VzXLKSZE
minimum_disk
50
minimum_ram
7000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 1 IoCs

resource	yara_rule
behavioral2/memory/1608-107-0x0000000006640000-0x000000000699C000-memory.dmp	family_darkgate_v6

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2400	ICACLS.EXE
1048	ICACLS.EXE

Blocklisted process makes network request 3 IoCs

flow	pid	Process
11	60	msiexec.exe
15	60	msiexec.exe
18	60	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI39A9.tmp	msiexec.exe
File created	C:\Windows\Installer\e583718.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e583718.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8F7994CB-D53E-4E42-B335-CF29C4D0CA5C}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
3988	iTunesHelper.exe
1608	Autoit3.exe

Loads dropped DLL 2 IoCs

pid	Process
2752	MsiExec.exe
3988	iTunesHelper.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000db5049eb9f24a4820000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000db5049eb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900db5049eb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1ddb5049eb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000db5049eb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2452	msiexec.exe
2452	msiexec.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeShutdownPrivilege	60	msiexec.exe
Token: SeIncreaseQuotaPrivilege	60	msiexec.exe
Token: SeSecurityPrivilege	2452	msiexec.exe
Token: SeCreateTokenPrivilege	60	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	60	msiexec.exe
Token: SeLockMemoryPrivilege	60	msiexec.exe
Token: SeIncreaseQuotaPrivilege	60	msiexec.exe
Token: SeMachineAccountPrivilege	60	msiexec.exe
Token: SeTcbPrivilege	60	msiexec.exe
Token: SeSecurityPrivilege	60	msiexec.exe
Token: SeTakeOwnershipPrivilege	60	msiexec.exe
Token: SeLoadDriverPrivilege	60	msiexec.exe
Token: SeSystemProfilePrivilege	60	msiexec.exe
Token: SeSystemtimePrivilege	60	msiexec.exe
Token: SeProfSingleProcessPrivilege	60	msiexec.exe
Token: SeIncBasePriorityPrivilege	60	msiexec.exe
Token: SeCreatePagefilePrivilege	60	msiexec.exe
Token: SeCreatePermanentPrivilege	60	msiexec.exe
Token: SeBackupPrivilege	60	msiexec.exe
Token: SeRestorePrivilege	60	msiexec.exe
Token: SeShutdownPrivilege	60	msiexec.exe
Token: SeDebugPrivilege	60	msiexec.exe
Token: SeAuditPrivilege	60	msiexec.exe
Token: SeSystemEnvironmentPrivilege	60	msiexec.exe
Token: SeChangeNotifyPrivilege	60	msiexec.exe
Token: SeRemoteShutdownPrivilege	60	msiexec.exe
Token: SeUndockPrivilege	60	msiexec.exe
Token: SeSyncAgentPrivilege	60	msiexec.exe
Token: SeEnableDelegationPrivilege	60	msiexec.exe
Token: SeManageVolumePrivilege	60	msiexec.exe
Token: SeImpersonatePrivilege	60	msiexec.exe
Token: SeCreateGlobalPrivilege	60	msiexec.exe
Token: SeBackupPrivilege	556	vssvc.exe
Token: SeRestorePrivilege	556	vssvc.exe
Token: SeAuditPrivilege	556	vssvc.exe
Token: SeBackupPrivilege	2452	msiexec.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeTakeOwnershipPrivilege	2452	msiexec.exe
Token: SeRestorePrivilege	2452	msiexec.exe
Token: SeTakeOwnershipPrivilege	2452	msiexec.exe
Token: SeBackupPrivilege	3880	srtasks.exe
Token: SeRestorePrivilege	3880	srtasks.exe
Token: SeSecurityPrivilege	3880	srtasks.exe
Token: SeTakeOwnershipPrivilege	3880	srtasks.exe
Token: SeBackupPrivilege	3880	srtasks.exe
Token: SeRestorePrivilege	3880	srtasks.exe
Token: SeSecurityPrivilege	3880	srtasks.exe
Token: SeTakeOwnershipPrivilege	3880	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
60	msiexec.exe
60	msiexec.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2452 wrote to memory of 3880	2452	msiexec.exe	98
PID 2452 wrote to memory of 3880	2452	msiexec.exe	98
PID 2452 wrote to memory of 2752	2452	msiexec.exe	101
PID 2452 wrote to memory of 2752	2452	msiexec.exe	101
PID 2452 wrote to memory of 2752	2452	msiexec.exe	101
PID 2752 wrote to memory of 2400	2752	MsiExec.exe	102
PID 2752 wrote to memory of 2400	2752	MsiExec.exe	102
PID 2752 wrote to memory of 2400	2752	MsiExec.exe	102
PID 2752 wrote to memory of 5088	2752	MsiExec.exe	104
PID 2752 wrote to memory of 5088	2752	MsiExec.exe	104
PID 2752 wrote to memory of 5088	2752	MsiExec.exe	104
PID 2752 wrote to memory of 3988	2752	MsiExec.exe	107
PID 2752 wrote to memory of 3988	2752	MsiExec.exe	107
PID 3988 wrote to memory of 1608	3988	iTunesHelper.exe	108
PID 3988 wrote to memory of 1608	3988	iTunesHelper.exe	108
PID 3988 wrote to memory of 1608	3988	iTunesHelper.exe	108
PID 2752 wrote to memory of 1116	2752	MsiExec.exe	111
PID 2752 wrote to memory of 1116	2752	MsiExec.exe	111
PID 2752 wrote to memory of 1116	2752	MsiExec.exe	111
PID 2752 wrote to memory of 1048	2752	MsiExec.exe	113
PID 2752 wrote to memory of 1048	2752	MsiExec.exe	113
PID 2752 wrote to memory of 1048	2752	MsiExec.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\693ff5db0a085db5094bb96cd4c0ce1d1d3fdc2fbf6b92c32836f3e61a089e7a.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:60

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2452
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3880
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E94E5086DF894680D2E4DB2E9CD26B19
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-e690ee49-1596-4eee-93f1-9e3be6d164fb\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:2400
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:5088
- - C:\Users\Admin\AppData\Local\Temp\MW-e690ee49-1596-4eee-93f1-9e3be6d164fb\files\iTunesHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-e690ee49-1596-4eee-93f1-9e3be6d164fb\files\iTunesHelper.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3988
  - - \??\c:\temp\Autoit3.exe
      "c:\temp\Autoit3.exe" c:\temp\script.a3x
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:1608
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-e690ee49-1596-4eee-93f1-9e3be6d164fb\files"
    3⤵
    PID:1116
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-e690ee49-1596-4eee-93f1-9e3be6d164fb\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:1048

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_A55A1F98A2E2349B736808E9897028A5

Filesize
1KB

MD5
9aa70830da5b14164634aa17358f6aa2

SHA1
e31a14348b0b34eac8ab558c5ca6c619bb50de68

SHA256
373d3b07ff3b384d7007abcd5e852757392757a52542b24d8e38f39b4b670a24

SHA512
50f9adba968fd388615e38df958599916efc1125f83926f41ca8d1260155da2c22fa06bb9a69931cb95a814fbedcd5148dd5e29704306f8e1a74f908358fbcf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
0cd4e8dbae8facfeb9ca2c02bf3011c1

SHA1
9eadfc8ea1b14ced31ae20ca1b11144469adaf54

SHA256
1ec0389bcdfabe49ad9ae928b3731934e54662b87c6b52912c600c4c8cafb542

SHA512
0081234b1479f3c450aa156990ea643d875d8db314f1693dcffa16935fbda34af00e7e46f5ed8d150e123c22540572624d1bbd3bfc4f9fa37aaa5771d374fa50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_A55A1F98A2E2349B736808E9897028A5

Filesize
540B

MD5
6f7e8284a663679920b3a018e94d8ce9

SHA1
f5b7426b862bd6df57b6753a27d4997cee8cd481

SHA256
f52b174cb1b4074291a275fc12bf291f750cd9c494bc732b8c234209fb1714eb

SHA512
f99ae1a3afb9b07bda843205130b0782e8d421913f8f59bd8eed0736e09e87e8e455d643ea03f7ee2cafcb40ed68185d29bf2269f1dd25ab8039166435dba084

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
00a3ac273a2699f5b744b8ac08119885

SHA1
93e1a0739018db2c1e85ebcdf2308dbebc3da266

SHA256
daef714fa80cf24deb31f6e4757de571672d9b359f80dfc3987580dfa3200dc2

SHA512
f2ccff1674b9f9f8bbe7c0480d9c20cd323ea01245d861191d3eb9e9f6469459dc411997de519d7b59c550e442c7ae0b401af7cb2708c3a130983286bd2ee43a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e690ee49-1596-4eee-93f1-9e3be6d164fb\files.cab

Filesize
5.6MB

MD5
a6f0fa38c1ef89290ee787f7577993ad

SHA1
1b03510e8c5a1a3c976086327ebab3c8acc19550

SHA256
599ab65935afd40c3bc7f1734cbb8f3c8c7b4b16333b994472f34585ebebe882

SHA512
9040548c6937e93168e57c1b3d18c20d21702d9632096191bab84929f18de0bce4cc31bb0f178b9d34f9259e6176bc4a8d5b86fe21ceec0b5a24ea2809acc68c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e690ee49-1596-4eee-93f1-9e3be6d164fb\files\CoreFoundation.dll

Filesize
2.2MB

MD5
fc50574abc9fb51d82aebdd977fc2d85

SHA1
06a56b3aab5447b033e24bb16c949dccc086935a

SHA256
a0ae6d98d441ef6c2d4a6706a9d51c57e8d64751aafa23bc496d37a6e361d86b

SHA512
b031ad8614ae586f5b4f777ae147ab9818dcb70de27300d87f9ef9665e2780ee2da70bd4171f9f5020ce8dbd080bed127ab298b6bbfe1ba58161b1178d4f642b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e690ee49-1596-4eee-93f1-9e3be6d164fb\files\CoreFoundation.dll

Filesize
1.6MB

MD5
9ed4fff209ad1123fff623847ba5cc97

SHA1
0d3db195f041106c68ea32f685ac8200194ceb1f

SHA256
4f5e28d60cdf1b3ada88dc25e5e9b2ec75724fe9d0d5f82a43d31d988b753b8f

SHA512
cdd6ed0a695397b7673abe312a2aecdb1c5d4e4f2d90b5f7793257d0cfcd794c428360c8ea37a013885e3d44b0f73e9ceac444f1f9f3aa09e73cb8d4ccba705f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e690ee49-1596-4eee-93f1-9e3be6d164fb\files\iTunesHelper.exe

Filesize
358KB

MD5
ed6a1c72a75dee15a6fa75873cd64975

SHA1
67a15ca72e3156f8be6c46391e184087e47f4a0d

SHA256
0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda

SHA512
256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e690ee49-1596-4eee-93f1-9e3be6d164fb\files\sqlite3.dll

Filesize
1.6MB

MD5
0f64a8b96eee3823ec3a1bfe253e82be

SHA1
e47acbb2fb97d05ce5222ba2737a5b0c0f039a0c

SHA256
17158c1a804bbf073d7f0f64a9c974312b3967a43bdc029219ab62545b94e724

SHA512
4d08d96bfe4ed497ca01d6f76acf1f5138d775b56556923b24e1e86cbd26fd54b6f517c8d3211b80332f90fe46cb77e347280636dc984ded2da8842aff9a5f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e690ee49-1596-4eee-93f1-9e3be6d164fb\msiwrapper.ini

Filesize
448B

MD5
f6c6fad78da2b9e3f9ea338b81f741b1

SHA1
934ff982c462bef2c9ec3c3301d63c0e4dc833dd

SHA256
01d8079a5f450f3ff714db806d5eff30c0ed904493e0aa0d4b8077c0103b491f

SHA512
fc153b03e08180ddc6b185518088c81ab3187065d92427f1ea2cb15c3a4c0b9096cfc24d6327677437c849e664825c067047a3ea6f28d51f0f3821aea283f9f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-e690ee49-1596-4eee-93f1-9e3be6d164fb\msiwrapper.ini

Filesize
1KB

MD5
16052a20f36d2a6fb2bbc8b9cd2e666f

SHA1
d432a8dd6e5435592b5f972d605e401e7b82ba1e

SHA256
b59c90493b345880f4b8e2dc43f8e89a7f47644aa7efe3bc25cd5d8f5eae7607

SHA512
3b14d6ae225b6ab94e829e0a2f37e05d65df53554419aae140c8145fef437819682757235d16f47f6171fccc4d5c077500b055960faab45f5178b5d281780fbe

Download Submit
C:\Windows\Installer\MSI39A9.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
13.0MB

MD5
e81b099e61b7a31924556143f8c46d3a

SHA1
6f1798b918b6c835c58e67423fac8777c548c371

SHA256
075ea03c3792b2f8b95ed3c1828c4ed8808f53b6da4de40673fd9cc08199cb49

SHA512
77b60a1991db0f6240173cb0228e1ef09a561fcfafd2fa08e9f328f72d282b3bd39c160253b5baa5cd3c4fdd171bc55386a9438a9533bbe6a0e8116ec674ddce

Download Submit
\??\Volume{eb4950db-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4abc70e3-c0db-439e-9356-7092e6a8b0a7}_OnDiskSnapshotProp

Filesize
6KB

MD5
b031d39b879d7b638b69eda4bd761c8a

SHA1
c31968136e8787bfaf738bf583ae5af3f6dcb248

SHA256
f437b5e2faa0b488d1e70a738470160eac98c6eb4d5c567f5528e3dd834abfe6

SHA512
6610b2875fb12c960ec21d8820417ccb30f154a3afd9771aacda467718b87168fe64ccd1877a10e6f6cbd7bfd33cb8918f24a4fba691c274501de36092eea1ec

Download Submit
\??\c:\temp\script.a3x

Filesize
473KB

MD5
33ca8bc4ac593027fd3e83ba44be54fc

SHA1
07e2e129a5b0a694d38ac29bc21f74eda100519f

SHA256
2296f929340976c680d199ce8e47bd7136d9f4c1f7abc9df79843e094f894236

SHA512
05f6f03e69a7d31686f422e422d61161bde45173a6453fdf0392a7a084c9bd69c7c0ed11eb7a37281481eea14497e95c51dfaded21e2ff943fee3f371592db61

Download Submit
\??\c:\temp\test.txt

Filesize
76B

MD5
e0cb113b19ce53ef7b72edbb0a4937dc

SHA1
2499a76ad9ec4a44571bfd8083e09b23373f9f69

SHA256
03bed76f17b8574d05e84b81f81c09a33b1ae1555c2caf4783e059b689879ab6

SHA512
0b046a6d16d22c0faa3eb729d9b74bfbc87f3cc847fd5ddfa89e573893d215841bae320f0697090b9a30778a07210929ac9c440fca884e920b369698d90a17ca

Download Submit
memory/1608-105-0x0000000005140000-0x0000000006110000-memory.dmp

Filesize
15.8MB

Download
memory/1608-107-0x0000000006640000-0x000000000699C000-memory.dmp

Filesize
3.4MB

Download
memory/1608-115-0x0000000006640000-0x000000000699C000-memory.dmp

Filesize
3.4MB

Download
memory/3988-93-0x000002091F170000-0x000002091F310000-memory.dmp

Filesize
1.6MB

Download
memory/3988-104-0x00000000553B0000-0x0000000055758000-memory.dmp

Filesize
3.7MB

Download
memory/3988-106-0x000002091F170000-0x000002091F310000-memory.dmp

Filesize
1.6MB

Download