darkgate | e10ebb5b883b98fffa190aa1434e81aef3d88342db7ddace332f24a533c78642

Analysis

max time kernel
114s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

build-x64.msi
Size

5.8MB
MD5

2999391319cda1be5dacfaf5b05062b2
SHA1

c983b7dff2ea4c63f3944e639eb54d0e6b0b655f
SHA256

3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e
SHA512

1b9a7e5211979f37097c28122cbe99b5ec81ca3caa07944ddaba1afb2515ef3545f92bce35efa87914221016867f88b9b64c7a6a07e8e3f0cb556182047c7f27
SSDEEP

49152:NpUPFUhtSTK+0THkWsN8SDYdvH5eoQDWeEHHhRgWEF9nuriG7DrFWoRRRJuGgagL:NpMnFDcEWoVoFWRGga5q

Score

10^/10

darkgate admin888 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

prodomainnameeforappru.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
false
c2_port
443
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
WeBiMyRU
minimum_disk
50
minimum_ram
7000
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral2/memory/468-105-0x00000000066F0000-0x0000000006A4B000-memory.dmp	family_darkgate_v6
behavioral2/memory/468-109-0x00000000066F0000-0x0000000006A4B000-memory.dmp	family_darkgate_v6

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5008	ICACLS.EXE
232	ICACLS.EXE

Blocklisted process makes network request 3 IoCs

flow	pid	Process
6	4084	msiexec.exe
7	4084	msiexec.exe
12	4084	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57de5a.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57de5a.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{FC678715-A87F-41A8-9C4F-2D3417298150}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDFB1.tmp	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
3524	iTunesHelper.exe
468	Autoit3.exe

Loads dropped DLL 2 IoCs

pid	Process
3976	MsiExec.exe
3524	iTunesHelper.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000ed06fb648d6ef2080000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000ed06fb640000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900ed06fb64000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1ded06fb64000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000ed06fb6400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4288	msiexec.exe
4288	msiexec.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4084	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4084	msiexec.exe
Token: SeSecurityPrivilege	4288	msiexec.exe
Token: SeCreateTokenPrivilege	4084	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4084	msiexec.exe
Token: SeLockMemoryPrivilege	4084	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4084	msiexec.exe
Token: SeMachineAccountPrivilege	4084	msiexec.exe
Token: SeTcbPrivilege	4084	msiexec.exe
Token: SeSecurityPrivilege	4084	msiexec.exe
Token: SeTakeOwnershipPrivilege	4084	msiexec.exe
Token: SeLoadDriverPrivilege	4084	msiexec.exe
Token: SeSystemProfilePrivilege	4084	msiexec.exe
Token: SeSystemtimePrivilege	4084	msiexec.exe
Token: SeProfSingleProcessPrivilege	4084	msiexec.exe
Token: SeIncBasePriorityPrivilege	4084	msiexec.exe
Token: SeCreatePagefilePrivilege	4084	msiexec.exe
Token: SeCreatePermanentPrivilege	4084	msiexec.exe
Token: SeBackupPrivilege	4084	msiexec.exe
Token: SeRestorePrivilege	4084	msiexec.exe
Token: SeShutdownPrivilege	4084	msiexec.exe
Token: SeDebugPrivilege	4084	msiexec.exe
Token: SeAuditPrivilege	4084	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4084	msiexec.exe
Token: SeChangeNotifyPrivilege	4084	msiexec.exe
Token: SeRemoteShutdownPrivilege	4084	msiexec.exe
Token: SeUndockPrivilege	4084	msiexec.exe
Token: SeSyncAgentPrivilege	4084	msiexec.exe
Token: SeEnableDelegationPrivilege	4084	msiexec.exe
Token: SeManageVolumePrivilege	4084	msiexec.exe
Token: SeImpersonatePrivilege	4084	msiexec.exe
Token: SeCreateGlobalPrivilege	4084	msiexec.exe
Token: SeBackupPrivilege	3864	vssvc.exe
Token: SeRestorePrivilege	3864	vssvc.exe
Token: SeAuditPrivilege	3864	vssvc.exe
Token: SeBackupPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeRestorePrivilege	4288	msiexec.exe
Token: SeTakeOwnershipPrivilege	4288	msiexec.exe
Token: SeBackupPrivilege	1052	srtasks.exe
Token: SeRestorePrivilege	1052	srtasks.exe
Token: SeSecurityPrivilege	1052	srtasks.exe
Token: SeTakeOwnershipPrivilege	1052	srtasks.exe
Token: SeBackupPrivilege	1052	srtasks.exe
Token: SeRestorePrivilege	1052	srtasks.exe
Token: SeSecurityPrivilege	1052	srtasks.exe
Token: SeTakeOwnershipPrivilege	1052	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4084	msiexec.exe
4084	msiexec.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 1052	4288	msiexec.exe	109
PID 4288 wrote to memory of 1052	4288	msiexec.exe	109
PID 4288 wrote to memory of 3976	4288	msiexec.exe	111
PID 4288 wrote to memory of 3976	4288	msiexec.exe	111
PID 4288 wrote to memory of 3976	4288	msiexec.exe	111
PID 3976 wrote to memory of 5008	3976	MsiExec.exe	112
PID 3976 wrote to memory of 5008	3976	MsiExec.exe	112
PID 3976 wrote to memory of 5008	3976	MsiExec.exe	112
PID 3976 wrote to memory of 4956	3976	MsiExec.exe	114
PID 3976 wrote to memory of 4956	3976	MsiExec.exe	114
PID 3976 wrote to memory of 4956	3976	MsiExec.exe	114
PID 3976 wrote to memory of 3524	3976	MsiExec.exe	116
PID 3976 wrote to memory of 3524	3976	MsiExec.exe	116
PID 3524 wrote to memory of 468	3524	iTunesHelper.exe	117
PID 3524 wrote to memory of 468	3524	iTunesHelper.exe	117
PID 3524 wrote to memory of 468	3524	iTunesHelper.exe	117
PID 3976 wrote to memory of 932	3976	MsiExec.exe	121
PID 3976 wrote to memory of 932	3976	MsiExec.exe	121
PID 3976 wrote to memory of 932	3976	MsiExec.exe	121
PID 3976 wrote to memory of 232	3976	MsiExec.exe	123
PID 3976 wrote to memory of 232	3976	MsiExec.exe	123
PID 3976 wrote to memory of 232	3976	MsiExec.exe	123

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\build-x64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4084

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A4AAF30C79C8F40F5667D6C5D84DC530
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-45a597ab-eace-4b08-8bbd-8aadf0b7f1a9\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:5008
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:4956
- - C:\Users\Admin\AppData\Local\Temp\MW-45a597ab-eace-4b08-8bbd-8aadf0b7f1a9\files\iTunesHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-45a597ab-eace-4b08-8bbd-8aadf0b7f1a9\files\iTunesHelper.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3524
  - - \??\c:\temp\Autoit3.exe
      "c:\temp\Autoit3.exe" c:\temp\script.a3x
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-45a597ab-eace-4b08-8bbd-8aadf0b7f1a9\files"
    3⤵
    PID:932
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-45a597ab-eace-4b08-8bbd-8aadf0b7f1a9\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:232

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4428 --field-trial-handle=2496,i,15897292497548307209,13920214570023230813,262144 --variations-seed-version /prefetch:8
1⤵
PID:2888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_A55A1F98A2E2349B736808E9897028A5

Filesize
1KB

MD5
f2c51cddf80c2616c1b9692642678161

SHA1
cc52f08cf46662375f9a4382dfa5bcddba6c291a

SHA256
51ab0274069ff0a3683e12aa37033417b8b2bf779292176034789143c5234d7a

SHA512
6689c9bc5d373f7b6cf2d96f11167bc2d31116c179fff3db018f16d8cca78d404896e815717ddf4d0d364559f6ea12526b0de182934b14a068ad975951a47eac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
45e87685c7dca740ac43a31d4848a4ab

SHA1
f98bafd50a8c9cb5b5aba7e57ae2b94209db9b53

SHA256
7d7d43fa21aa7361cc2ed20a86238345ffce780d1223d56b43fef36e82f1bdd7

SHA512
babf4d077d6bec860371b3663cc358a12665619859472c52c611db6cff76dddae24b58120e82cb3a965986ae5f793ee8303aff4086a4ddbf2f13cf87229bff14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_A55A1F98A2E2349B736808E9897028A5

Filesize
540B

MD5
12d840ce2a91a56cece1a976d9c27c77

SHA1
c13530877128a6c2e05939ef1189b80a8849502b

SHA256
2bcea9bf6934604a4823213b9d08ad69be80b0cb48082931194204dd8eb6f198

SHA512
44f73b7fa0d489c1b6edbfc9f812c1864cfd88bc203706cd57b5a393523308fff2d1d5efa5f1a5e331f5bd13a80311b5b8f4f8a5e920425e0e379cdea5621491

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
0f6148610b441ca2a397da9fcf838c9d

SHA1
17150961e090cb73b5c0a8706ca8066047e60323

SHA256
f3c0955b6805b0532c03ea507403cc3dcae87cca0a494530df10ab74f5928d1c

SHA512
7c7874cb9f319535f7f0c782df8b70a90d35cc78c8468e986fb545cf24420d4f00d35792ec1e52509fb5ccdf21f65d8a35a117a6fda730ef27f5cfb7284b3b65

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-45a597ab-eace-4b08-8bbd-8aadf0b7f1a9\files.cab

Filesize
5.6MB

MD5
d339565d7c5224c45092b3aaeeb3797f

SHA1
c85565693714583e57fb9addb64368cc87288efa

SHA256
359e387871378831eb1293f41b54436abc6357733d1a573f0caff90ab1cbf07d

SHA512
14b3cb62aa99f53a8205783297285b38268306d4876ebdc65ab42d2c7c5613dc4b7010d3f25f2ad60747e136ff5939dca8f6a986f7161f27c0d791f4e874062b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-45a597ab-eace-4b08-8bbd-8aadf0b7f1a9\files\CoreFoundation.dll

Filesize
3.6MB

MD5
b4677a50c291d7c5a7f9f1b80f39a37f

SHA1
76d183107f9a8f89f09e25149e6e3de777b25d5a

SHA256
c2d43d768cebcf63e8d0c3ae8ffd2cd5070e4ac656a132b63d5e7372cef69c62

SHA512
bb2a3bb016cca60bd5f8a33773752e8f88bae764a6497eaaccf563da8607805b5723b30135c001f2fbc20c628e75c099410d9fd09b375c3d2901b6e7f70ba356

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-45a597ab-eace-4b08-8bbd-8aadf0b7f1a9\files\iTunesHelper.exe

Filesize
358KB

MD5
ed6a1c72a75dee15a6fa75873cd64975

SHA1
67a15ca72e3156f8be6c46391e184087e47f4a0d

SHA256
0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda

SHA512
256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-45a597ab-eace-4b08-8bbd-8aadf0b7f1a9\files\sqlite3.dll

Filesize
1.6MB

MD5
ce6e163809f5e817ef0c259672f7a1cd

SHA1
123e2f032b2fc45d6d9fe482756243ed61137476

SHA256
28ead67d2352ddd11f963e8b23930905ecbaff371162dfdae5ed096f62eb3d79

SHA512
07766db4cf023bf059415a58a9e1384acb39260ba71587b4eadb99f84d307c0ab70f76390894ab786a6461a0c809f8e9fe435f7bf9b334a369a178c54b295229

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-45a597ab-eace-4b08-8bbd-8aadf0b7f1a9\msiwrapper.ini

Filesize
1KB

MD5
544137036c043bbed7da34678d9fa966

SHA1
8d6eaa250a0879f9575c8d1ac125931c11377f65

SHA256
4bbdf60b95e5a25a1bb80c780306eaa401ccc784257544ac17bd0bdabec832f2

SHA512
c94c9d24c9d095c2b8b85afb05b14c9981cec90151af4c9a493e044eca14fba186c0db9d174a1f7a862ff5e7960b7de9127b3d82428c6653f13537772bfdfee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-45a597ab-eace-4b08-8bbd-8aadf0b7f1a9\msiwrapper.ini

Filesize
1KB

MD5
08ba3112e994e5ca9ff06a1da486fd3d

SHA1
d5eb100623f8152c0cd726385d22e82894dad6c4

SHA256
823bf3705e7e74fba108641ff2d4f6ae459fdee2cfb74fdfdf6a5164cb82019b

SHA512
f3a04379b8d66ce70de0f5efb54bc2fff621e99abe9432e54aba9f8e04a1b49038837c5f1d7e738d1d05ed7c8d757c0b93f8d317ba6be9f9767218b08fed3ee2

Download Submit
C:\Windows\Installer\MSIDFB1.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
35ffda6b25d77d874b32738327e20e78

SHA1
a874779b88f5479a78bcb947eeb00c6cfceedf2d

SHA256
7bdeeb33a770f97028ff11a69b13424cbf876d5a760bd2c09550c3856c5ad54f

SHA512
42008de291bbb36d4478036be73738e90bdae7bc01a0a7de11dd0ed4077b2f46a7e972ca8b89c988dc445990e7e6d8d83c04266ea66e82661ca1688c523f772b

Download Submit
\??\Volume{64fb06ed-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{eae7c11e-791b-4a54-be40-ec433e1945c0}_OnDiskSnapshotProp

Filesize
6KB

MD5
f5d07fe4e2353f008575424f9674ef43

SHA1
9b39c281868e12eb1d1e856ee9c3331d53e89d69

SHA256
17523d6db7d9f0965ccc1c07e61fb61763588166bdb15345dc35127fdb0edd4a

SHA512
55fbf56ff165b80b930630e0b720182433cf1fb33afbdffc24a3f1c46a37dc1ff4bb12e641d6ca12928e04d89e93378d09906878b323644ce9eb3b345de71d5f

Download Submit
\??\c:\temp\script.a3x

Filesize
474KB

MD5
6354b28ac4bc8fa465d80c3ea3893116

SHA1
0eea737ad0a1a0cb5c3f14279a05d1fba6c6216d

SHA256
9515b7b3ebe97e51842be2e91241f0332916d6ec8aecb767ba418de4d21f57f7

SHA512
6150a7b646326f01118535c2469628de79e20b7461dccf44a2311d0c1f7e4ed2d8523e7671e26d9c843fabce2946ea33adf4cc4e6acfd3216e1e06cdc1efa53b

Download Submit
\??\c:\temp\test.txt

Filesize
76B

MD5
45306f5622da212035662680f1c09e0e

SHA1
a89ae25df7b6bc8a30c4dcfdc267cf912e17f1bb

SHA256
2a5eaa4fb540232306ee036ed870369570744b34d8bd17743293e4763d19933e

SHA512
99c9a4c77b346cf95930575fdb6a0c7ef4fe3cc75831e8f4c5d8114d0b35ff8c7fa6ca4f4dca6b34b53bd133766565318da0904fb467f88a1d7f47d0577115b0

Download Submit
memory/468-104-0x00000000051F0000-0x00000000061C0000-memory.dmp

Filesize
15.8MB

Download
memory/468-109-0x00000000066F0000-0x0000000006A4B000-memory.dmp

Filesize
3.4MB

Download
memory/468-105-0x00000000066F0000-0x0000000006A4B000-memory.dmp

Filesize
3.4MB

Download
memory/3524-106-0x000000006E480000-0x000000006E828000-memory.dmp

Filesize
3.7MB

Download
memory/3524-107-0x00000245DE940000-0x00000245DEAE0000-memory.dmp

Filesize
1.6MB

Download
memory/3524-93-0x00000245DE940000-0x00000245DEAE0000-memory.dmp

Filesize
1.6MB

Download