Analysis
-
max time kernel
137s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20231023-en -
resource tags
arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system -
submitted
26-10-2023 18:48
Static task
static1
Behavioral task
behavioral1
Sample
NEAS.68952e8c311d1573b62d02c60a189e8c248530d4584eef1c7f0ff5ee20d730abmsi_JC.msi
Resource
win7-20231020-en
Behavioral task
behavioral2
Sample
NEAS.68952e8c311d1573b62d02c60a189e8c248530d4584eef1c7f0ff5ee20d730abmsi_JC.msi
Resource
win10v2004-20231023-en
General
-
Target
NEAS.68952e8c311d1573b62d02c60a189e8c248530d4584eef1c7f0ff5ee20d730abmsi_JC.msi
-
Size
7.6MB
-
MD5
377d8d910f7d6747727ca413967d6395
-
SHA1
36aa20471f41b5814e3c1436cd0de3396267a623
-
SHA256
68952e8c311d1573b62d02c60a189e8c248530d4584eef1c7f0ff5ee20d730ab
-
SHA512
15a43cc07fc4b0deb267f8b243e0b23eee8a63d1178b1a23b8cfcfe52fa8a7ebd04a8b588ca19adabfc8ea198166350f3b78765fd1736ca844fd83e93b306c98
-
SSDEEP
98304:kpMKjsEZcgsdUqakFRFawTV82ASqQBW9vpWzxjFycvniqy33XglSB2CiU39XdiC9:M1NsUqai/pTOryNnxyXxBTi4iCo4N
Malware Config
Extracted
darkgate
user_871236672
http://taochinashowwers.com
-
alternative_c2_port
8080
-
anti_analysis
true
-
anti_debug
true
-
anti_vm
true
-
c2_port
2351
-
check_disk
true
-
check_ram
true
-
check_xeon
true
-
crypter_au3
false
-
crypter_dll
false
-
crypter_rawstub
true
-
crypto_key
nOuJEtbQBOlJBY
-
internal_mutex
txtMut
-
minimum_disk
40
-
minimum_ram
7000
-
ping_interval
4
-
rootkit
true
-
startup_persistence
true
-
username
user_871236672
Signatures
-
Executes dropped EXE 2 IoCs
Processes:
windbg.exeAutoit3.exepid Process 4468 windbg.exe 772 Autoit3.exe -
Loads dropped DLL 3 IoCs
Processes:
MsiExec.exewindbg.exepid Process 2248 MsiExec.exe 4468 windbg.exe 2248 MsiExec.exe -
Modifies file permissions 1 TTPs 2 IoCs
Processes:
ICACLS.EXEICACLS.EXEpid Process 4296 ICACLS.EXE 3992 ICACLS.EXE -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc Process File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\Q: msiexec.exe -
Drops file in Windows directory 11 IoCs
Processes:
msiexec.exeEXPAND.EXEdescription ioc Process File opened for modification C:\Windows\Installer\e599fa1.msi msiexec.exe File created C:\Windows\Installer\SourceHash{96D4BD60-7079-4480-896B-0B7B3E0C4FDE} msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\LOGS\DPX\setupact.log EXPAND.EXE File opened for modification C:\Windows\Installer\MSIDC1F.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSIDE14.tmp msiexec.exe File created C:\Windows\Installer\e599fa1.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\Installer\MSIA34B.tmp msiexec.exe File opened for modification C:\Windows\LOGS\DPX\setuperr.log EXPAND.EXE File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000064ad0c2742b1dab0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000064ad0c20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900064ad0c2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d064ad0c2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000064ad0c200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
Autoit3.exedescription ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Autoit3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Autoit3.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
msiexec.exepid Process 440 msiexec.exe 440 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 53 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exesrtasks.exedescription pid Process Token: SeShutdownPrivilege 4060 msiexec.exe Token: SeIncreaseQuotaPrivilege 4060 msiexec.exe Token: SeSecurityPrivilege 440 msiexec.exe Token: SeCreateTokenPrivilege 4060 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4060 msiexec.exe Token: SeLockMemoryPrivilege 4060 msiexec.exe Token: SeIncreaseQuotaPrivilege 4060 msiexec.exe Token: SeMachineAccountPrivilege 4060 msiexec.exe Token: SeTcbPrivilege 4060 msiexec.exe Token: SeSecurityPrivilege 4060 msiexec.exe Token: SeTakeOwnershipPrivilege 4060 msiexec.exe Token: SeLoadDriverPrivilege 4060 msiexec.exe Token: SeSystemProfilePrivilege 4060 msiexec.exe Token: SeSystemtimePrivilege 4060 msiexec.exe Token: SeProfSingleProcessPrivilege 4060 msiexec.exe Token: SeIncBasePriorityPrivilege 4060 msiexec.exe Token: SeCreatePagefilePrivilege 4060 msiexec.exe Token: SeCreatePermanentPrivilege 4060 msiexec.exe Token: SeBackupPrivilege 4060 msiexec.exe Token: SeRestorePrivilege 4060 msiexec.exe Token: SeShutdownPrivilege 4060 msiexec.exe Token: SeDebugPrivilege 4060 msiexec.exe Token: SeAuditPrivilege 4060 msiexec.exe Token: SeSystemEnvironmentPrivilege 4060 msiexec.exe Token: SeChangeNotifyPrivilege 4060 msiexec.exe Token: SeRemoteShutdownPrivilege 4060 msiexec.exe Token: SeUndockPrivilege 4060 msiexec.exe Token: SeSyncAgentPrivilege 4060 msiexec.exe Token: SeEnableDelegationPrivilege 4060 msiexec.exe Token: SeManageVolumePrivilege 4060 msiexec.exe Token: SeImpersonatePrivilege 4060 msiexec.exe Token: SeCreateGlobalPrivilege 4060 msiexec.exe Token: SeBackupPrivilege 3260 vssvc.exe Token: SeRestorePrivilege 3260 vssvc.exe Token: SeAuditPrivilege 3260 vssvc.exe Token: SeBackupPrivilege 440 msiexec.exe Token: SeRestorePrivilege 440 msiexec.exe Token: SeRestorePrivilege 440 msiexec.exe Token: SeTakeOwnershipPrivilege 440 msiexec.exe Token: SeRestorePrivilege 440 msiexec.exe Token: SeTakeOwnershipPrivilege 440 msiexec.exe Token: SeBackupPrivilege 4304 srtasks.exe Token: SeRestorePrivilege 4304 srtasks.exe Token: SeSecurityPrivilege 4304 srtasks.exe Token: SeTakeOwnershipPrivilege 4304 srtasks.exe Token: SeBackupPrivilege 4304 srtasks.exe Token: SeRestorePrivilege 4304 srtasks.exe Token: SeSecurityPrivilege 4304 srtasks.exe Token: SeTakeOwnershipPrivilege 4304 srtasks.exe Token: SeRestorePrivilege 440 msiexec.exe Token: SeTakeOwnershipPrivilege 440 msiexec.exe Token: SeRestorePrivilege 440 msiexec.exe Token: SeTakeOwnershipPrivilege 440 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exepid Process 4060 msiexec.exe 4060 msiexec.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
msiexec.exeMsiExec.exewindbg.exedescription pid Process procid_target PID 440 wrote to memory of 4304 440 msiexec.exe 100 PID 440 wrote to memory of 4304 440 msiexec.exe 100 PID 440 wrote to memory of 2248 440 msiexec.exe 102 PID 440 wrote to memory of 2248 440 msiexec.exe 102 PID 440 wrote to memory of 2248 440 msiexec.exe 102 PID 2248 wrote to memory of 4296 2248 MsiExec.exe 103 PID 2248 wrote to memory of 4296 2248 MsiExec.exe 103 PID 2248 wrote to memory of 4296 2248 MsiExec.exe 103 PID 2248 wrote to memory of 864 2248 MsiExec.exe 105 PID 2248 wrote to memory of 864 2248 MsiExec.exe 105 PID 2248 wrote to memory of 864 2248 MsiExec.exe 105 PID 2248 wrote to memory of 4468 2248 MsiExec.exe 107 PID 2248 wrote to memory of 4468 2248 MsiExec.exe 107 PID 2248 wrote to memory of 4468 2248 MsiExec.exe 107 PID 4468 wrote to memory of 772 4468 windbg.exe 108 PID 4468 wrote to memory of 772 4468 windbg.exe 108 PID 4468 wrote to memory of 772 4468 windbg.exe 108 PID 2248 wrote to memory of 3992 2248 MsiExec.exe 109 PID 2248 wrote to memory of 3992 2248 MsiExec.exe 109 PID 2248 wrote to memory of 3992 2248 MsiExec.exe 109 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\NEAS.68952e8c311d1573b62d02c60a189e8c248530d4584eef1c7f0ff5ee20d730abmsi_JC.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4060
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:440 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
PID:4304
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 52D9E61CB3C5EFB4D117DCAFC904BA2C2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2248 -
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-49925122-c501-41b5-83f7-60fdb5b01378\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
PID:4296
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
PID:864
-
-
C:\Users\Admin\AppData\Local\Temp\MW-49925122-c501-41b5-83f7-60fdb5b01378\files\windbg.exe"C:\Users\Admin\AppData\Local\Temp\MW-49925122-c501-41b5-83f7-60fdb5b01378\files\windbg.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4468 -
\??\c:\tmpa\Autoit3.exec:\tmpa\Autoit3.exe c:\tmpa\script.au34⤵
- Executes dropped EXE
- Checks processor information in registry
PID:772
-
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-49925122-c501-41b5-83f7-60fdb5b01378\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
PID:3992
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3260
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.4MB
MD5fd55268461849507861a1343fa82b973
SHA1c2ace65d364c0ac66c5b2fe880a613c66c00f35c
SHA2564cf5e9b1cc80a543ae684a863feb93aed225a9e096985fc61ac5b02315e4e4c9
SHA5122fc1481de5b0acce57cb90450142ecd2cfde4e89dd0dc910947587c9306774c41b4c503494910324c50ff802b5b38b9be83803d5ce36ccf358699c67e1f87bef
-
C:\Users\Admin\AppData\Local\Temp\MW-49925122-c501-41b5-83f7-60fdb5b01378\files\00147-1040811655.png
Filesize1.3MB
MD57ec930b1536750116c13b06313286cf5
SHA1adc543581e4acbaffd5593d07346296bbda1ede5
SHA2561d18677415ff9d03c8e3accde3ab0786d33985f3d6b3855eca632c07fc4de547
SHA512531887e99339aa19cef104226074cdbfb74d8e31cb535cf232b241f4cb05550ac33504ad58dc9b3eaa2c5dbb0a2eb32e9cc06a754b00618485d625ca4c3415db
-
C:\Users\Admin\AppData\Local\Temp\MW-49925122-c501-41b5-83f7-60fdb5b01378\files\00148-1040811656.png
Filesize1.2MB
MD5bb581ea56d0940dc4d002a902e0fb0c9
SHA1226afeb98300bc51a4e80e112b38bfbf9ef8f706
SHA25684e19377a78d441de940eb1943edddc5720aafb67aed7dc30c281b98c3d0a201
SHA5123237d3a234549704af058e64c4e190f07023e44164bae66e31c87a733ed215c827d2c29facce53a1dc781cc31f538f8f17e4a389ca21354c111ed9da04429511
-
Filesize
1.2MB
MD55cf577304c7231e35ab9296db1207993
SHA16deec1a72be8e657dcb484d58e81d138cfd8f25d
SHA256ad7544c407ec1655adc699e70b75b5d75c3a7f28538a9738925b5f020b5e571c
SHA512e1615432911024c9ad9abca3f851a94647f22b2600160dca9ad6ac18c2830d78e6e87f96cc4ecb2d9b597b66b0a7ddf5774299415cc0bd40d4e19741352aa37f
-
Filesize
1.2MB
MD509f104f5af838fc714ba3d17623008b9
SHA1842bcd3e250ab2ee598947ba241cafb274dda591
SHA256caf1252510b1be93214fc9d464a20fdbf81a89839f7e0bc9156190762af3714f
SHA512c37105eeaf8659546922066ffc712f88527adb59954c74381a53afa3623b8bedbdad548f26d3ecfd43cb0f0eca7f052ddf953358ece96d1199ff1e5e76e5604c
-
Filesize
1.1MB
MD564d144051485b81b8a7c83476ba59427
SHA1044bd6b794414b82d1579d309d3762d02e39d292
SHA256f63482d06fbe08336aa1b7b7ec813bad196bba9f60a6a27363a82c9da9cc17f0
SHA512d38f9ca097277cf6500258e16cb183deaa07b10e2060d93810af3eb97e8c97285817b32ab5876d5f42b0ca504dd5b562f421b7eb2ad65be5d950eb52f6ead1db
-
Filesize
92KB
MD58b305b67e45165844d2f8547a085d782
SHA192b8ed7652e61fdf3acb4ce74f48bcc9ed14b722
SHA256776622a88a71b989ae022dae2bfbe52d5f00024970548a465046b742089aa50b
SHA5122bd688ab072464ed54ea111a07e44f130a6db2c51e6f5ede1d8583b31791ad3eb2ea51114e6ac624a50118f17dfd3ec3d72c7df00d8be3b4ef4dcd7b72a0dfe6
-
Filesize
1.8MB
MD5041ffcecc589583aa15167c80b870dca
SHA1edef701de3dcf4202eedb184cacd95e469d50096
SHA256f7acfe746105d694caea7c93feeebb93bb488884988beede93fe3144024361db
SHA5121f45c84375e3c3abeaf03fc1e2806b65d9b27b51e29d587d1ca9ca1e7f7e88feff06c7ae9b85627ec41b8249a95bf9b8f3eb66a097c805b1319874835707c961
-
Filesize
736KB
MD50e15cf36767154814fb8e6b61c726e19
SHA11f7bae6cb38aa8da60723ead126840f49e7af07d
SHA256036ba93b0ffb331a11ce1ddabc19fc6fd41824dd053fdce3c1d3942910480f7b
SHA5124135b5d3f3081369060ee915f8595fd86353277c2910cedd524b1df3494a51d56ef11247efac01770c3d4be43e6911ee1f2f77495d7250dd170c3965a8cd3d58
-
Filesize
736KB
MD50e15cf36767154814fb8e6b61c726e19
SHA11f7bae6cb38aa8da60723ead126840f49e7af07d
SHA256036ba93b0ffb331a11ce1ddabc19fc6fd41824dd053fdce3c1d3942910480f7b
SHA5124135b5d3f3081369060ee915f8595fd86353277c2910cedd524b1df3494a51d56ef11247efac01770c3d4be43e6911ee1f2f77495d7250dd170c3965a8cd3d58
-
Filesize
474KB
MD504ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA158dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA5125b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80
-
Filesize
474KB
MD504ec4f58a1f4a87b5eeb1f4b7afc48e0
SHA158dcb1cbbec071d036a07f0e8feb858e4c5b96e7
SHA256bd1af3dba56b129e6c624297eeed40c898fa2981fce5caafe467d88a748988a4
SHA5125b572a504fac599e7e3f726d391e8ffdc2d083745609315a203000e8dc79b94d777fc520eb6530444d84f1ac9aad51406b91b527d8434077a58524feeccbbd80
-
Filesize
1KB
MD5fa5fbf7ab669e3a8f3d5d15ae8995cf1
SHA13ff0e96093b7f29677e58f9532edee9efe7f2662
SHA256af4d5e7c4410809494698355487cf5b8f4093c0b55df551447fc52022c9c1f8e
SHA512ce4593ec97b2dff6f83e39e9d3274be6194538ac97f10337da6e657c58d8f220db7fed912e7a5e5884b7ca7ed0879ce1ab38b987a39c46afb23cb4f4055415c2
-
Filesize
1010B
MD5033481c83cf2411b8d4368204359cd94
SHA15fb9138a985ecb8ef912f95b180610e48f9afd4c
SHA25690bf13479b3609c0b6c90c63fb588d0b78252353c3049a12fa25b03b3287f7bd
SHA512f804546e7aa88df766b81607de94960ede6c36dc6fda8cf67931377e7f680ce5bcf762974c59b68bf541561f45e9022a15c13fdd64a76b0594e8c6e57ce5344c
-
Filesize
1KB
MD5bdf68bcb2c77a02e27b72df565595a7e
SHA1354a4e65395c974d794367a0166854b6fc167ad7
SHA25666e3760d07a0be1dbe26ee6857ee82eade77ee3c07c6f9792d87089737b5f649
SHA51212519070e1c8a4094962c4015b1da71997c4ea51454e4ad4cb26620653b392bb1682286dafb4fa002198d9ad13a8a7ede0adb6fcc96d85d1289f3d7cda721bb9
-
Filesize
1KB
MD5bdf68bcb2c77a02e27b72df565595a7e
SHA1354a4e65395c974d794367a0166854b6fc167ad7
SHA25666e3760d07a0be1dbe26ee6857ee82eade77ee3c07c6f9792d87089737b5f649
SHA51212519070e1c8a4094962c4015b1da71997c4ea51454e4ad4cb26620653b392bb1682286dafb4fa002198d9ad13a8a7ede0adb6fcc96d85d1289f3d7cda721bb9
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
23.0MB
MD5602901a894c8970d1954126611c85aca
SHA1a1bc148274e3b939c2eab10b362cc00d246d53b2
SHA256bc93b848b95566cc118faccaa8db929dea00e94166e3f1f71777a56b6346e08a
SHA5127322a9cb4ea0f6ba897fae65d29759edd653647978b982fda6f8089bd960a0b80170068df4990b377fca9aab4f20706718c157ae0c796fdae6de1d9071395bf7
-
\??\Volume{c2d04a06-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2b994a98-7126-4542-ac74-ff8d5f23fbf6}_OnDiskSnapshotProp
Filesize5KB
MD5432d317420260a1a642c02e078ef94f4
SHA1797f3f5d32c3097667652ec6d786593ca7dc6446
SHA2564732a9c15837d8d3e70bfd17ea496b05fa2dad4d7a66219732d8598f3a7250f9
SHA512e24c18ab694c03055274b2cc107f7290e177a9855e56a157d868d45f65816c7feb1342d5ade78337a2c6c29fa4f0906b723dfdf5565676fa31bc184e06720754
-
Filesize
489KB
MD5698d299b604f8750aadc3362290ad13e
SHA1117f5e98644c5e905f9f966d9815bd874d23d6b8
SHA256b13b795f369654dd25bc0ffa2bc26b3d2eb07270df04cfd197ffdf8a6c61cde8
SHA512b1190912eafba8a50f39718bbe2197cbdf2743e3961f9da49f68449d87f0660151129c5ad6c9d9841ef53644cf75916abf5df8dba8e7f2d97bd46fa0bf38e69c