darkgate | 964fa0512b4b0bcc0e5c134ca5338afeb6122fb47df3142d2147d84772027837

Analysis

max time kernel
121s
platform
windows7_x64
resource
win7-20231215-en
submitted
06/02/2024, 13:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

document_reader - Copy.exe
Size

3.9MB
MD5

0b3862697827944cc338f06ba9105afa
SHA1

c4b09f47e7942f487986622e61643c347311436a
SHA256

964fa0512b4b0bcc0e5c134ca5338afeb6122fb47df3142d2147d84772027837
SHA512

6b1d4ececa6d88166ed538958ecc85731100600468484e4f52e826e0e7a2733dbb1eccaedc7ae66902fbd2cdf7acae2ee70d2cc65c745ed39d8ecf687f599224
SSDEEP

49152:xsoCGLD9MP+a3FLiyDxn8P7Sfcaf+eHMms:xsrBVV

Score

10^/10

darkgate xiputin2 discovery execution link pdf stealer

Malware Config

Extracted

Family

darkgate

Botnet

xiputin2

bizabiza.mywire.org

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
8094
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
OvQSCXBO
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
xiputin2

Extracted

Family

darkgate

Version

6.1.7

Botnet

xiputin2

bizabiza.mywire.org

Attributes

anti_analysis
false
anti_debug
false
anti_vm
false
c2_port
8094
check_disk
false
check_ram
false
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
OvQSCXBO
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
xiputin2

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate
Darkgate family
darkgate

Detect DarkGate stealer 6 IoCs

resource	yara_rule
behavioral1/memory/2876-151-0x00000000037B0000-0x0000000004780000-memory.dmp	family_darkgate_v6
behavioral1/memory/2876-153-0x0000000004CA0000-0x0000000004FFB000-memory.dmp	family_darkgate_v6
behavioral1/memory/1736-166-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral1/memory/1736-167-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6
behavioral1/memory/2876-168-0x0000000004CA0000-0x0000000004FFB000-memory.dmp	family_darkgate_v6
behavioral1/memory/1736-169-0x0000000000400000-0x0000000000472000-memory.dmp	family_darkgate_v6

Suspicious use of NtCreateUserProcessOtherParentProcess 7 IoCs

description	pid	Process	procid_target
PID 2876 created 1124	2876	Autoit3.exe	18
PID 2876 created 3068	2876	Autoit3.exe	29
PID 2876 created 1232	2876	Autoit3.exe	17
PID 2876 created 1124	2876	Autoit3.exe	18
PID 2876 created 1124	2876	Autoit3.exe	18
PID 2876 created 1124	2876	Autoit3.exe	18
PID 2876 created 1124	2876	Autoit3.exe	18

Executes dropped EXE 1 IoCs

pid	Process
2876	Autoit3.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs

Using AutoIT for possible automate script.

execution

AutoHotKey & AutoIT

T1059.010

pid	Process
2876	Autoit3.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2876 set thread context of 1736	2876	Autoit3.exe	48

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral1/files/0x002e000000015c9f-20.dat	pdf_with_link_action

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Autoit3.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2332	chrome.exe
2332	chrome.exe
2876	Autoit3.exe
2876	Autoit3.exe
2876	Autoit3.exe
2876	Autoit3.exe
2876	Autoit3.exe
2876	Autoit3.exe
2876	Autoit3.exe
2876	Autoit3.exe
2876	Autoit3.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe
Token: SeShutdownPrivilege	2332	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe
2332	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2332	2256	document_reader - Copy.exe	28
PID 2256 wrote to memory of 2332	2256	document_reader - Copy.exe	28
PID 2256 wrote to memory of 2332	2256	document_reader - Copy.exe	28
PID 2332 wrote to memory of 3068	2332	chrome.exe	29
PID 2332 wrote to memory of 3068	2332	chrome.exe	29
PID 2332 wrote to memory of 3068	2332	chrome.exe	29
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2600	2332	chrome.exe	31
PID 2332 wrote to memory of 2980	2332	chrome.exe	32
PID 2332 wrote to memory of 2980	2332	chrome.exe	32
PID 2332 wrote to memory of 2980	2332	chrome.exe	32
PID 2332 wrote to memory of 2628	2332	chrome.exe	33
PID 2332 wrote to memory of 2628	2332	chrome.exe	33
PID 2332 wrote to memory of 2628	2332	chrome.exe	33
PID 2332 wrote to memory of 2628	2332	chrome.exe	33
PID 2332 wrote to memory of 2628	2332	chrome.exe	33
PID 2332 wrote to memory of 2628	2332	chrome.exe	33
PID 2332 wrote to memory of 2628	2332	chrome.exe	33
PID 2332 wrote to memory of 2628	2332	chrome.exe	33
PID 2332 wrote to memory of 2628	2332	chrome.exe	33
PID 2332 wrote to memory of 2628	2332	chrome.exe	33
PID 2332 wrote to memory of 2628	2332	chrome.exe	33
PID 2332 wrote to memory of 2628	2332	chrome.exe	33
PID 2332 wrote to memory of 2628	2332	chrome.exe	33
PID 2332 wrote to memory of 2628	2332	chrome.exe	33
PID 2332 wrote to memory of 2628	2332	chrome.exe	33
PID 2332 wrote to memory of 2628	2332	chrome.exe	33

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1232
- \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  PID:1908

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1124
- \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  PID:2552
- \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  PID:2612
- \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  PID:1952
- \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  2⤵
  PID:1704
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe
  2⤵
  PID:1736

C:\Users\Admin\AppData\Local\Temp\document_reader - Copy.exe
"C:\Users\Admin\AppData\Local\Temp\document_reader - Copy.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" "c:\temp\document.pdf"
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef68c9758,0x7fef68c9768,0x7fef68c9778
    3⤵
    PID:3068
  - - \??\c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      c:\windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      4⤵
      PID:896
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1224,i,18343050581449018266,16309935475031586337,131072 /prefetch:2
    3⤵
    PID:2600
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1520 --field-trial-handle=1224,i,18343050581449018266,16309935475031586337,131072 /prefetch:8
    3⤵
    PID:2980
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1608 --field-trial-handle=1224,i,18343050581449018266,16309935475031586337,131072 /prefetch:8
    3⤵
    PID:2628
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2296 --field-trial-handle=1224,i,18343050581449018266,16309935475031586337,131072 /prefetch:1
    3⤵
    PID:1728
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2284 --field-trial-handle=1224,i,18343050581449018266,16309935475031586337,131072 /prefetch:1
    3⤵
    PID:572
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1476 --field-trial-handle=1224,i,18343050581449018266,16309935475031586337,131072 /prefetch:2
    3⤵
    PID:2344
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2988 --field-trial-handle=1224,i,18343050581449018266,16309935475031586337,131072 /prefetch:1
    3⤵
    PID:1664
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --pdf-renderer --disable-gpu-compositing --lang=en-US --js-flags=--jitless --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=1404 --field-trial-handle=1224,i,18343050581449018266,16309935475031586337,131072 /prefetch:1
    3⤵
    PID:2340
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3812 --field-trial-handle=1224,i,18343050581449018266,16309935475031586337,131072 /prefetch:8
    3⤵
    PID:2020
- \??\c:\tes2\Autoit3.exe
  c:\tes2\Autoit3.exe c:\tes2\script.au3
  2⤵
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Executes dropped EXE
  - Command and Scripting Interpreter: AutoIT
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2876

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AutoHotKey & AutoIT

T1059.010

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\6c1137dd-bc65-4446-ae6d-bdbe4df68d7d.tmp

Filesize
233KB

MD5
0dbd5b2fd4d896bae8ff87eed34cbdd7

SHA1
cbd5395e263d843ed8716abf9e5b7db34f474a06

SHA256
1510bc7064c3d20da6070f8626c40544d740f5f2e16148949f1c7861dfc068e3

SHA512
46b6620e4ba9285ceea1713b432516eb764313acea006324b17d0060613d0f0e5e44f6c537ff06674f2e765c036fa0d08bfbd15dd4ff0a90c84261177cfe2c95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\temp\document.pdf

Filesize
448KB

MD5
a26f0dc347b844309a57cb651f03e243

SHA1
2d1c78b1b8d776cbbb6e443458e8733d8315b911

SHA256
68d7a72f821bae0a1466aa88f5d43ea11740c323e52e578629f8842a994ea2d6

SHA512
8cb31d86b02802fa53273b54edd42c8d208aa3296519e8ec332b1ea51c079b0592b24a9b2c9e533c24c31dea31fcfff52c5d1e6fcfb1cdeb23f4cb48fadf9a35

Download Submit
C:\tes2\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\c:\tes2\script.au3

Filesize
583KB

MD5
c37514367bf7b08d6cd30f938b33146a

SHA1
06f277690f2bbe71bdfc77ca227455657bd02c31

SHA256
9dd25ba75e415f2e6260de78977091e1ada7b6f0f5cba7c4944673c65fbd7609

SHA512
3a009923ff8152720b1e327b0dfd159122d4282f12d7ad540837111226ec3535eb2d550adf065729ea9155f4eb4f46128d0d91bc87a083bcc176f062df2d6b23

Download Submit
\??\c:\tes2\test.txt

Filesize
76B

MD5
4252e248997cb141c0d2b5211d9459f7

SHA1
cad24dbb355b37345b85c9e276931ba6b3a7dd1c

SHA256
c8fd4ff9ccaca0d223aaf28f8a25b54a241666b5ddd81f0ea16217868d7025d8

SHA512
25ddfeca9124262bf7f8963585729cc95ecf17584cb2265d2f71b07f5846c1e5b38f15209a5b2a94cc0a38e83e6f6a2eefc339948e15f01aaf0caf74060ca8e2

Download Submit
memory/1736-166-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1736-169-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/1736-167-0x0000000000400000-0x0000000000472000-memory.dmp

Filesize
456KB

Download
memory/2256-147-0x0000000000C10000-0x000000000100E000-memory.dmp

Filesize
4.0MB

Download
memory/2256-0-0x00000000000E0000-0x00000000000E1000-memory.dmp

Filesize
4KB

Download
memory/2256-59-0x0000000000C10000-0x000000000100E000-memory.dmp

Filesize
4.0MB

Download
memory/2876-153-0x0000000004CA0000-0x0000000004FFB000-memory.dmp

Filesize
3.4MB

Download
memory/2876-151-0x00000000037B0000-0x0000000004780000-memory.dmp

Filesize
15.8MB

Download
memory/2876-168-0x0000000004CA0000-0x0000000004FFB000-memory.dmp

Filesize
3.4MB

Download