Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
88s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
submitted
15/02/2024, 05:12
Static task
static1
Behavioral task
behavioral1
Sample
3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e.msi
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e.msi
Resource
win10v2004-20231222-en
General
-
Target
3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e.msi
-
Size
5.8MB
-
MD5
2999391319cda1be5dacfaf5b05062b2
-
SHA1
c983b7dff2ea4c63f3944e639eb54d0e6b0b655f
-
SHA256
3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e
-
SHA512
1b9a7e5211979f37097c28122cbe99b5ec81ca3caa07944ddaba1afb2515ef3545f92bce35efa87914221016867f88b9b64c7a6a07e8e3f0cb556182047c7f27
-
SSDEEP
49152:NpUPFUhtSTK+0THkWsN8SDYdvH5eoQDWeEHHhRgWEF9nuriG7DrFWoRRRJuGgagL:NpMnFDcEWoVoFWRGga5q
Malware Config
Extracted
darkgate
admin888
prodomainnameeforappru.com
-
anti_analysis
true
-
anti_debug
false
-
anti_vm
false
-
c2_port
443
-
check_disk
false
-
check_ram
false
-
check_xeon
false
-
crypter_au3
false
-
crypter_dll
false
-
crypter_raw_stub
false
-
internal_mutex
WeBiMyRU
-
minimum_disk
50
-
minimum_ram
7000
-
ping_interval
6
-
rootkit
false
-
startup_persistence
true
-
username
admin888
Signatures
-
Darkgate family
-
Detect DarkGate stealer 2 IoCs
resource yara_rule behavioral2/memory/2560-104-0x0000000006000000-0x000000000635B000-memory.dmp family_darkgate_v6 behavioral2/memory/2560-105-0x0000000006000000-0x000000000635B000-memory.dmp family_darkgate_v6 -
Modifies file permissions 1 TTPs 2 IoCs
pid Process 3928 ICACLS.EXE 4924 ICACLS.EXE -
Blocklisted process makes network request 3 IoCs
flow pid Process 5 3360 msiexec.exe 7 3360 msiexec.exe 9 3360 msiexec.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe -
Command and Scripting Interpreter: AutoIT 1 TTPs 1 IoCs
Using AutoIT for possible automate script.
pid Process 2560 Autoit3.exe -
Drops file in Windows directory 9 IoCs
description ioc Process File opened for modification C:\Windows\LOGS\DPX\setupact.log EXPAND.EXE File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\Installer\SourceHash{FC678715-A87F-41A8-9C4F-2D3417298150} msiexec.exe File opened for modification C:\Windows\Installer\MSI7242.tmp msiexec.exe File opened for modification C:\Windows\LOGS\DPX\setuperr.log EXPAND.EXE File created C:\Windows\Installer\e577148.msi msiexec.exe File opened for modification C:\Windows\Installer\e577148.msi msiexec.exe -
Executes dropped EXE 2 IoCs
pid Process 4380 iTunesHelper.exe 2560 Autoit3.exe -
Loads dropped DLL 2 IoCs
pid Process 3908 MsiExec.exe 4380 iTunesHelper.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 3360 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ICACLS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language MsiExec.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ICACLS.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXPAND.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Autoit3.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000da362e54a03ebf190000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000da362e540000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900da362e54000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dda362e54000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000da362e5400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Autoit3.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Autoit3.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2716 msiexec.exe 2716 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 49 IoCs
description pid Process Token: SeShutdownPrivilege 3360 msiexec.exe Token: SeIncreaseQuotaPrivilege 3360 msiexec.exe Token: SeSecurityPrivilege 2716 msiexec.exe Token: SeCreateTokenPrivilege 3360 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3360 msiexec.exe Token: SeLockMemoryPrivilege 3360 msiexec.exe Token: SeIncreaseQuotaPrivilege 3360 msiexec.exe Token: SeMachineAccountPrivilege 3360 msiexec.exe Token: SeTcbPrivilege 3360 msiexec.exe Token: SeSecurityPrivilege 3360 msiexec.exe Token: SeTakeOwnershipPrivilege 3360 msiexec.exe Token: SeLoadDriverPrivilege 3360 msiexec.exe Token: SeSystemProfilePrivilege 3360 msiexec.exe Token: SeSystemtimePrivilege 3360 msiexec.exe Token: SeProfSingleProcessPrivilege 3360 msiexec.exe Token: SeIncBasePriorityPrivilege 3360 msiexec.exe Token: SeCreatePagefilePrivilege 3360 msiexec.exe Token: SeCreatePermanentPrivilege 3360 msiexec.exe Token: SeBackupPrivilege 3360 msiexec.exe Token: SeRestorePrivilege 3360 msiexec.exe Token: SeShutdownPrivilege 3360 msiexec.exe Token: SeDebugPrivilege 3360 msiexec.exe Token: SeAuditPrivilege 3360 msiexec.exe Token: SeSystemEnvironmentPrivilege 3360 msiexec.exe Token: SeChangeNotifyPrivilege 3360 msiexec.exe Token: SeRemoteShutdownPrivilege 3360 msiexec.exe Token: SeUndockPrivilege 3360 msiexec.exe Token: SeSyncAgentPrivilege 3360 msiexec.exe Token: SeEnableDelegationPrivilege 3360 msiexec.exe Token: SeManageVolumePrivilege 3360 msiexec.exe Token: SeImpersonatePrivilege 3360 msiexec.exe Token: SeCreateGlobalPrivilege 3360 msiexec.exe Token: SeBackupPrivilege 396 vssvc.exe Token: SeRestorePrivilege 396 vssvc.exe Token: SeAuditPrivilege 396 vssvc.exe Token: SeBackupPrivilege 2716 msiexec.exe Token: SeRestorePrivilege 2716 msiexec.exe Token: SeRestorePrivilege 2716 msiexec.exe Token: SeTakeOwnershipPrivilege 2716 msiexec.exe Token: SeRestorePrivilege 2716 msiexec.exe Token: SeTakeOwnershipPrivilege 2716 msiexec.exe Token: SeBackupPrivilege 4948 srtasks.exe Token: SeRestorePrivilege 4948 srtasks.exe Token: SeSecurityPrivilege 4948 srtasks.exe Token: SeTakeOwnershipPrivilege 4948 srtasks.exe Token: SeBackupPrivilege 4948 srtasks.exe Token: SeRestorePrivilege 4948 srtasks.exe Token: SeSecurityPrivilege 4948 srtasks.exe Token: SeTakeOwnershipPrivilege 4948 srtasks.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3360 msiexec.exe 3360 msiexec.exe -
Suspicious use of WriteProcessMemory 22 IoCs
description pid Process procid_target PID 2716 wrote to memory of 4948 2716 msiexec.exe 94 PID 2716 wrote to memory of 4948 2716 msiexec.exe 94 PID 2716 wrote to memory of 3908 2716 msiexec.exe 96 PID 2716 wrote to memory of 3908 2716 msiexec.exe 96 PID 2716 wrote to memory of 3908 2716 msiexec.exe 96 PID 3908 wrote to memory of 3928 3908 MsiExec.exe 97 PID 3908 wrote to memory of 3928 3908 MsiExec.exe 97 PID 3908 wrote to memory of 3928 3908 MsiExec.exe 97 PID 3908 wrote to memory of 516 3908 MsiExec.exe 99 PID 3908 wrote to memory of 516 3908 MsiExec.exe 99 PID 3908 wrote to memory of 516 3908 MsiExec.exe 99 PID 3908 wrote to memory of 4380 3908 MsiExec.exe 102 PID 3908 wrote to memory of 4380 3908 MsiExec.exe 102 PID 4380 wrote to memory of 2560 4380 iTunesHelper.exe 104 PID 4380 wrote to memory of 2560 4380 iTunesHelper.exe 104 PID 4380 wrote to memory of 2560 4380 iTunesHelper.exe 104 PID 3908 wrote to memory of 3336 3908 MsiExec.exe 108 PID 3908 wrote to memory of 3336 3908 MsiExec.exe 108 PID 3908 wrote to memory of 3336 3908 MsiExec.exe 108 PID 3908 wrote to memory of 4924 3908 MsiExec.exe 110 PID 3908 wrote to memory of 4924 3908 MsiExec.exe 110 PID 3908 wrote to memory of 4924 3908 MsiExec.exe 110 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\3bf99810510c197b9cd6e434d95417515dbc42f94b11bbf9916ec160066eb77e.msi1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3360
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
PID:4948
-
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding 5B6613AF15B0B43473CF1DE59C72BB3F2⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3908 -
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\." /SETINTEGRITYLEVEL (CI)(OI)HIGH3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:3928
-
-
C:\Windows\SysWOW64\EXPAND.EXE"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files3⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:516
-
-
C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\files\iTunesHelper.exe"C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\files\iTunesHelper.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4380 -
\??\c:\temp\Autoit3.exe"c:\temp\Autoit3.exe" c:\temp\script.a3x4⤵
- Command and Scripting Interpreter: AutoIT
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:2560
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\files"3⤵
- System Location Discovery: System Language Discovery
PID:3336
-
-
C:\Windows\SysWOW64\ICACLS.EXE"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-f5cba9c5-9eaa-4dcd-84d4-8f5bb283c405\." /SETINTEGRITYLEVEL (CI)(OI)LOW3⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:4924
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:396
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_A55A1F98A2E2349B736808E9897028A5
Filesize1KB
MD5d08c751a9d8c6794b80c2d62acb8b45e
SHA11a33e5b50afc6e6060e73f5bd4417ac370d080f0
SHA256ed236bef3acda783c8085cf3756a72e8677d8f4b2fdd5d4002fc0dc3d77977d7
SHA512dd701e2c460260ea50f867e2402820a66faeedca2b03741aacb2a3893df45d00339c6525bcb63c2825f811fcd9b832ddab79e4e8b1b963e5bff6f09ec1688dca
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Filesize1KB
MD5bc0bd376d9c972f09fec5f2c71f7b89b
SHA16acdafbaf0c3df78fa25a96129194bfeddebb746
SHA2560d2f2d28d06b39384d958aaf0e693edf6a319e48612e50737a95c1f7658763cb
SHA5120b0b7329cd51c1521ffba23edf7cc828be53ef6674f8546572e146e55d487acfadb32938b8fdb8260a146055ebce56f087f9428afcc275206d5e29d9c99cc805
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_A55A1F98A2E2349B736808E9897028A5
Filesize540B
MD5bb1c156e401a6dbd5faf59e8fae3f08a
SHA1ffc06be2f5f0138bf99be74cf4fa0913f8e5262a
SHA25667621c305c3037e7b44332597eb5199471cff76dbed35f4e6f66b31f340e72af
SHA512c518125dd957d20932b86ddd6eab9e6866e257f36a5ca7c515e87421400aa667b37d440e7055dedb7b8b38f2a4fe3fb5fa0dec6b2fcb089b1d6cccecd17ced14
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
Filesize536B
MD52c19f80ba805b5b3b28f59f2aceaf518
SHA14251d62af85a2362b50ef632f0beeb17d4d710a1
SHA2566060352128864a9cb2c890970c3607716129f39310375a6445b4133378f34ddb
SHA512bd93830d0e8d494008b5b6b41aaa58f2953a0ded8867b8d3362e71105de4be7c61bf6bd02a4a7a4048667997ad773b408da3e872d48bb1c6ef90e74bf3db34b8
-
Filesize
5.6MB
MD5d339565d7c5224c45092b3aaeeb3797f
SHA1c85565693714583e57fb9addb64368cc87288efa
SHA256359e387871378831eb1293f41b54436abc6357733d1a573f0caff90ab1cbf07d
SHA51214b3cb62aa99f53a8205783297285b38268306d4876ebdc65ab42d2c7c5613dc4b7010d3f25f2ad60747e136ff5939dca8f6a986f7161f27c0d791f4e874062b
-
Filesize
3.6MB
MD5b4677a50c291d7c5a7f9f1b80f39a37f
SHA176d183107f9a8f89f09e25149e6e3de777b25d5a
SHA256c2d43d768cebcf63e8d0c3ae8ffd2cd5070e4ac656a132b63d5e7372cef69c62
SHA512bb2a3bb016cca60bd5f8a33773752e8f88bae764a6497eaaccf563da8607805b5723b30135c001f2fbc20c628e75c099410d9fd09b375c3d2901b6e7f70ba356
-
Filesize
358KB
MD5ed6a1c72a75dee15a6fa75873cd64975
SHA167a15ca72e3156f8be6c46391e184087e47f4a0d
SHA2560d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda
SHA512256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03
-
Filesize
1.6MB
MD5ce6e163809f5e817ef0c259672f7a1cd
SHA1123e2f032b2fc45d6d9fe482756243ed61137476
SHA25628ead67d2352ddd11f963e8b23930905ecbaff371162dfdae5ed096f62eb3d79
SHA51207766db4cf023bf059415a58a9e1384acb39260ba71587b4eadb99f84d307c0ab70f76390894ab786a6461a0c809f8e9fe435f7bf9b334a369a178c54b295229
-
Filesize
1KB
MD58aeecbf7b5c6f62f16b16bf2e094f548
SHA106c8190b197b0f76b6e03bf353a1ccc441856ada
SHA25658916fbf9c9dbeeec72a2f32d7d1f7de328866c6c638be488f62a1871e92723b
SHA5120607aff08519a7d55b49bbaa4df26ce469b2b28abfd4e5a71f3944c863dbedcbc13b5ed53a2e12f67f5983a8706668c289d24802ee514b7cc8094983bda936ba
-
Filesize
1KB
MD551492fc1931b0ba45a4ab6cfb0951142
SHA15d8e47662e2a26c272c0f20b4f8cdd6ce4f7f4a8
SHA2567195a0c8cbda25f0178ccbd2eefb3058b611e12e76a252374c7cd3855461f933
SHA5128f6e6e6afea089493b9d32d47fed5b61e22589d289c0075bc99bcdd97c38c999e0e5898ea76d99e5f6dadc9842ac618b4d0412548b6381fd5bbda0bc9ac64fe2
-
Filesize
208KB
MD5d82b3fb861129c5d71f0cd2874f97216
SHA1f3fe341d79224126e950d2691d574d147102b18d
SHA256107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c
SHA512244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
23.0MB
MD59c0014f314604e535cd3ec22976385e9
SHA1f7a65d49cac154d7f5fe0af523f9785b8965f08b
SHA2569f3f5dd0c4969e33667f325b6dd59c56b924d9ff5410310e853c951ea44221b8
SHA5124cc389ade68b839450d5b520a892e2ad0ce1d10e488da4942e3ce130403b126e5be94742dfb5cd5d0c4450ac2cc3660620e804b810408b7d5677aa5dbed5cdbe
-
\??\Volume{542e36da-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9fa214e9-1ae8-4049-a33d-403725184eb5}_OnDiskSnapshotProp
Filesize6KB
MD5c7ddeb1560af057f088c9b233cd02c93
SHA1f201e5146889c0eee990dea4ad98357318756d5c
SHA2561e5742d84a1e070e932dce276ef3d6ef2ee5cd1a739daecfe23e04864ecff58b
SHA5128cb9fe0716cdff54b823cb7f34034ba496f0f14d72ab862fb598d2081b0f30bea67d11e623a40408863762a94fc78d49540e4b0ab4f76919dd7c09fb9c78a88d
-
Filesize
474KB
MD56354b28ac4bc8fa465d80c3ea3893116
SHA10eea737ad0a1a0cb5c3f14279a05d1fba6c6216d
SHA2569515b7b3ebe97e51842be2e91241f0332916d6ec8aecb767ba418de4d21f57f7
SHA5126150a7b646326f01118535c2469628de79e20b7461dccf44a2311d0c1f7e4ed2d8523e7671e26d9c843fabce2946ea33adf4cc4e6acfd3216e1e06cdc1efa53b
-
Filesize
76B
MD545306f5622da212035662680f1c09e0e
SHA1a89ae25df7b6bc8a30c4dcfdc267cf912e17f1bb
SHA2562a5eaa4fb540232306ee036ed870369570744b34d8bd17743293e4763d19933e
SHA51299c9a4c77b346cf95930575fdb6a0c7ef4fe3cc75831e8f4c5d8114d0b35ff8c7fa6ca4f4dca6b34b53bd133766565318da0904fb467f88a1d7f47d0577115b0