darkgate | 8738866be2f39ac05df243bbe2c82dfc6c125643cc5c75e5f199701fbacc90c9

Analysis

max time kernel
144s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

roamingkiller.msi
Size

4.0MB
MD5

986f09656e4864f9731312b0343df116
SHA1

c83264f9d18f45359a3c31822a35eeea24218e0e
SHA256

8738866be2f39ac05df243bbe2c82dfc6c125643cc5c75e5f199701fbacc90c9
SHA512

61c92dee7d1d26738f4fb447d5272b85f7b82aa7e15ace3bedc815d0542477435c7b33a517362fa70db70d09d4d55cb538413f7c22820dd8db46cbd80d271b73
SSDEEP

49152:apUPV9qhCxzT+WKjSX1dzLVI4QNhhg7HAS35gqffIn2VvsOUxNUP/YN6bhvqIis:apECQ15Le07H1WqHF9jUvUP/YE1v

Score

10^/10

darkgate admin888 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

strongdomainsercgerhhost.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
false
c2_port
443
check_disk
true
check_ram
true
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
oMCbXETF
minimum_disk
70
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral2/memory/4992-89-0x00000000063E0000-0x000000000672E000-memory.dmp	family_darkgate_v6
behavioral2/memory/4992-91-0x00000000063E0000-0x000000000672E000-memory.dmp	family_darkgate_v6

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1864	ICACLS.EXE
4772	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{02EE5C4D-1371-4EB9-AC2D-AC44224C64E8}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6409.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File created	C:\Windows\Installer\e57633e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57633e.msi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
4612	iTunesHelper.exe
4992	Autoit3.exe

Loads dropped DLL 2 IoCs

pid	Process
1060	MsiExec.exe
4612	iTunesHelper.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000009b9629f4dfdec3790000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800009b9629f40000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809009b9629f4000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d9b9629f4000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000009b9629f400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1164	msiexec.exe
1164	msiexec.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2984	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2984	msiexec.exe
Token: SeSecurityPrivilege	1164	msiexec.exe
Token: SeCreateTokenPrivilege	2984	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2984	msiexec.exe
Token: SeLockMemoryPrivilege	2984	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2984	msiexec.exe
Token: SeMachineAccountPrivilege	2984	msiexec.exe
Token: SeTcbPrivilege	2984	msiexec.exe
Token: SeSecurityPrivilege	2984	msiexec.exe
Token: SeTakeOwnershipPrivilege	2984	msiexec.exe
Token: SeLoadDriverPrivilege	2984	msiexec.exe
Token: SeSystemProfilePrivilege	2984	msiexec.exe
Token: SeSystemtimePrivilege	2984	msiexec.exe
Token: SeProfSingleProcessPrivilege	2984	msiexec.exe
Token: SeIncBasePriorityPrivilege	2984	msiexec.exe
Token: SeCreatePagefilePrivilege	2984	msiexec.exe
Token: SeCreatePermanentPrivilege	2984	msiexec.exe
Token: SeBackupPrivilege	2984	msiexec.exe
Token: SeRestorePrivilege	2984	msiexec.exe
Token: SeShutdownPrivilege	2984	msiexec.exe
Token: SeDebugPrivilege	2984	msiexec.exe
Token: SeAuditPrivilege	2984	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2984	msiexec.exe
Token: SeChangeNotifyPrivilege	2984	msiexec.exe
Token: SeRemoteShutdownPrivilege	2984	msiexec.exe
Token: SeUndockPrivilege	2984	msiexec.exe
Token: SeSyncAgentPrivilege	2984	msiexec.exe
Token: SeEnableDelegationPrivilege	2984	msiexec.exe
Token: SeManageVolumePrivilege	2984	msiexec.exe
Token: SeImpersonatePrivilege	2984	msiexec.exe
Token: SeCreateGlobalPrivilege	2984	msiexec.exe
Token: SeBackupPrivilege	452	vssvc.exe
Token: SeRestorePrivilege	452	vssvc.exe
Token: SeAuditPrivilege	452	vssvc.exe
Token: SeBackupPrivilege	1164	msiexec.exe
Token: SeRestorePrivilege	1164	msiexec.exe
Token: SeRestorePrivilege	1164	msiexec.exe
Token: SeTakeOwnershipPrivilege	1164	msiexec.exe
Token: SeRestorePrivilege	1164	msiexec.exe
Token: SeTakeOwnershipPrivilege	1164	msiexec.exe
Token: SeBackupPrivilege	3908	srtasks.exe
Token: SeRestorePrivilege	3908	srtasks.exe
Token: SeSecurityPrivilege	3908	srtasks.exe
Token: SeTakeOwnershipPrivilege	3908	srtasks.exe
Token: SeBackupPrivilege	3908	srtasks.exe
Token: SeRestorePrivilege	3908	srtasks.exe
Token: SeSecurityPrivilege	3908	srtasks.exe
Token: SeTakeOwnershipPrivilege	3908	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2984	msiexec.exe
2984	msiexec.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1164 wrote to memory of 3908	1164	msiexec.exe	103
PID 1164 wrote to memory of 3908	1164	msiexec.exe	103
PID 1164 wrote to memory of 1060	1164	msiexec.exe	105
PID 1164 wrote to memory of 1060	1164	msiexec.exe	105
PID 1164 wrote to memory of 1060	1164	msiexec.exe	105
PID 1060 wrote to memory of 1864	1060	MsiExec.exe	106
PID 1060 wrote to memory of 1864	1060	MsiExec.exe	106
PID 1060 wrote to memory of 1864	1060	MsiExec.exe	106
PID 1060 wrote to memory of 2804	1060	MsiExec.exe	110
PID 1060 wrote to memory of 2804	1060	MsiExec.exe	110
PID 1060 wrote to memory of 2804	1060	MsiExec.exe	110
PID 1060 wrote to memory of 4612	1060	MsiExec.exe	112
PID 1060 wrote to memory of 4612	1060	MsiExec.exe	112
PID 4612 wrote to memory of 4992	4612	iTunesHelper.exe	113
PID 4612 wrote to memory of 4992	4612	iTunesHelper.exe	113
PID 4612 wrote to memory of 4992	4612	iTunesHelper.exe	113
PID 1060 wrote to memory of 1896	1060	MsiExec.exe	117
PID 1060 wrote to memory of 1896	1060	MsiExec.exe	117
PID 1060 wrote to memory of 1896	1060	MsiExec.exe	117
PID 1060 wrote to memory of 4772	1060	MsiExec.exe	119
PID 1060 wrote to memory of 4772	1060	MsiExec.exe	119
PID 1060 wrote to memory of 4772	1060	MsiExec.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\roamingkiller.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2984

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1164
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3908
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 17061FF9CF4114D0DC3A640EFE6C2F26
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-98e06e83-3bd6-42e0-91e0-4bcb3d439c02\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:1864
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:2804
- - C:\Users\Admin\AppData\Local\Temp\MW-98e06e83-3bd6-42e0-91e0-4bcb3d439c02\files\iTunesHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-98e06e83-3bd6-42e0-91e0-4bcb3d439c02\files\iTunesHelper.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:4612
  - - \??\c:\temp\Autoit3.exe
      "c:\temp\Autoit3.exe" c:\temp\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:4992
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-98e06e83-3bd6-42e0-91e0-4bcb3d439c02\files"
    3⤵
    PID:1896
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-98e06e83-3bd6-42e0-91e0-4bcb3d439c02\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:4772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-98e06e83-3bd6-42e0-91e0-4bcb3d439c02\files.cab

Filesize
3.7MB

MD5
6c0cd2b7849bef143981adacb882d293

SHA1
cb9ba3050851451a3eb545f69fba11d75428c86e

SHA256
ebc07602baa657c8cce1feb5f182f573fde28a87df27bfefa89eccd78810c3ba

SHA512
ab5cf5f143a4886e3c2f2381cd4c381a98ae54ba3e9bc6ed7986585debd18b46402ddd9e946ffbdb7aa035529cb3b1ef42a8dfc8ddfd36f3d0ab9892ee2e18a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-98e06e83-3bd6-42e0-91e0-4bcb3d439c02\files\CoreFoundation.dll

Filesize
1.5MB

MD5
8e29a460d6c90af9538038dd4a656f76

SHA1
3fc0be858e9d01d0dc8cb376b16123c7bfeff686

SHA256
b9ad4d86a0f379c117fa0bf2551fbf8b6edbc3ecfa2dc20636261d5cfc06e211

SHA512
5f93b41ec0591dc8039d875b0ec3fd6f3fec6971d2bc79ef91c9f4fc61623ae64e75f4bd02c135375c4ce345c250d0bef61d2f79189e1d9f9f6cb8cfcb17c892

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-98e06e83-3bd6-42e0-91e0-4bcb3d439c02\files\iTunesHelper.exe

Filesize
358KB

MD5
ed6a1c72a75dee15a6fa75873cd64975

SHA1
67a15ca72e3156f8be6c46391e184087e47f4a0d

SHA256
0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda

SHA512
256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-98e06e83-3bd6-42e0-91e0-4bcb3d439c02\files\sqlite3.dll

Filesize
1.8MB

MD5
f58600c235e6945c85bce5ebab240f1f

SHA1
c3f1e5fb06654d0b05c71e31ffebb004e464a532

SHA256
6c9e0fae988f29598bdebf2c3744083a22f444e7e91f48e63349e1268794e84d

SHA512
b42b849d0b76f7aa050194ca27897c8b0ef940265ffc3284ff3d54361727679642b3d2db25f78d6aad00d0944887f11bb0bd75a3b5d6ca00d54e2c3fad43de5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-98e06e83-3bd6-42e0-91e0-4bcb3d439c02\msiwrapper.ini

Filesize
1KB

MD5
9f3d8f125e71b02bf1c538d0210d138a

SHA1
381a088b4c4fd2bdb9852e7b64679bdfc132ab20

SHA256
4c9fffb9a443a3b3926b65bc06c31663ccb6584e6c7d35b8297d19c1af2b4c95

SHA512
3ec9fd7a33ae51d345257a4354e7c21583e125358625905c57b9c996becb5b238bef08922f42144747224b578b52d01f4460dab8f36af2df7aea89b17319a1f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-98e06e83-3bd6-42e0-91e0-4bcb3d439c02\msiwrapper.ini

Filesize
1KB

MD5
281785dddc56ac07572cad5183ffb7a8

SHA1
dcbf2f7d79ce7cd060d7f7ed878acb1c251e6dc3

SHA256
6a9212e0fef6a480b2f393e173fd7cfc316bdc7f1823eb1eceba4504df9b36b6

SHA512
6e04610881331098bb8798fd45b5b938e73350256f51797f8e9798379dd74a2688d3f63a5b8b6a912bb594fad189b5ec1818b05de06f4355316af0a282402170

Download Submit
C:\Windows\Installer\MSI6409.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
2a410ae2ddd02249518202614095908e

SHA1
c1e938be86b7181f8a0826f1320bdb12e4c5f352

SHA256
b2675c4524972c2ef2745080171ae561c3ab66f2ff209c0f41c2024a75e04579

SHA512
799b61ad991ed11df6692e0f8bcaa023a692f47c7a93e1e0e9b73a2f8dd574912432e7e25586df48ec350f3227802c8b408ca239166be715653906f8d6690250

Download Submit
\??\Volume{f429969b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{82d89733-7b37-45b6-896f-da516cf79870}_OnDiskSnapshotProp

Filesize
6KB

MD5
9562e3b27d29f56630d0c07591446fbf

SHA1
a1c40660c421cf3865e407e97744b14220102a0f

SHA256
7274d11ac24f8af12b907d76807d29f92405a4a9e46ab6d580f6d70335e16ae9

SHA512
b5cc7ad3bc8e1bc9e23e64b64ba27b5acc06db0394d91dfb12cc961a1e9fbc0229a7ec1f94c9ba5a18e1df5269698f5601508a2c6b9c434457366513bab4b888

Download Submit
\??\c:\temp\script.au3

Filesize
707KB

MD5
4f4edda4d1d8ac1123055e770d0683fc

SHA1
0a555542ca086297cc055059b553c6bc8053441d

SHA256
2d61625a0e63ab4491deab98c76aa02ba583b4c655b55c1672b74338c20e39dd

SHA512
956cd425b935a2055d10fc13961de5c55967ac7aeddb8c20598c26a46b27bfdf6c52c7ee66690bb629dbb56f4c33c69f6184371dbf23e6042bedfad9d22772d8

Download Submit
\??\c:\temp\test.txt

Filesize
76B

MD5
2c2c4f33155ed9938468ac12099f263a

SHA1
5d323c3a86a886dc42b346f93644f67e83ca07dd

SHA256
6570f12a91bc387e6fcf9e9489eebb9876e0552d88e3d1bfa94624a5da0c511d

SHA512
64e6a06936b2227685cf84f204998130faad0d3ea6915936e37c19659c4a16e400b8849294f1eaabc3ffb36e59c44699c71c01f6a3907d120df46959889f5172

Download Submit
memory/4612-80-0x000001826F1C0000-0x000001826F39A000-memory.dmp

Filesize
1.9MB

Download
memory/4612-92-0x0000000073480000-0x000000007361D000-memory.dmp

Filesize
1.6MB

Download
memory/4612-93-0x000001826F1C0000-0x000001826F39A000-memory.dmp

Filesize
1.9MB

Download
memory/4992-88-0x0000000004BC0000-0x0000000005B90000-memory.dmp

Filesize
15.8MB

Download
memory/4992-89-0x00000000063E0000-0x000000000672E000-memory.dmp

Filesize
3.3MB

Download
memory/4992-91-0x00000000063E0000-0x000000000672E000-memory.dmp

Filesize
3.3MB

Download