darkgate | 752cba77262a6d90b64495efe6254761034a0539024f1847f8c6c441d8a7144e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

deckfeauture.msi
Size

3.9MB
MD5

7fd755d14e74c0af0d1c6b448fea8b5a
SHA1

d41b9481f94ca0d5017e6c1eba0086afbeb744a0
SHA256

3b953ef40eede72755e5562996fb6854b031440ac535f2f16e86bfdcf1e85132
SHA512

14c496cb7db7cd3dd5a44c16a1ba39d82a31ede1c6638c555b085a98728d193bfc4d891c4e5a54b86f9088b15f3812775ff7917413b62f67b80491486ac971b1
SSDEEP

49152:BpUPG9qhCxzT+WKjSXNJzLVI42Hdd8PWokdCvmmmmmmmmE/5vfH2xexG8JN6DB:BpLCQNVLe5HXSW55vfHkexGs

Score

10^/10

darkgate admin888 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

strongdomainsercgerhhost.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
false
c2_port
443
check_disk
true
check_ram
true
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
VMKaaNDw
minimum_disk
70
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
true
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral2/memory/412-87-0x0000000006750000-0x0000000006A9E000-memory.dmp	family_darkgate_v6
behavioral2/memory/412-90-0x0000000006750000-0x0000000006A9E000-memory.dmp	family_darkgate_v6

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1756	ICACLS.EXE
2296	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File created	C:\Windows\Installer\SourceHash{19CE3AB3-6719-4329-B01E-F981D61A2A85}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6726.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File created	C:\Windows\Installer\e57666b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57666b.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
3388	iTunesHelper.exe
412	Autoit3.exe

Loads dropped DLL 2 IoCs

pid	Process
2144	MsiExec.exe
3388	iTunesHelper.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000982641fbe24eac720000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000982641fb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900982641fb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d982641fb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000982641fb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4636	msiexec.exe
4636	msiexec.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1356	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1356	msiexec.exe
Token: SeSecurityPrivilege	4636	msiexec.exe
Token: SeCreateTokenPrivilege	1356	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1356	msiexec.exe
Token: SeLockMemoryPrivilege	1356	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1356	msiexec.exe
Token: SeMachineAccountPrivilege	1356	msiexec.exe
Token: SeTcbPrivilege	1356	msiexec.exe
Token: SeSecurityPrivilege	1356	msiexec.exe
Token: SeTakeOwnershipPrivilege	1356	msiexec.exe
Token: SeLoadDriverPrivilege	1356	msiexec.exe
Token: SeSystemProfilePrivilege	1356	msiexec.exe
Token: SeSystemtimePrivilege	1356	msiexec.exe
Token: SeProfSingleProcessPrivilege	1356	msiexec.exe
Token: SeIncBasePriorityPrivilege	1356	msiexec.exe
Token: SeCreatePagefilePrivilege	1356	msiexec.exe
Token: SeCreatePermanentPrivilege	1356	msiexec.exe
Token: SeBackupPrivilege	1356	msiexec.exe
Token: SeRestorePrivilege	1356	msiexec.exe
Token: SeShutdownPrivilege	1356	msiexec.exe
Token: SeDebugPrivilege	1356	msiexec.exe
Token: SeAuditPrivilege	1356	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1356	msiexec.exe
Token: SeChangeNotifyPrivilege	1356	msiexec.exe
Token: SeRemoteShutdownPrivilege	1356	msiexec.exe
Token: SeUndockPrivilege	1356	msiexec.exe
Token: SeSyncAgentPrivilege	1356	msiexec.exe
Token: SeEnableDelegationPrivilege	1356	msiexec.exe
Token: SeManageVolumePrivilege	1356	msiexec.exe
Token: SeImpersonatePrivilege	1356	msiexec.exe
Token: SeCreateGlobalPrivilege	1356	msiexec.exe
Token: SeBackupPrivilege	2492	vssvc.exe
Token: SeRestorePrivilege	2492	vssvc.exe
Token: SeAuditPrivilege	2492	vssvc.exe
Token: SeBackupPrivilege	4636	msiexec.exe
Token: SeRestorePrivilege	4636	msiexec.exe
Token: SeRestorePrivilege	4636	msiexec.exe
Token: SeTakeOwnershipPrivilege	4636	msiexec.exe
Token: SeRestorePrivilege	4636	msiexec.exe
Token: SeTakeOwnershipPrivilege	4636	msiexec.exe
Token: SeBackupPrivilege	4964	srtasks.exe
Token: SeRestorePrivilege	4964	srtasks.exe
Token: SeSecurityPrivilege	4964	srtasks.exe
Token: SeTakeOwnershipPrivilege	4964	srtasks.exe
Token: SeBackupPrivilege	4964	srtasks.exe
Token: SeRestorePrivilege	4964	srtasks.exe
Token: SeSecurityPrivilege	4964	srtasks.exe
Token: SeTakeOwnershipPrivilege	4964	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1356	msiexec.exe
1356	msiexec.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 4636 wrote to memory of 4964	4636	msiexec.exe	99
PID 4636 wrote to memory of 4964	4636	msiexec.exe	99
PID 4636 wrote to memory of 2144	4636	msiexec.exe	101
PID 4636 wrote to memory of 2144	4636	msiexec.exe	101
PID 4636 wrote to memory of 2144	4636	msiexec.exe	101
PID 2144 wrote to memory of 1756	2144	MsiExec.exe	102
PID 2144 wrote to memory of 1756	2144	MsiExec.exe	102
PID 2144 wrote to memory of 1756	2144	MsiExec.exe	102
PID 2144 wrote to memory of 1004	2144	MsiExec.exe	104
PID 2144 wrote to memory of 1004	2144	MsiExec.exe	104
PID 2144 wrote to memory of 1004	2144	MsiExec.exe	104
PID 2144 wrote to memory of 3388	2144	MsiExec.exe	106
PID 2144 wrote to memory of 3388	2144	MsiExec.exe	106
PID 3388 wrote to memory of 412	3388	iTunesHelper.exe	107
PID 3388 wrote to memory of 412	3388	iTunesHelper.exe	107
PID 3388 wrote to memory of 412	3388	iTunesHelper.exe	107
PID 2144 wrote to memory of 4700	2144	MsiExec.exe	111
PID 2144 wrote to memory of 4700	2144	MsiExec.exe	111
PID 2144 wrote to memory of 4700	2144	MsiExec.exe	111
PID 2144 wrote to memory of 2296	2144	MsiExec.exe	113
PID 2144 wrote to memory of 2296	2144	MsiExec.exe	113
PID 2144 wrote to memory of 2296	2144	MsiExec.exe	113

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\deckfeauture.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1356

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4964
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9F8AEBE92C42CBF31C8C763794F1D5CB
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-0f3ecd46-23e8-44fa-8765-31c892736ce7\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:1756
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:1004
- - C:\Users\Admin\AppData\Local\Temp\MW-0f3ecd46-23e8-44fa-8765-31c892736ce7\files\iTunesHelper.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-0f3ecd46-23e8-44fa-8765-31c892736ce7\files\iTunesHelper.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3388
  - - \??\c:\temp\Autoit3.exe
      "c:\temp\Autoit3.exe" c:\temp\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:412
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-0f3ecd46-23e8-44fa-8765-31c892736ce7\files"
    3⤵
    PID:4700
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-0f3ecd46-23e8-44fa-8765-31c892736ce7\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:2296

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-0f3ecd46-23e8-44fa-8765-31c892736ce7\files.cab

Filesize
3.6MB

MD5
9e1703f962e0783e4554f48e0ff47fa6

SHA1
e451d50985eacf7b716870e0062f062003f327b5

SHA256
255c0904241488153c4ee4f07bfbf5f8e8165aa32b73a8f5eb58c65dabf6fdec

SHA512
09ee93e2dc06c046af86d7923b8b3f7884226f16b652e240a710945831b421993ad6abbd282be959329e8a3546fa1fa6eff964e81e76067b1e734d440fcff45d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-0f3ecd46-23e8-44fa-8765-31c892736ce7\files\CoreFoundation.dll

Filesize
1.5MB

MD5
92e50709f753055dc70693e2dcfeccbb

SHA1
1d3199705e9fa09e5693800a91e882f2c0bafa22

SHA256
e9b65b8f156750e62f742680fd1e476cebf2491dc191d9c4480597f3eafcdb83

SHA512
b40670d441c0c4f209eb832a1a6846266dbdf65a4a4b6f540d68cf908186009126b3e1518e408311e0207c7f15f9abac48f4b39cc5b3236fb2697d59656bc722

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-0f3ecd46-23e8-44fa-8765-31c892736ce7\files\iTunesHelper.exe

Filesize
358KB

MD5
ed6a1c72a75dee15a6fa75873cd64975

SHA1
67a15ca72e3156f8be6c46391e184087e47f4a0d

SHA256
0d8878cca08903777888b3681f90e4a07c7aef7d9600a67dfa985844d4bf5eda

SHA512
256c2ebfeb42c2d3340d8bb423ef0ae48d5fb9fe5ca09c363595f51a03007482b67a777e4cae7a8194f69bc3a3fbcdb9abb5c9f92097925272431bb9d50f5c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-0f3ecd46-23e8-44fa-8765-31c892736ce7\files\sqlite3.dll

Filesize
1.7MB

MD5
287027032e669b51f5ff290c71b7de88

SHA1
e81d5d9b2cc16acc9902e38fd4c1fe21d0c5d4e1

SHA256
6b7d5b7b647ed232ad25aa1a33597f4c75a5fe78b657378fc00de3987cc7c1e7

SHA512
5c405c82d392bd22246a9df04332bbb5cc29b4c9e2c9b26eadc89259b141984a78d35d11d331c96e797e525254bc55bcb87fe86aa5fc569e27b638ec806aa2e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-0f3ecd46-23e8-44fa-8765-31c892736ce7\msiwrapper.ini

Filesize
1KB

MD5
ef81729c3caa143d9edf7c1091ae920c

SHA1
2e075f8ea32b2d778b841a17809ee35afe9fce84

SHA256
90f828cb0e6e168ce9309b3c17777d37b2ebe65ce730db743f0897ebc9ff0a2b

SHA512
252856832b0b4727c3d67d242587d915117f91c7b7a95fb88464ec68688d68dba412dfd6a6f76ea2423e80f41294b451c249d13763da041a2da9f67040a9e30f

Download Submit
C:\Windows\Installer\MSI6726.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
2ae55c5e4cc062ff165031eb501c6340

SHA1
ac95f107b1776464d046ab4f451c781b9046dc80

SHA256
75e28d66f1c817a7ee1d34448f3e57a4a7c25b594985b20e12e6ad3516ca5173

SHA512
3f44ff8d2a77822b8977257214ca5993d9f9656f408ed3f7bd99d9d2800352f72842b62447b3c2d2c18522e064fed863f32382c955116b032c7032cb95f4e5ad

Download Submit
\??\Volume{fb412698-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d450b16f-7927-4b23-aadd-d585b5032458}_OnDiskSnapshotProp

Filesize
6KB

MD5
2c8193143b4fe07af230eafc9a763d9f

SHA1
e7d8c8ca57063cb09d029b2da17c2ec057bf63c0

SHA256
4cdb6b2cc36ca9a2dbd68817f223a2fd47450db513651f2d984d509e30a0d2f1

SHA512
69e68741ce3dc12ca1cb282c6ac6d196ed8a63d77eaca862b9e990bd9d0584aa00b1ad4d1b9632a99c04c8f1f21c41dcee6f54c1701360e2ee0e9464fa354c8b

Download Submit
\??\c:\temp\script.au3

Filesize
589KB

MD5
553e714a2687a08fbc44a82c671c28a3

SHA1
f59b1e863a894b8dac8a736c4aa634a9ca963ce4

SHA256
008bbbff530daf5d53663a32f1355cc787eb14c485ee74ee03f7f33993db33f3

SHA512
5ab27b0de45f25e2c75269686b88708b56331503fde85f295d4d2195e748be559511808b5723aae5a32c64cd900f7c65ce54a1e3e201673bf8558181a3a6945e

Download Submit
\??\c:\temp\test.txt

Filesize
76B

MD5
8dc057073df6807a01f60fd32e8ff18a

SHA1
8f65a20a1d2c2675ec90a6a39dd2b6554335a9f1

SHA256
f8b27df7da307d0d58e1b971b8080af872a3125e229bdcbdfb95c64e8542c9dc

SHA512
23b4fb16dd61f88136c27d14c4450c638900e941771dde51368c0b08831d994dfb911a0c31088ec3dfbbd21ce1f3a48b0da3ba8cfd361f56f63e449d89a9f557

Download Submit
memory/412-86-0x0000000005000000-0x0000000005FD0000-memory.dmp

Filesize
15.8MB

Download
memory/412-90-0x0000000006750000-0x0000000006A9E000-memory.dmp

Filesize
3.3MB

Download
memory/412-87-0x0000000006750000-0x0000000006A9E000-memory.dmp

Filesize
3.3MB

Download
memory/3388-89-0x00000000561F0000-0x000000005638D000-memory.dmp

Filesize
1.6MB

Download
memory/3388-91-0x000001B75C130000-0x000001B75C2EC000-memory.dmp

Filesize
1.7MB

Download
memory/3388-78-0x000001B75C130000-0x000001B75C2EC000-memory.dmp

Filesize
1.7MB

Download