darkgate | b016b4d6bae0db98203a8886360d5dd738121f8da27cb0607f6869d96f0724a2

Analysis

max time kernel
130s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

prtyhguafelif.msi
Size

4.3MB
MD5

34d86486c3fa02eee70fc0c0d4eefefe
SHA1

de35522f5d4981a272cc21e5900afe91516b5500
SHA256

3c130dd5bfba46230e49a87522411f716c4ef5ce8ff3c60ef450c5c5c2e75f45
SHA512

4e0cb69240f975e457db15389cc391ffe673f03d5b68113f3c43c4d6dd3714215ad9a7e3cee8eeeddaadf803ff024056f0ec592ed6b164f16136f27a970c707b
SSDEEP

49152:xpUP29qhCxzT+WKjSX2ull0vP7QwEm8dhPDg8cP5wpmC2eg+/xAiPr0ZHMWtBpG/:xppCQxlEDQwEm4d1c6pmC2e3/nIP

Score

10^/10

darkgate admin888 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

newdomainfortesteenestle.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
false
c2_port
443
check_disk
false
check_ram
true
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
TFdsiUxb
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
false
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral2/memory/1444-93-0x0000000006200000-0x000000000654E000-memory.dmp	family_darkgate_v6
behavioral2/memory/1444-103-0x0000000006200000-0x000000000654E000-memory.dmp	family_darkgate_v6

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4868	ICACLS.EXE
2024	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI6D6F.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI785E.tmp	msiexec.exe
File created	C:\Windows\Installer\e576ce3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI7773.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e576ce3.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0C5C5D1B-8F8B-479B-9B20-CCD9DEE8F1B2}	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
1644	vlc.exe
1444	Autoit3.exe

Loads dropped DLL 3 IoCs

pid	Process
400	MsiExec.exe
1644	vlc.exe
400	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000486acc2d320b21400000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000486acc2d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900486acc2d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d486acc2d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000486acc2d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3108	msiexec.exe
3108	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4940	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4940	msiexec.exe
Token: SeSecurityPrivilege	3108	msiexec.exe
Token: SeCreateTokenPrivilege	4940	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4940	msiexec.exe
Token: SeLockMemoryPrivilege	4940	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4940	msiexec.exe
Token: SeMachineAccountPrivilege	4940	msiexec.exe
Token: SeTcbPrivilege	4940	msiexec.exe
Token: SeSecurityPrivilege	4940	msiexec.exe
Token: SeTakeOwnershipPrivilege	4940	msiexec.exe
Token: SeLoadDriverPrivilege	4940	msiexec.exe
Token: SeSystemProfilePrivilege	4940	msiexec.exe
Token: SeSystemtimePrivilege	4940	msiexec.exe
Token: SeProfSingleProcessPrivilege	4940	msiexec.exe
Token: SeIncBasePriorityPrivilege	4940	msiexec.exe
Token: SeCreatePagefilePrivilege	4940	msiexec.exe
Token: SeCreatePermanentPrivilege	4940	msiexec.exe
Token: SeBackupPrivilege	4940	msiexec.exe
Token: SeRestorePrivilege	4940	msiexec.exe
Token: SeShutdownPrivilege	4940	msiexec.exe
Token: SeDebugPrivilege	4940	msiexec.exe
Token: SeAuditPrivilege	4940	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4940	msiexec.exe
Token: SeChangeNotifyPrivilege	4940	msiexec.exe
Token: SeRemoteShutdownPrivilege	4940	msiexec.exe
Token: SeUndockPrivilege	4940	msiexec.exe
Token: SeSyncAgentPrivilege	4940	msiexec.exe
Token: SeEnableDelegationPrivilege	4940	msiexec.exe
Token: SeManageVolumePrivilege	4940	msiexec.exe
Token: SeImpersonatePrivilege	4940	msiexec.exe
Token: SeCreateGlobalPrivilege	4940	msiexec.exe
Token: SeBackupPrivilege	3508	vssvc.exe
Token: SeRestorePrivilege	3508	vssvc.exe
Token: SeAuditPrivilege	3508	vssvc.exe
Token: SeBackupPrivilege	3108	msiexec.exe
Token: SeRestorePrivilege	3108	msiexec.exe
Token: SeRestorePrivilege	3108	msiexec.exe
Token: SeTakeOwnershipPrivilege	3108	msiexec.exe
Token: SeRestorePrivilege	3108	msiexec.exe
Token: SeTakeOwnershipPrivilege	3108	msiexec.exe
Token: SeBackupPrivilege	2688	srtasks.exe
Token: SeRestorePrivilege	2688	srtasks.exe
Token: SeSecurityPrivilege	2688	srtasks.exe
Token: SeTakeOwnershipPrivilege	2688	srtasks.exe
Token: SeBackupPrivilege	2688	srtasks.exe
Token: SeRestorePrivilege	2688	srtasks.exe
Token: SeSecurityPrivilege	2688	srtasks.exe
Token: SeTakeOwnershipPrivilege	2688	srtasks.exe
Token: SeRestorePrivilege	3108	msiexec.exe
Token: SeTakeOwnershipPrivilege	3108	msiexec.exe
Token: SeRestorePrivilege	3108	msiexec.exe
Token: SeTakeOwnershipPrivilege	3108	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4940	msiexec.exe
4940	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 2688	3108	msiexec.exe	101
PID 3108 wrote to memory of 2688	3108	msiexec.exe	101
PID 3108 wrote to memory of 400	3108	msiexec.exe	103
PID 3108 wrote to memory of 400	3108	msiexec.exe	103
PID 3108 wrote to memory of 400	3108	msiexec.exe	103
PID 400 wrote to memory of 4868	400	MsiExec.exe	104
PID 400 wrote to memory of 4868	400	MsiExec.exe	104
PID 400 wrote to memory of 4868	400	MsiExec.exe	104
PID 400 wrote to memory of 2992	400	MsiExec.exe	106
PID 400 wrote to memory of 2992	400	MsiExec.exe	106
PID 400 wrote to memory of 2992	400	MsiExec.exe	106
PID 400 wrote to memory of 1644	400	MsiExec.exe	108
PID 400 wrote to memory of 1644	400	MsiExec.exe	108
PID 1644 wrote to memory of 1444	1644	vlc.exe	109
PID 1644 wrote to memory of 1444	1644	vlc.exe	109
PID 1644 wrote to memory of 1444	1644	vlc.exe	109
PID 400 wrote to memory of 2024	400	MsiExec.exe	110
PID 400 wrote to memory of 2024	400	MsiExec.exe	110
PID 400 wrote to memory of 2024	400	MsiExec.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\prtyhguafelif.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4940

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2688
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2996EEDD4DC38B0D0AE267A5E90693A2
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-492bb803-a0ca-469a-b2d4-e75e0a44475e\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:4868
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:2992
- - C:\Users\Admin\AppData\Local\Temp\MW-492bb803-a0ca-469a-b2d4-e75e0a44475e\files\vlc.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-492bb803-a0ca-469a-b2d4-e75e0a44475e\files\vlc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - \??\c:\temp\Autoit3.exe
      "c:\temp\Autoit3.exe" c:\temp\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:1444
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-492bb803-a0ca-469a-b2d4-e75e0a44475e\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:2024

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-492bb803-a0ca-469a-b2d4-e75e0a44475e\files.cab

Filesize
4.0MB

MD5
6f94816dcfb975b2f73bbb8ed5cc4fc9

SHA1
7387d492f2cb54b1691c87fca6f4d61471ea09a5

SHA256
9583c9e90f8184b9555e37590bf4b442595f92db92f1a13a591af46c49f7cdb0

SHA512
38c11f29190babd63465f2b33cdb399f7a99c704f303dfc96d4f263ec4c834f395a43a8e963282f9e88c075473afd6a9eb3dc4ed433133c899337ddebe06c85f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-492bb803-a0ca-469a-b2d4-e75e0a44475e\files\libvlc.dll

Filesize
1.5MB

MD5
51e4a971a6805182697a7fb43f163d75

SHA1
91a1b7a5770b38845bc2ccb36827c8965f745db4

SHA256
5aee3ba5acc947091f9e0837aaaf2d3f81fca38aa5a9ee9a65925d69296fee75

SHA512
1f0629bb3f2b423314e28bb585c4f3f826ae1015823a4b22380bfebb5e2ecd9f6f9310bb4c0a3b63cd4085f99040bbd9a629cf0355e2a040efe20cfb54099023

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-492bb803-a0ca-469a-b2d4-e75e0a44475e\files\sqlite3.dll

Filesize
1.6MB

MD5
44d4e2044c8e201745bd60739797cae4

SHA1
c716eace5968da8d310fe02578135831771b02c8

SHA256
5b85e1fee47bc43122549b3c4c3b524541be261042fa1a46c53bc23fea9515bb

SHA512
1ccdcc31ce3a9bbf9c1d846b2b343f8a6a260917d5aa417c7605ed8b7e7e173d9570e2f08cb469d1b81184d749619ef1bcd5bfb6dd9a0c383125e7217dd8901e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-492bb803-a0ca-469a-b2d4-e75e0a44475e\files\vlc.exe

Filesize
966KB

MD5
035860e139ba6db1b38d5346cb6ff5b6

SHA1
d515303cbca3a8ae7a0463fecd418d81b314e650

SHA256
16197a321fc7b0a2a311e689621fe4a7cd50fdcb2d163973a31e4fd6352232d7

SHA512
14dab9108d85af72001631130923b94483dd1440f24a8eedad41756db3030c5e11e80ec894922c389e09c86e8b721bcbd8594bd3646f484560f89963a7e18cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-492bb803-a0ca-469a-b2d4-e75e0a44475e\msiwrapper.ini

Filesize
1KB

MD5
f848abced66972b1c87ce15f47892d64

SHA1
6119115e09bdb1524f18ff72c6b9c39270e65479

SHA256
419086bf6eb36fe89acfb5f932d6f8f9b70a50cd45229596e1ddc1789d202e71

SHA512
653695b196fa8e51f91447931d57845a8c6e6ffa5dad2504ed0347f9f446e015515b2d61060780799c2889210518648ca3ec4af254040fceaa2d53f6b7700b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-492bb803-a0ca-469a-b2d4-e75e0a44475e\msiwrapper.ini

Filesize
1KB

MD5
40d7fd872ab16c99d40d774d4fbcc88f

SHA1
ea0572249a77c94fe80b06f06d41a39c7f4b1863

SHA256
a1359228a9cd45ec6b864e3ae56be2b4e96067cf2be711fcb882c83fa18ef396

SHA512
1cf24d2e6011843555dc61a00d7cfd68cdf6e8b87f4105482f4ddf850866fb0e512959b966faf9a5eed2fd112248316d56677fc8f4a5c2e3ae3ae0761f7ae5ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-492bb803-a0ca-469a-b2d4-e75e0a44475e\msiwrapper.ini

Filesize
1KB

MD5
de40069962545380ae89fd582be008cb

SHA1
29568de603cdfa9163dedced4598fd5f8c2c3411

SHA256
f647707ed17db6af7d630b521c3249e3840217d7b0ec4b092d6c8a774e2107af

SHA512
f9e8a276351258086061a60ec3edfe121410c7f9049f4d44d2347adc42a5beaaaf47b6f35018e8a35fb6f656e915263599ba66b9316a9dc1b7fe7c061bed8768

Download Submit
C:\Windows\Installer\MSI6D6F.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
1dad1a4ba275c0bf1d669e9e151e5d8f

SHA1
83aede3b6b0056daf7270dc5f21871bb1efdcd9e

SHA256
4d9266287db8af3a304d777e2d54d90957aada9f889863b4aada913d0488aa29

SHA512
10231772e777bed464fa2074ebde13ec376bb00b2ebd43011b3e5fffcc393f1c95e7b51e3b44b98c5f818b642101a8d612a4d0455f0cfd559bbe422d5d099cd0

Download Submit
\??\Volume{2dcc6a48-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f7ffccf7-e864-4639-a685-a3f827258c87}_OnDiskSnapshotProp

Filesize
6KB

MD5
4c0de7c03ffcf981548ba9e27e2cf8fd

SHA1
f48197513dff9c9ad2ae2091e3bdd2da020bc885

SHA256
e08df597a443e2c4dbdf5e6f2159e5cec8718587264cbcefba24750dec12fc85

SHA512
0269fa03fd2837d67f0ee10142e1fb6a302ce87ffb459ed8e51e816c6700a8ae3120549034a0fd0da098aa27b70877d53e45a0f70432e014530443e3c6787205

Download Submit
\??\c:\temp\script.au3

Filesize
470KB

MD5
1c58c98562845c82fc725c5c16b5a48e

SHA1
d6cbd30922812a9b9eaa9788d5b407d6ba0fbd85

SHA256
4ba483fde18e3600085e94315c389973f1b34738dad95611d8007892a2f70f54

SHA512
437801e4aafebfb92966115ee5610ae6a27d9eb5fac2e6165c22b1bd13dcd41eec4b21b0ad4440374000d29d869747ff18f8554d15239709945d6387ca42ef94

Download Submit
\??\c:\temp\test.txt

Filesize
76B

MD5
28a988656d5e68c08f68294ba3a148ae

SHA1
6001fa7583b92c0e38af90513687c43a2883f431

SHA256
663326b44b1faf8e7e7192c1d69959803a2fa02870a7756fcd2745d9bd91e02e

SHA512
900c855da7acc03359896370473cd7c6359f6e7fddd8ef2a6aa9cbd53d0a788b2049626169aae12331a2651304072e42267faad5b772f592410b0299e2503111

Download Submit
memory/1444-92-0x0000000004D00000-0x0000000005CD0000-memory.dmp

Filesize
15.8MB

Download
memory/1444-93-0x0000000006200000-0x000000000654E000-memory.dmp

Filesize
3.3MB

Download
memory/1444-103-0x0000000006200000-0x000000000654E000-memory.dmp

Filesize
3.3MB

Download
memory/1644-81-0x000001E8F9F60000-0x000001E8FA0FF000-memory.dmp

Filesize
1.6MB

Download
memory/1644-85-0x00007FF61C710000-0x00007FF61C808000-memory.dmp

Filesize
992KB

Download
memory/1644-88-0x000001E8F9F60000-0x000001E8FA0FF000-memory.dmp

Filesize
1.6MB

Download
memory/1644-86-0x0000000064160000-0x00000000642ED000-memory.dmp

Filesize
1.6MB

Download