darkgate | 8f866fef2619766bce17ac5b1fb3c6a30f9251877ac856b3614fb5b8ac185109

Analysis

max time kernel
144s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1927c89e8514cc8d7516d4513331a6c461d00547d107ffb7985742c46806f8f5.msi
Size

4.3MB
MD5

693c4acd02bea0abe6223a62dc2d4016
SHA1

d8f49b7896fb4e93cdb9602d604538cbdec2d043
SHA256

1927c89e8514cc8d7516d4513331a6c461d00547d107ffb7985742c46806f8f5
SHA512

435fb4c18e48a359b031c0c94d9cb31c49f4fff04b2df53ed3c29373446edca937f1af81d444d2199a505816ec9cc81a5bbf0ac5f6fb07bffb05f1a4182bfdbb
SSDEEP

49152:ApUPZ9qhCxzT+WKjSXBuX/MDiypVytj5hgleknccaUBj6oz0aHxAiToxZyiWtB96:ApOCQk/K6hgg4HomJ

Score

10^/10

darkgate admin888 discovery stealer

Malware Config

Extracted

Family

darkgate

Botnet

admin888

newdomainfortesteenestle.com

Attributes

anti_analysis
true
anti_debug
false
anti_vm
false
c2_port
443
check_disk
false
check_ram
true
check_xeon
false
crypter_au3
false
crypter_dll
false
crypter_raw_stub
false
internal_mutex
ZLhPAWah
minimum_disk
100
minimum_ram
4096
ping_interval
6
rootkit
false
startup_persistence
false
username
admin888

Signatures

DarkGate
DarkGate is an infostealer written in C++.
stealer darkgate

Detect DarkGate stealer 2 IoCs

resource	yara_rule
behavioral2/memory/1600-99-0x0000000006710000-0x0000000006A5E000-memory.dmp	family_darkgate_v6
behavioral2/memory/1600-101-0x0000000006710000-0x0000000006A5E000-memory.dmp	family_darkgate_v6

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4364	ICACLS.EXE
668	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI7A04.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e577271.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI732C.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI79F4.tmp	msiexec.exe
File created	C:\Windows\Installer\e577271.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{2A33E816-4B5A-45C0-B53F-6ECB8E20B8E3}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
3060	vlc.exe
1600	Autoit3.exe

Loads dropped DLL 3 IoCs

pid	Process
1588	MsiExec.exe
3060	vlc.exe
1588	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005cf4f6141e81f6580000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005cf4f6140000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809005cf4f614000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d5cf4f614000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005cf4f61400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
876	msiexec.exe
876	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4080	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4080	msiexec.exe
Token: SeSecurityPrivilege	876	msiexec.exe
Token: SeCreateTokenPrivilege	4080	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4080	msiexec.exe
Token: SeLockMemoryPrivilege	4080	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4080	msiexec.exe
Token: SeMachineAccountPrivilege	4080	msiexec.exe
Token: SeTcbPrivilege	4080	msiexec.exe
Token: SeSecurityPrivilege	4080	msiexec.exe
Token: SeTakeOwnershipPrivilege	4080	msiexec.exe
Token: SeLoadDriverPrivilege	4080	msiexec.exe
Token: SeSystemProfilePrivilege	4080	msiexec.exe
Token: SeSystemtimePrivilege	4080	msiexec.exe
Token: SeProfSingleProcessPrivilege	4080	msiexec.exe
Token: SeIncBasePriorityPrivilege	4080	msiexec.exe
Token: SeCreatePagefilePrivilege	4080	msiexec.exe
Token: SeCreatePermanentPrivilege	4080	msiexec.exe
Token: SeBackupPrivilege	4080	msiexec.exe
Token: SeRestorePrivilege	4080	msiexec.exe
Token: SeShutdownPrivilege	4080	msiexec.exe
Token: SeDebugPrivilege	4080	msiexec.exe
Token: SeAuditPrivilege	4080	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4080	msiexec.exe
Token: SeChangeNotifyPrivilege	4080	msiexec.exe
Token: SeRemoteShutdownPrivilege	4080	msiexec.exe
Token: SeUndockPrivilege	4080	msiexec.exe
Token: SeSyncAgentPrivilege	4080	msiexec.exe
Token: SeEnableDelegationPrivilege	4080	msiexec.exe
Token: SeManageVolumePrivilege	4080	msiexec.exe
Token: SeImpersonatePrivilege	4080	msiexec.exe
Token: SeCreateGlobalPrivilege	4080	msiexec.exe
Token: SeBackupPrivilege	2144	vssvc.exe
Token: SeRestorePrivilege	2144	vssvc.exe
Token: SeAuditPrivilege	2144	vssvc.exe
Token: SeBackupPrivilege	876	msiexec.exe
Token: SeRestorePrivilege	876	msiexec.exe
Token: SeRestorePrivilege	876	msiexec.exe
Token: SeTakeOwnershipPrivilege	876	msiexec.exe
Token: SeRestorePrivilege	876	msiexec.exe
Token: SeTakeOwnershipPrivilege	876	msiexec.exe
Token: SeRestorePrivilege	876	msiexec.exe
Token: SeTakeOwnershipPrivilege	876	msiexec.exe
Token: SeRestorePrivilege	876	msiexec.exe
Token: SeTakeOwnershipPrivilege	876	msiexec.exe
Token: SeBackupPrivilege	1868	srtasks.exe
Token: SeRestorePrivilege	1868	srtasks.exe
Token: SeSecurityPrivilege	1868	srtasks.exe
Token: SeTakeOwnershipPrivilege	1868	srtasks.exe
Token: SeBackupPrivilege	1868	srtasks.exe
Token: SeRestorePrivilege	1868	srtasks.exe
Token: SeSecurityPrivilege	1868	srtasks.exe
Token: SeTakeOwnershipPrivilege	1868	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4080	msiexec.exe
4080	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 876 wrote to memory of 1868	876	msiexec.exe	88
PID 876 wrote to memory of 1868	876	msiexec.exe	88
PID 876 wrote to memory of 1588	876	msiexec.exe	90
PID 876 wrote to memory of 1588	876	msiexec.exe	90
PID 876 wrote to memory of 1588	876	msiexec.exe	90
PID 1588 wrote to memory of 4364	1588	MsiExec.exe	91
PID 1588 wrote to memory of 4364	1588	MsiExec.exe	91
PID 1588 wrote to memory of 4364	1588	MsiExec.exe	91
PID 1588 wrote to memory of 1968	1588	MsiExec.exe	95
PID 1588 wrote to memory of 1968	1588	MsiExec.exe	95
PID 1588 wrote to memory of 1968	1588	MsiExec.exe	95
PID 1588 wrote to memory of 3060	1588	MsiExec.exe	97
PID 1588 wrote to memory of 3060	1588	MsiExec.exe	97
PID 3060 wrote to memory of 1600	3060	vlc.exe	98
PID 3060 wrote to memory of 1600	3060	vlc.exe	98
PID 3060 wrote to memory of 1600	3060	vlc.exe	98
PID 1588 wrote to memory of 668	1588	MsiExec.exe	99
PID 1588 wrote to memory of 668	1588	MsiExec.exe	99
PID 1588 wrote to memory of 668	1588	MsiExec.exe	99

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1927c89e8514cc8d7516d4513331a6c461d00547d107ffb7985742c46806f8f5.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4080

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:876
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1868
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 1C2A8D782E0A14B5D4EA49E531D0B9E3
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-45a5ab98-840c-4cc8-98cc-e95d6a467e32\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:4364
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:1968
- - C:\Users\Admin\AppData\Local\Temp\MW-45a5ab98-840c-4cc8-98cc-e95d6a467e32\files\vlc.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-45a5ab98-840c-4cc8-98cc-e95d6a467e32\files\vlc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3060
  - - \??\c:\temp\Autoit3.exe
      "c:\temp\Autoit3.exe" c:\temp\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:1600
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-45a5ab98-840c-4cc8-98cc-e95d6a467e32\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:668

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-45a5ab98-840c-4cc8-98cc-e95d6a467e32\files.cab

Filesize
4.0MB

MD5
0578a9b3f1f5efcfcabd1b4129bcaa0b

SHA1
b3c1079cc69f45faf9863d233d8765ac6c301850

SHA256
234e25efdc6685d98d99ffa87f0aabe4a41a62d2f0147d5f9e246d7c3be7d015

SHA512
05c48b8f062ff70a1014efbb8f7232a7e9eeed9b2096cf81b6b40d3ff9b83b33b81365e98e2988320c4e90f8c1b94b3577baa6fd0d502734d02f5c256e07c076

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-45a5ab98-840c-4cc8-98cc-e95d6a467e32\files\libvlc.dll

Filesize
1.5MB

MD5
0a95072b247d25671784f7904ff96c2b

SHA1
7eb59ffc0798cfddbb81ab606778c361a223f3ac

SHA256
e05a7b47a4ddf8e85c1dd406fcf62d4cd3de7208212a6d0e9360c06e1acfc1bf

SHA512
b00f8e2b28dde8a88a923062c57cd727cceac6bb6db1e61b6600c3ed6dbf7a5559a673ea5e16bf4b538325b82137bd39c94765d8987210d9b63078cc571cc73f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-45a5ab98-840c-4cc8-98cc-e95d6a467e32\files\sqlite3.dll

Filesize
1.6MB

MD5
7004c5b33f5e25bcf30296f0f73d9d9a

SHA1
c41409ebd54a2fcf6384c5da731ad72379d7bbe2

SHA256
f4fa5b3e56077d29e3877dbc1f2c8feb507fb4add72f6023ddb6af00bab7fcf7

SHA512
52a0d605dfcf4e07bd07c41c38e6e65eb91f6bdc7aad323d8b1c1b90b1bb2c093443a4567bb8c1dac2b67ef050c322e6b60a76c366b76176117650beebc3afbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-45a5ab98-840c-4cc8-98cc-e95d6a467e32\files\vlc.exe

Filesize
966KB

MD5
035860e139ba6db1b38d5346cb6ff5b6

SHA1
d515303cbca3a8ae7a0463fecd418d81b314e650

SHA256
16197a321fc7b0a2a311e689621fe4a7cd50fdcb2d163973a31e4fd6352232d7

SHA512
14dab9108d85af72001631130923b94483dd1440f24a8eedad41756db3030c5e11e80ec894922c389e09c86e8b721bcbd8594bd3646f484560f89963a7e18cc7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-45a5ab98-840c-4cc8-98cc-e95d6a467e32\msiwrapper.ini

Filesize
1KB

MD5
ecb700e6e4a26480a1c1a049984035ee

SHA1
23e466c29a5def7e81db3fc0eedf1e4d1cbf665c

SHA256
47264a2e2e9eafa35977353b7637469622787ae6efa04f8a6ca56b3169808927

SHA512
d79c346dba3f820dff66b8757a6725c92f27de96b1f1fcb1759b81a9d2c22eb119820965919fd79b172eaf6227ac0df289224badf584312a78818278a67c3bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-45a5ab98-840c-4cc8-98cc-e95d6a467e32\msiwrapper.ini

Filesize
1KB

MD5
d05d645d93cc4a754c7351f587ef1d13

SHA1
dcd23c1d9e3eac9933cc206860e0cd68b1133bdb

SHA256
ff80dcae6deed93b9fb154cac5e859f4cb8ba1fcaeadbff34548d179e498c29b

SHA512
12fdb8bf276e747eb55b6d77a2b3d4e3b1848fa7147b1b55262fe98f13954af9d0d3b6a5d84503fc042a4ed0066b8b438eaf52b81f2c10fe050d2bc8dccfad79

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-45a5ab98-840c-4cc8-98cc-e95d6a467e32\msiwrapper.ini

Filesize
1KB

MD5
5a57046543f6abf29ad3052714bf1346

SHA1
ba6e706353dfd66db2fd6493dc852badd2ad2fdf

SHA256
ed6bce3907ed4c84ab1e4ca07bb1de77d648924558265b9770f7b7ed1b63a977

SHA512
8752010717f03e59bd0233c95f4834d7dabac19ef73702cf6d10074a86db5c6258e417be551d99fe1bb96c4c36b797d6fac0818c0e3db961251581e13ddc2601

Download Submit
C:\Windows\Installer\MSI732C.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\Autoit3.exe

Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
1e43e0f5b440a5ad4a3a06b88c56b50a

SHA1
c813b0ba87ad96b68f5be0fb5f545615fce94d11

SHA256
31cf087345e9babf618f280605699bb065d7c1557262272cfa3b4605368990a7

SHA512
cd16692fa3092d6e095699453029b0c8ac14249ae664c57132d4fd5339a8b1299a34d102f37403452bccc1f02c2593d7e02aa0cfaf8bb1bbcceaf3e0500ea1f7

Download Submit
\??\Volume{14f6f45c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c5b4369a-97a8-4f56-89bc-c5e9e625cbb2}_OnDiskSnapshotProp

Filesize
6KB

MD5
f608542ae4a72bdbdddadeabfbe0c824

SHA1
10ec9072943c03d3c750362fd8406b9d9546b594

SHA256
6ce62083e5375a017b3252322fe8b7da8228dc0424d64b50af9369e1e9fde8bb

SHA512
b5f833089b1d49ac50cbf20a4dcf8e7120d0e83a33e5452e89b7dad900d7d28cc2763e6e09defd0914a45f556a94981df770a5fd040ca399ed973d9be815dc1e

Download Submit
\??\c:\temp\script.au3

Filesize
469KB

MD5
e1803b01e3f187355dbeb87a0c91b76c

SHA1
b78bc11afacf9cfcaade0e200a344c4602f2053d

SHA256
46c5ed90e3d6b8bc85ae369aa87ba75a12eed6a7cfa8edeb497e5ec7f7c75d9e

SHA512
bfcc8cf7c72bcbf2aa2586a653df00e5c0e7fccb748a5fcdf97ebfaa594fbf81e1c24ce1f5ced039dea76bf251a76ec85db2187614039fa882d702bdc14c6bda

Download Submit
\??\c:\temp\test.txt

Filesize
76B

MD5
6f142d573154e352f3787270e5adc50a

SHA1
9dd1b5353225ff98b9a6d5a58a20d5bf6757fa90

SHA256
32133d31a507047ae10993a7f9634e3613d8b894fd07315db266d82dd40976f9

SHA512
5a72458d310f4c1ab1e6a7a6c2ae41ab4debe02b3eeadce73ee26dd64ce25e7044fef20d1aa4716a5212fcdd9bd01c52a6b0df67fcd6c052aff84bd7ee954237

Download Submit
memory/1600-98-0x0000000005220000-0x00000000061F0000-memory.dmp

Filesize
15.8MB

Download
memory/1600-99-0x0000000006710000-0x0000000006A5E000-memory.dmp

Filesize
3.3MB

Download
memory/1600-101-0x0000000006710000-0x0000000006A5E000-memory.dmp

Filesize
3.3MB

Download
memory/3060-85-0x0000017225100000-0x000001722529E000-memory.dmp

Filesize
1.6MB

Download
memory/3060-84-0x000000005EF20000-0x000000005F0AD000-memory.dmp

Filesize
1.6MB

Download
memory/3060-83-0x00007FF6842A0000-0x00007FF684398000-memory.dmp

Filesize
992KB

Download
memory/3060-78-0x0000017225100000-0x000001722529E000-memory.dmp

Filesize
1.6MB

Download