Analysis
-
max time kernel
149s
-
max time network
151s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240226-en
-
resource tags
arch:x64 arch:x86 image:win10v2004-20240226-en locale:en-us os:windows10-2004-x64 system
-
submitted
02-04-2024 09:52
Static task
static1
Behavioral task
behavioral1
Sample
6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70.msi
Resource
win7-20240221-en
General
-
Target
6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70.msi
-
Size
1.8MB
-
MD5
247a8cc39384e93d258360a11381000f
-
SHA1
23893f035f8564dfea5030b9fdd54120d96072bb
-
SHA256
6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70
-
SHA512
336eca9569c0072e92ce16743f47ba9d6be06390a196f8e81654d6a42642ff5c99e423bfed00a8396bb0b037d5b54df8c3bde53757646e7e1a204f3be271c998
-
SSDEEP
24576:ftncpVGP4I9FsEsyt8l+E+s1tB7parWM0+AL5QgZQvUXtAqlU0ZyMRp:epUP59FBJZEH1X1arF0vN/nX
Malware Config
Extracted
darkgate
http://80.66.88.145
-
anti_analysis
false
-
anti_debug
false
-
anti_vm
false
-
c2_port
7891
-
check_disk
true
-
check_ram
true
-
check_xeon
false
-
crypter_au3
true
-
crypter_dll
false
-
crypter_raw_stub
false
-
crypto_key
bIWRRCGvGiXOga
-
internal_mutex
bbbGcB
-
minimum_disk
50
-
minimum_ram
4096
-
ping_interval
4
-
rootkit
true
-
startup_persistence
true
Signatures
-
Detect DarkGate stealer 9 IoCs
resource yara_rule
behavioral2/memory/2380-75-0x0000000004B00000-0x0000000004CD9000-memory.dmp family_darkgate_v6
behavioral2/memory/2380-79-0x0000000004B00000-0x0000000004CD9000-memory.dmp family_darkgate_v6
behavioral2/memory/2380-84-0x0000000004B00000-0x0000000004CD9000-memory.dmp family_darkgate_v6
behavioral2/memory/2380-100-0x0000000004B00000-0x0000000004CD9000-memory.dmp family_darkgate_v6
behavioral2/memory/2380-675-0x0000000004B00000-0x0000000004CD9000-memory.dmp family_darkgate_v6
behavioral2/memory/1508-674-0x0000000010490000-0x000000001050E000-memory.dmp family_darkgate_v6
behavioral2/memory/1508-1297-0x0000000010490000-0x000000001050E000-memory.dmp family_darkgate_v6
behavioral2/memory/5476-1298-0x0000000010410000-0x000000001048E000-memory.dmp family_darkgate_v6
behavioral2/memory/5476-1339-0x0000000010410000-0x000000001048E000-memory.dmp family_darkgate_v6
-
Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
description pid Process procid_target
PID 2380 created 756 2380 Autoit3.exe 62
PID 2380 created 2676 2380 Autoit3.exe 48
PID 1508 created 2532 1508 reader_sl.exe 45
-
Drops startup file 1 IoCs
description ioc Process
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kdadghd.lnk reader_sl.exe
-
Modifies file permissions 1 TTPs 2 IoCs
pid Process
4040 ICACLS.EXE
5268 ICACLS.EXE
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
-
Drops file in Windows directory 11 IoCs
description ioc Process
File opened for modification C:\Windows\LOGS\DPX\setuperr.log EXPAND.EXE
File opened for modification C:\Windows\Installer\MSIBB23.tmp msiexec.exe
File created C:\Windows\Installer\e578dc9.msi msiexec.exe
File opened for modification C:\Windows\Installer\e578dc9.msi msiexec.exe
File created C:\Windows\Installer\SourceHash{229FD164-E132-4ADB-8998-1DB40BF25484} msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
File opened for modification C:\Windows\Installer\MSI8E84.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSIBB63.tmp msiexec.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File opened for modification C:\Windows\LOGS\DPX\setupact.log EXPAND.EXE
-
Executes dropped EXE 1 IoCs
pid Process
2380 Autoit3.exe
-
Loads dropped DLL 2 IoCs
pid Process
1980 MsiExec.exe
1980 MsiExec.exe
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache vssvc.exe
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache vssvc.exe
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString reader_sl.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 GoogleUpdateOnDemand.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString GoogleUpdateOnDemand.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Autoit3.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString Autoit3.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 reader_sl.exe
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process
228 msiexec.exe
228 msiexec.exe
2380 Autoit3.exe
2380 Autoit3.exe
2380 Autoit3.exe
2380 Autoit3.exe
2380 Autoit3.exe
2380 Autoit3.exe
1508 reader_sl.exe
1508 reader_sl.exe
1508 reader_sl.exe
1508 reader_sl.exe
5476 GoogleUpdateOnDemand.exe
5476 GoogleUpdateOnDemand.exe
-
Suspicious use of AdjustPrivilegeToken 53 IoCs
description pid Process
Token: SeShutdownPrivilege 632 msiexec.exe
Token: SeIncreaseQuotaPrivilege 632 msiexec.exe
Token: SeSecurityPrivilege 228 msiexec.exe
Token: SeCreateTokenPrivilege 632 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 632 msiexec.exe
Token: SeLockMemoryPrivilege 632 msiexec.exe
Token: SeIncreaseQuotaPrivilege 632 msiexec.exe
Token: SeMachineAccountPrivilege 632 msiexec.exe
Token: SeTcbPrivilege 632 msiexec.exe
Token: SeSecurityPrivilege 632 msiexec.exe
Token: SeTakeOwnershipPrivilege 632 msiexec.exe
Token: SeLoadDriverPrivilege 632 msiexec.exe
Token: SeSystemProfilePrivilege 632 msiexec.exe
Token: SeSystemtimePrivilege 632 msiexec.exe
Token: SeProfSingleProcessPrivilege 632 msiexec.exe
Token: SeIncBasePriorityPrivilege 632 msiexec.exe
Token: SeCreatePagefilePrivilege 632 msiexec.exe
Token: SeCreatePermanentPrivilege 632 msiexec.exe
Token: SeBackupPrivilege 632 msiexec.exe
Token: SeRestorePrivilege 632 msiexec.exe
Token: SeShutdownPrivilege 632 msiexec.exe
Token: SeDebugPrivilege 632 msiexec.exe
Token: SeAuditPrivilege 632 msiexec.exe
Token: SeSystemEnvironmentPrivilege 632 msiexec.exe
Token: SeChangeNotifyPrivilege 632 msiexec.exe
Token: SeRemoteShutdownPrivilege 632 msiexec.exe
Token: SeUndockPrivilege 632 msiexec.exe
Token: SeSyncAgentPrivilege 632 msiexec.exe
Token: SeEnableDelegationPrivilege 632 msiexec.exe
Token: SeManageVolumePrivilege 632 msiexec.exe
Token: SeImpersonatePrivilege 632 msiexec.exe
Token: SeCreateGlobalPrivilege 632 msiexec.exe
Token: SeBackupPrivilege 2260 vssvc.exe
Token: SeRestorePrivilege 2260 vssvc.exe
Token: SeAuditPrivilege 2260 vssvc.exe
Token: SeBackupPrivilege 228 msiexec.exe
Token: SeRestorePrivilege 228 msiexec.exe
Token: SeRestorePrivilege 228 msiexec.exe
Token: SeTakeOwnershipPrivilege 228 msiexec.exe
Token: SeRestorePrivilege 228 msiexec.exe
Token: SeTakeOwnershipPrivilege 228 msiexec.exe
Token: SeBackupPrivilege 2468 srtasks.exe
Token: SeRestorePrivilege 2468 srtasks.exe
Token: SeSecurityPrivilege 2468 srtasks.exe
Token: SeTakeOwnershipPrivilege 2468 srtasks.exe
Token: SeBackupPrivilege 2468 srtasks.exe
Token: SeRestorePrivilege 2468 srtasks.exe
Token: SeSecurityPrivilege 2468 srtasks.exe
Token: SeTakeOwnershipPrivilege 2468 srtasks.exe
Token: SeRestorePrivilege 228 msiexec.exe
Token: SeTakeOwnershipPrivilege 228 msiexec.exe
Token: SeRestorePrivilege 228 msiexec.exe
Token: SeTakeOwnershipPrivilege 228 msiexec.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process
632 msiexec.exe
632 msiexec.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target
PID 228 wrote to memory of 2468 228 msiexec.exe 100
PID 228 wrote to memory of 2468 228 msiexec.exe 100
PID 228 wrote to memory of 1980 228 msiexec.exe 102
PID 228 wrote to memory of 1980 228 msiexec.exe 102
PID 228 wrote to memory of 1980 228 msiexec.exe 102
PID 1980 wrote to memory of 4040 1980 MsiExec.exe 103
PID 1980 wrote to memory of 4040 1980 MsiExec.exe 103
PID 1980 wrote to memory of 4040 1980 MsiExec.exe 103
PID 1980 wrote to memory of 3992 1980 MsiExec.exe 105
PID 1980 wrote to memory of 3992 1980 MsiExec.exe 105
PID 1980 wrote to memory of 3992 1980 MsiExec.exe 105
PID 1980 wrote to memory of 2380 1980 MsiExec.exe 107
PID 1980 wrote to memory of 2380 1980 MsiExec.exe 107
PID 1980 wrote to memory of 2380 1980 MsiExec.exe 107
PID 2380 wrote to memory of 3016 2380 Autoit3.exe 108
PID 2380 wrote to memory of 3016 2380 Autoit3.exe 108
PID 2380 wrote to memory of 3016 2380 Autoit3.exe 108
PID 2380 wrote to memory of 3016 2380 Autoit3.exe 108
PID 2380 wrote to memory of 3016 2380 Autoit3.exe 108
PID 2380 wrote to memory of 3016 2380 Autoit3.exe 108
PID 2380 wrote to memory of 3016 2380 Autoit3.exe 108
PID 2380 wrote to memory of 3016 2380 Autoit3.exe 108
PID 2380 wrote to memory of 3016 2380 Autoit3.exe 108
PID 2380 wrote to memory of 3016 2380 Autoit3.exe 108
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
PID 2380 wrote to memory of 1508 2380 Autoit3.exe 109
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2532
-
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe
"C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe"
2⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:5476
-
-
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2676
-
C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe"
2⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1508
-
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:756
-
C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe
"C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe"
2⤵
PID:3016
-
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\6e068b9dcd8df03fd6456faeb4293c036b91a130a18f86a945c8964a576c1c70.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:632
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228
-
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2468
-
-
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding C80445D7785FF0F7B1EC213AFC302397
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1980
-
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-d1998bb6-449d-4f7a-b220-3a0851bdf1f3\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
3⤵
- Modifies file permissions
PID:4040
-
-
C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
3⤵
- Drops file in Windows directory
PID:3992
-
-
C:\Users\Admin\AppData\Local\Temp\MW-d1998bb6-449d-4f7a-b220-3a0851bdf1f3\files\Autoit3.exe
"C:\Users\Admin\AppData\Local\Temp\MW-d1998bb6-449d-4f7a-b220-3a0851bdf1f3\files\Autoit3.exe" UGtZgHHT.au3
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2380
-
-
C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-d1998bb6-449d-4f7a-b220-3a0851bdf1f3\." /SETINTEGRITYLEVEL (CI)(OI)LOW
3⤵
- Modifies file permissions
PID:5268
-
-
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2260
Network
MITRE ATT&CK Enterprise v15
Downloads
-
\??\Volume{5a066776-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d74ecc86-a070-4ae3-bb63-4885c0a0731c}_OnDiskSnapshotProp
Filesize
6KB