Overview

overview

10

Static

static

42c0b7865a...7f.msi

windows7_x64

8

42c0b7865a...7f.msi

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    04-07-2022 08:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f.msi

  • Size

    3.0MB

  • MD5

    83d7f0fe8d269f04c7665c0b6cbb8ada

  • SHA1

    902921743f59ff19eeb395d2618ef5addeac62fd

  • SHA256

    42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f

  • SHA512

    c51cc2f1779bc9fd659cda5524464098fa19dd86910d7a23b4353d944e5dbe56ba43314ecb9b6352b9614e7f43f76d7b61fe60bf5a5c4889ac264dd8a7f845eb

Score
10/10
cobaltstrike0305419896backdoortrojan

Malware Config

Extracted

Family

cobaltstrike

Botnet

305419896

C2

http://47.111.170.180:8888/load

Attributes
  • access_type

    512

  • host

    47.111.170.180,/load

  • http_header1

    AAAABwAAAAAAAAADAAAABgAAAAZDb29raWUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_header2

    AAAACgAAACZDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQAAAAcAAAAAAAAABQAAAAJpZAAAAAcAAAABAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • http_method1

    GET

  • http_method2

    POST

  • maxdns

    255

  • polling_time

    60000

  • port_number

    8888

  • sc_process32

    %windir%\syswow64\rundll32.exe

  • sc_process64

    %windir%\sysnative\rundll32.exe

  • state_machine

    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCepxWkRvKff9aSr8NJNjICKAfOAkCwiFfvggEjm6rsOd85r6J2MO/aflKXRMu6HUJ7YdYYiTR4AqWEq0crzforQfGXDqJ355NO17M/jGAEtdClSmPsH/w3g3OgnEq4mk086l68Kw0uE3i/neDyRh+nRllGEVlzNToWUJqwR2asBQIDAQABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • unknown1

    4096

  • unknown2

    AAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA==

  • uri

    /submit.php

  • user_agent

    Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

  • watermark

    305419896

Extracted

Family

cobaltstrike

Botnet

0

Attributes
  • watermark

    0

Signatures

  • Cobaltstrike

    Detected malicious payload which is part of Cobaltstrike.

    trojanbackdoorcobaltstrike
  • Blocklisted process makes network request 2 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 12 IoCs
  • Drops file in Windows directory 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 21 IoCs
  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\42c0b7865a97c5bdf243a9fa8a57a622140eaecb52d831aa2f3141a18619ff7f.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:948
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:100
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding CEC92956AE77AF645A393FD3449A747F
        2⤵
        • Loads dropped DLL
        PID:3204
      • C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\aipackagechainer.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\aipackagechainer.exe"
        2⤵
        • Executes dropped EXE
        • Modifies data under HKEY_USERS
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:4812
        • C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\\2.exe
          "C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\\2.exe"
          3⤵
          • Executes dropped EXE
          • Modifies data under HKEY_USERS
          • Suspicious use of WriteProcessMemory
          PID:1992
          • C:\windows\temp\word.exe
            "C:\windows\temp\word.exe"
            4⤵
            • Executes dropped EXE
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            PID:1368
          • C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
            "C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\windows\temp\补充材料.docx" /o ""
            4⤵
            • Drops file in System32 directory
            • Checks processor information in registry
            • Enumerates system info in registry
            • Modifies data under HKEY_USERS
            • Suspicious behavior: AddClipboardFormatListener
            • Suspicious use of SetWindowsHookEx
            PID:1872
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -NonInteractive -NoLogo -ExecutionPolicy RemoteSigned -Command "C:\Users\Admin\AppData\Local\Temp\AI_E19B.ps1 -paths 'C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\file_deleter.ps1','C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\aipackagechainer.exe','C:\Users\Admin\AppData\Roaming\Microsoft\' -retry_count 10"
          3⤵
          • Blocklisted process makes network request
          • Drops file in System32 directory
          • Modifies data under HKEY_USERS
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3716
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            4⤵
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            PID:2264
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            4⤵
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            PID:404
          • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" -Version 5.1 -s -NoLogo -NoProfile
            4⤵
            • Modifies data under HKEY_USERS
            • Suspicious behavior: EnumeratesProcesses
            PID:3560
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:924

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    4
    T1012

    Peripheral Device Discovery

    2
    T1120

    System Information Discovery

    5
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\AI_E19B.ps1
      Filesize

      13KB

      MD5

      bc738a907de8fd82f60b3076399d2919

      SHA1

      b1ba780669af90d283ee41b46fd3a9c0be63289e

      SHA256

      b2d5923658a04edcff416e46d17c64badd95d02df97601e141ade64474c9e3f0

      SHA512

      70a66f14b056aa2c92df10f5875e835642ced758512c54a85739ddf208362f080644d72d50129ba0adcb941c02a0398c90f1a6ad1762a8070c3f872a84679d9b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\aipackagechainer.exe
      Filesize

      748KB

      MD5

      cf23d98b7e5d4f005b90c14e99ef146a

      SHA1

      a89c40cc44930374ac4510f4978990f987975e7d

      SHA256

      6306724878799a05095288abdafb4d8e2a741f66f33ccebf5d834fbb08da7d8f

      SHA512

      176ba66df9f050cc932b6367c47e1c9ccfec3e2813234545cdc55eed13ddb72034d2d6984a9cd2fef9ed13ffdd5b698b275ad7c940ba74cf62c1fa2c4a3de579

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\aipackagechainer.exe
      Filesize

      748KB

      MD5

      cf23d98b7e5d4f005b90c14e99ef146a

      SHA1

      a89c40cc44930374ac4510f4978990f987975e7d

      SHA256

      6306724878799a05095288abdafb4d8e2a741f66f33ccebf5d834fbb08da7d8f

      SHA512

      176ba66df9f050cc932b6367c47e1c9ccfec3e2813234545cdc55eed13ddb72034d2d6984a9cd2fef9ed13ffdd5b698b275ad7c940ba74cf62c1fa2c4a3de579

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\aipackagechainer.ini
      Filesize

      1KB

      MD5

      aa344a2c80996664a3487d188bb8db38

      SHA1

      df818590e6b6c6f00a8636630e3382932e283059

      SHA256

      671eb170889772d3db273ac5e69a0c0a3bc842721c583d164afb7f1e34033c82

      SHA512

      46e39a5a55789b7f05f7107d1fef1b5271bfc61741c7d3018e8661b6d2f9bb604c1081a130c557b01c005ae6bbd3836d7cf25e0fb79a7d7de54222dcb56edca5

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\file_deleter.ps1
      Filesize

      13KB

      MD5

      bc738a907de8fd82f60b3076399d2919

      SHA1

      b1ba780669af90d283ee41b46fd3a9c0be63289e

      SHA256

      b2d5923658a04edcff416e46d17c64badd95d02df97601e141ade64474c9e3f0

      SHA512

      70a66f14b056aa2c92df10f5875e835642ced758512c54a85739ddf208362f080644d72d50129ba0adcb941c02a0398c90f1a6ad1762a8070c3f872a84679d9b

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\\2.exe
      Filesize

      681KB

      MD5

      0340cd41dc46e57d7a496c55e735f8b3

      SHA1

      78ef3380bb7307d5b2020a35c5a845160b9405e3

      SHA256

      bf4d9742ea09c84b3057aac8c456efd3b069a5d181f70ccd6e7524278c281596

      SHA512

      7ee2732940b0626d0d45f364e35ed7207b09b9ba979468dfce281293d3817fac50379e43f1fa43affb7a7e22413b08352a024d19f089d3213af662ab4b103066

      Download Submit
    • C:\Users\Admin\AppData\Roaming\Microsoft\\prerequisites\\2.exe
      Filesize

      681KB

      MD5

      0340cd41dc46e57d7a496c55e735f8b3

      SHA1

      78ef3380bb7307d5b2020a35c5a845160b9405e3

      SHA256

      bf4d9742ea09c84b3057aac8c456efd3b069a5d181f70ccd6e7524278c281596

      SHA512

      7ee2732940b0626d0d45f364e35ed7207b09b9ba979468dfce281293d3817fac50379e43f1fa43affb7a7e22413b08352a024d19f089d3213af662ab4b103066

      Download Submit
    • C:\Windows\Installer\MSID372.tmp
      Filesize

      549KB

      MD5

      822ec3c1b42ffdf6db9a15936f4512cf

      SHA1

      6ea07cae9eea92dd58bb6a81d3795033825e7045

      SHA256

      94cc96b889d32f8df13878f3ce538a741fa2d48444285c5c36849a817fc25597

      SHA512

      0d124c4964db15240213d9c6c93a756c7d4d97d05a2acf2a00851d26b0f0b947b5927847aa05b60a6fac674111243f897706f764964e3d2d7a639e84a36819f4

      Download Submit
    • C:\Windows\Installer\MSID372.tmp
      Filesize

      549KB

      MD5

      822ec3c1b42ffdf6db9a15936f4512cf

      SHA1

      6ea07cae9eea92dd58bb6a81d3795033825e7045

      SHA256

      94cc96b889d32f8df13878f3ce538a741fa2d48444285c5c36849a817fc25597

      SHA512

      0d124c4964db15240213d9c6c93a756c7d4d97d05a2acf2a00851d26b0f0b947b5927847aa05b60a6fac674111243f897706f764964e3d2d7a639e84a36819f4

      Download Submit
    • C:\Windows\Installer\MSID632.tmp
      Filesize

      549KB

      MD5

      822ec3c1b42ffdf6db9a15936f4512cf

      SHA1

      6ea07cae9eea92dd58bb6a81d3795033825e7045

      SHA256

      94cc96b889d32f8df13878f3ce538a741fa2d48444285c5c36849a817fc25597

      SHA512

      0d124c4964db15240213d9c6c93a756c7d4d97d05a2acf2a00851d26b0f0b947b5927847aa05b60a6fac674111243f897706f764964e3d2d7a639e84a36819f4

      Download Submit
    • C:\Windows\Installer\MSID632.tmp
      Filesize

      549KB

      MD5

      822ec3c1b42ffdf6db9a15936f4512cf

      SHA1

      6ea07cae9eea92dd58bb6a81d3795033825e7045

      SHA256

      94cc96b889d32f8df13878f3ce538a741fa2d48444285c5c36849a817fc25597

      SHA512

      0d124c4964db15240213d9c6c93a756c7d4d97d05a2acf2a00851d26b0f0b947b5927847aa05b60a6fac674111243f897706f764964e3d2d7a639e84a36819f4

      Download Submit
    • C:\Windows\Installer\MSID6DF.tmp
      Filesize

      549KB

      MD5

      822ec3c1b42ffdf6db9a15936f4512cf

      SHA1

      6ea07cae9eea92dd58bb6a81d3795033825e7045

      SHA256

      94cc96b889d32f8df13878f3ce538a741fa2d48444285c5c36849a817fc25597

      SHA512

      0d124c4964db15240213d9c6c93a756c7d4d97d05a2acf2a00851d26b0f0b947b5927847aa05b60a6fac674111243f897706f764964e3d2d7a639e84a36819f4

      Download Submit
    • C:\Windows\Installer\MSID6DF.tmp
      Filesize

      549KB

      MD5

      822ec3c1b42ffdf6db9a15936f4512cf

      SHA1

      6ea07cae9eea92dd58bb6a81d3795033825e7045

      SHA256

      94cc96b889d32f8df13878f3ce538a741fa2d48444285c5c36849a817fc25597

      SHA512

      0d124c4964db15240213d9c6c93a756c7d4d97d05a2acf2a00851d26b0f0b947b5927847aa05b60a6fac674111243f897706f764964e3d2d7a639e84a36819f4

      Download Submit
    • C:\Windows\Installer\MSID74D.tmp
      Filesize

      549KB

      MD5

      822ec3c1b42ffdf6db9a15936f4512cf

      SHA1

      6ea07cae9eea92dd58bb6a81d3795033825e7045

      SHA256

      94cc96b889d32f8df13878f3ce538a741fa2d48444285c5c36849a817fc25597

      SHA512

      0d124c4964db15240213d9c6c93a756c7d4d97d05a2acf2a00851d26b0f0b947b5927847aa05b60a6fac674111243f897706f764964e3d2d7a639e84a36819f4

      Download Submit
    • C:\Windows\Installer\MSID74D.tmp
      Filesize

      549KB

      MD5

      822ec3c1b42ffdf6db9a15936f4512cf

      SHA1

      6ea07cae9eea92dd58bb6a81d3795033825e7045

      SHA256

      94cc96b889d32f8df13878f3ce538a741fa2d48444285c5c36849a817fc25597

      SHA512

      0d124c4964db15240213d9c6c93a756c7d4d97d05a2acf2a00851d26b0f0b947b5927847aa05b60a6fac674111243f897706f764964e3d2d7a639e84a36819f4

      Download Submit
    • C:\Windows\Installer\MSID7AC.tmp
      Filesize

      631KB

      MD5

      825dfb5d9b0e8a8e6035741c984b60a8

      SHA1

      c6f9d30ec90eb4e814c45acacbe4822f1c8bf02a

      SHA256

      68d1fe2093524c1845f844e4ac9accb71b52aee735250225ecadd33a04f9e1aa

      SHA512

      4cdb95f81c29d4b26ce39fd781b4ef191a28f3961942dbfa345495db8b43b5d705b7310527cd4bd19ade5bb5c1d7d5f9fed6316d1e628e98e18ab938d729ff35

      Download Submit
    • C:\Windows\Installer\MSID7AC.tmp
      Filesize

      631KB

      MD5

      825dfb5d9b0e8a8e6035741c984b60a8

      SHA1

      c6f9d30ec90eb4e814c45acacbe4822f1c8bf02a

      SHA256

      68d1fe2093524c1845f844e4ac9accb71b52aee735250225ecadd33a04f9e1aa

      SHA512

      4cdb95f81c29d4b26ce39fd781b4ef191a28f3961942dbfa345495db8b43b5d705b7310527cd4bd19ade5bb5c1d7d5f9fed6316d1e628e98e18ab938d729ff35

      Download Submit
    • C:\Windows\Installer\MSID973.tmp
      Filesize

      631KB

      MD5

      825dfb5d9b0e8a8e6035741c984b60a8

      SHA1

      c6f9d30ec90eb4e814c45acacbe4822f1c8bf02a

      SHA256

      68d1fe2093524c1845f844e4ac9accb71b52aee735250225ecadd33a04f9e1aa

      SHA512

      4cdb95f81c29d4b26ce39fd781b4ef191a28f3961942dbfa345495db8b43b5d705b7310527cd4bd19ade5bb5c1d7d5f9fed6316d1e628e98e18ab938d729ff35

      Download Submit
    • C:\Windows\Installer\MSID973.tmp
      Filesize

      631KB

      MD5

      825dfb5d9b0e8a8e6035741c984b60a8

      SHA1

      c6f9d30ec90eb4e814c45acacbe4822f1c8bf02a

      SHA256

      68d1fe2093524c1845f844e4ac9accb71b52aee735250225ecadd33a04f9e1aa

      SHA512

      4cdb95f81c29d4b26ce39fd781b4ef191a28f3961942dbfa345495db8b43b5d705b7310527cd4bd19ade5bb5c1d7d5f9fed6316d1e628e98e18ab938d729ff35

      Download Submit
    • C:\Windows\Temp\word.exe
      Filesize

      2.3MB

      MD5

      6493f2382748d4577a21197714ba9a1c

      SHA1

      1a9783715f9c03f281cba6ace448f4c1fdc563ff

      SHA256

      a138863ad495030913fd42f7fce827f0542ef144490b727ee22b4b2f7f503fc3

      SHA512

      d7d4661f602deaf6345d846259da72cf202ba278da9028bc37e8e3a6168bdf7832eb0ff19adc683e63f6c9eac0733cbf1ffb7d9e7537d56ad1fcad716bd22a73

      Download Submit
    • C:\windows\temp\word.exe
      Filesize

      2.3MB

      MD5

      6493f2382748d4577a21197714ba9a1c

      SHA1

      1a9783715f9c03f281cba6ace448f4c1fdc563ff

      SHA256

      a138863ad495030913fd42f7fce827f0542ef144490b727ee22b4b2f7f503fc3

      SHA512

      d7d4661f602deaf6345d846259da72cf202ba278da9028bc37e8e3a6168bdf7832eb0ff19adc683e63f6c9eac0733cbf1ffb7d9e7537d56ad1fcad716bd22a73

      Download Submit
    • C:\windows\temp\补充材料.docx
      Filesize

      17KB

      MD5

      1615c36dd074f6bafbba308c90fb6c53

      SHA1

      14077a3d2a45618ae070a0b7065ff9f4da675e3a

      SHA256

      427043c0b132467069aed626ccd18ddf42bfefbd0e2be4cce8cf2cdad4cc830c

      SHA512

      6aacff7796b7edfae30620f72e9bdbc607b8a34d9d00d43845e83e3805a4a2329fc3116045873e370b8a012226e2e06dfc2d1999ee6877f800ee77fe0fdac175

      Download Submit
    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      23.0MB

      MD5

      59c99605d2a78530a305f20694cc2045

      SHA1

      a87273715834e427ee4fe0929677cbaa10789879

      SHA256

      0ddce63aac7a9121d626a8fa52085c11760146d7c89aae408bfde651531a4f0a

      SHA512

      2c588f83d31a47ce00f22e3b78232f080c018352958f13948e81948354911f63bc38f208a717b0d5f3877ba55f96d1bdbafa103cb9870b4797e948f977600c1c

      Download Submit
    • \??\Volume{edc211e1-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2daa749b-a92d-4084-a3b5-be48988ff643}_OnDiskSnapshotProp
      Filesize

      5KB

      MD5

      696d86a0ba5cf1249ca59f9bf6160e76

      SHA1

      01b2a39cba9c60a490c4fbd1fc9c328c7fd1321c

      SHA256

      708bd9f596249c46d7cefef93ecfc4a73c68f407cf4b033c9da07d1e8df99d34

      SHA512

      99f4241efa7156cf909a95fdd2de83ff64fd65c64e2a7979961717ba71ab0b9a02ea1d20aef34747fdd8ea919fe3439c48ef354b80e83f18ff11bb372083ccd8

      Download Submit
    • memory/100-130-0x0000000000000000-mapping.dmp
      Download
    • memory/404-184-0x0000000006E70000-0x0000000006E8A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/404-183-0x0000000007190000-0x0000000007226000-memory.dmp
      Filesize

      600KB

      Download
    • memory/404-176-0x0000000000000000-mapping.dmp
      Download
    • memory/1368-181-0x000000001E020000-0x000000001E06C000-memory.dmp
      Filesize

      304KB

      Download
    • memory/1368-180-0x000000001DFE0000-0x000000001E020000-memory.dmp
      Filesize

      256KB

      Download
    • memory/1368-165-0x00007FFD507D0000-0x00007FFD51291000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1368-150-0x0000000000000000-mapping.dmp
      Download
    • memory/1368-157-0x0000000002850000-0x0000000002872000-memory.dmp
      Filesize

      136KB

      Download
    • memory/1368-182-0x00007FFD507D0000-0x00007FFD51291000-memory.dmp
      Filesize

      10.8MB

      Download
    • memory/1368-154-0x0000000000400000-0x000000000064E000-memory.dmp
      Filesize

      2.3MB

      Download
    • memory/1872-161-0x00007FFD30710000-0x00007FFD30720000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1872-163-0x00007FFD30710000-0x00007FFD30720000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1872-153-0x0000000000000000-mapping.dmp
      Download
    • memory/1872-160-0x00007FFD30710000-0x00007FFD30720000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1872-162-0x00007FFD30710000-0x00007FFD30720000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1872-170-0x00007FFD2E5B0000-0x00007FFD2E5C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1872-171-0x00007FFD2E5B0000-0x00007FFD2E5C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1872-164-0x00007FFD30710000-0x00007FFD30720000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1992-147-0x0000000000000000-mapping.dmp
      Download
    • memory/2264-175-0x0000000000000000-mapping.dmp
      Download
    • memory/2264-186-0x0000000007740000-0x0000000007CE4000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2264-185-0x0000000007010000-0x0000000007032000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3204-131-0x0000000000000000-mapping.dmp
      Download
    • memory/3560-177-0x0000000000000000-mapping.dmp
      Download
    • memory/3716-168-0x0000000005E00000-0x0000000005E66000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3716-159-0x0000000005530000-0x0000000005B58000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/3716-158-0x0000000004EC0000-0x0000000004EF6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/3716-156-0x0000000000000000-mapping.dmp
      Download
    • memory/3716-169-0x0000000006460000-0x000000000647E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3716-167-0x0000000005D90000-0x0000000005DF6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3716-166-0x0000000005490000-0x00000000054B2000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3716-174-0x00000000075F0000-0x000000000761C000-memory.dmp
      Filesize

      176KB

      Download
    • memory/4812-144-0x0000000000000000-mapping.dmp
      Download