Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-07-2022 15:08
- Static task: static1
- Behavioral task: behavioral1
  - Sample: PDF_3028225.msi
  - Resource: win7-20220414-en
General
- Target: PDF_3028225.msi
- Size: 484KB
- MD5: 47847ac5f01e037c1a18becc0dfd4611
- SHA1: d6f37b18252787c2c2c31358e741d9b834440331
- SHA256: 7d1c0c7e4cbfe49926451ab6365455e5f3889fb17e2508afa9f6e2ebeedaa2c1
- SHA512: 7630b223cddfc31ef7afee9972ab4a5100b048d35f526211e331f4717260e2c29b0962ad35271701b00c5c379f7798004f5140abe8dbc88ddf083d8b2ee78004
Malware Config
Extracted
qakbot
403.780
vip01
1657631718
47.23.89.60:993
37.34.253.233:443
196.203.37.215:80
89.211.209.234:2222
81.158.239.251:2078
179.111.8.52:32101
208.107.221.224:443
24.158.23.166:995
66.230.104.103:443
92.132.132.81:2222
24.139.72.117:443
174.80.15.101:2083
24.178.196.158:2222
100.38.242.113:995
37.186.58.99:995
24.55.67.176:443
74.14.5.179:2222
172.114.160.81:443
40.134.246.185:995
63.143.92.99:995
67.209.195.198:443
179.158.105.44:443
148.64.96.100:443
111.125.245.116:995
32.221.224.140:995
117.248.109.38:21
84.241.8.23:32103
47.180.172.159:443
70.46.220.114:443
109.12.111.14:443
176.45.218.138:995
89.101.97.139:443
121.7.223.45:2222
24.54.48.11:443
94.59.15.180:2222
120.150.218.241:995
187.116.126.216:32101
186.90.153.162:2222
38.70.253.226:2222
104.34.212.7:32103
41.228.22.180:443
217.165.157.202:995
67.165.206.193:993
86.98.78.118:993
172.115.177.204:2222
1.161.79.116:443
82.41.63.217:443
85.6.232.221:2222
93.48.80.198:995
1.161.79.116:995
86.97.10.37:443
174.69.215.101:443
45.46.53.140:2222
197.87.182.135:443
197.94.219.121:443
96.37.113.36:993
76.25.142.196:443
173.21.10.71:2222
217.128.122.65:2222
47.145.130.171:443
47.156.129.52:443
187.172.164.12:443
72.252.157.93:990
72.252.157.93:993
190.252.242.69:443
72.252.157.93:995
69.14.172.24:443
2.178.120.112:61202
70.51.137.244:2222
94.36.193.176:2222
81.193.30.90:443
103.133.11.10:995
120.61.3.142:443
182.52.159.24:443
201.172.23.72:2222
37.208.131.49:50010
173.174.216.62:443
103.246.242.202:443
106.51.48.188:50001
182.191.92.203:995
86.97.246.166:1194
67.69.166.79:2222
45.241.254.69:993
39.49.41.221:995
88.240.59.52:443
39.44.60.200:995
39.52.59.221:995
39.41.16.210:995
217.164.119.30:2222
86.213.75.30:2078
39.57.56.11:995
24.43.99.75:443
101.50.67.155:995
108.56.213.219:995
189.253.167.141:443
5.32.41.45:443
39.53.124.57:995
80.11.74.81:2222
41.84.224.109:443
103.116.178.85:995
184.97.29.26:443
- salt: jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes (flow, pid, process):
  7  2928  msiexec.exe
Loads dropped DLL 1 IoCs
Processes (pid, process):
  2180  regsvr32.exe
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, ioc, process):
  File opened (read-only) by msiexec.exe, 48 entries in the order recorded:
  \??\M: \??\K: \??\L: \??\P: \??\H: \??\S: \??\E: \??\H: \??\I: \??\S: \??\E: \??\Y:
  \??\K: \??\L: \??\T: \??\T: \??\V: \??\B: \??\R: \??\U: \??\W: \??\N: \??\X: \??\Y:
  \??\F: \??\I: \??\Q: \??\Z: \??\P: \??\U: \??\Z: \??\G: \??\O: \??\A: \??\W: \??\A:
  \??\R: \??\V: \??\B: \??\F: \??\G: \??\J: \??\O: \??\Q: \??\J: \??\M: \??\N: \??\X:
Drops file in Windows directory 8 IoCs
Processes (description, ioc, process):
  File created                 C:\Windows\Installer\inprogressinstallinfo.ipi                         msiexec.exe
  File created                 C:\Windows\Installer\SourceHash{0E8C02CA-3030-4459-8253-5139E0330866}  msiexec.exe
  File opened for modification C:\Windows\Installer\MSIC1BA.tmp                                       msiexec.exe
  File created                 C:\Windows\Installer\e57bf2b.msi                                       msiexec.exe
  File created                 C:\Windows\Installer\e57bf29.msi                                       msiexec.exe
  File opened for modification C:\Windows\Installer\e57bf29.msi                                       msiexec.exe
  File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log               msiexec.exe
  File opened for modification C:\Windows\Installer\                                                  msiexec.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005a4eb8c89d443e990000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005a4eb8c80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809005a4eb8c8000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device 
Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
  4156  msiexec.exe   (listed 2 times)
  2180  regsvr32.exe  (listed 2 times)
  3392  explorer.exe  (listed 60 times)
Suspicious behavior: MapViewOfSection 1 IoCs
Processes (pid, process):
  2180  regsvr32.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes (description, pid, process), in the order recorded:
  2928 msiexec.exe: Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege
  4156 msiexec.exe: Token: SeSecurityPrivilege
  2928 msiexec.exe: Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  1528 vssvc.exe: Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  4156 msiexec.exe: Token: SeBackupPrivilege, SeRestorePrivilege
  3120 AUDIODG.EXE: Token: 33, SeIncBasePriorityPrivilege
  4156 msiexec.exe: Token: SeRestorePrivilege, then SeTakeOwnershipPrivilege / SeRestorePrivilege alternating (12 pairs)
Suspicious use of FindShellTrayWindow 2 IoCs
Processes (pid, process):
  2928  msiexec.exe  (listed 2 times)
Suspicious use of WriteProcessMemory 17 IoCs
Processes (description, pid, process, target process):
  PID 4156 wrote to memory of 3964  4156 msiexec.exe   -> srtasks.exe   (listed 2 times)
  PID 4156 wrote to memory of 2408  4156 msiexec.exe   -> regsvr32.exe  (listed 2 times)
  PID 4156 wrote to memory of 4100  4156 msiexec.exe   -> wscript.exe   (listed 2 times)
  PID 2408 wrote to memory of 2180  2408 regsvr32.exe  -> regsvr32.exe  (listed 3 times)
  PID 2180 wrote to memory of 3392  2180 regsvr32.exe  -> explorer.exe  (listed 5 times)
  PID 3392 wrote to memory of 4160  3392 explorer.exe  -> schtasks.exe  (listed 3 times)
Processes (indented by depth in the process tree)
- C:\Windows\system32\msiexec.exe (depth 1)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PDF_3028225.msi
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe (depth 1)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (depth 2)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\system32\regsvr32.exe (depth 2)
    Command line: regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\regsvr32.exe (depth 3)
      Command line: -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\explorer.exe (depth 4)
        Command line: C:\Windows\SysWOW64\explorer.exe
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\schtasks.exe (depth 5)
          Command line: "C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 17:12 /tn orfbywljai /ET 17:23 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABBAGQAbwBiAGUARgBvAG4AdABQAGEAYwBrAFwAbQBhAGkAbgAuAGQAbABsACIA" /SC ONCE
          - Creates scheduled task(s)
  - C:\Windows\system32\wscript.exe (depth 2)
    Command line: wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
- C:\Windows\system32\vssvc.exe (depth 1)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\AUDIODG.EXE (depth 1)
  Command line: C:\Windows\system32\AUDIODG.EXE 0x500 0x518
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_32ADABCB823BA1231EA36C215C0D3FFB
  Filesize: 727B
  MD5: 0d26fcd430e8da3f1d2268e5f2c96948
  SHA1: fde47603630d4b585d3d9d0b9c71a2d04b8d0e4f
  SHA256: 98a8204e097137c5ac750cb4154fe9579c2254180cc842f15d8344e8e2be37ee
  SHA512: 80ba38928c8d6eedfb8e0cb537f0bbab152918c2c65b917ecf33ebad22a49976783560dd963f253dd5a439ee2de695802f357cba2a8aa29b9bd5dc72eb71673a
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 727B
  MD5: a485d69614a6015dd87f332f156dbcda
  SHA1: e173979fc219cc09b20f79a8ac9d2ee72d93668d
  SHA256: 44a294a4e02743fc51bfa36b844d2cbf5f7ee94a9476dcd01ff5300a71860c48
  SHA512: 4f7d64e45b6cb134c8676a4b1e2cc3e43bf24c15670aa8f9b7a4101ca8383d3c2bcf09dfc3856847e72168043dd8ddcf553cf5ecfe99c69032b8eb48508dad60
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_32ADABCB823BA1231EA36C215C0D3FFB
  Filesize: 408B
  MD5: d8f320d0a4671828a044a60d244ec315
  SHA1: bfb63c68b3233c87ca3c34aa3b8971ca0192588e
  SHA256: 07c3d670038f3ef499d933ae717db75f4f069297fe2df42bfe9db74ccaa031fa
  SHA512: c11c1d78dec8e6e023f84ae6f5fd229e9d192f8e153c04abae53125fdf265e171876d639682af3fe83a7aefad1a4a567bdcb32e37323be5e12937e81ee5ea4a6
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
  Filesize: 412B
  MD5: 88021d78b97a995266050f9c15080968
  SHA1: 9895dfeab888f9f062229978cbcdc7b80d5f9987
  SHA256: 46817a2b0808d1b288090e79a2f12e6aec491ae5643fb27e83d75a3906101cae
  SHA512: b0292467a581afc8341a3da19a5971e191a0127b02fed0de20ca6741ce2ed2d50d13ba45c4f1f25ac669c7eb18723c453e1dc644a8bf2d182393f86bca51c570
- C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
  Filesize: 777KB
  MD5: 926382093a313282f4a1639944f3fb0c
  SHA1: 851380d94deeb031aad806795d760f3982399850
  SHA256: 1ce7c87d8dc79ace14eb2a1be829f2d3b321b70717f723a61998ab3b9112eec8
  SHA512: f315d01e8475c4bc73a9c2e18c17c462b826dec66d9900534f0ccddd08f782642828fe1c2b3a04049f82c38f24cd48f419c7d1c91200ca1de32f27642ac145d3
- C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
  Filesize: 68B
  MD5: 0308aa2c8dab8a69de41f5d16679bb9b
  SHA1: c6827bf44a433ff086e787653361859d6f6e2fb3
  SHA256: 0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489
  SHA512: 1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
  Filesize: 23.0MB
  MD5: fbd5048d9068e240c3d273bf00c2d471
  SHA1: 91366f9f7fda9a75e8983e7a6c42c105c0bd5f72
  SHA256: 43b5e6b85c2da687916e40e48355ea4577453234790f8a5947d25c2432805306
  SHA512: 2dda8ae410b01d3a84d451e0fa994f38cc5f59d8450b0e310c9502fdef9fe97f1df6836bbef123ac9848c827b4153bfc5b702dfebdb71e68fe8ce15d45f0b9ff
- \??\Volume{c8b84e5a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{fa328c02-f60e-4ed6-8e50-c1335d2022c7}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: b1d927fad9023abb7d62e0ff37f4744f
  SHA1: 3d31090009f01fa368bf51b836e05b8acbc1b8e9
  SHA256: b10ff77224fb8b290ce2e88a4bf5f521349b3dae171c241b0b7f8659b66f8edf
  SHA512: 95fb0047fa38f87950a2d466cc3aff2552d1849dba83bd1f4816c224db6bd4429f6a13f9586ea82ad3fd845895e4e9a99ba1f074a21e8605ad931ed11f4d658f
- memory/2180-145-0x0000000000C20000-0x0000000000C42000-memory.dmp
  Filesize: 136KB
- memory/2180-139-0x0000000000000000-mapping.dmp
- memory/2180-143-0x0000000000C20000-0x0000000000C42000-memory.dmp
  Filesize: 136KB
- memory/2180-144-0x0000000000BD0000-0x0000000000BF2000-memory.dmp
  Filesize: 136KB
- memory/2180-147-0x0000000000C20000-0x0000000000C42000-memory.dmp
  Filesize: 136KB
- memory/2408-135-0x0000000000000000-mapping.dmp
- memory/3392-146-0x0000000000000000-mapping.dmp
- memory/3392-148-0x00000000012E0000-0x0000000001302000-memory.dmp
  Filesize: 136KB
- memory/3392-150-0x00000000012E0000-0x0000000001302000-memory.dmp
  Filesize: 136KB
- memory/3964-130-0x0000000000000000-mapping.dmp
- memory/4100-136-0x0000000000000000-mapping.dmp
- memory/4160-149-0x0000000000000000-mapping.dmp