qakbot | 7d1c0c7e4cbfe49926451ab6365455e5f3889fb17e2508afa9f6e2ebeedaa2c1

Resubmissions

15-07-2022 15:08

220715-sh9dfsbfb7 10

12-07-2022 16:28

220712-tyx6ssaahj 10

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
15-07-2022 15:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PDF_3028225.msi
Size

484KB
MD5

47847ac5f01e037c1a18becc0dfd4611
SHA1

d6f37b18252787c2c2c31358e741d9b834440331
SHA256

7d1c0c7e4cbfe49926451ab6365455e5f3889fb17e2508afa9f6e2ebeedaa2c1
SHA512

7630b223cddfc31ef7afee9972ab4a5100b048d35f526211e331f4717260e2c29b0962ad35271701b00c5c379f7798004f5140abe8dbc88ddf083d8b2ee78004

Score

10^/10

qakbot vip01 1657631718 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.780

Botnet

vip01

Campaign

1657631718

47.23.89.60:993

37.34.253.233:443

196.203.37.215:80

89.211.209.234:2222

81.158.239.251:2078

179.111.8.52:32101

208.107.221.224:443

24.158.23.166:995

66.230.104.103:443

92.132.132.81:2222

24.139.72.117:443

174.80.15.101:2083

24.178.196.158:2222

100.38.242.113:995

37.186.58.99:995

24.55.67.176:443

74.14.5.179:2222

172.114.160.81:443

40.134.246.185:995

63.143.92.99:995

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot
Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

7 2928 msiexec.exe
Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

2180 regsvr32.exe

flow	pid	process
7	2928	msiexec.exe

pid	process
2180	regsvr32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0E8C02CA-3030-4459-8253-5139E0330866}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC1BA.tmp	msiexec.exe
File created	C:\Windows\Installer\e57bf2b.msi	msiexec.exe
File created	C:\Windows\Installer\e57bf29.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57bf29.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005a4eb8c89d443e990000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005a4eb8c80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809005a4eb8c8000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4160 schtasks.exe

pid	process
4160	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeregsvr32.exeexplorer.exe

pid	process
4156	msiexec.exe
4156	msiexec.exe
2180	regsvr32.exe
2180	regsvr32.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe
3392	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

2180 regsvr32.exe

pid	process
2180	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeAUDIODG.EXE

description	pid	process
Token: SeShutdownPrivilege	2928	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2928	msiexec.exe
Token: SeSecurityPrivilege	4156	msiexec.exe
Token: SeCreateTokenPrivilege	2928	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2928	msiexec.exe
Token: SeLockMemoryPrivilege	2928	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2928	msiexec.exe
Token: SeMachineAccountPrivilege	2928	msiexec.exe
Token: SeTcbPrivilege	2928	msiexec.exe
Token: SeSecurityPrivilege	2928	msiexec.exe
Token: SeTakeOwnershipPrivilege	2928	msiexec.exe
Token: SeLoadDriverPrivilege	2928	msiexec.exe
Token: SeSystemProfilePrivilege	2928	msiexec.exe
Token: SeSystemtimePrivilege	2928	msiexec.exe
Token: SeProfSingleProcessPrivilege	2928	msiexec.exe
Token: SeIncBasePriorityPrivilege	2928	msiexec.exe
Token: SeCreatePagefilePrivilege	2928	msiexec.exe
Token: SeCreatePermanentPrivilege	2928	msiexec.exe
Token: SeBackupPrivilege	2928	msiexec.exe
Token: SeRestorePrivilege	2928	msiexec.exe
Token: SeShutdownPrivilege	2928	msiexec.exe
Token: SeDebugPrivilege	2928	msiexec.exe
Token: SeAuditPrivilege	2928	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2928	msiexec.exe
Token: SeChangeNotifyPrivilege	2928	msiexec.exe
Token: SeRemoteShutdownPrivilege	2928	msiexec.exe
Token: SeUndockPrivilege	2928	msiexec.exe
Token: SeSyncAgentPrivilege	2928	msiexec.exe
Token: SeEnableDelegationPrivilege	2928	msiexec.exe
Token: SeManageVolumePrivilege	2928	msiexec.exe
Token: SeImpersonatePrivilege	2928	msiexec.exe
Token: SeCreateGlobalPrivilege	2928	msiexec.exe
Token: SeBackupPrivilege	1528	vssvc.exe
Token: SeRestorePrivilege	1528	vssvc.exe
Token: SeAuditPrivilege	1528	vssvc.exe
Token: SeBackupPrivilege	4156	msiexec.exe
Token: SeRestorePrivilege	4156	msiexec.exe
Token: 33	3120	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3120	AUDIODG.EXE
Token: SeRestorePrivilege	4156	msiexec.exe
Token: SeTakeOwnershipPrivilege	4156	msiexec.exe
Token: SeRestorePrivilege	4156	msiexec.exe
Token: SeTakeOwnershipPrivilege	4156	msiexec.exe
Token: SeRestorePrivilege	4156	msiexec.exe
Token: SeTakeOwnershipPrivilege	4156	msiexec.exe
Token: SeRestorePrivilege	4156	msiexec.exe
Token: SeTakeOwnershipPrivilege	4156	msiexec.exe
Token: SeRestorePrivilege	4156	msiexec.exe
Token: SeTakeOwnershipPrivilege	4156	msiexec.exe
Token: SeRestorePrivilege	4156	msiexec.exe
Token: SeTakeOwnershipPrivilege	4156	msiexec.exe
Token: SeRestorePrivilege	4156	msiexec.exe
Token: SeTakeOwnershipPrivilege	4156	msiexec.exe
Token: SeRestorePrivilege	4156	msiexec.exe
Token: SeTakeOwnershipPrivilege	4156	msiexec.exe
Token: SeRestorePrivilege	4156	msiexec.exe
Token: SeTakeOwnershipPrivilege	4156	msiexec.exe
Token: SeRestorePrivilege	4156	msiexec.exe
Token: SeTakeOwnershipPrivilege	4156	msiexec.exe
Token: SeRestorePrivilege	4156	msiexec.exe
Token: SeTakeOwnershipPrivilege	4156	msiexec.exe
Token: SeRestorePrivilege	4156	msiexec.exe
Token: SeTakeOwnershipPrivilege	4156	msiexec.exe
Token: SeRestorePrivilege	4156	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2928 msiexec.exe
2928 msiexec.exe

pid	process
2928	msiexec.exe
2928	msiexec.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

msiexec.exeregsvr32.exeregsvr32.exeexplorer.exe

description	pid	process	target process
PID 4156 wrote to memory of 3964	4156	msiexec.exe	srtasks.exe
PID 4156 wrote to memory of 3964	4156	msiexec.exe	srtasks.exe
PID 4156 wrote to memory of 2408	4156	msiexec.exe	regsvr32.exe
PID 4156 wrote to memory of 2408	4156	msiexec.exe	regsvr32.exe
PID 4156 wrote to memory of 4100	4156	msiexec.exe	wscript.exe
PID 4156 wrote to memory of 4100	4156	msiexec.exe	wscript.exe
PID 2408 wrote to memory of 2180	2408	regsvr32.exe	regsvr32.exe
PID 2408 wrote to memory of 2180	2408	regsvr32.exe	regsvr32.exe
PID 2408 wrote to memory of 2180	2408	regsvr32.exe	regsvr32.exe
PID 2180 wrote to memory of 3392	2180	regsvr32.exe	explorer.exe
PID 2180 wrote to memory of 3392	2180	regsvr32.exe	explorer.exe
PID 2180 wrote to memory of 3392	2180	regsvr32.exe	explorer.exe
PID 2180 wrote to memory of 3392	2180	regsvr32.exe	explorer.exe
PID 2180 wrote to memory of 3392	2180	regsvr32.exe	explorer.exe
PID 3392 wrote to memory of 4160	3392	explorer.exe	schtasks.exe
PID 3392 wrote to memory of 4160	3392	explorer.exe	schtasks.exe
PID 3392 wrote to memory of 4160	3392	explorer.exe	schtasks.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PDF_3028225.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2928

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4156

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:3964

C:\Windows\system32\regsvr32.exe
regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
2⤵
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\SysWOW64\regsvr32.exe
-n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3392

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\system32\schtasks.exe" /Create /RU "NT AUTHORITY\SYSTEM" /Z /ST 17:12 /tn orfbywljai /ET 17:23 /tr "powershell.exe -encodedCommand cgBlAGcAcwB2AHIAMwAyAC4AZQB4AGUAIAAiAEMAOgBcAFUAcwBlAHIAcwBcAEEAZABtAGkAbgBcAEEAcABwAEQAYQB0AGEAXABMAG8AYwBhAGwAXABBAGQAbwBiAGUARgBvAG4AdABQAGEAYwBrAFwAbQBhAGkAbgAuAGQAbABsACIA" /SC ONCE
5⤵
- Creates scheduled task(s)
PID:4160

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
2⤵
PID:4100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500 0x518
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3120

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_32ADABCB823BA1231EA36C215C0D3FFB
Filesize
727B

MD5
0d26fcd430e8da3f1d2268e5f2c96948

SHA1
fde47603630d4b585d3d9d0b9c71a2d04b8d0e4f

SHA256
98a8204e097137c5ac750cb4154fe9579c2254180cc842f15d8344e8e2be37ee

SHA512
80ba38928c8d6eedfb8e0cb537f0bbab152918c2c65b917ecf33ebad22a49976783560dd963f253dd5a439ee2de695802f357cba2a8aa29b9bd5dc72eb71673a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize
727B

MD5
a485d69614a6015dd87f332f156dbcda

SHA1
e173979fc219cc09b20f79a8ac9d2ee72d93668d

SHA256
44a294a4e02743fc51bfa36b844d2cbf5f7ee94a9476dcd01ff5300a71860c48

SHA512
4f7d64e45b6cb134c8676a4b1e2cc3e43bf24c15670aa8f9b7a4101ca8383d3c2bcf09dfc3856847e72168043dd8ddcf553cf5ecfe99c69032b8eb48508dad60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_32ADABCB823BA1231EA36C215C0D3FFB
Filesize
408B

MD5
d8f320d0a4671828a044a60d244ec315

SHA1
bfb63c68b3233c87ca3c34aa3b8971ca0192588e

SHA256
07c3d670038f3ef499d933ae717db75f4f069297fe2df42bfe9db74ccaa031fa

SHA512
c11c1d78dec8e6e023f84ae6f5fd229e9d192f8e153c04abae53125fdf265e171876d639682af3fe83a7aefad1a4a567bdcb32e37323be5e12937e81ee5ea4a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize
412B

MD5
88021d78b97a995266050f9c15080968

SHA1
9895dfeab888f9f062229978cbcdc7b80d5f9987

SHA256
46817a2b0808d1b288090e79a2f12e6aec491ae5643fb27e83d75a3906101cae

SHA512
b0292467a581afc8341a3da19a5971e191a0127b02fed0de20ca6741ce2ed2d50d13ba45c4f1f25ac669c7eb18723c453e1dc644a8bf2d182393f86bca51c570

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
Filesize
777KB

MD5
926382093a313282f4a1639944f3fb0c

SHA1
851380d94deeb031aad806795d760f3982399850

SHA256
1ce7c87d8dc79ace14eb2a1be829f2d3b321b70717f723a61998ab3b9112eec8

SHA512
f315d01e8475c4bc73a9c2e18c17c462b826dec66d9900534f0ccddd08f782642828fe1c2b3a04049f82c38f24cd48f419c7d1c91200ca1de32f27642ac145d3

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
Filesize
777KB

MD5
926382093a313282f4a1639944f3fb0c

SHA1
851380d94deeb031aad806795d760f3982399850

SHA256
1ce7c87d8dc79ace14eb2a1be829f2d3b321b70717f723a61998ab3b9112eec8

SHA512
f315d01e8475c4bc73a9c2e18c17c462b826dec66d9900534f0ccddd08f782642828fe1c2b3a04049f82c38f24cd48f419c7d1c91200ca1de32f27642ac145d3

Download Submit
C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
Filesize
68B

MD5
0308aa2c8dab8a69de41f5d16679bb9b

SHA1
c6827bf44a433ff086e787653361859d6f6e2fb3

SHA256
0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489

SHA512
1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
fbd5048d9068e240c3d273bf00c2d471

SHA1
91366f9f7fda9a75e8983e7a6c42c105c0bd5f72

SHA256
43b5e6b85c2da687916e40e48355ea4577453234790f8a5947d25c2432805306

SHA512
2dda8ae410b01d3a84d451e0fa994f38cc5f59d8450b0e310c9502fdef9fe97f1df6836bbef123ac9848c827b4153bfc5b702dfebdb71e68fe8ce15d45f0b9ff

Download Submit
\??\Volume{c8b84e5a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{fa328c02-f60e-4ed6-8e50-c1335d2022c7}_OnDiskSnapshotProp
Filesize
5KB

MD5
b1d927fad9023abb7d62e0ff37f4744f

SHA1
3d31090009f01fa368bf51b836e05b8acbc1b8e9

SHA256
b10ff77224fb8b290ce2e88a4bf5f521349b3dae171c241b0b7f8659b66f8edf

SHA512
95fb0047fa38f87950a2d466cc3aff2552d1849dba83bd1f4816c224db6bd4429f6a13f9586ea82ad3fd845895e4e9a99ba1f074a21e8605ad931ed11f4d658f

Download Submit
memory/2180-145-0x0000000000C20000-0x0000000000C42000-memory.dmp

Filesize
136KB

Download
memory/2180-139-0x0000000000000000-mapping.dmp

Download
memory/2180-143-0x0000000000C20000-0x0000000000C42000-memory.dmp

Filesize
136KB

Download
memory/2180-144-0x0000000000BD0000-0x0000000000BF2000-memory.dmp

Filesize
136KB

Download
memory/2180-147-0x0000000000C20000-0x0000000000C42000-memory.dmp

Filesize
136KB

Download
memory/2408-135-0x0000000000000000-mapping.dmp

Download
memory/3392-146-0x0000000000000000-mapping.dmp

Download
memory/3392-148-0x00000000012E0000-0x0000000001302000-memory.dmp

Filesize
136KB

Download
memory/3392-150-0x00000000012E0000-0x0000000001302000-memory.dmp

Filesize
136KB

Download
memory/3964-130-0x0000000000000000-mapping.dmp

Download
memory/4100-136-0x0000000000000000-mapping.dmp

Download
memory/4160-149-0x0000000000000000-mapping.dmp

Download