Analysis
- max time kernel: 146s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-09-2022 14:35
Static task
static1
Behavioral task
behavioral1
Sample
706d8d2f9bc001d3369661e52e89e93792f73730a49dea07d878b33846605f9f.msi
Resource
win7-20220812-en
General
- Target: 706d8d2f9bc001d3369661e52e89e93792f73730a49dea07d878b33846605f9f.msi
- Size: 13.6MB
- MD5: 757e30a40a2c0428cbdc45531b6266d1
- SHA1: 100e93213987e07ae20e835a304de2b325c5c3aa
- SHA256: 706d8d2f9bc001d3369661e52e89e93792f73730a49dea07d878b33846605f9f
- SHA512: 80f90be70faa431f5cad452f5bbc78ca1168560e8142126dd4c531bef1a1be956fe74f53479c2ebe3b65c54f679185816a6ce722266eb09677fd23039b6e18b4
- SSDEEP: 393216:q+Fve+AYu1hvR7q+c8KbeTQdLi560QUhlr2XJk:RXAD1hvRJ3uL01lhh2Xu
Malware Config
Signatures
Detect Blackmoon payload 1 IoCs
Processes:
resource | yara_rule
- behavioral2/memory/4420-149-0x0000000000400000-0x0000000001DEB000-memory.dmp | family_blackmoon

Processes:
resource | yara_rule
- behavioral2/memory/924-162-0x0000000010000000-0x0000000010192000-memory.dmp | purplefox_rootkit
- behavioral2/memory/924-168-0x0000000000400000-0x00000000006AC000-memory.dmp | purplefox_rootkit

Gh0st RAT payload 2 IoCs
Processes:
resource | yara_rule
- behavioral2/memory/924-162-0x0000000010000000-0x0000000010192000-memory.dmp | family_gh0strat
- behavioral2/memory/924-168-0x0000000000400000-0x00000000006AC000-memory.dmp | family_gh0strat

Downloads MZ/PE file

Executes dropped EXE 6 IoCs
Processes:
pid | process
- 4420 | MSI202B.tmp
- 4652 | aaaa.exe
- 3152 | letsvpn-latest.exe
- 3208 | act.exe
- 2492 | act.exe
- 924 | lsp.exe

Processes:
resource | yara_rule
- C:\Windows\Installer\MSI202B.tmp | vmprotect
- C:\Windows\Installer\MSI202B.tmp | vmprotect
- behavioral2/memory/4420-138-0x0000000000400000-0x0000000001DEB000-memory.dmp | vmprotect
- behavioral2/memory/4420-149-0x0000000000400000-0x0000000001DEB000-memory.dmp | vmprotect
- C:\Users\Public\Videos\lsp.exe | vmprotect
- C:\Users\Public\Videos\lsp.exe | vmprotect
- behavioral2/memory/924-160-0x0000000000400000-0x00000000006AC000-memory.dmp | vmprotect
- behavioral2/memory/924-161-0x0000000000400000-0x00000000006AC000-memory.dmp | vmprotect
- behavioral2/memory/924-168-0x0000000000400000-0x00000000006AC000-memory.dmp | vmprotect

Loads dropped DLL 2 IoCs
Processes:
pid | process
- 3152 | letsvpn-latest.exe
- 3152 | letsvpn-latest.exe

Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory 8 IoCs
Processes:
description | ioc | process
- File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
- File created | C:\Windows\Installer\SourceHash{D0D5A8D4-2C54-41FD-A0C3-50CC56973D60} | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI1D9A.tmp | msiexec.exe
- File opened for modification | C:\Windows\Installer\MSI202B.tmp | msiexec.exe
- File created | C:\Windows\Installer\e571b87.msi | msiexec.exe
- File opened for modification | C:\Windows\Installer\e571b87.msi | msiexec.exe
- File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
- File opened for modification | C:\Windows\Installer\ | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
- 1476 | 924 | WerFault.exe | lsp.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
- Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
- Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache | vssvc.exe
- Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache | vssvc.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 55 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | process
- 1540 | msiexec.exe
- 1540 | msiexec.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
description | pid | process | target process
- PID 624 wrote to memory of 4508 | 624 | msiexec.exe | srtasks.exe
- PID 624 wrote to memory of 4508 | 624 | msiexec.exe | srtasks.exe
- PID 624 wrote to memory of 4420 | 624 | msiexec.exe | MSI202B.tmp
- PID 624 wrote to memory of 4420 | 624 | msiexec.exe | MSI202B.tmp
- PID 624 wrote to memory of 4420 | 624 | msiexec.exe | MSI202B.tmp
- PID 4420 wrote to memory of 4652 | 4420 | MSI202B.tmp | aaaa.exe
- PID 4420 wrote to memory of 4652 | 4420 | MSI202B.tmp | aaaa.exe
- PID 4420 wrote to memory of 4652 | 4420 | MSI202B.tmp | aaaa.exe
- PID 4420 wrote to memory of 3152 | 4420 | MSI202B.tmp | letsvpn-latest.exe
- PID 4420 wrote to memory of 3152 | 4420 | MSI202B.tmp | letsvpn-latest.exe
- PID 4420 wrote to memory of 3152 | 4420 | MSI202B.tmp | letsvpn-latest.exe
- PID 4652 wrote to memory of 3208 | 4652 | aaaa.exe | act.exe
- PID 4652 wrote to memory of 3208 | 4652 | aaaa.exe | act.exe
- PID 4652 wrote to memory of 2492 | 4652 | aaaa.exe | act.exe
- PID 4652 wrote to memory of 2492 | 4652 | aaaa.exe | act.exe
- PID 4652 wrote to memory of 924 | 4652 | aaaa.exe | lsp.exe
- PID 4652 wrote to memory of 924 | 4652 | aaaa.exe | lsp.exe
- PID 4652 wrote to memory of 924 | 4652 | aaaa.exe | lsp.exe
- PID 4652 wrote to memory of 2188 | 4652 | aaaa.exe | SCHTASKS.exe
- PID 4652 wrote to memory of 2188 | 4652 | aaaa.exe | SCHTASKS.exe
- PID 4652 wrote to memory of 2188 | 4652 | aaaa.exe | SCHTASKS.exe
Processes
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\706d8d2f9bc001d3369661e52e89e93792f73730a49dea07d878b33846605f9f.msi
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Installer\MSI202B.tmp
    Command line: "C:\Windows\Installer\MSI202B.tmp"
    Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\aaaa.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\aaaa.exe
      Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Users\Public\Pictures\17704\act.exe
        Command line: C:\Users\Public\Pictures\17704\act.exe 6 23321 fds01234fs56789123afds
        Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
      - C:\Users\Public\Pictures\17704\act.exe
        Command line: C:\Users\Public\Pictures\17704\act.exe 6 23321 fds01234fs56789123afds
        Signatures: Executes dropped EXE
      - C:\Users\Public\Videos\lsp.exe
        Command line: C:\Users\Public\Videos\lsp.exe
        Signatures: Executes dropped EXE
        - C:\Windows\SysWOW64\WerFault.exe
          Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 924 -s 252
          Signatures: Program crash
      - C:\Windows\SysWOW64\SCHTASKS.exe
        Command line: SCHTASKS /Create /SC ONLOGON /TN active /F /RL HIGHEST /TR C:\Users\Public\Pictures\17704\ttvip.exe
        Signatures: Creates scheduled task(s)
    - C:\Users\Admin\AppData\Local\Temp\letsvpn-latest.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\letsvpn-latest.exe
      Signatures: Executes dropped EXE; Loads dropped DLL
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 924 -ip 924
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\aaaa.exe (Filesize: 71KB)
- C:\Users\Admin\AppData\Local\Temp\letsvpn-latest.exe (Filesize: 12.3MB)
- C:\Users\Admin\AppData\Local\Temp\nse37AB.tmp\System.dll (Filesize: 11KB)
- C:\Users\Admin\AppData\Local\Temp\nse37AB.tmp\nsDialogs.dll (Filesize: 9KB)
- C:\Users\Public\Pictures\17704\act.exe (Filesize: 149KB)
- C:\Users\Public\Videos\lsp.exe (Filesize: 1.0MB)
- C:\Windows\Installer\MSI202B.tmp (Filesize: 13.5MB)
- \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2 (Filesize: 11.8MB)
- \??\Volume{2339e045-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{159e4a73-5664-4600-b0fa-52cdab621dbf}_OnDiskSnapshotProp (Filesize: 5KB)