Analysis
-
max time kernel
1800s -
max time network
1793s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system -
submitted
05-12-2022 21:51
Static task
static1
Behavioral task
behavioral1
Sample
c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad.msi
Resource
win7-20220812-en
General
-
Target
c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad.msi
-
Size
597KB
-
MD5
13bd4a09264d6312d957d61d64e79f53
-
SHA1
5ebf19ba1be83ad9e15991e76e509a57aaa9e9c0
-
SHA256
c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad
-
SHA512
b7943be0b78a7de293b19e2b75a6b44bae34997c555e1a83a0064087d828616e601cc04cb8f13e6e44e8b9cb67fe2328b3826c8d31edf8cd5a74e9def710e582
-
SSDEEP
12288:rZzDzxF3RR3sSRogrrYW4OH5IBwBZ3TzChsL4o1U:rZzDzvvRoCBH2WBJChsMo1U
Malware Config
Extracted
qakbot
403.573
AA
1649749884
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
msiexec.exe
flow pid process
8 1688 msiexec.exe
10 1688 msiexec.exe
12 1688 msiexec.exe
-
Loads dropped DLL 1 IoCs
Processes:
regsvr32.exe
pid process
3448 regsvr32.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exe msiexec.exe
description ioc process
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\F: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\F: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
-
Drops file in Windows directory 8 IoCs
Processes:
msiexec.exe
description ioc process
File created C:\Windows\Installer\e573364.msi msiexec.exe
File opened for modification C:\Windows\Installer\e573364.msi msiexec.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
File created C:\Windows\Installer\SourceHash{A1B91EDB-5470-4357-9282-40006CF9DB7E} msiexec.exe
File opened for modification C:\Windows\Installer\MSI3587.tmp msiexec.exe
File created C:\Windows\Installer\e573366.msi msiexec.exe
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msiexec.exeregsvr32.exeexplorer.exepid process 2396 msiexec.exe 2396 msiexec.exe 3448 regsvr32.exe 3448 regsvr32.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe 568 explorer.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
regsvr32.exe
pid process
3448 regsvr32.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exe msiexec.exe vssvc.exe
description pid process
Token: SeShutdownPrivilege 1688 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1688 msiexec.exe
Token: SeSecurityPrivilege 2396 msiexec.exe
Token: SeCreateTokenPrivilege 1688 msiexec.exe
Token: SeAssignPrimaryTokenPrivilege 1688 msiexec.exe
Token: SeLockMemoryPrivilege 1688 msiexec.exe
Token: SeIncreaseQuotaPrivilege 1688 msiexec.exe
Token: SeMachineAccountPrivilege 1688 msiexec.exe
Token: SeTcbPrivilege 1688 msiexec.exe
Token: SeSecurityPrivilege 1688 msiexec.exe
Token: SeTakeOwnershipPrivilege 1688 msiexec.exe
Token: SeLoadDriverPrivilege 1688 msiexec.exe
Token: SeSystemProfilePrivilege 1688 msiexec.exe
Token: SeSystemtimePrivilege 1688 msiexec.exe
Token: SeProfSingleProcessPrivilege 1688 msiexec.exe
Token: SeIncBasePriorityPrivilege 1688 msiexec.exe
Token: SeCreatePagefilePrivilege 1688 msiexec.exe
Token: SeCreatePermanentPrivilege 1688 msiexec.exe
Token: SeBackupPrivilege 1688 msiexec.exe
Token: SeRestorePrivilege 1688 msiexec.exe
Token: SeShutdownPrivilege 1688 msiexec.exe
Token: SeDebugPrivilege 1688 msiexec.exe
Token: SeAuditPrivilege 1688 msiexec.exe
Token: SeSystemEnvironmentPrivilege 1688 msiexec.exe
Token: SeChangeNotifyPrivilege 1688 msiexec.exe
Token: SeRemoteShutdownPrivilege 1688 msiexec.exe
Token: SeUndockPrivilege 1688 msiexec.exe
Token: SeSyncAgentPrivilege 1688 msiexec.exe
Token: SeEnableDelegationPrivilege 1688 msiexec.exe
Token: SeManageVolumePrivilege 1688 msiexec.exe
Token: SeImpersonatePrivilege 1688 msiexec.exe
Token: SeCreateGlobalPrivilege 1688 msiexec.exe
Token: SeBackupPrivilege 3544 vssvc.exe
Token: SeRestorePrivilege 3544 vssvc.exe
Token: SeAuditPrivilege 3544 vssvc.exe
Token: SeBackupPrivilege 2396 msiexec.exe
Token: SeRestorePrivilege 2396 msiexec.exe
Token: SeRestorePrivilege 2396 msiexec.exe
Token: SeTakeOwnershipPrivilege 2396 msiexec.exe
Token: SeRestorePrivilege 2396 msiexec.exe
Token: SeTakeOwnershipPrivilege 2396 msiexec.exe
Token: SeRestorePrivilege 2396 msiexec.exe
Token: SeTakeOwnershipPrivilege 2396 msiexec.exe
Token: SeRestorePrivilege 2396 msiexec.exe
Token: SeTakeOwnershipPrivilege 2396 msiexec.exe
Token: SeRestorePrivilege 2396 msiexec.exe
Token: SeTakeOwnershipPrivilege 2396 msiexec.exe
Token: SeRestorePrivilege 2396 msiexec.exe
Token: SeTakeOwnershipPrivilege 2396 msiexec.exe
Token: SeRestorePrivilege 2396 msiexec.exe
Token: SeTakeOwnershipPrivilege 2396 msiexec.exe
Token: SeRestorePrivilege 2396 msiexec.exe
Token: SeTakeOwnershipPrivilege 2396 msiexec.exe
Token: SeRestorePrivilege 2396 msiexec.exe
Token: SeTakeOwnershipPrivilege 2396 msiexec.exe
Token: SeRestorePrivilege 2396 msiexec.exe
Token: SeTakeOwnershipPrivilege 2396 msiexec.exe
Token: SeRestorePrivilege 2396 msiexec.exe
Token: SeTakeOwnershipPrivilege 2396 msiexec.exe
Token: SeRestorePrivilege 2396 msiexec.exe
Token: SeTakeOwnershipPrivilege 2396 msiexec.exe
Token: SeRestorePrivilege 2396 msiexec.exe
Token: SeTakeOwnershipPrivilege 2396 msiexec.exe
Token: SeRestorePrivilege 2396 msiexec.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exe
pid process
1688 msiexec.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
msiexec.exe MsiExec.exe regsvr32.exe
description pid process target process
PID 2396 wrote to memory of 1900 2396 msiexec.exe srtasks.exe
PID 2396 wrote to memory of 1900 2396 msiexec.exe srtasks.exe
PID 2396 wrote to memory of 4380 2396 msiexec.exe MsiExec.exe
PID 2396 wrote to memory of 4380 2396 msiexec.exe MsiExec.exe
PID 2396 wrote to memory of 4380 2396 msiexec.exe MsiExec.exe
PID 4380 wrote to memory of 3448 4380 MsiExec.exe regsvr32.exe
PID 4380 wrote to memory of 3448 4380 MsiExec.exe regsvr32.exe
PID 4380 wrote to memory of 3448 4380 MsiExec.exe regsvr32.exe
PID 3448 wrote to memory of 568 3448 regsvr32.exe explorer.exe
PID 3448 wrote to memory of 568 3448 regsvr32.exe explorer.exe
PID 3448 wrote to memory of 568 3448 regsvr32.exe explorer.exe
PID 3448 wrote to memory of 568 3448 regsvr32.exe explorer.exe
PID 3448 wrote to memory of 568 3448 regsvr32.exe explorer.exe
Processes
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
-
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 96613FD6F618EFDD6FBA294150CEBC8B
2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" C:\Users\Admin\AppData\Local\SetupTest\1.dll
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDBFilesize
765B
MD56af6b6f4ae6196f189dddbc3359153d0
SHA1a6b8bcd8d52bc78e6ab09a4691eb235bc342da76
SHA25656843ed6f900a0b68969b73463c867953773db38d9070ad3f3bc9f17019199e4
SHA5123ceab49c2e2ed4103e34f9174c69931dba4fd85442084ce37d7bd6bd829068e023f8dcba5f5cdc6c9f5633ab549d481cb322252b75ffd58ae316c273e70888e0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_D2D3A37B25AAA89445E8EFE144391472Filesize
637B
MD5f65e6919f241c149d42e36d0e6751e12
SHA1ed0f88a86d27ab339f1b5ac02dd8a01fdd969a0e
SHA2566e31167e7da0fc7f95061a6ba9201fe52bcaf0e58bca6b22d3d2be857fff1a69
SHA5123b02e7a213b3f625c942ec818a53dcb2c08916b3820991256d9c8168b9cccfa4193019e410ddae30ce52c1afacb3068421da1c0ffa506709673871a263c1bdfb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225FFilesize
1KB
MD5c2e74c923e71f2331e4ac3e559feed88
SHA10dafbf3c9b11edb7a0c7d149f545b88004a951f8
SHA256e2d1f43e63c1fda37b1c26cbeac110ad9edd19f6e3b337b616d57a6c0cb0c54c
SHA5127ee607f0f947a04137c3849697ad5b8ca70b142d2cca8520c7b1f29e009369aff67528ccc01f8a64909bc250dbfcfbf7cbe3a42625a6320196f2f5b253ac9e71
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDBFilesize
484B
MD5a553422bd1e6e9ad02458afd44e77e24
SHA1e1aef3204cc2aae18e6e831d349d399402d4025a
SHA256b85c7217ee92494bcc15ce77ef84a09f8aa3ca572b90890d1bf8f29447ebcbca
SHA51289fa0d8c606b211db5622cf35531454bc9958eb9e51932579004ed784998a94ceb0ff1f1bb65d76eddade841cb6e557a738eecec4c15d8c6c633730d542e259e
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_D2D3A37B25AAA89445E8EFE144391472Filesize
488B
MD54d878f3542ba11b522407cb697798ba1
SHA15ebd54787676b1481d7844f3db53641085a89d46
SHA256154700e1c9dd78cc60384a4125508a2f7aa71576f741e3e51c821321cedb5432
SHA512f87409c808df4efe9694c4de44777fb1fac6422400cf93182a5d037611e2750078342a4ae3990e86811dffa8c381cab60ad6d48f6e320d5d978501bc864d5571
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225FFilesize
482B
MD52024ed11be7298fc4957ecf3856bc1e2
SHA1abc0d9143c5dbbfd755d5f4e3981a4ec3aef2981
SHA256979f30646d82e57e6c5364565aad087e3f22256452d95d6f68715e919e750cd6
SHA51272038ec3049dd526a8d6a31e792682c3e23e53a53a361a1533eeadbf8b4fb2b77347700e6a1914fad2c5b4b0bd3be820d7893041fa7adc33745156e94a887681
-
C:\Users\Admin\AppData\Local\SetupTest\1.dllFilesize
716KB
MD5726a41b2959768c5c3d2c7c213e6d0d8
SHA1e28186bc0d771d20527b5f80757f4ee3f0ce442e
SHA2566d8ef65670101ecf342152a34ae4b17784186759686c0e5eb631a9fa47315647
SHA5124c349bc12d66be7abde0af38491ce082a9e13036db882bfaeff3ee6ede650c070b1c0f73bea18ae75d7eaff457436a04f0467d50c45c077162e63487cb5a7f34
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
11.8MB
MD5e3feacf2c67bd1a1b01d2bcda8d13b85
SHA1837818db5bfc735b4b45d2ade4fad1085523dc34
SHA25646afe6e9ad6c1a417ffd330c4210cc0c6cf283ba3e8b945ad804fca345c2b779
SHA512fcb591effcc500ca0da11859b426e8c61b28724e7827c654e800e327b89ec8b993eea4bc1bbe9289ed89fe9de8ff813b8ac4bfb953c2707839b79efe22070b4b
-
\??\Volume{2339e045-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{379916b9-a0eb-4bec-9812-720ce6c2ae18}_OnDiskSnapshotPropFilesize
5KB
MD5300235188255e782e0d7635064dbbea0
SHA103381777b2c646a7964a8550ffe7b39410d79ec3
SHA25621fb7c33ca8e9df0d67f99cb6be4df09b104acf6afb61f0f4b10dbe6b621bc22
SHA512b4d2207f6a0f61604c8d7270a1856850f08ff5d49e05b622fe983ed8d14001a0afb1682ba45ff928d254bc7e8a5df7ee09da347c364d302ac647ea8dfe8f2112
-
memory/568-151-0x0000000000000000-mapping.dmp
-
memory/568-152-0x00000000012A0000-0x000000000132F000-memory.dmpFilesize
572KB
-
memory/568-153-0x00000000012A0000-0x000000000132F000-memory.dmpFilesize
572KB
-
memory/1900-132-0x0000000000000000-mapping.dmp
-
memory/3448-140-0x0000000000000000-mapping.dmp
-
memory/3448-145-0x0000000010000000-0x000000001008F000-memory.dmpFilesize
572KB
-
memory/4380-139-0x0000000000000000-mapping.dmp