qakbot | c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad

Resubmissions

05-12-2022 21:51

221205-1qkdasag75 10

05-12-2022 21:06

221205-zx2qgsah5z 10

Analysis

max time kernel
514s
max time network
502s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 21:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad.msi
Size

597KB
MD5

13bd4a09264d6312d957d61d64e79f53
SHA1

5ebf19ba1be83ad9e15991e76e509a57aaa9e9c0
SHA256

c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad
SHA512

b7943be0b78a7de293b19e2b75a6b44bae34997c555e1a83a0064087d828616e601cc04cb8f13e6e44e8b9cb67fe2328b3826c8d31edf8cd5a74e9def710e582
SSDEEP

12288:rZzDzxF3RR3sSRogrrYW4OH5IBwBZ3TzChsL4o1U:rZzDzvvRoCBH2WBJChsMo1U

Score

10^/10

qakbot aa 1649749884 banker stealer trojan

Malware Config

Extracted

Family

qakbot

Version

403.573

Botnet

Campaign

1649749884

120.150.218.241:995

186.64.67.38:443

196.203.37.215:80

1.161.71.109:443

82.152.39.39:443

76.69.155.202:2222

72.66.116.235:995

103.107.113.120:443

113.11.89.165:995

208.107.221.224:443

103.88.226.30:443

75.99.168.194:443

75.113.214.234:2222

76.169.147.192:32103

190.73.3.148:2222

39.52.2.90:995

38.70.253.226:2222

5.95.58.211:2087

74.15.2.252:2222

76.70.9.169:2222

Attributes

salt
jHxastDcds)oMc=jvh7wdUhxcsdt2

Signatures

Qakbot/Qbot
Qbot or Qakbot is a sophisticated worm with banking capabilities.
trojan banker stealer qakbot

Blocklisted process makes network request 8 IoCs

Processes:

msiexec.exe

flow	pid	process
9	4844	msiexec.exe
25	4844	msiexec.exe
26	4844	msiexec.exe
38	4844	msiexec.exe
42	4844	msiexec.exe
45	4844	msiexec.exe
47	4844	msiexec.exe
53	4844	msiexec.exe

Loads dropped DLL 1 IoCs

Processes:

regsvr32.exe

pid process

3600 regsvr32.exe

pid	process
3600	regsvr32.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe

Drops file in Windows directory 8 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI584C.tmp	msiexec.exe
File created	C:\Windows\Installer\e581896.msi	msiexec.exe
File created	C:\Windows\Installer\e581894.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e581894.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{A1B91EDB-5470-4357-9282-40006CF9DB7E}	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000789d96067ff55f5b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000789d96060000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900789d9606000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

msiexec.exeregsvr32.exeexplorer.exe

pid	process
1660	msiexec.exe
1660	msiexec.exe
3600	regsvr32.exe
3600	regsvr32.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe
1128	explorer.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

regsvr32.exe

pid process

3600 regsvr32.exe

pid	process
3600	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	4844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4844	msiexec.exe
Token: SeSecurityPrivilege	1660	msiexec.exe
Token: SeCreateTokenPrivilege	4844	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4844	msiexec.exe
Token: SeLockMemoryPrivilege	4844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4844	msiexec.exe
Token: SeMachineAccountPrivilege	4844	msiexec.exe
Token: SeTcbPrivilege	4844	msiexec.exe
Token: SeSecurityPrivilege	4844	msiexec.exe
Token: SeTakeOwnershipPrivilege	4844	msiexec.exe
Token: SeLoadDriverPrivilege	4844	msiexec.exe
Token: SeSystemProfilePrivilege	4844	msiexec.exe
Token: SeSystemtimePrivilege	4844	msiexec.exe
Token: SeProfSingleProcessPrivilege	4844	msiexec.exe
Token: SeIncBasePriorityPrivilege	4844	msiexec.exe
Token: SeCreatePagefilePrivilege	4844	msiexec.exe
Token: SeCreatePermanentPrivilege	4844	msiexec.exe
Token: SeBackupPrivilege	4844	msiexec.exe
Token: SeRestorePrivilege	4844	msiexec.exe
Token: SeShutdownPrivilege	4844	msiexec.exe
Token: SeDebugPrivilege	4844	msiexec.exe
Token: SeAuditPrivilege	4844	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4844	msiexec.exe
Token: SeChangeNotifyPrivilege	4844	msiexec.exe
Token: SeRemoteShutdownPrivilege	4844	msiexec.exe
Token: SeUndockPrivilege	4844	msiexec.exe
Token: SeSyncAgentPrivilege	4844	msiexec.exe
Token: SeEnableDelegationPrivilege	4844	msiexec.exe
Token: SeManageVolumePrivilege	4844	msiexec.exe
Token: SeImpersonatePrivilege	4844	msiexec.exe
Token: SeCreateGlobalPrivilege	4844	msiexec.exe
Token: SeBackupPrivilege	3816	vssvc.exe
Token: SeRestorePrivilege	3816	vssvc.exe
Token: SeAuditPrivilege	3816	vssvc.exe
Token: SeBackupPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe
Token: SeTakeOwnershipPrivilege	1660	msiexec.exe
Token: SeRestorePrivilege	1660	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

msiexec.exe

pid process

4844 msiexec.exe

pid	process
4844	msiexec.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

msiexec.exeMsiExec.exeregsvr32.exe

description	pid	process	target process
PID 1660 wrote to memory of 3380	1660	msiexec.exe	srtasks.exe
PID 1660 wrote to memory of 3380	1660	msiexec.exe	srtasks.exe
PID 1660 wrote to memory of 4252	1660	msiexec.exe	MsiExec.exe
PID 1660 wrote to memory of 4252	1660	msiexec.exe	MsiExec.exe
PID 1660 wrote to memory of 4252	1660	msiexec.exe	MsiExec.exe
PID 4252 wrote to memory of 3600	4252	MsiExec.exe	regsvr32.exe
PID 4252 wrote to memory of 3600	4252	MsiExec.exe	regsvr32.exe
PID 4252 wrote to memory of 3600	4252	MsiExec.exe	regsvr32.exe
PID 3600 wrote to memory of 1128	3600	regsvr32.exe	explorer.exe
PID 3600 wrote to memory of 1128	3600	regsvr32.exe	explorer.exe
PID 3600 wrote to memory of 1128	3600	regsvr32.exe	explorer.exe
PID 3600 wrote to memory of 1128	3600	regsvr32.exe	explorer.exe
PID 3600 wrote to memory of 1128	3600	regsvr32.exe	explorer.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4844

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:3380

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4B25DC51C12356AEF857938692A7679E
2⤵
- Suspicious use of WriteProcessMemory
PID:4252

C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" C:\Users\Admin\AppData\Local\SetupTest\1.dll
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3600

C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:1128

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3816

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
Filesize
765B

MD5
6af6b6f4ae6196f189dddbc3359153d0

SHA1
a6b8bcd8d52bc78e6ab09a4691eb235bc342da76

SHA256
56843ed6f900a0b68969b73463c867953773db38d9070ad3f3bc9f17019199e4

SHA512
3ceab49c2e2ed4103e34f9174c69931dba4fd85442084ce37d7bd6bd829068e023f8dcba5f5cdc6c9f5633ab549d481cb322252b75ffd58ae316c273e70888e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_D2D3A37B25AAA89445E8EFE144391472
Filesize
637B

MD5
f65e6919f241c149d42e36d0e6751e12

SHA1
ed0f88a86d27ab339f1b5ac02dd8a01fdd969a0e

SHA256
6e31167e7da0fc7f95061a6ba9201fe52bcaf0e58bca6b22d3d2be857fff1a69

SHA512
3b02e7a213b3f625c942ec818a53dcb2c08916b3820991256d9c8168b9cccfa4193019e410ddae30ce52c1afacb3068421da1c0ffa506709673871a263c1bdfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Filesize
1KB

MD5
c2e74c923e71f2331e4ac3e559feed88

SHA1
0dafbf3c9b11edb7a0c7d149f545b88004a951f8

SHA256
e2d1f43e63c1fda37b1c26cbeac110ad9edd19f6e3b337b616d57a6c0cb0c54c

SHA512
7ee607f0f947a04137c3849697ad5b8ca70b142d2cca8520c7b1f29e009369aff67528ccc01f8a64909bc250dbfcfbf7cbe3a42625a6320196f2f5b253ac9e71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
Filesize
484B

MD5
2c3a637601ea589838f52983011e0592

SHA1
4b8ca69a5cf5971596cc0c675d35994a3216df52

SHA256
10618cc858998198e4b8fdbcd69751c42c956d58249ba3accac57b9b7dac2c75

SHA512
4162997f69400cc7f75942cb2435f6dfa2eadec30259369b5546e59a7a68cff53b052a1708f1b6bcaa470e0b6dc39c3d88cdea978a8c95dff71c36150f129cc0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_D2D3A37B25AAA89445E8EFE144391472
Filesize
488B

MD5
0921dcdbce2a798fb48687d83e9fec47

SHA1
f9e4f5f72746abc2698cd5f4f10c4eeffbfe1649

SHA256
81176f12a9a79219cb1f4f6a35e712a881051cf57e15c47d1fe4b8981301c929

SHA512
94de4526ff8ca02f5c85a5f41606deff5ae2587f2e5134e4c39141a26a14495e27522968f20c42b73da4c607d771bfd76bfb2dcb69f1008ff6ad4805392681d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Filesize
482B

MD5
cec11a59f69e1fb7aed7ae3d7593f142

SHA1
85f129a2988389efbfecc4bf5c3feda6e8b9758e

SHA256
880d0e8367a5dbd1d943583ad8288f48ceafdf158df2c5683bdd3e8e043b6eba

SHA512
95365c962aa6f58e5c68c67aca83e8e2ebc03e3ad4c349f43b3a81b1462efe8ac9ab2c48c72c818bf3395abb4d6d981e6957bb31d9aad154b785bc858ee9b902

Download Submit
C:\Users\Admin\AppData\Local\SetupTest\1.dll
Filesize
716KB

MD5
726a41b2959768c5c3d2c7c213e6d0d8

SHA1
e28186bc0d771d20527b5f80757f4ee3f0ce442e

SHA256
6d8ef65670101ecf342152a34ae4b17784186759686c0e5eb631a9fa47315647

SHA512
4c349bc12d66be7abde0af38491ce082a9e13036db882bfaeff3ee6ede650c070b1c0f73bea18ae75d7eaff457436a04f0467d50c45c077162e63487cb5a7f34

Download Submit
C:\Users\Admin\AppData\Local\SetupTest\1.dll
Filesize
716KB

MD5
726a41b2959768c5c3d2c7c213e6d0d8

SHA1
e28186bc0d771d20527b5f80757f4ee3f0ce442e

SHA256
6d8ef65670101ecf342152a34ae4b17784186759686c0e5eb631a9fa47315647

SHA512
4c349bc12d66be7abde0af38491ce082a9e13036db882bfaeff3ee6ede650c070b1c0f73bea18ae75d7eaff457436a04f0467d50c45c077162e63487cb5a7f34

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
8c18790e049c701bd00b88060e789160

SHA1
bdf0c7590170148248d5a9d518cfbacf58743da4

SHA256
ea2e7fb7ce487e9f40541e4e68a51c3f7bf43a6c878b58904a1b62d3c92c8407

SHA512
3a2ebbddbfb50f559ffa1e3f503b3719ce31572e4e54d64b8dea94ed042cd6fede8641dc280dd064483fca6c7e2bc85cce5e76c13a5c7e43ae50a6cb18e8b3a4

Download Submit
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a2c3dbc9-8f77-4a8d-9e3f-1d884b9524f7}_OnDiskSnapshotProp
Filesize
5KB

MD5
1e13f7ce6b3894d84d3e0bbf14edbc04

SHA1
512aa801d3346b0aba74a8514b4a1a80befa5d4b

SHA256
d65d64f9f419b9d371cf24fbaef94cadf3ee320cc74d78f99ad278b1c8666ff4

SHA512
346d97dae534fdaa000b416690c7254b8472203d4f54283badc68699b1b0d1be34b0274783177ea45870ddbe012269ac6a9d786dc469950ace008a021e0c1f1f

Download Submit
memory/1128-151-0x0000000000000000-mapping.dmp

Download
memory/1128-152-0x00000000008F0000-0x000000000097F000-memory.dmp

Filesize
572KB

Download
memory/1128-153-0x00000000008F0000-0x000000000097F000-memory.dmp

Filesize
572KB

Download
memory/3380-132-0x0000000000000000-mapping.dmp

Download
memory/3600-140-0x0000000000000000-mapping.dmp

Download
memory/3600-145-0x0000000010000000-0x000000001008F000-memory.dmp

Filesize
572KB

Download
memory/4252-139-0x0000000000000000-mapping.dmp

Download