Analysis
-
max time kernel
514s -
max time network
502s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
05-12-2022 21:06
Static task
static1
Behavioral task
behavioral1
Sample
c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad.msi
Resource
win7-20220901-en
General
-
Target
c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad.msi
-
Size
597KB
-
MD5
13bd4a09264d6312d957d61d64e79f53
-
SHA1
5ebf19ba1be83ad9e15991e76e509a57aaa9e9c0
-
SHA256
c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad
-
SHA512
b7943be0b78a7de293b19e2b75a6b44bae34997c555e1a83a0064087d828616e601cc04cb8f13e6e44e8b9cb67fe2328b3826c8d31edf8cd5a74e9def710e582
-
SSDEEP
12288:rZzDzxF3RR3sSRogrrYW4OH5IBwBZ3TzChsL4o1U:rZzDzvvRoCBH2WBJChsMo1U
Malware Config
Extracted
qakbot
403.573
AA
1649749884
-
salt
jHxastDcds)oMc=jvh7wdUhxcsdt2
Signatures
-
Blocklisted process makes network request 8 IoCs
Processes:
msiexec.exe
flow pid process
9 4844 msiexec.exe
25 4844 msiexec.exe
26 4844 msiexec.exe
38 4844 msiexec.exe
42 4844 msiexec.exe
45 4844 msiexec.exe
47 4844 msiexec.exe
53 4844 msiexec.exe
-
Loads dropped DLL 1 IoCs
Processes:
regsvr32.exe
pid process
3600 regsvr32.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exe msiexec.exe
description ioc process
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\F: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\I: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\J: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\P: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\F: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\U: msiexec.exe
File opened (read-only) \??\V: msiexec.exe
File opened (read-only) \??\G: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\Y: msiexec.exe
File opened (read-only) \??\R: msiexec.exe
File opened (read-only) \??\T: msiexec.exe
File opened (read-only) \??\A: msiexec.exe
File opened (read-only) \??\O: msiexec.exe
File opened (read-only) \??\Q: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\L: msiexec.exe
File opened (read-only) \??\M: msiexec.exe
File opened (read-only) \??\X: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\E: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\S: msiexec.exe
File opened (read-only) \??\B: msiexec.exe
File opened (read-only) \??\H: msiexec.exe
File opened (read-only) \??\K: msiexec.exe
File opened (read-only) \??\N: msiexec.exe
File opened (read-only) \??\W: msiexec.exe
File opened (read-only) \??\Z: msiexec.exe
-
Drops file in Windows directory 8 IoCs
Processes:
msiexec.exe
description ioc process
File opened for modification C:\Windows\Installer\MSI584C.tmp msiexec.exe
File created C:\Windows\Installer\e581896.msi msiexec.exe
File created C:\Windows\Installer\e581894.msi msiexec.exe
File opened for modification C:\Windows\Installer\e581894.msi msiexec.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
File created C:\Windows\Installer\SourceHash{A1B91EDB-5470-4357-9282-40006CF9DB7E} msiexec.exe
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msiexec.exeregsvr32.exeexplorer.exepid process 1660 msiexec.exe 1660 msiexec.exe 3600 regsvr32.exe 3600 regsvr32.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe 1128 explorer.exe -
Suspicious behavior: MapViewOfSection 1 IoCs
Processes:
regsvr32.exe
pid process
3600 regsvr32.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exedescription pid process Token: SeShutdownPrivilege 4844 msiexec.exe Token: SeIncreaseQuotaPrivilege 4844 msiexec.exe Token: SeSecurityPrivilege 1660 msiexec.exe Token: SeCreateTokenPrivilege 4844 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 4844 msiexec.exe Token: SeLockMemoryPrivilege 4844 msiexec.exe Token: SeIncreaseQuotaPrivilege 4844 msiexec.exe Token: SeMachineAccountPrivilege 4844 msiexec.exe Token: SeTcbPrivilege 4844 msiexec.exe Token: SeSecurityPrivilege 4844 msiexec.exe Token: SeTakeOwnershipPrivilege 4844 msiexec.exe Token: SeLoadDriverPrivilege 4844 msiexec.exe Token: SeSystemProfilePrivilege 4844 msiexec.exe Token: SeSystemtimePrivilege 4844 msiexec.exe Token: SeProfSingleProcessPrivilege 4844 msiexec.exe Token: SeIncBasePriorityPrivilege 4844 msiexec.exe Token: SeCreatePagefilePrivilege 4844 msiexec.exe Token: SeCreatePermanentPrivilege 4844 msiexec.exe Token: SeBackupPrivilege 4844 msiexec.exe Token: SeRestorePrivilege 4844 msiexec.exe Token: SeShutdownPrivilege 4844 msiexec.exe Token: SeDebugPrivilege 4844 msiexec.exe Token: SeAuditPrivilege 4844 msiexec.exe Token: SeSystemEnvironmentPrivilege 4844 msiexec.exe Token: SeChangeNotifyPrivilege 4844 msiexec.exe Token: SeRemoteShutdownPrivilege 4844 msiexec.exe Token: SeUndockPrivilege 4844 msiexec.exe Token: SeSyncAgentPrivilege 4844 msiexec.exe Token: SeEnableDelegationPrivilege 4844 msiexec.exe Token: SeManageVolumePrivilege 4844 msiexec.exe Token: SeImpersonatePrivilege 4844 msiexec.exe Token: SeCreateGlobalPrivilege 4844 msiexec.exe Token: SeBackupPrivilege 3816 vssvc.exe Token: SeRestorePrivilege 3816 vssvc.exe Token: SeAuditPrivilege 3816 vssvc.exe Token: SeBackupPrivilege 1660 msiexec.exe Token: SeRestorePrivilege 1660 msiexec.exe Token: SeRestorePrivilege 1660 msiexec.exe Token: SeTakeOwnershipPrivilege 1660 msiexec.exe Token: SeRestorePrivilege 1660 msiexec.exe Token: SeTakeOwnershipPrivilege 1660 msiexec.exe Token: SeRestorePrivilege 1660 msiexec.exe Token: 
SeTakeOwnershipPrivilege 1660 msiexec.exe Token: SeRestorePrivilege 1660 msiexec.exe Token: SeTakeOwnershipPrivilege 1660 msiexec.exe Token: SeRestorePrivilege 1660 msiexec.exe Token: SeTakeOwnershipPrivilege 1660 msiexec.exe Token: SeRestorePrivilege 1660 msiexec.exe Token: SeTakeOwnershipPrivilege 1660 msiexec.exe Token: SeRestorePrivilege 1660 msiexec.exe Token: SeTakeOwnershipPrivilege 1660 msiexec.exe Token: SeRestorePrivilege 1660 msiexec.exe Token: SeTakeOwnershipPrivilege 1660 msiexec.exe Token: SeRestorePrivilege 1660 msiexec.exe Token: SeTakeOwnershipPrivilege 1660 msiexec.exe Token: SeRestorePrivilege 1660 msiexec.exe Token: SeTakeOwnershipPrivilege 1660 msiexec.exe Token: SeRestorePrivilege 1660 msiexec.exe Token: SeTakeOwnershipPrivilege 1660 msiexec.exe Token: SeRestorePrivilege 1660 msiexec.exe Token: SeTakeOwnershipPrivilege 1660 msiexec.exe Token: SeRestorePrivilege 1660 msiexec.exe Token: SeTakeOwnershipPrivilege 1660 msiexec.exe Token: SeRestorePrivilege 1660 msiexec.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
msiexec.exe
pid process
4844 msiexec.exe
-
Suspicious use of WriteProcessMemory 13 IoCs
Processes:
msiexec.exe MsiExec.exe regsvr32.exe
description pid process target process
PID 1660 wrote to memory of 3380 1660 msiexec.exe srtasks.exe
PID 1660 wrote to memory of 3380 1660 msiexec.exe srtasks.exe
PID 1660 wrote to memory of 4252 1660 msiexec.exe MsiExec.exe
PID 1660 wrote to memory of 4252 1660 msiexec.exe MsiExec.exe
PID 1660 wrote to memory of 4252 1660 msiexec.exe MsiExec.exe
PID 4252 wrote to memory of 3600 4252 MsiExec.exe regsvr32.exe
PID 4252 wrote to memory of 3600 4252 MsiExec.exe regsvr32.exe
PID 4252 wrote to memory of 3600 4252 MsiExec.exe regsvr32.exe
PID 3600 wrote to memory of 1128 3600 regsvr32.exe explorer.exe
PID 3600 wrote to memory of 1128 3600 regsvr32.exe explorer.exe
PID 3600 wrote to memory of 1128 3600 regsvr32.exe explorer.exe
PID 3600 wrote to memory of 1128 3600 regsvr32.exe explorer.exe
PID 3600 wrote to memory of 1128 3600 regsvr32.exe explorer.exe
Processes
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\c0beb47f629a5debe0e99790d16a4d04afe786d6fb42c5ab6dfcaed84d86e7ad.msi 1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V 1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 2⤵
-
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 4B25DC51C12356AEF857938692A7679E 2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe
"C:\Windows\SysWOW64\regsvr32.exe" C:\Users\Admin\AppData\Local\SetupTest\1.dll 3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\explorer.exe
C:\Windows\SysWOW64\explorer.exe 4⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe 1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
Filesize 765B
MD5 6af6b6f4ae6196f189dddbc3359153d0
SHA1 a6b8bcd8d52bc78e6ab09a4691eb235bc342da76
SHA256 56843ed6f900a0b68969b73463c867953773db38d9070ad3f3bc9f17019199e4
SHA512 3ceab49c2e2ed4103e34f9174c69931dba4fd85442084ce37d7bd6bd829068e023f8dcba5f5cdc6c9f5633ab549d481cb322252b75ffd58ae316c273e70888e0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_D2D3A37B25AAA89445E8EFE144391472
Filesize 637B
MD5 f65e6919f241c149d42e36d0e6751e12
SHA1 ed0f88a86d27ab339f1b5ac02dd8a01fdd969a0e
SHA256 6e31167e7da0fc7f95061a6ba9201fe52bcaf0e58bca6b22d3d2be857fff1a69
SHA512 3b02e7a213b3f625c942ec818a53dcb2c08916b3820991256d9c8168b9cccfa4193019e410ddae30ce52c1afacb3068421da1c0ffa506709673871a263c1bdfb
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Filesize 1KB
MD5 c2e74c923e71f2331e4ac3e559feed88
SHA1 0dafbf3c9b11edb7a0c7d149f545b88004a951f8
SHA256 e2d1f43e63c1fda37b1c26cbeac110ad9edd19f6e3b337b616d57a6c0cb0c54c
SHA512 7ee607f0f947a04137c3849697ad5b8ca70b142d2cca8520c7b1f29e009369aff67528ccc01f8a64909bc250dbfcfbf7cbe3a42625a6320196f2f5b253ac9e71
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
Filesize 484B
MD5 2c3a637601ea589838f52983011e0592
SHA1 4b8ca69a5cf5971596cc0c675d35994a3216df52
SHA256 10618cc858998198e4b8fdbcd69751c42c956d58249ba3accac57b9b7dac2c75
SHA512 4162997f69400cc7f75942cb2435f6dfa2eadec30259369b5546e59a7a68cff53b052a1708f1b6bcaa470e0b6dc39c3d88cdea978a8c95dff71c36150f129cc0
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_D2D3A37B25AAA89445E8EFE144391472
Filesize 488B
MD5 0921dcdbce2a798fb48687d83e9fec47
SHA1 f9e4f5f72746abc2698cd5f4f10c4eeffbfe1649
SHA256 81176f12a9a79219cb1f4f6a35e712a881051cf57e15c47d1fe4b8981301c929
SHA512 94de4526ff8ca02f5c85a5f41606deff5ae2587f2e5134e4c39141a26a14495e27522968f20c42b73da4c607d771bfd76bfb2dcb69f1008ff6ad4805392681d1
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
Filesize 482B
MD5 cec11a59f69e1fb7aed7ae3d7593f142
SHA1 85f129a2988389efbfecc4bf5c3feda6e8b9758e
SHA256 880d0e8367a5dbd1d943583ad8288f48ceafdf158df2c5683bdd3e8e043b6eba
SHA512 95365c962aa6f58e5c68c67aca83e8e2ebc03e3ad4c349f43b3a81b1462efe8ac9ab2c48c72c818bf3395abb4d6d981e6957bb31d9aad154b785bc858ee9b902
-
C:\Users\Admin\AppData\Local\SetupTest\1.dll
Filesize 716KB
MD5 726a41b2959768c5c3d2c7c213e6d0d8
SHA1 e28186bc0d771d20527b5f80757f4ee3f0ce442e
SHA256 6d8ef65670101ecf342152a34ae4b17784186759686c0e5eb631a9fa47315647
SHA512 4c349bc12d66be7abde0af38491ce082a9e13036db882bfaeff3ee6ede650c070b1c0f73bea18ae75d7eaff457436a04f0467d50c45c077162e63487cb5a7f34
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize 23.0MB
MD5 8c18790e049c701bd00b88060e789160
SHA1 bdf0c7590170148248d5a9d518cfbacf58743da4
SHA256 ea2e7fb7ce487e9f40541e4e68a51c3f7bf43a6c878b58904a1b62d3c92c8407
SHA512 3a2ebbddbfb50f559ffa1e3f503b3719ce31572e4e54d64b8dea94ed042cd6fede8641dc280dd064483fca6c7e2bc85cce5e76c13a5c7e43ae50a6cb18e8b3a4
-
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a2c3dbc9-8f77-4a8d-9e3f-1d884b9524f7}_OnDiskSnapshotProp
Filesize 5KB
MD5 1e13f7ce6b3894d84d3e0bbf14edbc04
SHA1 512aa801d3346b0aba74a8514b4a1a80befa5d4b
SHA256 d65d64f9f419b9d371cf24fbaef94cadf3ee320cc74d78f99ad278b1c8666ff4
SHA512 346d97dae534fdaa000b416690c7254b8472203d4f54283badc68699b1b0d1be34b0274783177ea45870ddbe012269ac6a9d786dc469950ace008a021e0c1f1f
-
memory/1128-151-0x0000000000000000-mapping.dmp
-
memory/1128-152-0x00000000008F0000-0x000000000097F000-memory.dmp
Filesize 572KB
-
memory/1128-153-0x00000000008F0000-0x000000000097F000-memory.dmp
Filesize 572KB
-
memory/3380-132-0x0000000000000000-mapping.dmp
-
memory/3600-140-0x0000000000000000-mapping.dmp
-
memory/3600-145-0x0000000010000000-0x000000001008F000-memory.dmp
Filesize 572KB
-
memory/4252-139-0x0000000000000000-mapping.dmp