e5e94056346367f7a8cf31fd7a2a47b4004623f1c8b74cb8f5d6ae110bef134a

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24-01-2024 23:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8GMgV5a1fsLKxv.msi
Size

4.3MB
MD5

643541e25802b30249ba4fd2f549e244
SHA1

df45dbb9c09775be5567cf8dd92b8bf8e77dcc43
SHA256

e5e94056346367f7a8cf31fd7a2a47b4004623f1c8b74cb8f5d6ae110bef134a
SHA512

8c8aa5e51f22fc9f3edf3c292b535963745599833b2041746141467a3a490ba92274dfafa27b2d896639a3ca25740261779c129c20e004daa0ea56e6937c66d8
SSDEEP

49152:ipUPP9qhCxzT+WKjSXsE6wsGjXZq5+iLirfmiiiiiiiiiQg7Xgnct6NymxAiOYUI:ipUCQHsWPieI5tjT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
3508	vlc.exe
1640	Autoit3.exe

Loads dropped DLL 3 IoCs

pid	Process
4192	MsiExec.exe
3508	vlc.exe
4192	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4348	ICACLS.EXE
4744	ICACLS.EXE

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Windows directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7E48.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8464.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSI8463.tmp	msiexec.exe
File created	C:\Windows\Installer\e577d8c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e577d8c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{61AE9F7F-1E00-48FC-ACE5-5DA0461DB821}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000da362e54a03ebf190000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000da362e540000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900da362e54000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dda362e54000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000da362e5400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Autoit3.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	Autoit3.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
828	msiexec.exe
828	msiexec.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3480	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3480	msiexec.exe
Token: SeSecurityPrivilege	828	msiexec.exe
Token: SeCreateTokenPrivilege	3480	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3480	msiexec.exe
Token: SeLockMemoryPrivilege	3480	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3480	msiexec.exe
Token: SeMachineAccountPrivilege	3480	msiexec.exe
Token: SeTcbPrivilege	3480	msiexec.exe
Token: SeSecurityPrivilege	3480	msiexec.exe
Token: SeTakeOwnershipPrivilege	3480	msiexec.exe
Token: SeLoadDriverPrivilege	3480	msiexec.exe
Token: SeSystemProfilePrivilege	3480	msiexec.exe
Token: SeSystemtimePrivilege	3480	msiexec.exe
Token: SeProfSingleProcessPrivilege	3480	msiexec.exe
Token: SeIncBasePriorityPrivilege	3480	msiexec.exe
Token: SeCreatePagefilePrivilege	3480	msiexec.exe
Token: SeCreatePermanentPrivilege	3480	msiexec.exe
Token: SeBackupPrivilege	3480	msiexec.exe
Token: SeRestorePrivilege	3480	msiexec.exe
Token: SeShutdownPrivilege	3480	msiexec.exe
Token: SeDebugPrivilege	3480	msiexec.exe
Token: SeAuditPrivilege	3480	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3480	msiexec.exe
Token: SeChangeNotifyPrivilege	3480	msiexec.exe
Token: SeRemoteShutdownPrivilege	3480	msiexec.exe
Token: SeUndockPrivilege	3480	msiexec.exe
Token: SeSyncAgentPrivilege	3480	msiexec.exe
Token: SeEnableDelegationPrivilege	3480	msiexec.exe
Token: SeManageVolumePrivilege	3480	msiexec.exe
Token: SeImpersonatePrivilege	3480	msiexec.exe
Token: SeCreateGlobalPrivilege	3480	msiexec.exe
Token: SeBackupPrivilege	3068	vssvc.exe
Token: SeRestorePrivilege	3068	vssvc.exe
Token: SeAuditPrivilege	3068	vssvc.exe
Token: SeBackupPrivilege	828	msiexec.exe
Token: SeRestorePrivilege	828	msiexec.exe
Token: SeRestorePrivilege	828	msiexec.exe
Token: SeTakeOwnershipPrivilege	828	msiexec.exe
Token: SeRestorePrivilege	828	msiexec.exe
Token: SeTakeOwnershipPrivilege	828	msiexec.exe
Token: SeBackupPrivilege	3032	srtasks.exe
Token: SeRestorePrivilege	3032	srtasks.exe
Token: SeSecurityPrivilege	3032	srtasks.exe
Token: SeTakeOwnershipPrivilege	3032	srtasks.exe
Token: SeBackupPrivilege	3032	srtasks.exe
Token: SeRestorePrivilege	3032	srtasks.exe
Token: SeSecurityPrivilege	3032	srtasks.exe
Token: SeTakeOwnershipPrivilege	3032	srtasks.exe
Token: SeRestorePrivilege	828	msiexec.exe
Token: SeTakeOwnershipPrivilege	828	msiexec.exe
Token: SeRestorePrivilege	828	msiexec.exe
Token: SeTakeOwnershipPrivilege	828	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3480	msiexec.exe
3480	msiexec.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 828 wrote to memory of 3032	828	msiexec.exe	99
PID 828 wrote to memory of 3032	828	msiexec.exe	99
PID 828 wrote to memory of 4192	828	msiexec.exe	101
PID 828 wrote to memory of 4192	828	msiexec.exe	101
PID 828 wrote to memory of 4192	828	msiexec.exe	101
PID 4192 wrote to memory of 4348	4192	MsiExec.exe	102
PID 4192 wrote to memory of 4348	4192	MsiExec.exe	102
PID 4192 wrote to memory of 4348	4192	MsiExec.exe	102
PID 4192 wrote to memory of 4940	4192	MsiExec.exe	105
PID 4192 wrote to memory of 4940	4192	MsiExec.exe	105
PID 4192 wrote to memory of 4940	4192	MsiExec.exe	105
PID 4192 wrote to memory of 3508	4192	MsiExec.exe	106
PID 4192 wrote to memory of 3508	4192	MsiExec.exe	106
PID 3508 wrote to memory of 1640	3508	vlc.exe	107
PID 3508 wrote to memory of 1640	3508	vlc.exe	107
PID 3508 wrote to memory of 1640	3508	vlc.exe	107
PID 4192 wrote to memory of 4744	4192	MsiExec.exe	109
PID 4192 wrote to memory of 4744	4192	MsiExec.exe	109
PID 4192 wrote to memory of 4744	4192	MsiExec.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\8GMgV5a1fsLKxv.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3480

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3032
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 889EE6A41CB6D800B95CDA44EA981E0F
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:4192
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-248dc0bd-19c6-41de-935a-7dc32edcd683\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:4348
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:4940
- - C:\Users\Admin\AppData\Local\Temp\MW-248dc0bd-19c6-41de-935a-7dc32edcd683\files\vlc.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-248dc0bd-19c6-41de-935a-7dc32edcd683\files\vlc.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:3508
  - - \??\c:\temp\Autoit3.exe
      "c:\temp\Autoit3.exe" c:\temp\script.au3
      4⤵
      Executes dropped EXE
      Checks processor information in registry
      PID:1640
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-248dc0bd-19c6-41de-935a-7dc32edcd683\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:4744

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MW-248dc0bd-19c6-41de-935a-7dc32edcd683\files.cab

Filesize
1.0MB

MD5
290f6f2bc920cd0aa848ef58ce45b19e

SHA1
a7fb670800f76eee4807225e893b31ac5b9df822

SHA256
496d4b38db0b5c5e1c6344817714f0a9feee9975d0db4ec335d85d217a529567

SHA512
cd15483f6a4fbf387375646c1792065794276693059054156638283194f2b353624ec207d15a85135d77d29076dbc1589b48ff1a4b67605cd2f0d1f2159ff036

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-248dc0bd-19c6-41de-935a-7dc32edcd683\files\libvlc.dll

Filesize
68KB

MD5
d8fb51c4274b63b3c8fe48d3ccf104d0

SHA1
a5754c814921a4055cd50d10c7d6ad32a2d9dd83

SHA256
d3e3d49f51b9f8b946fc021b00900e209dc9b32b1f67389445bf92fc468bdb65

SHA512
853ca0fa0b4e782f256efd11ca68cc930290e7679cb48cccc2539841d38e8a3e08d537076b5a126ac1b20a557cb152bb952b0b15c1507e77e54416b2fc4a1cbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-248dc0bd-19c6-41de-935a-7dc32edcd683\files\libvlc.dll

Filesize
159KB

MD5
8c60c871438cd49be12ed482ff7b2d6e

SHA1
a17864640f9d5c3c2c67f01ac1e60b1571d93db9

SHA256
6c2978c78566ae347da23acecbf0298d7acf08b514b74d6dc4ce668f4333d9b0

SHA512
2145e1d8390cd66fad953f418b8d7dba24a78e0ee7c22308a52faae07610f71c1c8a87ad46dc3023f6b19dbf4d19af03f42d8cfe1c645b0e844c3a6b3bedd42b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-248dc0bd-19c6-41de-935a-7dc32edcd683\files\sqlite3.dll

Filesize
111KB

MD5
f9d8abe2d1e9d2749bda46d707ad3569

SHA1
95e6ca11adc2f19e5a924de8f9a703cebe7397ef

SHA256
7877f9d35aa4b95d56d1bdf03a6c99168d28d013456a32132d3104bb7eb80bf1

SHA512
b7ee8422fbc3eb9b3e262ce0b10222d8395c0ab773a3b398989aa9956a3a1674319f10a259320c8334f683d5b3fe7acb0f16c2600a2c5f341674810a8fdc7f0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-248dc0bd-19c6-41de-935a-7dc32edcd683\files\vlc.exe

Filesize
100KB

MD5
35344cbe2f4a2106ceb3b085c9cbacd4

SHA1
2beabe51070dddccf9bd038a638e5533e9bdb8c1

SHA256
00510b9e95fdf5de2ba453617f44579b47ae6836b54c12290e6909cf836fe57e

SHA512
b2a3904b302a8895c13fb148f393ac61bc2cb9889d59c5a22705c2bb9e66908f83ff3e38f0ef3a1056300867046f2ef004f56e4e4eb9b9e12a2b20f4025f45e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-248dc0bd-19c6-41de-935a-7dc32edcd683\files\vlc.exe

Filesize
126KB

MD5
c94c2d22cf889a74d663ec55d84911be

SHA1
bf6e1aafb7cc545f869f38dffbcfed2fe1b5485c

SHA256
d9502176f02f8c42c74cc0b2e38f2edf4823a3e63756a2cf137b24969dace96c

SHA512
a6448d6d6ffbc35307a8c066a82bd5bff35236ca088559c80eb6615ac7d7710f182e097aac1fd2bd5acf4ec8b4f9230c5b3309293ae6a2ee5668c3eb4d755de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-248dc0bd-19c6-41de-935a-7dc32edcd683\msiwrapper.ini

Filesize
1KB

MD5
f0603982a2afa9a86c591732edafefb9

SHA1
fa704b7ba6bec0894c4fc3b31f2459c605a3662a

SHA256
109acfc5a6e2634f513db77a3abeeb5c9fe312bdeed5afd53b3b53820110fb34

SHA512
d1441aff299736502bb40e6c7531d5f82b3ef193d0d1f14d0c303e970660ea18c482025d7e56a0b5fb72b2c9a3f2e0e9550208629b35e82faab38f9c48373ad8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-248dc0bd-19c6-41de-935a-7dc32edcd683\msiwrapper.ini

Filesize
1KB

MD5
5f133afa41d19be5fc4e3624942aab23

SHA1
14ab5347f1c906b63eb22f7d9b9bc8407cd7e6f5

SHA256
ab2a9597833fc8f83a0d049e3a5da343f121e002b9886f88d270c8120ad86a74

SHA512
5e72c21d0858ac3246e03344ab36f09e2d3f24a8c9ad783d9c79f71993c3ef73a5066320461fbce45b8c6b370cf7bf2f55801ffcde3e0b3d94b79a8ce0e0a243

Download Submit
C:\Windows\Installer\MSI7E48.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\temp\Autoit3.exe

Filesize
782KB

MD5
9486ef9dbcef6bcdf75e491601cf6d1f

SHA1
c0b10d5717ddce0d4cb6b5c88d024e0dbf84c5a3

SHA256
a294c02d14ce630fd0f7cd251fafc3c5a5e9bbed45f48cf73c806b48ee13c19f

SHA512
b91a0e61e2c27cf952c8418aa61d89805ea255bb2e5200181185649622e0477be090ed83c9ba087578f8a7c903228e4e19e8d1f65fabc9c6d2efbed83c590e3e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
3.9MB

MD5
d4092fbcb08db51a757792a0b1e50933

SHA1
eb141c7eb4637bebb5498fc85414c3a2048d4f78

SHA256
e4264e6930bb25a0bf84b3e857a3a960649325de140d05ce17f1806967a7d9b6

SHA512
35ba01275634566de320599f12e293d972e7d2194c385f94faa778716b3c63ff05d918e05130ea0339d7a1be85f972119d70058fbeb330a6e1af4fa294fc79d1

Download Submit
\??\Volume{542e36da-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{07f4f5bc-bb29-4e2c-9718-7f8199b8a742}_OnDiskSnapshotProp

Filesize
6KB

MD5
114245be6a5f1949f1a8a3397134047d

SHA1
ffafca9197be1782b80d1fbfd2c3c615983c8dbe

SHA256
e8c83bcd897bbdd30626abb879feb67e856fc9cb4cce303826a8571097474aad

SHA512
cbb595a143a08cfbbcbb8afe10c06f592042b1ff3d7d84f48c88b25f3c48bab9fe5dc16d3e4a8afad226b5933374061dff6ffb20b6dfc7c7fb0ea78bd41443bb

Download Submit
\??\c:\temp\script.au3

Filesize
466KB

MD5
b395d416df27709427c17c04725a4c45

SHA1
c407d97bdb9bf1cd461fa40c66f261e3f92dd602

SHA256
78b3702f5c0f7efdf4598a2284cf3c7b3b51a6ae93a001029290bcc6a97bdc0a

SHA512
ec1b985bdb793e1acb9ed95681682ff712e8e518544214b0d648643b28a59c9c8cf6812879ea90a7319bd7853803a6fb3def19c5c897bd61b49c67c73c9c61c3

Download Submit
\??\c:\temp\test.txt

Filesize
76B

MD5
5e21c8ec8315c76c2e60eb1ff99040ca

SHA1
5b691e8bcf0967cc2b46aeb6dd7af91d8992ea25

SHA256
9e6861ac7aa15474d2d00afd67b2fdec473cf67a13116fddecf1495088e853ba

SHA512
ab10cda631047028e9321952430a9f7b1cd9a78cb59c8c192aaa72cc5a95cdeee96ef432f422e11bcddeb72170d97ba0093e29cc0ad07bb78e1c61c571f2553b

Download Submit
memory/1640-101-0x0000000004500000-0x00000000054D0000-memory.dmp

Filesize
15.8MB

Download
memory/1640-102-0x00000000059F0000-0x0000000005D3E000-memory.dmp

Filesize
3.3MB

Download
memory/1640-103-0x00000000059F0000-0x0000000005D3E000-memory.dmp

Filesize
3.3MB

Download
memory/3508-88-0x0000017C7FC60000-0x0000017C7FDFE000-memory.dmp

Filesize
1.6MB

Download
memory/3508-85-0x00007FF765530000-0x00007FF765628000-memory.dmp

Filesize
992KB

Download
memory/3508-86-0x0000000064370000-0x00000000644FD000-memory.dmp

Filesize
1.6MB

Download
memory/3508-80-0x0000017C7FC60000-0x0000017C7FDFE000-memory.dmp

Filesize
1.6MB

Download