Overview

overview

7

Static

static

1

msi1217YD.msi

windows7-x64

7

msi1217YD.msi

windows10-1703-x64

7

msi1217YD.msi

windows10-2004-x64

7

msi1217YD.msi

windows11-21h2-x64

7

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-01-2024 17:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    msi1217YD.msi

  • Size

    112.2MB

  • MD5

    73de0e9331c6fa90bc0b78d1fd8371e7

  • SHA1

    df579476fbcb6b0848b73fcf52c7879461d838a8

  • SHA256

    b0a480c9a1e292b18a55b8d79bc3efccdb2936510226b0f313d14df8ac67627f

  • SHA512

    57e985d3044e2597cf5c22207694c95268aff713c3d80a70332e54607a3fe8ec07a451593c65a55cb2c4228c830fab9d3be86141222784834b845b7738014e73

  • SSDEEP

    3145728:4B4swQOP2kt4/iUOsdQidkLgvEtRxGH2/ril:4BxOhS/iUZ7dNE1GW/ril

Score
7/10
vmprotect

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 9 IoCs
  • VMProtect packed file 10 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 25 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\msi1217YD.msi
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3356
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3792
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding A91AB6D6049D6297932EAD87F372F74D C
      2⤵
      • Loads dropped DLL
      PID:320
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:2108
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 3316A1D3E4FA3C22E00EC97A84D9B278
        2⤵
        • Loads dropped DLL
        PID:4776
      • C:\Windows\Installer\MSIA74F.tmp
        "C:\Windows\Installer\MSIA74F.tmp" /EnforcedRunAsAdmin /RunAsAdmin "C:\Users\Admin\AppData\Roaming\YOUDAO\217.bat"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:1592
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\System32\cmd.exe" /C ""C:\Users\Admin\AppData\Roaming\YOUDAO\217.bat" "
          3⤵
          • Checks computer location settings
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:116
          • C:\Users\Admin\AppData\Roaming\YOUDAO\WinRAR.exe
            C:\Users\Admin\AppData\Roaming\YOUDAO\WinRAR.exe x -p7758523s -ibck 1.zip tiak.exe
            4⤵
            • Executes dropped EXE
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            PID:440
          • C:\Windows\SysWOW64\WScript.exe
            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\YOUDAO\3.vbs"
            4⤵
            • Checks computer location settings
            • Suspicious use of WriteProcessMemory
            PID:3644
            • C:\Windows\SysWOW64\cmd.exe
              "C:\Windows\System32\cmd.exe" /c del %cd%\66.bat
              5⤵
                PID:2192
              • C:\Users\Admin\AppData\Roaming\YOUDAO\tiak.exe
                "C:\Users\Admin\AppData\Roaming\YOUDAO\tiak.exe"
                5⤵
                • Executes dropped EXE
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:3648
                • C:\tkhkel\help360.exe
                  C:\tkhkel\help360.exe
                  6⤵
                  • Checks computer location settings
                  • Executes dropped EXE
                  • Drops file in Windows directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of WriteProcessMemory
                  PID:4676
                  • C:\windows\Runn\Yloux.exe
                    "C:\windows\Runn\Yloux.exe"
                    7⤵
                    • Executes dropped EXE
                    • Enumerates connected drives
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of SetWindowsHookEx
                    PID:468
                • C:\Program Files\Internet Explorer\iexplore.exe
                  "C:\Program Files\Internet Explorer\iexplore.exe" https://sms-activate.ru/cn/getNumber
                  6⤵
                  • Modifies Internet Explorer settings
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SetWindowsHookEx
                  • Suspicious use of WriteProcessMemory
                  PID:3940
                  • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3940 CREDAT:17410 /prefetch:2
                    7⤵
                    • Modifies Internet Explorer settings
                    • Modifies registry class
                    • Suspicious use of SetWindowsHookEx
                    PID:348
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ping 127.0.0.1 -n 5 &del "C:\Users\Admin\AppData\Roaming\YOUDAO\tiak.exe"
                  6⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2448
                  • C:\Windows\SysWOW64\PING.EXE
                    ping 127.0.0.1 -n 5
                    7⤵
                    • Runs ping.exe
                    PID:312
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:2608
      • C:\Windows\system32\AUDIODG.EXE
        C:\Windows\system32\AUDIODG.EXE 0x344 0x3d0
        1⤵
          PID:2332

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Config.Msi\e57a0d5.rbs
          Filesize

          300KB

          MD5

          fb4de747a88d0b1fa4d0c413741dbded

          SHA1

          c1c013c5de8d8aa3f4f390834d8cf4c4915ac57d

          SHA256

          7f774f0fc4207a5c58ca9cf56b0a73075d6043178f4d97ab93ae6a398195c4ba

          SHA512

          743b8596ec43f08b9d489a83531af78d52e3cf81e070b9a6cafbc1171198b7e151e9894ec8e586e6b1a4333b12a571c38bb57e4fa92df4684989bd91d3ac89ef

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          471B

          MD5

          6c9b222cd1e44e41ad93ba8d2fcb6512

          SHA1

          b00df12a3bb2efd842f545c288b4bc948fc0de8f

          SHA256

          4d9577e0b9cdb6fd342f66ed39177a482fa460da255f954dcd6a32b88385727d

          SHA512

          809faeef601ca22eba46491747fc7dbb4ce292aaff753ec0041cd85121fbf914f78a23bed0882ce89712a0ebdc52d3aaedad71e9e98e194c62289577c82f5507

          Download Submit

        • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
          Filesize

          404B

          MD5

          86a76405020a548c7776072fea7ffa2e

          SHA1

          bfe85468c8d2ae9d5747b7e9014ef74b85c27bc3

          SHA256

          01ce71cb8a9a20aa75c506f5f78b3658c27da3ff4fd254ec492c89d89667f849

          SHA512

          e3109e29298cb9700f54c3a02a8356c25bbe7447548d02e69d42320338fe653ef54903884e0a85d87c47b4b7a921baa53ed9e495066fadc215533b7c7e158247

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\JAH3CXGZ\sms-activate[1].xml
          Filesize

          267B

          MD5

          27a23a23109662c91cc3d63426b6bcf0

          SHA1

          4500a19ee0246ab6757d02a8870ee29a2caa265c

          SHA256

          5d5150d46a2e2dd2a61835e37eb3463cf8d1f1de332d3fa17c937ed2bc0e97cd

          SHA512

          e25a938e390d7e6712b9f1a2faf23bc2f4d532a4aa807953109943f9c68e7013ef5b89833c96b4abd513d61babfa1a0720a56b7193231205b196c6f624c8d1a7

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\JAH3CXGZ\sms-activate[1].xml
          Filesize

          681B

          MD5

          210a39e83fea22b0fcbc3b957fef02ad

          SHA1

          c67c0a29de9519f9818f84f1d0f11f947a5bf02d

          SHA256

          8b4f6d0623e7a38646be3e7746f35f670539dc189498d141ef3b335d06648cda

          SHA512

          5babef2d03958d628e87a3a833156e4a077fe34ecd6adf262d7ffc4ca040789c48c408ba5285cd3609c40da4e46b8f25d552a69c1fcf20eb02c8b3df9197c2e8

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\JAH3CXGZ\sms-activate[1].xml
          Filesize

          2KB

          MD5

          3051763a18f15ddda594ba963ee63d3f

          SHA1

          aa8c626791a2971015a76980e056092333f83151

          SHA256

          04010176ff33e117fad48e73dc4b10bd80badd2d1a9b4a23c07bdbcc337dceb2

          SHA512

          30835883bdf1bc856d991664c6e167bf01a458fc6c5a3957d1cb9ab40482a3a302687b706477eecdd832623bcc8cdbd88a999e32325b5637fc3850fb60e76d63

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver4C46.tmp
          Filesize

          15KB

          MD5

          1a545d0052b581fbb2ab4c52133846bc

          SHA1

          62f3266a9b9925cd6d98658b92adec673cbe3dd3

          SHA256

          557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

          SHA512

          bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\buhspo8\imagestore.dat
          Filesize

          832B

          MD5

          37f1e6aecb4256a594415a19e130b6f2

          SHA1

          9b996919e2381c9805d52ad84ef40b0d97294f3c

          SHA256

          d9c7ad04dee9670e18f1062f440d50abad7687bfdaeb346eed22241c81ced578

          SHA512

          69984985d56bac443d87048ca5daa94a013da56096ea7cf13de7ea167a006d10c9a04b25e74bca60a560a40db13e2087056fa42a09057b0ca48e12b8951cba5f

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\BMK4G1YN\analytics[1].js
          Filesize

          51KB

          MD5

          575b5480531da4d14e7453e2016fe0bc

          SHA1

          e5c5f3134fe29e60b591c87ea85951f0aea36ee1

          SHA256

          de36e50194320a7d3ef1ace9bd34a875a8bd458b253c061979dd628e9bf49afd

          SHA512

          174e48f4fb2a7e7a0be1e16564f9ed2d0bbcc8b4af18cb89ad49cf42b1c3894c8f8e29ce673bc5d9bc8552f88d1d47294ee0e216402566a3f446f04aca24857a

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ISEWAASI\activate_favicon[1].png
          Filesize

          624B

          MD5

          49fd14489af959c08d1f0cc073788fd6

          SHA1

          f5a22605926a80dab3114f170e069a3d97a72ff3

          SHA256

          29c11b104967a9b054c179230a8faa99033044ff106a0b49acbbc604e53a4e3d

          SHA512

          a313b8a913caa79d30002eddc491cf66297d7011ac6f3376129cb97bd581fc832848eab2fd336a37949f5813732fdb229935a3907875ac077e39b86162f0f831

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ISEWAASI\suggestions[1].en-US
          Filesize

          17KB

          MD5

          5a34cb996293fde2cb7a4ac89587393a

          SHA1

          3c96c993500690d1a77873cd62bc639b3a10653f

          SHA256

          c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

          SHA512

          e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\MSI56DA.tmp
          Filesize

          557KB

          MD5

          db7612f0fd6408d664185cfc81bef0cb

          SHA1

          19a6334ec00365b4f4e57d387ed885b32aa7c9aa

          SHA256

          e9e426b679b3efb233f03c696e997e2da3402f16a321e954b54454317fceb240

          SHA512

          25e129cb22aaabc68c42ecf10bb650ac4d0609b12c08703c780572bac7ecf4559fcc49cd595c56ea48cf55260a984cfa333c08307ffb7c62268b03fbecc724b9

          Download Submit

        • C:\Users\Admin\AppData\Roaming\YOUDAO\1.zip
          Filesize

          1.3MB

          MD5

          b759d283d1e318ac76757be8787585ef

          SHA1

          b0b18c0ea22a823d2ee32ad702a6f615304b1955

          SHA256

          94a5ed168fe2adea5e57ef7edd72b3137b74da62d527b467a9a3f3785040b5a7

          SHA512

          273d651d6db2e8f90d55fcf1c98f8d32a52c0fc5e8b16c6008f01b7a092e6c44457502c3250c3fb25134efd3e60214d4b311c059edcd98c7b02e3a012a3d2b88

          Download Submit

        • C:\Users\Admin\AppData\Roaming\YOUDAO\217.bat
          Filesize

          91B

          MD5

          cb242c95a12c2107f242a0f1620216e1

          SHA1

          899cf47f75e292d4a3696b23df68e19b090c0218

          SHA256

          429376ad0492dd8b4e03dc113888cbce866b5e9b6c3e72c82c6ee3fc006f6e6f

          SHA512

          42d56db973fa3c9f7c414d4a9f4bffe28e089ad542556ae054a0b15f264c4060d3777064461920a0fd864a57bea715f71daf5c858f6c66d960587ade3b457e4c

          Download Submit

        • C:\Users\Admin\AppData\Roaming\YOUDAO\3.vbs
          Filesize

          439B

          MD5

          ff1eac510e2fb9c00a39ee817826be7b

          SHA1

          36485d145164c922d8c4ff92fa879bdba1a9ad5e

          SHA256

          e96ecf797d784b8bab8d70a264f1fd6ca6b679a477af4bf6887f6635f8d42bcd

          SHA512

          d44f4cc8445371636c9a728817a4d8321220968ff70955c3dec0a7521b1741972aa92a1190a1e0b4d08770ef0e806a84226836d8ca0ff20d21355a96cc214d2f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\YOUDAO\WinRAR.exe
          Filesize

          1.4MB

          MD5

          833ee6c5e8470e6854bed0348bbf8600

          SHA1

          ba69f4184273952bc6231b6252129c2f2e150272

          SHA256

          aebeda4a23149ee31782de62c3f8af89a85f2438d7eb3ea2dbfcdbc41e3fdaac

          SHA512

          ade97e3348aa70a7c4b9b10ba97d106e24f08ada5f16789f439e05f5eb95e58cd84d24526a0e963466a1bfca0c2fcd874a0db24b430b502cc553c9368f20c9ff

          Download Submit

        • C:\Users\Admin\AppData\Roaming\YOUDAO\tiak.exe
          Filesize

          1.2MB

          MD5

          42e3ebd0f79da4cd7b464c2f034e6102

          SHA1

          aa954817d34d516a7b72449a80f90698f6449371

          SHA256

          fe9ba273060ebd8d19b253466bc029c452c6e5189b1cb126cfb002e0cad409b9

          SHA512

          322d1613d94b45846b16cda0fd8f14ff438231915b495ed70ea469ed2e455928c120b807ed114be7302d38b4c1807e8590e6c5a3081deef829409d2a1aa0443f

          Download Submit

        • C:\Users\Admin\AppData\Roaming\YOUDAO\tiak.exe
          Filesize

          1.4MB

          MD5

          d370fb110dbfa214821fbe64a3a4f293

          SHA1

          e246be2fe719044c6e0f6087228e47e633d86656

          SHA256

          7ff1e34f072af0a47b35f51e2a6ae96bec0c8843f2a64d0e8a9d47d1a9a0932b

          SHA512

          903b01ab627ea4770562b90e14ec9b6a916921dad94e510642bdb6c324bb7ca12826faef0feae3ac87d4b628c4656f2e5f7ee743165574a9bbbe79329a89f34a

          Download Submit

        • C:\Windows\Installer\MSIA74F.tmp
          Filesize

          409KB

          MD5

          f7e1ad874fba884ceabfdb0f8edf74bb

          SHA1

          dcd89a248a6e3d85bb3f7eae624a41cef9704654

          SHA256

          bbce37f9e20f5bc59ab45dc49c985d115b13bb214561ddb874118fd91fb52ce8

          SHA512

          5e59de04305aff37703e928a594b9114fb728e3285c09aae7706339d9f9ee77652271de5899738e8410d13224838efb3e30f5ab4e149c21458d3c971010dd209

          Download Submit

        • C:\Windows\Installer\e57a0d4.msi
          Filesize

          222KB

          MD5

          cc65ec74a8d179bd83070679cc7779d1

          SHA1

          2878caed0d9af0fc08b3e0060427802a60710544

          SHA256

          7ba6d6a43e173d500e7f155c3cb08c93a2bf8c578503bb8f6746bff7c4ac8f1e

          SHA512

          7e7a7ce6c742697c0413911b97ca04a259f0ee3e6c61161c3c18d7f7ceb0a528d0a31f6fd3b7643790ae3eb8fcf3794bde966a6a9686c3c24957d6ec893ff263

          Download Submit

        • C:\Windows\Runn\Yloux.exe
          Filesize

          360KB

          MD5

          31a53ed65fb85e263a4df3f2c14c6acd

          SHA1

          6cfe843aa773536aa367ac28f7ea178dedabd629

          SHA256

          fb639a750be5dc0aebca629cd509503d7b16874803908a05f6afa6be4cc83fe9

          SHA512

          0179f931fdd544dadd05d42b033dbd8d4c75a90b245d259336bd34401c5d5571982a8fdb2cd11a622d6084ac453421ada47e83eacc7cf3bcbcd55223caa1ac0e

          Download Submit

        • C:\Windows\Runn\Yloux.exe
          Filesize

          316KB

          MD5

          986a856134e8a25c6c89db5900c3ee1d

          SHA1

          2ccf8d319fa6366d7fd1c6c0c123ca164f1bded1

          SHA256

          e43967a82cebc8e24545290e9abcdf2d40bf771ba43748d6f47cf68fd7e3fcd3

          SHA512

          b08fce1a0eed02dfddbcd5d95db2b22cf1f1fae3e0f29ae4c797372f7c866e2002de784114b0b2fb0e79a6e254c84330552051695875795c0243624f8d1d5fcc

          Download Submit

        • C:\tkhkel\help360.exe
          Filesize

          126KB

          MD5

          10cfb325cca3a1f89e465e9f42aab06f

          SHA1

          c9ccc603060ed690d9e20c03cf4ffb4946b1fbff

          SHA256

          a3d93b29524a9d136fb9d713661a2d463360f57194068ff0c713f7e99f334d75

          SHA512

          bf7a7ec71da9d490ea622488a3dd1e800b5dcdd903b7ddc663f93e537b5393329c258332f0f412fd65d0a5973edd6aa0208522bd5ab54ad54082d119c7425d4a

          Download Submit

        • C:\tkhkel\help360.exe
          Filesize

          75KB

          MD5

          f974852383efa2d205757c68ae54ae9a

          SHA1

          458d590a7cd2263754e852c908b1f382767376db

          SHA256

          eabf19a26e07fbb9154ccb5a2702fbe12e61cfa2bc55f288ab9587b3d2da9932

          SHA512

          5002c4138ec209406de908afed9922d01a25cdaf1b46474fb4fdad2dbe09f948a9654a39557922231a5c375c473f237c13070abdeca359a6091e96b980738620

          Download Submit

        • C:\windows\Runn\1.bin
          Filesize

          176KB

          MD5

          3d7d682f44b0b12b5518d3e9c6c11d2a

          SHA1

          23869cb52e797c0f5c64364af8c78c49c71b9c27

          SHA256

          702eb45ead6494f36944f5d16e5aef30de138c6d16fdf92eedd098fb59fa5347

          SHA512

          6295f519308b8ccd4ce6cea1058340dc25fdba5414a44c8c952437dc2cdea42b783e476ded8c855d0423895c1e8d0667eda817d956322d78ceeb5e10139af550

          Download Submit

        • C:\windows\Runn\Yloux.exe
          Filesize

          352KB

          MD5

          17783da96bb57020095ae6f995a9c99e

          SHA1

          90eba8ed395e2d3ac01acf23253a58a2cc976b11

          SHA256

          89a40fa5507b919fa1eb59af75d08790e5604bb0cdfe33fa02eee3ae0be9113f

          SHA512

          a0716e0f1e6100a2ab9b840f876a6b9c01338a7ba361bf33d1fd699891e661d0c26a6183ea8f7e488c8377db352950e1f54eb46042961ad20fc6360aa7e7a1c5

          Download Submit

        • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
          Filesize

          132KB

          MD5

          65457d5a622ae4e7e1038fef020366ce

          SHA1

          73236fd948b2f26fdefa1d5d808f974bf2d1b6d1

          SHA256

          90647bb378de0be49e118b6f3a4dfce15da8a978aaad36c77817a3acac41765b

          SHA512

          267f38f497f6576c31e5ecf0cccc1e34afe55e8526cd08aeaf110008635b7b4c8ae629cc1270a471aed3eea9ed20e767c10f587310ed41e9b4f3c8af1a0fc7aa

          Download Submit

        • \??\Volume{6479dd83-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f485329c-bb9a-45f5-866e-4ca2db3758bd}_OnDiskSnapshotProp
          Filesize

          6KB

          MD5

          41f09068a92a2e921df49a6c96c67238

          SHA1

          93d9107a5462cc19e655ab7376a6c1731391d5a0

          SHA256

          61336a194b35070224883e3a0c4912eda0366823e945a8c4c62d0849ebcab397

          SHA512

          45c0724f7f05a20c6c668dfd51fe5bfce0f1b2b9877387cf6a69d573e926f2bd5e0eb1b1df28c798e8704737b1957af7c07a3fe24331db04c95e55e3df831d6b

          Download Submit

        • memory/468-502-0x0000000002FF0000-0x0000000003034000-memory.dmp

          Filesize

          272KB

          Download

        • memory/468-485-0x0000000000BB0000-0x0000000000BDD000-memory.dmp

          Filesize

          180KB

          Download

        • memory/468-553-0x0000000002FF0000-0x0000000003034000-memory.dmp

          Filesize

          272KB

          Download

        • memory/468-551-0x0000000180000000-0x0000000180033000-memory.dmp

          Filesize

          204KB

          Download

        • memory/468-550-0x0000000002FF0000-0x0000000003034000-memory.dmp

          Filesize

          272KB

          Download

        • memory/468-549-0x0000000180000000-0x0000000180033000-memory.dmp

          Filesize

          204KB

          Download

        • memory/468-531-0x0000000002FF0000-0x0000000003034000-memory.dmp

          Filesize

          272KB

          Download

        • memory/468-508-0x0000000002FF0000-0x0000000003034000-memory.dmp

          Filesize

          272KB

          Download

        • memory/468-504-0x0000000000400000-0x0000000000590000-memory.dmp

          Filesize

          1.6MB

          Download

        • memory/468-500-0x0000000002DB0000-0x0000000002DEE000-memory.dmp

          Filesize

          248KB

          Download

        • memory/468-503-0x0000000002FF0000-0x0000000003034000-memory.dmp

          Filesize

          272KB

          Download

        • memory/468-497-0x0000000180000000-0x0000000180033000-memory.dmp

          Filesize

          204KB

          Download

        • memory/468-488-0x0000000180000000-0x0000000180033000-memory.dmp

          Filesize

          204KB

          Download

        • memory/468-495-0x0000000180000000-0x0000000180033000-memory.dmp

          Filesize

          204KB

          Download

        • memory/468-494-0x0000000180000000-0x0000000180033000-memory.dmp

          Filesize

          204KB

          Download

        • memory/468-496-0x0000000180000000-0x0000000180033000-memory.dmp

          Filesize

          204KB

          Download

        • memory/468-498-0x0000000180000000-0x0000000180033000-memory.dmp

          Filesize

          204KB

          Download

        • memory/468-499-0x0000000002FF0000-0x0000000003034000-memory.dmp

          Filesize

          272KB

          Download

        • memory/3648-117-0x0000000000400000-0x00000000017E3000-memory.dmp

          Filesize

          19.9MB

          Download

        • memory/3648-110-0x0000000001990000-0x0000000001991000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3648-119-0x00000000035D0000-0x00000000035D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3648-111-0x0000000001AC0000-0x0000000001AC1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3648-133-0x0000000000400000-0x00000000017E3000-memory.dmp

          Filesize

          19.9MB

          Download

        • memory/3648-115-0x0000000001B10000-0x0000000001B11000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3648-116-0x00000000035C0000-0x00000000035C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3648-114-0x0000000001B00000-0x0000000001B01000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3648-113-0x0000000000400000-0x00000000017E3000-memory.dmp

          Filesize

          19.9MB

          Download

        • memory/3648-112-0x0000000001AF0000-0x0000000001AF1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4676-487-0x00000000007A0000-0x0000000001032000-memory.dmp

          Filesize

          8.6MB

          Download

        • memory/4676-486-0x00000000007A0000-0x0000000001032000-memory.dmp

          Filesize

          8.6MB

          Download

        • memory/4676-468-0x0000000010000000-0x0000000010604000-memory.dmp

          Filesize

          6.0MB

          Download

        • memory/4676-458-0x0000000003E10000-0x0000000004410000-memory.dmp

          Filesize

          6.0MB

          Download

        • memory/4676-127-0x00000000011D0000-0x00000000011D1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4676-129-0x00000000007A0000-0x0000000001032000-memory.dmp

          Filesize

          8.6MB

          Download