1602a807b162c379770efd0f8dc96af3eb926dce03042397c2ccc23f6b525ebf

Analysis

max time kernel
100s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 18:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1602a807b162c379770efd0f8dc96af3eb926dce03042397c2ccc23f6b525ebf.msi
Size

5.0MB
MD5

0deea78b6ac2236f701fa82cb5c10918
SHA1

93d39ca0a3047db121460ad61057fadc059b6c3d
SHA256

1602a807b162c379770efd0f8dc96af3eb926dce03042397c2ccc23f6b525ebf
SHA512

d5393c01ee510397cbce9264b4f87ed6d79f2b3ee4cea3f9b4fca4e5ce70c08ddb3f210327375f9cdca267408125274362ebe6cf79270881bb73dc5154e24587
SSDEEP

98304:sVHYDgFMyclbrPcGJ1Ea2x3PoFpSSgGN6o:QNMyI/t0foFpngGN6o

Score

6^/10

execution persistence privilege_escalation

Malware Config

Signatures

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msiexec.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ManualsViewerUpdater = "cmd /c \"start /min /d \"C:\\Users\\Admin\\AppData\\Local\\ManualsViewer\\\" node.exe update.js --reboot\""	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 17 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e57dbe9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57dbe9.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI18D3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1AAD.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE2A4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE302.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1CC1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D20.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBA3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1923.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9E5CF1E9-AB5B-402B-A63F-F95DFFD84B31}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1A0F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1962.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1A5E.tmp	msiexec.exe

Loads dropped DLL 18 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid	process
1236	MsiExec.exe
1236	MsiExec.exe
1236	MsiExec.exe
1236	MsiExec.exe
1236	MsiExec.exe
1236	MsiExec.exe
1236	MsiExec.exe
1236	MsiExec.exe
3108	MsiExec.exe
3108	MsiExec.exe
3108	MsiExec.exe
3108	MsiExec.exe
3108	MsiExec.exe
3108	MsiExec.exe
3108	MsiExec.exe
3108	MsiExec.exe
3108	MsiExec.exe
3108	MsiExec.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

224 powershell.exe
Event Triggered Execution: Installer Packages 1 TTPs 1 IoCs
persistence privilege_escalation

Installer Packages
T1546.016

Processes:

msiexec.exe

pid process

2120 msiexec.exe

pid	process
224	powershell.exe

pid	process
2120	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005b1010511f65dd1c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005b1010510000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809005b101051000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d5b101051000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005b10105100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

powershell.exemsiexec.exe

pid process

224 powershell.exe
224 powershell.exe
224 powershell.exe
4680 msiexec.exe
4680 msiexec.exe

pid	process
224	powershell.exe
224	powershell.exe
224	powershell.exe
4680	msiexec.exe
4680	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	2120	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2120	msiexec.exe
Token: SeSecurityPrivilege	4680	msiexec.exe
Token: SeCreateTokenPrivilege	2120	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2120	msiexec.exe
Token: SeLockMemoryPrivilege	2120	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2120	msiexec.exe
Token: SeMachineAccountPrivilege	2120	msiexec.exe
Token: SeTcbPrivilege	2120	msiexec.exe
Token: SeSecurityPrivilege	2120	msiexec.exe
Token: SeTakeOwnershipPrivilege	2120	msiexec.exe
Token: SeLoadDriverPrivilege	2120	msiexec.exe
Token: SeSystemProfilePrivilege	2120	msiexec.exe
Token: SeSystemtimePrivilege	2120	msiexec.exe
Token: SeProfSingleProcessPrivilege	2120	msiexec.exe
Token: SeIncBasePriorityPrivilege	2120	msiexec.exe
Token: SeCreatePagefilePrivilege	2120	msiexec.exe
Token: SeCreatePermanentPrivilege	2120	msiexec.exe
Token: SeBackupPrivilege	2120	msiexec.exe
Token: SeRestorePrivilege	2120	msiexec.exe
Token: SeShutdownPrivilege	2120	msiexec.exe
Token: SeDebugPrivilege	2120	msiexec.exe
Token: SeAuditPrivilege	2120	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2120	msiexec.exe
Token: SeChangeNotifyPrivilege	2120	msiexec.exe
Token: SeRemoteShutdownPrivilege	2120	msiexec.exe
Token: SeUndockPrivilege	2120	msiexec.exe
Token: SeSyncAgentPrivilege	2120	msiexec.exe
Token: SeEnableDelegationPrivilege	2120	msiexec.exe
Token: SeManageVolumePrivilege	2120	msiexec.exe
Token: SeImpersonatePrivilege	2120	msiexec.exe
Token: SeCreateGlobalPrivilege	2120	msiexec.exe
Token: SeCreateTokenPrivilege	2120	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2120	msiexec.exe
Token: SeLockMemoryPrivilege	2120	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2120	msiexec.exe
Token: SeMachineAccountPrivilege	2120	msiexec.exe
Token: SeTcbPrivilege	2120	msiexec.exe
Token: SeSecurityPrivilege	2120	msiexec.exe
Token: SeTakeOwnershipPrivilege	2120	msiexec.exe
Token: SeLoadDriverPrivilege	2120	msiexec.exe
Token: SeSystemProfilePrivilege	2120	msiexec.exe
Token: SeSystemtimePrivilege	2120	msiexec.exe
Token: SeProfSingleProcessPrivilege	2120	msiexec.exe
Token: SeIncBasePriorityPrivilege	2120	msiexec.exe
Token: SeCreatePagefilePrivilege	2120	msiexec.exe
Token: SeCreatePermanentPrivilege	2120	msiexec.exe
Token: SeBackupPrivilege	2120	msiexec.exe
Token: SeRestorePrivilege	2120	msiexec.exe
Token: SeShutdownPrivilege	2120	msiexec.exe
Token: SeDebugPrivilege	2120	msiexec.exe
Token: SeAuditPrivilege	2120	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2120	msiexec.exe
Token: SeChangeNotifyPrivilege	2120	msiexec.exe
Token: SeRemoteShutdownPrivilege	2120	msiexec.exe
Token: SeUndockPrivilege	2120	msiexec.exe
Token: SeSyncAgentPrivilege	2120	msiexec.exe
Token: SeEnableDelegationPrivilege	2120	msiexec.exe
Token: SeManageVolumePrivilege	2120	msiexec.exe
Token: SeImpersonatePrivilege	2120	msiexec.exe
Token: SeCreateGlobalPrivilege	2120	msiexec.exe
Token: SeCreateTokenPrivilege	2120	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2120	msiexec.exe
Token: SeLockMemoryPrivilege	2120	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid process

2120 msiexec.exe
2120 msiexec.exe

pid	process
2120	msiexec.exe
2120	msiexec.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

msiexec.exeMsiExec.exe

description	pid	process	target process
PID 4680 wrote to memory of 1236	4680	msiexec.exe	MsiExec.exe
PID 4680 wrote to memory of 1236	4680	msiexec.exe	MsiExec.exe
PID 4680 wrote to memory of 1236	4680	msiexec.exe	MsiExec.exe
PID 4680 wrote to memory of 364	4680	msiexec.exe	srtasks.exe
PID 4680 wrote to memory of 364	4680	msiexec.exe	srtasks.exe
PID 4680 wrote to memory of 3108	4680	msiexec.exe	MsiExec.exe
PID 4680 wrote to memory of 3108	4680	msiexec.exe	MsiExec.exe
PID 4680 wrote to memory of 3108	4680	msiexec.exe	MsiExec.exe
PID 3108 wrote to memory of 224	3108	MsiExec.exe	powershell.exe
PID 3108 wrote to memory of 224	3108	MsiExec.exe	powershell.exe
PID 3108 wrote to memory of 224	3108	MsiExec.exe	powershell.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1602a807b162c379770efd0f8dc96af3eb926dce03042397c2ccc23f6b525ebf.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2120

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4680

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 7C5920B7C9E8D5CD5B844A7E87671899 C
2⤵
- Loads dropped DLL
PID:1236

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
PID:364

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding A86ACC9B0DBC971EBD1273AF9AC6BCA4
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssD0E.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiCDC.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrCDD.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrCDE.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\ManualsViewer\ManualsViewer.exe

Filesize
275KB

MD5
3e34fe938047483111053beb4bada320

SHA1
6bc5b1d97ec9f6efe792c7c4600191a75c437e8c

SHA256
d79db4add67490ec6070fb0750ab667becec4751d5316c81f8e2c6813d0fcbcd

SHA512
8ec758c9ea9a4aa066f3641d3ee3ed41d5c3417273081f65f355d28e47b11556b2457ad3770af3fef1491977f9d6c1d91be849a1eb73e1ecbc10c5ab80e66cf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI90D6.tmp

Filesize
738KB

MD5
d0c9613582605f3793fdad7279de428b

SHA1
8b3e9fb67c7beb20706544d360ee13c3aad9c1d1

SHA256
8bd84f1156ebdfa44afaac8a4579ba56a8c7513e3d51e00822167ea144923726

SHA512
3640a0f53730cad7323473f99a2049833db58eaed00f94b75b4a03b07cc8af99c104a40b2e888307055a5c9740b5fea4b394aa15bc78a3102088cc0770713eac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_qpwd40xh.g30.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssD0E.ps1

Filesize
36KB

MD5
7dc43ea8bb420287894f3fc68efd4d15

SHA1
f6b0f90586986f968cfa7958f917db8dda54de34

SHA256
579c430cd0bb6c24e614076155e245ff7acd74e8b429854acdc61e200c205395

SHA512
21a29042ac2b8796390b13ecbe5526485c420dc07da918de732b1c8088dc54198c349f2612cc4d800025e6fb4aa00db12997e46454cc2ccf9ad5efc51271ab3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrCDD.ps1

Filesize
31KB

MD5
df9bb699dfb6aa697c3263769529b815

SHA1
100ef96b36711304020d60535c4d1a2bf2b235b3

SHA256
ba6d2b558c6021fc77cb888a174137d9c9874777ab3e8caa804cf9c3e2e60733

SHA512
2498780c7bcce850f44e6a211e9b83781d8df546ef1147d383aba51dc71e72249089484f9d4c4f841c0afdd98f13348940b9209eab8093ef5e748e272f73a54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrCDE.txt

Filesize
326B

MD5
f776e6b7ddeb8374229f0bf55233df89

SHA1
1905d3af75b68aceda6424b792aaf2fe944cdce9

SHA256
ded8e2ac37eeb7c78679c99e4ad4cf3390167855c8939b1458c4246de4a2addb

SHA512
470bfd9705cd5548f157bde578a0496aea8f723e338bdabc0bffc7f68feda5db95f4d5f825529a546d0eedde3dcb50797200061a0826c1bd9c2a879d2faf967d

Download Submit
C:\Windows\Installer\MSI1A5E.tmp

Filesize
512KB

MD5
d1395cc27fabb23ff098c0954b7725a7

SHA1
b782d01c84471849d92e130e5af448de8040bd58

SHA256
a2f7155c0ce5e3c69fdcff6d89df011a6d4715eae2853104f2480800d63eb69e

SHA512
a5c531d4cb099e91a498dd738804eaf8f47573bb802d15bc550c438ca117ea61258cc886ede7b91f83b9570f73f3bd3c08718819868a1e92249fcb3d5bcdb914

Download Submit
C:\Windows\Installer\MSI1AAD.tmp

Filesize
757KB

MD5
5a72f5f620d7363c21dac3c062225203

SHA1
e083f31c15020d54e42103099dc240be4cbb7430

SHA256
b312faf20d72a4e44be87530beb446298c85fef73c79130c6d13aae6720f585c

SHA512
c742314859a75672f8e049ef52db54e48d34b48b9ee6c6e8677ae376d6f0aef6589ffdce90b37c9f8b987ea35d2ec42a07937ce0ba05f3158bf0c79a4f0db987

Download Submit
C:\Windows\Installer\MSIBA3.tmp

Filesize
759KB

MD5
a2317ebf66616e3b13218b2b9739cf74

SHA1
9fbdf90fb9d2bc93f025c16c94347eb817908d9d

SHA256
d6a3c9c614fa4491a1bd988d86687515e15edf7e0cfde2159d0850bf2c5c7c89

SHA512
8d11a2174e3ac7eefc776ff3d95ac65517c4af78f2880b84c6ce1ed65990e769cdbd5cc3d5755cc0dd9fc69a7c2408b32dde6205503f9a67ec96008c87b1f2e3

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
3e28aef8cfdeb41ac4628a83d16391f9

SHA1
d785dc24a9697302b5386aeb56d75ba60df93457

SHA256
f03213f633a59086cfdf6db6e73eabca6c24d2cbc0328f47f7e31240d7d07b16

SHA512
5a0439b8c0ea6ca13b5b8dfe8408d0826fdca70cea02b6e8d1f3623ff2956aedb09dcd74b85d45b22b31e5a99ff04f944f212fb39b938b5e4561b4abda96084e

Download Submit
\??\Volume{5110105b-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5e1874a8-dc95-4cd2-90a6-d81934f8cf82}_OnDiskSnapshotProp

Filesize
6KB

MD5
11aa4d49c499fcb62c55d5f8fbc66c41

SHA1
df5d95bfa96e5ffe7fbf4bb5a3afeee342a75e54

SHA256
806959639b27d39a2f99b80fab56ae81c808dbc3eddc0ef48d4d6811b821b18d

SHA512
0d27b9c7fb41950af4a907fef07b56240ba9f842a337bcfd60b334c42f7e29ae70a603d8c0887d1a900f44829025f134e6b7db5c0c4adc51b1ecec487143b1bc

Download Submit
memory/224-64-0x0000000006700000-0x000000000674C000-memory.dmp

Filesize
304KB

Download
memory/224-70-0x00000000086C0000-0x0000000008C64000-memory.dmp

Filesize
5.6MB

Download
memory/224-62-0x0000000006100000-0x0000000006454000-memory.dmp

Filesize
3.3MB

Download
memory/224-66-0x0000000008040000-0x00000000086BA000-memory.dmp

Filesize
6.5MB

Download
memory/224-67-0x0000000006C30000-0x0000000006C4A000-memory.dmp

Filesize
104KB

Download
memory/224-68-0x00000000076C0000-0x0000000007756000-memory.dmp

Filesize
600KB

Download
memory/224-69-0x0000000006CC0000-0x0000000006CE2000-memory.dmp

Filesize
136KB

Download
memory/224-63-0x00000000066E0000-0x00000000066FE000-memory.dmp

Filesize
120KB

Download
memory/224-52-0x0000000006090000-0x00000000060F6000-memory.dmp

Filesize
408KB

Download
memory/224-51-0x0000000006020000-0x0000000006086000-memory.dmp

Filesize
408KB

Download
memory/224-73-0x0000000007D30000-0x0000000007EF2000-memory.dmp

Filesize
1.8MB

Download
memory/224-74-0x00000000091A0000-0x00000000096CC000-memory.dmp

Filesize
5.2MB

Download
memory/224-75-0x0000000007C70000-0x0000000007D02000-memory.dmp

Filesize
584KB

Download
memory/224-50-0x0000000005730000-0x0000000005752000-memory.dmp

Filesize
136KB

Download
memory/224-49-0x0000000005980000-0x0000000005FA8000-memory.dmp

Filesize
6.2MB

Download
memory/224-48-0x0000000002DB0000-0x0000000002DE6000-memory.dmp

Filesize
216KB

Download