bruteratel | d71bfab9cca5df6a28e12ba51fe5eaf0f9151514b3fd363264513347a8c5cf3a

Analysis

max time kernel
1788s
max time network
1807s
platform
windows11-21h2_x64
resource
win11-20240508-en
submitted
27/06/2024, 18:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

neuro.msi
Size

1.8MB
MD5

3645512add0c8cb24a88d2ffe3fe7620
SHA1

66dbfe6ffc1918f51b28af1abf55df0d1beaefe6
SHA256

d71bfab9cca5df6a28e12ba51fe5eaf0f9151514b3fd363264513347a8c5cf3a
SHA512

85151258ccb3b590716aed87c4a6a24ba74931aab0b378e279d9ab510fce94dfd26632d8ba44975e8136b1a9cc6c190e64c8b223f5f5e4f5b9cb3c6fb4a9429c
SSDEEP

49152:/YM3YuW8zBQSc0ZnSKYZKumZr7AH6odeQCC:bY90ZniK/AHHdvCC

Score

10^/10

bruteratel latrodectus backdoor discovery loader persistence privilege_escalation

Malware Config

Extracted

Family

latrodectus

https://finjuiceer.com/live/

https://trymeakafr.com/live/

Signatures

Brute Ratel C4
A customized command and control framework for red teaming and adversary simulation.
backdoor bruteratel
Bruteratel family
bruteratel

Detect BruteRatel badger 3 IoCs

resource	yara_rule
behavioral3/memory/2364-48-0x000000033A710000-0x000000033A75A000-memory.dmp	family_bruteratel
behavioral3/memory/2364-47-0x000000033A710000-0x000000033A75A000-memory.dmp	family_bruteratel
behavioral3/memory/2364-58-0x000000033A710000-0x000000033A75A000-memory.dmp	family_bruteratel

Latrodectus family
latrodectus
Latrodectus loader
Latrodectus is a loader written in C++.
loader latrodectus

Detect larodectus Loader variant 2 3 IoCs

loader

resource	yara_rule
behavioral3/memory/2364-80-0x00007FF42EF20000-0x00007FF42EF33000-memory.dmp	family_latrodectus_v2
behavioral3/memory/3320-85-0x00000000015D0000-0x00000000015E3000-memory.dmp	family_latrodectus_v2
behavioral3/memory/3320-86-0x00000000015D0000-0x00000000015E3000-memory.dmp	family_latrodectus_v2

Blocklisted process makes network request 48 IoCs

flow	pid	Process
2	2364	rundll32.exe
3	2364	rundll32.exe
5	2364	rundll32.exe
6	2364	rundll32.exe
7	2364	rundll32.exe
8	2364	rundll32.exe
10	2364	rundll32.exe
12	2364	rundll32.exe
13	2364	rundll32.exe
17	2364	rundll32.exe
18	2364	rundll32.exe
20	2364	rundll32.exe
21	2364	rundll32.exe
22	2364	rundll32.exe
23	2364	rundll32.exe
24	2364	rundll32.exe
25	2364	rundll32.exe
27	2364	rundll32.exe
28	2364	rundll32.exe
29	2364	rundll32.exe
30	2364	rundll32.exe
31	2364	rundll32.exe
32	2364	rundll32.exe
33	2364	rundll32.exe
34	2364	rundll32.exe
35	2364	rundll32.exe
36	2364	rundll32.exe
37	2364	rundll32.exe
38	2364	rundll32.exe
39	2364	rundll32.exe
40	2364	rundll32.exe
41	2364	rundll32.exe
42	2364	rundll32.exe
43	2364	rundll32.exe
44	2364	rundll32.exe
45	2364	rundll32.exe
46	2364	rundll32.exe
47	2364	rundll32.exe
48	2364	rundll32.exe
49	2364	rundll32.exe
50	2364	rundll32.exe
51	2364	rundll32.exe
52	2364	rundll32.exe
53	2364	rundll32.exe
54	2364	rundll32.exe
55	2364	rundll32.exe
56	2364	rundll32.exe
57	2364	rundll32.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3107365284-1576850094-161165143-1000\Software\Microsoft\Windows\CurrentVersion\Run\funeral = "rundll32 \"C:\\Users\\Admin\\AppData\\Roaming\\capisp.dll\", remi"	rundll32.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF2E1022B6BB0E5F99.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI84D2.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8405.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8454.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{659E647F-C518-49D5-BEA8-CCE98FBB9612}	msiexec.exe
File created	C:\Windows\SystemTemp\~DF4ADE845D164A53CC.TMP	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8540.tmp	msiexec.exe
File created	C:\Windows\Installer\e5783b7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5783b7.msi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
5004	MSI8540.tmp

Loads dropped DLL 9 IoCs

pid	Process
1924	MsiExec.exe
1924	MsiExec.exe
1924	MsiExec.exe
1924	MsiExec.exe
1924	MsiExec.exe
1924	MsiExec.exe
3208	MsiExec.exe
3208	MsiExec.exe
2364	rundll32.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
852	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSI8540.tmp

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000d96f655da10588100000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000d96f655d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900d96f655d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dd96f655d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000d96f655d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1436	msiexec.exe
1436	msiexec.exe
5004	MSI8540.tmp
5004	MSI8540.tmp
2364	rundll32.exe
2364	rundll32.exe
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
3320	Explorer.EXE
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe
2364	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	852	msiexec.exe
Token: SeIncreaseQuotaPrivilege	852	msiexec.exe
Token: SeSecurityPrivilege	1436	msiexec.exe
Token: SeCreateTokenPrivilege	852	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	852	msiexec.exe
Token: SeLockMemoryPrivilege	852	msiexec.exe
Token: SeIncreaseQuotaPrivilege	852	msiexec.exe
Token: SeMachineAccountPrivilege	852	msiexec.exe
Token: SeTcbPrivilege	852	msiexec.exe
Token: SeSecurityPrivilege	852	msiexec.exe
Token: SeTakeOwnershipPrivilege	852	msiexec.exe
Token: SeLoadDriverPrivilege	852	msiexec.exe
Token: SeSystemProfilePrivilege	852	msiexec.exe
Token: SeSystemtimePrivilege	852	msiexec.exe
Token: SeProfSingleProcessPrivilege	852	msiexec.exe
Token: SeIncBasePriorityPrivilege	852	msiexec.exe
Token: SeCreatePagefilePrivilege	852	msiexec.exe
Token: SeCreatePermanentPrivilege	852	msiexec.exe
Token: SeBackupPrivilege	852	msiexec.exe
Token: SeRestorePrivilege	852	msiexec.exe
Token: SeShutdownPrivilege	852	msiexec.exe
Token: SeDebugPrivilege	852	msiexec.exe
Token: SeAuditPrivilege	852	msiexec.exe
Token: SeSystemEnvironmentPrivilege	852	msiexec.exe
Token: SeChangeNotifyPrivilege	852	msiexec.exe
Token: SeRemoteShutdownPrivilege	852	msiexec.exe
Token: SeUndockPrivilege	852	msiexec.exe
Token: SeSyncAgentPrivilege	852	msiexec.exe
Token: SeEnableDelegationPrivilege	852	msiexec.exe
Token: SeManageVolumePrivilege	852	msiexec.exe
Token: SeImpersonatePrivilege	852	msiexec.exe
Token: SeCreateGlobalPrivilege	852	msiexec.exe
Token: SeCreateTokenPrivilege	852	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	852	msiexec.exe
Token: SeLockMemoryPrivilege	852	msiexec.exe
Token: SeIncreaseQuotaPrivilege	852	msiexec.exe
Token: SeMachineAccountPrivilege	852	msiexec.exe
Token: SeTcbPrivilege	852	msiexec.exe
Token: SeSecurityPrivilege	852	msiexec.exe
Token: SeTakeOwnershipPrivilege	852	msiexec.exe
Token: SeLoadDriverPrivilege	852	msiexec.exe
Token: SeSystemProfilePrivilege	852	msiexec.exe
Token: SeSystemtimePrivilege	852	msiexec.exe
Token: SeProfSingleProcessPrivilege	852	msiexec.exe
Token: SeIncBasePriorityPrivilege	852	msiexec.exe
Token: SeCreatePagefilePrivilege	852	msiexec.exe
Token: SeCreatePermanentPrivilege	852	msiexec.exe
Token: SeBackupPrivilege	852	msiexec.exe
Token: SeRestorePrivilege	852	msiexec.exe
Token: SeShutdownPrivilege	852	msiexec.exe
Token: SeDebugPrivilege	852	msiexec.exe
Token: SeAuditPrivilege	852	msiexec.exe
Token: SeSystemEnvironmentPrivilege	852	msiexec.exe
Token: SeChangeNotifyPrivilege	852	msiexec.exe
Token: SeRemoteShutdownPrivilege	852	msiexec.exe
Token: SeUndockPrivilege	852	msiexec.exe
Token: SeSyncAgentPrivilege	852	msiexec.exe
Token: SeEnableDelegationPrivilege	852	msiexec.exe
Token: SeManageVolumePrivilege	852	msiexec.exe
Token: SeImpersonatePrivilege	852	msiexec.exe
Token: SeCreateGlobalPrivilege	852	msiexec.exe
Token: SeCreateTokenPrivilege	852	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	852	msiexec.exe
Token: SeLockMemoryPrivilege	852	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
852	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1436 wrote to memory of 1924	1436	msiexec.exe	80
PID 1436 wrote to memory of 1924	1436	msiexec.exe	80
PID 1436 wrote to memory of 1924	1436	msiexec.exe	80
PID 1436 wrote to memory of 1832	1436	msiexec.exe	84
PID 1436 wrote to memory of 1832	1436	msiexec.exe	84
PID 1436 wrote to memory of 3208	1436	msiexec.exe	86
PID 1436 wrote to memory of 3208	1436	msiexec.exe	86
PID 1436 wrote to memory of 3208	1436	msiexec.exe	86
PID 1436 wrote to memory of 5004	1436	msiexec.exe	87
PID 1436 wrote to memory of 5004	1436	msiexec.exe	87
PID 1436 wrote to memory of 5004	1436	msiexec.exe	87
PID 2364 wrote to memory of 3320	2364	rundll32.exe	52

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3320
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\neuro.msi
  2⤵
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:852
- C:\Windows\System32\rundll32.exe
  "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\capisp.dll, remi
  2⤵
  - Blocklisted process makes network request
  - Adds Run key to start application
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2364

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1436
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9F699AA4579F39DBE99ECDF1B7F56E30 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:1924
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1832
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 36FC8D36929C988BEDE8251748CED15C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3208
- C:\Windows\Installer\MSI8540.tmp
  "C:\Windows\Installer\MSI8540.tmp" C:/Windows/System32/rundll32.exe C:\Users\Admin\AppData\Roaming\capisp.dll, remi
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:5004

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:4988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\MSI685F.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Users\Admin\AppData\Roaming\capisp.dll

Filesize
1.2MB

MD5
70b599f67e97cb878ca7be88e069a82d

SHA1
768f8a179fee1f13505c7b772e543b19b29b14c8

SHA256
9b7bdb4cb71e84c5cff0923928bf7777a41cb5e0691810ae948304c151c0c1c5

SHA512
163c8e0b2676a27f1781e9fdec3c9994ba828c0085b9fdff9df4dd0112da122a5d7f6ca597af396f99c2afadbe438e1ab967dfba34451ee4ba3c59cd244b4985

Download Submit
C:\Windows\Installer\MSI8540.tmp

Filesize
389KB

MD5
b9545ed17695a32face8c3408a6a3553

SHA1
f6c31c9cd832ae2aebcd88e7b2fa6803ae93fc83

SHA256
1e0e63b446eecf6c9781c7d1cae1f46a3bb31654a70612f71f31538fb4f4729a

SHA512
f6d6dc40dcba5ff091452d7cc257427dcb7ce2a21816b4fec2ee249e63246b64667f5c4095220623533243103876433ef8c12c9b612c0e95fdfffe41d1504e04

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
12.8MB

MD5
3d7c8b2483492365f7ef2152997f142c

SHA1
f000c295692a3447c9fa00fa256a95ceaec6de75

SHA256
16c9eca25a3f1c6377477d838f776cedc64a6233ab7b9bb20b15fecf3ed54ed4

SHA512
b789e53cb434fc7d82ddb4b27b4cda222d3a1e0ea65de2625c9e344aecc78b4da1790d15a10868583cdba8197aded26457fd7ad3e3293d7f19e0877d5cb82249

Download Submit
\??\Volume{5d656fd9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0c879899-a532-4726-afcc-600f35c924d3}_OnDiskSnapshotProp

Filesize
6KB

MD5
52fb2c5ad840f3507a6ff4b3636e44fe

SHA1
113e4f70c539d6c0435b0618b05395f9161b1b98

SHA256
38e944d07e974a479408eb9620e98fb28f5e0a5dcde6a735476e43118bf3665a

SHA512
47f4d4a43096919d5b126402fe4bf339c1bb8aa93e7fc60df0af648912659fb8d3d12d975ba835d637be3850edc912aaadc568b3ea3b4dff899fe4dec7c40328

Download Submit
memory/2364-84-0x00007FF42EEE0000-0x00007FF42EEE1000-memory.dmp

Filesize
4KB

Download
memory/2364-82-0x00007FF42EF00000-0x00007FF42EF01000-memory.dmp

Filesize
4KB

Download
memory/2364-47-0x000000033A710000-0x000000033A75A000-memory.dmp

Filesize
296KB

Download
memory/2364-48-0x000000033A710000-0x000000033A75A000-memory.dmp

Filesize
296KB

Download
memory/2364-69-0x0000000180000000-0x000000018013A000-memory.dmp

Filesize
1.2MB

Download
memory/2364-78-0x00007FF42EEF0000-0x00007FF42EEF1000-memory.dmp

Filesize
4KB

Download
memory/2364-77-0x00007FF42EF00000-0x00007FF42EF01000-memory.dmp

Filesize
4KB

Download
memory/2364-49-0x0000023566720000-0x000002356676C000-memory.dmp

Filesize
304KB

Download
memory/2364-83-0x00007FF42EEF0000-0x00007FF42EEF1000-memory.dmp

Filesize
4KB

Download
memory/2364-58-0x000000033A710000-0x000000033A75A000-memory.dmp

Filesize
296KB

Download
memory/2364-81-0x00007FF42EF10000-0x00007FF42EF11000-memory.dmp

Filesize
4KB

Download
memory/2364-80-0x00007FF42EF20000-0x00007FF42EF33000-memory.dmp

Filesize
76KB

Download
memory/2364-79-0x00007FF42EF40000-0x00007FF42EF41000-memory.dmp

Filesize
4KB

Download
memory/2364-76-0x00007FF42EF10000-0x00007FF42EF11000-memory.dmp

Filesize
4KB

Download
memory/2364-75-0x00007FF42EF20000-0x00007FF42EF21000-memory.dmp

Filesize
4KB

Download
memory/2364-74-0x00007FF42EF30000-0x00007FF42EF31000-memory.dmp

Filesize
4KB

Download
memory/2364-73-0x00007FF42EF40000-0x00007FF42EF41000-memory.dmp

Filesize
4KB

Download
memory/2364-97-0x0000023566720000-0x000002356676C000-memory.dmp

Filesize
304KB

Download
memory/3320-86-0x00000000015D0000-0x00000000015E3000-memory.dmp

Filesize
76KB

Download
memory/3320-85-0x00000000015D0000-0x00000000015E3000-memory.dmp

Filesize
76KB

Download