Analysis

  • max time kernel
    146s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-10-2024 05:43

General

  • Target

    337f603c8b740238d363cca78e8687d5_JaffaCakes118.exe

  • Size

    4.7MB

  • MD5

    337f603c8b740238d363cca78e8687d5

  • SHA1

    a6b9fce6d9bbd232d779b0fbae39a746613e4397

  • SHA256

    5a2421a99391c5deb961e8f6dbbb5a660531192c2fa279061d6d637bb9656947

  • SHA512

    e3ed5235ccc8f8b18e318baf54ebec38b2c6281be08290d2c0ba42fcdb0d4e99eefe2014904a2c75c94efbd7e3d96d0d3ee471c27334ec991f96344a32171cef

  • SSDEEP

    98304:JfyFY1bgUxBPwBwVIJMIcjE0PAK+AV/YbcDklVkH343uKS:JaFYmOPw6VIJMIcjL2wwflKH343tS

Malware Config

Signatures

  • Panda Stealer payload 2 IoCs
  • PandaStealer

    Panda Stealer is a fork of CollectorProject Stealer written in C++.

  • Drops file in Drivers directory 3 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 14 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Blocklisted process makes network request 3 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 6 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Maps connected drives based on registry 3 TTPs 6 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 3 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 4 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer Protected Mode 1 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 37 IoCs
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 40 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\337f603c8b740238d363cca78e8687d5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\337f603c8b740238d363cca78e8687d5_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4400
    • C:\Users\Admin\AppData\Local\Temp\sys.exe
      "C:\Users\Admin\AppData\Local\Temp\sys.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Installs/modifies Browser Helper Object
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer Protected Mode
      • Modifies Internet Explorer Protected Mode Banner
      • Modifies Internet Explorer settings
      • Modifies registry class
      PID:820
    • C:\Users\Admin\AppData\Local\Temp\tcpsrvc.exe
      "C:\Users\Admin\AppData\Local\Temp\tcpsrvc.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Installs/modifies Browser Helper Object
      • Maps connected drives based on registry
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer Protected Mode
      • Modifies Internet Explorer Protected Mode Banner
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\SysWOW64\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s "C:\Windows\system32\vrtqsptfjqdmsvr.dll"
        3⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • Installs/modifies Browser Helper Object
        • Maps connected drives based on registry
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:320
    • C:\Users\Admin\AppData\Local\Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\setup.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Users\Admin\AppData\Local\Temp\7zSA6EE.tmp\setup.exe
        "C:\Users\Admin\AppData\Local\Temp\7zSA6EE.tmp\setup.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2976
        • C:\Windows\SysWOW64\msiexec.exe
          "msiexec" /i "C:\Program Files (x86)\Downloaded Installers\{240D57C0-234A-4CAD-B6E7-DFDE6B0B1272}\setup.msi"
          4⤵
          • Blocklisted process makes network request
          • Enumerates connected drives
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:4020
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1976
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:468
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding ED021287D20E2FD17F8D470FDB385970 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:636
      • C:\Program Files (x86)\SlimDrivers\SlimDrivers.exe
        "C:\Program Files (x86)\SlimDrivers\SlimDrivers.exe"
        3⤵
        • Drops file in Drivers directory
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        PID:3656
  • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
    "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4416
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1984 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:4832
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:3580

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Config.Msi\e5833ae.rbs

    Filesize

    8KB

    MD5

    c8b8b838439c082c7ce6e686abaad4e0

    SHA1

    99dc840e2f5df2c5d36123adc15c600f44dedc3e

    SHA256

    8a81116f6a4d3c8ab9544b8921ad93998ce43217be5071612b7b8f52e4c3c859

    SHA512

    345993033fbe6fadc060b86647d6bacdf2271fc205a346debccfed4d11b72bac14d710289f15fec9ae21c6f2d2376d65fe299234f8de8b1c407db7ccd3beb8d9

  • C:\Program Files (x86)\SlimDrivers\SlimDrivers.exe

    Filesize

    22.5MB

    MD5

    1698d9ac0c1167d6cf7b8a32ebff81b3

    SHA1

    31241974219fcba442fe61937df9a891fcf829ac

    SHA256

    796ca26fc493a66153fc1129acc989bddef7fccf7ca3cbfac409088be8437378

    SHA512

    40e416467ac416c87efd8e7876a86c9f618684ddd0b107108345d7ac67c0db7ed72f395844ac1dc8f5039683593015bf61ab84bf5ba5f22797d8419aacb9e16f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6

    Filesize

    75KB

    MD5

    84fb59541357ebbac17a5dd906b3957e

    SHA1

    ef72d52c513b97a066a4922609862559645a6f7a

    SHA256

    44e527b61336921190fca1222af6ced398b67b36a7803c05525eb5dc9a18a93a

    SHA512

    8547ae3ebcf38b9c46b18ad0264222a93520bf55fd2fbbcbe757b61b5fd18d209817dae5dc432f12c65fae6be769da6f71c1b24afe03ef473854e1b00baeec01

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_0AEA4C6D6CCC81E7AABA17FA25994227

    Filesize

    5B

    MD5

    5bfa51f3a417b98e7443eca90fc94703

    SHA1

    8c015d80b8a23f780bdd215dc842b0f5551f63bd

    SHA256

    bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

    SHA512

    4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6

    Filesize

    212B

    MD5

    bc435afff8a6a896d469f8c89560c7b5

    SHA1

    a700a119a0ba9155f872aa3f2307f257e92f5c50

    SHA256

    d76f5be668335b4f78b22f10b108e92682e961cd000991d9a1651d52e7a0c419

    SHA512

    e992cbbf5630289fd24f46d7803baacf14052012d896247245ccc7847cac7ce0a61a548808bcfee5693669d894ee4497c094a7eb939612b6ffabe703644df928

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_0AEA4C6D6CCC81E7AABA17FA25994227

    Filesize

    404B

    MD5

    1e67d90975dc757e18b081bd12e5261c

    SHA1

    45a8e48b81f92928c82a88f30dcf93b2842cb111

    SHA256

    1e9bd53d15b62c88b6d024c310485272c36a32ff73a9c2243ff78ac300d92d14

    SHA512

    c7da4a34164b2a5408b08641e520f085d7293d696a76c2cebb2c5388056eebf99b96bacfba0893147321335a326bc59238cd7a311a5549616df830afee95f60b

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GPUS7TYC\suggestions[1].en-US

    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • C:\Users\Admin\AppData\Local\SlimWare Utilities Inc\SlimDrivers\SWDUMon.sys

    Filesize

    15KB

    MD5

    a3a548c9b02b9cb91721da152bc34f04

    SHA1

    147daf95f1417a9f2ba6e6cea47c631a0b5992f1

    SHA256

    944cf2dd7c284d006dc87c3768bbace5469f8f6d8b3e1df7fbf3e751b7583451

    SHA512

    54e0742685862c39b989319d1858f965011073b8998b72bb5e08573c51b6d486e77ee4354110089a9e20929f517441bc1b26e2cd4eb934cffb306d5d007a31fb

  • C:\Users\Admin\AppData\Local\Temp\7zSA6EE.tmp\setup.exe

    Filesize

    73KB

    MD5

    ca6be57a4f75e216f320f97ae1098ff6

    SHA1

    3d8824b17c5a4c4afb887182a9af68c981b4b859

    SHA256

    7061f18bc963a9452432458cbffba4607ab55c360cfda38dda2fb913adb7a3ed

    SHA512

    8ff5f86a03d70bbe5cc34c0ce3586d49edccf557ed3f6565cebd07fb9218cb6ebf80f536f93ea0401373e309127bfe9dea83f66325623a5bc66ce677be886804

  • C:\Users\Admin\AppData\Local\Temp\7zSA6EE.tmp\setup.msi

    Filesize

    23.6MB

    MD5

    66105820fc90d4728885dc0a497b8213

    SHA1

    4575ee17d6c1ee5ff114ca1be6b5ae547d6df965

    SHA256

    eb34cd95f9da684b1d680bc5d7d710fbd14318d341711a9e53b43578ad7d9310

    SHA512

    a865fa5fb01509ca9a18d51f4d173b4fbf6ee61c8cb1a13ccde2bb99f134085355325240a598eec5c9bb5138ba8c00ad577a17611ae9d0844baa34e74aaa72d3

  • C:\Users\Admin\AppData\Local\Temp\MSI47C2.tmp

    Filesize

    148KB

    MD5

    14c01c848d8452005734858a64b6784b

    SHA1

    d3d81fcd1267095880218ef09b92220248905ea8

    SHA256

    fa9b83479f1b955790325dc557624185a8c72df3e31870dae075437146858185

    SHA512

    8334c467c470c13b0245425d3bc1ba9676a04e1e015bec56122504d622e7e3858d5ad7950d09c155f3666a90b7d3c7b40f324d0786553d6e81711b7f38cf1d57

  • C:\Users\Admin\AppData\Local\Temp\nsgAF6D.tmp.dll

    Filesize

    604KB

    MD5

    b8b303dbcda489ce392dd78b9c3088ae

    SHA1

    5fbb5dc212a26c8d995d9fc70aaed84972c81378

    SHA256

    6fc9b661c0be1f1c29943c41125ed6e883576f2714bc9c4738a1098850f5bbde

    SHA512

    551745e3bdf647fcf0c8e0b9d92cb691c0d011382c9867c0d575221cec5c669277d79467d751b37269c5e61d31a9485d9a21c5015db0663b4c9a3639ced96b03

  • C:\Users\Admin\AppData\Local\Temp\nsiA6B2.tmp\System.dll

    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

  • C:\Users\Admin\AppData\Local\Temp\nssA6A1.tmp\Math.dll

    Filesize

    66KB

    MD5

    b140459077c7c39be4bef249c2f84535

    SHA1

    c56498241c2ddafb01961596da16d08d1b11cd35

    SHA256

    0598f7d83db44929b7170c1285457b52b4281185f63ced102e709bf065f10d67

    SHA512

    fbcb19a951d96a216d73b6b3e005338bbb6e11332c6cc8c3f179ccd420b4db0e5682dc4245bd120dcb67bc70960eab368e74c68c7c165a485a12a7d0d8a00328

  • C:\Users\Admin\AppData\Local\Temp\nssA6A1.tmp\UAC.dll

    Filesize

    17KB

    MD5

    88ad3fd90fc52ac3ee0441a38400a384

    SHA1

    08bc9e1f5951b54126b5c3c769e3eaed42f3d10b

    SHA256

    e58884695378cf02715373928bb8ade270baf03144369463f505c3b3808cbc42

    SHA512

    359496f571e6fa2ec4c5ab5bd1d35d1330586f624228713ae55c65a69e07d8623022ef54337c22c3aab558a9b74d9977c8436f5fea4194899d9ef3ffd74e7dbb

  • C:\Users\Admin\AppData\Local\Temp\setup.exe

    Filesize

    2.4MB

    MD5

    b774d568aaf090164ec32291370cb341

    SHA1

    f5a55bcd898ff2848df1bb067e5012951dfbc266

    SHA256

    56e96195f7c806eb74503977eb61fd681b99ac14fcdb9f852d89ee46b0edc5ef

    SHA512

    0ffe18d77b13e5a94be4575984982d4d583450821865821be9c7dcffcb2fb03a744b4ca530516ba8917eb2d130bf8767416259563ecefe511ccbf34254f52691

  • C:\Users\Admin\AppData\Local\Temp\sys.exe

    Filesize

    1.9MB

    MD5

    361afb77460382b303ff0feab78b65c7

    SHA1

    e3b44a60f2bb4998399252cc36d3e65dc80deef1

    SHA256

    2063d5933ad5f7789082e04d6209032c4f85ef495f06b9de3f41546f0fde6de8

    SHA512

    b81233d5d15884158ec99a64ecfd9239906d67bf149282f87e458718a9eb8ae71b8c00cbe5e6d289b48ab5ac0ff7d1f061bb1caff67d93dfcf9c1a387726615b

  • C:\Users\Admin\AppData\Local\Temp\tcpsrvc.exe

    Filesize

    372KB

    MD5

    8c706a763e7622b72fe3222ec053d326

    SHA1

    2ee23255a22f1d42eefbc1fe88f4d82736e6c1b7

    SHA256

    79b06d3d76b61edfc0d3f48d0189e37ab2245ab169a06cf0aeb815576cdc7819

    SHA512

    21c36d1c470d71374e4da34cb9b589cb0f6105145509bb4d30187be4e219f34e0f96ed0cd6d1a25cc3e366474e918d5b99a9f5e2c25d610b8f1cf7dc4ba5cbc8

  • C:\Windows\SysWOW64\8a52b3c6.dll

    Filesize

    2.5MB

    MD5

    81dd5db35b7311d7e86ad64bb21946c0

    SHA1

    936997fb386f9d482715dd5747cace7ce94fcdea

    SHA256

    0b87c091f55d456fcf375cfd93cdd4fac981537c53fe06bba20db4d37f624aa2

    SHA512

    014f93810a96d99b7b3710366acdd8c869c152940bcfd4b6764ec12a69dd36d874bcac544f62279dd35054cd21c99cdc90dd00c74153be23f5e39100f19958d7

  • C:\Windows\Tasks\SlimDrivers Startup.job

    Filesize

    428B

    MD5

    3af84b5d76fcc85463573997e1bbe3e3

    SHA1

    371281b1a9232f71e91ddb127a6b094c95bc9ee4

    SHA256

    66f8a309a4595c5bff3929f074585c85a9a875b577ea5de550ae6dcae0da8ebb

    SHA512

    bdf7a715459a7b76cb03f82297946caadd8248be0973343d245ed095e63d682cc615fc962dc35f01ae53d821b7749603fe19bda90f3000c790e6cb705d2b64ad

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

    Filesize

    24.1MB

    MD5

    0f55e3feb655bcf18664a84ee1534785

    SHA1

    7916091599c360c4b5050cada9bdfd295b724462

    SHA256

    b051fbbd3196f4106ff6d799c89ccc58c37963dcc762f9dca6855fdd18a3bc3b

    SHA512

    4c6ebe7e378339ebc227714bd0f1ed8a1340de40b101e42870499e7c6ee5ff75eaede45e6cc7080c6e4c741d6bfb0001c086006f52d7cea04e2261b86c9749f0

  • \??\Volume{ff55ba41-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{70ee826c-a72b-4287-aa10-4237e18c34ee}_OnDiskSnapshotProp

    Filesize

    6KB

    MD5

    74a9ea2cc57c9517290613a6082b9b1c

    SHA1

    e0db852d4a03fcf10b348f6762e6bda73b5118fa

    SHA256

    1f9e7aa605e4252c3aa9bd535a303a314f8ecded71988e1e33912f1c9d1637f1

    SHA512

    9e877bfadec66d0bf68c94d64dee18482fb325797447b6086e0d5f286d83a6eeaa54edb91d2f57e2070270a017da6904bd48ce9e2e35dca15f7846fa16551fed

  • memory/820-36-0x0000000002F20000-0x0000000002F3A000-memory.dmp

    Filesize

    104KB

  • memory/2816-110-0x0000000028DE0000-0x0000000028E7E000-memory.dmp

    Filesize

    632KB