Overview

overview

10

Static

static

1

ggggugeliu...17.msi

windows7-x64

10

ggggugeliu...17.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/12/2024, 11:32 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ggggugeliulanqGoogle1217.msi

  • Size

    54.3MB

  • MD5

    afbf73c1469b3641f62cccb2b0bb178a

  • SHA1

    633fd0c782856aba35f718c6806a8693fc2a5689

  • SHA256

    e308b5f5029ee8f51f866beee18370456632409cd34a77e7992ae82ab282cdb6

  • SHA512

    b92be4412e560f3103252a98371c9e0b1a5fde0aaa1016a146988dd0a34acd7d8f43aefcfdd6dd4d53c6058ff5a2b649ae35402996a3b4db2557b010923eaa6b

  • SSDEEP

    786432:kErzXzCnli5q0Nl+nIgX9mt9Pfn8qjeoiMyIDbbLJsaC+lLft7NmkudZ0/4YTx6V:RrvCnMjkmjfn8qjem6Rat7b4kl/F0

Score
10/10
gh0stratpurplefoxaspackv2discoverypersistenceprivilege_escalationratrootkitspywarestealertrojan

Malware Config

Signatures

  • Detect PurpleFox Rootkit 1 IoCs

    Detect PurpleFox Rootkit.

    rootkit
  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.

    ratgh0strat
  • Gh0strat family
    gh0strat
  • PurpleFox

    PurpleFox is an exploit kit used to distribute other malware families and first seen in 2018.

    rootkittrojanpurplefox
  • Purplefox family
    purplefox
  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42

    aspackv2
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 3 IoCs
    evasion
  • Modifies data under HKEY_USERS 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 46 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ggggugeliulanqGoogle1217.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:3100
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3904
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 22450C16D189B8F509B80C277A457B96 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3120
      • C:\Users\Public\Documents\Google.exe
        "C:\Users\Public\Documents\Google.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:3844
        • C:\Users\Public\Documents\main\current\DingTalk.exe
          "C:\Users\Public\Documents\main\current\DingTalk.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1356
          • C:\Windows\SysWOW64\cmd.exe
            cmd /c C:\\Users\\Public\\Documents\\FANG.bat
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1312
            • C:\Windows\SysWOW64\tasklist.exe
              tasklist /FI "IMAGENAME eq NtHandleCallback.exe"
              6⤵
              • Enumerates processes with tasklist
              • System Location Discovery: System Language Discovery
              PID:4188
            • C:\Windows\SysWOW64\find.exe
              find /I "NtHandleCallback.exe"
              6⤵
              • System Location Discovery: System Language Discovery
              PID:4828
            • C:\Windows\SysWOW64\timeout.exe
              timeout /t 1 /nobreak
              6⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:2388
            • C:\Users\Public\Documents\WindowsData\kail.exe
              "C:\Users\Public\Documents\WindowsData\kail.exe" x "C:\Users\Public\Documents\WindowsData\me.key" -o"C:\Users\Public\Documents\WindowsData" -pkillstartup -y
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2020
            • C:\Windows\SysWOW64\timeout.exe
              timeout /t 1 /nobreak
              6⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:2100
            • C:\Users\Public\Documents\WindowsData\NtHandleCallback.exe
              "C:\Users\Public\Documents\WindowsData\NtHandleCallback.exe"
              6⤵
              • Enumerates connected drives
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Checks processor information in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of SetWindowsHookEx
              PID:1260
            • C:\Windows\SysWOW64\timeout.exe
              timeout /t 1 /nobreak
              6⤵
              • System Location Discovery: System Language Discovery
              • Delays execution with timeout.exe
              PID:2180
            • C:\Users\Public\Documents\WindowsData\setup.exe
              "C:\Users\Public\Documents\WindowsData\setup.exe"
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3664
              • C:\Users\Admin\AppData\Local\Temp\CR_55942.tmp\setup.exe
                "C:\Users\Admin\AppData\Local\Temp\CR_55942.tmp\setup.exe" --install-archive="C:\Users\Admin\AppData\Local\Temp\CR_55942.tmp\CHROME.PACKED.7Z"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:3360
                • C:\Users\Admin\AppData\Local\Temp\CR_55942.tmp\setup.exe
                  C:\Users\Admin\AppData\Local\Temp\CR_55942.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win32 --annotation=prod=Chrome --annotation=ver=70.0.3538.110 --initial-client-data=0x2e0,0x2e4,0x2e8,0x2d8,0x2ec,0x716548,0x716558,0x716564
                  8⤵
                  • Executes dropped EXE
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:2880
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:4384
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding F7F85CF4D8B6FA3308E821FC9E94A38E
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3948
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:2448

    Network

    • flag-us
      DNS
      209.205.72.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      209.205.72.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      2.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      2.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      64.159.190.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      64.159.190.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      197.87.175.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      197.87.175.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      15.164.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      15.164.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      19.158.22.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      19.158.22.2.in-addr.arpa
      IN PTR
      Response
      19.158.22.2.in-addr.arpa
      IN PTR
      a2-22-158-19deploystaticakamaitechnologiescom
    • flag-us
      DNS
      x.zbj888.top
      NtHandleCallback.exe
      Remote address:
      8.8.8.8:53
      Request
      x.zbj888.top
      IN A
      Response
      x.zbj888.top
      IN A
      206.238.221.79
    • flag-us
      DNS
      79.221.238.206.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      79.221.238.206.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      79.221.238.206.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      79.221.238.206.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      23.236.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      23.236.111.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      213.143.182.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      213.143.182.52.in-addr.arpa
      IN PTR
      Response
    • 206.238.221.79:48888
      x.zbj888.top
      NtHandleCallback.exe
      654 B
       354 B
       10
      8
    • 8.8.8.8:53
      209.205.72.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      209.205.72.20.in-addr.arpa

    • 8.8.8.8:53
      2.159.190.20.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      2.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      64.159.190.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      64.159.190.20.in-addr.arpa

    • 8.8.8.8:53
      197.87.175.4.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      197.87.175.4.in-addr.arpa

    • 8.8.8.8:53
      15.164.165.52.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      15.164.165.52.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
       128 B
       1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      19.158.22.2.in-addr.arpa
      dns
      70 B
       133 B
       1
      1

      DNS Request

      19.158.22.2.in-addr.arpa

    • 8.8.8.8:53
      x.zbj888.top
      dns
      NtHandleCallback.exe
      58 B
       74 B
       1
      1

      DNS Request

      x.zbj888.top

      DNS Response

      206.238.221.79

    • 8.8.8.8:53
      79.221.238.206.in-addr.arpa
      dns
      146 B
       146 B
       2
      2

      DNS Request

      79.221.238.206.in-addr.arpa

      DNS Request

      79.221.238.206.in-addr.arpa

    • 8.8.8.8:53
      23.236.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      23.236.111.52.in-addr.arpa

    • 8.8.8.8:53
      213.143.182.52.in-addr.arpa
      dns
      73 B
       147 B
       1
      1

      DNS Request

      213.143.182.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e58659c.rbs
      Filesize

      1KB

      MD5

      5ee94d10b0c78f7102946f13b0f98bc7

      SHA1

      c2969ecfdf0873cb00fa77d92484bb3a5927bc53

      SHA256

      f27b821fb2a5760d4f7e76c74d64a8bd147f88591cb99cd4b56313f0a17fa52c

      SHA512

      fa00063d3711eb18fd62d4fa74e498ac314221bf4c93aca354fd27611b9e26d7b48b8fe72ddff3a5cfe229db872c8c87a4a70947185b67847816cd293a480d14

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\CR_55942.tmp\setup.exe
      Filesize

      2.0MB

      MD5

      f4b59f1167891f6a7ec181e1aa0a8d8b

      SHA1

      41be9ee189473dfe82e56267a9f6594e825e8dfd

      SHA256

      4dead65e1a1fbac3245182c6f7b40b5c568a2a7a7fd5b3a2d642b1919dcb93ea

      SHA512

      f352d37a9fe278686df67f1485663110ba46535f9fd3b55867ec23a0dd5a6d64e1247bb0656470b45dc85d1d0d4bffa4ccdc296d799d7f7786f93f628b6e2ac8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSIBF97.tmp
      Filesize

      79KB

      MD5

      9a4968fe67c177850163deafec64d0a6

      SHA1

      15b3f837c4f066cface8b3535a88523d20e5ca5c

      SHA256

      441d8c2ee1b434e21b7a8547f3c9e8b5b654ed7c790372d7870c8071d3a9b6ab

      SHA512

      256d1173b794bda93adece3bf2689c6875a67a8690139587c271f5c7a45f2a397caf164a4a05f34c9710ce65c7f473243c05be35155d130406999a834fc7643f

      Download Submit

    • C:\Users\Public\Documents\FANG.bat
      Filesize

      2KB

      MD5

      ae2fd0aba2183a123c840c0afd0551c4

      SHA1

      05b11a559798fb6c6b39079608dcb9c7c0d32580

      SHA256

      f6608b596458955ae7feba0b192b31fe6e2f1fbe8fb6dafb5843339ac7bb966f

      SHA512

      77991355217dadbe04bf98a4d655bcf2576f3960a98467a1f6710180bc11d56558e406c1aa74525a67b4bb1cdc2d54c57d27e41202f3450c3ee2ccc02f1493aa

      Download Submit

    • C:\Users\Public\Documents\Google.exe
      Filesize

      3.9MB

      MD5

      627e4a4ff89ecb9fd9c812a8d86b28c3

      SHA1

      0a8fffcf73bdcb8e0305225c9fcdf73947c59954

      SHA256

      2bd7ca5ee774736af3c23d30c400b416d6ac41fc814d6f9f239eb1e7be599eb3

      SHA512

      1f393b4e7ae4b26fb7bc094049983cc6a2d68f6ba99cc1ccf77610edde2f51d9b16b76b48bdf2a65f7fe2c3da9cd33013f8565c64a40a4ac593a30ba9b8b897d

      Download Submit

    • C:\Users\Public\Documents\WindowsData\Irrlicht.dll
      Filesize

      121KB

      MD5

      56995ed5b0877b7c024badde6ff255de

      SHA1

      f33016ed1a87a8e3dfacd50740325aacfba036a8

      SHA256

      8c034147471bed12edcc13ed525eb17ec6b6f9197108f4d97f89fa05112499d9

      SHA512

      68a9ed254d394517315d4c78ecacb4079dd00c501bad3a67257b49de3c60a3de3a8d5056d0363420990e371030a9521f955405f9904448fd64f27fb2fbda8d3f

      Download Submit

    • C:\Users\Public\Documents\WindowsData\NtHandleCallback.exe
      Filesize

      150KB

      MD5

      157b89f140fcdc2fa6d0990a3cf29560

      SHA1

      bcdfb7aaf53ca6cea2b5a75e6c398efe6eb0dab9

      SHA256

      63a34aaf8e991e67032e02de652f1f7a8f746a7bff5f196c507732192b6dcaf1

      SHA512

      26c893e50f6cade2148413ff552418c8f9fac685152b6f1916a74bd8a333cb85026a56afe1cd47e518fdc014f29779372e036a63fe102077b684ec8e6ef3341b

      Download Submit

    • C:\Users\Public\Documents\WindowsData\Server.log
      Filesize

      1.3MB

      MD5

      aaba2e8d60314ca07d8b62fdfe5cc3ee

      SHA1

      9fa85d0832f34b0ba1a8580a074a688004f9e1fb

      SHA256

      886905a6cee8ae4b352e5285e9c38c6d5cdd6d2374c383b8b62e6ea5825c5c4a

      SHA512

      9113078dad1d225b75db60d568a2ac4402caa36d715f8aba27d37b2af4e2629c24d960a84335bd9a3d399d93eca54c84298d01d0d48ea040fd38b4e1bb2ddcf3

      Download Submit

    • C:\Users\Public\Documents\WindowsData\WindowsPowerShell WbemScripting.SWbemLocator.vbe
      Filesize

      1KB

      MD5

      5dadb16abae0cb3b806b3f5a655ed50f

      SHA1

      cb0d60063c5a202cc39032889742f090bd799309

      SHA256

      9718211c0b0a7923aa173b10b6ebf6bd0a2a9ded3ed17e415d05292827a95a8b

      SHA512

      404a6de46995f659c78d541984d34e955d82fef87f757588156722dc7ed4845cc86af46191cc3ef76770ff52bf289680076d8ab21a3205c1d3f4304339007842

      Download Submit

    • C:\Users\Public\Documents\WindowsData\kail.exe
      Filesize

      732KB

      MD5

      42e83bb2537a79b17e13dd936ec2fef4

      SHA1

      688ac633d0b61fd698459a55d9909164c04ef56e

      SHA256

      00f85beb322fe51ab3a3b88abcbbbe40f019a7ee53498e27a507da6824adaf76

      SHA512

      4d07e73371c4e0d24bb9a351c55e20738b61e8efd6f304ecfa1041a5d94a984a2b292648cac5bf831aba345ccf15437334fcae5c91f1032cf7385ebb3a74857c

      Download Submit

    • C:\Users\Public\Documents\WindowsData\setup.exe
      Filesize

      49.8MB

      MD5

      e5735b95f35985f9819bf8f47b857482

      SHA1

      9c0fd34821b004124bb97180268ba0c86feef12e

      SHA256

      9a59260ff9b1ac88a5c75ed77524b4dbdf24bff78ea512a7c81d39e8b694ab51

      SHA512

      7c6b5a216e60eb391824fb02b7a2b8c202fdcbb3d41c38cbb034dd78923a5539e900a2fac269092df487135c36eadfb79a59781ad384036224e2bbd1ec8109fa

      Download Submit

    • C:\Users\Public\Documents\main\current\DataReport.dll
      Filesize

      128KB

      MD5

      a018ed8eae43df148a0e4b7e08fac02d

      SHA1

      eda9b1249e3c19468e128a81dcc0b4043b9de3fe

      SHA256

      e2e7e20adb4ce0f9ec8eabe6b651e70881cb2c83ebb5be2c681c62b53849343c

      SHA512

      efef4ab4fe15794977426ff793007dbd3bba09776a1e18175b73e7c52813c751bbf430cccdfebb1b8600203e51db46eb751b364b32acf6c81979b9ea41b0b374

      Download Submit

    • C:\Users\Public\Documents\main\current\DingTalk.exe
      Filesize

      1.1MB

      MD5

      5a512d1a8eaf18c367a0c15ff11671b7

      SHA1

      b360a012e70d5aadc7a4687621270bb97396e3c7

      SHA256

      3ea37f077bdc72b4e1deccbb591bf9a319eeb2f132f067f87d7e1dd30034080e

      SHA512

      6309982639b05b9794183591575dd9afbd901d5aa50078db18106503520fe47ed434ca407dbcd14cbf8ec600567620e861b0e545429e9cbab9002a286ea5b693

      Download Submit

    • C:\Users\Public\Documents\main\current\log2.dll
      Filesize

      353KB

      MD5

      175ea664f62cdc31949d29a9a3ecd4f2

      SHA1

      3b8904f28c0e36b9aab2cfeacf2516d47dd3beae

      SHA256

      1980bff5d376f07c7f01a6301f60d2012a90e84c2f9095ef4c1def3cbfcbe25b

      SHA512

      8a16e53afe3a086140887df18e7df220856935c3941bc7e4f51066898764887d1b574ee7944e3d4f71c4382b1fccdee969704a5ead0061eac603f6d8fa02e09b

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      24.1MB

      MD5

      925e6723908b88eb45a2b87b8e6f7553

      SHA1

      100b4c5dd400ba5ef5ce8d482f7367727f37a185

      SHA256

      b898e42795d4eaa7600d072e9692cf48cddcf96841a34aa35b755dede008863b

      SHA512

      3f1db15dfd5a63d7202d7336ad75abbfb80d95105e139a7e48935c13d41ffde707175ad042583e2cddf3ad3d75e6a6fd6ace06097af9619e551fb72df63cd648

      Download Submit

    • \??\Volume{625ed6c4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d8e2dfbd-734d-4684-96b2-81f0fdf61361}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      1ab2be2dd0d6e115de3d03f1ac82c66d

      SHA1

      b329185148b87d64c7f694cb6760229ed58e03c5

      SHA256

      407202afcb8af53a337b66009c5c76e4bb67d997edafee4142684807c53c42b6

      SHA512

      df4cd88a0e09b5402021370060d5fb9b3e71265a76715bc70b966e0510c4b984540b41ca5c6a2bad353e075400a8398872d1eccf6eac8ea885800ba58c843b7c

      Download Submit

    • memory/1260-80-0x0000000074FE0000-0x000000007501A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/1260-88-0x0000000010000000-0x0000000010145000-memory.dmp

      Filesize

      1.3MB

      Download

    • memory/1260-82-0x0000000074FE0000-0x000000007501A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/1260-91-0x00000000023C0000-0x0000000002561000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1260-81-0x0000000074FE0000-0x000000007501A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/1260-122-0x0000000074FE0000-0x000000007501A000-memory.dmp

      Filesize

      232KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.