babadeda | ebaa5af691e844929d2cad60baf36b118db3fc4b0616ce8b9585838aaf4c34b6

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
10-01-2025 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AdvBackup.msi
Size

7.7MB
MD5

25ad5262c29d2ea7404bda26ef0188bd
SHA1

83f9194b6224defe5827c94c67c2d32808d71919
SHA256

a45f49a2506f2353a72a287630f6ce1ab002554c75fc65a19321366bdd29ed0f
SHA512

7c990871346fe2e9d18cb4a46cd8f7cec07f1d4d5430362f2c6c60d2cbd34ac3cc61da121e50cba5f3a3a964876e6f4dd34c5a93344daae959e0fe030d532088
SSDEEP

196608:Ou6xR3okM5G6HO1XvOJeQDlG73LDl8cgdtNb4Ccgyftd:Ou6n3O5G6H8/YND873nyZrIt

Score

10^/10

babadeda cryptbot crypter discovery loader persistence privilege_escalation spyware stealer

Malware Config

Extracted

Family

cryptbot

veocou63.top

morizu06.top

Attributes

payload_url
http://tynpdi08.top/download.php?file=loungy.exe

Signatures

Babadeda
Babadeda is a crypter delivered as a legitimate installer and used to drop other malware families.
loader crypter babadeda

Babadeda Crypter 1 IoCs

resource	yara_rule
behavioral4/files/0x0007000000023c8f-85.dat	family_babadeda

Babadeda family
babadeda
CryptBot
CryptBot is a C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Cryptbot family
cryptbot
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{71CD67EC-C060-49EA-85E5-97ED42D7335B}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1CBC.tmp	msiexec.exe
File created	C:\Windows\Installer\e581b24.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e581b24.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1B82.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1BF0.tmp	msiexec.exe
File created	C:\Windows\Installer\e581b26.msi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
4452	backdata.exe

Loads dropped DLL 8 IoCs

pid	Process
3048	MsiExec.exe
3048	MsiExec.exe
3048	MsiExec.exe
3048	MsiExec.exe
3048	MsiExec.exe
2460	MsiExec.exe
2460	MsiExec.exe
4452	backdata.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3672	msiexec.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	backdata.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a47b29fbd6f9c3720000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a47b29fb0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a47b29fb000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da47b29fb000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a47b29fb00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	backdata.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	backdata.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3320	msiexec.exe
3320	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3672	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3672	msiexec.exe
Token: SeSecurityPrivilege	3320	msiexec.exe
Token: SeCreateTokenPrivilege	3672	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3672	msiexec.exe
Token: SeLockMemoryPrivilege	3672	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3672	msiexec.exe
Token: SeMachineAccountPrivilege	3672	msiexec.exe
Token: SeTcbPrivilege	3672	msiexec.exe
Token: SeSecurityPrivilege	3672	msiexec.exe
Token: SeTakeOwnershipPrivilege	3672	msiexec.exe
Token: SeLoadDriverPrivilege	3672	msiexec.exe
Token: SeSystemProfilePrivilege	3672	msiexec.exe
Token: SeSystemtimePrivilege	3672	msiexec.exe
Token: SeProfSingleProcessPrivilege	3672	msiexec.exe
Token: SeIncBasePriorityPrivilege	3672	msiexec.exe
Token: SeCreatePagefilePrivilege	3672	msiexec.exe
Token: SeCreatePermanentPrivilege	3672	msiexec.exe
Token: SeBackupPrivilege	3672	msiexec.exe
Token: SeRestorePrivilege	3672	msiexec.exe
Token: SeShutdownPrivilege	3672	msiexec.exe
Token: SeDebugPrivilege	3672	msiexec.exe
Token: SeAuditPrivilege	3672	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3672	msiexec.exe
Token: SeChangeNotifyPrivilege	3672	msiexec.exe
Token: SeRemoteShutdownPrivilege	3672	msiexec.exe
Token: SeUndockPrivilege	3672	msiexec.exe
Token: SeSyncAgentPrivilege	3672	msiexec.exe
Token: SeEnableDelegationPrivilege	3672	msiexec.exe
Token: SeManageVolumePrivilege	3672	msiexec.exe
Token: SeImpersonatePrivilege	3672	msiexec.exe
Token: SeCreateGlobalPrivilege	3672	msiexec.exe
Token: SeCreateTokenPrivilege	3672	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3672	msiexec.exe
Token: SeLockMemoryPrivilege	3672	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3672	msiexec.exe
Token: SeMachineAccountPrivilege	3672	msiexec.exe
Token: SeTcbPrivilege	3672	msiexec.exe
Token: SeSecurityPrivilege	3672	msiexec.exe
Token: SeTakeOwnershipPrivilege	3672	msiexec.exe
Token: SeLoadDriverPrivilege	3672	msiexec.exe
Token: SeSystemProfilePrivilege	3672	msiexec.exe
Token: SeSystemtimePrivilege	3672	msiexec.exe
Token: SeProfSingleProcessPrivilege	3672	msiexec.exe
Token: SeIncBasePriorityPrivilege	3672	msiexec.exe
Token: SeCreatePagefilePrivilege	3672	msiexec.exe
Token: SeCreatePermanentPrivilege	3672	msiexec.exe
Token: SeBackupPrivilege	3672	msiexec.exe
Token: SeRestorePrivilege	3672	msiexec.exe
Token: SeShutdownPrivilege	3672	msiexec.exe
Token: SeDebugPrivilege	3672	msiexec.exe
Token: SeAuditPrivilege	3672	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3672	msiexec.exe
Token: SeChangeNotifyPrivilege	3672	msiexec.exe
Token: SeRemoteShutdownPrivilege	3672	msiexec.exe
Token: SeUndockPrivilege	3672	msiexec.exe
Token: SeSyncAgentPrivilege	3672	msiexec.exe
Token: SeEnableDelegationPrivilege	3672	msiexec.exe
Token: SeManageVolumePrivilege	3672	msiexec.exe
Token: SeImpersonatePrivilege	3672	msiexec.exe
Token: SeCreateGlobalPrivilege	3672	msiexec.exe
Token: SeCreateTokenPrivilege	3672	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3672	msiexec.exe
Token: SeLockMemoryPrivilege	3672	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3672	msiexec.exe
3672	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4452	backdata.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 3048	3320	msiexec.exe	85
PID 3320 wrote to memory of 3048	3320	msiexec.exe	85
PID 3320 wrote to memory of 3048	3320	msiexec.exe	85
PID 3320 wrote to memory of 4968	3320	msiexec.exe	106
PID 3320 wrote to memory of 4968	3320	msiexec.exe	106
PID 3320 wrote to memory of 2460	3320	msiexec.exe	108
PID 3320 wrote to memory of 2460	3320	msiexec.exe	108
PID 3320 wrote to memory of 2460	3320	msiexec.exe	108
PID 3320 wrote to memory of 4452	3320	msiexec.exe	110
PID 3320 wrote to memory of 4452	3320	msiexec.exe	110
PID 3320 wrote to memory of 4452	3320	msiexec.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AdvBackup.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3672

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 19C219C8C47FD446A926C42252E165A6 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3048
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4968
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2EEC5D0181BBAC444F4DB224AF562885
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2460
- C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\backdata.exe
  "C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\backdata.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  PID:4452

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e581b25.rbs

Filesize
13KB

MD5
d0fa56d4e07d19283632378f1f66a2ed

SHA1
ba8578706a6ed7652271be846aa8a02419a1ca97

SHA256
344aad48af9450370bd6dd339d7dbee67c33b13831c32367bace153e196e7012

SHA512
a8189aab3b50d1a09a878a0c0737457b60ff41bf4d029c115303c0ad3d12edef028f71458a50298d27adb2047c005919fdb51315bfdbf71a1abe1752c2200c03

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI99B0.tmp

Filesize
393KB

MD5
3d24a2af1fb93f9960a17d6394484802

SHA1
ee74a6ceea0853c47e12802961a7a8869f7f0d69

SHA256
8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88

SHA512
f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\QWsLjxdEovfAf\_Files\_Information.txt

Filesize
5KB

MD5
83ebe9a9f21e41c88089c799173b52fa

SHA1
4b63c41cd4f68b01e7221cbad5b6530b67869f11

SHA256
8ad0524ebd006fa4a9418ccccacd0be1459acc6dc1a102c61f8fd65ae3fd4ea2

SHA512
f561fca542628a5bb7ea810d17de104679c1121b0fd6f08425b2d9425d19b104aa71c22db984043313e2896475f70371971469b3d4e22de53378e0aa7602462a

Download Submit
C:\Users\Admin\AppData\Local\Temp\QWsLjxdEovfAf\_Files\_Screen_Desktop.jpeg

Filesize
57KB

MD5
67323a7e3250428ecf58972fa81addd9

SHA1
d3b64fde9e42863961543201d1ee40cf15e460b3

SHA256
72a87758c4c0bf48f64e1e266e315b23d30534ef09ac311b5a37c2b75364d15c

SHA512
d680e382dd9c930bee1ff4d84826dcf41fa75f27a12c67f6f3392ff8c45e4f1248486ed01e8543a1b1bd2530c5d2a8d1dca9fe88d4bb8943bc3fd3bdbfd814c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\QWsLjxdEovfAf\gBKMkGdFbDoNAf.zip

Filesize
52KB

MD5
a0d64b898793d82aa709b494de03f0f4

SHA1
9a615d20807b5b8768975ac8f31c4844762e0e78

SHA256
a8d0e539df86eb0e2d34a0217f572b4b87c6035656bf840a11775766633b9af8

SHA512
bc5398fe9b478724da1fd9a1e38bf419ef8e5aec3d7b115a3a2ac50bcb3c0f15e8f44f7e9eaccda639dad2a7f03f2a62ab9d6f6a111b50ae51e0af0c5c6a2672

Download Submit
C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\backdata.exe

Filesize
10.2MB

MD5
b4f358fb5e2687505a7793a1c3fd30b8

SHA1
665fdf0bfece66a4e65684e4a8022ba18ea90b29

SHA256
843daace027b06df1ceb220a8dca85099e6249d3cd588f192c19105dfebd9008

SHA512
73c875846ec43aa2db3d0d45cedd330e8ae2bc1fe58298a08e6ad9824a5caedb00d670a7d1816ff7c778e4ac0bd6b166107a1b64cc0ff5d5ed50893ded8d9aeb

Download Submit
C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\libmetis30.dll

Filesize
3.8MB

MD5
5a9963267a59111458cc97cffe054699

SHA1
233cd89ab6cef194b2aaa9cc17bfb7f3f24e7411

SHA256
21b706d416bbdaf6037e8efbfa86cf1eb10fc1834dfa8fdf2386a7f0492246db

SHA512
03c7b50185b084e6ccf4c09be1eeff7fc6c254e22e36eb4b8a11e3d6b239f378df1659274fe2341a5a54b8b0043fc44678a2405716c54109391b67925fe5edd8

Download Submit
C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\mlg

Filesize
559KB

MD5
d3cefa732bbfb96d5e9ac98650a85733

SHA1
b6a914c0e61d1640b83849ae77d2aa3e0b28604b

SHA256
025545351f15a7e62b271453eb5f2e12e13d53bf8b08d466d3e6e62a5c530e81

SHA512
fc582f7e19d843b854e75f5f7b39713152c3b1c3d5f599eae46c78d9cfa358a2b81de47dda6c0769f346fed98d7e00cc0a4a46c126a5d2b4b78268ec163fdf4b

Download Submit
C:\Windows\Installer\e581b24.msi

Filesize
7.7MB

MD5
25ad5262c29d2ea7404bda26ef0188bd

SHA1
83f9194b6224defe5827c94c67c2d32808d71919

SHA256
a45f49a2506f2353a72a287630f6ce1ab002554c75fc65a19321366bdd29ed0f

SHA512
7c990871346fe2e9d18cb4a46cd8f7cec07f1d4d5430362f2c6c60d2cbd34ac3cc61da121e50cba5f3a3a964876e6f4dd34c5a93344daae959e0fe030d532088

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
2cd8b763071423de25b560da8bc254c2

SHA1
b7577bf0e31188c2267eb333163f3dc37420a44e

SHA256
797da7e3d8510fa8c60902e082be01c4f3168d10c98075fa9ab8900d381c9583

SHA512
7b211eb2818a70df87aa15519336ffdd9d4e8fed99ee0a789f37b0d9c7774735e9d70b8e8d91df079230bd20acf90d09dfb777a58cceb52c4916951b7812d298

Download Submit
\??\Volume{fb297ba4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{9cb6c0da-aadf-46fd-9ea6-04a7a9f82b96}_OnDiskSnapshotProp

Filesize
6KB

MD5
1778790eec33dacc9dd8f827f71adb2c

SHA1
04677b822aaf567b79931a35abeffe7d2b864e8b

SHA256
7e83d4020cf43739bc21d91dfd9fae29f23e98835a26e941c62d78e066b3e17e

SHA512
b081841ee453a7d49df34ee341ed08600eed4d66c33665d3b5253e3c2ba4965a870ada6a487f667b289e7cc990dee84c92be9f301cce8b5fa197efb83e142978

Download Submit
memory/4452-80-0x0000000000350000-0x0000000000DED000-memory.dmp

Filesize
10.6MB

Download
memory/4452-213-0x0000000000350000-0x0000000000DED000-memory.dmp

Filesize
10.6MB

Download