rhadamanthys | dabfe2b02c36b5f1a7f1c0d96798c944f69f84c4889e2e7e25655bb4d3894f31

Analysis

max time kernel
135s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2025 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YouTube Partner Program Policy Update – February 2025.msi
Size

4.1MB
MD5

a11fed7d63b37dcaeb5877df4a978f6d
SHA1

2dcb800231cb89fa37aeb092efdfd9cfda07bfa9
SHA256

dabfe2b02c36b5f1a7f1c0d96798c944f69f84c4889e2e7e25655bb4d3894f31
SHA512

ea6a7a2855ce3b37df0c88702487cf2bf9afc03e06717aa79272c703f26fb798bd4ced36db0454ddd3938d9bd4b95e3ef17bcf3cfd391dd29dc0ce1ccdd27c0c
SSDEEP

49152:vNK3fuMxhxdsIjCohpCWAE0MGnqz2jsnCGQNxTKCqX88ctFZGNf32obHmn5TCp6l:4P3hxdss17C6Eqz2jUiUdGobGnGJaQJ

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Detects Rhadamanthys payload 1 IoCs

resource	yara_rule
behavioral2/memory/4688-68-0x0000000000500000-0x0000000000622000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

description	pid	Process	procid_target
PID 4688 created 2656	4688	MSBuild.exe	44

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2336 set thread context of 1164	2336	AppCheckS.exe	101
PID 1164 set thread context of 4688	1164	cmd.exe	105

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57e407.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{441F1276-1158-4794-8D3D-EE2F450D9ECE}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE4A3.tmp	msiexec.exe
File created	C:\Windows\Installer\e57e409.msi	msiexec.exe
File created	C:\Windows\Installer\e57e407.msi	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
1132	AppCheckS.exe
2336	AppCheckS.exe

Loads dropped DLL 6 IoCs

pid	Process
1132	AppCheckS.exe
1132	AppCheckS.exe
1132	AppCheckS.exe
2336	AppCheckS.exe
2336	AppCheckS.exe
2336	AppCheckS.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000079521e240123cf490000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000079521e240000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090079521e24000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d79521e24000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000079521e2400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

pid	Process
3244	msiexec.exe
3244	msiexec.exe
1132	AppCheckS.exe
2336	AppCheckS.exe
2336	AppCheckS.exe
1164	cmd.exe
1164	cmd.exe
4688	MSBuild.exe
4688	MSBuild.exe
4688	MSBuild.exe
4688	MSBuild.exe
4888	svchost.exe
4888	svchost.exe
4888	svchost.exe
4888	svchost.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2336	AppCheckS.exe
1164	cmd.exe
1164	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4644	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4644	msiexec.exe
Token: SeSecurityPrivilege	3244	msiexec.exe
Token: SeCreateTokenPrivilege	4644	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4644	msiexec.exe
Token: SeLockMemoryPrivilege	4644	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4644	msiexec.exe
Token: SeMachineAccountPrivilege	4644	msiexec.exe
Token: SeTcbPrivilege	4644	msiexec.exe
Token: SeSecurityPrivilege	4644	msiexec.exe
Token: SeTakeOwnershipPrivilege	4644	msiexec.exe
Token: SeLoadDriverPrivilege	4644	msiexec.exe
Token: SeSystemProfilePrivilege	4644	msiexec.exe
Token: SeSystemtimePrivilege	4644	msiexec.exe
Token: SeProfSingleProcessPrivilege	4644	msiexec.exe
Token: SeIncBasePriorityPrivilege	4644	msiexec.exe
Token: SeCreatePagefilePrivilege	4644	msiexec.exe
Token: SeCreatePermanentPrivilege	4644	msiexec.exe
Token: SeBackupPrivilege	4644	msiexec.exe
Token: SeRestorePrivilege	4644	msiexec.exe
Token: SeShutdownPrivilege	4644	msiexec.exe
Token: SeDebugPrivilege	4644	msiexec.exe
Token: SeAuditPrivilege	4644	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4644	msiexec.exe
Token: SeChangeNotifyPrivilege	4644	msiexec.exe
Token: SeRemoteShutdownPrivilege	4644	msiexec.exe
Token: SeUndockPrivilege	4644	msiexec.exe
Token: SeSyncAgentPrivilege	4644	msiexec.exe
Token: SeEnableDelegationPrivilege	4644	msiexec.exe
Token: SeManageVolumePrivilege	4644	msiexec.exe
Token: SeImpersonatePrivilege	4644	msiexec.exe
Token: SeCreateGlobalPrivilege	4644	msiexec.exe
Token: SeBackupPrivilege	3224	vssvc.exe
Token: SeRestorePrivilege	3224	vssvc.exe
Token: SeAuditPrivilege	3224	vssvc.exe
Token: SeBackupPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe
Token: SeTakeOwnershipPrivilege	3244	msiexec.exe
Token: SeRestorePrivilege	3244	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4644	msiexec.exe
4644	msiexec.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3244 wrote to memory of 876	3244	msiexec.exe	97
PID 3244 wrote to memory of 876	3244	msiexec.exe	97
PID 3244 wrote to memory of 1132	3244	msiexec.exe	99
PID 3244 wrote to memory of 1132	3244	msiexec.exe	99
PID 1132 wrote to memory of 2336	1132	AppCheckS.exe	100
PID 1132 wrote to memory of 2336	1132	AppCheckS.exe	100
PID 2336 wrote to memory of 1164	2336	AppCheckS.exe	101
PID 2336 wrote to memory of 1164	2336	AppCheckS.exe	101
PID 2336 wrote to memory of 1164	2336	AppCheckS.exe	101
PID 2336 wrote to memory of 1164	2336	AppCheckS.exe	101
PID 1164 wrote to memory of 4688	1164	cmd.exe	105
PID 1164 wrote to memory of 4688	1164	cmd.exe	105
PID 1164 wrote to memory of 4688	1164	cmd.exe	105
PID 1164 wrote to memory of 4688	1164	cmd.exe	105
PID 1164 wrote to memory of 4688	1164	cmd.exe	105
PID 4688 wrote to memory of 4888	4688	MSBuild.exe	106
PID 4688 wrote to memory of 4888	4688	MSBuild.exe	106
PID 4688 wrote to memory of 4888	4688	MSBuild.exe	106
PID 4688 wrote to memory of 4888	4688	MSBuild.exe	106
PID 4688 wrote to memory of 4888	4688	MSBuild.exe	106

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2656
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4888

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\YouTube Partner Program Policy Update – February 2025.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4644

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:876
- C:\Users\Admin\AppData\Local\Toadinthehole\AppCheckS.exe
  "C:\Users\Admin\AppData\Local\Toadinthehole\AppCheckS.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1132
- - C:\Users\Admin\AppData\Roaming\manageCheck\AppCheckS.exe
    C:\Users\Admin\AppData\Roaming\manageCheck\AppCheckS.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\SysWOW64\cmd.exe
      4⤵
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of WriteProcessMemory
      PID:1164
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57e408.rbs

Filesize
9KB

MD5
6d324f992e911316567752ed5fe6f738

SHA1
a268fc4bed5bc2cfb4bc06e3b0e30675dc2efe80

SHA256
45c8d18f3a35b6df7190a8db835e17c1eb1004a7bbc4010784aaa5bcd906cba5

SHA512
281f3f1833e38728296e752858a3ab8e5dbf21a553cd9ac4a9849be5a7b193ecc6056e54f500cb7e77c2d3a1d94c16b44068acb1ee7f490fd7424a09d46b003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9acb745d

Filesize
1.8MB

MD5
2e2f46154489f8251fef2a599a312bc8

SHA1
4b110300e563d4840ec8845a4aaf61ffd2b8a99b

SHA256
2fb7b4e019ce677d13d381c5e8c1f5492f0dcbfffdea54048b262283bbf39cba

SHA512
35f2ce6be159043c967e549164c643d0989336de2dc60c9622981e4bccd9521705c2928b8e6090f9b5ebbeb794879799393313521ada6dbc9c0839c4dfdb7722

Download Submit
C:\Users\Admin\AppData\Local\Toadinthehole\AppCheckS.exe

Filesize
1.7MB

MD5
18247442e0f9378e739f650fd51acb4e

SHA1
41c3145d0a63f2cb87ae9f4f6107855ddaa72886

SHA256
a5bf40c29313eb9f0e711bee0d63b411ef35e80ba0fbdcc5964d0539db59290e

SHA512
e4669a7d72fc37b39cd161c6243c2f1f9840e36598a25c1125540f72d6ef4aeddc2ef9b89804137f2c0edba9fcd68e89ba74f9ebfe1bec2aec14e0f7c2e42bc3

Download Submit
C:\Users\Admin\AppData\Local\Toadinthehole\MSVCP140.dll

Filesize
618KB

MD5
9ff712c25312821b8aec84c4f8782a34

SHA1
1a7a250d92a59c3af72a9573cffec2fcfa525f33

SHA256
517cd3aac2177a357cca6032f07ad7360ee8ca212a02dd6e1301bf6cfade2094

SHA512
5a65da337e64ea42bcc461b411ae622ce4dec1036638b1e5de4757b366875d7f13c1290f2ee345f358994f648c5941db35aa5d2313f547605508fd2bcc047e33

Download Submit
C:\Users\Admin\AppData\Local\Toadinthehole\VCRUNTIME140.dll

Filesize
85KB

MD5
edf9d5c18111d82cf10ec99f6afa6b47

SHA1
d247f5b9d4d3061e3d421e0e623595aa40d9493c

SHA256
d89c7b863fc1ac3a179d45d5fe1b9fd35fb6fbd45171ca68d0d68ab1c1ad04fb

SHA512
bf017aa8275c5b6d064984a606c5d40852aa70047759468395fe520f7f68b5452befc3145efaa7c51f8ec3bf71d9e32dbd5633637f040d58ff9a4b6953bf1cbf

Download Submit
C:\Users\Admin\AppData\Local\Toadinthehole\crump.jpg

Filesize
45KB

MD5
d4ab0589417a189428c501b9d7806d11

SHA1
e5ddbe97e9f2b3169c7536c83d656de73dd6bd8f

SHA256
9e9a3d7b58c7e848fd230b1c9ca46f428aad950b167ee92830596954c90d52b7

SHA512
9b01210f43c1edbae64ab7672f734838a21d737e41b985cf0c4194c15cb6df9aa8a771fcb28eda140812f0b39cf8af8ce368d7cc10e7bf94c4ed4e7b180f2b3c

Download Submit
C:\Users\Admin\AppData\Local\Toadinthehole\logomachy.psd

Filesize
1.6MB

MD5
78dd9f575dd49af7499bef1fc1aef917

SHA1
32dd4fe64e6fb1dfbc53a86e8762d925a0a32d88

SHA256
a8f8bcca78c5a328a4dbd3829784f724427a582d3a09397d61a73448c85bd076

SHA512
45dc68eefd030e361ea7634f2d046a45180682df2aa050f75ceee5ea12887d49535862b523f870472f9bd11239dea64ad9e62bc02e75cc139319f6ed4359b3f5

Download Submit
C:\Users\Admin\AppData\Local\Toadinthehole\mfc140u.dll

Filesize
5.8MB

MD5
3f5b940545718cce8815e02be8e68619

SHA1
9d41743eb1d700261a908f8bcee532df94d1b102

SHA256
f2f9406a1c3cadf284574b3fa02e9dd1e9fa1b9415871cf0aa23e65aa79ed49b

SHA512
5b9a8ffcbd868266433787436c6fd2867ddd908366bfb4a2cfaf54b032d7d0bdfc0f607eb04a229d90a10ca757cdd29f5d19003e5f4af333994fc6a736bf0bcb

Download Submit
C:\Windows\Installer\e57e407.msi

Filesize
4.1MB

MD5
a11fed7d63b37dcaeb5877df4a978f6d

SHA1
2dcb800231cb89fa37aeb092efdfd9cfda07bfa9

SHA256
dabfe2b02c36b5f1a7f1c0d96798c944f69f84c4889e2e7e25655bb4d3894f31

SHA512
ea6a7a2855ce3b37df0c88702487cf2bf9afc03e06717aa79272c703f26fb798bd4ced36db0454ddd3938d9bd4b95e3ef17bcf3cfd391dd29dc0ce1ccdd27c0c

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
24.1MB

MD5
2a8bb5cd93b23d40bc11a3c7a8952990

SHA1
286d27133c7900a8de506dc8f2ada875e732141b

SHA256
2482202dd91ac9d1ffa1e5c62a1fdbeee5b259dd3b9d421a9c3da04b96fef61c

SHA512
014080fa96d75126dcc07a142dc4570812012a17f900af6b08c998c2317f97d1675a644ad5fe3bb08069b0a00462bd0143dcc2974cc99d0b2add9ccfcc2a2f23

Download Submit
\??\Volume{241e5279-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2fbd92d9-c9ee-4ea4-9fcc-e224e3e85f06}_OnDiskSnapshotProp

Filesize
6KB

MD5
5f468bc1f158d200772ce7d41f8e00ed

SHA1
c89ed9534b7b30e7128a64031af481b61c3d705e

SHA256
3c1975e93db34a8ce8b8f0108fbcea9f85d3118317c2118cfa8dda3a7e7aab0a

SHA512
7b02a193e78ee5ec9aeab6abd6ba9324a9feca76d46cb4f6fe6ade1f355bda8d58196f372c7c1ec9b804493645bad9d46b6f6ff9982fb8984c857013b7eb15a2

Download Submit
memory/1132-38-0x00007FFA65130000-0x00007FFA652A2000-memory.dmp

Filesize
1.4MB

Download
memory/1164-62-0x00007FFA84590000-0x00007FFA84785000-memory.dmp

Filesize
2.0MB

Download
memory/1164-63-0x0000000075860000-0x00000000759DB000-memory.dmp

Filesize
1.5MB

Download
memory/2336-59-0x00007FFA65130000-0x00007FFA652A2000-memory.dmp

Filesize
1.4MB

Download
memory/2336-58-0x00007FFA65130000-0x00007FFA652A2000-memory.dmp

Filesize
1.4MB

Download
memory/4688-70-0x0000000002560000-0x0000000002570000-memory.dmp

Filesize
64KB

Download
memory/4688-68-0x0000000000500000-0x0000000000622000-memory.dmp

Filesize
1.1MB

Download
memory/4688-69-0x0000000002550000-0x0000000002558000-memory.dmp

Filesize
32KB

Download
memory/4688-65-0x0000000074600000-0x0000000075854000-memory.dmp

Filesize
18.3MB

Download
memory/4688-71-0x0000000004E00000-0x0000000005200000-memory.dmp

Filesize
4.0MB

Download
memory/4688-72-0x0000000004E00000-0x0000000005200000-memory.dmp

Filesize
4.0MB

Download
memory/4688-73-0x00007FFA84590000-0x00007FFA84785000-memory.dmp

Filesize
2.0MB

Download
memory/4688-75-0x0000000075A10000-0x0000000075C25000-memory.dmp

Filesize
2.1MB

Download
memory/4888-76-0x0000000000AD0000-0x0000000000ADA000-memory.dmp

Filesize
40KB

Download
memory/4888-79-0x0000000001080000-0x0000000001480000-memory.dmp

Filesize
4.0MB

Download
memory/4888-80-0x00007FFA84590000-0x00007FFA84785000-memory.dmp

Filesize
2.0MB

Download
memory/4888-82-0x0000000075A10000-0x0000000075C25000-memory.dmp

Filesize
2.1MB

Download