Resubmissions

31/03/2025, 00:22

250331-apdw1ssjs8 10

28/03/2025, 22:52

250328-2tfd7avl15 10

25/03/2025, 14:57

250325-sb3mbsxxht 10

Analysis

  • max time kernel
    450s
  • max time network
    563s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10ltsc2021-20250314-en, locale:en-us, os:windows10-ltsc_2021-x64, system
  • submitted
    28/03/2025, 22:52

General

  • Target

    RansomwareSamples/Sekhmet_30_03_2020_364KB.msi

  • Size

    364KB

  • MD5

    15fc8a15e86c367586e3661b03bcab44

  • SHA1

    a6a6f2dc244d75cac1509e46c7de88ff479b9ee6

  • SHA256

    b2945f293ee3f68a97cc493774ff1e8818f104fb92ef9dbeead05a32fc7006ff

  • SHA512

    cad4c868065a4715126a6e644c1fc1c5d9832e027f62f2f9370172e523fe7db63119871ba64977fc2f25959197a20f0e0e98bd66b2539eae7d46ded9d571436b

  • SSDEEP

    6144:nj+vyxz9WYWqpkGbOAqMK/oVZUlz/F8GO53OuzZOJM7CQ5g//s4Y:j+wpWYkGA/WGUGO53OIZkh/Y

Malware Config

Extracted

Path

C:\03dfe1345efb8ef72765da72\RECOVER-FILES.txt

Family

sekhmet

Ransom Note
-------------- | Attention! | -------------- Your company network has been hacked and breached. We downloaded confidential and private data. In case of not contacting us in 3 business days this data will be published on a special website available for public view. Also we had executed a special software that turned files, databases and other important data in your network into an encrypted state using RSA-2048 and ChaCha algorithms. A special key is required to decrypt and restore these files. Only we have this key and only we can give it to you with a reliable decryption software. --------------------------------------- | How to contact us and be safe again | --------------------------------------- The only method to restore your files and be safe from data leakage is to purchase a private key which is unique for you and securely stored on our servers. After the payment we provide you with decryption software that will decrypt all your files, also we remove the downloaded data from your network and never post any information about you. There are 2 ways to directly contact us: 1) Using hidden TOR network: a) Download a special TOR browser: https://www.torproject.org/ b) Install the TOR browser c) Open our website in the TOR browser: http://o3n4bhhtybbtwqqs.onion/C3A1FCC184FA5B8C d) Follow the instructions on this page. 2) If you have any problems connecting or using TOR network a) Open our website: https://sekhmet.top/C3A1FCC184FA5B8C b) Follow the instructions on this page On this web site, you will get instructions on how to make a free decryption test and how to pay. Also it has a live chat with our operators and support team. ----------------------- |Questions and answers| ----------------------- We understand you may have questions, so we provide here answers to the frequently asked questions. ==== Q: What about decryption guarantees? A: You have a FREE opportunity to test a service by instantly decrypting for free 3 files from every system in your network. 
If you have any problems our friendly support team is always here to assist you in a live chat. ==== ==== Q: How can we be sure that after the payment data is removed and not published or used in any nefarious ways? A: We can assure you, downloaded data will be securely removed using DoD 5220.22-M wiping standart. We are not interested in keeping this data as we do not gain any profit from it. This data is used only to leverage you to make a payment and nothing more. On the market the data itself are relatively useless and cheap. Also we perfectly understand that using or publishing this data after the payment will compromise our reliable business operations and we are not interested in it. ==== ==== Q: How did you get into the network? A: Detailed report on how we did it and how to fix your vulnerabilities can be provided by request after the payment. ==== -------------------------------------------------------------------------------------- This is techinal information we need to identify you correctly and give decryption key to you, do not redact! 
---SEKHMET--- tpjvDG9n8hwoCGHLAf29WwErGseh9mqkR6TRjmxlBJNayyzEvD5gyLfAO2ZmfFtoSuLGFd8hzvrCgy6kWb3RK9TWkMDEn/u1snzkXn03sm5rXAO7loTcp92NXLxgSVEgIAB731SdcyBxnB8NVz//KlJl5UsnUInGAa/LXQkdIA1x4rLBCTxU0jUtgobTmc7PLjLCyaMpS9rQvzYQxNL+0ilyCj9BSNiKYC7SIV5uiboC5cU+Y0ZmO1DM52ij4DciGgyvzLP2yowz5MHjxzTOQgkwV/IzWCPG+FvF41Qx3IlprCpPdd7AQkZXcjx+qR/oeduVbXp6iB7vv+0FtM+kI8TWrPM9CXxvDVsklkIUMu46ppuhc5z257XrcW9WAmY6FSYt8Rkv3EYJO4RlXUkmSZwoSRlKJsu9AZ/wpu8XAfhjLSxfqQAa5gOW11T1soPW7r+d2vbv0owWO1gR8XXHT5OPyJUO+SX8ntfAuKDehp+yXz6UWeUDU6GIyNED/iO8l/mE+MGQaXgZvQGypQwWeyEqaI+DZndpIMuk7fH/kOW0ZjS+9SOrEC21bK4qusSjJA7iPSoFgYLY0L5h2EqLkCjH4+m/byv19YVsViNqfTA1IIU0ooRn7zeRbTL7gUSPL43V3zdRIRynxNKoaV3gwqmqekgz53BlhJIfLxl7Hs4DEFATB2Y+F3JpGPSra8VTTF5Gbo7qyRufcoJnif05Uf3lMGb2KyqEIxGshF9W2q35tAONKYmcwLPoREaQZtU2xLShZG+fKHjVUVlbu6EKaNcLw2PQzof/hxLfVjaP6HM2hgxHSp3M9cQ/cLgrK3CyUMwfJylBnsEqGZPlWqFIaPRs5EFFvfuIIxPsDNXCu7ZdKrCtMXv/aQ5TFiPMXAA7dJWvVJUJcfDPJP4k39qrNLQH/sQ1567HELPAiKFGkOdTDR1evfyXK7/9X+48Rqs7sKzzmpN8GY9KshOEkYZEHsBWIXPhH5zdHM05BgeZbln24ZZ44fNe8sJP7co73w2Rzl8sYG6vY4e5dCKbvyqZvEIAo1JmvtPMtN7S9Ew7TCYOR6FEyEC7Ej66wiprRhdH266xZm3fq57KPBbvymRyka7sY67L2wbWC5PUB4H3Yzj3y/x2Tw4oHSPcI8SkXF4AnWeScQoPC17znVrhyxfib8mm8Y1LUUANfHs+BIwyFTcuyBMvOhHx/06ghxFw+xHVcWduElrxyIKVr4Disr/m9IRn5LhbnY0usyiugfNRvSyWiAWMWYtC6QZQ5TBoz1INoAusA4AVWiJZCmjnEgE4/K5XpBZyV3dWaSVNp73R7M3yIzoY829ip90lLXGOnMfhi6Jmx7opuiRkTWEGvFk7BEGYsbhWvi21XTrSl7liiMpd5S2nSivUP8jusrzBi5/eVO4HKuy6qpn4M7o26+0eSZH0S1JqGdDSwytDMA5NUuMUOxH95WQR+yu1C6FGu+C3y+9Gf2iLKwgb2PHMKykXZ2xP40ZPC0ErBnxcYV47kQKsJ85UEiMW5OwMavZ4TjNSm3qfhvXUIvPILzbVf2shGnJ6xwel0RhURjan8G5AQeQRJGiPtQrxofWOj6SlrXHdceizaLyN2Ku3yHN3YktpFHXBSywh02No6JPIIuIg5eaYeUjj5+X1oeb+E4n8YmSMjbILe2IZbqKsbsCXU21S6BQgVw/WVAbwkGL5Aqx+MDTHMotTkv6IJ+Mj5/viHiZZRsUSxx7zorf0M/Atif14GyuL1U5qECt4R/Ayied9PTp8qrVGiW5YCXIHsqQqBWHAZx0YSlOmVQRob4JQjDu4JZMZlpBTLBjA8xAcUkNLRujHblF1451pQRM/A3hRdxFPAstl96ueiILySxj4BBQDgC9pTGonr3Ii5HSoWqOg5+22ztkNsbyvMdTDR7gWu5ovnanIJL0qAsvYVjUAF5ileTo+Un2wJSYSC1EqsjsQNOAe/rAcRMa02s+shFdxxA2m2r
oCtMCiMasOLZBjkJKYX5WFt9xPlq9hX6dwPTwTxrWJbqBJs+iqlDA5YxjsVxnA1v0fi8S48e4GtHSYPJSP31aOQn/k5NqPgpbw/uIqaI3mKLVxNAvP/VmPEtCPnU+4Fc2s07FX51A35giZYbHnMFaTXayR41iTfv4YKCKAG5AnXwuh5TBoZyUiKUXWEytCT6HHHFFZdZn8lZuQFlVnAgXQNF7iU+ZNe8+2cvngUkLa24eSBUsEuA1wUW2ld8JXAXe/hQgBEAEYASCAAigAOhJWAE4ASgBYAFkAUgBBAEkAAABCIkMAMwBBADEARgBDAEMAMQA4ADQARgBBADUAQgA4AEMAAABKVnwAQwA6AEYAXwAyADAAMgA4ADYALwA5ADIAMgA4ADkAMQB8AEUAOgBDAF8AMAAvADAAfABGADoARgBfADIAMAA0ADIAMQAvADIAMAA0ADcAOQB8AAAAUg5TAFkAUwBUAEUATQAAAGgAckBXAGkAbgBkAG8AdwBzACAAMQAwACAARQBuAHQAZQByAHAAcgBpAHMAZQAgAEwAVABTAEMAIAAyADAAMgAxAAAAehRXAE8AUgBLAEcAUgBPAFUAUAAAAA== ---SEKHMET---
URLs

http://o3n4bhhtybbtwqqs.onion/C3A1FCC184FA5B8C

https://sekhmet.top/C3A1FCC184FA5B8C

Signatures

  • Detected Egregor ransomware 1 IoCs
  • Egregor Ransomware

    Variant of the Sekhmet ransomware first seen in September 2020.

  • Egregor family
  • Sekhmet Ransomware

    Ransomware family active in the wild since early 2020.

  • Sekhmet family
  • Credentials from Password Stores: Windows Credential Manager 1 TTPs

    Suspicious access to Credentials History.

  • Drops startup file 4 IoCs
  • Blocklisted process makes network request 21 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 10 IoCs
  • Loads dropped DLL 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 11 IoCs
  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\RansomwareSamples\Sekhmet_30_03_2020_364KB.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2260
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:6068
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:5060
    • C:\Windows\syswow64\MsiExec.exe
      "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Users\Admin\AppData\Local\Temp\System Update\patch_may13869.dll"
      2⤵
      • Drops startup file
      • Blocklisted process makes network request
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:5056
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:3404

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\03dfe1345efb8ef72765da72\RECOVER-FILES.txt

    Filesize

    11KB

    MD5

    495a111eb74024999b3c5e803c46620f

    SHA1

    0da4244712d6450caaa3606352d7afd976065a33

    SHA256

    ce453fe0beaa3f164baa48390783bb64bb29957a90379222fab9dab7a2633089

    SHA512

    000954d9636e1a88e59c6c0f6a29e3aee4b34ffce226be00621ce5941968cad53bb871be6776dd0ed6a20166b4e93aaf04a590afa20cbfb39de90a3dd2821787

  • C:\Config.Msi\e57886b.rbs

    Filesize

    7KB

    MD5

    58fc3bbb1e82ce0690539bbd8ab72ddd

    SHA1

    5896939f23170d84e0aa4493cdf80b3ffe26d807

    SHA256

    65fabba55b2c879a5b605325136934ff88a041e2bb020525db21c5dec3175c27

    SHA512

    33a41111223ccd95c7bb1da846491de4f91d771d7b401f3175f9535574d3039bd0f021adaed1d46a8466bc9456f99ce6e827318f361a68704feda2dcf10254dd

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

    Filesize

    2KB

    MD5

    40a50d86d67f59c010b2fb2260758b6f

    SHA1

    cad7afcb7aa30182b9db0cb730596c586ffb279d

    SHA256

    7e0b6aa0f0cb1c587d2ebafdd446eae5406ebeb10f3af85400ceb9096f9b12f9

    SHA512

    f6fce4c62a4cf013711926589337e9dce99d5f65f4f0c895a63ea4896a8caea16f1cc21805e0245906b656a298a35f688553ce95186890a74270a73915bb01ee

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

    Filesize

    4KB

    MD5

    c876fcebfd8d975bc96a0e0518ec100b

    SHA1

    4a23963d46dcf8bfa55af8f7d35c85e8f94bba37

    SHA256

    12fe66a8443049edae11662c1fd7a7f361b5924e187e55641e37bbb2cdac7362

    SHA512

    8b56324a84474744eacb83f6637a26e6e5e33cf15dce1d0b30401eb463bdd5b070173297face82aaad0978885987bdd63381e1d3d1b8091db4578d87abe6d5fe

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

    Filesize

    1KB

    MD5

    4a3a79c265b364a0926fe772bfc87230

    SHA1

    be4357818887855ecfe262986b7783c5c487237d

    SHA256

    bd2b055b9960d995dd6dfeb4ede435e5195b32d339c87873d85a3922408f1238

    SHA512

    79e5ed31627bd72df03a107071af2aeecfd810c140cd0709d6b592488181711c44a52454b6a93d38c20484dcfc1d0111e893dc1ed50b24e3fbc55bb25a724745

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D7833C286363AD25C70511661A83D581_0D5B85F46E0186BABAB24EA67895D7CA

    Filesize

    526B

    MD5

    8420d236284dd7b66d3bbb523d7edd8c

    SHA1

    134f1f017484f0ca5c528992b5b8885151d923d1

    SHA256

    1c094758746a4e8822516d2ad664feef6e326f9d7264be1b623c617ce9746f3d

    SHA512

    144749fe324b73e2e47eda5f65d68440e02cd4bd3a08868bf0c962b7f31cc7950943f8e71466b6e870e26a0570669932691d0a53a032258545d293c20c7fa57e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_E6095CD2AECC9011BCD0D7B421356B17

    Filesize

    488B

    MD5

    3a5554abce026c05609889e383bdf911

    SHA1

    bad3ea579adab7ee1e84c3e6a69d539c5e8ceec6

    SHA256

    5ba2acdc02dc4e3d37df26dfd0fa10caec170bebf8d1ef69b9bdab829969a4bf

    SHA512

    e244c840b4a4f9ff458f2fbf9732dde94472b09259e90b401dde4fc312cf4fbcb5a22ab4fd692563e044b240046c7fc4d1ae4e1f6bee9acb523dc75d6f998e31

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157

    Filesize

    608B

    MD5

    53a33c12931e62bce72de3b8a78a1e1c

    SHA1

    5f9d38e3e1d4c33e5911456ad8101dcb19f73ddd

    SHA256

    6c1cf946b5e127ce6a84117a9ce749dcc58e952b24770cdcdc39afb5465d3361

    SHA512

    851ef8dfd2c5b5efe96397bc4192b1845a4e74bef666545122dd70bf4bf95ceaaaef5009abcd22d784da3a08579c6dbab2cd55b3bdcaf5e26692c26839aadd71

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

    Filesize

    598B

    MD5

    1420a26a0406ddba3845231849847946

    SHA1

    3eb61b890bbe30f0e22cf4725fca08cb50e8c53c

    SHA256

    aa8f2f68fa02f70f0814ee46840249c3ed18f80c6544017aae8dc86b1a88c23f

    SHA512

    3327b701194179c51f2aa72fd482c2e41939a1bf0c65dc2981356502cf4c8cfb14e0a9e76f43fc8b4e7ef48eebc9ab649da162c29f2ae90ebea79bc3623ec3b4

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

    Filesize

    482B

    MD5

    fa7dcc2beff5a812aa08a0495a0264f7

    SHA1

    66aec43cb8555854a2c5273944ce7eb25039b592

    SHA256

    723caa9caf219d69637ca6caa6b9b9a7fe597c0e1226ff6109039a0174fb0bc3

    SHA512

    9d0ac3972df8b9dc1e760fe452e460ee4e499c5fe275e598cd39074e3004910f5df56856cc1fa6ac5046d8131db6694a9960976c26b6d074c258470a7a852d80

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D7833C286363AD25C70511661A83D581_0D5B85F46E0186BABAB24EA67895D7CA

    Filesize

    484B

    MD5

    3838cfe8daf52ef093ca11a0b4e10d3e

    SHA1

    2122f76fae9e5a4c07316ca1217b0d6a81fc7bf9

    SHA256

    a8e4ce03dc452bba0563388559e3c549a674c6b6e966fea10f66bca4107682ce

    SHA512

    72a3f44356ab48e300095c87ec2c951c61fdf3485ddf9f0628ca3a9cdf50a8c558e7423c541112e03d03eac0750ad907c2fc83fdb1e0aeda9cff533ab0f24807

  • C:\Users\Admin\AppData\Local\Temp\System Update\patch_may13869.dll

    Filesize

    707KB

    MD5

    1343bd0e55191ff224f2a5d4b30cdf3b

    SHA1

    6412cbf10ac523452e051267afce4095d7f3d5ac

    SHA256

    fceb299326ef4298a3c30e10b31d8c64f1369b182ac256d1eeaf148c1adcea8d

    SHA512

    f3fcb8d1c89f463f2e73dadbf32afda7716c8c065990f3422fc2b5f10cb396a68ea6f711a0184989b83f474e660bc12fb47db60966011b1a18f84755571e9b9e

  • C:\Windows\Installer\e57886a.msi

    Filesize

    364KB

    MD5

    15fc8a15e86c367586e3661b03bcab44

    SHA1

    a6a6f2dc244d75cac1509e46c7de88ff479b9ee6

    SHA256

    b2945f293ee3f68a97cc493774ff1e8818f104fb92ef9dbeead05a32fc7006ff

    SHA512

    cad4c868065a4715126a6e644c1fc1c5d9832e027f62f2f9370172e523fe7db63119871ba64977fc2f25959197a20f0e0e98bd66b2539eae7d46ded9d571436b

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

    Filesize

    24.0MB

    MD5

    74d7d790ba8d9676104aa22e64dd8384

    SHA1

    ca84a53c630371c76aba19fe8fbb2afcf3247d43

    SHA256

    7a828615b0d8c79468d8ae72414982d09a2da5769ba407a81b77d10d611a0bf3

    SHA512

    cd55028927d892832198b42d521755c26c7ae090982486c861a1997f19932cc19b71047b7dca8c6637db75998d53285e7b0232c78c180b70a604ed009feb6eda

  • \??\Volume{e6588854-0000-0000-0000-d08302000000}\System Volume Information\SPP\OnlineMetadataCache\{ccbdaf9d-8bce-4ddc-8fd7-40a105247bdc}_OnDiskSnapshotProp

    Filesize

    6KB

    MD5

    58b3403a6e793f5b88508122d09b451b

    SHA1

    f77a12cbb6b6543e5d821e690d4db23d7e1572ff

    SHA256

    74878f20509b6ae8804eab34a7ed5fa51fe18d6d835ec9c767e7478870a36e98

    SHA512

    fb7b5fe269b419de60bdd3e4097c73b74d2dabe67ed280c2f4c279aa8cb513e924cdf9a7aa2b503a904939ad4907e6c83771c618814bbb9e3a65d844a4c45374

  • memory/5056-32-0x0000000002D80000-0x0000000002DA8000-memory.dmp

    Filesize

    160KB

  • memory/5056-39-0x0000000002D80000-0x0000000002DA8000-memory.dmp

    Filesize

    160KB