Analysis
max time kernel: 152s
max time network: 157s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 12-06-2022 09:28
Static task: static1
Behavioral task: behavioral1
Sample: ktrazuaohhbo7kc.msi
Resource: win7-20220414-en
Behavioral task: behavioral2
Sample: ktrazuaohhbo7kc.msi
Resource: win10v2004-20220414-en
General
Target: ktrazuaohhbo7kc.msi
Size: 1.0MB
MD5: 516b891e8e0dd965e27d87552070deaf
SHA1: 45d53c2fe685c953cf1a18e4fb9b96ab0d480682
SHA256: 74f05574ba23c3e43d28a4d1adec713cfada1bdd01648bcbd16418a87ad91a37
SHA512: 4a7f16a5032acc6df9e241b53c1c43798dff0b04f1e5eb8d4fb78d57ccf6916d108c903b0e9634555c1dc6cec8b947d64b27d98c28b225ae81847474037418a9
Malware Config
Extracted
hawkeye_reborn
9.0.1.6
Protocol: smtp
Host: mail.patrogabon.com
Port: 587
Username: [email protected]
Password: PyAF1VMa~s5;
fde0218e-5e9c-462f-b529-a61f688a2e66
-
fields
map[_AntiDebugger:false _AntiVirusKiller:false _BotKiller:false _ClipboardLogger:true _Delivery:0 _DisableCommandPrompt:false _DisableRegEdit:false _DisableTaskManager:false _Disablers:false _EmailPassword:PyAF1VMa~s5; _EmailPort:587 _EmailSSL:true _EmailServer:mail.patrogabon.com _EmailUsername:[email protected] _ExecutionDelay:10 _FTPPort:0 _FTPSFTP:false _FakeMessageIcon:0 _FakeMessageShow:false _FileBinder:false _HideFile:false _HistoryCleaner:false _Install:false _InstallLocation:0 _InstallStartup:false _InstallStartupPersistance:false _KeyStrokeLogger:true _LogInterval:10 _MeltFile:false _Mutex:fde0218e-5e9c-462f-b529-a61f688a2e66 _PasswordStealer:true _ProcessElevation:false _ProcessProtection:false _ScreenshotLogger:false _SystemInfo:false _Version:9.0.1.6 _WebCamLogger:false _WebsiteBlocker:false _WebsiteVisitor:false _WebsiteVisitorVisible:false _ZoneID:false]
-
name
HawkEye Keylogger - Reborn v9, Version=9.0.1.6, Culture=neutral, PublicKeyToken=null
Signatures
-
HawkEye Reborn
HawkEye Reborn is an enhanced version of the HawkEye malware kit.
-
M00nd3v_Logger
M00nd3v Logger is a .NET stealer/logger targeting passwords from browsers and email clients.
-
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
Processes: MSI8454.tmp
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions | MSI8454.tmp
-
Processes:
resource | yara_rule
behavioral2/memory/4556-146-0x0000000000400000-0x0000000000490000-memory.dmp | m00nd3v_logger
-
NirSoft MailPassView 4 IoCs
Password recovery tool for various email clients
Processes:
resource | yara_rule
behavioral2/memory/3016-155-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
behavioral2/memory/3016-157-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
behavioral2/memory/3016-158-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
behavioral2/memory/3016-159-0x0000000000400000-0x000000000041C000-memory.dmp | MailPassView
-
NirSoft WebBrowserPassView 4 IoCs
Password recovery tool for various web browsers
Processes:
resource | yara_rule
behavioral2/memory/1904-148-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
behavioral2/memory/1904-150-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
behavioral2/memory/1904-151-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
behavioral2/memory/1904-152-0x0000000000400000-0x000000000045B000-memory.dmp | WebBrowserPassView
-
Nirsoft 8 IoCs
Processes:
resource | yara_rule
behavioral2/memory/1904-148-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral2/memory/1904-150-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral2/memory/1904-151-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral2/memory/1904-152-0x0000000000400000-0x000000000045B000-memory.dmp | Nirsoft
behavioral2/memory/3016-155-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
behavioral2/memory/3016-157-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
behavioral2/memory/3016-158-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
behavioral2/memory/3016-159-0x0000000000400000-0x000000000041C000-memory.dmp | Nirsoft
-
Executes dropped EXE 1 IoCs
Processes: MSI8454.tmp
pid | process
1948 | MSI8454.tmp
-
Looks for VMWare Tools registry key 2 TTPs 1 IoCs
Processes: MSI8454.tmp
description | ioc | process
Key opened | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools | MSI8454.tmp
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: MSI8454.tmp
description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | MSI8454.tmp
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | MSI8454.tmp
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: MSI8454.tmp
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation | MSI8454.tmp
-
Uses the VBS compiler for execution 1 TTPs
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes: vbc.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | vbc.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
description | ioc | process
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
-
Maps connected drives based on registry 3 TTPs 2 IoCs
Disk information is often read in order to detect sandboxing environments.
Processes: MSI8454.tmp
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum | MSI8454.tmp
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 | MSI8454.tmp
-
Suspicious use of SetThreadContext 3 IoCs
Processes: MSI8454.tmp, RegAsm.exe
description | pid | process | target process
PID 1948 set thread context of 4556 | 1948 | MSI8454.tmp | RegAsm.exe
PID 4556 set thread context of 1904 | 4556 | RegAsm.exe | vbc.exe
PID 4556 set thread context of 3016 | 4556 | RegAsm.exe | vbc.exe
-
Drops file in Windows directory 8 IoCs
Processes: msiexec.exe
description | ioc | process
File opened for modification | C:\Windows\Installer\MSI8230.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI8454.tmp | msiexec.exe
File created | C:\Windows\Installer\e577791.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e577791.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6} | msiexec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes: msiexec.exe, MSI8454.tmp, vbc.exe
pid | process
1416 | msiexec.exe
1416 | msiexec.exe
1948 | MSI8454.tmp
1948 | MSI8454.tmp
1904 | vbc.exe
1904 | vbc.exe
1904 | vbc.exe
1904 | vbc.exe
1904 | vbc.exe
1904 | vbc.exe
1904 | vbc.exe
1904 | vbc.exe
1904 | vbc.exe
1904 | vbc.exe
1904 | vbc.exe
1904 | vbc.exe
-
Suspicious use of AdjustPrivilegeToken 56 IoCs
Processes: msiexec.exe, msiexec.exe, vssvc.exe, MSI8454.tmp, srtasks.exe
description | pid | process
Token: SeShutdownPrivilege | 4144 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4144 | msiexec.exe
Token: SeSecurityPrivilege | 1416 | msiexec.exe
Token: SeCreateTokenPrivilege | 4144 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4144 | msiexec.exe
Token: SeLockMemoryPrivilege | 4144 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4144 | msiexec.exe
Token: SeMachineAccountPrivilege | 4144 | msiexec.exe
Token: SeTcbPrivilege | 4144 | msiexec.exe
Token: SeSecurityPrivilege | 4144 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4144 | msiexec.exe
Token: SeLoadDriverPrivilege | 4144 | msiexec.exe
Token: SeSystemProfilePrivilege | 4144 | msiexec.exe
Token: SeSystemtimePrivilege | 4144 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4144 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4144 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4144 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4144 | msiexec.exe
Token: SeBackupPrivilege | 4144 | msiexec.exe
Token: SeRestorePrivilege | 4144 | msiexec.exe
Token: SeShutdownPrivilege | 4144 | msiexec.exe
Token: SeDebugPrivilege | 4144 | msiexec.exe
Token: SeAuditPrivilege | 4144 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4144 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4144 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4144 | msiexec.exe
Token: SeUndockPrivilege | 4144 | msiexec.exe
Token: SeSyncAgentPrivilege | 4144 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4144 | msiexec.exe
Token: SeManageVolumePrivilege | 4144 | msiexec.exe
Token: SeImpersonatePrivilege | 4144 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4144 | msiexec.exe
Token: SeBackupPrivilege | 4056 | vssvc.exe
Token: SeRestorePrivilege | 4056 | vssvc.exe
Token: SeAuditPrivilege | 4056 | vssvc.exe
Token: SeBackupPrivilege | 1416 | msiexec.exe
Token: SeRestorePrivilege | 1416 | msiexec.exe
Token: SeRestorePrivilege | 1416 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1416 | msiexec.exe
Token: SeRestorePrivilege | 1416 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1416 | msiexec.exe
Token: SeRestorePrivilege | 1416 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1416 | msiexec.exe
Token: SeDebugPrivilege | 1948 | MSI8454.tmp
Token: SeBackupPrivilege | 4496 | srtasks.exe
Token: SeRestorePrivilege | 4496 | srtasks.exe
Token: SeSecurityPrivilege | 4496 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 4496 | srtasks.exe
Token: SeBackupPrivilege | 4496 | srtasks.exe
Token: SeRestorePrivilege | 4496 | srtasks.exe
Token: SeSecurityPrivilege | 4496 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 4496 | srtasks.exe
Token: SeRestorePrivilege | 1416 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1416 | msiexec.exe
Token: SeRestorePrivilege | 1416 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 1416 | msiexec.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes: msiexec.exe
pid | process
4144 | msiexec.exe
4144 | msiexec.exe
-
Suspicious use of WriteProcessMemory 34 IoCs
Processes: msiexec.exe, MSI8454.tmp, RegAsm.exe
description | pid | process | target process
PID 1416 wrote to memory of 4496 | 1416 | msiexec.exe | srtasks.exe
PID 1416 wrote to memory of 4496 | 1416 | msiexec.exe | srtasks.exe
PID 1416 wrote to memory of 1948 | 1416 | msiexec.exe | MSI8454.tmp
PID 1416 wrote to memory of 1948 | 1416 | msiexec.exe | MSI8454.tmp
PID 1416 wrote to memory of 1948 | 1416 | msiexec.exe | MSI8454.tmp
PID 1948 wrote to memory of 4564 | 1948 | MSI8454.tmp | schtasks.exe
PID 1948 wrote to memory of 4564 | 1948 | MSI8454.tmp | schtasks.exe
PID 1948 wrote to memory of 4564 | 1948 | MSI8454.tmp | schtasks.exe
PID 1948 wrote to memory of 4556 | 1948 | MSI8454.tmp | RegAsm.exe
PID 1948 wrote to memory of 4556 | 1948 | MSI8454.tmp | RegAsm.exe
PID 1948 wrote to memory of 4556 | 1948 | MSI8454.tmp | RegAsm.exe
PID 1948 wrote to memory of 4556 | 1948 | MSI8454.tmp | RegAsm.exe
PID 1948 wrote to memory of 4556 | 1948 | MSI8454.tmp | RegAsm.exe
PID 1948 wrote to memory of 4556 | 1948 | MSI8454.tmp | RegAsm.exe
PID 1948 wrote to memory of 4556 | 1948 | MSI8454.tmp | RegAsm.exe
PID 1948 wrote to memory of 4556 | 1948 | MSI8454.tmp | RegAsm.exe
PID 4556 wrote to memory of 1904 | 4556 | RegAsm.exe | vbc.exe
PID 4556 wrote to memory of 1904 | 4556 | RegAsm.exe | vbc.exe
PID 4556 wrote to memory of 1904 | 4556 | RegAsm.exe | vbc.exe
PID 4556 wrote to memory of 1904 | 4556 | RegAsm.exe | vbc.exe
PID 4556 wrote to memory of 1904 | 4556 | RegAsm.exe | vbc.exe
PID 4556 wrote to memory of 1904 | 4556 | RegAsm.exe | vbc.exe
PID 4556 wrote to memory of 1904 | 4556 | RegAsm.exe | vbc.exe
PID 4556 wrote to memory of 1904 | 4556 | RegAsm.exe | vbc.exe
PID 4556 wrote to memory of 1904 | 4556 | RegAsm.exe | vbc.exe
PID 4556 wrote to memory of 3016 | 4556 | RegAsm.exe | vbc.exe
PID 4556 wrote to memory of 3016 | 4556 | RegAsm.exe | vbc.exe
PID 4556 wrote to memory of 3016 | 4556 | RegAsm.exe | vbc.exe
PID 4556 wrote to memory of 3016 | 4556 | RegAsm.exe | vbc.exe
PID 4556 wrote to memory of 3016 | 4556 | RegAsm.exe | vbc.exe
PID 4556 wrote to memory of 3016 | 4556 | RegAsm.exe | vbc.exe
PID 4556 wrote to memory of 3016 | 4556 | RegAsm.exe | vbc.exe
PID 4556 wrote to memory of 3016 | 4556 | RegAsm.exe | vbc.exe
PID 4556 wrote to memory of 3016 | 4556 | RegAsm.exe | vbc.exe
Processes
C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ktrazuaohhbo7kc.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4144
C:\Windows\system32\msiexec.exe
  C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1416
    C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      - Suspicious use of AdjustPrivilegeToken
      PID:4496
    C:\Windows\Installer\MSI8454.tmp
      "C:\Windows\Installer\MSI8454.tmp"
      - Looks for VirtualBox Guest Additions in registry
      - Executes dropped EXE
      - Looks for VMWare Tools registry key
      - Checks BIOS information in registry
      - Checks computer location settings
      - Maps connected drives based on registry
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID:1948
        C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JvwXYWCv" /XML "C:\Users\Admin\AppData\Local\Temp\tmp537A.tmp"
          - Creates scheduled task(s)
          PID:4564
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          PID:4556
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp80B4.tmp"
              - Suspicious behavior: EnumeratesProcesses
              PID:1904
            C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
              "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\tmp84CC.tmp"
              - Accesses Microsoft Outlook accounts
              PID:3016
C:\Windows\system32\vssvc.exe
  C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
  PID:4056
Network
MITRE ATT&CK Enterprise v6
Downloads