Analysis
- max time kernel: 248s
- max time network: 215s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220414-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-07-2022 15:30
Static task
static1
Behavioral task
behavioral1
Sample
PDF_3028225.msi
Resource
win7-20220414-en
Behavioral task
behavioral2
Sample
PDF_3028225.msi
Resource
win10v2004-20220414-en
General
-
Target
PDF_3028225.msi
-
Size
484KB
-
MD5
47847ac5f01e037c1a18becc0dfd4611
-
SHA1
d6f37b18252787c2c2c31358e741d9b834440331
-
SHA256
7d1c0c7e4cbfe49926451ab6365455e5f3889fb17e2508afa9f6e2ebeedaa2c1
-
SHA512
7630b223cddfc31ef7afee9972ab4a5100b048d35f526211e331f4717260e2c29b0962ad35271701b00c5c379f7798004f5140abe8dbc88ddf083d8b2ee78004
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
Processes: msiexec.exe
flow  pid   process
4     2076  msiexec.exe
8     2076  msiexec.exe
-
Loads dropped DLL 3 IoCs
Processes: regsvr32.exe, regsvr32.exe, regsvr32.exe
pid   process
948   regsvr32.exe
100   regsvr32.exe
1956  regsvr32.exe
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 10 IoCs
Processes: msiexec.exe
description  ioc  process
File created  C:\Windows\Installer\e56fb3d.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSIFD12.tmp  msiexec.exe
File created  C:\Windows\Installer\inprogressinstallinfo.ipi  msiexec.exe
File created  C:\Windows\Installer\SourceHash{0E8C02CA-3030-4459-8253-5139E0330866}  msiexec.exe
File created  C:\Windows\Installer\e56fb3f.msi  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI68C3.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\MSI9E4C.tmp  msiexec.exe
File opened for modification  C:\Windows\Installer\e56fb3d.msi  msiexec.exe
File opened for modification  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  msiexec.exe
File opened for modification  C:\Windows\Installer\  msiexec.exe
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
description  ioc  process
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache  vssvc.exe
Set value (data)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache  vssvc.exe
Key opened  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters  vssvc.exe
Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr  vssvc.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes: msiexec.exe
pid   process
3432  msiexec.exe
3432  msiexec.exe
3432  msiexec.exe
3432  msiexec.exe
3432  msiexec.exe
3432  msiexec.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
Processes: msiexec.exe, msiexec.exe, msiexec.exe, wscript.exe
pid   process
2076  msiexec.exe
2076  msiexec.exe
5020  msiexec.exe
5020  msiexec.exe
4408  msiexec.exe
4408  msiexec.exe
3132  wscript.exe
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes: msiexec.exe, regsvr32.exe, regsvr32.exe, regsvr32.exe
description  pid  process  target process
PID 3432 wrote to memory of 3724  3432  msiexec.exe  srtasks.exe
PID 3432 wrote to memory of 3724  3432  msiexec.exe  srtasks.exe
PID 3432 wrote to memory of 4520  3432  msiexec.exe  wscript.exe
PID 3432 wrote to memory of 4520  3432  msiexec.exe  wscript.exe
PID 3432 wrote to memory of 1596  3432  msiexec.exe  regsvr32.exe
PID 3432 wrote to memory of 1596  3432  msiexec.exe  regsvr32.exe
PID 1596 wrote to memory of 948  1596  regsvr32.exe  regsvr32.exe
PID 1596 wrote to memory of 948  1596  regsvr32.exe  regsvr32.exe
PID 1596 wrote to memory of 948  1596  regsvr32.exe  regsvr32.exe
PID 3432 wrote to memory of 4668  3432  msiexec.exe  wscript.exe
PID 3432 wrote to memory of 4668  3432  msiexec.exe  wscript.exe
PID 3432 wrote to memory of 2632  3432  msiexec.exe  regsvr32.exe
PID 3432 wrote to memory of 2632  3432  msiexec.exe  regsvr32.exe
PID 2632 wrote to memory of 100  2632  regsvr32.exe  regsvr32.exe
PID 2632 wrote to memory of 100  2632  regsvr32.exe  regsvr32.exe
PID 2632 wrote to memory of 100  2632  regsvr32.exe  regsvr32.exe
PID 3432 wrote to memory of 3132  3432  msiexec.exe  wscript.exe
PID 3432 wrote to memory of 3132  3432  msiexec.exe  wscript.exe
PID 3432 wrote to memory of 4456  3432  msiexec.exe  regsvr32.exe
PID 3432 wrote to memory of 4456  3432  msiexec.exe  regsvr32.exe
PID 4456 wrote to memory of 1956  4456  regsvr32.exe  regsvr32.exe
PID 4456 wrote to memory of 1956  4456  regsvr32.exe  regsvr32.exe
PID 4456 wrote to memory of 1956  4456  regsvr32.exe  regsvr32.exe
Processes
-
C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\PDF_3028225.msi
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
  -
  C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  -
  C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
  -
  C:\Windows\system32\regsvr32.exe
  regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\regsvr32.exe
    -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
    - Loads dropped DLL
  -
  C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
  -
  C:\Windows\system32\regsvr32.exe
  regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\regsvr32.exe
    -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
    - Loads dropped DLL
  -
  C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
  - Suspicious use of FindShellTrayWindow
  -
  C:\Windows\system32\regsvr32.exe
  regsvr32.exe -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
  - Suspicious use of WriteProcessMemory
    -
    C:\Windows\SysWOW64\regsvr32.exe
    -n -i:"Install" C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
    - Loads dropped DLL
-
C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
-
C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\PDF_3028225.msi"
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
-
C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\PDF_3028225.msi"
- Enumerates connected drives
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_32ADABCB823BA1231EA36C215C0D3FFB
Filesize
727B
MD5
0d26fcd430e8da3f1d2268e5f2c96948
SHA1
fde47603630d4b585d3d9d0b9c71a2d04b8d0e4f
SHA256
98a8204e097137c5ac750cb4154fe9579c2254180cc842f15d8344e8e2be37ee
SHA512
80ba38928c8d6eedfb8e0cb537f0bbab152918c2c65b917ecf33ebad22a49976783560dd963f253dd5a439ee2de695802f357cba2a8aa29b9bd5dc72eb71673a
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize
727B
MD5
a485d69614a6015dd87f332f156dbcda
SHA1
e173979fc219cc09b20f79a8ac9d2ee72d93668d
SHA256
44a294a4e02743fc51bfa36b844d2cbf5f7ee94a9476dcd01ff5300a71860c48
SHA512
4f7d64e45b6cb134c8676a4b1e2cc3e43bf24c15670aa8f9b7a4101ca8383d3c2bcf09dfc3856847e72168043dd8ddcf553cf5ecfe99c69032b8eb48508dad60
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_32ADABCB823BA1231EA36C215C0D3FFB
Filesize
408B
MD5
0e36baba2bff4f95b60f07398f309e91
SHA1
71621ae41ccf4994b220e25df353a7aeff1b4ceb
SHA256
fa9df9778c0053b6e553d0464c60c7ecead34642b2118c4c1a277d4236038af4
SHA512
082de27c17e705fb6ef00d1db682ac089e3609ee2876ed3e02a7f88fe6c87579288f93376b8fb67282763ee8a993f06b13f570dd9ab25a3138ffa635992457bf
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141
Filesize
412B
MD5
59b7458d0639572cea235781e09ac281
SHA1
1e4ef8c7688ee13f94ca5515d7721d12662836b2
SHA256
7673a36ce4f1c69eecf315f25d31fc0054d27eba7e689063acd22f7ac464454c
SHA512
a66a67fab3520a9418ede063f52fde2572ce186c10e9ff8ee3c2eb46ee9212e5031e3ac2a07094a1a52b57f202c12fa6076968fe1e1a808a114fd37b44f900d2
-
C:\Users\Admin\AppData\Local\AdobeFontPack\main.dll
Filesize
777KB
MD5
926382093a313282f4a1639944f3fb0c
SHA1
851380d94deeb031aad806795d760f3982399850
SHA256
1ce7c87d8dc79ace14eb2a1be829f2d3b321b70717f723a61998ab3b9112eec8
SHA512
f315d01e8475c4bc73a9c2e18c17c462b826dec66d9900534f0ccddd08f782642828fe1c2b3a04049f82c38f24cd48f419c7d1c91200ca1de32f27642ac145d3
-
C:\Users\Admin\AppData\Local\AdobeFontPack\notify.vbs
Filesize
68B
MD5
0308aa2c8dab8a69de41f5d16679bb9b
SHA1
c6827bf44a433ff086e787653361859d6f6e2fb3
SHA256
0a7e8fd68575db5f84c18b9a26e4058323d1357e2a29a5b12278e4bfa6939489
SHA512
1a1ca92e3c8d52c8b5adbb3117a88d8a2a8c33eaf2f7b0d620fe006653f57f4ba0b803884616594ca31e13a1b0b59ddae52cecf044621ec44371084dac6beb72
-
C:\Windows\Installer\e56fb3f.msi
Filesize
484KB
MD5
47847ac5f01e037c1a18becc0dfd4611
SHA1
d6f37b18252787c2c2c31358e741d9b834440331
SHA256
7d1c0c7e4cbfe49926451ab6365455e5f3889fb17e2508afa9f6e2ebeedaa2c1
SHA512
7630b223cddfc31ef7afee9972ab4a5100b048d35f526211e331f4717260e2c29b0962ad35271701b00c5c379f7798004f5140abe8dbc88ddf083d8b2ee78004
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB
MD5
3483877b3986a5f5a034114a2dc5d44b
SHA1
a3d2e17886299b0066f17c59cd207acfcc49abfa
SHA256
39367e786bd7b8d176523554529399581f2fa7083cc228a8e0df721eb5f9272f
SHA512
ae2cafde588de63bfff4f870f94fadc0a31a57c35720de35fa225ae18c884e95f6e97e831055776090aeca3719aaa9a81e7563a16f137eb6f5bcaa24f07803bc
-
\??\Volume{edc211e1-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{86167eba-3cdc-4083-896e-22e7398e9f18}_OnDiskSnapshotProp
Filesize
5KB
MD5
302582000777702f09694fa689c32f9f
SHA1
2627705d0f861da0b89dcd0cd6de23237da1b687
SHA256
dd299005d698bbb2fb50c82cd4b927060ce8349eca17c2e1f0aa631a78752749
SHA512
6aec739226401424123fe4f099a23a12b0944d52304bc7b948d43ef627d01b0247392103b2093f9ec7d785b91a7d7fabfde2bfa1fdf97bf24d788597e7bf9038