Analysis
max time kernel: 148s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20220812-es
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-es, locale:es-es, os:windows10-2004-x64, system, windows
submitted: 08-01-2023 12:06

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: airshipper-windows.msi
  Resource: win10v2004-20220812-es
General
Target: airshipper-windows.msi
Size: 13.9MB
MD5: b30f858a333b468f768bc70db6cf4cc9
SHA1: 881326e777a537c78bd4f02e1996f48d684e3e21
SHA256: d2b19361c504cfbf90c6733c17a12f89928b14c12787a4df0da619dbd90facdf
SHA512: ec2dd4886565df60a7fae85be8214fe495c9f5078fb46d227b654745bbea7abfe113f2aa3ab99dc0136e50bd7d5344909c36204f2aa6ab188341ce856fae73cd
SSDEEP: 196608:Y1L/961cSEfDtbauOHiR5kFoRZ7hpBeppZU21WQfvHNVsc0EstM95ak8:OJUwUuid6Zp4DZUr4H/sssC9Uk
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  PID 2056  airshipper.exe

Loads dropped DLL (1 IoC)
  PID 2776  MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  Process: msiexec.exe (both installer processes, PID 1028 and PID 2600, carry this signature)
  Event: File opened (read-only)
  IoCs: each of the 24 drive roots \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: is opened twice (48 events); only C: and D: are never probed.
  Note: every open is performed by msiexec.exe, not by the dropped airshipper.exe. Together with the SourceList\Media\1 = ";CD-ROM #1" registration recorded in the registry section, this is consistent with Windows Installer source-media resolution rather than with reconnaissance by the payload.
Drops file in Program Files directory (1 IoC)
  File created: C:\Program Files\Airshipper\airshipper.exe  (msiexec.exe)

Drops file in Windows directory (10 IoCs)
  File opened for modification: C:\Windows\Installer\  (msiexec.exe)
  File opened for modification: C:\Windows\Installer\MSI3E03.tmp  (msiexec.exe)
  File created: C:\Windows\Installer\{5F467C5A-B0D8-4530-858B-D2CECDDECA70}\ProductICO  (msiexec.exe)
  File opened for modification: C:\Windows\Installer\{5F467C5A-B0D8-4530-858B-D2CECDDECA70}\ProductICO  (msiexec.exe)
  File created: C:\Windows\Installer\e573c1e.msi  (msiexec.exe)
  File opened for modification: C:\Windows\Installer\e573c1e.msi  (msiexec.exe)
  File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log  (msiexec.exe)
  File created: C:\Windows\Installer\inprogressinstallinfo.ipi  (msiexec.exe)
  File created: C:\Windows\Installer\SourceHash{5F467C5A-B0D8-4530-858B-D2CECDDECA70}  (msiexec.exe)
  File created: C:\Windows\Installer\e573c20.msi  (msiexec.exe)
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Process: vssvc.exe (all five events)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
  Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000dcccb42f1bc641320000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000dcccb42f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900dcccb42f000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
  Note: in this run the SCSI keys are touched by vssvc.exe (the Volume Shadow Copy service), not by the sample or by msiexec.exe, and the values written are partmgr's PartitionTableCache and SnapshotDataCache. This coincides with the restore-point creation visible in the process tree (srtasks.exe ExecuteScopeRestorePoint), so the signature here reflects snapshot bookkeeping rather than sandbox detection.
Modifies data under HKEY_USERS (3 IoCs)
  Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f  (msiexec.exe)
  Key deleted: \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E  (msiexec.exe)
  Key deleted: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e  (msiexec.exe)

Modifies registry class (26 IoCs)
All 26 events are by msiexec.exe and are Windows Installer product registration. Paths below are relative to \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\; <Product> stands for A5C764F58D0B035458B82DECDCEDAC07, which is the packed (byte-reversed) form of the product code {5F467C5A-B0D8-4530-858B-D2CECDDECA70} seen in the dropped-file paths.
  Set value (int)  Products\<Product>\AdvertiseFlags = "388"
  Set value (int)  Products\<Product>\DeploymentFlags = "3"
  Set value (str)  UpgradeCodes\C88751717CF27D4419D2B26402C2F29D\<Product>
  Set value (str)  Products\<Product>\SourceList\Media\DiskPrompt = "Airshipper Installation"
  Set value (data) Products\<Product>\Clients = 3a0000000000
  Set value (str)  Products\<Product>\ProductName = "Airshipper"
  Set value (str)  Products\<Product>\PackageCode = "3FBFC335F4DC53F49BEBED304896BCAF"
  Set value (int)  Products\<Product>\AuthorizedLUAApp = "0"
  Set value (str)  Products\<Product>\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
  Key created      Products\<Product>\SourceList\Media
  Set value (str)  Products\<Product>\SourceList\Media\1 = ";CD-ROM #1"
  Set value (str)  Features\<Product>\DesktopShortcut = "MainProgram"
  Set value (int)  Products\<Product>\Version = "655360"  (0x000A0000, i.e. product version 10.0)
  Set value (str)  Products\<Product>\ProductIcon = "C:\\Windows\\Installer\\{5F467C5A-B0D8-4530-858B-D2CECDDECA70}\\ProductICO"
  Set value (int)  Products\<Product>\Language = "1033"  (en-US)
  Set value (str)  Features\<Product>\Environment = "MainProgram"
  Set value (str)  Features\<Product>\MainProgram
  Key created      Products\<Product>
  Set value (int)  Products\<Product>\Assignment = "1"
  Set value (int)  Products\<Product>\InstanceType = "0"
  Key created      UpgradeCodes\C88751717CF27D4419D2B26402C2F29D
  Key created      Products\<Product>\SourceList
  Key created      Features\<Product>
  Key created      Products\<Product>\SourceList\Net
  Set value (str)  Products\<Product>\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"
  Set value (str)  Products\<Product>\SourceList\PackageName = "airshipper-windows.msi"
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 2600  msiexec.exe  (2 events)

Suspicious use of AdjustPrivilegeToken (64 IoCs, grouped by process; the original table interleaves them)
  PID 1028  msiexec.exe  (31 events): SeShutdownPrivilege (x2), SeIncreaseQuotaPrivilege (x2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 2600  msiexec.exe  (30 events): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege (x15), SeTakeOwnershipPrivilege (x13)
  PID 644   vssvc.exe    (3 events): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege

Suspicious use of FindShellTrayWindow (3 IoCs)
  PID 1028  msiexec.exe  (2 events)
  PID 2056  airshipper.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2056  airshipper.exe

Suspicious use of WriteProcessMemory (7 IoCs)
  PID 2600 msiexec.exe wrote to memory of PID 4192 (srtasks.exe, procid_target 92)  (2 events)
  PID 2600 msiexec.exe wrote to memory of PID 2776 (MsiExec.exe, procid_target 95)  (3 events)
  PID 2776 MsiExec.exe wrote to memory of PID 2056 (airshipper.exe, procid_target 96)  (2 events)
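The two signature descriptions above ("Enumerates connected drives" and the privilege-token events) are easier to judge once the flattened event text is summarised per process: which drive letters each process touched, how many times, and which privileges each PID asked for. The following is an added example written for this page, not code from the sandbox vendor or from the Airshipper project. It assumes the event lines keep the exact flattened layout shown in this report ("File opened (read-only) \??\X: process" and "Token: SePrivilege pid process"); the drive events are the full 48 entries from the report, while the token events are a constructed subset of the 64 listed.

```python
"""Per-process summary of flattened sandbox-report IoC lines (added example)."""
import re
import string
from collections import defaultdict

# All 48 drive-root events from the report, in report order (constructed input).
DRIVE_EVENTS = (
    r"File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe "
    r"File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\M: msiexec.exe "
    r"File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\R: msiexec.exe "
    r"File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe "
    r"File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe "
    r"File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\L: msiexec.exe "
    r"File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\A: msiexec.exe "
    r"File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\F: msiexec.exe "
    r"File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\Q: msiexec.exe "
    r"File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe "
    r"File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\U: msiexec.exe "
    r"File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe "
    r"File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe "
    r"File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\N: msiexec.exe "
    r"File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe "
    r"File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe "
)

# A constructed subset of the report's 64 AdjustPrivilegeToken events.
TOKEN_EVENTS = (
    "Token: SeShutdownPrivilege 1028 msiexec.exe Token: SeIncreaseQuotaPrivilege 1028 msiexec.exe "
    "Token: SeSecurityPrivilege 2600 msiexec.exe Token: SeCreateTokenPrivilege 1028 msiexec.exe "
    "Token: SeTcbPrivilege 1028 msiexec.exe Token: SeLoadDriverPrivilege 1028 msiexec.exe "
    "Token: SeDebugPrivilege 1028 msiexec.exe Token: SeImpersonatePrivilege 1028 msiexec.exe "
    "Token: SeBackupPrivilege 644 vssvc.exe Token: SeRestorePrivilege 644 vssvc.exe "
    "Token: SeAuditPrivilege 644 vssvc.exe Token: SeBackupPrivilege 2600 msiexec.exe "
    "Token: SeRestorePrivilege 2600 msiexec.exe Token: SeTakeOwnershipPrivilege 2600 msiexec.exe "
)

# "\??\X:" is the NT-namespace form of a drive root; the regex escapes the
# backslashes and question marks so only that shape matches.
DRIVE_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]):\s+(\S+)")
TOKEN_RE = re.compile(r"Token:\s+(Se\w+Privilege)\s+(\d+)\s+(\S+)")

# Privileges worth calling out explicitly in a verdict (chosen for this example).
HIGH_IMPACT = {"SeDebugPrivilege", "SeTcbPrivilege", "SeLoadDriverPrivilege",
               "SeCreateTokenPrivilege", "SeAssignPrimaryTokenPrivilege"}


def parse_drive_events(text):
    """Map process name -> {drive letter: number of read-only root opens}."""
    counts = defaultdict(lambda: defaultdict(int))
    for letter, proc in DRIVE_RE.findall(text):
        counts[proc][letter] += 1
    return {proc: dict(letters) for proc, letters in counts.items()}


def unprobed_drives(drives_by_proc, proc):
    """Drive letters the process never opened (C: and D: for msiexec.exe here)."""
    return sorted(set(string.ascii_uppercase) - set(drives_by_proc.get(proc, {})))


def parse_token_events(text):
    """Map (pid, process) -> {privilege: count} for AdjustPrivilegeToken lines."""
    counts = defaultdict(lambda: defaultdict(int))
    for priv, pid, proc in TOKEN_RE.findall(text):
        counts[(int(pid), proc)][priv] += 1
    return {key: dict(privs) for key, privs in counts.items()}


def triage(drive_text, token_text):
    """One finding line per process, with high-impact privileges called out."""
    findings = []
    drives = parse_drive_events(drive_text)
    for proc, letters in sorted(drives.items()):
        findings.append(
            f"{proc}: {sum(letters.values())} root opens across {len(letters)} "
            f"drive letters, skipped {''.join(unprobed_drives(drives, proc))}")
    for (pid, proc), privs in sorted(parse_token_events(token_text).items()):
        hot = sorted(HIGH_IMPACT & set(privs))
        findings.append(f"{proc} pid {pid}: {sum(privs.values())} token adjustments, "
                        f"high-impact: {hot or 'none'}")
    return findings


if __name__ == "__main__":
    for line in triage(DRIVE_EVENTS, TOKEN_EVENTS):
        print(line)
```

Run against the report's drive events the summary shows 48 opens spread evenly over 24 letters with only C: and D: skipped, all by msiexec.exe, which is the pattern to compare against a payload that probes drives itself. The per-PID privilege table makes the split visible: the broad set, including SeDebugPrivilege and SeTcbPrivilege, belongs to the elevated installer process, while vssvc.exe asks only for backup, restore and audit.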
Processes (indentation shows parent/child relationship)

C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\airshipper-windows.msi
  PID: 1028
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2600
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\srtasks.exe
      Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 4192

    C:\Windows\syswow64\MsiExec.exe
      Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 3EEB74A7F387B25DA57D6AD4E5AE29D4 C
      PID: 2776
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

        C:\Program Files\Airshipper\airshipper.exe
          Command line: "C:\Program Files\Airshipper\airshipper.exe"
          PID: 2056
          - Executes dropped EXE
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of SetWindowsHookEx

C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 644
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 26.6MB  (two entries in the report with identical hashes)
MD5: 226383401c4f9cac848db38f1ec642d1
SHA1: c54efcb0a24535474e012a23f87408830bb92753
SHA256: b58390cd578aea9e31aa623ad77dbff03bde203044b5fa0ecf9b21a06d077809
SHA512: cf6c53a4c86401e4d444befed69310928bb0d2017003f1a3e947538f2d3bd6f09463b1a66002eae3bddeeb814bf43099ed84210a86efab2d38b8d0275d5f4f1d

Filesize: 211KB  (two entries in the report with identical hashes)
MD5: a3ae5d86ecf38db9427359ea37a5f646
SHA1: eb4cb5ff520717038adadcc5e1ef8f7c24b27a90
SHA256: c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74
SHA512: 96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

Filesize: 23.0MB
MD5: 6c504b2e83e7f480bed14c670c799a28
SHA1: 4b1daeb936b2cf90b5db60d6d0281745aef24d06
SHA256: 97a5e19b773489a655540bcdfdec5f72e7c311dc2386d5682f6f0cb4162b2cff
SHA512: 2d5df76f68814baa07dd2f8d9007d1fd78b0d4af12e7cd7a7bd6e80908c19c9319f8d66dac65169701d3ec8ad7ce3463a3dd42b0c6ff59d99c9fe6a38c654609

\??\Volume{2fb4ccdc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0bca3713-42e8-418a-bb43-dbc0dd6d7ace}_OnDiskSnapshotProp
Filesize: 5KB
MD5: 82808d8bb34521fea3d6927f56e05b88
SHA1: 74447d0b56cea70c80740724217eac14af89e037
SHA256: 15f9761b6a89e52bbe6bb4c328c074ea4f0e58269ae0f38c149148927be2e943
SHA512: 7dc65fb8b7f24463367ba3abc2860463c391a40039bc3cc0219ac7cf7b978488cf6bd8a80ef43d58ef96c87eb1f8db0cdd5dca1e97b5517c80454e9a8a98452b