Analysis
  max time kernel: 79s
  max time network: 80s
  platform: windows10-2004_x64
  resource: win10v2004-20220812-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 12-01-2023 11:44
Static task: static1
Behavioral task: behavioral1
  Sample: putty-64bit-0.78-installer.msi
  Resource: win10v2004-20220812-en
General
  Target: putty-64bit-0.78-installer.msi
  Size: 3.5MB
  MD5: 108b432c4dc0a66b657d985e180bec71
  SHA1: 262812d43303b7ddc7c04a1c243172ebe6579f00
  SHA256: e64775374097f1b1c8fd4173f7d5be4305b88cec26a56d003113aff2837ae08e
  SHA512: 5ddb97078b417f22c54dce768564dec58fd92a9c190f7a6cac9c7979a0f136dd439da1d59dd3c088e709433f5c4f79c033abd4b6ca8989d38620c20f4623386e
  SSDEEP: 98304:Ujhyh9EoxGHgBRn8Tg4IDrwRW8FMDMb34+NHC6:UjhyJPR8Tg4IDrwdFMD048
  The page records only the digests of the submitted file; it does not carry the checksum the PuTTY project publishes for this release. Whether this sample is the genuine 0.78 installer or a repackaged one can only be settled by comparing the SHA256 above with that published value.
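The digests above are the only link between the file on an analyst's disk and this report. The following script is an added example, not part of the report page or of the PuTTY project: it streams a file once through all four algorithms the page lists, compares every digest against the report's values in constant time, and distinguishes "same file", "different file" and the case where only some digests agree (a sign the record itself was mangled). The sample bytes it writes are constructed; the real installer is not included, and the vendor's published SHA256 must be supplied by the reader.

```python
import hashlib
import hmac
import os
import tempfile

# Digests recorded on the report page for putty-64bit-0.78-installer.msi.
REPORT_HASHES = {
    "md5": "108b432c4dc0a66b657d985e180bec71",
    "sha1": "262812d43303b7ddc7c04a1c243172ebe6579f00",
    "sha256": "e64775374097f1b1c8fd4173f7d5be4305b88cec26a56d003113aff2837ae08e",
    "sha512": "5ddb97078b417f22c54dce768564dec58fd92a9c190f7a6cac9c7979a0f136dd"
              "439da1d59dd3c088e709433f5c4f79c033abd4b6ca8989d38620c20f4623386e",
}


def digest_file(path, algorithms=("md5", "sha1", "sha256", "sha512"), chunk=1 << 20):
    """Read the file once and feed every requested hash in parallel (fine for multi-MB MSIs)."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashers.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashers.items()}


def compare_to_report(path, report=REPORT_HASHES):
    """Return {algorithm: matched?} for every digest the record carries."""
    actual = digest_file(path, algorithms=tuple(report))
    return {name: hmac.compare_digest(actual[name], report[name].lower()) for name in report}


def verdict(results):
    """Collapse per-algorithm results into one of three outcomes."""
    if all(results.values()):
        return "match"
    if not any(results.values()):
        return "different file"
    return "inconsistent record"  # some digests agree, others do not: the record is corrupt


def write_constructed_sample(data=b"constructed stand-in bytes, not the real installer\n" * 4096):
    """Write constructed bytes to a temp file; returns (path, data). Stand-in for the MSI."""
    fd, path = tempfile.mkstemp(suffix=".msi")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path, data


def demo():
    """Exercise all three outcomes against a constructed file (assumed, not page data)."""
    path, data = write_constructed_sample()
    try:
        own = digest_file(path)
        results = {
            "self": verdict(compare_to_report(path, own)),           # same file: match
            "report": verdict(compare_to_report(path)),              # not the MSI: different file
            "mixed": verdict(compare_to_report(path, {**REPORT_HASHES, "sha256": own["sha256"]})),
            "sha256_ok": own["sha256"] == hashlib.sha256(data).hexdigest(),
        }
    finally:
        os.unlink(path)
    return results


if __name__ == "__main__":
    print(demo())
```

To use it on a real download, call compare_to_report with the installer path and a dict holding the SHA256 from the vendor's checksum file; a "match" against REPORT_HASHES only proves you hold the same bytes the sandbox saw, not that those bytes are the genuine release.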
Malware Config
Signatures
-
Blocklisted process makes network request (4 IoCs)
  msiexec.exe is on the sandbox's list of system binaries that are not expected to originate traffic. All four flows come from the installer client (PID 4496). The CryptnetUrlCache files listed under Downloads are what CryptoAPI writes when it fetches certificate, CRL or OCSP data, which is consistent with certificate-chain checks such as those made when an installer's signature is verified; the Network section of this page is empty, however, so the destinations cannot be confirmed from the report alone.
  flow  pid   process
  5     4496  msiexec.exe
  8     4496  msiexec.exe
  10    4496  msiexec.exe
  14    4496  msiexec.exe
Loads dropped DLL (1 IoC)
  pid   process
  4620  MsiExec.exe
  PID 4620 is the 32-bit custom action server (MsiExec.exe -Embedding, see the process tree). Windows Installer extracts custom-action DLLs from the package to a temporary file and loads them in that process, so a "dropped DLL" load there is expected for any MSI with DLL custom actions. The page does not name the DLL.
Enumerates connected drives (3 TTPs, 48 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes: msiexec.exe (PID 4496), msiexec.exe (PID 1624)
  The 48 IoCs are 24 drive letters, every letter from A: to Z: except C: and D:, each opened read-only once by each of the two msiexec.exe processes. A complete sweep of the alphabet by the installer is what Windows Installer does when it enumerates volumes during costing; it is not the selective probing for removable or network drives that this signature is meant to catch.
  File opened (read-only) \??\A: msiexec.exe (2 IoCs)
  File opened (read-only) \??\B: msiexec.exe (2 IoCs)
  File opened (read-only) \??\E: msiexec.exe (2 IoCs)
  File opened (read-only) \??\F: msiexec.exe (2 IoCs)
  File opened (read-only) \??\G: msiexec.exe (2 IoCs)
  File opened (read-only) \??\H: msiexec.exe (2 IoCs)
  File opened (read-only) \??\I: msiexec.exe (2 IoCs)
  File opened (read-only) \??\J: msiexec.exe (2 IoCs)
  File opened (read-only) \??\K: msiexec.exe (2 IoCs)
  File opened (read-only) \??\L: msiexec.exe (2 IoCs)
  File opened (read-only) \??\M: msiexec.exe (2 IoCs)
  File opened (read-only) \??\N: msiexec.exe (2 IoCs)
  File opened (read-only) \??\O: msiexec.exe (2 IoCs)
  File opened (read-only) \??\P: msiexec.exe (2 IoCs)
  File opened (read-only) \??\Q: msiexec.exe (2 IoCs)
  File opened (read-only) \??\R: msiexec.exe (2 IoCs)
  File opened (read-only) \??\S: msiexec.exe (2 IoCs)
  File opened (read-only) \??\T: msiexec.exe (2 IoCs)
  File opened (read-only) \??\U: msiexec.exe (2 IoCs)
  File opened (read-only) \??\V: msiexec.exe (2 IoCs)
  File opened (read-only) \??\W: msiexec.exe (2 IoCs)
  File opened (read-only) \??\X: msiexec.exe (2 IoCs)
  File opened (read-only) \??\Y: msiexec.exe (2 IoCs)
  File opened (read-only) \??\Z: msiexec.exe (2 IoCs)
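The drive-enumeration signature is the kind of hit worth checking mechanically rather than by eye. The script below is an added example, not code from the report or from PuTTY: it parses the flattened "File opened (read-only)" IoC text, counts hits per drive letter and per process, and applies a simple triage rule that separates a full alphabet sweep by the installer (Windows Installer costing) from a short, selective probe by some other process. The letter sequence is transcribed from the page; the line text around it is rebuilt, and the second, non-installer input is constructed for contrast.

```python
import re
import string
from collections import Counter

# The 48 events from this report, in page order, reduced to their drive letters;
# the surrounding line text is rebuilt to match the page's format (constructed).
PAGE_LETTERS = "FGHKWEFGJTVJLNPZAMPHYVXBERUQTWYLSIIQXOMSZAKRUNOB"
PAGE_TEXT = " ".join(f"File opened (read-only) \\??\\{c}: msiexec.exe" for c in PAGE_LETTERS)

# One event: the NT path \??\X: followed by the process name.
EVENT_RE = re.compile(r"File opened \(read-only\) \\\?\?\\([A-Z]):\s+(\S+)")


def parse_events(text):
    """Return [(drive_letter, process_name), ...] from the flattened IoC text."""
    return EVENT_RE.findall(text)


def summarize(events):
    """Per-letter and per-process counts plus the letters that were never touched."""
    per_letter = Counter(letter for letter, _ in events)
    processes = Counter(proc for _, proc in events)
    missing = sorted(set(string.ascii_uppercase) - set(per_letter))
    return {
        "total": len(events),
        "distinct_letters": len(per_letter),
        "missing": missing,
        "hits_per_letter": per_letter,
        "processes": processes,
    }


def triage(events, full_sweep_min=20):
    """A near-complete A..Z sweep with the same hit count on every letter, done only by
    msiexec.exe, is installer volume enumeration; anything else is flagged for review."""
    s = summarize(events)
    uniform = len(set(s["hits_per_letter"].values())) == 1
    only_installer = set(s["processes"]) <= {"msiexec.exe"}
    if only_installer and uniform and s["distinct_letters"] >= full_sweep_min:
        return "expected: Windows Installer volume enumeration"
    probed = "".join(sorted(s["hits_per_letter"]))
    return f"review: selective drive probing of {probed}: by {sorted(s['processes'])}"


if __name__ == "__main__":
    ev = parse_events(PAGE_TEXT)
    print(summarize(ev)["missing"], triage(ev))
```

Run against the page's events the summary reports 48 hits, 24 distinct letters with C and D missing, two hits per letter, and the triage rule returns "expected"; a constructed pair of hits on E: and F: by another binary comes back as "review".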
Drops file in Program Files directory (10 IoCs)
  Processes: msiexec.exe
  File created C:\Program Files\PuTTY\psftp.exe
  File created C:\Program Files\PuTTY\puttygen.exe
  File created C:\Program Files\PuTTY\website.url
  File created C:\Program Files\PuTTY\LICENCE
  File created C:\Program Files\PuTTY\pageant.exe
  File created C:\Program Files\PuTTY\plink.exe
  File created C:\Program Files\PuTTY\pscp.exe
  File created C:\Program Files\PuTTY\putty.exe
  File created C:\Program Files\PuTTY\README.txt
  File created C:\Program Files\PuTTY\putty.chm
Drops file in Windows directory (8 IoCs)
  Processes: msiexec.exe
  File created C:\Windows\Installer\inprogressinstallinfo.ipi
  File created C:\Windows\Installer\SourceHash{4EEF2644-700F-46F8-9655-915145248986}
  File opened for modification C:\Windows\Installer\MSID438.tmp
  File created C:\Windows\Installer\e57d11d.msi
  File created C:\Windows\Installer\e57d11b.msi
  File opened for modification C:\Windows\Installer\e57d11b.msi
  File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
  File opened for modification C:\Windows\Installer\
  C:\Windows\Installer is the Windows Installer service's own cache: the .msi files there are its copy of the package, and the SourceHash{GUID} file is keyed by the package's ProductCode. These writes are made by every MSI install and carry no signal on their own; the ProductCode is useful for matching this package against an inventory.
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments. That generic description does not fit this instance: the process is vssvc.exe, the Volume Shadow Copy service, which was started because the install requested a System Restore point (srtasks.exe ExecuteScopeRestorePoint in the process tree), and the values it writes under Device Parameters\Partmgr are the partition-manager caches maintained while a snapshot is taken (the SnapshotDataCache data begins with the ASCII tag "SNAPPART", 534e4150504152 54). Treat the hit as restore-point activity, not as evasion.
  Processes: vssvc.exe
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
  Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters
  Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr
  Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value not captured on this page)
  Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Modifies registry class (14 IoCs)
  Processes: msiexec.exe
  All keys are under \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes, written as <Classes> below. Together they register the .ppk extension (PuTTY private key files) with a ProgId whose "open" verb loads the key into Pageant and whose "edit" verb opens it in PuTTYgen; both commands point at the binaries dropped under C:\Program Files\PuTTY. Check that the command targets match the install directory when reviewing an association like this, since a ProgId whose verb points elsewhere is how file-type hijacks look.
  Key created <Classes>\.ppk
  Set value (str) <Classes>\.ppk\ = "PPK_Assoc_ProgId"
  Set value (str) <Classes>\.ppk\Content Type = "application/x-putty-private-key"
  Key created <Classes>\PPK_Assoc_ProgId
  Set value (str) <Classes>\PPK_Assoc_ProgId\ = "PuTTY Private Key File"
  Key created <Classes>\PPK_Assoc_ProgId\shell
  Key created <Classes>\PPK_Assoc_ProgId\shell\open
  Set value (str) <Classes>\PPK_Assoc_ProgId\shell\open\ = "Load into Pageant"
  Key created <Classes>\PPK_Assoc_ProgId\shell\open\command
  Set value (str) <Classes>\PPK_Assoc_ProgId\shell\open\command\ = "\"C:\\Program Files\\PuTTY\\pageant.exe\" \"%1\""
  Key created <Classes>\PPK_Assoc_ProgId\shell\edit
  Set value (str) <Classes>\PPK_Assoc_ProgId\shell\edit\ = "Edit with PuTTYgen"
  Key created <Classes>\PPK_Assoc_ProgId\shell\edit\command
  Set value (str) <Classes>\PPK_Assoc_ProgId\shell\edit\command\ = "\"C:\\Program Files\\PuTTY\\puttygen.exe\" \"%1\""
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   process
  1624  msiexec.exe
  1624  msiexec.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: msiexec.exe (PID 4496), msiexec.exe (PID 1624)
  PID 1624: SeSecurityPrivilege
  PID 4496, in page order: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, then the following run of 29 privileges twice in full: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege; a third pass is cut off by the 64-entry listing after SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege.
  Walking the entire privilege list, rather than asking for SeDebugPrivilege alone, is the pattern of a process enabling whatever its token already holds. AdjustTokenPrivileges can only enable privileges the token was created with, so this sequence does not raise the installer client beyond the rights its user already had; the single SeSecurityPrivilege request from the service instance (1624) is the more targeted one.
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   process
  4496  msiexec.exe
  4496  msiexec.exe
Suspicious use of WriteProcessMemory (5 IoCs)
  PID 1624 (msiexec.exe) wrote to memory of PID 4620 (MsiExec.exe), 3 IoCs
  PID 1624 (msiexec.exe) wrote to memory of PID 2428 (srtasks.exe), 2 IoCs
  Both targets are children the Installer service itself started (see the process tree). A parent writing into a process it has just created is routinely recorded during ordinary process creation and, on its own, is not evidence of injection; the finding would matter if the target were a process msiexec did not create.
Processes
  The depth markers on the original page (1⤵, 2⤵) are rendered here as indentation. PIDs 4620 and 2428 are children of the service instance 1624, which the WriteProcessMemory entries confirm, while the client, the service and vssvc.exe are separate top-level processes.
  C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\putty-64bit-0.78-installer.msi
    PID: 4496 (installer client, launched for the submitted package)
    - Blocklisted process makes network request
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
  C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    PID: 1624 (the Windows Installer service, which performs the actual install)
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 3B64296821445F2EF262C79AED053DFE C
      PID: 4620 (32-bit custom action server spawned by the service; the SysWOW64 path means the package's custom action DLL is 32-bit)
      - Loads dropped DLL
    C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 2428 (System Restore point requested by the install)
  C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    PID: 4412 (Volume Shadow Copy service, started to take the restore-point snapshot)
    - Checks SCSI registry key(s)
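Every process in this tree has a known Windows Installer role, and what would make a tree like this worth escalating is a child of msiexec.exe that does not. The script below is an added example written for this page, not code from the report or from PuTTY: it carries the tree above as structured records, labels each process by role, and flags any child of msiexec.exe that is neither a custom action server nor the restore-point task running from a system directory. The two extra processes in SUSPECT_TREE (a shell under the service and an "-Embedding" server running from C:\Users\Public) are constructed negatives and do not appear on the page.

```python
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

# Process tree transcribed from this report; parent links follow the page's nesting
# (the WriteProcessMemory entries confirm that 1624 created 4620 and 2428).
REPORT_TREE = [
    Proc(4496, None, r"C:\Windows\system32\msiexec.exe",
         r"msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\putty-64bit-0.78-installer.msi"),
    Proc(1624, None, r"C:\Windows\system32\msiexec.exe", r"C:\Windows\system32\msiexec.exe /V"),
    Proc(4620, 1624, r"C:\Windows\syswow64\MsiExec.exe",
         r"C:\Windows\syswow64\MsiExec.exe -Embedding 3B64296821445F2EF262C79AED053DFE C"),
    Proc(2428, 1624, r"C:\Windows\system32\srtasks.exe",
         r"C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2"),
    Proc(4412, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

# Constructed negative cases (not on the page): a shell spawned by the service, and an
# "-Embedding" server running from a user-writable directory.
SUSPECT_TREE = REPORT_TREE + [
    Proc(5000, 1624, r"C:\Windows\system32\cmd.exe", r"cmd.exe /c whoami"),
    Proc(5001, 1624, r"C:\Users\Public\MsiExec.exe",
         r"C:\Users\Public\MsiExec.exe -Embedding 0123456789ABCDEF0123456789ABCDEF"),
]

# Custom action server command line: MsiExec.exe -Embedding <32 hex chars> [C]
EMBEDDING_RE = re.compile(r"^(?:\S+\\)?MsiExec\.exe -Embedding [0-9A-F]{32}( C)?$", re.IGNORECASE)
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_msiexec(p):
    return p.image.lower().endswith("\\msiexec.exe")


def role(p):
    """Label a process by the part Windows Installer normally gives it."""
    img, cmd = p.image.lower(), p.cmdline
    if img.endswith("\\msiexec.exe"):
        if cmd.lower().endswith(" /v"):
            return "Windows Installer service"
        if EMBEDDING_RE.match(cmd):
            return "custom action server (%s)" % ("32-bit" if "\\syswow64\\" in img else "64-bit")
        if " /i " in cmd.lower():
            return "installer client"
        return "msiexec (other)"
    if img.endswith("\\srtasks.exe"):
        return "System Restore point task"
    if img.endswith("\\vssvc.exe"):
        return "Volume Shadow Copy service"
    return "unknown"


def expected_child(child):
    """A child of msiexec.exe is expected only if it is a custom action server or the
    restore-point task, and only when it runs from a system directory."""
    img = child.image.lower()
    if not img.startswith(TRUSTED_DIRS):
        return False
    if img.endswith("\\msiexec.exe"):
        return bool(EMBEDDING_RE.match(child.cmdline))
    if img.endswith("\\srtasks.exe"):
        return "ExecuteScopeRestorePoint" in child.cmdline
    return False


def find_anomalies(tree):
    """One finding per process spawned by msiexec.exe that is not an expected child."""
    by_pid = {p.pid: p for p in tree}
    findings = []
    for p in tree:
        parent = by_pid.get(p.ppid)
        if parent is not None and is_msiexec(parent) and not expected_child(p):
            findings.append(f"pid {p.pid} {p.image} spawned by msiexec pid {parent.pid}: {p.cmdline}")
    return findings


if __name__ == "__main__":
    for p in REPORT_TREE:
        print(p.pid, role(p))
    print(find_anomalies(REPORT_TREE))   # [] for the tree on this page
    print(find_anomalies(SUSPECT_TREE))  # two findings for the constructed additions
```

The rule is deliberately narrow: it trusts only the two child types the Installer service is documented to create, and it checks the image path as well as the name, because a renamed binary in a user-writable directory would otherwise pass on its command line alone.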
Network
MITRE ATT&CK Enterprise v6
Downloads
  The CryptnetUrlCache\Content files are CryptoAPI's on-disk cache of URL retrievals (certificate, CRL and OCSP fetches). Each Content file is paired with a MetaData file of the same name that records the URL it was fetched from and the response headers, so the endpoints behind the blocklisted network requests can be recovered from those MetaData files even though the Network section of this page is empty. Three entries are listed without a path on the page and are kept that way here. The _OnDiskSnapshotProp file under System Volume Information\SPP belongs to the restore point created during the install.

  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
    Filesize: 765B
    MD5: 699cd7cab884d69fa42884d852483961
    SHA1: 5bfb5fe2a9988b4449de9cc8a6ca20ef77aad022
    SHA256: 521700f06a433941ed57f75a86bf74bf5431375c31e8088c8cbefdff49def725
    SHA512: b6635cb845e39b8b87ce9b305ff88a0e6d414723241c15edfa3d6dcd5b788fd1d9e3979dcb967c9b14f9ac87d72075dc0871834faf73099d9d10a116ed3546e6

  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_383EB3891E16580A90C892D349C28A00
    Filesize: 638B
    MD5: 2aaca6b5a6015dda41e8ba05168e6ee0
    SHA1: 5a6183aeb39d8dde39c8ee6e1400a3045a94cdf6
    SHA256: f59cfc6b9822da316d7cb2aee7da2208cefae024de2951e3790b16630137d5fd
    SHA512: e285d7f0548d34b31781a491ba8cf9d656cd7ea0790735e9921d1a998a387eb2c1bf0f261d1dfdcca3ba78664712af77372a1793884d41cec242564fd2d30772

  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
    Filesize: 1KB
    MD5: 636b10c20ef4ece80aa28183d44eb72a
    SHA1: 903ac629ffd221da3485450a677f23333353d679
    SHA256: c11395b80919741a4e6e9af0fe297ac35a455f5b1ed99c252b30acd20fe34313
    SHA512: c3a636ca3740eb7c30255e880af573efab6629b7fc65d76f0a7632039f90b7af03fd696204119c9b81837b026037e9025b9a4a979874e849dca21dda1ad5098b

  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB
    Filesize: 484B
    MD5: 2e3073c69a8e4424dd0f7663ccef81cd
    SHA1: b9e80d06ccfccb2409970fc042665519ead18e05
    SHA256: 1bb5ec37287b8d3ecc2840a4cfc65fdf21de4b2f1eede25f2095f479994cfe23
    SHA512: c751453127f8caf019b48724eb9b0986b1e4f0e801948cfb515bdc694571ed848e384f1cfe336f61e2472a60568f41bb3b704201b40ed3d6baf8c4fe7632c7bc

  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_383EB3891E16580A90C892D349C28A00
    Filesize: 488B
    MD5: 46a31bd5315a990c1cf274bff2a60159
    SHA1: 0d68354df3e7b7f1f89032aa6841c9d12d31bb4a
    SHA256: 7a45bf46062df1e28f7dfa9ba2053bfcafed6b63621e677e9e290cf4daffa650
    SHA512: 434aa81db9de4183fa3788345c1d10f7ac7b3618b6bd0dc8ec3ae79892a5b137b2834e1b832b3cb66f721a60eaeb565b7259ceeef55134243bd581ff2ca2e7f6

  C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F
    Filesize: 482B
    MD5: 3f46ae747e82043e3f73deb994c0b7de
    SHA1: d185b42d079b4fada026e215e6fe4eadca38fdbd
    SHA256: a7d8878c48bca660cb46b1d52e506a0743c6e62f45cd84ab486b2845a002825f
    SHA512: a1e0e33c6311029affc48b6eff942ead3c2307ea670da4a00489ff380cc744d26acd41c1e69d2b7cdc04b09ff8f751a1cac26d0b139d8dacb8f48b3528676c5b

  (path not shown on the page)
    Filesize: 102KB
    MD5: d9ac1b56edf330a6eb7894ab293f14f6
    SHA1: 022d8944e3927fff2b330dab54716ddcbb366d16
    SHA256: 097f1c3f27b18010448d77e3f70c4d9f774cb9c5ab435c62baa1c00e4cadd5ef
    SHA512: e434410e2b2c2bb1fba4f3fc7c277b978c45b1df1d3c3994d6dc1530558393d7d42a713506bf95d013b2e40e9da36fd3e588fea8d8dc062a24ad931e4d76c328

  (path not shown on the page; same content as the previous entry)
    Filesize: 102KB
    MD5: d9ac1b56edf330a6eb7894ab293f14f6
    SHA1: 022d8944e3927fff2b330dab54716ddcbb366d16
    SHA256: 097f1c3f27b18010448d77e3f70c4d9f774cb9c5ab435c62baa1c00e4cadd5ef
    SHA512: e434410e2b2c2bb1fba4f3fc7c277b978c45b1df1d3c3994d6dc1530558393d7d42a713506bf95d013b2e40e9da36fd3e588fea8d8dc062a24ad931e4d76c328

  (path not shown on the page)
    Filesize: 23.0MB
    MD5: bbabce2625341990a25a4de6d28335ee
    SHA1: 3b1ab69f3841ceeafc7918db8f775c3e2499952b
    SHA256: e55d29e172bd43d012ba0af72919ecfffb79f7c1e25beb31f46cfb89ec0ef2af
    SHA512: 7ba2b8b0f5f4534cb8a5733c21e698f5cdb90f1d2e396953053c0ba4d074233a339ad7d4be3c8554431b847516b5ad4c970fc62b72f566ba97dbd7d187e8e1cd

  \??\Volume{5d2b4a7c-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4152331e-8877-4cbe-befe-ebad1ebbc7c5}_OnDiskSnapshotProp
    Filesize: 5KB
    MD5: ecdea1ccf3144a359172302fab11128e
    SHA1: d85cccce94b4e293149ed28a5788090b69139e96
    SHA256: 215879b6f8938ce83c0b667acf3d5a8f25fc4ea3fe8e7565e076d2f571784fc1
    SHA512: 81c1373bd4249b0d6d33a1fba2000f2cce4f90e9d419a06a4d8bc1aac168e12bc13101747bb07826e86f17bcadc2629361e93b9f1577a847876f9d64e37446c9