Analysis
- max time kernel: 508s
- max time network: 511s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-01-2023 23:40

Static task: static1
Behavioral task: behavioral1 (Sample: AnyDeskAPP.msi; Resource: win10-20220901-en)
Behavioral task: behavioral2 (Sample: AnyDeskAPP.msi; Resource: win10v2004-20221111-en)

General
- Target: AnyDeskAPP.msi
- Size: 1.4MB
- MD5: 4e4a4a4eb6a77d72af83b2bbd0698593
- SHA1: dbaeba54fcae50acc36565d0f61ad73df6df7d45
- SHA256: 58e9f60d0b951029578cc1054668bfee2f00cfa029cfbd01ea65c7f61713a40a
- SHA512: 69785dadc878bd1178672a8f08590eeccd268b4fd2107ae3909e59fba03e7cfa425f690580dfcfa1f5ec3e494e5ef0b7232a16a26c8fbf734ef3887da4044ccb
- SSDEEP: 24576:Y+rwxLNjY3Wx0ECIgYmfLVYeBZrWAv12h2SekeUuyZD6lvs0zqa3:TrMjYMZKumZrWAWTreUuyZD6lvVz9

Malware Config
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exe
flow | pid | process
44 | 4432 | powershell.exe

Loads dropped DLL 5 IoCs
Processes:
MsiExec.exe
pid | process
4992 | MsiExec.exe
4992 | MsiExec.exe
4992 | MsiExec.exe
4992 | MsiExec.exe
4992 | MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exe, msiexec.exe
description | ioc | process
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe

Drops file in Windows directory 13 IoCs
Processes:
msiexec.exe
description | ioc | process
File opened for modification | C:\Windows\Installer\MSI38F2.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3B85.tmp | msiexec.exe
File opened for modification | C:\Windows\Installer\ | msiexec.exe
File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
File created | C:\Windows\Installer\SourceHash{E9FCC84B-1149-4C5D-B073-66A342F5B861} | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3C80.tmp | msiexec.exe
File created | C:\Windows\Installer\e573894.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e573894.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3B65.tmp | msiexec.exe
File created | C:\Windows\Installer\e573897.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3DE9.tmp | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI3AD7.tmp | msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe

Modifies data under HKEY_USERS 5 IoCs
Processes:
msiexec.exe
description | ioc | process
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f | msiexec.exe
Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F | msiexec.exe
Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20 | msiexec.exe

Modifies registry class 27 IoCs
Processes:
msiexec.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Products\B48CCF9E9411D5C40B37663A245F8B16\SourceList | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B48CCF9E9411D5C40B37663A245F8B16 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B48CCF9E9411D5C40B37663A245F8B16\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Products\B48CCF9E9411D5C40B37663A245F8B16 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B48CCF9E9411D5C40B37663A245F8B16\SourceList\Net | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B48CCF9E9411D5C40B37663A245F8B16\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\77F933B46D1B7E843A3263A3FC358A51\B48CCF9E9411D5C40B37663A245F8B16 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B48CCF9E9411D5C40B37663A245F8B16\Language = "1046" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\77F933B46D1B7E843A3263A3FC358A51 | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B48CCF9E9411D5C40B37663A245F8B16\Assignment = "1" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B48CCF9E9411D5C40B37663A245F8B16\SourceList | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B48CCF9E9411D5C40B37663A245F8B16 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B48CCF9E9411D5C40B37663A245F8B16\SourceList\PackageName = "AnyDeskAPP.msi" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B48CCF9E9411D5C40B37663A245F8B16\MainFeature | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B48CCF9E9411D5C40B37663A245F8B16\ProductName = "AnyDesk" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B48CCF9E9411D5C40B37663A245F8B16\AdvertiseFlags = "388" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B48CCF9E9411D5C40B37663A245F8B16\AuthorizedLUAApp = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B48CCF9E9411D5C40B37663A245F8B16 | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B48CCF9E9411D5C40B37663A245F8B16\PackageCode = "7A53F5C34D4FDEE41A79AB069A0CCD7B" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B48CCF9E9411D5C40B37663A245F8B16\InstanceType = "0" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B48CCF9E9411D5C40B37663A245F8B16\SourceList\Net | msiexec.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B48CCF9E9411D5C40B37663A245F8B16\Clients = 3a0000000000 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B48CCF9E9411D5C40B37663A245F8B16\SourceList | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B48CCF9E9411D5C40B37663A245F8B16\Version = "16777216" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B48CCF9E9411D5C40B37663A245F8B16\DeploymentFlags = "3" | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\77F933B46D1B7E843A3263A3FC358A51 | msiexec.exe
Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B48CCF9E9411D5C40B37663A245F8B16 | msiexec.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
msiexec.exe, powershell.exe
pid | process
3364 | msiexec.exe
3364 | msiexec.exe
4432 | powershell.exe
4432 | powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exe, msiexec.exe, vssvc.exe
description | pid | process
Token: SeShutdownPrivilege | 4712 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4712 | msiexec.exe
Token: SeSecurityPrivilege | 3364 | msiexec.exe
Token: SeCreateTokenPrivilege | 4712 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4712 | msiexec.exe
Token: SeLockMemoryPrivilege | 4712 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4712 | msiexec.exe
Token: SeMachineAccountPrivilege | 4712 | msiexec.exe
Token: SeTcbPrivilege | 4712 | msiexec.exe
Token: SeSecurityPrivilege | 4712 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4712 | msiexec.exe
Token: SeLoadDriverPrivilege | 4712 | msiexec.exe
Token: SeSystemProfilePrivilege | 4712 | msiexec.exe
Token: SeSystemtimePrivilege | 4712 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4712 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4712 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4712 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4712 | msiexec.exe
Token: SeBackupPrivilege | 4712 | msiexec.exe
Token: SeRestorePrivilege | 4712 | msiexec.exe
Token: SeShutdownPrivilege | 4712 | msiexec.exe
Token: SeDebugPrivilege | 4712 | msiexec.exe
Token: SeAuditPrivilege | 4712 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4712 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4712 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4712 | msiexec.exe
Token: SeUndockPrivilege | 4712 | msiexec.exe
Token: SeSyncAgentPrivilege | 4712 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4712 | msiexec.exe
Token: SeManageVolumePrivilege | 4712 | msiexec.exe
Token: SeImpersonatePrivilege | 4712 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4712 | msiexec.exe
Token: SeBackupPrivilege | 3788 | vssvc.exe
Token: SeRestorePrivilege | 3788 | vssvc.exe
Token: SeAuditPrivilege | 3788 | vssvc.exe
Token: SeBackupPrivilege | 3364 | msiexec.exe
Token: SeRestorePrivilege | 3364 | msiexec.exe
Token: SeRestorePrivilege | 3364 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3364 | msiexec.exe
Token: SeRestorePrivilege | 3364 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3364 | msiexec.exe
Token: SeRestorePrivilege | 3364 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3364 | msiexec.exe
Token: SeRestorePrivilege | 3364 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3364 | msiexec.exe
Token: SeRestorePrivilege | 3364 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3364 | msiexec.exe
Token: SeRestorePrivilege | 3364 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3364 | msiexec.exe
Token: SeRestorePrivilege | 3364 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3364 | msiexec.exe
Token: SeRestorePrivilege | 3364 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3364 | msiexec.exe
Token: SeRestorePrivilege | 3364 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3364 | msiexec.exe
Token: SeRestorePrivilege | 3364 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3364 | msiexec.exe
Token: SeRestorePrivilege | 3364 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3364 | msiexec.exe
Token: SeRestorePrivilege | 3364 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3364 | msiexec.exe
Token: SeRestorePrivilege | 3364 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3364 | msiexec.exe
Token: SeRestorePrivilege | 3364 | msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
msiexec.exe
pid | process
4712 | msiexec.exe
4712 | msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs
Processes:
msiexec.exe, MsiExec.exe
description | pid | process | target process
PID 3364 wrote to memory of 3880 | 3364 | msiexec.exe | srtasks.exe
PID 3364 wrote to memory of 3880 | 3364 | msiexec.exe | srtasks.exe
PID 3364 wrote to memory of 4992 | 3364 | msiexec.exe | MsiExec.exe
PID 3364 wrote to memory of 4992 | 3364 | msiexec.exe | MsiExec.exe
PID 3364 wrote to memory of 4992 | 3364 | msiexec.exe | MsiExec.exe
PID 4992 wrote to memory of 4432 | 4992 | MsiExec.exe | powershell.exe
PID 4992 wrote to memory of 4432 | 4992 | MsiExec.exe | powershell.exe
PID 4992 wrote to memory of 4432 | 4992 | MsiExec.exe | powershell.exe

Processes
(child processes are indented under their parent)
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AnyDeskAPP.msi
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 1902D1E48C0D1BD777152DC84CEA3707
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss3E83.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi3E61.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr3E71.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr3E72.txt" -propSep " :<->: " -testPrefix "_testValue."
      Signatures: Blocklisted process makes network request; Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken

Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads