1c2df64413c29b713cd02d9bf4cab3531044b2fa6b3f47e29b9ecdbe769fde86

Analysis

max time kernel
137s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20231023-en
resource tags

arch:x64arch:x86image:win10v2004-20231023-enlocale:en-usos:windows10-2004-x64system
submitted
04-11-2023 02:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UsbDk_1.0.22_x64.msi
Size

6.1MB
MD5

163a9d11b9fdec29027abc090059c08d
SHA1

5df419114f2697c053b3cff414950eb5166ecbf2
SHA256

91f6f695e1e13c656024e6d3b55620bf08d8835ef05ee0496935ba6bb62466a5
SHA512

9e80cad0be81e13827f7cba3d44ef23847bca0d2c8c1663c75a833e8f26dacb626d69b7ee9b8191111847996a034daf181756ca07b5956058a07856bbcaedaf0
SSDEEP

196608:A3yzLWzWg+LC2dVZyL0MU6diS+fWe7/00la:sHz/2dKL7jdiPOe7/00

Score

8^/10

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\Drivers\UsbDk.sys	UsbDkInstHelper.exe
File opened for modification	C:\Windows\System32\Drivers\UsbDk.sys	UsbDkInstHelper.exe

Executes dropped EXE 1 IoCs

pid	Process
3016	UsbDkInstHelper.exe

Loads dropped DLL 3 IoCs

pid	Process
3016	UsbDkInstHelper.exe
3016	UsbDkInstHelper.exe
3016	UsbDkInstHelper.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
11	2280	msiexec.exe
13	2280	msiexec.exe
15	2280	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\UsbDk Runtime Library\UsbDk.tmf	msiexec.exe
File created	C:\Program Files\UsbDk Runtime Library\UsbDkController.exe	msiexec.exe
File created	C:\Program Files\UsbDk Runtime Library\UsbDkHelper.dll	msiexec.exe
File created	C:\Program Files\UsbDk Runtime Library\UsbDkInstHelper.exe	msiexec.exe
File created	C:\Program Files\UsbDk Runtime Library\WdfCoinstaller01011.dll	msiexec.exe
File created	C:\Program Files\UsbDk Runtime Library\UsbDkHelper_x86.dll	msiexec.exe
File created	C:\Program Files\UsbDk Runtime Library\UsbDk.inf	msiexec.exe
File created	C:\Program Files\UsbDk Runtime Library\UsbDk.sys	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSID164.tmp	msiexec.exe
File opened for modification	C:\Windows\setupact.log	UsbDkInstHelper.exe
File opened for modification	C:\Windows\setuperr.log	UsbDkInstHelper.exe
File opened for modification	C:\Windows\Installer\e58cea5.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6D4A6ED0-CF41-4615-A4B3-BDA018C3C1CD}	msiexec.exe
File created	C:\Windows\Installer\e58cea5.msi	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000064ad0c2742b1dab0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000064ad0c20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900064ad0c2000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d064ad0c2000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000064ad0c200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1b	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1A\52C64B7E	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2716	msiexec.exe
2716	msiexec.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
680	Process not Found

Suspicious use of AdjustPrivilegeToken 57 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2280	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2280	msiexec.exe
Token: SeSecurityPrivilege	2716	msiexec.exe
Token: SeCreateTokenPrivilege	2280	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2280	msiexec.exe
Token: SeLockMemoryPrivilege	2280	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2280	msiexec.exe
Token: SeMachineAccountPrivilege	2280	msiexec.exe
Token: SeTcbPrivilege	2280	msiexec.exe
Token: SeSecurityPrivilege	2280	msiexec.exe
Token: SeTakeOwnershipPrivilege	2280	msiexec.exe
Token: SeLoadDriverPrivilege	2280	msiexec.exe
Token: SeSystemProfilePrivilege	2280	msiexec.exe
Token: SeSystemtimePrivilege	2280	msiexec.exe
Token: SeProfSingleProcessPrivilege	2280	msiexec.exe
Token: SeIncBasePriorityPrivilege	2280	msiexec.exe
Token: SeCreatePagefilePrivilege	2280	msiexec.exe
Token: SeCreatePermanentPrivilege	2280	msiexec.exe
Token: SeBackupPrivilege	2280	msiexec.exe
Token: SeRestorePrivilege	2280	msiexec.exe
Token: SeShutdownPrivilege	2280	msiexec.exe
Token: SeDebugPrivilege	2280	msiexec.exe
Token: SeAuditPrivilege	2280	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2280	msiexec.exe
Token: SeChangeNotifyPrivilege	2280	msiexec.exe
Token: SeRemoteShutdownPrivilege	2280	msiexec.exe
Token: SeUndockPrivilege	2280	msiexec.exe
Token: SeSyncAgentPrivilege	2280	msiexec.exe
Token: SeEnableDelegationPrivilege	2280	msiexec.exe
Token: SeManageVolumePrivilege	2280	msiexec.exe
Token: SeImpersonatePrivilege	2280	msiexec.exe
Token: SeCreateGlobalPrivilege	2280	msiexec.exe
Token: SeBackupPrivilege	4676	vssvc.exe
Token: SeRestorePrivilege	4676	vssvc.exe
Token: SeAuditPrivilege	4676	vssvc.exe
Token: SeBackupPrivilege	2716	msiexec.exe
Token: SeRestorePrivilege	2716	msiexec.exe
Token: SeRestorePrivilege	2716	msiexec.exe
Token: SeTakeOwnershipPrivilege	2716	msiexec.exe
Token: SeRestorePrivilege	2716	msiexec.exe
Token: SeTakeOwnershipPrivilege	2716	msiexec.exe
Token: SeLoadDriverPrivilege	3016	UsbDkInstHelper.exe
Token: SeLoadDriverPrivilege	3016	UsbDkInstHelper.exe
Token: 33	4020	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4020	AUDIODG.EXE
Token: SeBackupPrivilege	2800	srtasks.exe
Token: SeRestorePrivilege	2800	srtasks.exe
Token: SeSecurityPrivilege	2800	srtasks.exe
Token: SeTakeOwnershipPrivilege	2800	srtasks.exe
Token: SeBackupPrivilege	2800	srtasks.exe
Token: SeRestorePrivilege	2800	srtasks.exe
Token: SeSecurityPrivilege	2800	srtasks.exe
Token: SeTakeOwnershipPrivilege	2800	srtasks.exe
Token: SeRestorePrivilege	2716	msiexec.exe
Token: SeTakeOwnershipPrivilege	2716	msiexec.exe
Token: SeRestorePrivilege	2716	msiexec.exe
Token: SeTakeOwnershipPrivilege	2716	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2280	msiexec.exe
2280	msiexec.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2716 wrote to memory of 2800	2716	msiexec.exe	107
PID 2716 wrote to memory of 2800	2716	msiexec.exe	107
PID 2716 wrote to memory of 3016	2716	msiexec.exe	109
PID 2716 wrote to memory of 3016	2716	msiexec.exe	109

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\UsbDk_1.0.22_x64.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2280

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2800
- C:\Program Files\UsbDk Runtime Library\UsbDkInstHelper.exe
  "C:\Program Files\UsbDk Runtime Library\\UsbDkInstHelper.exe" i
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:3016

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4676

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x500 0x4b0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\UsbDk Runtime Library\UsbDk.inf

Filesize
301B

MD5
701e82189769259b5062f48e187b2545

SHA1
93250a3e4100b42b1de8d31b71c1986a340ca9ff

SHA256
54a523c3203d77def6a190c7ffcfab6c029b299d8c3aa5bdbae78564ed2f9ee0

SHA512
7a3a459f1ee21a7fded9ebae2fdb020753ec3416134e058bf62ae227b6d9c29e22bee36f0919ad3c590d0b1059ec5f3507cbfa6663ccd06314af0b86a542c1ed

Download Submit
C:\Program Files\UsbDk Runtime Library\UsbDk.sys

Filesize
100KB

MD5
796e14ba5e0b677ef929e2a55019c287

SHA1
622bf97115371a762645e34d2432efd3e29f4f14

SHA256
c92b6c15bd550023312ae4cfe49a39757952a3c2ebdc7d1d143ac5e695f69a63

SHA512
02162af2e6115f3939f354b0b6b4cc5b0e5ec0a4a3ecf53a84e7ab227e704131fe40c2ebfb7eb8091753147f709ad8fff9f794db0031aa1a660641587719f65c

Download Submit
C:\Program Files\UsbDk Runtime Library\UsbDkHelper.dll

Filesize
328KB

MD5
50f68e9051061cb821bcdbbd11390870

SHA1
41a1f652b31557727e9ace85826d1440c437883a

SHA256
66bbfe6f99b417f97c7a9e97816e24af7dde0e01b8e535c41e91e1c6c19cfeda

SHA512
453fcc2bf3b92a6c90d3b3b0ebb8aeb8ea6cc7825edc093692cca91387a52ee76862e746154a5f4912a549c5a2fdc0587a6b0697ebd30fa0657871848c34900a

Download Submit
C:\Program Files\UsbDk Runtime Library\UsbDkHelper.dll

Filesize
328KB

MD5
50f68e9051061cb821bcdbbd11390870

SHA1
41a1f652b31557727e9ace85826d1440c437883a

SHA256
66bbfe6f99b417f97c7a9e97816e24af7dde0e01b8e535c41e91e1c6c19cfeda

SHA512
453fcc2bf3b92a6c90d3b3b0ebb8aeb8ea6cc7825edc093692cca91387a52ee76862e746154a5f4912a549c5a2fdc0587a6b0697ebd30fa0657871848c34900a

Download Submit
C:\Program Files\UsbDk Runtime Library\UsbDkInstHelper.exe

Filesize
96KB

MD5
984cdff8ffd93b129fb353f364b71523

SHA1
ffa3047971dddabca4c79aa5fec9fea48dac78f8

SHA256
b1a2c002850bfb6d886a3cf1da17404b795a733dca884c686f9f85920ccc0f21

SHA512
b6606dc26d0d3e9b474c0dd811ab95fe15a7ed2a55a646f622ed3cb6d1bac3a3a3eac190a5f1b8b3e20d61686249b3153e21f40632d8d96e24359d6f097dafc3

Download Submit
C:\Program Files\UsbDk Runtime Library\UsbDkInstHelper.exe

Filesize
96KB

MD5
984cdff8ffd93b129fb353f364b71523

SHA1
ffa3047971dddabca4c79aa5fec9fea48dac78f8

SHA256
b1a2c002850bfb6d886a3cf1da17404b795a733dca884c686f9f85920ccc0f21

SHA512
b6606dc26d0d3e9b474c0dd811ab95fe15a7ed2a55a646f622ed3cb6d1bac3a3a3eac190a5f1b8b3e20d61686249b3153e21f40632d8d96e24359d6f097dafc3

Download Submit
C:\Program Files\UsbDk Runtime Library\WdfCoInstaller01011.dll

Filesize
1.7MB

MD5
d10864c1730172780c2d4be633b9220a

SHA1
b85d02ba0e8de4aeded1a2f5679505cd403bd201

SHA256
f6fb39a8578f19616570d5a3dc7212c84a9da232b30a03376bbf08f4264fedf2

SHA512
c161bfa9118e04eb60a885bf99758843c4b1349ac58d2e501dabbd7efc0480ec902ac9a2be16f850b218e97b022a90fcc44925d7b6e5113766621f7ade38b040

Download Submit
C:\Program Files\UsbDk Runtime Library\WdfCoinstaller01011.dll

Filesize
1.7MB

MD5
d10864c1730172780c2d4be633b9220a

SHA1
b85d02ba0e8de4aeded1a2f5679505cd403bd201

SHA256
f6fb39a8578f19616570d5a3dc7212c84a9da232b30a03376bbf08f4264fedf2

SHA512
c161bfa9118e04eb60a885bf99758843c4b1349ac58d2e501dabbd7efc0480ec902ac9a2be16f850b218e97b022a90fcc44925d7b6e5113766621f7ade38b040

Download Submit
C:\Program Files\UsbDk Runtime Library\WdfCoinstaller01011.dll

Filesize
1.7MB

MD5
d10864c1730172780c2d4be633b9220a

SHA1
b85d02ba0e8de4aeded1a2f5679505cd403bd201

SHA256
f6fb39a8578f19616570d5a3dc7212c84a9da232b30a03376bbf08f4264fedf2

SHA512
c161bfa9118e04eb60a885bf99758843c4b1349ac58d2e501dabbd7efc0480ec902ac9a2be16f850b218e97b022a90fcc44925d7b6e5113766621f7ade38b040

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1401C7EC8E96BC79CBFD92F9DF762D_5398732881722BDE3E78D6CA6BB2B78B

Filesize
1KB

MD5
510e4daf683ed4456658b80740c8ec11

SHA1
012983eaf608e1097855e7cabee86dba215b344f

SHA256
5ca294c68a35157c446e9d2dc5987d7736017500c002dd99c087ed13076e5b78

SHA512
727f3c741c2e1fca3582dc73afa394a7f14c0519c3feb714796915a373330cc7b0a0b777df9aba9a50ea59fd6e062bf5982365c908060bbb623b61f875144b60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CDE89F9DCB25D8AC547E3CEFDA4FB6C2_0B8D2F2AE9116DAEFA3CA328805C1EB0

Filesize
1KB

MD5
06932d596182f7e83d0ea75e71b8b8f5

SHA1
3fe312cde2828a2941f6694cccddb07d511c02ca

SHA256
ed25df7660fda94e9a02680b7f844502826af8a8e365ef146f7308b64cf1193c

SHA512
348537344c2a30b9c4b76d5e938112dabdabc01baa6743b1ac8651d89b52bd71510ff83034f121b3e603b8b1424f84af465996b2d308036e709eeeb8e68cb39d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1B1401C7EC8E96BC79CBFD92F9DF762D_5398732881722BDE3E78D6CA6BB2B78B

Filesize
388B

MD5
cc7350c78276e65f13febc72b3481e39

SHA1
2dbf415d6216683d44b8b1e931cec35ecb550349

SHA256
67444ea983264bc9dede2b76b88ff6ff436cbd4e72bfa3bab5f9319c5fd0a5fc

SHA512
d815f84e644373682d3b9278e8ce6a8696a664275156b2c709fe650e2707c68f7325aee1fa06293f5e42acfff2fd2282eff54aefb5e6af45aae2646260d81078

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CDE89F9DCB25D8AC547E3CEFDA4FB6C2_0B8D2F2AE9116DAEFA3CA328805C1EB0

Filesize
390B

MD5
750a7920f35f2652340715ae4a8f2275

SHA1
b531f882f752104c4b920069ba539b8612ba748f

SHA256
8c143ddf9d40bf1f7915a321f72bc33d6a63612933b1f8fb97dc6db451fad30c

SHA512
adce77c4eaa202cd91f05b2590ea397133f81bfb99516b14b068a97e3f94cdc479b6e01f0b06b9abba431bc5c461c042e4cb222485af49c4f9eade1f6fc9d2aa

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
5265b56256f3ce3561c2d47fd56319a1

SHA1
151e16da827a569e1446960510a0702cb42780c5

SHA256
d7a46da267461753c9f7cda77fd7e4a80c88fecbe9d6099967b281a2e0125de4

SHA512
8afff31ff4f2ebfb308edf6957009cad67bf5135df69c9642b8ecd3790c3eb7984b7be248e6cfbe316c0cca8466c18fc74469e168d8c8392fe78a5102a4ec102

Download Submit
\??\Volume{c2d04a06-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d1311409-5433-4410-ae1c-61e07780521c}_OnDiskSnapshotProp

Filesize
5KB

MD5
8c150ed039ae30aa64aaf78c59aa7f73

SHA1
9c000f7b5fc6a537df2917e54fef6a6dd763c51b

SHA256
a1bb2a25fb78306917bda773aa94d2323fee2d78a415d18e5361dd551fb675ac

SHA512
1309f87e23a1bd8ba68ed58345902f99d372b5f8abbb6512d94c624bdb925a50715c71962bef086d26a6deb6d1d1f88cf6d561eef910aec3951b13ca09a98933

Download Submit