Overview
overview
10Static
static
10076be2c09b...29.exe
windows11-21h2-x64
100fd2b5dba8...d1.exe
windows11-21h2-x64
10131d6fb920...b1.exe
windows11-21h2-x64
101c133b9bb4...fd.exe
windows11-21h2-x64
1030af8d3ec6...30.exe
windows11-21h2-x64
1041c9d28653...f5.exe
windows11-21h2-x64
105a0daa24b5...1f.exe
windows11-21h2-x64
630efa1e2d...ad.exe
windows11-21h2-x64
10651bc82076...73.exe
windows11-21h2-x64
677bea9e71...58.exe
windows11-21h2-x64
107afefba65e...bb.exe
windows11-21h2-x64
3817c226e42...db.dll
windows11-21h2-x64
8a925fc1289...42.exe
windows11-21h2-x64
7b1c5fd5c0f...ae.exe
windows11-21h2-x64
10f2923f695d...7d.msi
windows11-21h2-x64
10f58d2071a2...e1.exe
windows11-21h2-x64
7Analysis
-
max time kernel
496s -
max time network
454s -
platform
windows11-21h2_x64 -
resource
win11-20231215-en -
resource tags
arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system -
submitted
20-12-2023 01:43
Behavioral task
behavioral1
Sample
076be2c09b944ec56381f42405728f7f657d2597b6e27191354568fb70170b29.exe
Resource
win11-20231215-en
Behavioral task
behavioral2
Sample
0fd2b5dba8eb6762b397cf61bd9c2ff9de3eefc8eb8c4cbb1002d1b9c96fe5d1.exe
Resource
win11-20231215-en
Behavioral task
behavioral3
Sample
131d6fb9204ceda508075afce9b9b65e429952674e914d224268deb319a0aab1.exe
Resource
win11-20231215-en
Behavioral task
behavioral4
Sample
1c133b9bb476879df8145370ce1069ec92f28cade85a839e0159158a3e1b1afd.exe
Resource
win11-20231215-en
Behavioral task
behavioral5
Sample
30af8d3ec685a4a5669f1377bb74589772a0428d9daa214c179a795dcf4b9030.exe
Resource
win11-20231215-en
Behavioral task
behavioral6
Sample
41c9d28653704e628d8dd20e5f65a298242072156a31bc5fe0e24a1f4c640af5.exe
Resource
win11-20231215-en
Behavioral task
behavioral7
Sample
5a0daa24b5748d81ba0bb78d7f2b50eb4c387ffe679c92c1462f7dec586adb1f.exe
Resource
win11-20231215-en
Behavioral task
behavioral8
Sample
630efa1e2dc642799b867363bb36d1953884480ac29942a1ab20243a8a9620ad.exe
Resource
win11-20231215-en
Behavioral task
behavioral9
Sample
651bc82076659431e06327aeb3aacef2c30bf3cfd43ae4f9bc6b4222f15bb673.exe
Resource
win11-20231215-en
Behavioral task
behavioral10
Sample
677bea9e71aa3a56fe62a20580eb0786431a4789cb340a7294eb243054191c58.exe
Resource
win11-20231215-en
Behavioral task
behavioral11
Sample
7afefba65e72f42925ba76fae9ea98286eff7d0d01dcccd07c6117384858b6bb.exe
Resource
win11-20231215-en
Behavioral task
behavioral12
Sample
817c226e42f5c503325288fd8273bc03b326590f457e7a589eb34c2792d0a5db.dll
Resource
win11-20231215-en
Behavioral task
behavioral13
Sample
a925fc1289573f01bb86482e38340f0fe431269aa7500d776713c71091c49142.exe
Resource
win11-20231215-en
Behavioral task
behavioral14
Sample
b1c5fd5c0f6a2760eb638414d9bf9b7536b81f45edbd9d509dd085346c67a6ae.exe
Resource
win11-20231215-en
Behavioral task
behavioral15
Sample
f2923f695dc02132cea5c0241060dba9a35d317342675118f7b22288e78cee7d.msi
Resource
win11-20231215-en
Behavioral task
behavioral16
Sample
f58d2071a2fdaea27d814e788e002fe5da63843546f22c255eceade162323ce1.exe
Resource
win11-20231215-en
General
-
Target
f2923f695dc02132cea5c0241060dba9a35d317342675118f7b22288e78cee7d.msi
-
Size
252KB
-
MD5
7ee76614ffebd297cabed708980cec45
-
SHA1
64ffe23df18cd51e287fc650e871601e5cf22e01
-
SHA256
f2923f695dc02132cea5c0241060dba9a35d317342675118f7b22288e78cee7d
-
SHA512
d07fdb7e5c914f5dc1b24448c06b12b84636259abfc686dd2440375c3877e5769ad196a9934293d3723009292f837efd98fb123c823fd77a0dae8592a02f1d41
-
SSDEEP
3072:1En24jTXQKXWhFby1OdlyP8fmgvI7mgnkzR4gMzMXamrL7hybkRYW5:1ERjrQKX2rlDtIyskzCPzMKmM7
Malware Config
Extracted
predatorstealer
http://193.142.59.66/L9/
Signatures
-
PredatorStealer
Predator is a modular stealer written in C#.
-
CoreCCC Packer 1 IoCs
Detects CoreCCC packer used to load .NET malware.
resource yara_rule behavioral15/files/0x000200000002a7f1-10.dat coreccc -
Executes dropped EXE 4 IoCs
pid Process 4036 MSI79D4.tmp 3320 MSI79D4.tmp 4616 FB_7E77.tmp.exe 4716 FB_7EB6.tmp.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-771046930-2949676035-3337286276-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 FB_7EB6.tmp.exe Key opened \REGISTRY\USER\S-1-5-21-771046930-2949676035-3337286276-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 FB_7EB6.tmp.exe Key opened \REGISTRY\USER\S-1-5-21-771046930-2949676035-3337286276-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 FB_7EB6.tmp.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-771046930-2949676035-3337286276-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender Updater = "C:\\Users\\Admin\\AppData\\Local\\Temp\\cc3a68ce1dad95ce662e1c51f1568e3a.exe / start" FB_7EB6.tmp.exe -
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\L: msiexec.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4036 set thread context of 3320 4036 MSI79D4.tmp 90 -
Drops file in Windows directory 12 IoCs
description ioc Process File created C:\Windows\Installer\e577908.msi msiexec.exe File opened for modification C:\Windows\Installer\e577908.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\SystemTemp\~DFDA18FBA6E054C339.TMP msiexec.exe File created C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6} msiexec.exe File opened for modification C:\Windows\Installer\MSI79D4.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF73B30E3DBD11C8EA.TMP msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\SystemTemp\~DF2326531E7F4BA6F3.TMP msiexec.exe File opened for modification C:\Windows\Installer\MSI79A4.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF80EF10C2C0288FCE.TMP msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001484cc1f66f1204e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001484cc1f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001484cc1f000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1484cc1f000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001484cc1f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 1212 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 556 msiexec.exe 556 msiexec.exe -
Suspicious use of AdjustPrivilegeToken 56 IoCs
description pid Process Token: SeShutdownPrivilege 484 msiexec.exe Token: SeIncreaseQuotaPrivilege 484 msiexec.exe Token: SeSecurityPrivilege 556 msiexec.exe Token: SeCreateTokenPrivilege 484 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 484 msiexec.exe Token: SeLockMemoryPrivilege 484 msiexec.exe Token: SeIncreaseQuotaPrivilege 484 msiexec.exe Token: SeMachineAccountPrivilege 484 msiexec.exe Token: SeTcbPrivilege 484 msiexec.exe Token: SeSecurityPrivilege 484 msiexec.exe Token: SeTakeOwnershipPrivilege 484 msiexec.exe Token: SeLoadDriverPrivilege 484 msiexec.exe Token: SeSystemProfilePrivilege 484 msiexec.exe Token: SeSystemtimePrivilege 484 msiexec.exe Token: SeProfSingleProcessPrivilege 484 msiexec.exe Token: SeIncBasePriorityPrivilege 484 msiexec.exe Token: SeCreatePagefilePrivilege 484 msiexec.exe Token: SeCreatePermanentPrivilege 484 msiexec.exe Token: SeBackupPrivilege 484 msiexec.exe Token: SeRestorePrivilege 484 msiexec.exe Token: SeShutdownPrivilege 484 msiexec.exe Token: SeDebugPrivilege 484 msiexec.exe Token: SeAuditPrivilege 484 msiexec.exe Token: SeSystemEnvironmentPrivilege 484 msiexec.exe Token: SeChangeNotifyPrivilege 484 msiexec.exe Token: SeRemoteShutdownPrivilege 484 msiexec.exe Token: SeUndockPrivilege 484 msiexec.exe Token: SeSyncAgentPrivilege 484 msiexec.exe Token: SeEnableDelegationPrivilege 484 msiexec.exe Token: SeManageVolumePrivilege 484 msiexec.exe Token: SeImpersonatePrivilege 484 msiexec.exe Token: SeCreateGlobalPrivilege 484 msiexec.exe Token: SeBackupPrivilege 1748 vssvc.exe Token: SeRestorePrivilege 1748 vssvc.exe Token: SeAuditPrivilege 1748 vssvc.exe Token: SeBackupPrivilege 556 msiexec.exe Token: SeRestorePrivilege 556 msiexec.exe Token: SeRestorePrivilege 556 msiexec.exe Token: SeTakeOwnershipPrivilege 556 msiexec.exe Token: SeRestorePrivilege 556 msiexec.exe Token: SeTakeOwnershipPrivilege 556 msiexec.exe Token: SeRestorePrivilege 556 msiexec.exe Token: SeTakeOwnershipPrivilege 556 msiexec.exe Token: SeRestorePrivilege 556 msiexec.exe Token: SeTakeOwnershipPrivilege 556 msiexec.exe Token: SeRestorePrivilege 556 msiexec.exe Token: SeTakeOwnershipPrivilege 556 msiexec.exe Token: SeDebugPrivilege 4716 FB_7EB6.tmp.exe Token: SeBackupPrivilege 2768 srtasks.exe Token: SeRestorePrivilege 2768 srtasks.exe Token: SeSecurityPrivilege 2768 srtasks.exe Token: SeTakeOwnershipPrivilege 2768 srtasks.exe Token: SeBackupPrivilege 2768 srtasks.exe Token: SeRestorePrivilege 2768 srtasks.exe Token: SeSecurityPrivilege 2768 srtasks.exe Token: SeTakeOwnershipPrivilege 2768 srtasks.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 484 msiexec.exe 484 msiexec.exe -
Suspicious use of WriteProcessMemory 23 IoCs
description pid Process procid_target PID 556 wrote to memory of 2768 556 msiexec.exe 83 PID 556 wrote to memory of 2768 556 msiexec.exe 83 PID 556 wrote to memory of 4036 556 msiexec.exe 85 PID 556 wrote to memory of 4036 556 msiexec.exe 85 PID 556 wrote to memory of 4036 556 msiexec.exe 85 PID 4036 wrote to memory of 1212 4036 MSI79D4.tmp 86 PID 4036 wrote to memory of 1212 4036 MSI79D4.tmp 86 PID 4036 wrote to memory of 1212 4036 MSI79D4.tmp 86 PID 4036 wrote to memory of 3320 4036 MSI79D4.tmp 90 PID 4036 wrote to memory of 3320 4036 MSI79D4.tmp 90 PID 4036 wrote to memory of 3320 4036 MSI79D4.tmp 90 PID 4036 wrote to memory of 3320 4036 MSI79D4.tmp 90 PID 4036 wrote to memory of 3320 4036 MSI79D4.tmp 90 PID 4036 wrote to memory of 3320 4036 MSI79D4.tmp 90 PID 4036 wrote to memory of 3320 4036 MSI79D4.tmp 90 PID 4036 wrote to memory of 3320 4036 MSI79D4.tmp 90 PID 4036 wrote to memory of 3320 4036 MSI79D4.tmp 90 PID 3320 wrote to memory of 4616 3320 MSI79D4.tmp 89 PID 3320 wrote to memory of 4616 3320 MSI79D4.tmp 89 PID 3320 wrote to memory of 4616 3320 MSI79D4.tmp 89 PID 3320 wrote to memory of 4716 3320 MSI79D4.tmp 88 PID 3320 wrote to memory of 4716 3320 MSI79D4.tmp 88 PID 3320 wrote to memory of 4716 3320 MSI79D4.tmp 88 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-771046930-2949676035-3337286276-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 FB_7EB6.tmp.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-771046930-2949676035-3337286276-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 FB_7EB6.tmp.exe
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\f2923f695dc02132cea5c0241060dba9a35d317342675118f7b22288e78cee7d.msi1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:484
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵
- Suspicious use of AdjustPrivilegeToken
PID:2768
-
-
C:\Windows\Installer\MSI79D4.tmp"C:\Windows\Installer\MSI79D4.tmp"2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4036 -
C:\Windows\SysWOW64\schtasks.exe"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YstHtlt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7D5E.tmp"3⤵
- Creates scheduled task(s)
PID:1212
-
-
C:\Windows\Installer\MSI79D4.tmp"{path}"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3320
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1748
-
C:\Users\Admin\AppData\Local\Temp\FB_7EB6.tmp.exe"C:\Users\Admin\AppData\Local\Temp\FB_7EB6.tmp.exe"1⤵
- Executes dropped EXE
- Accesses Microsoft Outlook profiles
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- outlook_office_path
- outlook_win_path
PID:4716
-
C:\Users\Admin\AppData\Local\Temp\FB_7E77.tmp.exe"C:\Users\Admin\AppData\Local\Temp\FB_7E77.tmp.exe"1⤵
- Executes dropped EXE
PID:4616
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
681B
MD5449995eeb9639d25b7b1db505b11c3ba
SHA1fb622508f017c04bb7d3b3fe882359df58413b02
SHA2563f28a2aff6fe0ca1e426e5113ec77d4c345d4a0d27d7e61ef50712ef5f772844
SHA512a957df372541f02708c1b77c4195018caa9c761f1d674117fd321b225a3ee2b3a1c0a6282f750fe4736ac9f845b9289676805d7acd0d9fb88d844fc5789d090c
-
Filesize
3KB
MD574bafb3e707c7b0c63938ac200f99c7f
SHA110c5506337845ed9bf25c73d2506f9c15ab8e608
SHA256129450ba06ad589cf6846a455a5b6b5f55e164ee4906e409eb692ab465269689
SHA5125b24dc5acd14f812658e832b587b60695fb16954fca006c2c3a7382ef0ec65c3bd1aaf699425c49ff3cceef16869e75dd6f00ec189b9f673f08f7e1b80cf7781
-
Filesize
83KB
MD5dd24541db9276752835823f0610d06bb
SHA1d043d4e789fc5881b6cb9aa52a5c73151dbe7ea8
SHA256f156f9a91bcc0419623538e5ab1745a17813b9c3526ca1217fb9977679fcc2f8
SHA51256a948584427f34d3c59228b96023d3c7ca00a83c476d5ef53f8f4e7a2cbd071676eb635254a58554cced677a175eee3c64a0b31d040fdf39264134ddf058c47
-
Filesize
1KB
MD5945829b0c7cb163c167b0d0e013be347
SHA1f07305f1025e251181484384e7061ef1539093cf
SHA256e18dfdfb5995952457d326bec03bdca7fd421a1e3b53c887ba1480c06f21c8a7
SHA51205611ab8fb9ee0bdcae6a3768eae6e7498ce148c58dcd32ebc9ea6eab7969ffeadf25ea58cdf819836d6de897eeaed900e5f33a48f94dd937ac7865dc349fe9c
-
Filesize
227KB
MD54e136eafa2b14e6f68e66dbb7ac58d2f
SHA1d737b584b9f162ba98b4ec2508ed3e5199580288
SHA25643f04bffb4efb62082c3cf30f05b0c838565ccc5a358c502b3ba582db9c76a50
SHA51246883599aa660af1118594fc378062b20cd50df505a119d379065ff987bc42a719950c591557e00302ee3b7528302da737cee61d50ae00857bde822c631f3c6d
-
Filesize
193KB
MD5638d1624ce1f2c800418efc880db18bf
SHA16b68d4f4d508e8d75e9fea0994fd6e19360f32d5
SHA2566c321b546cab91e8848cd73ed999a712133ea2e577c50dee4a7ac71038a1c151
SHA512197be97d7f8c4031d92f73ce7818040efc54ee0c9b6b94b4302300cb20d1973fb104852f8991bdd5b732245b4d9a058b5005fed944d48a0b414177151d8fe90c
-
\??\Volume{1fcc8414-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a3044691-cb71-48db-8a38-c8c41c022d19}_OnDiskSnapshotProp
Filesize6KB
MD51685fee1a11d485176f780e815d85644
SHA168f85d2d8905c8b11d6d24cf2882b8f3599fbc79
SHA256d1cae5faea03c75f8555d35556896fc9041daaa110cfa224ff3475e6a0ad45b6
SHA512bfa4d0462cbb4f6303a2c0358ebd592a08157914fab5219aac7996c6d0166dbc95df768bf286e3878094057904a519226bc7cf038e8d1a931ccd1cba96606127