Analysis

  • max time kernel
    70s
  • max time network
    197s
  • platform
    windows11-21h2_x64
  • resource
    win11-20231222-en
  • resource tags

    arch:x64, arch:x86, image:win11-20231222-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    12-01-2024 13:33

General

  • Target

    Tr Tools PRO 1.0.5.2.exe

  • Size

    179.1MB

  • MD5

    64039454302ba8946380b2876075212a

  • SHA1

    ee3694cbfceab3ce074558de3b432159dd816cb2

  • SHA256

    c3f16db95779b1a4cf0d3861ed9c4a477f65023fa57940a204247dabefc68a74

  • SHA512

    7a6d943993a0a2ac0ab45a12deb463dcefc525226812532183bd0a57b04229eb99801091a64a0da4e260d34c19ad430add2f6c9784849988ddd9d5ba0d5b80ff

  • SSDEEP

    3145728:6gEXvze4cOXhxBroP4P4rzmSAsX56AqO7M4CJsEW19ERkrpbAOOm:UbeFuPwrzmdsX5PqOQxJuukB

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Tr Tools PRO 1.0.5.2.exe
    "C:\Users\Admin\AppData\Local\Temp\Tr Tools PRO 1.0.5.2.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2368
    • C:\Users\Admin\AppData\Local\Temp\is-SUVAS.tmp\Tr Tools PRO 1.0.5.2.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-SUVAS.tmp\Tr Tools PRO 1.0.5.2.tmp" /SL5="$E0052,186960161,884736,C:\Users\Admin\AppData\Local\Temp\Tr Tools PRO 1.0.5.2.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:3572
      • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\VCRedistInstaller (2021).exe
        "C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\VCRedistInstaller (2021).exe" -s
        3⤵
        PID:1324
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\install_all.bat" "
          4⤵
          PID:764
          • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2005_x64.exe
            vcredist2005_x64.exe /q
            5⤵
            PID:2592
            • C:\Windows\SysWOW64\msiexec.exe
              msiexec /i vcredist.msi
              6⤵
              PID:4996
          • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2008_x86.exe
            vcredist2008_x86.exe /qb
            5⤵
            PID:3180
            • \??\f:\3fdc88b7fc3078f88fcdbd19b17a4384\install.exe
              f:\3fdc88b7fc3078f88fcdbd19b17a4384\.\install.exe /qb
              6⤵
              PID:4936
          • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2008_x64.exe
            vcredist2008_x64.exe /qb
            5⤵
            PID:1520
            • \??\f:\133f289838f280f503b46563\install.exe
              f:\133f289838f280f503b46563\.\install.exe /qb
              6⤵
              PID:1228
          • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2010_x86.exe
            vcredist2010_x86.exe /passive /norestart
            5⤵
            PID:3824
            • \??\f:\058dccb2d4e5f4de37ad20ce0876\Setup.exe
              f:\058dccb2d4e5f4de37ad20ce0876\Setup.exe /passive /norestart
              6⤵
              PID:5000
          • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2010_x64.exe
            vcredist2010_x64.exe /passive /norestart
            5⤵
            PID:840
            • \??\f:\579dcf307298e8847daacaba37717e60\Setup.exe
              f:\579dcf307298e8847daacaba37717e60\Setup.exe /passive /norestart
              6⤵
              PID:2236
          • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2012_x86.exe
            vcredist2012_x86.exe /passive /norestart
            5⤵
            PID:3036
            • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2012_x86.exe
              "C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2012_x86.exe" /passive /norestart -burn.unelevated BurnPipe.{D3353168-AF76-428A-92F4-F41760945F7C} {10CFF1C5-8B38-4341-AEEB-FC2C3A43BD73} 3036
              6⤵
              PID:2076
          • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2012_x64.exe
            vcredist2012_x64.exe /passive /norestart
            5⤵
            PID:1800
            • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2012_x64.exe
              "C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2012_x64.exe" /passive /norestart -burn.unelevated BurnPipe.{796B0363-9DF8-4F01-9506-96849B7DA64E} {8DD7ECE2-97FA-417F-BD29-5A6E52CB9885} 1800
              6⤵
              PID:3216
          • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2013_x86.exe
            vcredist2013_x86.exe /passive /norestart
            5⤵
            PID:1740
            • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2013_x86.exe
              "C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2013_x86.exe" /passive /norestart -burn.unelevated BurnPipe.{E4B77225-D512-4D4D-85D0-901C6CC716B8} {A1B9AEDD-89DA-4C32-A509-60D571E41BD7} 1740
              6⤵
              PID:4708
            • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
              "C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={9dff3540-fc85-4ed5-ac84-9e3c7fd8bece} -burn.embedded BurnPipe.{CB283081-27FC-4E90-87DA-BDA0D0FD5917} {B8724963-7CAB-4690-9690-CCC114F1F8B1} 1740
              6⤵
              PID:2648
              • C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
                "C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={9dff3540-fc85-4ed5-ac84-9e3c7fd8bece} -burn.embedded BurnPipe.{CB283081-27FC-4E90-87DA-BDA0D0FD5917} {B8724963-7CAB-4690-9690-CCC114F1F8B1} 1740 -burn.unelevated BurnPipe.{06C49572-0D9B-458E-A8BC-2BE70FE8BC31} {5E986F47-6306-47B7-9D91-0A31778D2534} 2648
                7⤵
                PID:3148
          • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2013_x64.exe
            vcredist2013_x64.exe /passive /norestart
            5⤵
            PID:4616
            • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2013_x64.exe
              "C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2013_x64.exe" /passive /norestart -burn.unelevated BurnPipe.{B707319C-E8E4-4C20-A2D0-C87EC40E8586} {CA0B4D9D-287D-46BE-A129-E76E8772C64F} 4616
              6⤵
              PID:4044
            • C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
              "C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={042d26ef-3dbe-4c25-95d3-4c1b11b235a7} -burn.embedded BurnPipe.{53D74E02-256A-4723-8FE7-68DEC131A9D0} {1A3DAABF-62A1-445E-9775-4CF763FAA3F0} 4616
              6⤵
              PID:768
              • C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe
                "C:\ProgramData\Package Cache\{ef6b00ec-13e1-4c25-9064-b2f383cb8412}\vcredist_x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={042d26ef-3dbe-4c25-95d3-4c1b11b235a7} -burn.embedded BurnPipe.{53D74E02-256A-4723-8FE7-68DEC131A9D0} {1A3DAABF-62A1-445E-9775-4CF763FAA3F0} 4616 -burn.unelevated BurnPipe.{6F915EBB-B699-4238-B3D7-7D4BC6819D42} {076A5A80-9FDD-4F38-9971-2DE6E69FB799} 768
                7⤵
                PID:1080
          • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2015_2017_2019_2022_x86.exe
            vcredist2015_2017_2019_2022_x86.exe /passive /norestart
            5⤵
            PID:4444
            • C:\Windows\Temp\{D331DFBA-B9FB-4864-A9A3-921E1A05F3B2}\.cr\vcredist2015_2017_2019_2022_x86.exe
              "C:\Windows\Temp\{D331DFBA-B9FB-4864-A9A3-921E1A05F3B2}\.cr\vcredist2015_2017_2019_2022_x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2015_2017_2019_2022_x86.exe" -burn.filehandle.attached=576 -burn.filehandle.self=584 /passive /norestart
              6⤵
              PID:3452
          • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2015_2017_2019_2022_x64.exe
            vcredist2015_2017_2019_2022_x64.exe /passive /norestart
            5⤵
            PID:632
            • C:\Windows\Temp\{DA2E8DC2-4D3F-4573-926E-33963E436C14}\.cr\vcredist2015_2017_2019_2022_x64.exe
              "C:\Windows\Temp\{DA2E8DC2-4D3F-4573-926E-33963E436C14}\.cr\vcredist2015_2017_2019_2022_x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2015_2017_2019_2022_x64.exe" -burn.filehandle.attached=568 -burn.filehandle.self=576 /passive /norestart
              6⤵
              PID:1444
      • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\LibUsb.exe
        "C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\LibUsb.exe" /VERYSILENT
        3⤵
        PID:1180
  • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2005_x86.exe
    vcredist2005_x86.exe /q
    1⤵
    PID:4828
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec /i vcredist.msi
      2⤵
      PID:2012
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    PID:1072
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      PID:1692
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding F8CDECD2AC29CB4D51788FB70BD26C40
      2⤵
      PID:988
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 52BC520083C2EF16C414D32F66ECE329
      2⤵
      PID:1864
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:3792
  • C:\Users\Admin\AppData\Local\Temp\is-J9447.tmp\LibUsb.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-J9447.tmp\LibUsb.tmp" /SL5="$70066,1110214,831488,C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\LibUsb.exe" /VERYSILENT
    1⤵
    PID:4396
  • C:\Program Files (x86)\Tr Tools PRO\Tr Tools PRO.exe
    "C:\Program Files (x86)\Tr Tools PRO\Tr Tools PRO.exe"
    1⤵
    PID:1128

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Tr Tools PRO\Tr Tools PRO.exe
    Filesize
    1.0MB
  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredist.msi
    Filesize
    381KB
  • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\VCRedistInstaller (2021).exe
    Filesize
    382KB
  • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\VCRedistInstaller (2021).exe
    Filesize
    859KB
  • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\VCRedistInstaller (2021).exe
    Filesize
    893KB
  • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\install_all.bat
    Filesize
    1KB
  • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2005_x64.exe
    Filesize
    91KB
  • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2008_x86.exe
    Filesize
    381KB
  • C:\Users\Admin\AppData\Local\Temp\is-DSSV2.tmp\vcredist2008_x86.exe
    Filesize
    92KB
  • C:\Users\Admin\AppData\Local\Temp\is-SUVAS.tmp\Tr Tools PRO 1.0.5.2.tmp
    Filesize
    1.1MB
  • C:\Users\Admin\AppData\Local\Temp\is-SUVAS.tmp\Tr Tools PRO 1.0.5.2.tmp
    Filesize
    819KB
  • C:\Windows\Installer\MSI96CC.tmp
    Filesize
    28KB
  • F:\3fdc88b7fc3078f88fcdbd19b17a4384\install.exe
    Filesize
    547KB
  • \??\Volume{6d8be5d0-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{26a668c3-8727-4790-a26f-394e0c9753c1}_OnDiskSnapshotProp
    Filesize
    6KB

                                                                                5cd58b3beb37b5ed38418ba8091b4ea3cad7c8be2eab2a04575ddb8c7275433c

                                                                                SHA512

                                                                                5cc7d3bbe26101fdc3d8b4f3207a3d0a766152737817655066210d7b09bf6924370ccf7bc6134fa22d92b9fc5486f9e3cdfb99603eb21c4790f2d1f262309104

                                                                              • \??\f:\3fdc88b7fc3078f88fcdbd19b17a4384\install.exe

                                                                                Filesize

                                                                                381KB

                                                                                MD5

                                                                                12dac352f69040cc5c03e3de3fde6a59

                                                                                SHA1

                                                                                8fddfdcb060fe7cf296013e2a8325aec137ce675

                                                                                SHA256

                                                                                ddb96873f2c0a0e251140a58fb129aafc36671c5c6d96b16fa61937015353a12

                                                                                SHA512

                                                                                830f732ae641e90ba8c1259e9100950d47d2c27cbcfeaff4fb4329394aa1998484232f6661e1d33f0f834898b2ce6910a5122080a789fded8e5f40282aedc588
