bfa7a13a97f61cc63ae748ad806978d11391a5c17b1a8a8f4fbaadf07f4e0891

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
17/02/2024, 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Mia_Khalifa 18+.msi
Size

64.5MB
MD5

a347250844a6e54c27bd5fcc464dae85
SHA1

3b27a896233eb882d1475f773836bf69d1c3bddf
SHA256

bfa7a13a97f61cc63ae748ad806978d11391a5c17b1a8a8f4fbaadf07f4e0891
SHA512

9b9b3776ee46ed61bb9ecf8b9c04a4607097c88a873616ab83b21c5a1fde304424191d5399899b1665f9d99824d3243e3cc29a9358a857872c93f7e6aa0a5935
SSDEEP

1572864:Y4pJnZxr9EOH5skMiNRvKT8SVNWX/nNKRtYA3X8gHAn/VIK:YgJL3svi3iTNVNWX/n0rDnNgn/G

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
5	4464	msiexec.exe
7	4464	msiexec.exe
11	4464	msiexec.exe
13	4464	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-996941297-2279405024-2328152752-1000\Control Panel\International\Geo\Nation	InstallerPlus_v3e.5m.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIF50E.tmp	msiexec.exe
File created	C:\Windows\Installer\e57f1b5.msi	msiexec.exe
File created	C:\Windows\Installer\e57f1b3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f1b3.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{012FB3C5-AEAA-4AD9-BE59-398414C7C234}	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
3496	InstallerPlus_v3e.5m.exe
3892	Installer-Advanced-Installergenius_v4.8z.1l.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000fe4aef237c2afe490000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000fe4aef230000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900fe4aef23000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dfe4aef23000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000fe4aef2300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5036	msiexec.exe
5036	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4464	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4464	msiexec.exe
Token: SeSecurityPrivilege	5036	msiexec.exe
Token: SeCreateTokenPrivilege	4464	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4464	msiexec.exe
Token: SeLockMemoryPrivilege	4464	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4464	msiexec.exe
Token: SeMachineAccountPrivilege	4464	msiexec.exe
Token: SeTcbPrivilege	4464	msiexec.exe
Token: SeSecurityPrivilege	4464	msiexec.exe
Token: SeTakeOwnershipPrivilege	4464	msiexec.exe
Token: SeLoadDriverPrivilege	4464	msiexec.exe
Token: SeSystemProfilePrivilege	4464	msiexec.exe
Token: SeSystemtimePrivilege	4464	msiexec.exe
Token: SeProfSingleProcessPrivilege	4464	msiexec.exe
Token: SeIncBasePriorityPrivilege	4464	msiexec.exe
Token: SeCreatePagefilePrivilege	4464	msiexec.exe
Token: SeCreatePermanentPrivilege	4464	msiexec.exe
Token: SeBackupPrivilege	4464	msiexec.exe
Token: SeRestorePrivilege	4464	msiexec.exe
Token: SeShutdownPrivilege	4464	msiexec.exe
Token: SeDebugPrivilege	4464	msiexec.exe
Token: SeAuditPrivilege	4464	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4464	msiexec.exe
Token: SeChangeNotifyPrivilege	4464	msiexec.exe
Token: SeRemoteShutdownPrivilege	4464	msiexec.exe
Token: SeUndockPrivilege	4464	msiexec.exe
Token: SeSyncAgentPrivilege	4464	msiexec.exe
Token: SeEnableDelegationPrivilege	4464	msiexec.exe
Token: SeManageVolumePrivilege	4464	msiexec.exe
Token: SeImpersonatePrivilege	4464	msiexec.exe
Token: SeCreateGlobalPrivilege	4464	msiexec.exe
Token: SeBackupPrivilege	4588	vssvc.exe
Token: SeRestorePrivilege	4588	vssvc.exe
Token: SeAuditPrivilege	4588	vssvc.exe
Token: SeBackupPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe
Token: SeTakeOwnershipPrivilege	5036	msiexec.exe
Token: SeRestorePrivilege	5036	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4464	msiexec.exe
4464	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5036 wrote to memory of 4996	5036	msiexec.exe	95
PID 5036 wrote to memory of 4996	5036	msiexec.exe	95
PID 5036 wrote to memory of 3496	5036	msiexec.exe	97
PID 5036 wrote to memory of 3496	5036	msiexec.exe	97
PID 5036 wrote to memory of 3496	5036	msiexec.exe	97
PID 3496 wrote to memory of 3892	3496	InstallerPlus_v3e.5m.exe	99
PID 3496 wrote to memory of 3892	3496	InstallerPlus_v3e.5m.exe	99
PID 3496 wrote to memory of 3892	3496	InstallerPlus_v3e.5m.exe	99

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I "C:\Users\Admin\AppData\Local\Temp\Mia_Khalifa 18+.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4464

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5036
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4996
- C:\Users\Admin\AppData\Local\Outweep Dynes\InstallerPlus_v3e.5m.exe
  "C:\Users\Admin\AppData\Local\Outweep Dynes\InstallerPlus_v3e.5m.exe" -pe548ycMIJPeyhTd
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installer-Advanced-Installergenius_v4.8z.1l.exe
    "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installer-Advanced-Installergenius_v4.8z.1l.exe"
    3⤵
    - Executes dropped EXE
    PID:3892

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57f1b4.rbs

Filesize
8KB

MD5
a8681155622dfd0812e619e293f4b545

SHA1
561411ae46f8d1553ab9e3787d3884b4eea16a64

SHA256
86e6ea768e2b1c41d16c61deadb7c9c92d028a37abceb589fb83a53ae1fe993f

SHA512
ff2be837fbd799aad7feecaa19aeac238920e10eb31647b55b1bcb4ffc02b93ae53993bce214d6842717f11183a8bac6e46565326f042b74384927672e051d15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\40C68D5626484A90937F0752C8B950AB

Filesize
834B

MD5
9b1f6b70bda69a1103260c6951aa560f

SHA1
121da6f9d62998913f09dedbb4b23efdc2d509c2

SHA256
fb69fd0d9babc979c3b479a20301fb658b23ccab1b0377925423860439dda4d5

SHA512
3ab2380733ec7c1e1bdf2252cecaf4b5d50aff8b887184de127b0849016a19dd332dc9d392254f4dcca71c730f17bb9d1a57b1fe47e32adc78a1021d433448d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\EA618097E393409AFA316F0F87E2C202_B06B4CAE26C37390498546FC139D1207

Filesize
1KB

MD5
80363ef1a846b4f35a81d5010539b527

SHA1
aaee095f79ebe471551d6d2fb69caec7d44f5c4e

SHA256
c12220f8d3e80368a7e0ebc45422840d7facc6123d98ece664a5d2a3c55e0d20

SHA512
232c17ec09ce1e2977d796e048ad41b6c54fbf7cd49a80fc146974436a8e615577d634a2d1ad465b7135d078354fe93606df30286aa59059ad82865a9eb8b8d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\40C68D5626484A90937F0752C8B950AB

Filesize
180B

MD5
de924a8d9f3c7c14a955c11e5fbafa6e

SHA1
20b1f2ba1b58c0fa216d02385ee10098e0ec8f40

SHA256
b29d17dbd2d1ffb6952fbad54d512218068925490b3dbf340aafccfbd8569aaa

SHA512
af05dd2d91a666ac00c235dfcb67f082bc9fb09f9b844f73236d0f56458e2e10ad5e1f2038a73c9bf5ee667a3591cf38c8e1208aace8fffe51e999f30501240c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C46E7B0F942663A1EDC8D9D6D7869173_6043FC604A395E1485AF7AC16D16B7CE

Filesize
398B

MD5
277c19d99c2fda6dee1a7d61c9c2d894

SHA1
8a016f3d5f171c6ebcb17e10761dbf4a99bcd27b

SHA256
b474a3d27f7c308a6fbb272487922cd898acf82056053db5f7a43066d58823f6

SHA512
a599c85078a10256ff8135acb1e8f630585d0bcc4af1b693ab7be06b4ea5fce5748519d1190351f7514c4cee678f8e525e83d7130abac986b84717a4087da51e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\EA618097E393409AFA316F0F87E2C202_B06B4CAE26C37390498546FC139D1207

Filesize
402B

MD5
e440862aae80c77cd639d62f6fa81ee4

SHA1
4c51497da2437aaaa03eee962ae648a05364777b

SHA256
2ad7f1ffadebb71409b79c6a67d20c6310e9a983c41ee41e4a04ef548cc4aac7

SHA512
3c48cac352ac984289caabe74e7baaff5cd1ab28b0d8db67394c449cd8326f4d1c11b779136a7780295410352355ce0d60f1b7a318acb7f5084a4c16d0ef4940

Download Submit
C:\Users\Admin\AppData\Local\Outweep Dynes\InstallerPlus_v3e.5m.exe

Filesize
14.4MB

MD5
329db0061d20c474a5360c5ea1ab35bb

SHA1
4c1a133de743a651d2f7bf7aa615d4b5d04c1d24

SHA256
c180ec1c48f6723b35ae8156f4001a65497c06bd37ea6e3b3beea53e620cf012

SHA512
18b7baa37e6e61b2b6a49b8b00d8ac9e5c6fcf4b1797592049f2d6d577fd75fd17de4a8b14c8d1aeda36c04eb93385bcd44f4ca42315a6e8c9bc726d85a1cd6e

Download Submit
C:\Users\Admin\AppData\Local\Outweep Dynes\InstallerPlus_v3e.5m.exe

Filesize
5.6MB

MD5
0ae10e646a25c69e651e90896ba18eab

SHA1
d754af7eddbb46540de65d1b3e61f130ef2caf38

SHA256
450923963de86e71139c22d6d15b90aa6ae40165b15cec06dd18254ef0874d6e

SHA512
ba3ea6f05d32be229f5f00369e430f255a49c28816a9ced8fd8bb286a884f674d82dc7e71f28f78f102a34a23f08557339bb8a7fa0b79fd6a7f24c45148f18e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installer-Advanced-Installergenius_v4.8z.1l.exe

Filesize
43.8MB

MD5
c1cf1da5a2ceabd65d15fdc85b10ff32

SHA1
4b25f263be6881482c2559ce98bf21b6540094d7

SHA256
9575294e68ffd3001c061e864b2e103dfe4c7a08e0d6d29d11d1b944266e5845

SHA512
175b0d01a27bc74fd320cb6261c33977c0fa36ad3cf8ffe845263e81907df47f8f0090d9d52a8587403c98330bebb4353d2ae61ed66fef9791d47163a1e1aff4

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installer-Advanced-Installergenius_v4.8z.1l.exe

Filesize
10.1MB

MD5
a590853c52c60e1715916df0a06bc0f1

SHA1
2b1efca2ef08197d371193cab9b42bb7125eb519

SHA256
c1eee67052a05a4aa21fa3ab8b899c8d0eea04fbac8c6136b2e216e683205bc7

SHA512
55df2837b84db5dde0afcd3ba60cf78c8a0b922709f7d62538b8757e49c35b1ab4803d0873a87d1ed00e5f00180c5890d3d48138a949a43fea387e4e079ff043

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Installer-Advanced-Installergenius_v4.8z.1l.exe

Filesize
10.4MB

MD5
a81b4cdf9c03361995a4374f8f534a18

SHA1
187786613a1834aeb8746e5dd479c28634f99a2a

SHA256
41781ed90ed8aca31a6e60d2f7f23aaae3a8feb5570122a7cb142a490e9e7e21

SHA512
28b04d54efeb9dbce42634b995f55f4118e364a47afd1e22857f0f2da4258be798c189d9b33bc7a8beaa24955fc07429efd3ce1e2a17878bfd468a516f2e15b1

Download Submit
C:\Windows\Installer\e57f1b3.msi

Filesize
11.2MB

MD5
6d3eb47c2d839f6be6158098889e2f5d

SHA1
7d857dee7111722f4906e1c30516c23f90d92d24

SHA256
9692eeb66b0b8067c0cd739f135a3368cdd083f328ce8ea59af8973d19168b3b

SHA512
312436458a60cb4c073b27986314df751de95df97e70416078d927bd4b36fff622a532b5f9825f07b18f1b2032c2bb2701305910925ff2aaf66d8432999d8221

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
4.5MB

MD5
4359effc53361dc98fb769564dcc3f7a

SHA1
87be347f1aee6a7a1bd4b6a67e1f8cf299934ada

SHA256
d5e7773013a79d36577ee9835755dce5c8835d2fa382135d6dc2baaf4828ffd6

SHA512
5628192dfd31b3d9c5076760914f180e45ec8c114323f8ad83f4eb2dba4fc2fe09e99cf5410518a3cb7628e4d22dd4b779370543ce9774d3996f000e3be75e42

Download Submit
\??\Volume{23ef4afe-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bc37382b-e86d-42da-9511-9ae6153d64d5}_OnDiskSnapshotProp

Filesize
6KB

MD5
c5b04714ace56da5b9871ff7ac268699

SHA1
d4c2c7623365db70d01cc3d6cb26256dc5462215

SHA256
09d29a7e4be8d44bb9e5421a1d8916e4e480859da9bcdc0093c9504c610b405a

SHA512
d79840c0aba009b13fb9741fedb3ab77c612974f99eb6e1ce780e758c9dd5e7b4efc938c3534b17b6c6a169cf69422cae94a8e15a5dcc88dbee56929c2d4141b

Download Submit
memory/3892-61-0x0000000072AA0000-0x0000000073250000-memory.dmp

Filesize
7.7MB

Download