Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-es
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-es, locale:es-es, os:windows10-2004-x64, system, windows
- submitted: 30-03-2024 23:18
General
- Target: GhostGG.rar
- Size: 110.2MB
- MD5: 8acaf25715e8b6a7cfe0c8d2109627ca
- SHA1: 9e09e2b8649963e6a0bcc693a4fbd4ee860b928d
- SHA256: 9f77ba3c437c3f4e532b91bb6a35142e972bea79a5dd6c1e463e68464dd03422
- SHA512: 81bd25dfff1ab9c45821e18c0ea4b642bef9d139e96b6962d5d68a8352c19dd54de2c3d2fe4057ab2b9274821a54d43ebb2f0a1acbceb4c81fe51bf5c18dcd8f
- SSDEEP: 3145728:iU7ny3r/wq2wmc8j/OEqSdZYuaamBg+J0zD:f4DPs3drmi++zD
Malware Config
Signatures
Detect Umbral payload 4 IoCs
resource | yara_rule
behavioral1/files/0x0008000000023234-18.dat | family_umbral
behavioral1/memory/2940-25-0x000002D849270000-0x000002D8492AC000-memory.dmp | family_umbral
behavioral1/files/0x0008000000023239-52.dat | family_umbral
behavioral1/memory/2456-59-0x000001B73DA40000-0x000001B73DA7C000-memory.dmp | family_umbral
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | GhostGG.exe
Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | GhostGG.exe
Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | GhostGG.exe
Key value queried | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000\Control Panel\International\Geo\Nation | cmd.exe
Executes dropped EXE 6 IoCs
pid | Process
1004 | GhostGG.exe
2940 | UmbralNOVOCAIUOANTIGO.exe
3496 | GhostGG.exe
2456 | Umbral.exe
3032 | GhostGG.exe
3180 | UmbralNOVOCAIUOANTIGO.exe
Blocklisted process makes network request 1 IoCs
flow | pid | Process
44 | 4264 | msiexec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory 3 IoCs
description | ioc | Process
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File created | C:\Windows\Installer\e58c697.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e58c697.msi | msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Modifies registry class 2 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-983155329-280873152-1838004294-1000_Classes\Local Settings | GhostGG.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
2828 | 7zFM.exe
2828 | 7zFM.exe
2828 | 7zFM.exe
2828 | 7zFM.exe
3128 | msiexec.exe
3128 | msiexec.exe
2828 | 7zFM.exe
2828 | 7zFM.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2828 | 7zFM.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 5 IoCs
pid | Process
2828 | 7zFM.exe
2828 | 7zFM.exe
2828 | 7zFM.exe
4264 | msiexec.exe
4264 | msiexec.exe
Suspicious use of WriteProcessMemory 22 IoCs
description | pid | Process | procid_target
PID 2720 wrote to memory of 2828 | 2720 | cmd.exe | 89
PID 2720 wrote to memory of 2828 | 2720 | cmd.exe | 89
PID 2828 wrote to memory of 1004 | 2828 | 7zFM.exe | 101
PID 2828 wrote to memory of 1004 | 2828 | 7zFM.exe | 101
PID 1004 wrote to memory of 2940 | 1004 | GhostGG.exe | 103
PID 1004 wrote to memory of 2940 | 1004 | GhostGG.exe | 103
PID 2940 wrote to memory of 3476 | 2940 | UmbralNOVOCAIUOANTIGO.exe | 104
PID 2940 wrote to memory of 3476 | 2940 | UmbralNOVOCAIUOANTIGO.exe | 104
PID 1004 wrote to memory of 3496 | 1004 | GhostGG.exe | 106
PID 1004 wrote to memory of 3496 | 1004 | GhostGG.exe | 106
PID 3496 wrote to memory of 2456 | 3496 | GhostGG.exe | 107
PID 3496 wrote to memory of 2456 | 3496 | GhostGG.exe | 107
PID 2456 wrote to memory of 1652 | 2456 | Umbral.exe | 108
PID 2456 wrote to memory of 1652 | 2456 | Umbral.exe | 108
PID 3496 wrote to memory of 4264 | 3496 | GhostGG.exe | 111
PID 3496 wrote to memory of 4264 | 3496 | GhostGG.exe | 111
PID 3128 wrote to memory of 2252 | 3128 | msiexec.exe | 116
PID 3128 wrote to memory of 2252 | 3128 | msiexec.exe | 116
PID 3032 wrote to memory of 3180 | 3032 | GhostGG.exe | 119
PID 3032 wrote to memory of 3180 | 3032 | GhostGG.exe | 119
PID 3180 wrote to memory of 4356 | 3180 | UmbralNOVOCAIUOANTIGO.exe | 120
PID 3180 wrote to memory of 4356 | 3180 | UmbralNOVOCAIUOANTIGO.exe | 120
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\GhostGG.rar
  PID: 2720
  Behaviors: Checks computer location settings; Modifies registry class; Suspicious use of WriteProcessMemory
  - C:\Program Files\7-Zip\7zFM.exe
    Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\GhostGG.rar"
    PID: 2828
    Behaviors: Suspicious behavior: EnumeratesProcesses; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\7zOC0B8A2A7\GhostGG.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zOC0B8A2A7\GhostGG.exe"
      PID: 1004
      Behaviors: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\UmbralNOVOCAIUOANTIGO.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\UmbralNOVOCAIUOANTIGO.exe"
        PID: 2940
        Behaviors: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\System32\Wbem\wmic.exe
          Command line: "wmic.exe" csproduct get uuid
          PID: 3476
          Behaviors: Suspicious use of AdjustPrivilegeToken
      - C:\Users\Admin\AppData\Local\Temp\GhostGG.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\GhostGG.exe"
        PID: 3496
        Behaviors: Checks computer location settings; Executes dropped EXE; Modifies registry class; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\Umbral.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\Umbral.exe"
          PID: 2456
          Behaviors: Executes dropped EXE; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
          - C:\Windows\System32\Wbem\wmic.exe
            Command line: "wmic.exe" csproduct get uuid
            PID: 1652
            Behaviors: Suspicious use of AdjustPrivilegeToken
        - C:\Windows\System32\msiexec.exe
          Command line: "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\Cloudflare_WARP_Release-x64.msi"
          PID: 4264
          Behaviors: Blocklisted process makes network request; Enumerates connected drives; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 3128
  Behaviors: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    PID: 2252
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 3868
  Behaviors: Checks SCSI registry key(s)
- C:\Users\Admin\Desktop\GhostGG.exe
  Command line: "C:\Users\Admin\Desktop\GhostGG.exe"
  PID: 3032
  Behaviors: Checks computer location settings; Executes dropped EXE; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\UmbralNOVOCAIUOANTIGO.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\UmbralNOVOCAIUOANTIGO.exe"
    PID: 3180
    Behaviors: Executes dropped EXE; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Wbem\wmic.exe
      Command line: "wmic.exe" csproduct get uuid
      PID: 4356
  - C:\Users\Admin\AppData\Local\Temp\GhostGG.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\GhostGG.exe"
    PID: 468
Network
MITRE ATT&CK Enterprise v15
Downloads