Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/08/2024, 23:34

General

  • Target

  • Size

    4.1MB

  • MD5

    4dd7bd5bc7ad5494b39c033290136207

  • SHA1

    aeac40777f86c172d8872643c9c537f53cdf1f5d

  • SHA256

    30949949855ec60455a390a5f77ce7eaf52b3917a963a27ecc7dd1946862e852

  • SHA512

    483c6099e920c5b36cd052e59b331d720cebbbf242d190c1b5383b5a7a6327abfc45f2311f58332822d4ec6f726722cf4f16f1c61071d10307a9a6a32849df37

  • SSDEEP

    98304:0BZc4QcOiOqteN/+G5s5jmL0tipvHYzlgpwS+nqA5:IzOVq29mJmgw0gpwSa

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Checks whether UAC is enabled 1 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Modifies WinLogon 2 TTPs 9 IoCs
  • Drops file in System32 directory 2 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 26 IoCs
  • Drops file in Windows directory 9 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 12 IoCs
  • Modifies registry class 30 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 30 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\[email protected]
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2368
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4784
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:2128
      • C:\Windows\Installer\MSIBE21.tmp
        "C:\Windows\Installer\MSIBE21.tmp" /FromMSI
        2⤵
        • Checks whether UAC is enabled
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_installer_customer.exe
          "C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_installer_customer.exe " "/Action SetupUnattendedSilent" "/DownloadServer https://launch.getgo.com" "/EGWAddress 216.115.218.197" "/EGWDNS egw1.express.gotoassist.com" "/EGWPort 8200,80,443" /FromMSI "/Language en_US" "/LoaderPath C:\Windows\Installer\MSIBE21.tmp" "/LogPath C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\" "/Mode Normal" "/RestartReason Start" "/ServiceAllowed Yes" "/StartAsService Yes" "/Stat On" "/StatDb On" "/Trigger Web" "/UnattendedSetupToken 5331656515450037371" "/WebsiteUrl http://support.gotoassist.com" "/locale en_US" "/silent"
          3⤵
          • Checks whether UAC is enabled
          • Drops file in Program Files directory
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies system certificate store
          • Suspicious use of WriteProcessMemory
          PID:2800
          • C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe
            "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=install_manual&Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSIBE21.tmp&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\&Mode=Normal&RestartReason=Start&ServiceAllowed=Yes&StartAsService=Yes&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&WebsiteUrl=http://support.gotoassist.com&locale=en_US"
            4⤵
            • Modifies WinLogon
            • Drops file in Program Files directory
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            PID:2932
          • C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe
            "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=start_session&Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSIBE21.tmp&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\&Mode=Normal&RestartReason=Start&ServiceAllowed=Yes&StartAsService=Yes&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&WebsiteUrl=http://support.gotoassist.com&locale=en_US"
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            PID:4404
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:4532
    • C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe
      "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_service.exe" "Start=service"
      1⤵
      • Drops file in System32 directory
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe
        "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_comm_customer.exe" "Action=SetupUnattendedSilent&DownloadServer=https://launch.getgo.com&EGWAddress=216.115.218.197&EGWDNS=egw1.express.gotoassist.com&EGWPort=8200,80,443&Language=en_US&LoaderPath=C:\Windows\Installer\MSIBE21.tmp&LogName=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\GoToAssist Remote Support Customer.LOG&LogPath=C:\Users\Admin\AppData\Local\Temp\LogMeInLogs\GoToAssist Remote Support Customer\1575\20240824_233524\&Mode=Normal&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RestartReason=Start&RunningAsService=YES&ServiceAllowed=Yes&Start=service&StartAsService=Yes&StartID={45CB397D-781F-4B69-955E-7EB5F5BDC348}&Stat=On&StatDb=On&Trigger=Web&UnattendedSetupToken=5331656515450037371&UniqueId=1896&WebsiteUrl=http://support.gotoassist.com&locale=en_US"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies data under HKEY_USERS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1416
        • C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe
          "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_system_customer.exe" "StartID={6EFAC87B-3BB8-4940-8458-5B2133ED1C4A}&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RunningAsService=YES&Debug=Off&Stat=On&StatDb=On&Index=0"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2424
        • C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe
          "C:\Program Files (x86)\GoToAssist Remote Support Customer\1575\g2ax_user_customer.exe" "StartID={45CB397D-781F-4B69-955E-7EB5F5BDC348}&ResourceDll=g2ax_customer_resource_win32_x86_en_US.dll&RunningAsService=YES&Debug=Off&Stat=On&StatDb=On&Index=0"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:1908
      • C:\Windows\system32\regsvr32.exe
        "C:\Windows\system32\regsvr32.exe" /s C:\Windows\system32\g2ax_credential_provider64_1575.dll
        2⤵
        • Loads dropped DLL
        • Modifies registry class
        PID:2980

    Downloads

    • C:\Config.Msi\e57bd38.rbs

      Filesize

      8KB

    • C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_combined_customer.dll

      Filesize

      9.0MB

    • C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_credential_provider.dll

      Filesize

      113KB

    • C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_credential_provider64.dll

      Filesize

      122KB

    • C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_customer_resource_win32_x86_de.dll

      Filesize

      2.7MB

    • C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_customer_resource_win32_x86_en_US.dll

      Filesize

      2.7MB

    • C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_customer_resource_win32_x86_es.dll

      Filesize

      2.7MB

    • C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_customer_resource_win32_x86_fr.dll

      Filesize

      2.7MB

    • C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_customer_resource_win32_x86_it.dll

      Filesize

      2.7MB

    • C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_customer_resource_win32_x86_pt.dll

      Filesize

      2.7MB

    • C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_exe_customer_adminui.exe

      Filesize

      599KB

    • C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_installer_customer.exe

      Filesize

      599KB

    • C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_installer_customer_admin.exe

      Filesize

      599KB

    • C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_processfactory.exe

      Filesize

      680KB

    • C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_winlogon.dll

      Filesize

      598KB

    • C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\g2ax_winlogonx64.dll

      Filesize

      599KB

    • C:\Users\Admin\AppData\Local\Temp\LogMeInInc\GoToAssist Remote Support Customer\1575\g2aC062.tmp\uninshlp.dll

      Filesize

      20KB

    • C:\Windows\Installer\MSIBE21.tmp

      Filesize

      3.6MB

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

      Filesize

      23.7MB

    • \??\Volume{fa35ad82-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0af9ce3c-45b7-4eba-8644-cf7b053b8c8d}_OnDiskSnapshotProp

      Filesize

      6KB

    • memory/2964-111-0x0000000000400000-0x000000000225E000-memory.dmp

      Filesize

      30.4MB

    • memory/2964-117-0x0000000000400000-0x000000000225E000-memory.dmp

      Filesize

      30.4MB

    • memory/2964-11-0x0000000000400000-0x000000000225E000-memory.dmp

      Filesize

      30.4MB