Analysis

  • max time kernel
    139s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    17-10-2024 11:17

General

  • Target

    MuddyWater.msi

  • Size

    2.6MB

  • MD5

    809334c0b55009c5a50f37e4eec63c43

  • SHA1

    24b60847bc0712c9ba0b8036c59ee16c211fa8bb

  • SHA256

    2722e289767ae391e3c3773b8640a8b9f6eb24c6a9d6e541f29c8765f7a8944b

  • SHA512

    a615b5ebce41db0ee6318d845daff393372fe4bf93d7f8af5f450df1ecdb9a9ebde9af39c40b5980b4d1002eb609ddffe6010247971842a855fd3922000322bd

  • SSDEEP

    49152:r51VAM5R2KAHlcp8qFmmzDza2Rqr+kMdPTEe/pjO8xn+ch/TzOFNOnUI:rPCMr2NMRmk/XeM9TEeRvx+ch/TzAr

Malware Config

Signatures

  • AteraAgent

    AteraAgent is a remote monitoring and management tool.

  • Detects AteraAgent 1 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 16 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 17 IoCs
  • Drops file in Windows directory 16 IoCs
  • Executes dropped EXE 4 IoCs
  • Launches sc.exe 1 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Loads dropped DLL 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Modifies registry class 22 IoCs
  • Modifies system certificate store 2 TTPs 5 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\MuddyWater.msi
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1124
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3328
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 119C42A24646E7AA3C24C6AA13913C05
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3552
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSICFC3.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240636125 2 AlphaControlAgentInstallation!AlphaControlAgentInstallation.CustomActions.ShouldContinueInstallation
        3⤵
        • Drops file in Windows directory
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:5068
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 5402052C3331B127143113CB44E315DF E Global\MSI0000
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4472
      • C:\Windows\SysWOW64\NET.exe
        "NET" STOP AteraAgent
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Windows\SysWOW64\net1.exe
          C:\Windows\system32\net1 STOP AteraAgent
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4864
      • C:\Windows\SysWOW64\TaskKill.exe
        "TaskKill.exe" /f /im AteraAgent.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4816
    • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
      "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe" /i /IntegratorLogin="[email protected]" /CompanyId="1" /IntegratorLoginUI="" /CompanyIdUI="" /FolderId="" /AccountId="001Q3000008IyacIAC"
      2⤵
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:3332
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:412
  • C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe
    "C:\Program Files (x86)\ATERA Networks\AteraAgent\AteraAgent.exe"
    1⤵
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2280
    • C:\Windows\System32\sc.exe
      "C:\Windows\System32\sc.exe" failure AteraAgent reset= 600 actions= restart/25000
      2⤵
      • Launches sc.exe
      PID:1792
    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
      "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9af4d46a-f8dc-4cd6-828a-56b90eef74b8 "8fcf30c1-38a0-41a2-b26f-ef09f8f0bf1b" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"
      2⤵
      • Drops file in System32 directory
      • Executes dropped EXE
      PID:4160
    • C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe
      "C:\Program Files (x86)\ATERA Networks\AteraAgent\Packages\AgentPackageAgentInformation\AgentPackageAgentInformation.exe" 9af4d46a-f8dc-4cd6-828a-56b90eef74b8 "8ff3c6e9-1d24-4a7a-9c8a-931bd294529f" agent-api.atera.com/Production 443 or8ixLi90Mf "minimalIdentification"
      2⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      PID:2404

Network

MITRE ATT&CK Enterprise v15


Downloads
