Overview

overview

9

Static

static

9

tox tweaki...or.exe

windows10-ltsc 2021-x64

1

tox tweaki...or.exe

windows10-ltsc 2021-x64

1

tox tweaki...CK.exe

windows10-ltsc 2021-x64

9

tox tweaki...ew.exe

windows10-ltsc 2021-x64

6

tox tweaki...up.exe

windows10-ltsc 2021-x64

1

tox tweaki...8.appx

windows10-ltsc 2021-x64

1

Microsoft.UI.Xaml.dll

windows10-ltsc 2021-x64

1

Microsoft.UI.Xaml.dll

windows10-ltsc 2021-x64

1

tox tweaki...up.exe

windows10-ltsc 2021-x64

8

tox tweaki...LG.exe

windows10-ltsc 2021-x64

1

tox tweaki...el.exe

windows10-ltsc 2021-x64

1

tox tweaki...un.exe

windows10-ltsc 2021-x64

3

Export.bat

windows10-ltsc 2021-x64

1

Import.bat

windows10-ltsc 2021-x64

1

SCEWIN_64.exe

windows10-ltsc 2021-x64

1

amifldrv64.sys

windows10-ltsc 2021-x64

1

amigendrv64.sys

windows10-ltsc 2021-x64

1

tox tweaki...64.exe

windows10-ltsc 2021-x64

1

tox tweaki...CL.exe

windows10-ltsc 2021-x64

1

tox tweaki...64.exe

windows10-ltsc 2021-x64

7

tox tweaki...64.sys

windows10-ltsc 2021-x64

1

tox tweaki...64.sys

windows10-ltsc 2021-x64

1

tox tweaki...vc.exe

windows10-ltsc 2021-x64

1

CRU/CRU.exe

windows10-ltsc 2021-x64

3

CRU/reset-all.exe

windows10-ltsc 2021-x64

3

CRU/restart.exe

windows10-ltsc 2021-x64

5

CRU/restart64.exe

windows10-ltsc 2021-x64

5

tox tweaki...on.exe

windows10-ltsc 2021-x64

1

Export.bat

windows10-ltsc 2021-x64

3

tox tweaki...ll.exe

windows10-ltsc 2021-x64

7

tox tweaki...xp.exe

windows10-ltsc 2021-x64

8

tox tweaki...tr.exe

windows10-ltsc 2021-x64

1

Analysis

  • max time kernel
    95s
  • max time network
    142s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    08-11-2024 15:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tox tweaking/niggers/openshell.exe

  • Size

    7.9MB

  • MD5

    cf93ef6708b8026ff44e5dfe26d6d387

  • SHA1

    8b1666ce02c032cbdc1a7afcd1e9395a892da386

  • SHA256

    31e616f27fad0c9b14a22c02ded2dc524411abf53d72c4136f22db1be0156865

  • SHA512

    9d30881098f283bf478b56267623f3d4559ca7554fabdaf777458dec1368a4d6d84b8bd7ff0982060aeea85c69f8d160b2afcfbe5bbbffb2d425bc2a8dd63f52

  • SSDEEP

    196608:4A+K5NrULkCZNxUmPYLWDYqqaUeqA923VnJEhqY1TUmPYbWDi2r:4A1rUIMNWmQaD/t7GVnJErwmQqDx

Score
7/10
adwarediscoverypersistenceprivilege_escalationstealer

Malware Config

Signatures

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Modifies system executable filetype association 2 TTPs 10 IoCs
    persistence
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 40 IoCs
  • Drops file in Windows directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies data under HKEY_USERS 3 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\openshell.exe
    "C:\Users\Admin\AppData\Local\Temp\tox tweaking\niggers\openshell.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4324
    • C:\Windows\SysWOW64\msiexec.exe
      msiexec.exe /i "C:\ProgramData\OpenShellSetup64_4_4_190.msi"
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4028
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4828
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4
      2⤵
        PID:3448
      • C:\Windows\syswow64\MsiExec.exe
        "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer32.dll"
        2⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:3124
      • C:\Windows\System32\MsiExec.exe
        "C:\Windows\System32\MsiExec.exe" /Y "C:\Program Files\Open-Shell\ClassicExplorer64.dll"
        2⤵
        • Loads dropped DLL
        • Installs/modifies Browser Helper Object
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:1852
      • C:\Windows\syswow64\MsiExec.exe
        "C:\Windows\syswow64\MsiExec.exe" /Y "C:\Windows\SysWOW64\StartMenuHelper32.dll"
        2⤵
        • Loads dropped DLL
        • Modifies system executable filetype association
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        PID:4576
      • C:\Windows\System32\MsiExec.exe
        "C:\Windows\System32\MsiExec.exe" /Y "C:\Windows\system32\StartMenuHelper64.dll"
        2⤵
        • Loads dropped DLL
        • Modifies system executable filetype association
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:1368
      • C:\Program Files\Open-Shell\StartMenu.exe
        "C:\Program Files\Open-Shell\StartMenu.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        PID:3156
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:2268
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
      1⤵
      • System Location Discovery: System Language Discovery
      PID:540

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Browser Extensions

    1
    T1176

    Event Triggered Execution

    2
    T1546

    Change Default File Association

    1
    T1546.001

    Component Object Model Hijacking

    1
    T1546.015

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Event Triggered Execution

    2
    T1546

    Change Default File Association

    1
    T1546.001

    Component Object Model Hijacking

    1
    T1546.015

    Defense Evasion

    Modify Registry

    4
    T1112

    Credential Access

    Discovery

    Peripheral Device Discovery

    2
    T1120

    Query Registry

    2
    T1012

    System Information Discovery

    3
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e582854.rbs
      Filesize

      19KB

      MD5

      53f69969109f319c60daf79adb74b12c

      SHA1

      af5d11f1245cefc111a782af2d029dbf093202d9

      SHA256

      07fbe416c900a1bc9d2d05fe5145d7349625229dcf43610e88e270687a38b5a1

      SHA512

      2ee8d83f21e628f434b856e35cb5dc8d5a29f085551f358f4255203a16c50b71307388fdd495821ff758479a03b6f879bda701e92091f19e0e13b2d56ab3e127

      Download Submit

    • C:\Program Files\Open-Shell\ClassicExplorer32.dll
      Filesize

      863KB

      MD5

      4e8857fb490c01a686095785bbef5896

      SHA1

      975dd96ce38ad1ec0b25decf4c8d36d583a9f02a

      SHA256

      ba769f3ac5d06433babf0c260f9e6178834ebdad5bbd43bcdabe5ca3ea140d77

      SHA512

      e23bcc3809fa35a99aabf1fef54faeeaff491e5e7afa0e1a69c5ff2ee95fac02d6111fda6831964edae6b3cadaf17553a9cb4e1a0fa39e942e303b264f2c0f66

      Download Submit

    • C:\Program Files\Open-Shell\ClassicExplorer64.dll
      Filesize

      964KB

      MD5

      e668a04a52acc169c16717d4b1184f17

      SHA1

      1f6e4293c919bddc9e3cfa324724a07f309e95e0

      SHA256

      9c52a38e89a954d9e200fcd3a8b29fa92dd0239945902b817732e45c3a216f1f

      SHA512

      5f09aabc536b593c043b32a7d2400cbcd4e9b8e5346c116ff58337a30c6b8704e91551fbae57d3afdc32e14446c39f85ef4d2839fed9b6ab6c9fc0fa453ac720

      Download Submit

    • C:\Program Files\Open-Shell\ExplorerL10N.ini
      Filesize

      98KB

      MD5

      6ed13b9c1719b252e735ba7e33280e67

      SHA1

      f3753deab4d99dbee4821a8a70fe6e978e1a45f6

      SHA256

      b351158059f3d94c112863defad9063c5cdb81dea0b47530809ef4d8de4b68ab

      SHA512

      f529034e5853624f7bcce9a7ab93c205ec8fd1c671009e0a0b767f3268525ec2b91e75eeda2eb5f9f4c58a6d713b56e09a23aefd52d4b51eadd1fcef2c016afc

      Download Submit

    • C:\Program Files\Open-Shell\Start Menu Settings.lnk
      Filesize

      1KB

      MD5

      8ebbbf5e5590842f341c12e05def6058

      SHA1

      ad31e8f6d33d3ad5923645f138558638176cc47b

      SHA256

      ea15044318b05e02a07d440857391b8be677226eea10b63a5e3b3be6868a83b7

      SHA512

      0c353820a4d7c144d8ec1610298a1e69535930229b94392794d208df2241300d88d1c9d241c7eaec77a46f5407589c6a47f43b8dcb4c79ad64215ef7de29d343

      Download Submit

    • C:\Program Files\Open-Shell\Start Menu Settings.lnk~RFe582b41.TMP
      Filesize

      1KB

      MD5

      75624bee731e36ef3a9e6ba636c38659

      SHA1

      4680db471c1b4b369edbe4635bb5f8581f1dc595

      SHA256

      989f84cd823bdd05cad84a2e226605f8c04bcbabfb61002747acf4e016f68c49

      SHA512

      fa727e9674972b6b30f3a523ae54809fcb8c110b1d195a672d644224d9c4d1fc690cb5cc13b0f0d4d45b008be54dd47f2b048dd13d2526b61cdc2ea7402d9fd7

      Download Submit

    • C:\Program Files\Open-Shell\Start Screen.lnk
      Filesize

      1KB

      MD5

      be841866cb7d65c1a2d71789ccf1007c

      SHA1

      1167542585eb7fbffc43d335f5291a86ee1b3d84

      SHA256

      3437edd8242a78a8101b1c049d2e87e9cd79e59bc51cfa894313999803961cb5

      SHA512

      19b29c31f3164dd56956d287b3bddf011b355d8ad616f21cca46b9ddc4a5877fdf37ea62817077a46d2046ddd839ce0c10ad2522da6f98eebf0bfbae47cc0311

      Download Submit

    • C:\Program Files\Open-Shell\Start Screen.lnk
      Filesize

      2KB

      MD5

      d5d9ea5060b43ad8ae908f3a48ef2f3e

      SHA1

      77847e265f130d30c8f914aea1b236081c13d7cc

      SHA256

      645c5f2fdbe98013cdf4f18360c403f786ca280f242418d6fe4c9037ca6b987b

      SHA512

      0053117180b6ca48ad38008fbd21a2b73fd182118e1040f8d057fbf12d9b5f2043a900fb60100b2fd505f113be99cf01eacf5bf693b2763b9cca8fdf2b90c7ce

      Download Submit

    • C:\Program Files\Open-Shell\Start Screen.lnk~RFe582b60.TMP
      Filesize

      1KB

      MD5

      7ef701a99a6bb9e914c6196d64734cab

      SHA1

      70a6f6fb3e8a10aab956e5d9bdb5d4ce230f9eda

      SHA256

      4208941306aaf7ef6388a48ed42d225a28b82849d356d7e29172f3ef41618655

      SHA512

      55c2ec23a8765318ea55e6288becb805795d0e16ef58e5d0194be630d168a4879fd36c3951aa58bfab048b83460ade6a347f59a0490ac314bff7bb74030590b8

      Download Submit

    • C:\Program Files\Open-Shell\StartMenu.exe
      Filesize

      259KB

      MD5

      6f7907b4b6e7332fdc29835198fe98d4

      SHA1

      4c7447137678209a1acbe58ef91db60f706e2b50

      SHA256

      08f505b325a67b61eb997cd45d61fb04851b6e6477110739a7cfc1ef5d290fae

      SHA512

      030f3b80f320005a27cab243573a704a46ed6cc342b2f9aef128511f132b9e1ffcf3759c44fe6252e045ce6368376cfddca5a8fab07664d9ea89acc9666e48b2

      Download Submit

    • C:\Program Files\Open-Shell\StartMenuDLL.dll
      Filesize

      2.7MB

      MD5

      1a4b83094fa595506d8d33663edfd64b

      SHA1

      49956cacdec572f5311a23fcc9499a63943df0b9

      SHA256

      3a2898c5a1c71c42a95583ccd2ad72e30f43d815b3da3452b3d245ba5c0aa1e5

      SHA512

      ac48376c9085976eff72702136a94ff66c53ca58624b00557e39ed1accc4de074c9f7fed877f030b4936dde41faa627920a9b7332dd721adc38871778f08f6b3

      Download Submit

    • C:\Program Files\Open-Shell\StartMenuHelperL10N.ini
      Filesize

      11KB

      MD5

      29221f620ea6b5893add15dd6c307684

      SHA1

      97c31bb9585a0896e1fcea8efa3f05ff16823da2

      SHA256

      53cafbc10e671b2885775dc7d7b66e93156a4fb661aee95e03c2dd74ea99fa84

      SHA512

      b4c98f1352d7f8c60eb785b1849673bfa880242fe3daceb2bf9e69ec7ddd6c707df905c7b18b2888d87ba47a36f967761c8ff69d8082ebbf5dbf3a21aba55f42

      Download Submit

    • C:\Program Files\Open-Shell\StartMenuL10N.ini
      Filesize

      286KB

      MD5

      673bb428b6d3fab8cba07890cad09d0e

      SHA1

      45039820289bdb485bb761e9b267f6de9e18a26c

      SHA256

      ff4ba6dc92215a59e2d84e2ec489bb5cdc3b3799f08d83a0b27639117e25ce33

      SHA512

      2da16a2be769290f457b471155b6da838ce089c85a8d0fdd8c65b58a20212eb719893a16cbcb9510f01c6a10eb23c7b53e396f97445cb802a39b9c8ed4f0962e

      Download Submit

    • C:\Program Files\Open-Shell\~tart Screen.tmp
      Filesize

      2KB

      MD5

      7455e9b6652ef325b79b4ef666361701

      SHA1

      9af77968d5d764705f343c073c18eaaa23a01a55

      SHA256

      fb490f82b585648ee739208d372286faf8c58ec4fd845bb56209d449103da3d5

      SHA512

      1ee165fd713eef3e923c53a34989a224bcc7dbdc5cba1964a2b10bd769012af4bf1487b12b174dca44a062628e1073fc5216bf1e46bc49536cd482227c2c2a2f

      Download Submit

    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Classic Explorer Settings.lnk
      Filesize

      1KB

      MD5

      5adf157923fe6ea732a8909e842d67ba

      SHA1

      87f4da8f7eb1e2c0d0b2bf1163adef426441c83b

      SHA256

      6a175cce6a793e946ba4cf83c27f3b9881681509cbf72217982c35eeafabfcc9

      SHA512

      a7dde2e200b3b02718db64675736083169d9af73d1cce5f35746a12d00cfd04a5beebef6c623b9f30bf49e01156bbfc7934b70e82172a5140b05c1c777b35c07

      Download Submit

    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Classic Explorer Settings.lnk~RFe582b22.TMP
      Filesize

      1KB

      MD5

      b2d080b56730278a08e37e1b37c4bc95

      SHA1

      8be8d98abb7300807bf12cdd95d0d29cc32a8109

      SHA256

      71168979993324fa3625900240a18fb2da846ec99f8cab6038710f6c4a60eb24

      SHA512

      86c0839785ef377eae2ce9dabd2f63686d444a491fe58c85579264a432b4a1d093d31427e7a86024e20040143e0298eec4ee192957e7ef50cd85f4119f6ec499

      Download Submit

    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Menu Settings.lnk
      Filesize

      1KB

      MD5

      43339561150a6ee40b192057cd4d89f2

      SHA1

      facf3c101b94b0baf3c327f547b953cbeb8a4c01

      SHA256

      db91dc35bb5ecf96027dd3df722cce43b3dd936a610f23fc7b3f827355c4d63f

      SHA512

      a1a9151e48f68484cbbbbe1f6b4d638a47cecfc2e1b5e094a3da18ef96906e2d15a17d331fe3193162b829e69ba3beeb7e1c99df0d11071b02152141d6245aba

      Download Submit

    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Menu Settings.lnk~RFe582b32.TMP
      Filesize

      1KB

      MD5

      709a7d8118e2c9f519cee3c2a02ecf5e

      SHA1

      a986848da7033b506e3fe41bfb4e7c5468db44bb

      SHA256

      33c493a73a4bab28182fb2e1e96cddbd8908c1c9b734514f319f494223444d3f

      SHA512

      bfe0752fa24bec6df43fcacdb5a105d7f386e7348513a5e21b1a4c20565c1a7a752f0a7a28a02dab6b645d54f19aabaf0519c8bc844cad17a4bb510e6a70b569

      Download Submit

    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk
      Filesize

      1KB

      MD5

      47648a0dd01132f6bf4bd6ac22add6d3

      SHA1

      b72967345117560aeefd04c2a543462c4dfe4647

      SHA256

      6733ef443bdd175393795a5cbf75c48e136a0546b15ed550f9a7084b08f5881a

      SHA512

      89490a6e26ee67d86b5544de06d16957e38a6354ac1de14d9aa26d8ed08916d82333cabfdd82092833a7e80d5fbc02e1172af046aaa7b3665721e272efce8858

      Download Submit

    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk
      Filesize

      1KB

      MD5

      69bd9aa39dee24a9c725018e65d78bfe

      SHA1

      4750794905fb67b6d128689c58889ba75a7b86c4

      SHA256

      597e636d5ea586c64d1aabf5a1507fdd4d88e7f967320791c3337463c39ec783

      SHA512

      0baff7e19f387d7549ff80dc377dd54fd504bb63fa437ab00b53aa6188f4a676b42f038530f04eb853d858926cfd72066111647e51fedd9fdb84620f1247cb44

      Download Submit

    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Open-Shell\Open-Shell Update.lnk~RFe582b12.TMP
      Filesize

      1KB

      MD5

      44d1f9844a5fdf24901198c45d8dcefe

      SHA1

      ab074b6d1f69cc46ccc4514875b64e44020d2513

      SHA256

      b7d9e6a53aab5f49bae28e1b160009ad2f8527b5d8c86d4ca57fb33abda50bde

      SHA512

      e6f8d186971515a86e0aecb1aa57179676172529f51790d0cb5ea48909fdd2b88935d4bc353e502e0301d53fae5daec7e06431d47c68a2c65ae9d529656f4a07

      Download Submit

    • C:\ProgramData\OpenShellSetup64_4_4_190.msi
      Filesize

      5.3MB

      MD5

      971e810ca9478a41252ff920520f108a

      SHA1

      5d0919ba92d0983afa4754c1659f5db619c84f1a

      SHA256

      7a22d669ffdd65e71c15f517af6c8013931a61e6da67b5642604fef61038e85e

      SHA512

      4c7b8a396ad3eea6f7294add7d2696240fe40910d166e59f51611cbd020430a675fb266256c09f95728fc7db563430ebc6c5d7c0d10bf8942c8406aeaf85d931

      Download Submit

    • C:\Windows\SysWOW64\StartMenuHelper32.dll
      Filesize

      350KB

      MD5

      4bb413dd44c6cb51d04095d45c7ff040

      SHA1

      8048d8c2c012a7d967f9201b5be51221b0ed0afa

      SHA256

      4677b065ed62539047f893f96691ae07570b1ac7c2172c6705c053ba6f75a277

      SHA512

      9d4344dbde6ad8a8fab66c494ce13f8cf3b79b312a65f71c559093179a95c155586ed532fc3d8c34363bd0aea53236e3a2552371230c3c57071eab493a77572f

      Download Submit

    • C:\Windows\system32\StartMenuHelper64.dll
      Filesize

      426KB

      MD5

      efb282fe9c98bfac6480575a211b02ff

      SHA1

      0b0a2e34f00c985a0574c47ff0c950f5e9db3f40

      SHA256

      84782c13c8d9fc68c2e86c204c2be99b846e39824096f64dd06b578841467d65

      SHA512

      7180ea2ccb5cd47398a009903450c9b4370bda4c73ddd5c11e4be5f6e0756e0466770df2ca82a1d5b78b619a90ffd17a88e15a9a5d073c3b5e97be9226c5b994

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      23.9MB

      MD5

      a388e1bbf0a80db914550230911de1f4

      SHA1

      56e99dd6a9eeffd15e6fdcd8de829976eab5ee72

      SHA256

      3004a30cdb457a2b9576bbcac11dc3180931ae5346fd1891be6131ba996568ed

      SHA512

      7e99140e44452ed3b1b609b68649debb7fca7dd2e662c84770df0f78872ffea23db050eecdeeccf1fa629f3d8726ce42cedd7a25088e313782158b71b3c4c79c

      Download Submit

    • \??\Volume{8fc2d019-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a0efd45f-0d93-4c40-abec-73d90e73ae85}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      829e550c284cf1d6f6b143ddcb86ace2

      SHA1

      594bce7ba14c27054054420a7413783b6e95cfd9

      SHA256

      92c797855986685e9b28c2ee2b04e1c52b83f877349c0d3c05fff4ead27cafd1

      SHA512

      917719e6ca6432cbd243bcc32538c7434eec1a79de0fee140d506f99e0f3af14ac678993783971d21140cab7561a1fab4000337089608af036e86411cef8e9d5

      Download Submit