Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-12-2024 19:44

Static task: static1

Behavioral task: behavioral1
Sample: ceb305646f9a8229ff55bf26432eb527_JaffaCakes118.msi
Resource: win7-20240729-en

Behavioral task: behavioral2
Sample: ceb305646f9a8229ff55bf26432eb527_JaffaCakes118.msi
Resource: win10v2004-20241007-en

General
Target: ceb305646f9a8229ff55bf26432eb527_JaffaCakes118.msi
Size: 532KB
MD5: ceb305646f9a8229ff55bf26432eb527
SHA1: 247ff878939c7ca96db9715afc03e5032c143909
SHA256: e9eee1a0652b7aeb0e816ad27e45d791d5d2e576d7f57833f0de46bc1c651a0e
SHA512: c7bd25a68c8344b2315ab3bcd7ba6741cdd93cad3a63274c6a65f727ed5ea5e11bae10db1e88b9e3687cc08736488c3d47375a11514dd5e541cb26e048fab4d3
SSDEEP: 6144:QES4fnuEgmu4ZVKgCV7PKgJSbMw2D7PIDAtVsEHoALjYKmFe3l/H9m7u:QErfng6VKgCV7PKQUSD7w2CvKmelk
Malware Config
Extracted
formbook
3.9
le
Signatures
Formbook family
Formbook payload 3 IoCs
resource   yara_rule
behavioral2/memory/2648-15-0x0000000000400000-0x000000000042A000-memory.dmp   formbook
behavioral2/memory/2648-31-0x0000000000400000-0x000000000042A000-memory.dmp   formbook
behavioral2/memory/2648-32-0x0000000000400000-0x000000000042A000-memory.dmp   formbook
Adds policy Run key to start application 2 TTPs 2 IoCs
description   ioc   Process
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\RJG8PVYPFZS = "C:\\Program Files (x86)\\Cu2udk\\jjoejotqrmx.exe"   help.exe
Key created   \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run   help.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Suspicious use of SetThreadContext 4 IoCs
description   pid   Process   procid_target
PID 3420 set thread context of 2648   3420   MSIB4CA.tmp   97
PID 2648 set thread context of 3524   2648   MSIB4CA.tmp   56
PID 2648 set thread context of 3524   2648   MSIB4CA.tmp   56
PID 3732 set thread context of 3524   3732   help.exe   56
Drops file in Program Files directory 1 IoCs
description   ioc   Process
File opened for modification   C:\Program Files (x86)\Cu2udk\jjoejotqrmx.exe   help.exe
Drops file in Windows directory 8 IoCs
description   ioc   Process
File opened for modification   C:\Windows\Installer\MSIB46B.tmp   msiexec.exe
File opened for modification   C:\Windows\Installer\MSIB4CA.tmp   msiexec.exe
File created   C:\Windows\Installer\e57b381.msi   msiexec.exe
File opened for modification   C:\Windows\Installer\e57b381.msi   msiexec.exe
File opened for modification   C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log   msiexec.exe
File opened for modification   C:\Windows\Installer\   msiexec.exe
File created   C:\Windows\Installer\inprogressinstallinfo.ipi   msiexec.exe
File created   C:\Windows\Installer\SourceHash{29EF7317-DCA1-4159-97B2-C883AD400AC6}   msiexec.exe
Executes dropped EXE 2 IoCs
pid   Process
3420   MSIB4CA.tmp
2648   MSIB4CA.tmp
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid   Process
2108   msiexec.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description   ioc   Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   MSIB4CA.tmp
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   help.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   cmd.exe
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description   ioc   Process
Set value (data)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache   vssvc.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters   vssvc.exe
Key queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters   vssvc.exe
Key created   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr   vssvc.exe
Set value (data)   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache   vssvc.exe
Modifies Internet Explorer settings
description   ioc   Process
Key created   \Registry\User\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2   help.exe
Suspicious behavior: EnumeratesProcesses 56 IoCs
Suspicious behavior: MapViewOfSection 6 IoCs
pid   Process
2648   MSIB4CA.tmp
2648   MSIB4CA.tmp
2648   MSIB4CA.tmp
2648   MSIB4CA.tmp
3732   help.exe
3732   help.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 2 IoCs
pid   Process
2108   msiexec.exe
2108   msiexec.exe
Suspicious use of SetWindowsHookEx 1 IoCs
pid   Process
3420   MSIB4CA.tmp
Suspicious use of WriteProcessMemory 21 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 3524

    C:\Windows\system32\msiexec.exe
    Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ceb305646f9a8229ff55bf26432eb527_JaffaCakes118.msi
    - Enumerates connected drives
    - Event Triggered Execution: Installer Packages
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID: 2108

    C:\Windows\SysWOW64\autoconv.exe
    Command line: "C:\Windows\SysWOW64\autoconv.exe"
    PID: 824

    C:\Windows\SysWOW64\help.exe
    Command line: "C:\Windows\SysWOW64\help.exe"
    - Adds policy Run key to start application
    - Suspicious use of SetThreadContext
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID: 3732

        C:\Windows\SysWOW64\cmd.exe
        Command line: /c del "C:\Windows\Installer\MSIB4CA.tmp"
        - System Location Discovery: System Language Discovery
        PID: 3412

        C:\Windows\SysWOW64\cmd.exe
        Command line: /c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V
        - System Location Discovery: System Language Discovery
        PID: 4616

C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID: 2224

    C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - Suspicious use of AdjustPrivilegeToken
    PID: 2232

    C:\Windows\Installer\MSIB4CA.tmp
    Command line: "C:\Windows\Installer\MSIB4CA.tmp"
    - Suspicious use of SetThreadContext
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 3420

        C:\Windows\Installer\MSIB4CA.tmp
        Command line: "C:\Windows\Installer\MSIB4CA.tmp"
        - Suspicious use of SetThreadContext
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        PID: 2648

C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID: 2516
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
    - Installer Packages (1)
Privilege Escalation
- Boot or Logon Autostart Execution (1)
    - Registry Run Keys / Startup Folder (1)
- Event Triggered Execution (1)
    - Installer Packages (1)
Credential Access
- Credentials from Password Stores (1)
    - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
    - Credentials In Files (1)
Downloads