Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system -
submitted
10-01-2025 20:32
Static task
static1
Behavioral task
behavioral1
Sample
DogusignReader1.26g.msi
Resource
win10v2004-20241007-en
Behavioral task
behavioral2
Sample
DogusignReader1.26g.msi
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral3
Sample
DogusignReader1.26g.msi
Resource
win11-20241007-en
General
-
Target
DogusignReader1.26g.msi
-
Size
10.5MB
-
MD5
35f774e65e57f419fff8d8f74945ea51
-
SHA1
c3e1d2d50a9bbca445576e0d71c6984cc1dc60bb
-
SHA256
d00a3e22e53210acbd5c3e39b85332e3d47c8ec001d2bbf7a13abb07427bbba2
-
SHA512
34db08df1751754159ca37249dd8a66a811150e2a0bbdc020858f5ee55f9fb8ef763bb74bbb723633f79ea9fde8dd0feeb0c79e0c442ca6f15a8c6d8ffa58a26
-
SSDEEP
196608:xaZKIcPtwQbOmV7SPjZJrtiXPFsKASDdybmR67JU6OpkKM1sQT9nAJDPMRAl6q7r:Y3cPt30JrtiXdsKAcrR67J0kR1syAtMU
Malware Config
Extracted
lumma
https://robinsharez.shop/api
https://handscreamny.shop/api
https://chipdonkeruz.shop/api
https://versersleep.shop/api
https://crowdwarek.shop/api
https://apporholis.shop/api
https://femalsabler.shop/api
https://soundtappysk.shop/api
Signatures
-
Lumma family
-
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\J: msiexec.exe -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1624 set thread context of 2284 1624 RttHlp.exe 88 PID 4260 set thread context of 4552 4260 RttHlp.exe 90 -
Drops file in Windows directory 12 IoCs
description ioc Process File created C:\Windows\Installer\e579990.msi msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{9E7FC4DE-E781-4DF2-B3A9-BEB9E721ACAB} msiexec.exe File opened for modification C:\Windows\Installer\MSI9A8A.tmp msiexec.exe File created C:\Windows\SystemTemp\~DF72CF17F244CB6F42.TMP msiexec.exe File opened for modification C:\Windows\Installer\e579990.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\SystemTemp\~DFCA58BCB99B5B07B4.TMP msiexec.exe File created C:\Windows\SystemTemp\~DFEFCDB54D3B003C9F.TMP msiexec.exe File created C:\Windows\Installer\e579992.msi msiexec.exe File created C:\Windows\SystemTemp\~DFB5C87EE2F696A0BA.TMP msiexec.exe -
Executes dropped EXE 3 IoCs
pid Process 2640 RttHlp.exe 4260 RttHlp.exe 1624 RttHlp.exe -
Loads dropped DLL 16 IoCs
pid Process 2640 RttHlp.exe 2640 RttHlp.exe 2640 RttHlp.exe 2640 RttHlp.exe 2640 RttHlp.exe 2640 RttHlp.exe 4260 RttHlp.exe 4260 RttHlp.exe 1624 RttHlp.exe 1624 RttHlp.exe 1624 RttHlp.exe 1624 RttHlp.exe 1624 RttHlp.exe 1624 RttHlp.exe 1624 RttHlp.exe 1624 RttHlp.exe -
Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
pid Process 3920 msiexec.exe -
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RttHlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RttHlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RttHlp.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language explorer.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000485242783223abf50000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000485242780000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090048524278000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d48524278000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000004852427800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.
description flow ioc HTTP User-Agent header 4 Go-http-client/1.1 -
Suspicious behavior: EnumeratesProcesses 11 IoCs
pid Process 4176 msiexec.exe 4176 msiexec.exe 2640 RttHlp.exe 4260 RttHlp.exe 4260 RttHlp.exe 1624 RttHlp.exe 1624 RttHlp.exe 2284 cmd.exe 2284 cmd.exe 4552 cmd.exe 4552 cmd.exe -
Suspicious behavior: MapViewOfSection 4 IoCs
pid Process 1624 RttHlp.exe 4260 RttHlp.exe 2284 cmd.exe 4552 cmd.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeShutdownPrivilege 3920 msiexec.exe Token: SeIncreaseQuotaPrivilege 3920 msiexec.exe Token: SeSecurityPrivilege 4176 msiexec.exe Token: SeCreateTokenPrivilege 3920 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 3920 msiexec.exe Token: SeLockMemoryPrivilege 3920 msiexec.exe Token: SeIncreaseQuotaPrivilege 3920 msiexec.exe Token: SeMachineAccountPrivilege 3920 msiexec.exe Token: SeTcbPrivilege 3920 msiexec.exe Token: SeSecurityPrivilege 3920 msiexec.exe Token: SeTakeOwnershipPrivilege 3920 msiexec.exe Token: SeLoadDriverPrivilege 3920 msiexec.exe Token: SeSystemProfilePrivilege 3920 msiexec.exe Token: SeSystemtimePrivilege 3920 msiexec.exe Token: SeProfSingleProcessPrivilege 3920 msiexec.exe Token: SeIncBasePriorityPrivilege 3920 msiexec.exe Token: SeCreatePagefilePrivilege 3920 msiexec.exe Token: SeCreatePermanentPrivilege 3920 msiexec.exe Token: SeBackupPrivilege 3920 msiexec.exe Token: SeRestorePrivilege 3920 msiexec.exe Token: SeShutdownPrivilege 3920 msiexec.exe Token: SeDebugPrivilege 3920 msiexec.exe Token: SeAuditPrivilege 3920 msiexec.exe Token: SeSystemEnvironmentPrivilege 3920 msiexec.exe Token: SeChangeNotifyPrivilege 3920 msiexec.exe Token: SeRemoteShutdownPrivilege 3920 msiexec.exe Token: SeUndockPrivilege 3920 msiexec.exe Token: SeSyncAgentPrivilege 3920 msiexec.exe Token: SeEnableDelegationPrivilege 3920 msiexec.exe Token: SeManageVolumePrivilege 3920 msiexec.exe Token: SeImpersonatePrivilege 3920 msiexec.exe Token: SeCreateGlobalPrivilege 3920 msiexec.exe Token: SeBackupPrivilege 4476 vssvc.exe Token: SeRestorePrivilege 4476 vssvc.exe Token: SeAuditPrivilege 4476 vssvc.exe Token: SeBackupPrivilege 4176 msiexec.exe Token: SeRestorePrivilege 4176 msiexec.exe Token: SeRestorePrivilege 4176 msiexec.exe Token: SeTakeOwnershipPrivilege 4176 msiexec.exe Token: SeRestorePrivilege 4176 msiexec.exe Token: SeTakeOwnershipPrivilege 4176 msiexec.exe Token: SeRestorePrivilege 4176 msiexec.exe Token: SeTakeOwnershipPrivilege 4176 msiexec.exe Token: SeRestorePrivilege 4176 msiexec.exe Token: SeTakeOwnershipPrivilege 4176 msiexec.exe Token: SeRestorePrivilege 4176 msiexec.exe Token: SeTakeOwnershipPrivilege 4176 msiexec.exe Token: SeRestorePrivilege 4176 msiexec.exe Token: SeTakeOwnershipPrivilege 4176 msiexec.exe Token: SeRestorePrivilege 4176 msiexec.exe Token: SeTakeOwnershipPrivilege 4176 msiexec.exe Token: SeRestorePrivilege 4176 msiexec.exe Token: SeTakeOwnershipPrivilege 4176 msiexec.exe Token: SeRestorePrivilege 4176 msiexec.exe Token: SeTakeOwnershipPrivilege 4176 msiexec.exe Token: SeRestorePrivilege 4176 msiexec.exe Token: SeTakeOwnershipPrivilege 4176 msiexec.exe Token: SeRestorePrivilege 4176 msiexec.exe Token: SeTakeOwnershipPrivilege 4176 msiexec.exe Token: SeRestorePrivilege 4176 msiexec.exe Token: SeTakeOwnershipPrivilege 4176 msiexec.exe Token: SeRestorePrivilege 4176 msiexec.exe Token: SeTakeOwnershipPrivilege 4176 msiexec.exe Token: SeRestorePrivilege 4176 msiexec.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 3920 msiexec.exe 3920 msiexec.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 4176 wrote to memory of 4576 4176 msiexec.exe 83 PID 4176 wrote to memory of 4576 4176 msiexec.exe 83 PID 4176 wrote to memory of 2640 4176 msiexec.exe 85 PID 4176 wrote to memory of 2640 4176 msiexec.exe 85 PID 4176 wrote to memory of 2640 4176 msiexec.exe 85 PID 2640 wrote to memory of 4260 2640 RttHlp.exe 86 PID 2640 wrote to memory of 4260 2640 RttHlp.exe 86 PID 2640 wrote to memory of 4260 2640 RttHlp.exe 86 PID 4260 wrote to memory of 1624 4260 RttHlp.exe 87 PID 4260 wrote to memory of 1624 4260 RttHlp.exe 87 PID 4260 wrote to memory of 1624 4260 RttHlp.exe 87 PID 1624 wrote to memory of 2284 1624 RttHlp.exe 88 PID 1624 wrote to memory of 2284 1624 RttHlp.exe 88 PID 1624 wrote to memory of 2284 1624 RttHlp.exe 88 PID 4260 wrote to memory of 4552 4260 RttHlp.exe 90 PID 4260 wrote to memory of 4552 4260 RttHlp.exe 90 PID 4260 wrote to memory of 4552 4260 RttHlp.exe 90 PID 1624 wrote to memory of 2284 1624 RttHlp.exe 88 PID 4260 wrote to memory of 4552 4260 RttHlp.exe 90 PID 2284 wrote to memory of 4852 2284 cmd.exe 92 PID 2284 wrote to memory of 4852 2284 cmd.exe 92 PID 2284 wrote to memory of 4852 2284 cmd.exe 92 PID 4552 wrote to memory of 904 4552 cmd.exe 93 PID 4552 wrote to memory of 904 4552 cmd.exe 93 PID 4552 wrote to memory of 904 4552 cmd.exe 93 PID 2284 wrote to memory of 4852 2284 cmd.exe 92 PID 4552 wrote to memory of 904 4552 cmd.exe 93 PID 4552 wrote to memory of 904 4552 cmd.exe 93 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\msiexec.exemsiexec.exe /I C:\Users\Admin\AppData\Local\Temp\DogusignReader1.26g.msi1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3920
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4176 -
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:22⤵PID:4576
-
-
C:\Users\Admin\AppData\Local\Yarrow\RttHlp.exe"C:\Users\Admin\AppData\Local\Yarrow\RttHlp.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2640 -
C:\Users\Admin\AppData\Roaming\configRemote_PZ4\RttHlp.exeC:\Users\Admin\AppData\Roaming\configRemote_PZ4\RttHlp.exe3⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4260 -
C:\Users\Admin\AppData\Roaming\configRemote_PZ4\OBWZNIMQKWP\RttHlp.exeC:\Users\Admin\AppData\Roaming\configRemote_PZ4\OBWZNIMQKWP\RttHlp.exe4⤵
- Suspicious use of SetThreadContext
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1624 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2284 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe6⤵
- System Location Discovery: System Language Discovery
PID:4852
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\SysWOW64\cmd.exe4⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4552 -
C:\Windows\SysWOW64\explorer.exeC:\Windows\SysWOW64\explorer.exe5⤵
- System Location Discovery: System Language Discovery
PID:904
-
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4476
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD52ed809e31f495b248deaedf543347faa
SHA165096801f9fbed4807bfd5a7763654cc58749510
SHA256bbbc983eb5442971ad8dddd8a41b90e282f9b65e92334fad6d54f837e77e494a
SHA512bdc3b85107a454de965158c968e1cc2613fb5e5cc7c0f380a9b589a0b0fe842c9ae0f69ec838ea5d03a75fc7455ff617416dc06b88c23ac353d0dbdf2e8f81fd
-
Filesize
12.9MB
MD5292e1de184fa9ca75e51655a6b4f6a29
SHA1f77a35c6ee97fde2db7ec907429ce3a3c1253779
SHA2563f79bd84af57b8e9d4b563009e0757e5b874680154b1d99ff766378280c5ffd7
SHA512e38bc37622bb393971da43c186e7649aa6e1d1f767e66f4cd9137385d2b5def64a047a1ca3ac7bf911bd8958f609555ba6e2c52b2327edef1d3c738a8585100e
-
Filesize
1.0MB
MD51baaf964219fb1ba94f0cc0f42f0db98
SHA14606493dc4830bbbd9f1ca62e3868ce00c143974
SHA256f69e8e44c00bbb583900f9218e859589fbeca65b14bf540b5f16906322d421f2
SHA5123a4c9f8c394fa915f115aacaefca6adb69b5d911741f0535f3c8d0ac8107894162e98cf6330847e611fb87f492efd184114f66b9996464f092b6f96ba197e997
-
Filesize
1.0MB
MD540b9628354ef4e6ef3c87934575545f4
SHA18fb5da182dea64c842953bf72fc573a74adaa155
SHA256372b14fce2eb35b264f6d4aeef7987da56d951d3a09ef866cf55ed72763caa12
SHA51202b0ea82efbfbe2e7308f86bfbec7a5109f3fe91d42731812d2e46aebedce50aabc565d2da9d3fbcd0f46febbff49c534419d1a91e0c14d5a80f06b74888c641
-
Filesize
135KB
MD5a2d70fbab5181a509369d96b682fc641
SHA122afcdc180400c4d2b9e5a6db2b8a26bff54dd38
SHA2568aed681ad8d660257c10d2f0e85ae673184055a341901643f27afc38e5ef8473
SHA512219c6e7e88004fad9f4392be9a852c58fc43b7f6900e40370991427f37eaea5c18f48d2954f9479dde8bcb787345f4e292d5620add8224aec4d93d7968820b83
-
Filesize
10.5MB
MD595a61e7f85bc8b48e6e52992d39eefc6
SHA1df90ab3e50a7e566948ff56dde540139d23934c0
SHA2560cea6a8a1b71eaaf329b70552ebe353d1a468ae2da5ac9c018d1927b55406bf5
SHA5127a2ebb2caebe5efed73b701ee96a7880dea32301776a16beb288ab008531b396d06e36f6d0c4e60590c02355b4e1fc206e1468bc181042900fc18bc7b9f20086
-
Filesize
52KB
MD5038c02b1cdce1b2738c09d9d2b8bbd74
SHA10f20d6c4a1cb65ca8a33c613b0f297148f9a39b2
SHA256ff5f5110ca6ca5d57db34ec4ea566d28d4b2535d71540331448711a25a89b3f4
SHA512afb692a8bddf29feb352a3129165c045187c5a41ac134515d5d5ff884b26f24789113929e9c49f0277b8e509755566f5725be05d15a268fd07f03771ab004717
-
Filesize
1.1MB
MD5adf82ed333fb5567f8097c7235b0e17f
SHA1e6ccaf016fc45edcdadeb40da64c207ddb33859f
SHA256d6dd7a4f46f2cfde9c4eb9463b79d5ff90fc690da14672ba1da39708ee1b9b50
SHA5122253c7b51317a3b5734025b6c7639105dbc81c340703718d679a00c13d40dd74ccaba1f6d04b21ee440f19e82ba680aa4b2a6a75c618aed91bd85a132be9fc92
-
Filesize
1.9MB
MD537c89f8997af129d230837c87997b737
SHA15031df412eaf09cc72688e7865e4604cda6c2fbd
SHA256f3ea5d6457089b4c4ab207f0b96dd5f321cdc7b3360ca27cd6ed273ec25d807e
SHA5123ede7277cb8d16c83e65bb6e6626f30b124ff9cb1579cfc8fbea7358489f9520d416238e998707219b4b0debb6cc1fc2634133f2fe9457a840d8b2bc76ddb3bf
-
Filesize
791KB
MD528431839e39dffad0485cc51b34c705f
SHA10b63857ea0abe841fdae8fd8b9f9b3ef0af881a0
SHA256d832c2fd66e09b3eb829901fa6e7a2b610a398d8e007d6352edf4763ea3ce363
SHA512cca16a18f52f2d059308214897673acd48cfca144a5075fba372ad33b8c645d202ebf32576d9d299d95e37e059d78dfdf70f7e844c479bd8c8484dc06bfe9d03
-
Filesize
10.5MB
MD535f774e65e57f419fff8d8f74945ea51
SHA1c3e1d2d50a9bbca445576e0d71c6984cc1dc60bb
SHA256d00a3e22e53210acbd5c3e39b85332e3d47c8ec001d2bbf7a13abb07427bbba2
SHA51234db08df1751754159ca37249dd8a66a811150e2a0bbdc020858f5ee55f9fb8ef763bb74bbb723633f79ea9fde8dd0feeb0c79e0c442ca6f15a8c6d8ffa58a26
-
Filesize
24.6MB
MD5a59f38d3ec31b2529727a4b34a44ce23
SHA1de98c8b9d657b01288639c29824b8b95e9f3c59d
SHA2567d4aa517f0db2fa9cf41279dfb7e9fdd47a4e526663e31fa743310d266f55e34
SHA5122c563bc64148b3a3122812a24281f3cafa75eb4fcea57f4dd7584cf2a22b8e7d4cd4054b918c65a6d23cfeb25a99c4ec2643def30dc18beea8842dc7a2a32513
-
\??\Volume{78425248-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{d4c2de6e-9473-49df-abf5-8c896920768b}_OnDiskSnapshotProp
Filesize6KB
MD5b6cbd825b6bc559a64f1553bc899c565
SHA15ed83198450abafe9203c3b9d3dd10db9dfb584f
SHA256fa065210c39a3223b8d8617a864522820847f78fda72e0ab6f22e53023bbe65f
SHA5128ccb9ba91c0343f097a34f45d148a4c8f598224e7355244bc4b891b0c128c6a1d87a83113320bec528a375b2ec45939ceb85a2ac34d8491a000bd7e4e88e8cc5