d4a65beb44a941913e8a34d50f9932e45832a453725e58d6eb7ed3815ab4fca8

Analysis

max time kernel
84s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2022, 05:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.BScope.Adware.Searcher.10533.exe
Size

2.5MB
MD5

b7ad583979099b800db79a1dc6c7423a
SHA1

324f9df08052bb1c2c1062057f26ae065f6ef1bf
SHA256

d4a65beb44a941913e8a34d50f9932e45832a453725e58d6eb7ed3815ab4fca8
SHA512

f28adc3b2b3b59c1c03ac731d74963379a064ea9255e051d0a76b1b9391e007a85cda2b340be97a868ffdd7d0450b97e45d1333272f34059e42b91a00c65e144
SSDEEP

49152:LQDxO8/GZlXs06kXMtWvaiJLCQeD0hbLogisuBLwswQRNmksH:LQ8LFekXMtWyiJsDcbLoRr5hwUm/H

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
16	2752	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2572	Setup.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.BScope.Adware.Searcher.10533.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WuTility\data.cab	msiexec.exe
File created	C:\Program Files (x86)\WuTility\WuTility.chm	msiexec.exe
File created	C:\Program Files (x86)\WuTility\WuTility.exe	msiexec.exe
File created	C:\Program Files (x86)\WuTility\PuttyTel.exe	msiexec.exe
File created	C:\Program Files (x86)\WuTility\Setup.exe	msiexec.exe
File created	C:\Program Files (x86)\WuTility\Uninstall.bat	msiexec.exe
File created	C:\Program Files (x86)\WuTility\ixWuTil.exe	msiexec.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{EA6900A6-C24B-4B3C-AE0D-B15397F6DFBE}\App.ico	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{EA6900A6-C24B-4B3C-AE0D-B15397F6DFBE}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI13A7.tmp	msiexec.exe
File created	C:\Windows\Installer\{EA6900A6-C24B-4B3C-AE0D-B15397F6DFBE}\App.ico	msiexec.exe
File created	C:\Windows\Installer\{EA6900A6-C24B-4B3C-AE0D-B15397F6DFBE}\Uninst.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\{EA6900A6-C24B-4B3C-AE0D-B15397F6DFBE}\Uninst.ico	msiexec.exe
File created	C:\Windows\Installer\e571222.msi	msiexec.exe
File created	C:\Windows\Installer\e571220.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e571220.msi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000dcccb42f1bc641320000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000dcccb42f0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900dcccb42f000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000dcccb42f00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe

Modifies registry class 23 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6A0096AEB42CC3B4EAD01B35796FFDEB\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6A0096AEB42CC3B4EAD01B35796FFDEB\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6A0096AEB42CC3B4EAD01B35796FFDEB\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6A0096AEB42CC3B4EAD01B35796FFDEB	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6A0096AEB42CC3B4EAD01B35796FFDEB\Language = "1033"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F49F53190DEB6A544B1047C4F32E5E3E\6A0096AEB42CC3B4EAD01B35796FFDEB	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6A0096AEB42CC3B4EAD01B35796FFDEB\SourceList\PackageName = "WuT_EN.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6A0096AEB42CC3B4EAD01B35796FFDEB\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6A0096AEB42CC3B4EAD01B35796FFDEB\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6A0096AEB42CC3B4EAD01B35796FFDEB\ProductName = "WuTility Version 4"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6A0096AEB42CC3B4EAD01B35796FFDEB\PackageCode = "45486FDE77B8D14409E906C9C3915058"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6A0096AEB42CC3B4EAD01B35796FFDEB\ProductIcon = "C:\\Windows\\Installer\\{EA6900A6-C24B-4B3C-AE0D-B15397F6DFBE}\\App.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6A0096AEB42CC3B4EAD01B35796FFDEB\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6A0096AEB42CC3B4EAD01B35796FFDEB\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\F49F53190DEB6A544B1047C4F32E5E3E	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6A0096AEB42CC3B4EAD01B35796FFDEB\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6A0096AEB42CC3B4EAD01B35796FFDEB\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6A0096AEB42CC3B4EAD01B35796FFDEB\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6A0096AEB42CC3B4EAD01B35796FFDEB\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6A0096AEB42CC3B4EAD01B35796FFDEB	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\6A0096AEB42CC3B4EAD01B35796FFDEB\MainApplication	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6A0096AEB42CC3B4EAD01B35796FFDEB\Version = "67239936"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\6A0096AEB42CC3B4EAD01B35796FFDEB\Assignment = "1"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2096	msiexec.exe
2096	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2752	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2752	msiexec.exe
Token: SeSecurityPrivilege	2096	msiexec.exe
Token: SeCreateTokenPrivilege	2752	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2752	msiexec.exe
Token: SeLockMemoryPrivilege	2752	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2752	msiexec.exe
Token: SeMachineAccountPrivilege	2752	msiexec.exe
Token: SeTcbPrivilege	2752	msiexec.exe
Token: SeSecurityPrivilege	2752	msiexec.exe
Token: SeTakeOwnershipPrivilege	2752	msiexec.exe
Token: SeLoadDriverPrivilege	2752	msiexec.exe
Token: SeSystemProfilePrivilege	2752	msiexec.exe
Token: SeSystemtimePrivilege	2752	msiexec.exe
Token: SeProfSingleProcessPrivilege	2752	msiexec.exe
Token: SeIncBasePriorityPrivilege	2752	msiexec.exe
Token: SeCreatePagefilePrivilege	2752	msiexec.exe
Token: SeCreatePermanentPrivilege	2752	msiexec.exe
Token: SeBackupPrivilege	2752	msiexec.exe
Token: SeRestorePrivilege	2752	msiexec.exe
Token: SeShutdownPrivilege	2752	msiexec.exe
Token: SeDebugPrivilege	2752	msiexec.exe
Token: SeAuditPrivilege	2752	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2752	msiexec.exe
Token: SeChangeNotifyPrivilege	2752	msiexec.exe
Token: SeRemoteShutdownPrivilege	2752	msiexec.exe
Token: SeUndockPrivilege	2752	msiexec.exe
Token: SeSyncAgentPrivilege	2752	msiexec.exe
Token: SeEnableDelegationPrivilege	2752	msiexec.exe
Token: SeManageVolumePrivilege	2752	msiexec.exe
Token: SeImpersonatePrivilege	2752	msiexec.exe
Token: SeCreateGlobalPrivilege	2752	msiexec.exe
Token: SeBackupPrivilege	5056	vssvc.exe
Token: SeRestorePrivilege	5056	vssvc.exe
Token: SeAuditPrivilege	5056	vssvc.exe
Token: SeBackupPrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2096	msiexec.exe
Token: SeTakeOwnershipPrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2096	msiexec.exe
Token: SeTakeOwnershipPrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2096	msiexec.exe
Token: SeTakeOwnershipPrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2096	msiexec.exe
Token: SeTakeOwnershipPrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2096	msiexec.exe
Token: SeTakeOwnershipPrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2096	msiexec.exe
Token: SeTakeOwnershipPrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2096	msiexec.exe
Token: SeTakeOwnershipPrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2096	msiexec.exe
Token: SeTakeOwnershipPrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2096	msiexec.exe
Token: SeTakeOwnershipPrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2096	msiexec.exe
Token: SeTakeOwnershipPrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2096	msiexec.exe
Token: SeTakeOwnershipPrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2096	msiexec.exe
Token: SeTakeOwnershipPrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2096	msiexec.exe
Token: SeTakeOwnershipPrivilege	2096	msiexec.exe
Token: SeRestorePrivilege	2096	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2752	msiexec.exe
2752	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 2752	4140	SecuriteInfo.com.BScope.Adware.Searcher.10533.exe	83
PID 4140 wrote to memory of 2752	4140	SecuriteInfo.com.BScope.Adware.Searcher.10533.exe	83
PID 4140 wrote to memory of 2752	4140	SecuriteInfo.com.BScope.Adware.Searcher.10533.exe	83
PID 2096 wrote to memory of 2972	2096	msiexec.exe	96
PID 2096 wrote to memory of 2972	2096	msiexec.exe	96
PID 2096 wrote to memory of 2572	2096	msiexec.exe	98
PID 2096 wrote to memory of 2572	2096	msiexec.exe	98
PID 2096 wrote to memory of 2572	2096	msiexec.exe	98

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.Adware.Searcher.10533.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BScope.Adware.Searcher.10533.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i C:\Users\Admin\AppData\Local\Temp\WuT_EN.msi
  2⤵
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2752

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2096
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2972
- C:\Program Files (x86)\WuTility\Setup.exe
  "C:\Program Files (x86)\WuTility\Setup.exe" /Install
  2⤵
  - Executes dropped EXE
  PID:2572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5056

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WuTility\Setup.exe

Filesize
74KB

MD5
05073efd3742920194a9258906011a88

SHA1
d217d0b4f97e8ce79e8a69c5b342b21817915a99

SHA256
a8115365d5eeec4b1adca94a94c7dde0a44370b6d70199e7809dacd3a2fa2695

SHA512
6d02e91d662f5e841a576964c23db3cad68c9c4c72eacf2064a4cd9d399563c607f90d4df0f806d2706c4209313fd535d6459033ce873817879497e94c5a0ffa

Download Submit
C:\Program Files (x86)\WuTility\Setup.exe

Filesize
74KB

MD5
05073efd3742920194a9258906011a88

SHA1
d217d0b4f97e8ce79e8a69c5b342b21817915a99

SHA256
a8115365d5eeec4b1adca94a94c7dde0a44370b6d70199e7809dacd3a2fa2695

SHA512
6d02e91d662f5e841a576964c23db3cad68c9c4c72eacf2064a4cd9d399563c607f90d4df0f806d2706c4209313fd535d6459033ce873817879497e94c5a0ffa

Download Submit
C:\Program Files (x86)\WuTility\WuTility.exe

Filesize
1.4MB

MD5
456252a895c7acccd17a48408c2965cb

SHA1
581713b9f56b196a7b9fe1910eb3f7cd63b77c46

SHA256
f34b878e4b4ccbbc744bdb6ce0a4cc039ca31dde5f26ce89f8a309fe180637a4

SHA512
c4391e65c37fff90d781fc5573967e09e2e0135b3b2720c19a1c303bc4b2f904214126eb969d53d0957c92493ef9b7959bf42563082e7e83d0a278d1f6379e8d

Download Submit
C:\Program Files (x86)\WuTility\data.cab

Filesize
330KB

MD5
0d7ee2c8e8df3b128f92952d199d3f3d

SHA1
9e2826b929df9c4c7f85f8f4d34dda3bbf326b24

SHA256
c0aa0bb6ea106ac17d20d5726406336aba8a23ff0e527411391381c33bde196e

SHA512
ecc95729b0b1ea350899d03e0771df950692f3baeaca8f93a2f46517ccf02e7d654dd9a7fb47bd1cc64a007ec22bc1192d4d0d85d79082fbed5e5a255dccf3e1

Download Submit
C:\Program Files (x86)\WuTility\ixWuTil.exe

Filesize
84KB

MD5
6cb78fec537740b2af53d824a191a955

SHA1
6ccde1c9f07634b5deb81e074fa9d058c75b44db

SHA256
1db028ac4e6c0db2d0b9dd1e4065e98e6af2c96343e5d982a9ee60942c4ed761

SHA512
ce8690457a51de98454fbd8f3e4fa1d13f45420c8df9268accb615baf77ab881efedc243f4596a7b9f158fd4c5eec78f627e8b00eb2cf7037c9b5486e93e6139

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_57C39702942D4C8437A6BFA260B3C96C

Filesize
1KB

MD5
3ff019860cef8c63892be48489489c4a

SHA1
ef82c295925b9b3d76bc6213b4c814a55a1dee95

SHA256
5bf23a85599a64b15ac94b71dec6cf2ed0d5d29ff8613b6ffe816bd1199627ba

SHA512
e83a8c05ceaec3dc87ae112a0ae6fa2baba925495311d4f8a1679c5e825586225170dab8ca8c07bbf67321120868b23892585934d198ca210c7a3d75f91fb55b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_57C39702942D4C8437A6BFA260B3C96C

Filesize
404B

MD5
9564174fbcb5bc66fe7c0b1ec6cdff78

SHA1
efd6d012e0d38d7c1bb4623da83a1adef086a27b

SHA256
59cc2794b850c914fef1b70688c5dac9872bf43f00eef46ca1adb381b5a39a34

SHA512
4b9a42a824d2eb5578a518ed3f46bef7375a51c747bbc6d028b8bf40ae7948e0686d507a7f2ebfe3938b303accfadba06f4ec50c0ac21635773edc25d03630a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\WuT_EN.msi

Filesize
1.1MB

MD5
1701fba90d4ffc5556f71f068ac450d6

SHA1
da1b86038d23d85f2735b17d7165a836ce73d9c2

SHA256
b215adad01c611aff36029460a099703c24e784400e9f321dbe694a7838d1ad0

SHA512
240eed37013d972fbca556494e3330683dd0bc27ceb14fc58a6115dee0a944fcb3a3c449581a9301642ea2e5f273c18b24b2709778abbc8da4dcf34d03d8eef4

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
0d77da606a52c1afcf1b8ded4881fa4c

SHA1
64c463669b451fedcd6d52293c01d4db97e5b20f

SHA256
ca86d3dcec48f8e95f79e96695fd12f7e78bc513200563fc44123ef38878c550

SHA512
8fed6c5e18b365cc2e542d6df3fcdb07b5ae338befc89904f3dac769e4db01a59cb67907d54348f728348350d18be241da54d8972885a287b88fac42d061745e

Download Submit
\??\Volume{2fb4ccdc-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a76570e3-76ef-448e-9c26-aec95c16d12b}_OnDiskSnapshotProp

Filesize
5KB

MD5
f23238898fb0638c2b529c70d0e2af3c

SHA1
0c2bb6a715406f073f9e0978e712a7c30351684a

SHA256
2d5f2d963d7c3b357e4ff4141b395233b40d4f9d702c51912e32456ebc00d507

SHA512
489e67b72519f0d234a4e1d74106d00edf10ad297963557271f9b624b2008bd0bfb22583834ac40bfb11740ea09a134442a0cc39afbf924e1788d7c4f3419a1b

Download Submit