Resubmissions
21/04/2023, 17:49
230421-wd5fgshb47 7
21/04/2023, 17:35
230421-v56besba3x 7
21/04/2023, 15:06
230421-sg9b3aab61 7
Analysis
max time kernel
497s
max time network
503s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags
arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
submitted
21/04/2023, 17:35
Static task
static1
Behavioral task
behavioral1
Sample
GoLabel_Install_enUS_V1.13C/setup.msi
Resource
win10v2004-20230220-en
General
Target
GoLabel_Install_enUS_V1.13C/setup.msi
Size
44.7MB
MD5
3640ca067162ae9e3ee3e37372a9f7d4
SHA1
56b14409608ed38f80287e1c8a766d41d82e5758
SHA256
e39056e70a6d2f18eed3b32bc508e2c0637149f37a5ec40a57e7079199229429
SHA512
7991282a39a5fef1b540b90bdc705ecc964ab76a8908b3f663500dd5e0821ec53478748f5d682fa75c67aa2750d67454a0b65bd2cfb4a808f657e5e091c1153d
SSDEEP
786432:7uDB+6HMPrLOOo2Ss+1L73vwM2kf0wsua1pNtSS5cst6zeWYzMjdISG2uwxLN:FaMPrLy2o1//thf011pNAUVt60zMjdDN
Malware Config
Signatures
Loads dropped DLL 4 IoCs
pid  | Process
368  | MsiExec.exe
368  | MsiExec.exe
1304 | MsiExec.exe
1304 | MsiExec.exe
Registers COM server for autorun 1 TTPs 9 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\WOW6432Node\CLSID\{50BAEEDB-ED25-11D2-B97B-000000000000}\InprocServer32\ThreadingModel = "Both" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\WOW6432Node\CLSID\{50BAEED9-ED25-11D2-B97B-000000000000}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\WOW6432Node\CLSID\{50BAEED9-ED25-11D2-B97B-000000000000}\InprocServer32\ThreadingModel = "Both" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\WOW6432Node\CLSID\{50BAEEDB-ED25-11D2-B97B-000000000000}\InprocServer32 | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\WOW6432Node\CLSID\{50BAEEDA-ED25-11D2-B97B-000000000000}\InprocServer32 | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\WOW6432Node\CLSID\{50BAEEDA-ED25-11D2-B97B-000000000000}\InprocServer32\ThreadingModel = "both" | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\WOW6432Node\CLSID\{50BAEEDA-ED25-11D2-B97B-000000000000}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\System\\ole db\\vfpoledb.dll" | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\WOW6432Node\CLSID\{50BAEED9-ED25-11D2-B97B-000000000000}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\System\\ole db\\vfpoledb.dll" | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\WOW6432Node\CLSID\{50BAEEDB-ED25-11D2-B97B-000000000000}\InprocServer32\ = "C:\\Program Files (x86)\\Common Files\\System\\ole db\\vfpoledb.dll" | msiexec.exe
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 17 IoCs
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (binary data) | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Modifies registry class 64 IoCs
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  | Process
3572 | msiexec.exe
3572 | msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
pid  | Process
4328 | msiexec.exe
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 3572 wrote to memory of 368 | 3572 | msiexec.exe | 84
PID 3572 wrote to memory of 368 | 3572 | msiexec.exe | 84
PID 3572 wrote to memory of 368 | 3572 | msiexec.exe | 84
PID 3572 wrote to memory of 1792 | 3572 | msiexec.exe | 96
PID 3572 wrote to memory of 1792 | 3572 | msiexec.exe | 96
PID 3572 wrote to memory of 1304 | 3572 | msiexec.exe | 98
PID 3572 wrote to memory of 1304 | 3572 | msiexec.exe | 98
PID 3572 wrote to memory of 1304 | 3572 | msiexec.exe | 98
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
C:\Windows\system32\msiexec.exe
    Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\GoLabel_Install_enUS_V1.13C\setup.msi
    PID:4328
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe
    Command line: C:\Windows\system32\msiexec.exe /V
    PID:3572
    - Registers COM server for autorun
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 736584B24E39DAC7A6891AAA7832AD19 C
        PID:368
        - Loads dropped DLL
    C:\Windows\system32\srtasks.exe
        Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
        PID:1792
    C:\Windows\syswow64\MsiExec.exe
        Command line: C:\Windows\syswow64\MsiExec.exe -Embedding CE4BC027115633B6C40BCE8BFE3C3FE7
        PID:1304
        - Loads dropped DLL
C:\Windows\system32\vssvc.exe
    Command line: C:\Windows\system32\vssvc.exe
    PID:4400
    - Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v6
Downloads
C:\Users\Admin\AppData\Roaming\Microsoft\Installer\{E20EB42A-89B3-4FFD-9793-AF0EF9852F26}\_282C5B7AB9823B3125F10E.exe
Filesize
16KB
MD5
540ac83a401bf85503d0b95eeaa78465
SHA1
ec0f75397bedfa501e051d1af378245bf8519feb
SHA256
257b74dffd2af76e015fe29c227f4a7f6dc7ae91e67ae6ae93609ce2c7aa74ad
SHA512
ce9bc4711f5b2f13a583af7db09befab528892f8fac3c0ca4ae46bf4b10f5e513896333410f3b5968acaf80f03aba19bb0dcbcdff2c8f4c24f8c9d7bbf4fda03
\??\Volume{07416f20-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b5580626-c9bc-44f3-955b-c1332fcf0401}_OnDiskSnapshotProp
Filesize
5KB
MD5
6248a9320b98d1ae90fea9f205a4c519
SHA1
07e1fa1438f1905439c059a3262f086952708f69
SHA256
9fd0826ac0dd9335d8d1e2ce3a87a2378419cee03c42191b7f8fefc24b1c0078
SHA512
60715725174d705c58b50f6ba863d84933cce516fafabaceca8cd5d5044f183fae581fa3f86c3760e6c3ccd66d032ce88763bbd1bb8358f6e851ec16bc5b3263