d81b9ef03cdf5bd1cbb8f07c0a1f53cefbaffdc340990c63bce24bc58401e332

Analysis

max time kernel
52s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
05-03-2024 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SetupDTC300.exe
Size

311.6MB
MD5

b9b9b28358039da480658d974dfff10b
SHA1

dbf74fc97651715f9aa4b5b764aad3dc69255c0f
SHA256

d81b9ef03cdf5bd1cbb8f07c0a1f53cefbaffdc340990c63bce24bc58401e332
SHA512

9a4b748b59c3ccb1a0b9d6e0d5f80f83f8a762db3f35c3df5ff40d02253a722fff382e74d58749917b8fd68e33e6196df4f72e18fdfdc10189057948a875c490
SSDEEP

6291456:EWgMkN6RS41bMCeQggF+w2NdlDwIbXTiZxVwn0kOZYHYZ4X03WFk4kcYa/o:Eik6S4AG8NsgDiZxVwuggp7

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3040	SetupDTC300.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	MSIEXEC.EXE
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	MSIEXEC.EXE
File opened (read-only)	\??\J:	MSIEXEC.EXE
File opened (read-only)	\??\L:	MSIEXEC.EXE
File opened (read-only)	\??\X:	MSIEXEC.EXE
File opened (read-only)	\??\Y:	MSIEXEC.EXE
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	MSIEXEC.EXE
File opened (read-only)	\??\R:	MSIEXEC.EXE
File opened (read-only)	\??\W:	MSIEXEC.EXE
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	MSIEXEC.EXE
File opened (read-only)	\??\I:	MSIEXEC.EXE
File opened (read-only)	\??\K:	MSIEXEC.EXE
File opened (read-only)	\??\U:	MSIEXEC.EXE
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	MSIEXEC.EXE
File opened (read-only)	\??\V:	MSIEXEC.EXE
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	MSIEXEC.EXE
File opened (read-only)	\??\G:	MSIEXEC.EXE
File opened (read-only)	\??\S:	MSIEXEC.EXE
File opened (read-only)	\??\Z:	MSIEXEC.EXE
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\H:	MSIEXEC.EXE
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	MSIEXEC.EXE
File opened (read-only)	\??\Q:	MSIEXEC.EXE
File opened (read-only)	\??\T:	MSIEXEC.EXE
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3040 set thread context of 4512	3040	SetupDTC300.exe	92

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{8829F292-D449-4EB5-B17A-0E15C834F005}\ARPPRODUCTICON.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{8829F292-D449-4EB5-B17A-0E15C834F005}\DTC300.exe11_D5A49CC07FF044D09E08E3E0ABBD652D.exe	msiexec.exe
File created	C:\Windows\Installer\e57de0e.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{8829F292-D449-4EB5-B17A-0E15C834F005}	msiexec.exe
File opened for modification	C:\Windows\Installer\{8829F292-D449-4EB5-B17A-0E15C834F005}\ARPPRODUCTICON.exe	msiexec.exe
File created	C:\Windows\SystemTemp\~DFA4254F4AD08F5198.TMP	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE5EB.tmp	msiexec.exe
File created	C:\Windows\Installer\{8829F292-D449-4EB5-B17A-0E15C834F005}\DTC300.exe11_D5A49CC07FF044D09E08E3E0ABBD652D.exe	msiexec.exe
File created	C:\Windows\Installer\e57de0c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57de0c.msi	msiexec.exe
File created	C:\Windows\SystemTemp\~DF9EBC6B7FC709AB39.TMP	msiexec.exe
File created	C:\Windows\Installer\{8829F292-D449-4EB5-B17A-0E15C834F005}\DTC300.exe1_E779032897D947529ECCC086FA838B2F.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{8829F292-D449-4EB5-B17A-0E15C834F005}\DTC300.exe1_E779032897D947529ECCC086FA838B2F.exe	msiexec.exe
File created	C:\Windows\SystemTemp\~DF73047833471B5CA9.TMP	msiexec.exe
File created	C:\Windows\SystemTemp\~DFF16ED3024E77E8FE.TMP	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000239892d157dd5a9c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000239892d10000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900239892d1000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d239892d1000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000239892d100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22	msiexec.exe

Modifies registry class 24 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\292F9288944D5BE41BA7E0518C430F50	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292F9288944D5BE41BA7E0518C430F50	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292F9288944D5BE41BA7E0518C430F50\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292F9288944D5BE41BA7E0518C430F50\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292F9288944D5BE41BA7E0518C430F50\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292F9288944D5BE41BA7E0518C430F50\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\{56DF11BF-1DAB-4988-9FA2-AA3F221BB072}\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292F9288944D5BE41BA7E0518C430F50\PackageCode = "4D02832696B49AA4B967E418A1E5BEB3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292F9288944D5BE41BA7E0518C430F50\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292F9288944D5BE41BA7E0518C430F50\Version = "252972574"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292F9288944D5BE41BA7E0518C430F50\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292F9288944D5BE41BA7E0518C430F50\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292F9288944D5BE41BA7E0518C430F50\SourceList\Media\1 = "DISK1;1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\292F9288944D5BE41BA7E0518C430F50\My_Project_Name_2_Files	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292F9288944D5BE41BA7E0518C430F50\ProductName = "DTC300"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292F9288944D5BE41BA7E0518C430F50\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1CF5B4C65F6D00B4CB788D264C7ADDD7	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\1CF5B4C65F6D00B4CB788D264C7ADDD7\292F9288944D5BE41BA7E0518C430F50	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292F9288944D5BE41BA7E0518C430F50\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292F9288944D5BE41BA7E0518C430F50\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\{56DF11BF-1DAB-4988-9FA2-AA3F221BB072}\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292F9288944D5BE41BA7E0518C430F50\ProductIcon = "C:\\Windows\\Installer\\{8829F292-D449-4EB5-B17A-0E15C834F005}\\ARPPRODUCTICON.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292F9288944D5BE41BA7E0518C430F50\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292F9288944D5BE41BA7E0518C430F50\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292F9288944D5BE41BA7E0518C430F50\SourceList\PackageName = "DTC300.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\292F9288944D5BE41BA7E0518C430F50\Clients = 3a0000000000	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3684	msiexec.exe
3684	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	536	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	536	MSIEXEC.EXE
Token: SeSecurityPrivilege	3684	msiexec.exe
Token: SeCreateTokenPrivilege	536	MSIEXEC.EXE
Token: SeAssignPrimaryTokenPrivilege	536	MSIEXEC.EXE
Token: SeLockMemoryPrivilege	536	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	536	MSIEXEC.EXE
Token: SeMachineAccountPrivilege	536	MSIEXEC.EXE
Token: SeTcbPrivilege	536	MSIEXEC.EXE
Token: SeSecurityPrivilege	536	MSIEXEC.EXE
Token: SeTakeOwnershipPrivilege	536	MSIEXEC.EXE
Token: SeLoadDriverPrivilege	536	MSIEXEC.EXE
Token: SeSystemProfilePrivilege	536	MSIEXEC.EXE
Token: SeSystemtimePrivilege	536	MSIEXEC.EXE
Token: SeProfSingleProcessPrivilege	536	MSIEXEC.EXE
Token: SeIncBasePriorityPrivilege	536	MSIEXEC.EXE
Token: SeCreatePagefilePrivilege	536	MSIEXEC.EXE
Token: SeCreatePermanentPrivilege	536	MSIEXEC.EXE
Token: SeBackupPrivilege	536	MSIEXEC.EXE
Token: SeRestorePrivilege	536	MSIEXEC.EXE
Token: SeShutdownPrivilege	536	MSIEXEC.EXE
Token: SeDebugPrivilege	536	MSIEXEC.EXE
Token: SeAuditPrivilege	536	MSIEXEC.EXE
Token: SeSystemEnvironmentPrivilege	536	MSIEXEC.EXE
Token: SeChangeNotifyPrivilege	536	MSIEXEC.EXE
Token: SeRemoteShutdownPrivilege	536	MSIEXEC.EXE
Token: SeUndockPrivilege	536	MSIEXEC.EXE
Token: SeSyncAgentPrivilege	536	MSIEXEC.EXE
Token: SeEnableDelegationPrivilege	536	MSIEXEC.EXE
Token: SeManageVolumePrivilege	536	MSIEXEC.EXE
Token: SeImpersonatePrivilege	536	MSIEXEC.EXE
Token: SeCreateGlobalPrivilege	536	MSIEXEC.EXE
Token: SeBackupPrivilege	1312	vssvc.exe
Token: SeRestorePrivilege	1312	vssvc.exe
Token: SeAuditPrivilege	1312	vssvc.exe
Token: SeBackupPrivilege	3684	msiexec.exe
Token: SeRestorePrivilege	3684	msiexec.exe
Token: SeRestorePrivilege	3684	msiexec.exe
Token: SeTakeOwnershipPrivilege	3684	msiexec.exe
Token: SeBackupPrivilege	1868	srtasks.exe
Token: SeRestorePrivilege	1868	srtasks.exe
Token: SeSecurityPrivilege	1868	srtasks.exe
Token: SeTakeOwnershipPrivilege	1868	srtasks.exe
Token: SeBackupPrivilege	1868	srtasks.exe
Token: SeRestorePrivilege	1868	srtasks.exe
Token: SeSecurityPrivilege	1868	srtasks.exe
Token: SeTakeOwnershipPrivilege	1868	srtasks.exe
Token: SeRestorePrivilege	3684	msiexec.exe
Token: SeTakeOwnershipPrivilege	3684	msiexec.exe
Token: SeRestorePrivilege	3684	msiexec.exe
Token: SeTakeOwnershipPrivilege	3684	msiexec.exe
Token: SeRestorePrivilege	3684	msiexec.exe
Token: SeTakeOwnershipPrivilege	3684	msiexec.exe
Token: SeRestorePrivilege	3684	msiexec.exe
Token: SeTakeOwnershipPrivilege	3684	msiexec.exe
Token: SeRestorePrivilege	3684	msiexec.exe
Token: SeTakeOwnershipPrivilege	3684	msiexec.exe
Token: SeRestorePrivilege	3684	msiexec.exe
Token: SeTakeOwnershipPrivilege	3684	msiexec.exe
Token: SeRestorePrivilege	3684	msiexec.exe
Token: SeTakeOwnershipPrivilege	3684	msiexec.exe
Token: SeRestorePrivilege	3684	msiexec.exe
Token: SeTakeOwnershipPrivilege	3684	msiexec.exe
Token: SeRestorePrivilege	3684	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
536	MSIEXEC.EXE
536	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 3040	4144	SetupDTC300.exe	81
PID 4144 wrote to memory of 3040	4144	SetupDTC300.exe	81
PID 4144 wrote to memory of 3040	4144	SetupDTC300.exe	81
PID 3040 wrote to memory of 536	3040	SetupDTC300.exe	82
PID 3040 wrote to memory of 536	3040	SetupDTC300.exe	82
PID 3040 wrote to memory of 536	3040	SetupDTC300.exe	82
PID 3684 wrote to memory of 1868	3684	msiexec.exe	89
PID 3684 wrote to memory of 1868	3684	msiexec.exe	89
PID 3040 wrote to memory of 4512	3040	SetupDTC300.exe	92
PID 3040 wrote to memory of 4512	3040	SetupDTC300.exe	92
PID 3040 wrote to memory of 4512	3040	SetupDTC300.exe	92
PID 3040 wrote to memory of 4512	3040	SetupDTC300.exe	92

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\SetupDTC300.exe
"C:\Users\Admin\AppData\Local\Temp\SetupDTC300.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Users\Admin\AppData\Local\Temp\{56DF11BF-1DAB-4988-9FA2-AA3F221BB072}\SetupDTC300.exe
  C:\Users\Admin\AppData\Local\Temp\{56DF11BF-1DAB-4988-9FA2-AA3F221BB072}\SetupDTC300.exe /q"C:\Users\Admin\AppData\Local\Temp\SetupDTC300.exe" /tempdisk1folder"C:\Users\Admin\AppData\Local\Temp\{56DF11BF-1DAB-4988-9FA2-AA3F221BB072}" /IS_temp
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    "C:\Windows\system32\MSIEXEC.EXE" /i "C:\Users\Admin\AppData\Local\Temp\{56DF11BF-1DAB-4988-9FA2-AA3F221BB072}\DTC300.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="SetupDTC300.exe"
    3⤵
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:536
- - C:\Windows\SysWOW64\explorer.exe
    C:\Windows\system32\explorer.exe
    3⤵
    PID:4512

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3684
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1868

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1312

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57de0d.rbs

Filesize
12KB

MD5
f0e93c844b0cdc7be73e8a6a420f0c2e

SHA1
7a8e5de5a2104d87aaf5c235365131de9b8e56ff

SHA256
fd18878d9efdbd95a76b734c482f31250e4be5f0933f778817d9312b45bc8946

SHA512
46b84d76e36ec0703864528781b192d5710d86722bb02e664a402133ede2ce22f3a1e77d9466dac7a1d420551b9dc255b0b7bc0e9980d5a223d7864a75f9f0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\{56DF11BF-1DAB-4988-9FA2-AA3F221BB072}\0x0409.ini

Filesize
21KB

MD5
a108f0030a2cda00405281014f897241

SHA1
d112325fa45664272b08ef5e8ff8c85382ebb991

SHA256
8b76df0ffc9a226b532b60936765b852b89780c6e475c152f7c320e085e43948

SHA512
d83894b039316c38915a789920758664257680dcb549a9b740cf5361addbee4d4a96a3ff2999b5d8acfb1d9336da055ec20012d29a9f83ee5459f103fbeec298

Download Submit
C:\Users\Admin\AppData\Local\Temp\{56DF11BF-1DAB-4988-9FA2-AA3F221BB072}\DTC300.msi

Filesize
751KB

MD5
ccefae48b3c67a59e9e85f399329a3e9

SHA1
ade027ecf28a1d1095d3ae637f39ee67f7535854

SHA256
106075b6347801e699805ce3dceb17b4f327177b6386d579522e074e1f13995f

SHA512
10df8dd718cb1b7a6fa7f87f33941ed8085db7ceffb1d0de2975d5386de97256467555dc4084d4647cc483f3d19200d0b25f9ca7478c39f4103b7e451eedfcf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\{56DF11BF-1DAB-4988-9FA2-AA3F221BB072}\SetupDTC300.exe

Filesize
35.5MB

MD5
2ee49e4598a6554d7147d614975bbc42

SHA1
2592514d8992ce9d97cdbcf962cf3c9d56196a5f

SHA256
609e42a2856259186496eb4d974d79eaae0c9d849faa1e3269deffc5b8b4192b

SHA512
23ed80624eed79e33b69115f1ffd25a84d402a830598796b88e45608c36aac5b13f78cda1af4b5f3fee887ccb6de215d1dd052b40eba4058a7f0549d85c541fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\{56DF11BF-1DAB-4988-9FA2-AA3F221BB072}\SetupDTC300.exe

Filesize
49.7MB

MD5
83eb6d35e90e984dc1429ffea4cff010

SHA1
d2a07b7092c3a4f16367fd5bd968f73c65ae9269

SHA256
0d75494720796fe24aacf6f8a3c05844d7a3ad0f84534d048ffc297c9081d057

SHA512
8bf979e469ee61f32c29171a134eeeec4d17e6ea9e75867ccf3906de9e9bfe466161f7373668fa92bc43642a6ef41d1282491b691a552bafcc4442c3670a082f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{56DF11BF-1DAB-4988-9FA2-AA3F221BB072}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{56DF11BF-1DAB-4988-9FA2-AA3F221BB072}\_ISMSIDEL.INI

Filesize
616B

MD5
3cd6da8796786e6755ae9e05cae7c782

SHA1
04adb5f6ac7066e6ef9f8438d7748f758bdb9cfd

SHA256
460282a36747774aa57beda9e337edd3892403022477cc112da703202f76691d

SHA512
b73e0847ba88a5adf6f2a339c7c4326afa73ea093dccb51740772ac3590cc936ca4a0cb4f60a67d8259c2cf92743c0afd99728d270f732ccb8130f7cf810c867

Download Submit
C:\Users\Admin\AppData\Local\Temp\~6C77.tmp

Filesize
5KB

MD5
c1d0ccfbf7ae8d3057166e915b3d2312

SHA1
60b7fb7c8f1a1b58379343424c0cf786dfa78186

SHA256
c2b9bf478bbcdbac993f37b2fb4fde259d3f8434b3c88321a89fe7bc8f75783b

SHA512
7e9d6031456a32314af45dbe49deff8c5072217a3091cab15e91a527616ad2301531adb62e68d6c31f02f6d85060bce930960ac3af68a485052159f69426a426

Download Submit
C:\Windows\Installer\e57de0c.msi

Filesize
11.2MB

MD5
ccf68cff8ab1fe757c4030e3f4868750

SHA1
367cd9dee926ae69397edcece1fc4c011dde4166

SHA256
e1f1734e60446a2eb54cbfeb4010063ee99c40010d385bd42e94add483a38abb

SHA512
89e1941c00cc18ab755c7753eab21c938688220e1739951749a86e8717bcb8ebec3c050f30f51ef5bb84d0bcde6eb7cb3e9bc80c7584aa1e65277ed041d6616f

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
10.7MB

MD5
ed162f0b16afb7b0f877db0f92357990

SHA1
8ba1cc5265e8b7a0d8c4f6211e99072ff00ae6ef

SHA256
790c6fe082711949528b7b43ce2cfee28abc0be77f9da342f0e92edb953e1cb3

SHA512
31e686e440332d0ceb933e03df6cd5df43c87496d77dc0ba454f81892ad3161eed901f5691bd8088ff2543364ac31f4ef6dd4a74d09f90e21385a2f2e5a0c92e

Download Submit
\??\Volume{d1929823-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{a4b216a3-8422-4338-be37-6d1dd262838d}_OnDiskSnapshotProp

Filesize
6KB

MD5
66fe87b6ccd4a9fc421ab61c3687c659

SHA1
d559886159a771631a3ed980718aacea5a3ae817

SHA256
656b0a91ecfba01f48cddfa395ddbb119c5f20996bed226e5748b1c221b67f80

SHA512
2a84f67dca9e5d558042da014f6aa3f935de7f1f3bb5c98f0e57c5b85446faa302ce4b118ddb61326a288bc8522ebd5a0510fe1ff5ce36126c2558c2fd9dd010

Download Submit