e64775374097f1b1c8fd4173f7d5be4305b88cec26a56d003113aff2837ae08e

Analysis

max time kernel
35s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
28-05-2024 03:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

putty-64bit-0.78-installer.msi
Size

3.5MB
MD5

108b432c4dc0a66b657d985e180bec71
SHA1

262812d43303b7ddc7c04a1c243172ebe6579f00
SHA256

e64775374097f1b1c8fd4173f7d5be4305b88cec26a56d003113aff2837ae08e
SHA512

5ddb97078b417f22c54dce768564dec58fd92a9c190f7a6cac9c7979a0f136dd439da1d59dd3c088e709433f5c4f79c033abd4b6ca8989d38620c20f4623386e
SSDEEP

98304:Ujhyh9EoxGHgBRn8Tg4IDrwRW8FMDMb34+NHC6:UjhyJPR8Tg4IDrwdFMD048

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 4 IoCs

flow	pid	Process
5	1844	msiexec.exe
7	1844	msiexec.exe
9	1844	msiexec.exe
11	1844	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\PuTTY\putty.chm	msiexec.exe
File created	C:\Program Files\PuTTY\psftp.exe	msiexec.exe
File created	C:\Program Files\PuTTY\website.url	msiexec.exe
File created	C:\Program Files\PuTTY\pscp.exe	msiexec.exe
File created	C:\Program Files\PuTTY\putty.exe	msiexec.exe
File created	C:\Program Files\PuTTY\puttygen.exe	msiexec.exe
File created	C:\Program Files\PuTTY\README.txt	msiexec.exe
File created	C:\Program Files\PuTTY\LICENCE	msiexec.exe
File created	C:\Program Files\PuTTY\pageant.exe	msiexec.exe
File created	C:\Program Files\PuTTY\plink.exe	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e578750.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{4EEF2644-700F-46F8-9655-915145248986}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI88C7.tmp	msiexec.exe
File created	C:\Windows\Installer\e578752.msi	msiexec.exe
File created	C:\Windows\Installer\e578750.msi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
224	putty.exe

Loads dropped DLL 2 IoCs

pid	Process
5076	MsiExec.exe
5076	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000c9712a8ab103c3e30000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000c9712a8a0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900c9712a8a000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dc9712a8a000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000c9712a8a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\PPK_Assoc_ProgId\shell\open\command	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\PPK_Assoc_ProgId\shell\edit	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\PPK_Assoc_ProgId\shell\edit\ = "Edit with PuTTYgen"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.ppk	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.ppk\ = "PPK_Assoc_ProgId"	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\PPK_Assoc_ProgId\shell\open\ = "Load into Pageant"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	MsiExec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\PPK_Assoc_ProgId\ = "PuTTY Private Key File"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\PPK_Assoc_ProgId\shell\edit\command	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\PPK_Assoc_ProgId\shell\open\command\ = "\"C:\\Program Files\\PuTTY\\pageant.exe\" \"%1\""	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\PPK_Assoc_ProgId	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\PPK_Assoc_ProgId\shell	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\PPK_Assoc_ProgId\shell\edit\command\ = "\"C:\\Program Files\\PuTTY\\puttygen.exe\" \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\.ppk\Content Type = "application/x-putty-private-key"	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\PPK_Assoc_ProgId\shell\open	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2996	msiexec.exe
2996	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1844	msiexec.exe
Token: SeSecurityPrivilege	2996	msiexec.exe
Token: SeCreateTokenPrivilege	1844	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1844	msiexec.exe
Token: SeLockMemoryPrivilege	1844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1844	msiexec.exe
Token: SeMachineAccountPrivilege	1844	msiexec.exe
Token: SeTcbPrivilege	1844	msiexec.exe
Token: SeSecurityPrivilege	1844	msiexec.exe
Token: SeTakeOwnershipPrivilege	1844	msiexec.exe
Token: SeLoadDriverPrivilege	1844	msiexec.exe
Token: SeSystemProfilePrivilege	1844	msiexec.exe
Token: SeSystemtimePrivilege	1844	msiexec.exe
Token: SeProfSingleProcessPrivilege	1844	msiexec.exe
Token: SeIncBasePriorityPrivilege	1844	msiexec.exe
Token: SeCreatePagefilePrivilege	1844	msiexec.exe
Token: SeCreatePermanentPrivilege	1844	msiexec.exe
Token: SeBackupPrivilege	1844	msiexec.exe
Token: SeRestorePrivilege	1844	msiexec.exe
Token: SeShutdownPrivilege	1844	msiexec.exe
Token: SeDebugPrivilege	1844	msiexec.exe
Token: SeAuditPrivilege	1844	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1844	msiexec.exe
Token: SeChangeNotifyPrivilege	1844	msiexec.exe
Token: SeRemoteShutdownPrivilege	1844	msiexec.exe
Token: SeUndockPrivilege	1844	msiexec.exe
Token: SeSyncAgentPrivilege	1844	msiexec.exe
Token: SeEnableDelegationPrivilege	1844	msiexec.exe
Token: SeManageVolumePrivilege	1844	msiexec.exe
Token: SeImpersonatePrivilege	1844	msiexec.exe
Token: SeCreateGlobalPrivilege	1844	msiexec.exe
Token: SeCreateTokenPrivilege	1844	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1844	msiexec.exe
Token: SeLockMemoryPrivilege	1844	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1844	msiexec.exe
Token: SeMachineAccountPrivilege	1844	msiexec.exe
Token: SeTcbPrivilege	1844	msiexec.exe
Token: SeSecurityPrivilege	1844	msiexec.exe
Token: SeTakeOwnershipPrivilege	1844	msiexec.exe
Token: SeLoadDriverPrivilege	1844	msiexec.exe
Token: SeSystemProfilePrivilege	1844	msiexec.exe
Token: SeSystemtimePrivilege	1844	msiexec.exe
Token: SeProfSingleProcessPrivilege	1844	msiexec.exe
Token: SeIncBasePriorityPrivilege	1844	msiexec.exe
Token: SeCreatePagefilePrivilege	1844	msiexec.exe
Token: SeCreatePermanentPrivilege	1844	msiexec.exe
Token: SeBackupPrivilege	1844	msiexec.exe
Token: SeRestorePrivilege	1844	msiexec.exe
Token: SeShutdownPrivilege	1844	msiexec.exe
Token: SeDebugPrivilege	1844	msiexec.exe
Token: SeAuditPrivilege	1844	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1844	msiexec.exe
Token: SeChangeNotifyPrivilege	1844	msiexec.exe
Token: SeRemoteShutdownPrivilege	1844	msiexec.exe
Token: SeUndockPrivilege	1844	msiexec.exe
Token: SeSyncAgentPrivilege	1844	msiexec.exe
Token: SeEnableDelegationPrivilege	1844	msiexec.exe
Token: SeManageVolumePrivilege	1844	msiexec.exe
Token: SeImpersonatePrivilege	1844	msiexec.exe
Token: SeCreateGlobalPrivilege	1844	msiexec.exe
Token: SeCreateTokenPrivilege	1844	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1844	msiexec.exe
Token: SeLockMemoryPrivilege	1844	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1844	msiexec.exe
1844	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2996 wrote to memory of 5076	2996	msiexec.exe	94
PID 2996 wrote to memory of 5076	2996	msiexec.exe	94
PID 2996 wrote to memory of 5076	2996	msiexec.exe	94
PID 2996 wrote to memory of 3684	2996	msiexec.exe	102
PID 2996 wrote to memory of 3684	2996	msiexec.exe	102
PID 5076 wrote to memory of 336	5076	MsiExec.exe	105
PID 5076 wrote to memory of 336	5076	MsiExec.exe	105
PID 5076 wrote to memory of 336	5076	MsiExec.exe	105

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\putty-64bit-0.78-installer.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1844

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B5B3DDF86FAAC7351E393F5B0519943D C
  2⤵
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files\PuTTY\README.txt
    3⤵
    PID:336
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3684

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:920

C:\Program Files\PuTTY\putty.exe
"C:\Program Files\PuTTY\putty.exe"
1⤵
- Executes dropped EXE
PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e578751.rbs

Filesize
13KB

MD5
171933a65e70d57b972050f3fa70b2d6

SHA1
f6d0170abeb9612d40567a9787c3e45055a175d5

SHA256
3526cb9aabe8f990ae3ca0dc54f6fff85dc14819566271293288785b98d746be

SHA512
3e9c06b1f3d7ca2a83b35981c4134b45a4b198b33a241756d799f20a82bcdc6a9e47fbec9f4697581c830f8cfee53a22e7f7a34914de7a3a661994b9d7871a3d

Download Submit
C:\Program Files\PuTTY\README.txt

Filesize
1KB

MD5
6cf727766580b6019becca7e62c49e70

SHA1
6842fa969ca4a83a8780e59b75bd30d8859917c1

SHA256
11bdf4f12d34f617cf81f0c30aef7b596dbd00d0d19cf9e3c2e4648d672b3809

SHA512
0710ad72f032f54946b089aed10dc3da00f54d9bf835e09cd6fcc90603afb2ca91a6efd0a496b71d51275828f545996885a8718468d69edb45bd4070234b9234

Download Submit
C:\Program Files\PuTTY\putty.exe

Filesize
1.2MB

MD5
14080a3e4e877be235f06509b2a4b6a9

SHA1
868866bd51f1ac744991c08eda6446222a0ccdae

SHA256
35c9df3a348ae805902a95ab8ad32a6d61ef85ca8249ae78f1077edd2429fe6b

SHA512
78c8fe794d0634c74cf172649cd6c6f46244f327dd1a7a8e029fd3c98302b2df6d6ba4279262cb425fca86fe8ba2ef38293c33b85acb3854faabce934a91fc32

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
765B

MD5
7129a1c8e2d16ebddce0602f794cc98d

SHA1
9d77f567e849734597d58c7f14df4906e4d2fbf3

SHA256
c7626df395bba847bf909e56d1f79f5c24df82e0b586d7183eb6c625eeb8741c

SHA512
efd3b594ca4e436be51a7607eb8bd5a953f92c39933f7997c33b944e135913b10c6300042d9dd45bde892298d317ad8846e3a65ee7ec61bc9fa4d8e56ff8f6f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\AEACCDA8653DD8D7B2EA32F21D15D44F_383EB3891E16580A90C892D349C28A00

Filesize
638B

MD5
78523242051e9c1ac484795c6212fe3d

SHA1
556f20504a5e6a7fd6d9a54645009e9a57788a39

SHA256
435e1f930f6a8392526059882a466be7bc5e2c18eabf1c7dfe4dbc156685864e

SHA512
6a0d775275f1f383ceee03271635e3b30a88fca2c0805bb9d3d289915f3af0e07f75e2ca74c285771b48335d2e50a69586923b666ce42c794767f4095958a4d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
1KB

MD5
8e65db4253b2a136b4dfdfb63f864fc5

SHA1
08290a6aa976eb4f2eeec3054d65f424b1d6a815

SHA256
59efb97c6799ec0fa31fe72ed0a35b22caf960e11561147352e717a81553cf39

SHA512
9c9a0fd4581682f1e3645df14f3ef2fc7b2c751637bd3a5fb9e1aabd7414d3c86517204a5971636fc96c8f4364b72f931082a493bca3cedf636dc984e72d56cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\18E6B4A57A6BC7EC9B861CDF2D6D0D02_C3B142D2C5374581DC2FDFFDEDBDEDDB

Filesize
484B

MD5
bd145ebd25e4ad36c8c3661375f52ddb

SHA1
86777972ce6874b73b381e5b4ee57ea33a329cb5

SHA256
bc869b9628901361b6237ee1870efdeeca0cc4c3d4786571d736d09156d11ba0

SHA512
28dde8c60111b35378b07549e1424821794b4e5dd8ebe39face726606ff57a046394b036d6808cb98d1a2d14bf2c5dd05b7f005106e6c373820933bfe6132450

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\AEACCDA8653DD8D7B2EA32F21D15D44F_383EB3891E16580A90C892D349C28A00

Filesize
488B

MD5
2f11aa946f044b15ce24931408833f02

SHA1
19669633e67e4c4d1874081b4be509b54c7af8f1

SHA256
3c912c974c39a93d8408de72aef9a084ea07b386559f7d42bf3fdeaad7a7090d

SHA512
5b00d76bcfa70feedaa8b7c7eaec171440cbc71830becf712f6fe9d0c46c4af29861c21995e3dcf3d69ce89bbc6e738b4b073a40676e08707af93e620b2f09e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_93702E680A5530C052C8D2BA33A2225F

Filesize
482B

MD5
55875caff6d80ed5d684765ad785c32d

SHA1
f508eedf320878dfe47e99265ce2d9fd9e2a2ab4

SHA256
ad3251443a1e1f1b291dda7c200320b66319fe2e1d11252ec6c29413bbfbbccf

SHA512
595c6755fd1277d880a4e6c985b23576c9be49630a2908ce00049713f820f92571bc54c34162f42acf61bd2890d9eb4f7d60d169cdc4a55cd4dc64a43363c57e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4E2F.tmp

Filesize
102KB

MD5
d9ac1b56edf330a6eb7894ab293f14f6

SHA1
022d8944e3927fff2b330dab54716ddcbb366d16

SHA256
097f1c3f27b18010448d77e3f70c4d9f774cb9c5ab435c62baa1c00e4cadd5ef

SHA512
e434410e2b2c2bb1fba4f3fc7c277b978c45b1df1d3c3994d6dc1530558393d7d42a713506bf95d013b2e40e9da36fd3e588fea8d8dc062a24ad931e4d76c328

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI94FD.tmp

Filesize
199KB

MD5
3a4e61909500d677745ef2ab508f3f3b

SHA1
ee398e1a153ca96c2592816eb8e8b2b7bb845e1e

SHA256
fb7a6eb19d1d1042d3bd8b3add9271116b8b6db3714dfcc0b6fee8e088d4a2cc

SHA512
feba07bba5007a20e0a1e2ca8c9050ae8624e8fbb0f24aada5dc7c2bde3be561b844453a573cab2a24c3769a8dba401db4eeef0d22ef86e2109b67e54392ee45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PuTTY (64-bit)\PuTTY.lnk

Filesize
1KB

MD5
883b6eb3c0a9b880e7d71e2b53b5932c

SHA1
35f1390be0779d42341831e868ea9a6005afff7c

SHA256
03f5c19d08557606d3cccd7c97b74e6eee80df18bbb5f478b269e07d1f89405b

SHA512
cafd6c37c2d933c75ebbbf142e08166e292da50a4c4e51a3475f23c346c239e9761e566abf636dfe73463e8543198188aef41caafc74fc8373d92fff399296ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\PuTTY (64-bit)\PuTTY.lnk~RFe578bb5.TMP

Filesize
1KB

MD5
711a8325a1d1477062c95be8e2c1e3b9

SHA1
53b3805c64e6cda0ffb5e5feec2c9f6c3ff62f33

SHA256
4e815b7a322eb0b3634ea537c68d64b12cec0bec8c01042782407443542d4bd1

SHA512
53440f5d269af140b98394e8f089ac996235d58077431d29f5346186a7db44f119dc8f65bf7984a10c5f73bc7eba2215c08ec767b1abfd0a1b7a8d9b50840a82

Download Submit
C:\Windows\Installer\e578750.msi

Filesize
3.5MB

MD5
108b432c4dc0a66b657d985e180bec71

SHA1
262812d43303b7ddc7c04a1c243172ebe6579f00

SHA256
e64775374097f1b1c8fd4173f7d5be4305b88cec26a56d003113aff2837ae08e

SHA512
5ddb97078b417f22c54dce768564dec58fd92a9c190f7a6cac9c7979a0f136dd439da1d59dd3c088e709433f5c4f79c033abd4b6ca8989d38620c20f4623386e

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
cc93aaed52c9131244503d841556bb5e

SHA1
d4b6a2e4acbeefdc25faec50a6a3ba56c50f4f24

SHA256
c6a434086bca70fa8164dcc8b6278d8400cae96bfc57ab6325deb410476bab3b

SHA512
d7fadbf81739845f8fb1e7e40f3e44ad2c5490fe072bc380f6490ee6f188936d47d50e8bd2a82db2081e3204dff0090a7374937386f5a26f2f82845512894f6d

Download Submit
\??\Volume{8a2a71c9-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0d4aed56-b617-420d-8f63-83fc36fc67e5}_OnDiskSnapshotProp

Filesize
6KB

MD5
adc2b5fb505b3cc1dae1e52efb7209d3

SHA1
16867cf6ab4fa11c78226221d1ded1834702aa90

SHA256
b0a8d50467c4233601fba974853ca851378630bfdff3cd4c9989bfacd63681af

SHA512
873cad6a3f8cc6ac98556c8358b3a5c8b685ab92ae3d07aa0df36c131a724b8e7052c578fdd303cf6fee58ade36bb5098d9af1954be7431d5040b930714178bb

Download Submit