Analysis
max time kernel: 149s
max time network: 150s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 13/06/2024, 11:07
Static task: static1
Behavioral task: behavioral1
Sample: MTK Setup Yan Sanayi 2023/MTKSetup.msi
Resource: win10v2004-20240611-en
Behavioral task: behavioral2
Sample: MTK Setup Yan Sanayi 2023/MTKSetup.msi
Resource: win11-20240611-en
Behavioral task: behavioral3
Sample: MTK Setup Yan Sanayi 2023/setup.exe
Resource: win10v2004-20240611-en
Behavioral task: behavioral4
Sample: MTK Setup Yan Sanayi 2023/setup.exe
Resource: win11-20240611-en
General
Target: MTK Setup Yan Sanayi 2023/setup.exe
Size: 501KB
MD5: ef88383d678def60df0ecbe0604343a1
SHA1: 90abf6ed361e3462ac0267b7f7845dbb1adf1430
SHA256: c065398c50957b851f43f0d4a640dbcb41806f9354f22a14701c47aa0beae5d0
SHA512: 5d993f6286071eccba13a3854f4569893785fb2c7d6ae73cbad226d00d8e8eb3023876773e3945834c44d21f45f9dee1387caae65eb1bbc8170edb9c20e31771
SSDEEP: 12288:sDPdsil5fCMggBIiMVO26kk+FG9eMb01JQntLOCVMU:sD1s2ts96kTGemV
Malware Config
Signatures
-
Loads dropped DLL 4 IoCs
pid Process
1700 MsiExec.exe
1700 MsiExec.exe
4164 MsiExec.exe
4164 MsiExec.exe
Enumerates connected drives 3 TTPs 46 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Windows directory 18 IoCs
description ioc Process
File opened for modification C:\Windows\Installer\e59695f.msi msiexec.exe
File opened for modification C:\Windows\Installer\MSI69CC.tmp msiexec.exe
File opened for modification C:\Windows\Installer\MSI6A4A.tmp msiexec.exe
File created C:\Windows\SystemTemp\~DFF29230B6B83697A6.TMP msiexec.exe
File created C:\Windows\Installer\SourceHash{8D4FF92D-A975-4ED4-B1E5-E6EF3D18F4BA} msiexec.exe
File opened for modification C:\Windows\Installer\MSI6A99.tmp msiexec.exe
File created C:\Windows\Fonts\pdf417_0.ttf msiexec.exe
File created C:\Windows\Fonts\code128.ttf msiexec.exe
File created C:\Windows\Installer\{8D4FF92D-A975-4ED4-B1E5-E6EF3D18F4BA}\_5F5DDA5918C8C8F4805010.exe msiexec.exe
File opened for modification C:\Windows\Installer\{8D4FF92D-A975-4ED4-B1E5-E6EF3D18F4BA}\_5F5DDA5918C8C8F4805010.exe msiexec.exe
File created C:\Windows\Installer\e596961.msi msiexec.exe
File created C:\Windows\SystemTemp\~DF139E904560A43A58.TMP msiexec.exe
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe
File opened for modification C:\Windows\Installer\ msiexec.exe
File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe
File created C:\Windows\SystemTemp\~DFAE1A7B0DBE301468.TMP msiexec.exe
File created C:\Windows\Installer\e59695f.msi msiexec.exe
File created C:\Windows\SystemTemp\~DFF3E9DBA756935B62.TMP msiexec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Modifies data under HKEY_USERS 3 IoCs
description ioc Process
Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a msiexec.exe
Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b msiexec.exe
Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E msiexec.exe
Modifies registry class 28 IoCs
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process
3864 msiexec.exe
3864 msiexec.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process
4692 msiexec.exe
Suspicious use of WriteProcessMemory 11 IoCs
description pid Process procid_target
PID 2004 wrote to memory of 4692 2004 setup.exe 79
PID 2004 wrote to memory of 4692 2004 setup.exe 79
PID 2004 wrote to memory of 4692 2004 setup.exe 79
PID 3864 wrote to memory of 1700 3864 msiexec.exe 84
PID 3864 wrote to memory of 1700 3864 msiexec.exe 84
PID 3864 wrote to memory of 1700 3864 msiexec.exe 84
PID 3864 wrote to memory of 1484 3864 msiexec.exe 88
PID 3864 wrote to memory of 1484 3864 msiexec.exe 88
PID 3864 wrote to memory of 4164 3864 msiexec.exe 90
PID 3864 wrote to memory of 4164 3864 msiexec.exe 90
PID 3864 wrote to memory of 4164 3864 msiexec.exe 90
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
"C:\Users\Admin\AppData\Local\Temp\MTK Setup Yan Sanayi 2023\setup.exe" (PID: 2004)
- Suspicious use of WriteProcessMemory
    "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\MTK Setup Yan Sanayi 2023\MTKSetup.msi" (PID: 4692)
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe /V (PID: 3864)
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
    C:\Windows\syswow64\MsiExec.exe -Embedding CD30DA386A4C53954B55D7B8569992F3 C (PID: 1700)
    - Loads dropped DLL
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 (PID: 1484)
    C:\Windows\syswow64\MsiExec.exe -Embedding BF789224BA3FEF85656C05F2E117E72A (PID: 4164)
    - Loads dropped DLL
C:\Windows\system32\vssvc.exe (PID: 4480)
- Checks SCSI registry key(s)
Network
MITRE ATT&CK Enterprise v15
Downloads