91ff5e398d2c7b7c04e7ddfd58936246839f27d8db7b7474d55e1b38a7b634d0

Analysis

max time kernel
44s
max time network
46s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
20/08/2024, 23:47

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

playit-windows-x86_64-signed.msi
Size

2.1MB
MD5

818632a790c6f405474d29e66bd9bcec
SHA1

0140d14851f2a16e37fe4a3b1c126d4b2cead3b1
SHA256

91ff5e398d2c7b7c04e7ddfd58936246839f27d8db7b7474d55e1b38a7b634d0
SHA512

2285fa657cb372e571d3487d68be9b534b8308cfd086e8a0499945f604339a9d71e4103494d41eaed783bb1ff986307ef9e18dfce67c5e53d4b0b5dd53327b04
SSDEEP

49152:2+vdFMXhTj0et/HJQ+rd7OYJCYE312NXNdmVci2wy9SIT7ZGjYTytJPr+VuOSAEq:2+rYxQ+rxOZ12NbmVci2wy9SIT7ZGjYB

Score

6^/10

persistence privilege_escalation

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
4	860	msiexec.exe
7	860	msiexec.exe
9	860	msiexec.exe
14	860	msiexec.exe
28	860	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\playit_gg\bin\playit.exe	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{FAA19963-3A59-4528-BE85-485602B8F9D1}\ProductICO	msiexec.exe
File created	C:\Windows\Installer\e57e512.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\SourceHash{FAA19963-3A59-4528-BE85-485602B8F9D1}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE678.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{FAA19963-3A59-4528-BE85-485602B8F9D1}\ProductICO	msiexec.exe
File created	C:\Windows\Installer\e57e510.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57e510.msi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
3064	playit.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
860	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000a2808484d8f468e90000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000a28084840000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900a2808484000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1da2808484000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000a280848400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe

Modifies registry class 25 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36991AAF95A38254EB588465208B9F1D\SourceList\Media\1 = ";CD-ROM #1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36991AAF95A38254EB588465208B9F1D\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36991AAF95A38254EB588465208B9F1D\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36991AAF95A38254EB588465208B9F1D\SourceList\Media\DiskPrompt = "Playit Installation"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36991AAF95A38254EB588465208B9F1D\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36991AAF95A38254EB588465208B9F1D\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36991AAF95A38254EB588465208B9F1D\PackageCode = "FE28E6A39F5D08044AC354D4523B6DD4"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36991AAF95A38254EB588465208B9F1D\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36991AAF95A38254EB588465208B9F1D\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36991AAF95A38254EB588465208B9F1D\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AEF046202130BD4399AB6404AFE7E2D	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36991AAF95A38254EB588465208B9F1D\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36991AAF95A38254EB588465208B9F1D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36991AAF95A38254EB588465208B9F1D\ProductName = "playit"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36991AAF95A38254EB588465208B9F1D\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36991AAF95A38254EB588465208B9F1D\SourceList\PackageName = "playit-windows-x86_64-signed.msi"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36991AAF95A38254EB588465208B9F1D\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36991AAF95A38254EB588465208B9F1D\Version = "983059"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36991AAF95A38254EB588465208B9F1D\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36991AAF95A38254EB588465208B9F1D\ProductIcon = "C:\\Windows\\Installer\\{FAA19963-3A59-4528-BE85-485602B8F9D1}\\ProductICO"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36991AAF95A38254EB588465208B9F1D\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36991AAF95A38254EB588465208B9F1D\Environment = "Binaries"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\4AEF046202130BD4399AB6404AFE7E2D\36991AAF95A38254EB588465208B9F1D	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\36991AAF95A38254EB588465208B9F1D\Binaries	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\36991AAF95A38254EB588465208B9F1D	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3316	msiexec.exe
3316	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	860	msiexec.exe
Token: SeIncreaseQuotaPrivilege	860	msiexec.exe
Token: SeSecurityPrivilege	3316	msiexec.exe
Token: SeCreateTokenPrivilege	860	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	860	msiexec.exe
Token: SeLockMemoryPrivilege	860	msiexec.exe
Token: SeIncreaseQuotaPrivilege	860	msiexec.exe
Token: SeMachineAccountPrivilege	860	msiexec.exe
Token: SeTcbPrivilege	860	msiexec.exe
Token: SeSecurityPrivilege	860	msiexec.exe
Token: SeTakeOwnershipPrivilege	860	msiexec.exe
Token: SeLoadDriverPrivilege	860	msiexec.exe
Token: SeSystemProfilePrivilege	860	msiexec.exe
Token: SeSystemtimePrivilege	860	msiexec.exe
Token: SeProfSingleProcessPrivilege	860	msiexec.exe
Token: SeIncBasePriorityPrivilege	860	msiexec.exe
Token: SeCreatePagefilePrivilege	860	msiexec.exe
Token: SeCreatePermanentPrivilege	860	msiexec.exe
Token: SeBackupPrivilege	860	msiexec.exe
Token: SeRestorePrivilege	860	msiexec.exe
Token: SeShutdownPrivilege	860	msiexec.exe
Token: SeDebugPrivilege	860	msiexec.exe
Token: SeAuditPrivilege	860	msiexec.exe
Token: SeSystemEnvironmentPrivilege	860	msiexec.exe
Token: SeChangeNotifyPrivilege	860	msiexec.exe
Token: SeRemoteShutdownPrivilege	860	msiexec.exe
Token: SeUndockPrivilege	860	msiexec.exe
Token: SeSyncAgentPrivilege	860	msiexec.exe
Token: SeEnableDelegationPrivilege	860	msiexec.exe
Token: SeManageVolumePrivilege	860	msiexec.exe
Token: SeImpersonatePrivilege	860	msiexec.exe
Token: SeCreateGlobalPrivilege	860	msiexec.exe
Token: SeBackupPrivilege	3540	vssvc.exe
Token: SeRestorePrivilege	3540	vssvc.exe
Token: SeAuditPrivilege	3540	vssvc.exe
Token: SeBackupPrivilege	3316	msiexec.exe
Token: SeRestorePrivilege	3316	msiexec.exe
Token: SeRestorePrivilege	3316	msiexec.exe
Token: SeTakeOwnershipPrivilege	3316	msiexec.exe
Token: SeRestorePrivilege	3316	msiexec.exe
Token: SeTakeOwnershipPrivilege	3316	msiexec.exe
Token: SeRestorePrivilege	3316	msiexec.exe
Token: SeTakeOwnershipPrivilege	3316	msiexec.exe
Token: SeRestorePrivilege	3316	msiexec.exe
Token: SeTakeOwnershipPrivilege	3316	msiexec.exe
Token: SeRestorePrivilege	3316	msiexec.exe
Token: SeTakeOwnershipPrivilege	3316	msiexec.exe
Token: SeRestorePrivilege	3316	msiexec.exe
Token: SeTakeOwnershipPrivilege	3316	msiexec.exe
Token: SeRestorePrivilege	3316	msiexec.exe
Token: SeTakeOwnershipPrivilege	3316	msiexec.exe
Token: SeRestorePrivilege	3316	msiexec.exe
Token: SeTakeOwnershipPrivilege	3316	msiexec.exe
Token: SeRestorePrivilege	3316	msiexec.exe
Token: SeTakeOwnershipPrivilege	3316	msiexec.exe
Token: SeRestorePrivilege	3316	msiexec.exe
Token: SeTakeOwnershipPrivilege	3316	msiexec.exe
Token: SeRestorePrivilege	3316	msiexec.exe
Token: SeTakeOwnershipPrivilege	3316	msiexec.exe
Token: SeRestorePrivilege	3316	msiexec.exe
Token: SeTakeOwnershipPrivilege	3316	msiexec.exe
Token: SeRestorePrivilege	3316	msiexec.exe
Token: SeTakeOwnershipPrivilege	3316	msiexec.exe
Token: SeRestorePrivilege	3316	msiexec.exe

Suspicious use of FindShellTrayWindow 4 IoCs

pid	Process
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe
860	msiexec.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 3316 wrote to memory of 1944	3316	msiexec.exe	101
PID 3316 wrote to memory of 1944	3316	msiexec.exe	101

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\playit-windows-x86_64-signed.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:860

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:1944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3540

C:\Program Files\playit_gg\bin\playit.exe
"C:\Program Files\playit_gg\bin\playit.exe"
1⤵
- Executes dropped EXE
PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57e511.rbs

Filesize
9KB

MD5
3c8dce2f3278f3f80b7a9623803ea113

SHA1
394be01c4ccf784bda12b5de7c66149047a26ce1

SHA256
34f535969b603d4864cdddb497c65ea9ddd830a9d25627ce0db3240ace6397b2

SHA512
639459704ea805ea2c301c8fabd2341c58ead4f32c2e7f3e4bf395c9f0db6729ac6cd6e95b921b5fb48cad6f66bfa505e490aa1e1a061fe6985b95d0244cb5a5

Download Submit
C:\Program Files\playit_gg\bin\playit.exe

Filesize
3.8MB

MD5
8af54595d5bdfec004a39451268573b2

SHA1
f03fea37148bba2ef7a2d57286a1d85a463287b0

SHA256
f87212b62acb8d8f3b1a0ccc1b02d7af44ba09c7d6a8bf3c62bb7ec03f736166

SHA512
2473aab6ed691483ca5ad52530c648139d20cc5d55875848adfc92fdb415521031f947a80c5c1cb07316ee904b4651ce3f18cc540010d067dce561f889931393

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C42BC945025A34066DAB76EF3F80A05

Filesize
63KB

MD5
44dbe3aa02117bdede435e83b2e215ad

SHA1
2c6a5a8389b76a6f45879c3a3475253084ad5eb5

SHA256
c1eea21d2024ddb7738c29402fb050c7231ecc56fb120852a9fc05c964dc264d

SHA512
f8c6d74c8d9e461734c2ae1e90a5e6e90fed1c64917fbe11ec5f56cb57756462758caed757dbf3442a6f6dbe394473b23dface88589511333e8fafc2736d185e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
727B

MD5
7a3b8457313a521e0d44f91765a4e041

SHA1
4ea8ecb5e7b4c11f4c491caf6cee7ced5ec4c267

SHA256
2b08ecf53bb8b6c430659926148f896102dc80b5f38b0ec5efe122199659651c

SHA512
7349fd1b8c490d540a8bb25f40587f9874ff5d9b1f9bdb2ea69db9218ebdbdccea5e4d6645fbd1098d051b008b1ebfd12a619c3a4d6fb54940705ab14933e159

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C42BC945025A34066DAB76EF3F80A05

Filesize
314B

MD5
dba7ed8860974e3bbbf689823733459d

SHA1
a64ef8419b0cd1e6d7ed715eb39f476ac362b831

SHA256
874d6e539cc78d3d8a2310e714962e382c46414486c4b3558aaedf44d125f88c

SHA512
6ec750202a8624f66c110e9acd3808727bc5daef93aa439de5570922dfe767c8bf771b3f9bdee4538230b9a93f3b928c4b8ad175f9dada0c26081e4c1f5fbf91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FE17BEC2A573BC9AE36869D0274FFA19_6DA81F04C5F9EAD2CD0268808FCE61E1

Filesize
478B

MD5
81517578d2c1f5aa1d8cccba2f828318

SHA1
f67d7e7299a8d24a4efaac85ba288c378c193f33

SHA256
7736a6331e571cb6e189128795ec4019c82ded4309e3bb2aea00fdaf65a9ce74

SHA512
fb9357c3b9a7868cb74bf98307fe7fc2e526c0d4d58f029a27e9464ea19cc67ca6384e3273d034748cac7ac6a534e78563f3bba068af08dfae37d589168d0ba8

Download Submit
C:\Windows\Installer\e57e510.msi

Filesize
2.1MB

MD5
818632a790c6f405474d29e66bd9bcec

SHA1
0140d14851f2a16e37fe4a3b1c126d4b2cead3b1

SHA256
91ff5e398d2c7b7c04e7ddfd58936246839f27d8db7b7474d55e1b38a7b634d0

SHA512
2285fa657cb372e571d3487d68be9b534b8308cfd086e8a0499945f604339a9d71e4103494d41eaed783bb1ff986307ef9e18dfce67c5e53d4b0b5dd53327b04

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
49255eb6ae8a975fc1aa9a81f1e06a3a

SHA1
23b3fc84b7f8be1d0e7ff4a712cbffbc371869ec

SHA256
f7cfec6381369383b2c66bf1c440bbc8ce89a5688487417465a263afa5075252

SHA512
c354e6997e469c905c4795be88a665ef32cab1dcd6185e72213811929004406c9ca35ceaa3b5c70cb6d71c5d88fc6f0b3072c9f593adb32de08a847f5aabc911

Download Submit
\??\Volume{848480a2-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e83ffa53-eafc-48f1-9e35-ddad80127965}_OnDiskSnapshotProp

Filesize
6KB

MD5
d7686fadba20191931cbd0773ea2954f

SHA1
02ad092bbabde3a9675cf77596c7d53934d16772

SHA256
336b5fdf8f2d2c6837ef278d8d29845c5aef1e87804bd9ed911dbb4fa5551051

SHA512
67b0191e820d91a95818a4c4cf6128536f12659fe445b2c81bbd8450c0d91bb3a028ed593d9b5f42ff9226472e743e4716e711ed656a03a76a208c3bf755c204

Download Submit