netsupport | 98e12e68c45dc1b540c7f1c87e4293e3f0f0fecae98d3f49b60fdb4f646082d1

Analysis

max time kernel
92s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

98e12e68c45dc1b540c7f1c87e4293e3f0f0fecae98d3f49b60fdb4f646082d1(1).msi
Size

2.2MB
MD5

0a86f111f1e8ec51d2ce46864f7f4576
SHA1

7f3065bca7f7d261b431a909c7bb051c7bd79eae
SHA256

98e12e68c45dc1b540c7f1c87e4293e3f0f0fecae98d3f49b60fdb4f646082d1
SHA512

f5528f4039eeae866edbe378a54f1480e0ad621fbe895e01d933699ab7361e529720b23b98587a02b78571f5b45ce71840295697a2a1a34b77aec7fd067c5be9
SSDEEP

49152:lEiJT5NKpt6ikhfxm2C6VQQQe/dJLXgiTRsanWzywHB5PML5YmbKF:lEiJVNut6zhfxo6aArs1yg5P4bKF

Score

10^/10

netsupport discovery persistence privilege_escalation rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSOneDrive = "C:\\Users\\Admin\\AppData\\Local\\MsOneDrive\\client32.exe"	reg.exe

Blocklisted process makes network request 3 IoCs

flow	pid	Process
4	3664	msiexec.exe
6	3664	msiexec.exe
8	3664	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e57a6fe.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5FE62CC3-0C02-41FE-96AE-EEEECA11AE27}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA846.tmp	msiexec.exe
File created	C:\Windows\Installer\e57a700.msi	msiexec.exe
File created	C:\Windows\Installer\e57a6fe.msi	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
4676	client32.exe

Loads dropped DLL 6 IoCs

pid	Process
4676	client32.exe
4676	client32.exe
4676	client32.exe
4676	client32.exe
4676	client32.exe
4676	client32.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3664	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000082ad35faf8c7b7730000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000082ad35fa0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090082ad35fa000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d82ad35fa000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000082ad35fa00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
5060	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3336	msiexec.exe
3336	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3664	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3664	msiexec.exe
Token: SeSecurityPrivilege	3336	msiexec.exe
Token: SeCreateTokenPrivilege	3664	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3664	msiexec.exe
Token: SeLockMemoryPrivilege	3664	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3664	msiexec.exe
Token: SeMachineAccountPrivilege	3664	msiexec.exe
Token: SeTcbPrivilege	3664	msiexec.exe
Token: SeSecurityPrivilege	3664	msiexec.exe
Token: SeTakeOwnershipPrivilege	3664	msiexec.exe
Token: SeLoadDriverPrivilege	3664	msiexec.exe
Token: SeSystemProfilePrivilege	3664	msiexec.exe
Token: SeSystemtimePrivilege	3664	msiexec.exe
Token: SeProfSingleProcessPrivilege	3664	msiexec.exe
Token: SeIncBasePriorityPrivilege	3664	msiexec.exe
Token: SeCreatePagefilePrivilege	3664	msiexec.exe
Token: SeCreatePermanentPrivilege	3664	msiexec.exe
Token: SeBackupPrivilege	3664	msiexec.exe
Token: SeRestorePrivilege	3664	msiexec.exe
Token: SeShutdownPrivilege	3664	msiexec.exe
Token: SeDebugPrivilege	3664	msiexec.exe
Token: SeAuditPrivilege	3664	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3664	msiexec.exe
Token: SeChangeNotifyPrivilege	3664	msiexec.exe
Token: SeRemoteShutdownPrivilege	3664	msiexec.exe
Token: SeUndockPrivilege	3664	msiexec.exe
Token: SeSyncAgentPrivilege	3664	msiexec.exe
Token: SeEnableDelegationPrivilege	3664	msiexec.exe
Token: SeManageVolumePrivilege	3664	msiexec.exe
Token: SeImpersonatePrivilege	3664	msiexec.exe
Token: SeCreateGlobalPrivilege	3664	msiexec.exe
Token: SeBackupPrivilege	2180	vssvc.exe
Token: SeRestorePrivilege	2180	vssvc.exe
Token: SeAuditPrivilege	2180	vssvc.exe
Token: SeBackupPrivilege	3336	msiexec.exe
Token: SeRestorePrivilege	3336	msiexec.exe
Token: SeRestorePrivilege	3336	msiexec.exe
Token: SeTakeOwnershipPrivilege	3336	msiexec.exe
Token: SeRestorePrivilege	3336	msiexec.exe
Token: SeTakeOwnershipPrivilege	3336	msiexec.exe
Token: SeRestorePrivilege	3336	msiexec.exe
Token: SeTakeOwnershipPrivilege	3336	msiexec.exe
Token: SeRestorePrivilege	3336	msiexec.exe
Token: SeTakeOwnershipPrivilege	3336	msiexec.exe
Token: SeRestorePrivilege	3336	msiexec.exe
Token: SeTakeOwnershipPrivilege	3336	msiexec.exe
Token: SeRestorePrivilege	3336	msiexec.exe
Token: SeTakeOwnershipPrivilege	3336	msiexec.exe
Token: SeRestorePrivilege	3336	msiexec.exe
Token: SeTakeOwnershipPrivilege	3336	msiexec.exe
Token: SeRestorePrivilege	3336	msiexec.exe
Token: SeTakeOwnershipPrivilege	3336	msiexec.exe
Token: SeRestorePrivilege	3336	msiexec.exe
Token: SeTakeOwnershipPrivilege	3336	msiexec.exe
Token: SeRestorePrivilege	3336	msiexec.exe
Token: SeTakeOwnershipPrivilege	3336	msiexec.exe
Token: SeRestorePrivilege	3336	msiexec.exe
Token: SeTakeOwnershipPrivilege	3336	msiexec.exe
Token: SeRestorePrivilege	3336	msiexec.exe
Token: SeTakeOwnershipPrivilege	3336	msiexec.exe
Token: SeRestorePrivilege	3336	msiexec.exe
Token: SeTakeOwnershipPrivilege	3336	msiexec.exe
Token: SeRestorePrivilege	3336	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
3664	msiexec.exe
3664	msiexec.exe
4676	client32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3336 wrote to memory of 3024	3336	msiexec.exe	94
PID 3336 wrote to memory of 3024	3336	msiexec.exe	94
PID 3336 wrote to memory of 5060	3336	msiexec.exe	97
PID 3336 wrote to memory of 5060	3336	msiexec.exe	97
PID 3336 wrote to memory of 4676	3336	msiexec.exe	96
PID 3336 wrote to memory of 4676	3336	msiexec.exe	96
PID 3336 wrote to memory of 4676	3336	msiexec.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\98e12e68c45dc1b540c7f1c87e4293e3f0f0fecae98d3f49b60fdb4f646082d1(1).msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3664

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3336
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:3024
- C:\Users\Admin\AppData\Local\MsOneDrive\client32.exe
  "C:\Users\Admin\AppData\Local\MsOneDrive\client32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:4676
- C:\Windows\system32\reg.exe
  reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v MSOneDrive /t REG_SZ /d "C:\Users\Admin\AppData\Local\MsOneDrive\client32.exe"
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:5060

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57a6ff.rbs

Filesize
10KB

MD5
8879e0d10d6a9c7ee710f87783bf3b51

SHA1
66e7d3b0c4b769d59511f74b7941f8cf95295180

SHA256
3aece3a19c84a8f11960e41cdf3ffe4f89a19c9c1f3685f8600484ae824842ed

SHA512
7e941441df8654a5ab2c16658f281201181b01e4b0226f9bb7efe52ee1f849975c01cc9f8fe52c6134e10ebc1f8f7b462635c9316e58246aaec7efb596129f3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_E55ED4737D009406C9A7181799A97235

Filesize
1KB

MD5
3d18f4b1088e56cd9504f6e257bd0cf7

SHA1
ce17cc39462d149a3bb6cb00e9d1f032efbff6c6

SHA256
c4e6f77edc9aedd20110e30bb2f13eaf21e5787e4306f8c79bd515c29140be0e

SHA512
2d4eed1a09f967a56f3f4d172567e6dfd0e69880c2163525f5fa658ca2168145b2cd6ef7c807fa96253e9ef6b19644653b3d08cce4f997e0f4652974314ec073

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
1KB

MD5
2133785474a990d5a11c5f6578f22d54

SHA1
e6b602c6c8f1155b0795b967c50151adf87d63c4

SHA256
b94159c59d0f4d721336049c4f16d5184dc73bc34fab608d29e4e6897e30cfdb

SHA512
3f6f858c82eaa57a4e18cd074e29d029b2e69ef0e1c914dcab66f79d7a8ba399a49e9792d13c8d45e560e4c8f552ba81307acc09d645426e26249066604430ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_E55ED4737D009406C9A7181799A97235

Filesize
536B

MD5
62f2b1e2d00ceb0fd94981ce915f3c4a

SHA1
28fed2334f287caf859cf71733076d9c9f24736f

SHA256
77b73dfd614840fa1fd070858d142caa462a4731362569ab470faeeaa0db6cbc

SHA512
53b578841281957fde80712291d6b7cddf7f409ae8d22ea049552af80f33359ae24274e1db0c18ba2bf2fdf9bf4382bcd3f66e6ae68b95a5c49f71a46659ac83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E

Filesize
536B

MD5
c5a1fbcfd4fb7a1c4f3ea0316f96d6f1

SHA1
59fec8648bd381169cfd8fcbec97a0e1bd0a4715

SHA256
8894e9a6766b828267ff8d6e285ba44fa1725664d3c65a0e766bcc289c6f1ab5

SHA512
c8c97443634f1e9a4bbe1124ed8ca05835c91feaef3bd2c973fb1430dfd2d403e4ff8408833f16ef01c65b6aa9318108b9c4fac7feff85125a570c3283caf05b

Download Submit
C:\Users\Admin\AppData\Local\MsOneDrive\HTCTL32.DLL

Filesize
306KB

MD5
3eed18b47412d3f91a394ae880b56ed2

SHA1
1b521a3ed4a577a33cce78eee627ae02445694ab

SHA256
13a17f2ad9288aac8941d895251604beb9524fa3c65c781197841ee15480a13f

SHA512
835f35af4fd241caa8b6a639626b8762db8525ccceb43afe8fffc24dffad76ca10852a5a8e9fc114bfbf7d1dc1950130a67037fc09b63a74374517a1f5448990

Download Submit
C:\Users\Admin\AppData\Local\MsOneDrive\NSM.LIC

Filesize
262B

MD5
b9956282a0fed076ed083892e498ac69

SHA1
d14a665438385203283030a189ff6c5e7c4bf518

SHA256
fcc6afd664a8045bd61c398be3c37a97536a199a48d277e11977f93868ae1acc

SHA512
7daa09113c0e8a36c91cc6d657c65851a20dff6b60ac3d2f40c5737c12c1613c553955f84d131ba2139959973fef9fc616ca5e968cb16c25acf2d4739eed87eb

Download Submit
C:\Users\Admin\AppData\Local\MsOneDrive\PCICHEK.DLL

Filesize
27KB

MD5
e311935a26ee920d5b7176cfa469253c

SHA1
eda6c815a02c4c91c9aacd819dc06e32ececf8f0

SHA256
0038ab626624fa2df9f65dd5e310b1206a9cd4d8ab7e65fb091cc25f13ebd34e

SHA512
48164e8841cfc91f4cbf4d3291d4f359518d081d9079a7995378f970e4085b534f4bafc15b83f4824cc79b5a1e54457b879963589b1acbcfe727a03eb3dffd1c

Download Submit
C:\Users\Admin\AppData\Local\MsOneDrive\PCICL32.dll

Filesize
3.3MB

MD5
f782c24a376285c9b8a3a116175093f8

SHA1
b8fdb6e95c7313cf31f14a3a31cc334b56e6df09

SHA256
c7baf1647f6fef1b1a4231c9743f20f7a4b524ca4eb987a0acbeeef7e037d7e3

SHA512
256385a6663dcf70a5a9a1b766d1f826760f07efa9b9248047dc43d41f6a9f4dd56ca2b218c222ea1d441e2f7ba9bb114cde6954827b9761ebb1f23bba7ad1bb

Download Submit
C:\Users\Admin\AppData\Local\MsOneDrive\client32.exe

Filesize
104KB

MD5
f6abef857450c97ea74cd8f0eb9a8c0a

SHA1
a1acdd10f5a8f8b086e293c6a60c53630ad319fb

SHA256
db0acb4a3082edc19ca9a78b059258ea36b4be16eee4f1172115fc83e693a903

SHA512
b6a2196ebfa51bb3fb8fb2b95ad5275828ab5435fd859fc993e2b3ed92a74799fe1c8b178270f99c79432f39aa9dbc0090038f037fcb651ab75c14b18102671f

Download Submit
C:\Users\Admin\AppData\Local\MsOneDrive\client32.ini

Filesize
664B

MD5
14f6ebed5e1176f17c18d00a2dc64b2e

SHA1
cb9c079373658ce098e1d07d4a2c997bf3141b4b

SHA256
d4c1f00382f01abbb3142ef6d9c3e51557d0ced12a52861d8c5df44d1ce723ac

SHA512
e5f24a695749d693e873ea60b8caaff5cb3b306887721e3f9f308afe697fba37f3a6226322aedebb46764d6bbbaf21df44d4c6a02db49b067437d7e7d0cceaf9

Download Submit
C:\Users\Admin\AppData\Local\MsOneDrive\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Local\MsOneDrive\pcicapi.dll

Filesize
44KB

MD5
9daa86d91a18131d5caf49d14fb8b6f2

SHA1
6b2f7ceb6157909e114a2b05a48a1a2606b5caf1

SHA256
1716640cce74322f7ee3e3e02b75cd53b91686f66e389d606dab01bd9f88c557

SHA512
9a98e0d9e2dda8aefa54bddb3c7b71501d638dff68863939de6caa117b0e7bf15e581a75419ef8a0da3f1c56a19f1b0f4c86d65f8581773ab88ff5764b9bb3aa

Download Submit
C:\Windows\Installer\e57a6fe.msi

Filesize
2.2MB

MD5
0a86f111f1e8ec51d2ce46864f7f4576

SHA1
7f3065bca7f7d261b431a909c7bb051c7bd79eae

SHA256
98e12e68c45dc1b540c7f1c87e4293e3f0f0fecae98d3f49b60fdb4f646082d1

SHA512
f5528f4039eeae866edbe378a54f1480e0ad621fbe895e01d933699ab7361e529720b23b98587a02b78571f5b45ce71840295697a2a1a34b77aec7fd067c5be9

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
2c5f2daedfe6cf0458c4d9fe4d41d7a6

SHA1
7dc5bca07b75c1730f6734fce219e573c06ff56d

SHA256
a2f80c9f3f72e9f7c54a57d333f85e11c8e06e73c7997a2d80dd7c55caf0bb75

SHA512
30cf992529ea32999b54b0f4692064b96631ca68404027c2a9d9eaf347f95808ca884ecc4b48110d93f6bc69d774fed2ab1116c8d54113da8c108672fd56e960

Download Submit
\??\Volume{fa35ad82-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e622796e-008d-4d1c-bd39-f117a9d7ede0}_OnDiskSnapshotProp

Filesize
6KB

MD5
d5c9bd0cb2bfcb565456013ebd845a52

SHA1
c4901e235e0bf83a4d7c5cb3ea5ef12b3430d597

SHA256
88605749491cfa9c8d5d39fdc664bfc79ee230cda223e8e617787136bce93e34

SHA512
05a0bbd1cf7c06f726f31e96b3ef01fba34e9268316ffa5aa7389da39b3c6d4969e4e89a51318b24fd688435187b0bee113d651b496162c109e6238d046dccb5

Download Submit