netsupport | 922590e679f418d5e871ed027a0fb986c15439d381046e2c6c01d1f100da1ed3

Analysis

max time kernel
93s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
26/09/2024, 02:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

922590e679f418d5e871ed027a0fb986c15439d381046e2c6c01d1f100da1ed3.msi
Size

2.2MB
MD5

bbf5cd6b084221a207c6d4948b48cf52
SHA1

6c4560eb2358f2a0041e1db56bcce232fb13d20d
SHA256

922590e679f418d5e871ed027a0fb986c15439d381046e2c6c01d1f100da1ed3
SHA512

09f6eb8582c170fb5bd01d5f9f57697d5c3e011df1790ddc44cff2c15a7df35d2c7273f68ffef7a54e45c72e99299ddf048ea65696a9eaf70df7d6005ab5e328
SSDEEP

49152:FEiJT5NKpt6ikhfxm2C6VQQQe/dJLXgiTRsanWzywHB5PML5YmbK:FEiJVNut6zhfxo6aArs1yg5P4bK

Score

10^/10

netsupport discovery persistence privilege_escalation rat

Malware Config

Signatures

NetSupport
NetSupport is a remote access tool sold as a legitimate system administration software.
rat netsupport

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSOneDrive = "C:\\Users\\Admin\\AppData\\Local\\MsOneDrive\\client32.exe"	reg.exe

Blocklisted process makes network request 4 IoCs

flow	pid	Process
2	4676	msiexec.exe
6	4676	msiexec.exe
10	4676	msiexec.exe
12	4676	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIA3D1.tmp	msiexec.exe
File created	C:\Windows\Installer\e57a2ca.msi	msiexec.exe
File created	C:\Windows\Installer\e57a2c8.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57a2c8.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5FE62CC3-0C02-41FE-96AE-EEEECA11AE27}	msiexec.exe

Executes dropped EXE 1 IoCs

pid	Process
2620	client32.exe

Loads dropped DLL 6 IoCs

pid	Process
2620	client32.exe
2620	client32.exe
2620	client32.exe
2620	client32.exe
2620	client32.exe
2620	client32.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4676	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client32.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e7a671f193ce7b7c0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e7a671f10000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e7a671f1000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de7a671f1000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e7a671f100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2532	reg.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3392	msiexec.exe
3392	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4676	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4676	msiexec.exe
Token: SeSecurityPrivilege	3392	msiexec.exe
Token: SeCreateTokenPrivilege	4676	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4676	msiexec.exe
Token: SeLockMemoryPrivilege	4676	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4676	msiexec.exe
Token: SeMachineAccountPrivilege	4676	msiexec.exe
Token: SeTcbPrivilege	4676	msiexec.exe
Token: SeSecurityPrivilege	4676	msiexec.exe
Token: SeTakeOwnershipPrivilege	4676	msiexec.exe
Token: SeLoadDriverPrivilege	4676	msiexec.exe
Token: SeSystemProfilePrivilege	4676	msiexec.exe
Token: SeSystemtimePrivilege	4676	msiexec.exe
Token: SeProfSingleProcessPrivilege	4676	msiexec.exe
Token: SeIncBasePriorityPrivilege	4676	msiexec.exe
Token: SeCreatePagefilePrivilege	4676	msiexec.exe
Token: SeCreatePermanentPrivilege	4676	msiexec.exe
Token: SeBackupPrivilege	4676	msiexec.exe
Token: SeRestorePrivilege	4676	msiexec.exe
Token: SeShutdownPrivilege	4676	msiexec.exe
Token: SeDebugPrivilege	4676	msiexec.exe
Token: SeAuditPrivilege	4676	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4676	msiexec.exe
Token: SeChangeNotifyPrivilege	4676	msiexec.exe
Token: SeRemoteShutdownPrivilege	4676	msiexec.exe
Token: SeUndockPrivilege	4676	msiexec.exe
Token: SeSyncAgentPrivilege	4676	msiexec.exe
Token: SeEnableDelegationPrivilege	4676	msiexec.exe
Token: SeManageVolumePrivilege	4676	msiexec.exe
Token: SeImpersonatePrivilege	4676	msiexec.exe
Token: SeCreateGlobalPrivilege	4676	msiexec.exe
Token: SeBackupPrivilege	4380	vssvc.exe
Token: SeRestorePrivilege	4380	vssvc.exe
Token: SeAuditPrivilege	4380	vssvc.exe
Token: SeBackupPrivilege	3392	msiexec.exe
Token: SeRestorePrivilege	3392	msiexec.exe
Token: SeRestorePrivilege	3392	msiexec.exe
Token: SeTakeOwnershipPrivilege	3392	msiexec.exe
Token: SeRestorePrivilege	3392	msiexec.exe
Token: SeTakeOwnershipPrivilege	3392	msiexec.exe
Token: SeRestorePrivilege	3392	msiexec.exe
Token: SeTakeOwnershipPrivilege	3392	msiexec.exe
Token: SeRestorePrivilege	3392	msiexec.exe
Token: SeTakeOwnershipPrivilege	3392	msiexec.exe
Token: SeRestorePrivilege	3392	msiexec.exe
Token: SeTakeOwnershipPrivilege	3392	msiexec.exe
Token: SeRestorePrivilege	3392	msiexec.exe
Token: SeTakeOwnershipPrivilege	3392	msiexec.exe
Token: SeRestorePrivilege	3392	msiexec.exe
Token: SeTakeOwnershipPrivilege	3392	msiexec.exe
Token: SeRestorePrivilege	3392	msiexec.exe
Token: SeTakeOwnershipPrivilege	3392	msiexec.exe
Token: SeRestorePrivilege	3392	msiexec.exe
Token: SeTakeOwnershipPrivilege	3392	msiexec.exe
Token: SeRestorePrivilege	3392	msiexec.exe
Token: SeTakeOwnershipPrivilege	3392	msiexec.exe
Token: SeRestorePrivilege	3392	msiexec.exe
Token: SeTakeOwnershipPrivilege	3392	msiexec.exe
Token: SeRestorePrivilege	3392	msiexec.exe
Token: SeTakeOwnershipPrivilege	3392	msiexec.exe
Token: SeRestorePrivilege	3392	msiexec.exe
Token: SeTakeOwnershipPrivilege	3392	msiexec.exe
Token: SeRestorePrivilege	3392	msiexec.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4676	msiexec.exe
4676	msiexec.exe
2620	client32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3392 wrote to memory of 4576	3392	msiexec.exe	92
PID 3392 wrote to memory of 4576	3392	msiexec.exe	92
PID 3392 wrote to memory of 2532	3392	msiexec.exe	95
PID 3392 wrote to memory of 2532	3392	msiexec.exe	95
PID 3392 wrote to memory of 2620	3392	msiexec.exe	94
PID 3392 wrote to memory of 2620	3392	msiexec.exe	94
PID 3392 wrote to memory of 2620	3392	msiexec.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\922590e679f418d5e871ed027a0fb986c15439d381046e2c6c01d1f100da1ed3.msi
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4676

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3392
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4576
- C:\Users\Admin\AppData\Local\MsOneDrive\client32.exe
  "C:\Users\Admin\AppData\Local\MsOneDrive\client32.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  PID:2620
- C:\Windows\system32\reg.exe
  reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v MSOneDrive /t REG_SZ /d "C:\Users\Admin\AppData\Local\MsOneDrive\client32.exe"
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:2532

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57a2c9.rbs

Filesize
10KB

MD5
8bdb64e1e7c7a1ea1b0a80ec0e79a655

SHA1
98d383cc9f08cdabc846cdccedcd7bb02a9c2c70

SHA256
b3c7b4a036a871e2b59bb1a5d32a2fbff84ac2537a1bc8378a9f2ac2cc995703

SHA512
f15636ba7d08850f618b301c2bd1656c948c60ae291d93a4ad9da3dab7a1a5869cb639e4341b37d389836fbf1f589ca2894cbf79354de48198f00cbb0b9458f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30069012ED3CF5DB92F9F4FC78D55E2D_16AA5B9B040CB195ADDB70661F18F3C5

Filesize
1KB

MD5
d0412981888317bab9a04146957f3573

SHA1
933b8dd26c04196f28932b578f209736717ed85a

SHA256
dc2bf8a6ed4da7c429c8893f061b532e8d33e16f0e3e8fb4a4bb7195a2daccdf

SHA512
c427548bbaf8313834af55d641b2c736dc3c0e8e62014980e8c54894586176fdaed4c94a65a9c0e8e5162f080bb16694bc13267a2e98615bf826a1623695311c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B03113490075047F519A3F760F0FF379_EAA7EAA3882323A05D27C396DC25384C

Filesize
2KB

MD5
830f23aac335fdb9ee36cea170f4d4f5

SHA1
2db892d01fd2b2936666c8f4bade59a98e8abf88

SHA256
304094b2b4556837950512f2b174c48ccbecf75dc6eef9c1180a0f4154c97055

SHA512
2d0b7f380c16661547042175fc1acebdc170e6c6a149612b2602d7d4d7495b2d44186a6cd66ba95f8a5150881573a2dcee3443cce89fe93da7008bd65b1f153e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30069012ED3CF5DB92F9F4FC78D55E2D_16AA5B9B040CB195ADDB70661F18F3C5

Filesize
412B

MD5
606daf9f63f90940541f33f239513acd

SHA1
9881b04b8b2a686f2735844176743480c8136ee5

SHA256
25d4fe2e1bb18cad85e24cef9faad494471270ff88aaad459979d87d9a42543f

SHA512
6846184d5450d3e986c74cb105eae0ef7bbc7bb076a0d1d49fc4d4bada843cf10fdd6a4aeb137adac61ecd606de3bf11dc2931dc2178d0e586ddf09477b846f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B03113490075047F519A3F760F0FF379_EAA7EAA3882323A05D27C396DC25384C

Filesize
428B

MD5
e574f29c58cc2674044c77b4a774d92d

SHA1
89e4c28d98c3f9092cc5b99dab681c9ab4917a75

SHA256
5dcc486b8c29cfa04464a3556d3b92649ab76d45e10f6feecf7576e1aefc8061

SHA512
29f5cf48bff6b197bef791dde32a061f7a2d9664def3c969e2c7da4f442a8138a59ab98b4b9a684b4077fb209508fdf53ce51bc738b8a0f981a67bd43610236c

Download Submit
C:\Users\Admin\AppData\Local\MsOneDrive\HTCTL32.DLL

Filesize
306KB

MD5
3eed18b47412d3f91a394ae880b56ed2

SHA1
1b521a3ed4a577a33cce78eee627ae02445694ab

SHA256
13a17f2ad9288aac8941d895251604beb9524fa3c65c781197841ee15480a13f

SHA512
835f35af4fd241caa8b6a639626b8762db8525ccceb43afe8fffc24dffad76ca10852a5a8e9fc114bfbf7d1dc1950130a67037fc09b63a74374517a1f5448990

Download Submit
C:\Users\Admin\AppData\Local\MsOneDrive\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Users\Admin\AppData\Local\MsOneDrive\NSM.LIC

Filesize
262B

MD5
b9956282a0fed076ed083892e498ac69

SHA1
d14a665438385203283030a189ff6c5e7c4bf518

SHA256
fcc6afd664a8045bd61c398be3c37a97536a199a48d277e11977f93868ae1acc

SHA512
7daa09113c0e8a36c91cc6d657c65851a20dff6b60ac3d2f40c5737c12c1613c553955f84d131ba2139959973fef9fc616ca5e968cb16c25acf2d4739eed87eb

Download Submit
C:\Users\Admin\AppData\Local\MsOneDrive\PCICAPI.dll

Filesize
44KB

MD5
9daa86d91a18131d5caf49d14fb8b6f2

SHA1
6b2f7ceb6157909e114a2b05a48a1a2606b5caf1

SHA256
1716640cce74322f7ee3e3e02b75cd53b91686f66e389d606dab01bd9f88c557

SHA512
9a98e0d9e2dda8aefa54bddb3c7b71501d638dff68863939de6caa117b0e7bf15e581a75419ef8a0da3f1c56a19f1b0f4c86d65f8581773ab88ff5764b9bb3aa

Download Submit
C:\Users\Admin\AppData\Local\MsOneDrive\PCICHEK.DLL

Filesize
27KB

MD5
e311935a26ee920d5b7176cfa469253c

SHA1
eda6c815a02c4c91c9aacd819dc06e32ececf8f0

SHA256
0038ab626624fa2df9f65dd5e310b1206a9cd4d8ab7e65fb091cc25f13ebd34e

SHA512
48164e8841cfc91f4cbf4d3291d4f359518d081d9079a7995378f970e4085b534f4bafc15b83f4824cc79b5a1e54457b879963589b1acbcfe727a03eb3dffd1c

Download Submit
C:\Users\Admin\AppData\Local\MsOneDrive\PCICL32.dll

Filesize
3.3MB

MD5
f782c24a376285c9b8a3a116175093f8

SHA1
b8fdb6e95c7313cf31f14a3a31cc334b56e6df09

SHA256
c7baf1647f6fef1b1a4231c9743f20f7a4b524ca4eb987a0acbeeef7e037d7e3

SHA512
256385a6663dcf70a5a9a1b766d1f826760f07efa9b9248047dc43d41f6a9f4dd56ca2b218c222ea1d441e2f7ba9bb114cde6954827b9761ebb1f23bba7ad1bb

Download Submit
C:\Users\Admin\AppData\Local\MsOneDrive\client32.exe

Filesize
104KB

MD5
f6abef857450c97ea74cd8f0eb9a8c0a

SHA1
a1acdd10f5a8f8b086e293c6a60c53630ad319fb

SHA256
db0acb4a3082edc19ca9a78b059258ea36b4be16eee4f1172115fc83e693a903

SHA512
b6a2196ebfa51bb3fb8fb2b95ad5275828ab5435fd859fc993e2b3ed92a74799fe1c8b178270f99c79432f39aa9dbc0090038f037fcb651ab75c14b18102671f

Download Submit
C:\Users\Admin\AppData\Local\MsOneDrive\client32.ini

Filesize
664B

MD5
14f6ebed5e1176f17c18d00a2dc64b2e

SHA1
cb9c079373658ce098e1d07d4a2c997bf3141b4b

SHA256
d4c1f00382f01abbb3142ef6d9c3e51557d0ced12a52861d8c5df44d1ce723ac

SHA512
e5f24a695749d693e873ea60b8caaff5cb3b306887721e3f9f308afe697fba37f3a6226322aedebb46764d6bbbaf21df44d4c6a02db49b067437d7e7d0cceaf9

Download Submit
C:\Windows\Installer\e57a2c8.msi

Filesize
2.2MB

MD5
bbf5cd6b084221a207c6d4948b48cf52

SHA1
6c4560eb2358f2a0041e1db56bcce232fb13d20d

SHA256
922590e679f418d5e871ed027a0fb986c15439d381046e2c6c01d1f100da1ed3

SHA512
09f6eb8582c170fb5bd01d5f9f57697d5c3e011df1790ddc44cff2c15a7df35d2c7273f68ffef7a54e45c72e99299ddf048ea65696a9eaf70df7d6005ab5e328

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
a168d288ec4ddca59252fb63b1634543

SHA1
50485c9e2b7c2d31f78a16371db2499150ac8fac

SHA256
37f3d5960a3a5beb82c00bb98330a7c8f61bbf84ce94858e54224884a0ba9a74

SHA512
5c5b6e7a706dc02fb8f525098ac89ceea75265cca7574d4162b38f3a22c15209d088bb6582ccd0e31792ed98d57924c67b694b72f2d1cedc0a00c5ee943b0eee

Download Submit
\??\Volume{f171a6e7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{b298bd3d-b913-47de-9152-2f84f1164f1e}_OnDiskSnapshotProp

Filesize
6KB

MD5
78d330358eb4003685b810878f737bf0

SHA1
f6e1c88225c001dececa075d9e12bc28d5b00902

SHA256
0dfa0299bf99d3e5484da6c3169d09b4a9d1a460ea29a5183d7759599f0d9e96

SHA512
f1a745b40d93e5b36ab9e4dccd15e6fc1633e400300bac3717e2e83f74c3e0deab04fabe90e08fdd433e5ce2909e4996e3153b84a7d5c5d1d9a4cd951fa76347

Download Submit