42c1db18694a798a9248ac6b771fcf7701c6a38a70bd2efbe93828abd896305d

Resubmissions

03-10-2024 12:59

241003-p8gvca1gme 6

03-10-2024 12:56

03-10-2024 12:53

03-10-2024 12:52

03-10-2024 12:46

Analysis

max time kernel
92s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2024 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GazeRecorder1.9.2.msi
Size

19.5MB
MD5

3e0e430226b9781f0a71356d6b6b8d78
SHA1

cdfc7317daca37e7e0ad6b6091d9284cd6b18dea
SHA256

42c1db18694a798a9248ac6b771fcf7701c6a38a70bd2efbe93828abd896305d
SHA512

4655e4a764ac56a49d45b876bd6717aea18fbea4741b649fa441721937fef23c67e4bc3d2067497c9a91bfb9f0004b06d8473e56fd78656b2e343092f3f5971a
SSDEEP

393216:kQcxyvHncyhhFuQYHfWCzFBhHLP532F7WRGz74ehIbLsTHDPBZW9XJAEUNovd:rcEvpHYxxHchDz0SYLsjDPG9/

Score

6^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe

Drops file in Program Files directory 56 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\opencv_stitching248.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\Eye.ico	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\haarcascade_mcs_righteye.xml	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\Shortcut to User's Desktop.lnk	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\opencv_flann248.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\haarcascade_eye.xml	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\GazeBoardLIcencja2.rtf	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\opencv_calib3d248.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\GazeRecorderdfddddf.exe.config	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\opencv_video248.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\wmp.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\GazeRecorder\GazeRecorder\icon.ico	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\DLL.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\opencv_objdetect248.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\Data\Tests\empty\TestFileSettings.xml	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\Interop.WMPLib.DLL	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\opencv_superres248.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\NAudio.DLL	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\iViewXAPI.h	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\SMIConnectionSettings.xml	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\opencv_imgproc248.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\Intrinsics.xml	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\haarcascade_frontalface_default.xml	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\opencv_highgui248.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\GraphLib.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\opencv_legacy248.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\haarcascade_frontalface_alt.xml	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\icon.ico	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\opencv_contrib248.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\opencv_photo248.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\Options.xml	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\opencv_ocl248.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\GazeRecorderdfddddf.exe	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\opencv_ml248.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\ShellBasics.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\AxInterop.WMPLib.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\head.raw	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\EyeTouch.bmp	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\haarcascade_mcs_nose.xml	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\NAudio.WindowsMediaFormat.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\NAudio.xml	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\Shortcut to Primary output from GazeRecoreder (Active).lnk	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\TestFileSettings.xml	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\opencv_core248.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\opencv_gpu248.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\haarcascade_mcs_lefteye.xml	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\EyeLib.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\colorscale.jpg	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\opencv_features2d248.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\opencv_ffmpeg248.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\opencv_nonfree248.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\Distortion.xml	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\opencv_videostab248.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\Trajecoty.xml	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\InputSimulator.dll	msiexec.exe
File created	C:\Program Files (x86)\GazeRecorder\GazeRecorder\haarcascade_mcs_mouth.xml	msiexec.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI2F39.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3053.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{44538B2D-B056-4652-8E12-B63C2F959AF7}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI318D.tmp	msiexec.exe
File created	C:\Windows\Installer\e582eeb.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e582eeb.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\e582eee.msi	msiexec.exe

Loads dropped DLL 4 IoCs

pid	Process
4832	MsiExec.exe
4832	MsiExec.exe
4476	MsiExec.exe
4476	MsiExec.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4704	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000532ba7f3274a467a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000532ba7f30000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900532ba7f3000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d532ba7f3000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000532ba7f300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4504	msiexec.exe
4504	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4704	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4704	msiexec.exe
Token: SeSecurityPrivilege	4504	msiexec.exe
Token: SeCreateTokenPrivilege	4704	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4704	msiexec.exe
Token: SeLockMemoryPrivilege	4704	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4704	msiexec.exe
Token: SeMachineAccountPrivilege	4704	msiexec.exe
Token: SeTcbPrivilege	4704	msiexec.exe
Token: SeSecurityPrivilege	4704	msiexec.exe
Token: SeTakeOwnershipPrivilege	4704	msiexec.exe
Token: SeLoadDriverPrivilege	4704	msiexec.exe
Token: SeSystemProfilePrivilege	4704	msiexec.exe
Token: SeSystemtimePrivilege	4704	msiexec.exe
Token: SeProfSingleProcessPrivilege	4704	msiexec.exe
Token: SeIncBasePriorityPrivilege	4704	msiexec.exe
Token: SeCreatePagefilePrivilege	4704	msiexec.exe
Token: SeCreatePermanentPrivilege	4704	msiexec.exe
Token: SeBackupPrivilege	4704	msiexec.exe
Token: SeRestorePrivilege	4704	msiexec.exe
Token: SeShutdownPrivilege	4704	msiexec.exe
Token: SeDebugPrivilege	4704	msiexec.exe
Token: SeAuditPrivilege	4704	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4704	msiexec.exe
Token: SeChangeNotifyPrivilege	4704	msiexec.exe
Token: SeRemoteShutdownPrivilege	4704	msiexec.exe
Token: SeUndockPrivilege	4704	msiexec.exe
Token: SeSyncAgentPrivilege	4704	msiexec.exe
Token: SeEnableDelegationPrivilege	4704	msiexec.exe
Token: SeManageVolumePrivilege	4704	msiexec.exe
Token: SeImpersonatePrivilege	4704	msiexec.exe
Token: SeCreateGlobalPrivilege	4704	msiexec.exe
Token: SeCreateTokenPrivilege	4704	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4704	msiexec.exe
Token: SeLockMemoryPrivilege	4704	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4704	msiexec.exe
Token: SeMachineAccountPrivilege	4704	msiexec.exe
Token: SeTcbPrivilege	4704	msiexec.exe
Token: SeSecurityPrivilege	4704	msiexec.exe
Token: SeTakeOwnershipPrivilege	4704	msiexec.exe
Token: SeLoadDriverPrivilege	4704	msiexec.exe
Token: SeSystemProfilePrivilege	4704	msiexec.exe
Token: SeSystemtimePrivilege	4704	msiexec.exe
Token: SeProfSingleProcessPrivilege	4704	msiexec.exe
Token: SeIncBasePriorityPrivilege	4704	msiexec.exe
Token: SeCreatePagefilePrivilege	4704	msiexec.exe
Token: SeCreatePermanentPrivilege	4704	msiexec.exe
Token: SeBackupPrivilege	4704	msiexec.exe
Token: SeRestorePrivilege	4704	msiexec.exe
Token: SeShutdownPrivilege	4704	msiexec.exe
Token: SeDebugPrivilege	4704	msiexec.exe
Token: SeAuditPrivilege	4704	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4704	msiexec.exe
Token: SeChangeNotifyPrivilege	4704	msiexec.exe
Token: SeRemoteShutdownPrivilege	4704	msiexec.exe
Token: SeUndockPrivilege	4704	msiexec.exe
Token: SeSyncAgentPrivilege	4704	msiexec.exe
Token: SeEnableDelegationPrivilege	4704	msiexec.exe
Token: SeManageVolumePrivilege	4704	msiexec.exe
Token: SeImpersonatePrivilege	4704	msiexec.exe
Token: SeCreateGlobalPrivilege	4704	msiexec.exe
Token: SeCreateTokenPrivilege	4704	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4704	msiexec.exe
Token: SeLockMemoryPrivilege	4704	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4704	msiexec.exe
4704	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 4832	4504	msiexec.exe	84
PID 4504 wrote to memory of 4832	4504	msiexec.exe	84
PID 4504 wrote to memory of 4832	4504	msiexec.exe	84
PID 4504 wrote to memory of 4888	4504	msiexec.exe	96
PID 4504 wrote to memory of 4888	4504	msiexec.exe	96
PID 4504 wrote to memory of 4476	4504	msiexec.exe	98
PID 4504 wrote to memory of 4476	4504	msiexec.exe	98
PID 4504 wrote to memory of 4476	4504	msiexec.exe	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\GazeRecorder1.9.2.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4704

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 288E4E81656A573C31F82B7AB3F0BAF2 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4832
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4888
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 134642ABDFD237D8E11DC5FA87EE8E38
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4476

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e582eec.rbs

Filesize
25KB

MD5
5dff45f87751aa517997454f676ea925

SHA1
7f0d2732e954fba92df6231489faa1e22fea2d28

SHA256
a7abbaa47aea4ce610d134bb699594224e1907b640f103b06a4bba3a92c66466

SHA512
7d7e0d4a564d36cb819452769d977556c2380b09e32845f8ce6f00af7f6ce0c66fe0cbbf4b66fd4784c2e0c3e02365484a0eb1ba616de570e62689892af2593e

Download Submit
C:\Program Files (x86)\GazeRecorder\GazeRecorder\icon.ico

Filesize
1KB

MD5
0e07a06c3e8444ac835774be6241cb51

SHA1
220306a1863f5afb49610c9a3759b9116500095f

SHA256
8010ae8b6b0e470b3483638d62a33d0cfb1ce8b1bc64fc087033dfcadb10e8eb

SHA512
0e00155923230f7c2c5b820684aa1b2fd009b657e5d1c36f99245fddb31de79996df759573306dc2a06210c464fb2a94c82c6db99c858e832c1f62df36a478d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAF7A.tmp

Filesize
231KB

MD5
5494165b1384faeefdd3d5133df92f5a

SHA1
b7b82805f1a726c4eee39152d1a6a59031d7798c

SHA256
ba0ad3a4d2112b269e379a2231128e7ebe23e95d5d04878d6ee8815e657bb055

SHA512
ecd5012df2a060fa58664e856a84716f162d3420e7a7a1368612451ec65f2dcd674c7031d780a6c9d357700f6baeb31325748bc29270850ee4070079f15be613

Download Submit
C:\Windows\Installer\e582eeb.msi

Filesize
19.5MB

MD5
3e0e430226b9781f0a71356d6b6b8d78

SHA1
cdfc7317daca37e7e0ad6b6091d9284cd6b18dea

SHA256
42c1db18694a798a9248ac6b771fcf7701c6a38a70bd2efbe93828abd896305d

SHA512
4655e4a764ac56a49d45b876bd6717aea18fbea4741b649fa441721937fef23c67e4bc3d2067497c9a91bfb9f0004b06d8473e56fd78656b2e343092f3f5971a

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.7MB

MD5
981284f49ab82a1af0cf301632521573

SHA1
bfad9be9791e53a60a1bb92eb5ac1a6f736d7278

SHA256
4cf2419425b1210642cf60a3a312ec90de5d6d0c8fa134c46653e41d6260b314

SHA512
1d3b64aa2cf9e88474ba69b9bb345d305a012ba79b77cccc40629b1bbf86ae34f2478b4c1b31fe0267c53948f2089035f92216653256f5ee72c989c3fa50ae48

Download Submit
\??\Volume{f3a72b53-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{0114b156-7492-4ae8-a9ff-9835c2d6a8ec}_OnDiskSnapshotProp

Filesize
6KB

MD5
11179dac16fe8ead0516719d525ff32f

SHA1
f87d18a5cd5fc214aeeb6d6f3bb24650eb76ccdd

SHA256
52452c13050ae7d8ed307a922b4fa78d1200329907f5fe4b000f54a03abdd6bb

SHA512
b003ea4be0625dc54670d399bc2ba030c815a7119749e2ead71e0f7ba9fe075bfb91d99e1fd19a7beb88ebddfb79434f2645781487598dd6478955f33c35795a

Download Submit