bf066388ba859d290970a6011de59455dcaa6059b0ca120213b0b601ffe59369

Resubmissions

01-12-2024 18:15

241201-wwd19axqbx 10

01-12-2024 18:07

241201-wqgj7axpct 10

Analysis

max time kernel
92s
max time network
159s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
01-12-2024 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

KiPoypXaweM/Requirements/Visual-C-Runtimes-All-in-One-May-2024/vcredist2005_x64.exe
Size

3.0MB
MD5

56eaf4e1237c974f6984edc93972c123
SHA1

ee916012783024dac67fc606457377932c826f05
SHA256

0551a61c85b718e1fa015b0c3e3f4c4eea0637055536c00e7969286b4fa663e0
SHA512

f8e15363e34db5b5445c41eea4dd80b2f682642cb8f1046f30ea4fb5f4f51b0b604f7bcb3000a35a7d3ba1d1bcc07df9b25e4533170c65640b2d137c19916736
SSDEEP

49152:+r67+stI6RWGTAdyvlADUrpTmcOgohwJpEM5grO3oc1OXZViFeRyDErkLUMHzkRN:AM9l8pUr9m30L5grOQXZKAsErkbQRN

Score

7^/10

discovery persistence privilege_escalation

Malware Config

Signatures

Loads dropped DLL 1 IoCs

pid	Process
3500	MsiExec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	vcredist2005_x64.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Sysprep\ActionFiles	TiWorker.exe
File opened for modification	C:\Windows\System32\Sysprep\ActionFiles\Generalize.xml	TiWorker.exe
File opened for modification	C:\Windows\System32\Sysprep\ActionFiles\Specialize.xml	TiWorker.exe
File opened for modification	C:\Windows\System32\Sysprep\ActionFiles\Cleanup.xml	TiWorker.exe
File opened for modification	C:\Windows\System32\Sysprep\ActionFiles\Respecialize.xml	TiWorker.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VC\amd64\msdia80.dll	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\WinSxS\InstallTemp\20241201181757731.0\8.0.50727.6195.policy	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20241201181757356.0\ATL80.dll	msiexec.exe
File created	C:\Windows\WinSxS\Manifests\amd64_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_8448b2bd328df189.manifest	TiWorker.exe
File created	C:\Windows\WinSxS\Temp\InFlight\b0f7495b1d44db0126000000b807ac0a\26e3555b1d44db012e000000b807ac0a_mfc80jpn.dll	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingRenames\14a4b75b1d44db0148000000b807ac0a.Generalize.xml	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingRenames\f867bc5b1d44db014a000000b807ac0a.Cleanup.xml	TiWorker.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\WinSxS\Temp\InFlight\b0f7495b1d44db0126000000b807ac0a\c51f515b1d44db012c000000b807ac0a_mfc80fra.dll	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_policy.8.0.microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.6195_none_06366735fd130439.cat	TiWorker.exe
File created	C:\Windows\WinSxS\InstallTemp\20241201181757746.0\8.0.50727.6195.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingRenames\e011685c1d44db0163000000b807ac0a.Respecialize.xml	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\InFlight\a819ae5b1d44db0144000000b807ac0a\a819ae5b1d44db0145000000b807ac0a_manifest	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingRenames\afcdda591d44db0106000000b807ac0a.amd64_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.6195_none_8a1dd9552ed7f8d8.manifest	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\InFlight\88c0f15a1d44db0117000000b807ac0a\88c0f15a1d44db0119000000b807ac0a_mfc80u.dll	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\InFlight\7948c05c1d44db0166000000b807ac0a\7948c05c1d44db0168000000b807ac0a_catalog	TiWorker.exe
File created	C:\Windows\WinSxS\InstallTemp\20241201181757387.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_76301166.manifest	msiexec.exe
File created	C:\Windows\WinSxS\Temp\InFlight\b0f7495b1d44db0126000000b807ac0a\4cbb4e5b1d44db0129000000b807ac0a_mfc80esp.dll	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20241201181757715.1	msiexec.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\4f6feba9ef47626e8728278c7fcdff893b0135e29ed845800a2caae16364031a.cat	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingRenames\f6bb2f5b1d44db011f000000b807ac0a.Specialize.xml	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\8ff02f780acfee139426fe743f849038b8eeb9ce2b41325713d50dae1bfaeb14.cat	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingRenames\f41b705b1d44db0135000000b807ac0a.Respecialize.xml	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\f379a62da7882cfaeecf349a3e71f7ce3a8fb9d10252ea6dfe82aade98d9c1c7.cat	TiWorker.exe
File created	C:\Windows\WinSxS\Temp\InFlight\1408d6591d44db0103000000b807ac0a\1408d6591d44db0104000000b807ac0a_atl80.dll	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.6195_none_8a1dd9552ed7f8d8	TiWorker.exe
File created	C:\Windows\WinSxS\Temp\InFlight\88c0f15a1d44db0117000000b807ac0a\e7e6f85a1d44db011b000000b807ac0a_mfcm80u.dll	TiWorker.exe
File created	C:\Windows\WinSxS\Temp\InFlight\5fdcd15b1d44db014e000000b807ac0a\5fdcd15b1d44db014f000000b807ac0a_manifest	TiWorker.exe
File created	C:\Windows\WinSxS\Manifests\amd64_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_0609074f6952eb26.manifest	TiWorker.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\WinSxS\Temp\InFlight\88c0f15a1d44db0117000000b807ac0a\e7e6f85a1d44db011a000000b807ac0a_mfc80.dll	TiWorker.exe
File created	C:\Windows\WinSxS\Temp\InFlight\b0f7495b1d44db0124000000b807ac0a\b344585b1d44db0130000000b807ac0a_catalog	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\6a203ae94e79b521120dc6becc0a8685eafa0631fa3c4ff93aae85b475d966a0.cat	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\InFlight\5fdcd15b1d44db014e000000b807ac0a\5fdcd15b1d44db014f000000b807ac0a_manifest	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\InFlight\e0efe45b1d44db0152000000b807ac0a\e0efe45b1d44db0153000000b807ac0a_manifest	TiWorker.exe
File created	C:\Windows\WinSxS\InstallTemp\20241201181757387.0\msvcm80.dll	msiexec.exe
File opened for modification	C:\Windows\WinSxS\Catalogs\42094bd6ffb22c1b7ba25167ce361b0ef8de5b55799879a43d35182ef6d15b89.cat	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\InFlight\518c015c1d44db015c000000b807ac0a\518c015c1d44db015d000000b807ac0a_manifest	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingRenames\0e01d15c1d44db016a000000b807ac0a.Generalize.xml	TiWorker.exe
File created	C:\Windows\WinSxS\InstallTemp\20241201181757387.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_76301166.cat	msiexec.exe
File created	C:\Windows\WinSxS\Manifests\amd64_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.6195_none_8a1dd9552ed7f8d8.manifest	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\InFlight\5c5def5a1d44db0115000000b807ac0a\5c5def5a1d44db0116000000b807ac0a_manifest	TiWorker.exe
File created	C:\Windows\WinSxS\Manifests\amd64_policy.8.0.microsoft.vc80.openmp_1fc8b3b9a1e18e3b_8.0.50727.6195_none_23dd61529b99d19d.manifest	TiWorker.exe
File created	C:\Windows\WinSxS\InstallTemp\20241201181757668.0\amd64_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_7735df00.cat	msiexec.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingRenames\a388995a1d44db0109000000b807ac0a.Cleanup.xml	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingRenames\82c2b35a1d44db0114000000b807ac0a.amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294.manifest	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\InFlight\b0f7495b1d44db0126000000b807ac0a\fb594c5b1d44db0128000000b807ac0a_mfc80cht.dll	TiWorker.exe
File created	C:\Windows\WinSxS\Temp\InFlight\518c015c1d44db015c000000b807ac0a\518c015c1d44db015e000000b807ac0a_catalog	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_policy.8.0.microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_0609074f6952eb26.cat	TiWorker.exe
File created	C:\Windows\WinSxS\InstallTemp\20241201181757559.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_9c659d69.manifest	msiexec.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingRenames\c4a3985b1d44db0140000000b807ac0a.Cleanup.xml	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_8448b2bd328df189\mfc80u.dll	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\InFlight\1408d6591d44db0103000000b807ac0a\1408d6591d44db0104000000b807ac0a_atl80.dll	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_88e41e092fab0294\msvcp80.dll	TiWorker.exe
File created	C:\Windows\WinSxS\Temp\InFlight\5fdcd15b1d44db014e000000b807ac0a\5fdcd15b1d44db0150000000b807ac0a_catalog	TiWorker.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\WinSxS\Temp\InFlight\88c0f15a1d44db0117000000b807ac0a\88c0f15a1d44db0118000000b807ac0a_mfcm80.dll	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.vc80.mfc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_8448b2bd328df189\mfc80.dll	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\PendingRenames\b344585b1d44db0131000000b807ac0a.amd64_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_bc20f59b0bdd1acd.manifest	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_bc20f59b0bdd1acd\mfc80CHS.dll	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.6195_none_8a1dd9552ed7f8d8.manifest	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Manifests\amd64_microsoft.vc80.atl_1fc8b3b9a1e18e3b_8.0.50727.6195_none_8a1dd9552ed7f8d8.cat	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\amd64_microsoft.vc80.mfcloc_1fc8b3b9a1e18e3b_8.0.50727.6195_none_bc20f59b0bdd1acd\mfc80KOR.dll	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\Temp\InFlight\35f3875b1d44db0138000000b807ac0a\35f3875b1d44db0139000000b807ac0a_manifest	TiWorker.exe
File created	C:\Windows\WinSxS\Temp\InFlight\a819ae5b1d44db0144000000b807ac0a\a819ae5b1d44db0146000000b807ac0a_catalog	TiWorker.exe

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
1088	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vcredist2005_x64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000fbf239697f82b3040000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000fbf239690000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900fbf23969000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1dfbf23969000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000fbf2396900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\25	msiexec.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.ATL,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e005a00310021003d00520046007900460072005700650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFCLOC,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e00530021004900240047002e004f005f0078006800650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.OpenMP,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e007e0078002d00360076007a0045007a007e003200650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\5 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\PackageCode = "C558A51006735C645AEE5A0FC6A310C9"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6\1af2a8da7e60d0b429d7e6453b3d0182	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\6 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182\VC_Redist	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Language = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\2 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\9 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\10 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\7 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\8 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\11 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.CRT,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e0049004c005400540052005900320074004f005700650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.ATL,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e007b004c0046003d0042004900620074004f002800650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1af2a8da7e60d0b429d7e6453b3d0182\Servicing_Key	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\AdvertiseFlags = "388"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\92091D8AC5E822E408118470F0E997E6	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Net	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.MFC,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e0069002a0048004e00530057007d0024007e005500650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.OpenMP,type="win32",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e007a0050005400310026006e0073004b0064007a00650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.CRT,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e004b0039007000540041002700650026005d002900650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\ProductName = "Microsoft Visual C++ 2005 Redistributable (x64)"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\PackageName = "vcredist.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\1 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\3 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\SourceList\Media\4 = ";Microsoft Visual C++ 2005 Redistributable (x64) [Disk 1]"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFC,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e00240062003000290043004b0076003d0035002700650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\policy.8.0.Microsoft.VC80.MFCLOC,type="win32-policy",version="8.0.50727.6195",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="amd64" = 2c006c0076006a0060006f002c0042002d00400050002e0059002e00430039007300560073003000560043005f005200650064006900730074003e00500054005d002700660025002b0027004b002800650038004d006b0062004900640046007700550000000000	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\Version = "134278728"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1af2a8da7e60d0b429d7e6453b3d0182\AuthorizedLUAApp = "0"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3564	msiexec.exe
3564	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1088	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1088	msiexec.exe
Token: SeSecurityPrivilege	3564	msiexec.exe
Token: SeCreateTokenPrivilege	1088	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1088	msiexec.exe
Token: SeLockMemoryPrivilege	1088	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1088	msiexec.exe
Token: SeMachineAccountPrivilege	1088	msiexec.exe
Token: SeTcbPrivilege	1088	msiexec.exe
Token: SeSecurityPrivilege	1088	msiexec.exe
Token: SeTakeOwnershipPrivilege	1088	msiexec.exe
Token: SeLoadDriverPrivilege	1088	msiexec.exe
Token: SeSystemProfilePrivilege	1088	msiexec.exe
Token: SeSystemtimePrivilege	1088	msiexec.exe
Token: SeProfSingleProcessPrivilege	1088	msiexec.exe
Token: SeIncBasePriorityPrivilege	1088	msiexec.exe
Token: SeCreatePagefilePrivilege	1088	msiexec.exe
Token: SeCreatePermanentPrivilege	1088	msiexec.exe
Token: SeBackupPrivilege	1088	msiexec.exe
Token: SeRestorePrivilege	1088	msiexec.exe
Token: SeShutdownPrivilege	1088	msiexec.exe
Token: SeDebugPrivilege	1088	msiexec.exe
Token: SeAuditPrivilege	1088	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1088	msiexec.exe
Token: SeChangeNotifyPrivilege	1088	msiexec.exe
Token: SeRemoteShutdownPrivilege	1088	msiexec.exe
Token: SeUndockPrivilege	1088	msiexec.exe
Token: SeSyncAgentPrivilege	1088	msiexec.exe
Token: SeEnableDelegationPrivilege	1088	msiexec.exe
Token: SeManageVolumePrivilege	1088	msiexec.exe
Token: SeImpersonatePrivilege	1088	msiexec.exe
Token: SeCreateGlobalPrivilege	1088	msiexec.exe
Token: SeBackupPrivilege	5040	vssvc.exe
Token: SeRestorePrivilege	5040	vssvc.exe
Token: SeAuditPrivilege	5040	vssvc.exe
Token: SeBackupPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe
Token: SeTakeOwnershipPrivilege	3564	msiexec.exe
Token: SeRestorePrivilege	3564	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1088	msiexec.exe
1088	msiexec.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 1088	3068	vcredist2005_x64.exe	84
PID 3068 wrote to memory of 1088	3068	vcredist2005_x64.exe	84
PID 3068 wrote to memory of 1088	3068	vcredist2005_x64.exe	84
PID 3564 wrote to memory of 4680	3564	msiexec.exe	92
PID 3564 wrote to memory of 4680	3564	msiexec.exe	92
PID 3564 wrote to memory of 3500	3564	msiexec.exe	94
PID 3564 wrote to memory of 3500	3564	msiexec.exe	94
PID 3564 wrote to memory of 3500	3564	msiexec.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2005_x64.exe
"C:\Users\Admin\AppData\Local\Temp\KiPoypXaweM\Requirements\Visual-C-Runtimes-All-in-One-May-2024\vcredist2005_x64.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Windows\SysWOW64\msiexec.exe
  msiexec /i vcredist.msi
  2⤵
  - Enumerates connected drives
  - Event Triggered Execution: Installer Packages
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1088

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3564
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4
  2⤵
  PID:4680
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding DC4F7AA8BDD88FC3E4BE91F25F3D2737
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3500

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5040

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
PID:1976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5816e1.rbs

Filesize
73KB

MD5
a7843ed179ab6215cf645fe89ee4d213

SHA1
bb0ea8a5165e5e534f88b744d691c29fbce3e551

SHA256
6d4ff935684ee977195d488a51e92191003f201995070d6946061833830a8e64

SHA512
17109e4ee136ab66f886ecdd6e4a28c07dfe1c450ebc39f8ecc1f9eba2535a92ed1722dd5cb8d0e504f1da4ffbec7a1b4e8606ec38f611cf093ae746ecbbb783

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredis1.cab

Filesize
312KB

MD5
77a9bff5af149160775741e204734d47

SHA1
7b5126af69b5a79593f39db94180f1ff11b0e39d

SHA256
20a26ed9a1edf7763a9b515522c5e29720048a482c7fbc8b7ff6bbdd27e61038

SHA512
bb0440f58f07e113bddd9a0afb5aab8af6493218784fe5fa6f4032e3a37088f91b7e766dee87cec4a9ea11d425d27b3b536430de3a52222e8bca3e0247d81e3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\vcredist.msi

Filesize
3.0MB

MD5
6dbdf338a0a25cdb236d43ea3ca2395e

SHA1
685b6ea61e574e628392eaac8b10aff4309f1081

SHA256
200fef5d4994523a02c4daa00060db28eb289b99d47fc6c1305183101e72bdeb

SHA512
6b5b31c55cf72ab92b17fb6074b3901a1e6afe0796ef9bc831e4dfb97450376d2889cd24b1cf3fce60eb3c1bcd1b31254b5cfa3ef6107974dfa0b35c233daf5a

Download Submit
C:\Windows\Installer\MSI1DB4.tmp

Filesize
28KB

MD5
85221b3bcba8dbe4b4a46581aa49f760

SHA1
746645c92594bfc739f77812d67cfd85f4b92474

SHA256
f6e34a4550e499346f5ab1d245508f16bf765ff24c4988984b89e049ca55737f

SHA512
060e35c4de14a03a2cda313f968e372291866cc4acd59977d7a48ac3745494abc54df83fff63cf30be4e10ff69a3b3c8b6c38f43ebd2a8d23d6c86fbee7ba87d

Download Submit
C:\Windows\System32\Sysprep\ActionFiles\Cleanup.xml

Filesize
12KB

MD5
296b359c3619f6f180a8ef989aea3b21

SHA1
35c67178b7cc3bf3c2e59bfefe5e4f2ae5af94de

SHA256
7f56c3cc359aa2e0a23fe8bd849a5b5daec3917d62ecd883ea0bc7f741807cf7

SHA512
440899a43ac980ea212bbbb2b1b4ee9c1111619e7143dd9742dbf4d366b3c2ad4a24ea4dc5a0f1ba81f6ada645d6e1b28d789ec0a17565f772645e14c9957c36

Download Submit
C:\Windows\System32\Sysprep\ActionFiles\Generalize.xml

Filesize
32KB

MD5
59b37f5621fee0a6921a072a7907fb80

SHA1
46a87791d63bc683631c5939d01c16d6c01617ce

SHA256
ff55642502218ef2577dd4882bf85893e617ce2c8778375da403a7384ac29732

SHA512
c80546f63b55ee56dd62813752dd3c7807a4e2980f6a5746d58ff30e671e4f906eeee7689cdd11b67869393ae12e1b055935c5cfc86387c3a6bf627148ed2e44

Download Submit
C:\Windows\System32\Sysprep\ActionFiles\Respecialize.xml

Filesize
416B

MD5
1284256a218ce90dfc01e4c8b8c80144

SHA1
c2fd19e83bf04de35ebf2d94f22682f52631e482

SHA256
1ae7609bea7ad9dbb3dafb75c02b6db17d292b328a31efde93c5982b1b31c4dd

SHA512
2752918105d2636acbace3902e1a3faf1ba4083210cf31325b275965722fbd97c750feb15c9ab48c30a8151570b584eada538f69ed86580e7984a5416dfb01b0

Download Submit
C:\Windows\System32\Sysprep\ActionFiles\Specialize.xml

Filesize
19KB

MD5
e5caf8c8b79799a1c0b000e6a5203723

SHA1
e805dbd8cdf629d1485281affe3bbbf6ecf140e3

SHA256
8a534ebd54a7e193df2e605c493ebdd902652e489f08ed7fdf1e6b2b2590d9f8

SHA512
3f0eca05073782486d6467ff8a7f2f0dd3c3015f198dee205d007ffb7497bac08af883b55f81fb6750ab59f5be6571a0323c8f8be079e7a5dcaa7b7d430c3619

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757356.0\ATL80.dll

Filesize
111KB

MD5
b95f748c4f100dd0f6e8115cc0968670

SHA1
1fdf6b3801d4ebe3d29bfb4a9dbf9d5a5779ce37

SHA256
9a306e9c79df259187839ec74b7a9f2fcebfa5ee54184bb46c48e605b4120c36

SHA512
e97660a01dfa02464ffc48ebec6b9f2fec0daf12ddf169c811859c9947c2f73b696ab5b80acfc5210ff9e35a4ba723d42f7d8f691c370e19db066c812e8926a6

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757356.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_d6cffeda.cat

Filesize
7KB

MD5
58246b81d7b5783485d651c893c6cbb7

SHA1
869ae6682001c94fb11886e77995ac295067439c

SHA256
8ff02f780acfee139426fe743f849038b8eeb9ce2b41325713d50dae1bfaeb14

SHA512
634c0ee577b044f8e3320af3a3f7ddd8bb3916411a39c0409b717f4d3ba39463bca9be46e2595b358209f8a1ba005b41b4e0d784127db343f1023c6e69fb5c6f

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757356.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_d6cffeda.manifest

Filesize
468B

MD5
a800edb21b7c61760f945a8a4342711e

SHA1
99c90d7ab5dd897f52ce0b75065cf57ef280614c

SHA256
2533db8081d4e5ad6a398b30f111a7b9a2ec4845e50a83b9ea1a59ee109e8720

SHA512
af6a0d26ac30b2c70ee18f516c34a12383e594636bd92b49da9bded43b2bd77ad2337de154c3ab6e02d7387a1dc58079436b295d75b07f84b7c03f53e2e23a42

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757387.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_76301166.cat

Filesize
7KB

MD5
b354cde1be33de4638c2ed962a4a2a08

SHA1
fd27c720683cdff3d03d51f889c372d6ed775f1a

SHA256
6cdbda542c517fe0e758a06948bb2a67a382aa0fa7ba2eec59e7dcdc44028a9c

SHA512
a2b9e1b346d2af88ab26737e8c0a855e657579987483af0d903fb21c9d81d04303e15fb254d0c2b16bb73e553337a1a8415186aa2ea9b330c3d3d383aa971dfa

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757387.0\amd64_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_76301166.manifest

Filesize
1KB

MD5
5007d16dc76d9690bd9f440ed4e0d8e9

SHA1
581a5d414bb73b185e739bf0e289185cd8924698

SHA256
166a9aab866eff598cc4f351741255bb7d9995c5dc2328b818bcedb03eab9b4e

SHA512
d4a4ab4b9214f03b25c1494591a94039897080683c90bf55ed2e62d759e12bb7206b32cbd75abc7c21a84b6630b3417cee9fbb78d03c7cedc7e403efdd65f06b

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757387.0\msvcp80.dll

Filesize
1.0MB

MD5
a8704a10ffde468f4ab18ebf82a9a86f

SHA1
33823c9ab1233de5c65d8af76ff7ba459903ad10

SHA256
40f6502679cee0b657b0005278fbe7213bdda6deaacf868058e17737c182e1b4

SHA512
5cb273ddcbba599293a9f1c2340f92333f5a09d2faddf23b7fdb8294f51ff9702eac19f3d58687a29cd21177da795f492e49064d6fbd9afff30d461a9d449100

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757387.0\msvcr80.dll

Filesize
783KB

MD5
ec6ba7c92fa5b2aa4afdf4df22aedab7

SHA1
12f75b92e743b8333c50afac1b2a3875cfaa222d

SHA256
690f12c490bee2bf17ab7b6804e6e9b96f51c304350ccde80fe5c7eefa89720e

SHA512
9cefd9e0410d5c694d7801bed8eb5266c7a57b10bccccce2c1b3e79ddfaf234e2f01ef7d5f6f1d468920fbe94b2e3e527c9ce871df83a04223d87a3967d79897

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757481.0\amd64_Microsoft.VC80.MFC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_4716846b.manifest

Filesize
2KB

MD5
53d0eb4787ab5147880d4247e866d3be

SHA1
5f56c8892c59d2754d43fe31d1afb8dd80c6a0df

SHA256
864b736f4a81101d4d11ba0785c0d71c1b8ac2bcfe07114f0d55790762985a1c

SHA512
5061910b335e2fae0465fc21154fcc40fbf769fe4d3e206412f840a21bbf25b55b0ed35537cabb83b40ca7e7c7553fc21438e1f51e436b1041f52dd312836581

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757481.0\mfc80u.dll

Filesize
1.6MB

MD5
b1fdcfff7609e121c10751a669ab1611

SHA1
9c4700012ef000fd8d9ceff0fa2914cd2efe1c27

SHA256
1181542d9cfd63fb00c76242567446513e6773ea37db6211545629ba2ecf26a1

SHA512
60fafda20ca7ec6e3da418181f11491e258ad37ba0b14ca6d7da498a8a9ddf5a0414f4a918f58bf8dce33c723ffa24d1c8506b3794ef4f57d02d83ce6245295b

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757481.0\mfcm80.dll

Filesize
63KB

MD5
7e39d0459ae7196c1645294bbfe9b1eb

SHA1
1bf2c8916af19dc4d42343cfa3d611d1cc296559

SHA256
c15707cd0df5c35a4a1a7e74330df4ce27668c6d95d35cc72664efcb08d5dde0

SHA512
10db4adb8e09c450f06791bca0794dd9af3918cd34a950af4f5489fb5ce03a9ba240f48437666e2fb581ba6642f5b7a226682d2e32582ff4864ba4e82c10843c

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757559.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_9c659d69.cat

Filesize
7KB

MD5
2521f433a529b990c8aec52651ad4762

SHA1
62172e865072466962b1c8861985eab36afd4f27

SHA256
6a203ae94e79b521120dc6becc0a8685eafa0631fa3c4ff93aae85b475d966a0

SHA512
637372201255b49fcfcfaaaf57a2714935d86bb8cef615032e5e72284d78a734465abfcdbf4c6a62fda63a8b8ef0802324a853bf35574813e50a028f93c38ca4

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757559.0\amd64_Microsoft.VC80.MFCLOC_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_9c659d69.manifest

Filesize
1KB

MD5
0a30e4abb49c877d643d8cff8e4c7977

SHA1
9dae7ef5e2903d846678b933c0be78f850c7d1b6

SHA256
ae42f6cb2fc2cf833a3fb68c0a0dd37b5aa5f53c4ff28dec310fe7f246368e06

SHA512
8db807a3af88624a91368cf23d32b5af024ab3d5ff7d55ad29d4229c515e842db238c02315492d9510d0bfe7adce1ebdcea04ae6b7f1726e17f52ed96b9fc4b7

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757559.0\mfc80CHS.dll

Filesize
32KB

MD5
89ef0f5bf7453a64bf81778040321548

SHA1
1950b676284c79db99098f99e56be6ffb68ce74b

SHA256
cb9153f71fbaa44cb4b40f44e4b3ef57135cf80a4d30e754373c84aee932c933

SHA512
0055043a25f71ff0a20b3e3799e48a5d6fcd32d37da099745a3798b4791b318f7886b1f2ff62b8c32e13cfadc902bbe97c419034f3eec0d255b29be7ec96d9d0

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757559.0\mfc80CHT.dll

Filesize
33KB

MD5
aced5a8f040f52b9ec676b8e1a8f3ffa

SHA1
95a0b1b3ab6e6645af10aa084f18a78bd18f13bf

SHA256
24f8092954769e087e45b5905d0dc6ea63802da89f0f9e6a57669071edfe6465

SHA512
a6cef4f4e1df279a81e2d8d7dc1a7e0d700df515e11b7f961453d30b7ba53eec052d90cc0914fd51a24435f0e7226d00f33529fa36c432fcc1127ab942fb2973

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757559.0\mfc80ENU.dll

Filesize
46KB

MD5
442235ac4f20b195f932990cae47408e

SHA1
c8031df9365b2c888d8bc3eee92e432169562b72

SHA256
811a03a5d7c03802676d2613d741be690b3461022ea925eb6b2651a5be740a4c

SHA512
5fca808a351cee28ccc5c7649f2d9f5c07e4129f24302fd3dcd8a921baf201a18d9ca7d76f10c148d6f17f40616bbee701d8d70a5e713052d85f5c4000c58136

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757559.0\mfc80ESP.dll

Filesize
50KB

MD5
d398ca3996602379bc0aca583ff63c0c

SHA1
f18477c60ce1a7da3fdbfb259ae443305d220409

SHA256
b95b98c5acaa8e0d2a3c779e01072c4bbe5551936b9ab484456335c4e58baa39

SHA512
bfe809fa500b66eaef03adc010e93f2292d499034290642ff7ba5670083de27a7cf1cb8bc9fde909a407df7184bab00dcfd82255d070b28aa7284838236a3ee1

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757559.0\mfc80ITA.dll

Filesize
51KB

MD5
fd3434c1cc2602b211acc6fa9e4eec22

SHA1
72657573856efd742fa1e49c9c90b62c1d2089a6

SHA256
7f0cc8119f2b9c4c11416ec2b41437f8a167cc7ba2694d1c17f6d57fb02d34db

SHA512
fc438023658c3bb644f2266e577af8be50b367b69b7980a953a458984587153fe41d4d90ba9bdbbc460f6c5d28240316ab842fa3f11e37fac5794f48c18720b5

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757559.0\mfc80JPN.dll

Filesize
38KB

MD5
a15f889b929ee56cc0e89f739cdc2339

SHA1
3704e6eefe4082caf93dd6e5933cbc93dc3486d5

SHA256
4db5cdcccbc0afc58176599f921ec9c99589cb1ae46e3552d5181e0b303053e0

SHA512
049daabb1860259e8eff90a5619334ad6d342b94612391f3c29b9d95c40773674e86c9b6eef0c0b44b73a2fd88ff18514dfa54f994244a4c5b5e062e27c93668

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757559.0\mfc80KOR.dll

Filesize
37KB

MD5
46603020a4999ebbd829930b82f42068

SHA1
32a0385ba33b9add62b667fda4836f3e3522220d

SHA256
02c7b3f37b8bdbf7d193b7c78489a4787459eb19e06ff9ac342911971b863738

SHA512
4c8c7cc48e74ebf43fabbf832d7b9a99b1d2471f407cdbf7ec75b14d428926573d809b7b1967bc432171e4064b56130281013b3cbad4ae01a5b7ded3934487bd

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757668.0\amd64_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_7735df00.cat

Filesize
7KB

MD5
bc6287a77e9c14e1115a72c36e1f1d5b

SHA1
bce07cf37261072dc97a455da0fa3aa1a7b59fc7

SHA256
4f62ea395689af18e20d302982f2750c091929a70879ab580fa8178f137d11df

SHA512
fb59e86261aaf15bbb85c8992f34746434d7614e0bd8111082e79f0846110cbaafd9c31a4f52c6b49cc6923264759104d175e00f2f5022023f926be7d8b8aa27

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757668.0\amd64_Microsoft.VC80.OpenMP_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_7735df00.manifest

Filesize
471B

MD5
bdff146ddf80bbc613fdd3f8b768f516

SHA1
ba7844b8147691be6b1f76bab57277ada41411a3

SHA256
ecdee295b46b56cee4d5b4652afcb76ce8a89ba3c5608becc9cbee6d338d1eec

SHA512
9a54ea92e5bf7bbfc89c7a2023f792161716d77f55ab49cf201bf69b71642e568c34a9e89a0424433ad47056e4f79e4ead8cab2d72fca7358b903d7442f08d9d

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757668.0\vcomp.dll

Filesize
85KB

MD5
7dded2186b66976f153c49639de0ef6f

SHA1
2d3d5db864166083b29283430b7870919b752f59

SHA256
58f1e11860669a6782812b29b806f6e22f6a730941f4b7077cdc1628315c0f97

SHA512
dc1ee298edef952354732cc5ce36e09f78c2f61f47a8f3e9a3dfef0eca7afb73c373480dbf26e593536493c42f0862651bcbf60bde4bd0067f63e22aebbd1afb

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757700.0\8.0.50727.6195.cat

Filesize
7KB

MD5
3596efc007aba99f43932bad89de3b75

SHA1
86ce465282bccb4901b983fdc13197df78adc038

SHA256
63823f9854def18e6350783009baa784d3af2ee4513defacd2065b0f7be1651d

SHA512
14d1a20af9b48e72f2506b915dff3c9e63d861eb32923c6fb67d9fd49843df8dcb550c94d7f28d33fd93069685598fcb2fc76fe86b6c0b0509ad5390dd54ab5f

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757700.0\8.0.50727.6195.policy

Filesize
808B

MD5
257bb6731b8e0fad3208385c03e3373a

SHA1
d55623ad3245b5e1cb8d2cf64b2e9d9eb9e7a1fb

SHA256
d554bc68b9cce5ed2c68b23bb7001aaea0040bad7391b6a555cc493a23360779

SHA512
f1ef1ed6385c371471307c01fb7d1f42b43a2064b1d3f7f857ce85f5dffe76b0bcea0f1484c476da219c658b61519792c4144437b691907e84bb272baf2a2ede

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757715.0\8.0.50727.6195.cat

Filesize
7KB

MD5
c5d07781729503cf2a217088971ea6b2

SHA1
355d6447d464e1f9de91e51b2fbd549d7466392a

SHA256
62a38259b8e351c6fda81945bcee3d0c45977f638362284613f31463928ab981

SHA512
68d62701da08f7aae0907e5f44bfbbdfb01225efa4bb59d3480f846804f52bd6ffbeee47590685b7c76af264907f7b68c536908ea49b19b8dbe5a458ec4aaa88

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757715.0\8.0.50727.6195.policy

Filesize
808B

MD5
88aa67e60918c52c58a09e8d7f2d0c6b

SHA1
f20952ab2d73d5d09da3252e7a9459cda57f29ec

SHA256
fd79e7b44d13c528a5e98347c5600d589f2051827fc9db84ced593b1d6c6031e

SHA512
6d7f662847ad59e4969fe29f26963c473b9519387c6eae6bab7c001ffff59bbaa79e9e9dfe68ed9904b46a5b0c07137655ab460c073500cfebd667631494632a

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757715.1\8.0.50727.6195.cat

Filesize
7KB

MD5
3a3b80fe407a92934e4518ebade1979a

SHA1
1c437ad5ef8296d97b9e75a41f1198cdbcb1bf3d

SHA256
f379a62da7882cfaeecf349a3e71f7ce3a8fb9d10252ea6dfe82aade98d9c1c7

SHA512
83648c89eb8f610eecf571ccd4238a3c18f2a635c260976dd394675ea09681f6d84402e7509772f608d198a8bf0dc53f728ac3e773c04b528e5885ea1ad87b7d

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757715.1\8.0.50727.6195.policy

Filesize
808B

MD5
fdc6f08fc576e11f3641d072bdef897c

SHA1
4c6a512ce77643b9f808a50e196f2d937e89122c

SHA256
4f03e5f6486c8ff83e621c796ce7ae785b3ea8f0e963b28557494db329a35283

SHA512
e0e536d527a1f55befcf0a41bca68e002c880032308cca97d8db9d45b6b40db1a581ebd99a8e7f130cd539f7152b0b939b34d91e6af7b565ab90acc7a873e3e7

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757731.0\8.0.50727.6195.policy

Filesize
814B

MD5
893ad4ebca99cad3fc059c3c17263954

SHA1
f17ff3ba6d41949a8ba75884f04060909337ff6c

SHA256
521cc2fc97113a8da1c3b44e0eb470f16f441d45c0db95bc8d2290687540fa02

SHA512
f337369c0c9980fb3dd5afa5dcffd8df53b4ee6413dbccf988cfa111b04cd6625c718ddc6155d1d4870ad4e7ae1c1edc1cb651889ab8e39c10bceb80db482cbf

Download Submit
C:\Windows\WinSxS\InstallTemp\20241201181757746.0\8.0.50727.6195.cat

Filesize
7KB

MD5
951735a1486781bd7c99a0fcf9b797dd

SHA1
0da61c9e50cbaa015f5672c331b1907c58d3dcfe

SHA256
4f6feba9ef47626e8728278c7fcdff893b0135e29ed845800a2caae16364031a

SHA512
ee83bdc505a697df32eca9c8507b506d8918e99db2a1f9bb5d39b71c636be5a097f94bde69f6c68a8bdda732f019417ec698d8fd8e3ff060a8d3338999f2dee2

Download Submit
C:\Windows\WinSxS\Temp\InFlight\518c015c1d44db015c000000b807ac0a\518c015c1d44db015e000000b807ac0a_catalog

Filesize
7KB

MD5
43a8b1e76ea1caccc6057b08e724ba8b

SHA1
b55401836c3a3eab3ce29c53a648873906e0e356

SHA256
39979146256c348ebc7f52e18859f9517ef7bc8560dcaed95c1d8d2e4c8fc498

SHA512
09519d3914a1cd52602fec9b981a7fee14d4c03f49cbcbcf45d4bc4b3dc32712675eb5c6201233a6a60a9580feaf3f68d9db93dae9b711b89d3d65838fe4e28a

Download Submit
C:\Windows\WinSxS\Temp\InFlight\5c5def5a1d44db0115000000b807ac0a\e7e6f85a1d44db011c000000b807ac0a_catalog

Filesize
7KB

MD5
e84be5c560256089ac85baae7c8e8e25

SHA1
dcd932fa7e1e714b653ccf9199595d16d9534698

SHA256
42094bd6ffb22c1b7ba25167ce361b0ef8de5b55799879a43d35182ef6d15b89

SHA512
d5e8074de8d13328d0005325b19309461aec6524ba7356208f7984f95a3d48f1d8c6f7fc422ed3b22b1fb76f16e36351de1b64da5038f066ca7738cf27e26bb1

Download Submit
C:\Windows\WinSxS\Temp\InFlight\7948c05c1d44db0166000000b807ac0a\7948c05c1d44db0167000000b807ac0a_manifest

Filesize
814B

MD5
5683a1f4c14f8300ec1b56ec0833ae6c

SHA1
08d201267e5bd758bf5097e408befafc65e17bb7

SHA256
3bdd54c0c1d1cdcbe3e76c5fce35c0a298f6f41ebcda77d59ca1d3f4f803f36a

SHA512
259329a258206f88d1ec2c6f4476ec9a9a190d6b4153639e6aa4a8875d320e8dadc449ab464835f627ae4112b64fd32510096e5500daa31ce51ddd8389bf62df

Download Submit
C:\Windows\WinSxS\Temp\InFlight\88c0f15a1d44db0117000000b807ac0a\e7e6f85a1d44db011a000000b807ac0a_mfc80.dll

Filesize
1.6MB

MD5
6061114558d3d1cbe66f2ef2af148966

SHA1
868fdf79f649858ba46c46e66176c93f6743e1cd

SHA256
22b9a40cce2c79d2dfa42b653ce02b7b2d78faf15a0762a00b6b7d8bb6d4cf51

SHA512
e711713ddec4d28c42c28625f13e7fefaf092704299ba31e17dc25c4ddcdb1e4ddd0ea39b9a2470f21620a2b02177ed07300d29282e9968533b8ec08a8fdb88f

Download Submit
C:\Windows\WinSxS\Temp\InFlight\88c0f15a1d44db0117000000b807ac0a\e7e6f85a1d44db011b000000b807ac0a_mfcm80u.dll

Filesize
62KB

MD5
a3fed5334dbb597becd6c66ab5a8f688

SHA1
99eabfc0af71989c4fb21a6f777c804c3c9bd84a

SHA256
51df1ca5507ac1525baf2727abb6e2ee10f9354ca98089d75448dec86967087e

SHA512
0c5e4bc98f216b028d0e963a3cde3834ce57f73f76e70f6e4fe5d0c5fca8e619d0400de278eb8e3e8fd5a642e56caf1430a7365164f3cd5370c5376d1d1b9f48

Download Submit
C:\Windows\WinSxS\Temp\InFlight\b0f7495b1d44db0126000000b807ac0a\c51f515b1d44db012b000000b807ac0a_mfc80deu.dll

Filesize
53KB

MD5
d0acc020301c86d91cf85c5e84e3f1a5

SHA1
35493af1649e3dc8ed5e192d8305837e98b126dc

SHA256
7d282751179fc9110aff8ffddb45bf716c7c09c8ea758a9017cf42d8906c9011

SHA512
359255c61f8accfed9ab34e69f4b77a4c5d41b0d3dd0e22bc1f9aa2e815e40132655138a52d116b01984d2c53e718b3ce7b3c0b2f2945591c7dfd9f4d35fc079

Download Submit
C:\Windows\WinSxS\Temp\InFlight\b0f7495b1d44db0126000000b807ac0a\c51f515b1d44db012c000000b807ac0a_mfc80fra.dll

Filesize
51KB

MD5
7294a6b310e898247120f69774fac9a8

SHA1
6625d36c6bd20c67e3d6bf5cfcfc0cc6a4c49c13

SHA256
5906a72b441962750124d9647a8cb0f7c21456bb17bf3a109662d06818ed991b

SHA512
67ee24a0be544243471adf1989d2689c7cc1203dafe04feb936ed883a4d6c459d3ea4eef64a771613322f1d0e8fc54eee7044e552f0a234de7c5df1a394233ac

Download Submit
C:\Windows\WinSxS\Temp\InFlight\d85fb15a1d44db010f000000b807ac0a\82c2b35a1d44db0112000000b807ac0a_msvcm80.dll

Filesize
503KB

MD5
a7e03e5e0c27ddd4cfe8f243fbe853f8

SHA1
49195761495f675808a26092975d89e59e0dea8e

SHA256
835195907e9f3731a07e590e4bf15a3ebce17f53d3bb6cd6ef7cfb26fbde1f55

SHA512
369708e3625d9a9619524b270e96498d434b3eb5ad5a4694ad1807def4524a22c8ae3bd1bb215343660267ee9db72d156503434a59aec6a0ffc8401c2a57a8ae

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.9MB

MD5
d8d38f4736be3978c754239c19e71106

SHA1
1a6ab2a8e8b3a6a51ad009df6f5e647949275a8c

SHA256
cbfcbf04266b9fd61e4d0524e432ffbe6d2f4fc7e594318f0edfebb167199b00

SHA512
4d0fb27d56488cb905b9c7816860dd4cb5ed4bb2812a3bfb8ed098629cd44830e2458b967c06f5661f715420844921ed20f131ed6b5f0ed505a808ec0923b058

Download Submit
\??\Volume{6939f2fb-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f02b2816-d2a2-4eaa-bb8d-4241b6d44b77}_OnDiskSnapshotProp

Filesize
6KB

MD5
4c781671d63148ea19fe56aa7434b58f

SHA1
111b7bf02460dec71cb98e8ad6c9a02742a924d9

SHA256
c6922b5491743745d0f196107f40ed200d3a1e05c4c552df294ab3146bf572d6

SHA512
d69083f7632f764102aa90d722e2d24570e1aa102659baf9576b943ef1b651c8d6da11973788eba0c78a5bbcbaebffd0c4432017b7724b17924a11d976121b22

Download Submit