Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Chaos Rans...er.exe

windows10-2004-x64

Resubmissions

26/03/2024, 03:42

240326-d9ssfsfe3x 10

24/03/2024, 08:51

240324-ksdersdh8x 10

23/03/2024, 11:47

240323-nxzeksff97 10

Analysis

  • max time kernel
    612s
  • max time network
    613s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/03/2024, 11:47

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Chaos Ransomware Builder.exe

  • Size

    550KB

  • MD5

    8b855e56e41a6e10d28522a20c1e0341

  • SHA1

    17ea75272cfe3749c6727388fd444d2c970f9d01

  • SHA256

    f2665f89ba53abd3deb81988c0d5194992214053e77fc89b98b64a31a7504d77

  • SHA512

    eefab442b9c1be379e00c6a7de9d6d7d327ad8fd52d62a5744e104f6caa44f7147a8e74f340870f9c017980a3d8a5a86a05f76434539c01270c442a66b2af908

  • SSDEEP

    3072:9UJAYdi2YcRVm16Pn6tpzqJG/sX9i2YcRPm16Pn6ckCjSH5EyR9aKZt18rTu+i2S:9aiWm162qJEsNiym16ryAiym168

Score
10/10
chaosevasionransomwarespywarestealer

Malware Config

Signatures

  • Chaos

    Ransomware family first seen in June 2021.

    ransomwarechaos
  • Chaos Ransomware 4 IoCs
  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 6 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops desktop.ini file(s) 34 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 10 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies data under HKEY_USERS 15 IoCs
  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder.exe
    "C:\Users\Admin\AppData\Local\Temp\Chaos Ransomware Builder.exe"
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1552
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xny2v1ie\xny2v1ie.cmdline"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4952
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7574.tmp" "c:\Users\Admin\Desktop\CSC30DFECC22B1042E58AA0F7DCD868ACB.TMP"
        3⤵
          PID:1492
    • C:\Users\Admin\Desktop\cs go cheats.exe
      "C:\Users\Admin\Desktop\cs go cheats.exe"
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3712
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        2⤵
        • Checks computer location settings
        • Drops startup file
        • Executes dropped EXE
        • Drops desktop.ini file(s)
        • Sets desktop wallpaper using registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:60
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4204
          • C:\Windows\system32\vssadmin.exe
            vssadmin delete shadows /all /quiet
            4⤵
            • Interacts with shadow copies
            PID:3644
          • C:\Windows\System32\Wbem\WMIC.exe
            wmic shadowcopy delete
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:3820
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4568
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} bootstatuspolicy ignoreallfailures
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:4284
          • C:\Windows\system32\bcdedit.exe
            bcdedit /set {default} recoveryenabled no
            4⤵
            • Modifies boot configuration data using bcdedit
            PID:2524
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3860
          • C:\Windows\system32\wbadmin.exe
            wbadmin delete catalog -quiet
            4⤵
            • Deletes backup catalog
            PID:448
        • C:\Windows\system32\NOTEPAD.EXE
          "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\read_it.txt
          3⤵
          • Opens file in notepad (likely ransom note)
          PID:3548
    • C:\Users\Admin\Desktop\cs go cheats.exe
      "C:\Users\Admin\Desktop\cs go cheats.exe"
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3284
      • C:\Users\Admin\AppData\Roaming\svchost.exe
        "C:\Users\Admin\AppData\Roaming\svchost.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1392
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4668
    • C:\Windows\system32\wbengine.exe
      "C:\Windows\system32\wbengine.exe"
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1348
    • C:\Windows\System32\vdsldr.exe
      C:\Windows\System32\vdsldr.exe -Embedding
      1⤵
        PID:1812
      • C:\Windows\System32\vds.exe
        C:\Windows\System32\vds.exe
        1⤵
        • Checks SCSI registry key(s)
        PID:3660
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SDRSVC
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4736
      • C:\Windows\System32\rundll32.exe
        C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
        1⤵
          PID:1308
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          1⤵
          • Drops startup file
          • Checks SCSI registry key(s)
          • Modifies registry class
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:4752
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          1⤵
          • Checks SCSI registry key(s)
          • Suspicious use of AdjustPrivilegeToken
          PID:1084
        • C:\Windows\system32\LogonUI.exe
          "LogonUI.exe" /flags:0x4 /state0:0xa389c855 /state1:0x41c64e6d
          1⤵
          • Modifies data under HKEY_USERS
          • Suspicious use of SetWindowsHookEx
          PID:2668

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cs go cheats.exe.log
          Filesize

          226B

          MD5

          28d7fcc2b910da5e67ebb99451a5f598

          SHA1

          a5bf77a53eda1208f4f37d09d82da0b9915a6747

          SHA256

          2391511d0a66ed9f84ae54254f51c09e43be01ad685db80da3201ec880abd49c

          SHA512

          2d8eb65cbf04ca506f4ef3b9ae13ccf05ebefab702269ba70ffd1ce9e6c615db0a3ee3ac0e81a06f546fc3250b7b76155dd51241c41b507a441b658c8e761df6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\.ses
          Filesize

          53B

          MD5

          306215148dfdddecdca3e0d9d8b6e8a0

          SHA1

          61850dae13aaa1b2492092244db18d57658d3e7c

          SHA256

          4fe65655965af5b21f69e513ff63594584ed4bd1773a902f571ce3346d4969bb

          SHA512

          6a71652a7ac3a5b6a0464d4876ea3eacbd085b64e6998f302b966fc57cc29d332b7996beb96cc36de196cf75563a066caaa38a3ec5d17c8766c5840a574e25fd

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\123-decrypter\publicKey.chaos
          Filesize

          397B

          MD5

          a7644bd42e36fd49420b27c6fbf80a1a

          SHA1

          5361985c8265fe96ecf28ff1fa8c04d31c0a183f

          SHA256

          4612cccf419770ca20fec849f2a581bccdd3286c107267743edeaab0a7a804c7

          SHA512

          fbcf06caf5330c1467e494ceb11c444f97b7763776b598eb482ecd881af60144d01335d23447f92127c964d6a3db0075c41d63b7ccfc4769969e7abd83df86cb

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log
          Filesize

          1KB

          MD5

          06341a508e6c38f17b6fbbc69ea0c544

          SHA1

          be07f0b34cea34332e89c3b782b9ef50c5cf1d53

          SHA256

          1513ea1d5935cf8fbeaee54572da656a70602cc4b376bfe0ce997426b2ae0f89

          SHA512

          4d355109b661cb562ddd8c35b30d24541fff8b6fda473ba871ac4364ca84ec7715ec0a8e015012937df4073e0191bd432028e9f62273cf9f45b78aad3b0663f9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\FHOHZANM-20240226-1610.log
          Filesize

          57KB

          MD5

          6a16e2a6bd8698747848f67d03e9e852

          SHA1

          1b677667e679c823dc4268aa9a76c1581e8d95e9

          SHA256

          f8af4b2574c043d8db7143291356fea0a939b1311c74e4ba87dd6801b8c1f55f

          SHA512

          a314ec33cf31a3ee9c322a26d7f32c965075e5ffb9b5713aea9be62ac1c3c28f4ea2f6c3283412215d624d0749b3e640f6df9e78d471d1edbb9f6e647b6e56e1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\FHOHZANM-20240226-1610a.log
          Filesize

          181KB

          MD5

          38de32a9c13f9c27bef1fbb07df8dd9e

          SHA1

          5e4c0c4c0369e4696732c449c8a1db5e6ef923b2

          SHA256

          334b0a2a5b5561e52d01472887c299c37a46ad228450e86a8ae0c8cdac922bc1

          SHA512

          13883a76412382620b8da314fcad2b6337b3131ee984c6268885316e0b111d5b1dafe27e9958178caa366115b77f82a3899ad83f655f523cd2e16fe8adf88111

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log
          Filesize

          13KB

          MD5

          df855ce7e88a8afcc01d501c4014128d

          SHA1

          6939baf5e6df2ed3f8054918d6bbf47500c36ce1

          SHA256

          19992eb51ea2c9b4f2d69a3f3b66bfb38d8de5a50fa911623dd1206b1092bb5f

          SHA512

          9ffd284660dfd5efd30a705b828681163861d144eae3548e50ad2e5413f73d9a18fb90559ac897d0f11224c5be09fc3e7844ce29fe77f7d8842d6020ffff5eaa

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240226_160545023.html
          Filesize

          93KB

          MD5

          6f33033740479b0c6e87e896b79a1de0

          SHA1

          8f7e146302ea2d458cd1d83d757f97dd3c8d3110

          SHA256

          599bedd2361568882293ec390671f8b1b97332ac9083d730bab3390657633bcd

          SHA512

          10baffbd8b734650caa2c093fa2754aae1e54abf0992139500c60e337ea821fe9b07a2be373ffc013ecc3aa5a69ecd0115cf33d4bba2a24b3fe2817b0949a4c2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240226160625.log
          Filesize

          15KB

          MD5

          d0f54eb1bfca61ba2d2b30cd05673a6f

          SHA1

          4ff9750999363278a5a44188c124b64d608132f8

          SHA256

          69a1d47a09bcc81857aaf8a2684ea9fe9612749716471e94a5bf80ef3738784a

          SHA512

          e6b1795bd5aa0246663becec89eff216c972e6a0138b4c45265ad719122d519423b21442950a93b70479d733ee360d98ebc298bb8b1c32aa748b8d46fd24480e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240226160625_000_dotnet_runtime_6.0.25_win_x64.msi.log
          Filesize

          551KB

          MD5

          6f6a8b70df2daf8b4a2a1957cebb0522

          SHA1

          de0f0a0baf5d8f908d0193cb05c3f2859315118d

          SHA256

          2935ea1fd4a238fb2d795570d49bb0e1b11b1ab19b60c362f2eea2e690af8a7d

          SHA512

          3a51b327eea3e73581492339ed88404782121ac269cda7f9fdb19a192fd3d0065334cc88bbff901ec01bd48e32038793ce62959ff56424cf5ba1762da0b0fda6

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240226160625_001_dotnet_hostfxr_6.0.25_win_x64.msi.log
          Filesize

          95KB

          MD5

          2bae6fdd2877d1214b22afc2a3fa5e35

          SHA1

          bed7ae237b99a235b62a1e2c0adab5eeefaa746c

          SHA256

          75f3b7785b9e622bf0e78a5f1fe995a0bf72c2d5d104e1857335b00f67ee38cb

          SHA512

          859f6e1b2695142caeef12f5f7c18a3974d9640253fed8bd7b52cf27a7b192e5e8a0ea0b069086d2756af7999b9b791d7d1c92db69661980939281e943869087

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240226160625_002_dotnet_host_6.0.25_win_x64.msi.log
          Filesize

          105KB

          MD5

          b08d03a3c2915387f97ae14075b6233a

          SHA1

          cac6d25e5c8fca69c8d7669af67227ee3805f863

          SHA256

          ee21a4a8eec4b1380899df28eb60859f452debdce13409b438f687b3955303a9

          SHA512

          4e54441716af36a28321dd63f4e1fb16cef87d0447e1595b11f6f20105d1e0adaa52061312461b33a7ddbaf52e69fb5f663e926bfc4b49c326ac596fa2a158ba

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240226160625_003_windowsdesktop_runtime_6.0.25_win_x64.msi.log
          Filesize

          849KB

          MD5

          99e1da1908fdb563ab39c0204df0608c

          SHA1

          7738578f4d9ee01b069dc99f97ff6df36a5ec90b

          SHA256

          238021e307df9b22311f420c1932736a2476e764f93fb6bf7c8e12f775184491

          SHA512

          4c99ece00382f809d728fe1d0e43c06b3437fac2fab5f5bff6dede670cf9447f4f773736d7bed6cb4a69e78c8740f61983f717e6674c421ada02fb5cbc0306e9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240226160708.log
          Filesize

          15KB

          MD5

          6525fb96c306c332e5c9d44e8d3c578c

          SHA1

          fd56e498884c7c16a7da599e73b874f770677387

          SHA256

          2f7696929a1f5954cfbbfd10b4caba411b1ed6cce9fd2e8a51dbbb85fd00c533

          SHA512

          a96e435b3e6e484899fa19da6c5e67a08f0567264ecb5f0900ce5f93a6487a9847b42c335702a2c46c5470e75082d32214de652ae3944fb35da4b716d724cf60

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\RES7574.tmp
          Filesize

          1KB

          MD5

          b2b34f49edc94f3a5fc932a1bb1e1866

          SHA1

          2cc4ae9906f64d4232d3abf53070463303a035b2

          SHA256

          a82c42cb9866be55d9d6bac990e472412b711602dae6248858228736cb34da7a

          SHA512

          a0cb2c7c412c9d211057e70fd64ce9d92862875d3783de4709c23746628d6ced06c69cc22b59d42457ff5601205d6750a1fe75b96fd75ccc5ee480f716fd60df

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\aria-debug-2484.log
          Filesize

          470B

          MD5

          a6825c7252e78c4db2108fecd17dc75c

          SHA1

          a036fb3ec82ea604e9b87b319b4b1b883cedf9da

          SHA256

          74f478e144a356ca393e41e798a7f1d05072560d86b95d099ea8980b51f2b073

          SHA512

          5d33c4314317d6a932f97471a39e4e7541412e877c46558159f178c417181bf6516dfffa52aa0cfdfee8483c2746c8c7e54442dfae8a8f236e5ab1464eb1cf74

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\chrome_installer.log
          Filesize

          6KB

          MD5

          d0d9f87e424e72a3dd34c35333708ee4

          SHA1

          9e164478dad84078bca6f7ffe5b4349238b17660

          SHA256

          43e02f6861d01d2ab6fd5a9a5cebefb48ac2e534a071d36b758607d22c4470f1

          SHA512

          bf26f35f29cec6f892335c0bebf6865727c804ce6c58403514114434ca37071bbf92c8fddd9a83062046a2940957edb14c7386eefc847c69e26ce353ce967ea1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\cqk4zi3ch.jpg
          Filesize

          457KB

          MD5

          17889ec41ab3bd83e30ab54161f3c3aa

          SHA1

          04c253c672ea7a85fd0eae43bb01bf82059d9dac

          SHA256

          9899c79af2bca83ee873c053febcd2cc2d559580fc1c55fb301d7e8b782d5854

          SHA512

          40aac0c5f9131924b45f6905271581f8aa32acd43d129cf54fe12d64f7e4c3eec0878404becea5bb422232a5416a0a543ac99c69f574b30e5e06887b3b76ddf1

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt
          Filesize

          1KB

          MD5

          e9cac14c469fa28d1d7335d426283162

          SHA1

          ae16be05a6be98c9654fd01b471e591f6c4bc030

          SHA256

          a460c1a6d4fcb81a308990b73df8887e019501a2a34f4549bdbc911ea6c0616b

          SHA512

          ba5877ee4c2827a31275cc22eebd7cd6bf085c31c829d6d96285de52d2483f64d40797daef71c3c45e85186f116ff5b68c10df8606b6faef9ead9fbdcf95cbbb

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI12AB.txt
          Filesize

          427KB

          MD5

          4535ef5999cb6389c8281ab2521d43ed

          SHA1

          c0404b87521382dec08aa878a83b0021a72653f8

          SHA256

          57c84cbf23938f510ec234ff3cfb724459aa0eb95dbb86820048c5760e410288

          SHA512

          d01447c585b818ba15a3215db374825b6e25f20ec09caaa3e0f55954dea8b93391bbeda6b588e8ad064f5c2bb144a4a2c9ff4b7e8a5e99bb369d2830e72d0395

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI12CF.txt
          Filesize

          416KB

          MD5

          48d548dc7b2fb537178ef69d2fbad987

          SHA1

          5e9fdc225dff9a2b4f0132d27aa45408c6b7b1db

          SHA256

          6fe0c9f02539240b215b2afc94613accedf32e531d896b6fa6179bf4c5f6ca29

          SHA512

          37c1ce717348919cfd8bafaa0714b790587e8ae9bfe09b13d348a840a84d4b68c1aedf2988243ce48e2f3e3d17fcc2601131ce836463a150a2f439738b82a273

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI12AB.txt
          Filesize

          11KB

          MD5

          0b46662bc6fc4ba3f81f5161fe26cff5

          SHA1

          9d3b5b27dba2783db787594826bae1527b3953f9

          SHA256

          8509b559ff81edcdd7cd249e6ea15c0c94b6f27c333c54ea041ca7579fa1c5ac

          SHA512

          2416f1d2b62fa020e6d6e84dad288ba61cfdd8b858d76b6d4ed3978da428bccbcba1ef14cf7956bf99be15171665b93623593c566e8f9006dd4a09b710e6c8eb

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI12CF.txt
          Filesize

          11KB

          MD5

          3407fc3198d6041b52fe04c75472a6e1

          SHA1

          d4e5ced551b401f409878e816334e9df0aeea30c

          SHA256

          1db4d460e5e5215ac70c3275693297dc3f0bdb0361444ec1a727cd3bab7b24a2

          SHA512

          7eeb5b73e5ba56faa1cc0c2fff6c6a0129bae49ab5f69a0aac88ff0d98013821f7ff1624a6ca175ca18cf28a7f1271c58296caa3b760b9e0ec47d604f2c5ff4e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\jawshtml.html
          Filesize

          13B

          MD5

          b2a4bc176e9f29b0c439ef9a53a62a1a

          SHA1

          1ae520cbbf7e14af867232784194366b3d1c3f34

          SHA256

          7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

          SHA512

          e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\jusched.log
          Filesize

          153KB

          MD5

          621b739fd58d24876b895f17e9e9f3f4

          SHA1

          eb80edd1b89c95df33b1eef20530e15f03cb835a

          SHA256

          fb354420ebeeb45ed4307cdace7167b78dc9176629d2358322bfbe97c5a2fff7

          SHA512

          6cee6da130b20b47467c986ce3eda891f4334a72ad80436c5a1c4871d5d7ece19c01db0bec3199b2512d36281b2f26dc9ee47d5b61b134f56c4d2f5f55c1d2fd

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.ma20
          Filesize

          436B

          MD5

          0224dc7129519ce4d84779dcdfaf656a

          SHA1

          f4f1e40a30bb9502ee6b0878ce6cc078b03083ae

          SHA256

          cc3ade22fbd3367e4477102b4119e08bd341189a96f5caf79cf59db5582f6da7

          SHA512

          2460d11be7ea39ed928b8ffac0425de467f8d9baf6a7c9923be1e4fa80adb8752fab3973492537e8c0b165668984ca8ee5ebc322be2d72f0a6d8d80aceb7c6e1

          Download Submit

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url
          Filesize

          142B

          MD5

          1a09a38485cbf1d59c29d8e3213e1ab9

          SHA1

          9cbe6ebd07b13a0d4b2565dc15a273629aa97251

          SHA256

          0a3bdc40dc0d243784bc5fa887b79110350b3d3200684f3ba99880fcea40e3b8

          SHA512

          a33c228196a4b3f14e40ac6ccb6c43002de28063594c472db852bedac20a6725f4e7601b9f32516e2c6bea35f83746973b3f1d200d9e5d668bda7553b62ac616

          Download Submit

        • C:\Users\Admin\AppData\Roaming\sdf.txt
          Filesize

          812KB

          MD5

          c2cf29426c262a289f26061687d45be7

          SHA1

          303a03360c5afc29b746592f203334dc1afd6534

          SHA256

          4147b7e0c0f55696390e69d7e7afeaf0c9d023a0e1945417d53b63c6750ae280

          SHA512

          3c1aa22856db4902219f02c817332c32efef9ed1c94c2eaf5a8137359a53752f21934647ae08c5f15b62cb7405b4bfcbf92abd484f026a01cb5b6a0162e72053

          Download Submit

        • C:\Users\Admin\Desktop\cs go cheats.exe
          Filesize

          1.2MB

          MD5

          944765474d1095e82f49305eb97f5eb7

          SHA1

          5e1e5c58a143dfa7532d8c7dab0c9951b948a1cc

          SHA256

          5b51b6de226f11a27c776488c1d454027cac6aed09784efcb70d93836e8cfc09

          SHA512

          03edbc201dedd823f818160a3a5bd1929abea95432707a350384a44505920b9e10e56166a2c6feb187c807bb635f1c3a30fa8596dd67d638ee9923c7a259f703

          Download Submit

        • C:\Users\Admin\Documents\read_it.txt
          Filesize

          8B

          MD5

          739389ad8f18404863d24d138a4dfb70

          SHA1

          6bbe895e5f307bc2ebf876b7fb3120c2086c58cf

          SHA256

          8235ae9fab4ab01ca7c181ecb8d094b58cf1999af0700feae504561afb69c09e

          SHA512

          ffb12f936357f5f5220d5a78df24066d84ae9495958dd0762ac9f7d1df3f8277a4981baece4eb1feef7d6745758dc2bd4a3fd2a6d357e1d2d10e9d310b63d39e

          Download Submit

        • C:\Windows\System32\gw1gni.exe
          Filesize

          7.2MB

          MD5

          e79cbf4b8cef12fc28460c57083f1186

          SHA1

          3ef31989b8d2199edd8e01997656ce4e0dd5e18d

          SHA256

          d95c7b2e5cac794ad6116e26a9bd394164c2f29775cd8d419d57b513ab974bc2

          SHA512

          a43193ff935df9dc4ac0cd1c1d3f51a50d8a17f518af18a47ce67a825b0e6065a5b8cb05cd2d44e746c863bc4b5232facffd250d836a13ca7417ee4d50f4e06d

          Download Submit

        • C:\vcredist2010_x64.log-MSI_vc_red.msi.txt
          Filesize

          380KB

          MD5

          9412eab52c23b200bfe27eacb1862349

          SHA1

          8b0798e7a4db80b3773c8c42f7cffbcec8326130

          SHA256

          829a125e5f83650081e6a0135231f82b62ec0fee40b68653ba9f71f66d2e4316

          SHA512

          64d2786187b64629cddc930e8100381d80b787a29fe50be2f189e0601f9ee6a27eb8c7ddb9bffe705cd6e34d67d65168d8464c48052aa7bf514719f0dbaa7769

          Download Submit

        • C:\vcredist2010_x64.log.html
          Filesize

          86KB

          MD5

          7631b765f193c01c392cdcfed056f82b

          SHA1

          912b078ace304a7a4f0b94434f330669f80b7221

          SHA256

          53ce916649818842bf7a82f27837bb3ad5648ba1e7858669534df30b1ca92a71

          SHA512

          31da7baf73c4521bdd53336ea1015c223f316c10582e0aa3f5968f01e1896f154edfafbc2938b2fa043bbd0de27bb8f374fd8d963f2372df77c5fd98d3939ff8

          Download Submit

        • C:\vcredist2010_x86.log-MSI_vc_red.msi.txt
          Filesize

          395KB

          MD5

          c35b66fb7aad24e26a89da695c14946e

          SHA1

          0de5c0eb0592378fcea90384556881b954254c1c

          SHA256

          fc4822c03e3ce76c3f5b0a5daa12affce28cefb0ef33161d1d26b4ce4ec8998b

          SHA512

          abff78a8c52ca4278b16f998d07d266a8c1a603d32cf83f3e06683c55e89d060e927babaee94ee127f20ee980b1c1c275537f0beee94c07f0569ab7c9f3e0f83

          Download Submit

        • C:\vcredist2010_x86.log.html
          Filesize

          80KB

          MD5

          d5b60929d748e93c0dd676a00aec5698

          SHA1

          9aef20394e798f685674c811c235873b49daf84d

          SHA256

          badabe7b4af2e2429a94f2a9608aff88c72992e3ee54787991fa205bb91bbb82

          SHA512

          a0d058c5338b761e4d96afad599ba064d65d06c9fb596796931254ba101a56a8967ff709edade163882e65916828da4b6af7e8a5fcc598845cc1f82dc3638445

          Download Submit

        • C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log
          Filesize

          168KB

          MD5

          861c17524cdc6940fe9d7552938dff39

          SHA1

          e12d6a271e385e3eeb18a8cc7fea0934547eee05

          SHA256

          320bf8b97f1e816055dfbaae959f8fd0221343c19402cb8b365697ce31b62f77

          SHA512

          08965c719951498896d8f4b3724f3b25eb23489b7624bff252b20abdd98da1b08efb4404d485a9b52ad820548ce84bf1cbf979a495f1817339ae523020bdeb0b

          Download Submit

        • C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log
          Filesize

          195KB

          MD5

          a27f5bad578205f7145b7ac3663b5c32

          SHA1

          e16afe1b40d31e98a549573fe2e0c4a74d91ff6c

          SHA256

          62f4df2dcb1c7ee2373c23f97689a9cfba1263501d2f7094281f4cd5cce5689f

          SHA512

          fa7e5c5a5f1b7df2dbdb663bc79bbb57414a86a22e8d44a444d803c226b0c6874049ba90228109bb2a95e252028c4c67a18c4b9fa584fcb35a50d0cf005b0e31

          Download Submit

        • C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log
          Filesize

          171KB

          MD5

          e08edfbea54d9505cbc42726c50d1a47

          SHA1

          03448963f701a3caf9cee5386d3a24a166586f82

          SHA256

          9a92879369170caabcb878eeacf063db9792d9a67f361c29088b4c4dc35775c2

          SHA512

          e7e00730274669e09f40e66c58fe74d1eb5c808b829e27f10153d7e94ebd9ef8966613791f3288ad2d780a590e8a2eb45c82bd3f2bbf65429c99bf39c93e3741

          Download Submit

        • C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log
          Filesize

          208KB

          MD5

          60c8750fc057d296ef7ccd6b6a06b4f7

          SHA1

          bc81f2dbd088582fa5e9b8b6b7cf09c1d735d1c6

          SHA256

          8241549f5caa14629e530b8bf9369df9f363f869d0c749f44881729381cd1ccb

          SHA512

          658aa38c6c53c3b6f2201251f52d8acef0123aa2a7c681767c139a1eed7bdc0f43fe03cb67bde2fc39a5fb56fd65943821554d62846a03423c1a520caa6d11a0

          Download Submit

        • C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log
          Filesize

          170KB

          MD5

          a7c473ccb44debcf06cdd7aca08ddfbc

          SHA1

          dc48fdb8d1da8dfc0c04e4aff180712f2abea765

          SHA256

          a5b539a40e4d05370f779c44c931cde569da2783051cbc760269260092613d30

          SHA512

          e1a3c83824dc3dfa96345860bbc762ecdee54808e2a87bf9879acf08f61633ca1c5c71edae5e79266c30ee7d8282757d62e49c7b9b2e1b36857f4de6ab943b54

          Download Submit

        • C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log
          Filesize

          190KB

          MD5

          d21e548c53741fc17d0cb2f55ad7667d

          SHA1

          58d040687a3e344605c43035e9884a4e0f07461d

          SHA256

          a925c55032643fdcbfb1382149d261233fd923de3c963fd73c401b3c2bb36898

          SHA512

          387b87d2186ee465276a361c6698a1e9aeb687255ffa5b5e18239bf2c625c364a073ae49d14c98d2a4785cd73e29664b3390ae9c0a2961dbcf703638fe1c2688

          Download Submit

        • C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log
          Filesize

          170KB

          MD5

          98443db47e0c30ce7b095d26f540c03b

          SHA1

          cc1324af291a8f714de8b7dbf2dfd11e0e3c1fc7

          SHA256

          a429c25a39d83913a7370fb45475bb6e8ec687d972bd6b95eb30a9c9372b38f0

          SHA512

          6668aa8c5e6d0734f2656e8a5eee0af5cbabfd419c23736aa6c4340f2ee325748c25a49ea79f9203a6ea133af628d4180a66ea3619a35296fe3662b5c2bc67d7

          Download Submit

        • C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log
          Filesize

          198KB

          MD5

          4687c217498778c703775232dfead1b1

          SHA1

          8bd1330dc3a321ad2d0b2c9f4e8b960ffabf2b65

          SHA256

          dedaa47dc02aeadc04fafc744f7947389a4bfb1e5de284bfdb448d568089af80

          SHA512

          e83aba1506db1b6bee107e5651e8eb4edb88db387bb34190a40053c19fc0a2ae1213516d24192f0acad399c2c7f9292f5302cb66baa0da35e38ef6f06160b897

          Download Submit

        • C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log
          Filesize

          123KB

          MD5

          96d373c0e13466293030b4a270ab6080

          SHA1

          899d2cc51fe5b7f807781c217390edc160961b39

          SHA256

          9207e0ce4955856ac22efcaf4a81246b46e34748e974b93583f6ae0d23f8297d

          SHA512

          3bb1a76f22055784c0883beb367e3eaf6a9b0b628c65f1d549993ae708210b7a3a2aafc6440bad008d4d6c42c9bd28106eac7cd699c91d776b8335f4c2c4f07a

          Download Submit

        • C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log
          Filesize

          129KB

          MD5

          07be6c897e514b7f45aeb1d83babbce2

          SHA1

          ad7c89d34886e1c9c9aec4c28e60e084761a6efa

          SHA256

          fd2333ac1151fbda8c43c433024e41419798610c7d623b7d136ffd8bf3cd3690

          SHA512

          54fa0ddd1b5dcf1782dbfdb1bd9d2a77a125f5029d9727e1882529db5696d34ea31749124b8939f4f25f4990a02ef7ff2b48955d0009d06c6d42b8729170148d

          Download Submit

        • C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log
          Filesize

          123KB

          MD5

          8d964851dcdc3f94a3e11542b331f89a

          SHA1

          c4fd1bc70d97a48826ced0df2bf6a8ab639450e9

          SHA256

          b99c5faf359c18d32f188ec979d58a8899e8f8edeebde6fea2aa5189afce3cb9

          SHA512

          b757485f12625d4f987df7b542ce54f5790ebc9ae1d01a17a6f976684b5380507002f0a74f1c600702c2274fcdb9c1de97fdb761ea0582142b9d641f656f3323

          Download Submit

        • C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log
          Filesize

          135KB

          MD5

          8f99fd9f2c3bb799d6e34f3897b79c7c

          SHA1

          63d4a68f4588e97060ab670dbe1cbb3c0f22a823

          SHA256

          cdb680985b7e6c40be725e47e2413eebee28048fb7ac700816422aa2bc90bec0

          SHA512

          fda1e78671bc05352e89808bea01c2a903c69faf25baa29b9e18598d68d13c6308e07159f49a77587cf7f98580688d68612fdef3f6f063cd5a09c8cede4d34b4

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\xny2v1ie\xny2v1ie.0.cs
          Filesize

          639KB

          MD5

          de4d340de974c446c6de8a7e8503bd9c

          SHA1

          60961486da4b4bd70c8e9c7150603442e7e57e1e

          SHA256

          a74ed2e5d6f8691580d24fac91c0c3c7743f98e629a5a10c0defc4e16e59a48e

          SHA512

          6c1125ccdd9e9ee2bbb9b736b8b14c3af346e0e039b726501825a6c1cc959600ca1010ff5dce91b094d84ea2c1fac1077e91d67ab9e07c1b43ac5c64b01bd5d1

          Download Submit

        • \??\c:\Users\Admin\AppData\Local\Temp\xny2v1ie\xny2v1ie.cmdline
          Filesize

          338B

          MD5

          5928255919d26cf5f16653d1f469f6df

          SHA1

          2ca9f5a6f43bbd8a75f8596b7231cfef417a3803

          SHA256

          7854294180c5e8750d4e57211eef3bc7c0debd19ad67548963095261d5778947

          SHA512

          90637ccc246c490e832b7f4e7b9b0844f0c504be1e8fbfbc2e8291b29f3d08bb92be970f24fff7e1ea4bf6fc35a2223f15ce76fde63219d50329becb19a9f064

          Download Submit

        • \??\c:\Users\Admin\Desktop\CSC30DFECC22B1042E58AA0F7DCD868ACB.TMP
          Filesize

          1KB

          MD5

          d49dde1bb5d8afdc3869c23449997747

          SHA1

          400d15b447fb8c336fc6aa43633d80f726b0283d

          SHA256

          dbb765e226a516eaf39468bbe4087f0d0cd8ceed3127ba8e248839c086b84206

          SHA512

          b12a46898131b7306be3a17c92a523dd88156f24763e706f381d50e744d6e072bc1e2c36db2c15557cf4e7195e570053a311852033f8e118302093281f403db4

          Download Submit

        • memory/60-49-0x00007FF9FB120000-0x00007FF9FBBE1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/60-498-0x00007FF9FB120000-0x00007FF9FBBE1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/60-479-0x00007FF9FB120000-0x00007FF9FBBE1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1084-557-0x00000248D4B60000-0x00000248D4B61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-558-0x00000248D4B60000-0x00000248D4B61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-551-0x00000248D4B60000-0x00000248D4B61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-550-0x00000248D4B60000-0x00000248D4B61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-549-0x00000248D4B60000-0x00000248D4B61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-556-0x00000248D4B60000-0x00000248D4B61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-554-0x00000248D4B60000-0x00000248D4B61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-555-0x00000248D4B60000-0x00000248D4B61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1084-553-0x00000248D4B60000-0x00000248D4B61000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1392-135-0x00007FF9FB120000-0x00007FF9FBBE1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1392-431-0x00007FF9FB120000-0x00007FF9FBBE1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1552-4-0x000000001B520000-0x000000001B530000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1552-0-0x0000000000880000-0x000000000090E000-memory.dmp

          Filesize

          568KB

          Download

        • memory/1552-2-0x000000001B520000-0x000000001B530000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1552-1-0x00007FF9FB120000-0x00007FF9FBBE1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1552-548-0x00007FF9FB120000-0x00007FF9FBBE1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1552-3-0x00007FF9FB120000-0x00007FF9FBBE1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/1552-5-0x000000001B520000-0x000000001B530000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1552-8-0x000000001B520000-0x000000001B530000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1552-7-0x000000001B520000-0x000000001B530000-memory.dmp

          Filesize

          64KB

          Download

        • memory/1552-6-0x000000001B520000-0x000000001B530000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3284-52-0x00007FF9FB120000-0x00007FF9FBBE1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3284-134-0x00007FF9FB120000-0x00007FF9FBBE1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3712-34-0x0000000000AB0000-0x0000000000BEC000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/3712-48-0x00007FF9FB120000-0x00007FF9FBBE1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/3712-35-0x00007FF9FB120000-0x00007FF9FBBE1000-memory.dmp

          Filesize

          10.8MB

          Download

        • memory/4752-490-0x000001AFA5D20000-0x000001AFA5D21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4752-488-0x000001AFA5D20000-0x000001AFA5D21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4752-484-0x000001AFA5D20000-0x000001AFA5D21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4752-483-0x000001AFA5D20000-0x000001AFA5D21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4752-482-0x000001AFA5D20000-0x000001AFA5D21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4752-489-0x000001AFA5D20000-0x000001AFA5D21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4752-492-0x000001AFA5D20000-0x000001AFA5D21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4752-491-0x000001AFA5D20000-0x000001AFA5D21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4752-494-0x000001AFA5D20000-0x000001AFA5D21000-memory.dmp

          Filesize

          4KB

          Download

        • memory/4752-493-0x000001AFA5D20000-0x000001AFA5D21000-memory.dmp

          Filesize

          4KB

          Download