chaos | 105563733da3a05eef4e63a8af883b600e071e5449c819f0780bec73d0c404bf

Resubmissions

31/03/2024, 14:49

240331-r687xsec77 10

29/03/2024, 09:29

29/03/2024, 08:58

29/03/2024, 08:57

29/03/2024, 08:49

Analysis

max time kernel
372s
max time network
408s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
29/03/2024, 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

antivirus.exe
Size

144KB
MD5

4016477fd044882c78f3c1a47d7322e1
SHA1

6c75ffa25ef2d1d6a658ff415b2e47964032fc6a
SHA256

fbbaef754d6dafaaf32ae5e7937135fe81075806e5e2b0db1d6f9441a1cd8633
SHA512

17706a8238817e135ffe378e60e1e52964a00aeee6c6b9bc7f288a0390ae97d958f053cf693a4d829a35acbe32e3ab9599c13150a3155c671490736e88d19df1
SSDEEP

3072:xokEUyr9ql5n3yU6S4M5Er8zwIMsoE0WNOBKHAHp+FBZ+:er9ql53y04QEwzh0FaAHQLZ

Score

10^/10

chaos evasion ransomware spyware stealer

Malware Config

Signatures

Chaos
Ransomware family first seen in June 2021.
ransomware chaos

Chaos Ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/2388-0-0x00000000007B0000-0x00000000007DA000-memory.dmp	family_chaos
behavioral1/files/0x00080000000277b9-6.dat	family_chaos

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3792	bcdedit.exe
4928	bcdedit.exe

Deletes backup catalog 3 TTPs 1 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1400	wbadmin.exe

Drops startup file 9 IoCs

description	ioc	Process
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\hahaha.txt	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini.4z0z	Decrypter.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	Decrypter.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.url	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	svchost.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hahaha.txt	svchost.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\desktop.ini.4z0z	taskmgr.exe
File opened for modification	\??\c:\users\admin\appdata\roaming\microsoft\windows\start menu\programs\startup\svchost.url	taskmgr.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\hahaha.txt	Decrypter.exe

Executes dropped EXE 1 IoCs

pid	Process
2380	svchost.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops desktop.ini file(s) 36 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	Decrypter.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\AccountPictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3852399462-405385529-394778097-1000\desktop.ini	Decrypter.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	svchost.exe
File opened for modification	C:\Users\Public\Desktop\desktop.ini	svchost.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-3852399462-405385529-394778097-1000\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	svchost.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	svchost.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\haqhfswle.jpg"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\e3bwknwse.jpg"	Decrypter.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 7 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1996	vssadmin.exe

Modifies registry class 6 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3852399462-405385529-394778097-1000_Classes\Local Settings	explorer.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2404	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2380	svchost.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2388	antivirus.exe
2388	antivirus.exe
2388	antivirus.exe
2388	antivirus.exe
2388	antivirus.exe
2388	antivirus.exe
2388	antivirus.exe
2388	antivirus.exe
2388	antivirus.exe
2388	antivirus.exe
2388	antivirus.exe
2388	antivirus.exe
2388	antivirus.exe
2388	antivirus.exe
2388	antivirus.exe
2388	antivirus.exe
2388	antivirus.exe
2388	antivirus.exe
2388	antivirus.exe
2380	svchost.exe
2380	svchost.exe
2380	svchost.exe
2380	svchost.exe
2380	svchost.exe
2380	svchost.exe
2380	svchost.exe
2380	svchost.exe
2380	svchost.exe
2380	svchost.exe
2380	svchost.exe
2380	svchost.exe
2380	svchost.exe
2380	svchost.exe
2380	svchost.exe
2380	svchost.exe
2380	svchost.exe
2380	svchost.exe
2380	svchost.exe
2380	svchost.exe
2380	svchost.exe
2380	svchost.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
3756	Decrypter.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeDebugPrivilege	2388	antivirus.exe
Token: SeDebugPrivilege	2380	svchost.exe
Token: SeBackupPrivilege	1528	vssvc.exe
Token: SeRestorePrivilege	1528	vssvc.exe
Token: SeAuditPrivilege	1528	vssvc.exe
Token: SeIncreaseQuotaPrivilege	5116	WMIC.exe
Token: SeSecurityPrivilege	5116	WMIC.exe
Token: SeTakeOwnershipPrivilege	5116	WMIC.exe
Token: SeLoadDriverPrivilege	5116	WMIC.exe
Token: SeSystemProfilePrivilege	5116	WMIC.exe
Token: SeSystemtimePrivilege	5116	WMIC.exe
Token: SeProfSingleProcessPrivilege	5116	WMIC.exe
Token: SeIncBasePriorityPrivilege	5116	WMIC.exe
Token: SeCreatePagefilePrivilege	5116	WMIC.exe
Token: SeBackupPrivilege	5116	WMIC.exe
Token: SeRestorePrivilege	5116	WMIC.exe
Token: SeShutdownPrivilege	5116	WMIC.exe
Token: SeDebugPrivilege	5116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5116	WMIC.exe
Token: SeRemoteShutdownPrivilege	5116	WMIC.exe
Token: SeUndockPrivilege	5116	WMIC.exe
Token: SeManageVolumePrivilege	5116	WMIC.exe
Token: 33	5116	WMIC.exe
Token: 34	5116	WMIC.exe
Token: 35	5116	WMIC.exe
Token: 36	5116	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5116	WMIC.exe
Token: SeSecurityPrivilege	5116	WMIC.exe
Token: SeTakeOwnershipPrivilege	5116	WMIC.exe
Token: SeLoadDriverPrivilege	5116	WMIC.exe
Token: SeSystemProfilePrivilege	5116	WMIC.exe
Token: SeSystemtimePrivilege	5116	WMIC.exe
Token: SeProfSingleProcessPrivilege	5116	WMIC.exe
Token: SeIncBasePriorityPrivilege	5116	WMIC.exe
Token: SeCreatePagefilePrivilege	5116	WMIC.exe
Token: SeBackupPrivilege	5116	WMIC.exe
Token: SeRestorePrivilege	5116	WMIC.exe
Token: SeShutdownPrivilege	5116	WMIC.exe
Token: SeDebugPrivilege	5116	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5116	WMIC.exe
Token: SeRemoteShutdownPrivilege	5116	WMIC.exe
Token: SeUndockPrivilege	5116	WMIC.exe
Token: SeManageVolumePrivilege	5116	WMIC.exe
Token: 33	5116	WMIC.exe
Token: 34	5116	WMIC.exe
Token: 35	5116	WMIC.exe
Token: 36	5116	WMIC.exe
Token: SeBackupPrivilege	3236	wbengine.exe
Token: SeRestorePrivilege	3236	wbengine.exe
Token: SeSecurityPrivilege	3236	wbengine.exe
Token: SeDebugPrivilege	724	taskmgr.exe
Token: SeSystemProfilePrivilege	724	taskmgr.exe
Token: SeCreateGlobalPrivilege	724	taskmgr.exe
Token: 33	724	taskmgr.exe
Token: SeIncBasePriorityPrivilege	724	taskmgr.exe
Token: SeDebugPrivilege	3756	Decrypter.exe
Token: SeDebugPrivilege	3372	firefox.exe
Token: SeDebugPrivilege	3372	firefox.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
3372	firefox.exe
3372	firefox.exe
3372	firefox.exe
3372	firefox.exe

Suspicious use of SendNotifyMessage 46 IoCs

pid	Process
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
724	taskmgr.exe
3372	firefox.exe
3372	firefox.exe
3372	firefox.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1704	OpenWith.exe
2604	OpenWith.exe
3992	OpenWith.exe
3372	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2388 wrote to memory of 2380	2388	antivirus.exe	80
PID 2388 wrote to memory of 2380	2388	antivirus.exe	80
PID 2380 wrote to memory of 132	2380	svchost.exe	82
PID 2380 wrote to memory of 132	2380	svchost.exe	82
PID 132 wrote to memory of 1996	132	cmd.exe	84
PID 132 wrote to memory of 1996	132	cmd.exe	84
PID 132 wrote to memory of 5116	132	cmd.exe	87
PID 132 wrote to memory of 5116	132	cmd.exe	87
PID 2380 wrote to memory of 4060	2380	svchost.exe	90
PID 2380 wrote to memory of 4060	2380	svchost.exe	90
PID 4060 wrote to memory of 3792	4060	cmd.exe	92
PID 4060 wrote to memory of 3792	4060	cmd.exe	92
PID 4060 wrote to memory of 4928	4060	cmd.exe	93
PID 4060 wrote to memory of 4928	4060	cmd.exe	93
PID 2380 wrote to memory of 4872	2380	svchost.exe	94
PID 2380 wrote to memory of 4872	2380	svchost.exe	94
PID 4872 wrote to memory of 1400	4872	cmd.exe	96
PID 4872 wrote to memory of 1400	4872	cmd.exe	96
PID 2380 wrote to memory of 2404	2380	svchost.exe	100
PID 2380 wrote to memory of 2404	2380	svchost.exe	100
PID 3152 wrote to memory of 3372	3152	firefox.exe	126
PID 3152 wrote to memory of 3372	3152	firefox.exe	126
PID 3152 wrote to memory of 3372	3152	firefox.exe	126
PID 3152 wrote to memory of 3372	3152	firefox.exe	126
PID 3152 wrote to memory of 3372	3152	firefox.exe	126
PID 3152 wrote to memory of 3372	3152	firefox.exe	126
PID 3152 wrote to memory of 3372	3152	firefox.exe	126
PID 3152 wrote to memory of 3372	3152	firefox.exe	126
PID 3152 wrote to memory of 3372	3152	firefox.exe	126
PID 3152 wrote to memory of 3372	3152	firefox.exe	126
PID 3152 wrote to memory of 3372	3152	firefox.exe	126
PID 3372 wrote to memory of 1880	3372	firefox.exe	127
PID 3372 wrote to memory of 1880	3372	firefox.exe	127
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128
PID 3372 wrote to memory of 3012	3372	firefox.exe	128

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\antivirus.exe
"C:\Users\Admin\AppData\Local\Temp\antivirus.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388
- C:\Users\Admin\AppData\Roaming\svchost.exe
  "C:\Users\Admin\AppData\Roaming\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Sets desktop wallpaper using registry
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C vssadmin delete shadows /all /quiet & wmic shadowcopy delete
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:132
  - - C:\Windows\system32\vssadmin.exe
      vssadmin delete shadows /all /quiet
      4⤵
      Interacts with shadow copies
      PID:1996
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic shadowcopy delete
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5116
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} bootstatuspolicy ignoreallfailures
      4⤵
      Modifies boot configuration data using bcdedit
      PID:3792
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /set {default} recoveryenabled no
      4⤵
      Modifies boot configuration data using bcdedit
      PID:4928
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C wbadmin delete catalog -quiet
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4872
  - - C:\Windows\system32\wbadmin.exe
      wbadmin delete catalog -quiet
      4⤵
      Deletes backup catalog
      PID:1400
- - C:\Windows\system32\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Roaming\hahaha.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:2404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1528

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3236

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1328

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4424

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1704

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2604

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3992

C:\Windows\explorer.exe
"C:\Windows\explorer.exe" shell:::{52205fd8-5dfb-447d-801a-d0b52f2e83e1}
1⤵
PID:796

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
PID:3604

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2784

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:1012

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
1⤵
- Drops startup file
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:724

C:\Users\Admin\Desktop\decryptor-decrypter\Decrypter.exe
"C:\Users\Admin\Desktop\decryptor-decrypter\Decrypter.exe"
1⤵
- Drops startup file
- Drops desktop.ini file(s)
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3756

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\CompareExit.vbs"
1⤵
PID:3772

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.0.1722399989\408492447" -parentBuildID 20221007134813 -prefsHandle 1800 -prefMapHandle 1792 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {73664fb4-8085-4033-b26e-762b2ec848dd} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 1892 22509aedb58 gpu
    3⤵
    PID:1880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.1.5039792\2000528005" -parentBuildID 20221007134813 -prefsHandle 2244 -prefMapHandle 2240 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6306399d-af12-4881-8368-1e8876937a55} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 2264 22509a03258 socket
    3⤵
    PID:3012
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.2.1066167726\1543510774" -childID 1 -isForBrowser -prefsHandle 3368 -prefMapHandle 3364 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {64d81c09-a7c6-4d8a-9210-c35b745755a9} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 3380 22509a59c58 tab
    3⤵
    PID:1116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.3.1137703865\1357497206" -childID 2 -isForBrowser -prefsHandle 2812 -prefMapHandle 3100 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {307df162-0315-48a3-818e-1118a78ca09e} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 3792 2250d7ba258 tab
    3⤵
    PID:2552
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.4.763257778\120000477" -childID 3 -isForBrowser -prefsHandle 3964 -prefMapHandle 3968 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3e7832b-a929-42c0-b3f8-5302639cded6} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 4844 2250d750658 tab
    3⤵
    PID:1352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.5.759841763\1950709230" -childID 4 -isForBrowser -prefsHandle 4964 -prefMapHandle 4672 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {89603fad-c386-4c3f-bfda-73714bd1d656} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 4948 2250f719e58 tab
    3⤵
    PID:1512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.6.1680988422\223622494" -childID 5 -isForBrowser -prefsHandle 5188 -prefMapHandle 5192 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {909d0afe-3823-4899-9290-e71ff0f672aa} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 5180 2250f71a458 tab
    3⤵
    PID:3972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3372.7.1022729885\1779676263" -childID 6 -isForBrowser -prefsHandle 5376 -prefMapHandle 5380 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1316 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {19d6d4ac-54bb-4fa0-b15a-3f5b18d8cb6c} 3372 "\\.\pipe\gecko-crash-server-pipe.3372" 5456 2250f71a758 tab
    3⤵
    PID:436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\cache2\entries\A72798DEF4F924983D5A0DB82D383C613B515FF2

Filesize
13KB

MD5
23798a67535363f871f955986e6fd6cd

SHA1
7824e96c03e777c541ab897c7bb29bdf3752d4ad

SHA256
22bf3fa0cd04b96b98b853116d52b66391ad4aec0dcb5f06411c6fcb9b207f9d

SHA512
5bde700a07746bd164dac2ae4127a0c62f019e9a29b400c37af03c45e42afaa1f2119156f22da8883dc578257928882843935a3694f702f128f39125fbe6075c

Download Submit
C:\Users\Admin\AppData\Local\Temp\.ses

Filesize
53B

MD5
4bdef3f72a5eba62ea4feba80e30e373

SHA1
900c79d35982e5c1cf45b32aaa664cba8a10bd38

SHA256
203678fb2c25bc9cb5263a1687aeda814b88489db8ad00389d5e489f3f3621a5

SHA512
c3fd088a5d2312364c11cc428d2fd2ef17f3a3a61194c27eeadb5d81d6762eb226acfd156f171612d7a86a4aaf673b6be7866e9d62343781f6277badbec96c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\AdobeSFX.log

Filesize
1KB

MD5
fe81920405e89473fb0c16155aabec04

SHA1
551dd434c6de3840b7442ee30efb5333cf74cbf9

SHA256
bb25cdab78eeb57277ad4d2d82b2aae9b49ad82edf188d4b335c8bd1deb779ca

SHA512
f8313f5fdfcdb3df3a998c32e82a104c987a34ad02c48d3abab2f52e4b120d160403f3e30a38673c04b017a6815e594821e59f586c4d105453847f4bca6d5e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log

Filesize
13KB

MD5
9e9e06bf461f036de43aee3343e501f0

SHA1
e03f1560506ce88cce404029bff7ed66b156e9a4

SHA256
05854a2b93d670a26ca2244fa2a5d23ccf25ca1c7e2036ef4f8ca5a02e65da68

SHA512
0daa1a19b3b05d44366afe85561c162f2c796b4a898a04c96426618153b7b66b88be868474fca280b3eb49a32d9d02d5fab70bef2978dcde610ffb20b888dc58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft .NET Framework 4.7.2 Setup_20240221_165314211.html

Filesize
94KB

MD5
3daa9ca83e7068dae25f6062403404b7

SHA1
99db4e7faaeef72fa6ac6b4e393e7083ad8d4c3f

SHA256
9bb0bc9ab86b77529ba27c28248bc32c8b928819bb8e7f3d21ea212bf33e0f38

SHA512
44c496dde6e30bdf691c54d042f855ae2decaa5529eb080aa35645cfb2b0f1822e29604564a7998c9328589a3c2cd998cbf957e754fead916f7389dce6e302a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240221165343.log

Filesize
15KB

MD5
098985bf0dd8494048a341ec08f2a51b

SHA1
89db3c13492a66a48855517bacdb2be6770ff1ab

SHA256
f857ba1a364f56f563617b065bf52c925ce15433196f59da67c0ff300fd5e8bb

SHA512
8e9398bee3d16a8c02a676d07f176c4a6a3c639915d5f2ec7501c5e10019ed08504740b580fafc6ae3d68be257130bbacf36ecc0766cb4465b9a29abd8dd3ba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240221165343_000_dotnet_runtime_6.0.25_win_x64.msi.log

Filesize
551KB

MD5
ab7d85e8d604ee313825bd2a080997e0

SHA1
27476bda106aa0f890effaf1a7db707cfcaa9676

SHA256
4f9c41167899557f76fddde70713ca5a4e607485e24f0603c348d62e2f7bea65

SHA512
5b440b24c942b85fde3153251ba3e2430450c6001a7b9cd56ba4770618627ec4f66d8f21f65dd227e86e5766f35192fe6ff2a3b62af5cb9911ad284f1b0471ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240221165343_001_dotnet_hostfxr_6.0.25_win_x64.msi.log

Filesize
95KB

MD5
39ae573560abe3bbeebaec4d42ac83ff

SHA1
e86628b379fddcff1a0fd322d74b86647fc25df6

SHA256
e80f6b0e1faf16d478348f6f5cac05ed6c1c48177a65c18df52f5e4c7fa75e11

SHA512
59770841e232879610028f51e5443e22fd41aa64f1f81d0180ef2831161b90a5540d3c7d769edce18f50851cb0a3777192df58eaa26f90ae621ba898ee43c2cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240221165343_002_dotnet_host_6.0.25_win_x64.msi.log

Filesize
105KB

MD5
8bc33ae945ef51b68e36854fae703a93

SHA1
c7f47ab96369b1ab7fe7d9f67adb259fd1328136

SHA256
18665b227b94362cafe2231271f82b6abe21b7de53191cc0d38a6621f2d5d9b0

SHA512
3bc0d4be1238e5b198ae97c24d75ede23d3ce552db7469569e983ea6db9e9ea80ef9a97313be6c1a10a09d4dc641eda2ea5119f3134b3a0d59ce527c5e937be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_6.0.25_(x64)_20240221165343_003_windowsdesktop_runtime_6.0.25_win_x64.msi.log

Filesize
849KB

MD5
58edf6ba6f2b133a45158751ff55f51e

SHA1
0b8f199cfcd5aaa325fbf3acaee32513402a3013

SHA256
73e3b57d0bb4d3ba0c63d63337b4f84752b16686002926088eb7e70b4990b8d8

SHA512
db640d3ed10efaa0606f6773b55a5b023ebc08996d8aa56ee7d04439de1a4a581aed35666c41554a38426e723e380e9f0e1ea81f6a07bb9ef872bd42909aa2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240221165420.log

Filesize
15KB

MD5
3fb56eec599461705bf837172bbe526a

SHA1
067139b5b350226b6a915e582f74587653489a13

SHA256
fb24bb1080cf5fc82945c4baed7265f28a8102258a613fbc53ccbcb89fcc6957

SHA512
b0c1bee035be42858b12b48e4501f86f1a28ec76b60adb15f79a6ec63933000e9d8bef42cda311689b7bca6c9c771812a7aad69a2246811dd6eba98a24ff749b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240221165420_000_dotnet_runtime_8.0.0_win_x64.msi.log

Filesize
469KB

MD5
bc8d207ac90a7318613c78334c5fa445

SHA1
c6274fa5672f90d4faff3b083b8f18dd0e9c581e

SHA256
39a50497483dad4f42feb2e18b54459a352980fabfb649e9ac3d7616f8ecea72

SHA512
049b29cc25f2e56b2e801a7b04282d49638dadd5321128748bce7122771149b123b7efd22c36d00080b36490b269954b965b6b549d2c48485ac7b752d23c9ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240221165420_001_dotnet_hostfxr_8.0.0_win_x64.msi.log

Filesize
95KB

MD5
71da55d66441092baa662fb6c0fd5c6b

SHA1
d32efc6694afe866749600f1de8aa35523204036

SHA256
b3e092419eb7af3d8bd0ca89f3af19c6073adbb8fa1260c1cf0149bf3e576e57

SHA512
79b2d6fe1bf23df79c8c6d3c54d9b88bf73de20743a3fcf3a22d3e732e6a220dc6e6134f91fe9c1499f71cf001936da9da5ee0ede114a6a16835d78550cba7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240221165420_002_dotnet_host_8.0.0_win_x64.msi.log

Filesize
109KB

MD5
e0c6984ad92cd0e5f876386515f50520

SHA1
6c326d8acba56ebe6efa6d4c7e3be2aad7baf149

SHA256
a590d9f6a6b454d45ac1a2608222c29473aa1ff5584df5bec479101ffe0c2a2d

SHA512
227f2c7fd2b6e95168a8d8ece9e79d97ec3571e7da190b799fe2ffeef406ee9c883bdb752a48cdae4f80e5ee5c3497023e6aaa0afa1688e973cc4996148d94de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Microsoft_Windows_Desktop_Runtime_-_8.0.0_(x64)_20240221165420_003_windowsdesktop_runtime_8.0.0_win_x64.msi.log

Filesize
847KB

MD5
b4337d7f4dd50d479c3a3c3f85b57139

SHA1
d3513710bbfadfe20f37308b5d033ef63315f4b2

SHA256
d465bdb15ed68a7b80c52bbc2a5cefa455ffa4ccb351f236cf7324951fb42f9e

SHA512
8e95cad6f202784cd30db83c5e31b7232fca80d66bef44a5f8e697fb00e33926541517531532a6f5660e02910f2be0e170740c0d3b2c669a6e78eb2ed5f9e4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\XCULLATI-20240221-1700.log

Filesize
57KB

MD5
d2b595f800227240946a4299741150b1

SHA1
a3879e37cd5b9e7f02692577697833d830a8336a

SHA256
8e6f10b4b0b99a6f5f7a1c1061e3670b06b01bfe3656f9459eb5bf79ff24b525

SHA512
8764ed62c694fea5ac0f8f02308bd7f3b296b9baa53651b4a91e0946b1b2f529dc0834d2af1390b8980a3c39cd924a9efd0c33ea01d2cddc366623d70a682c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\XCULLATI-20240221-1700a.log

Filesize
184KB

MD5
7d4952b9d5d7aced3c4a0f9f15236300

SHA1
f901404ac5cd8cfab394c93200871f7d7ca8c06f

SHA256
b483a2a3284076c2da60c794aa5b0f300fc24d79954b3c0b49f958e9b71bff82

SHA512
8e82fe4322b6eeca1c96423a075ceb07305f0cf9c69530f387de49a4c855ac4feab0c401b541f8bd1309be5d928b9a8bdea6f4f51841bd205df7e41069c290b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-2504.log

Filesize
470B

MD5
48f8aa137b6cc9f9e1474b3e798942bf

SHA1
63d52ed3057b045d709f1b504cbb400481709556

SHA256
4f7421ef5aa75c3007b1a7546458950c07a9881a4f735f3cdd729ae4df66b29d

SHA512
11adf7d397ad8cd53b9b2985f69888b27784b877a64a654438c62aa743fa2bcd5d6822e870f6b56e10d65f66da7210597855c1b02344dcd8e5ec881ddba0284a

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
0aebe2ee1336cb8e6c6a8077721061d7

SHA1
1bc1cd1a8535f880dba4bf6c9558631e4658b90d

SHA256
d4ed13de2bdb32de3553982147193d49b5e05408cbf5dafe85bd30d6fc461545

SHA512
8d948b0f4b850ec20ef9fef860064154319a89cf95becd2a62b349230833869629749d6952118e2f20e38d1d637eb26db675333a699dce7ac1378c6a90fd9520

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt

Filesize
1KB

MD5
4131d605a83a74b3219cdbea3ecb9d6c

SHA1
795cabd582478a2be61df32b301052fd690e8587

SHA256
b5036fa8a37713e69ee5936d77498e69273bac9e37c3058493af7d7b83b7f987

SHA512
c961a62fb1b0742a23e028cb1268c4646d8d4e5b89a5ef28241182e2c8b4153beb114330f8b78e36433f6a632277c812ac5af0021445d3b52e13d1f8d0b81905

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI3034.txt

Filesize
427KB

MD5
f4a4c8a3a78400e51fcd43be2af9357d

SHA1
6d289e4c5bab93d799128660dd040e75a7e10b44

SHA256
8707aa473acfff29a1330273b572e6e80ce15828e37d05c5b870885180228680

SHA512
d3d96e8ca4474909f2f73133ba027910ce223730a3b0e43e6a5f14ab72a94ed0fe351d1098c5e7c4d9af046547558cfda1a974a14508056619e1215fdf0f6981

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistMSI3068.txt

Filesize
415KB

MD5
0de7b7824afc5c4d25e6a104f4127638

SHA1
d6061203019c78ffa3dbbbd0dac97013ced1f320

SHA256
e2c71735002c8948c145565f29c8e8233206ec8699d4d0d0271366b06b75442e

SHA512
0255459e4e2b8a9f391f95454143e6c19d8786d068d8601fe4b8982684ddc0e2b803bde10d949596497b1fb8d7035ba4bc2a2b17cd3132b50a22bec792a09861

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI3034.txt

Filesize
11KB

MD5
360dd201ef97b4dd8f146fa4a8a44ecf

SHA1
fe77de6ac8ad88ad5f5b947d28298349ce562211

SHA256
9ffca95b9b58d53574b494264bdf16a444dab23c73365166d59dd980010217a0

SHA512
5a6f58f39f9f93db81e6c364318dbde2768ca92e0f47481535c42238954fa1b939b363c264783d57e557b85b435062e7d29bf346144215c4dfbf68f5f72ff9a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_vcredistUI3068.txt

Filesize
11KB

MD5
cb09af13003bf948b9c2622022078bb3

SHA1
73d56e5b4124e4bcb015cafb14c9829497bc805c

SHA256
1c4857df09222e50dc9e05de3a2b4521284bcf77e4fc14fc7d29d35a079ddf7a

SHA512
9d39497253d02ce4bbba5fc37d5d13b26cf264a6d52dfea87e098346bebc04b6e5eb83524fd9b4a9d74e7dfc5bf7862316612d0399cac5009657a954405777fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\haqhfswle.jpg

Filesize
46KB

MD5
287bc47f9ad0a559fb0d88ee32447c96

SHA1
c32c7cc1604d9bcdc09065c4589cf3c60ac92acd

SHA256
e499873a9cfa83012bf8248fc1bfe6d355c4e286f7f2efb072b9da5b5451d738

SHA512
51308237be289df669573505c67a869e3957b5920f2216147ca512dcced1c9f8c6af67b1f97d85e343d287f144e207f5933a8294c00f8eb022d9680efb690640

Download Submit
C:\Users\Admin\AppData\Local\Temp\jawshtml.html

Filesize
13B

MD5
b2a4bc176e9f29b0c439ef9a53a62a1a

SHA1
1ae520cbbf7e14af867232784194366b3d1c3f34

SHA256
7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

SHA512
e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\jusched.log

Filesize
153KB

MD5
10cff7fb6d3b83b13ea1ed0675af7670

SHA1
2a1c38f8a94b7713e6ba1d37fc6b8aacbfa5d0c8

SHA256
264b54124b93d7bc68e27dcd37bbadaf1a6b2255ed20e1e8dc9fb544849116f1

SHA512
318bc9c85bcfa11412e5056398ffe47e0d0572c8254f6f6d7fece7421e4d057d36a3b21b7538ca48ce974e45de81e6e2283e78c6df9bccfc11f9f27584e3b760

Download Submit
C:\Users\Admin\AppData\Local\Temp\msedge_installer.log

Filesize
2KB

MD5
52430a4f764dd5eea27446289e4cb34f

SHA1
c43afe31fa466987b72bef8394fd7fefe7e1cc68

SHA256
1d9efc8ffdb4002b56424297620fc2280234e26863a29ffcfc7fe13143eef82a

SHA512
251fb4e5bccbcdf3cfd4f2974a2b4cba33d2d3936962a5bbdb498f187270793aaed25c1681146a3fa4d243eb119f221b3241f0777f15730e76ca1ac7f929ea8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2716.tmp

Filesize
33.1MB

MD5
162e0458395e973b8ec1894a050bc4a0

SHA1
28ad9acf285eeb849542baa6b7407e4a243bb33d

SHA256
3a6924971813e9cc3e1da01e150add8532de225ee25d618a080df847b64142b0

SHA512
4ae46bf949c4c40ddaa339ec7cd4b14d5a9479ffd4bbd6fe0edf013861dbf3b96d5a44e6b47aa2d95c6bd87c62932c62c3cee9009d7dee5b4c09ebbcfbb06957

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct55CC.tmp

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct9B95.tmp

Filesize
40.2MB

MD5
fb4aa59c92c9b3263eb07e07b91568b5

SHA1
6071a3e3c4338b90d892a8416b6a92fbfe25bb67

SHA256
e70e80dbbc9baba7ddcee70eda1bb8d0e6612dfb1d93827fe7b594a59f3b48b9

SHA512
60aabbe2fd24c04c33e7892eab64f24f8c335a0dd9822eb01adc5459e850769fc200078c5ccee96c1f2013173bc41f5a2023def3f5fe36e380963db034924ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
693B

MD5
8c525575bf86d12b50136cfa3e728f1f

SHA1
51957d5d317262ca8f89dac17c6e48d9b2ca6375

SHA256
ca9022f29a57eb5a2fbaa7f340a36645b39fcf856f9edf1c83c111c32793ccf3

SHA512
2e1a58a795bb565e37a92808017c85c095d7dececbcc76b76d376746023d59b98a2b8c4d9a9a0325ba672858366feb10ba50acff3fe7796ffff3c62d62a1d779

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
a92c4cedeefd68d5143e77038c589ed6

SHA1
874b14cee662b4f78bc8bea5ba374010710acab3

SHA256
1277d4660850da7aae195ea807686e0e2d28685c5bf9682cad0caf6fcf5a7d0c

SHA512
5dde25955a07ebc064eebfec20e0d7e000729746edc06d9a42e7af1604b67cc855b911d7ede37fb1eb11c7f2cf7ee4b51350570e658c23da203651c737c0f8ea

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\datareporting\glean\pending_pings\100a50bd-ecde-4bea-b426-7f5112e0b2f4

Filesize
746B

MD5
e5e810abf4684e8c2309e4a4aaa2b470

SHA1
29c3e8633a855bd79690de7711a2a18878fa5593

SHA256
51ce48567cbfd7cea737f12ed8ed4eafa257734737face9d3cb8b961c621f90d

SHA512
d909454b1f6b85550a0862e99ee0c16ff5fffb58672fe292ac18dc21226c8cc693cef994555453b1a4991e25f6f54a46ae275b5261739797811f639b7817aadb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\datareporting\glean\pending_pings\78314dc1-5e53-4909-95e8-01d706050a9e

Filesize
12KB

MD5
b40d2a57dfe0f8d553a94b061f5c4d5b

SHA1
34c96fa2950eb638eb0cd07cfcf76245d1dda194

SHA256
1f236e7c5ffa96cfc3ad302412e299d7da41f0b5f9e765d7593bab6a30d281d8

SHA512
fa59ab9104fe656fa7818e914b988c74b28f036d90637d88cf667a6370fc8700716ae12b2a843192bb50879c23cc5cb30144444c7991595c8cf60cf8def8446a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\prefs-1.js

Filesize
7KB

MD5
41f588bd117dc42121b8d307607469ef

SHA1
840909024d78a42e8d87df119bfc83f77f05f3c0

SHA256
7bbd1013adcb5f7db96243194c6648c6032e61c5fae573eac23991cc069d6a10

SHA512
b0716cd41e2a7546b7db840da24c20363ece13d9ae208f4c8a3fa0cdfaf079d69a185c5d9883bacda1a641019ff5e918aea8f8e889483fdb56c0be78fc462ae1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\prefs-1.js

Filesize
9KB

MD5
d59a1164a4501aacd5b4489b804b8c8d

SHA1
d162226b93ec3b19f92233c3df9756b5456a7533

SHA256
7ec094a9a460792aa302b990a667e75ecca369e49dfc4aad100e61797c1e25b9

SHA512
1dfe6c343601f9521094bf2487878be7089c5b8d8754cc657a6a52dd704fbd1306fbaf6ea4f8832d64ef1566d68b2346b7fa38099d4772bc21e8276a1fdde810

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\prefs.js

Filesize
6KB

MD5
82db05f6e9bc17fb90b7d50aec53e709

SHA1
83644fd5c04e6014cc25996dae7f4438e149ca72

SHA256
06311e44bdd6760332c1cb2235d61de4eff9a3c3d766be0bc3d25d479f2c0b93

SHA512
0089df882585cf222474110119aa471068f58210b01ab03ae8525db473af44d4cada0114539c41de52bb77ad065e76d9377faf06fe563319372f0136a703ba20

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
ce7f19f2da9c64ea519478c92f8675c8

SHA1
c1ae66106cce28299a68a4b0784bee99fabe5992

SHA256
24745d2205e3bde0201a1458913aeb7fed948527dcfaf477b15019dc2ac88430

SHA512
6e44f6c2b64c3ebac5997be703b4180feaf846359a65049703e4dc5b743ba19e21378660d60abb721fab9a384664857944a7d37b62e958cc19f0b58bb7ee82f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
b36cb9aa6187e4955f42dc5d1b28d868

SHA1
b37c868921912af88ebbe63ea3940514aa3ba5f8

SHA256
26b29d4c12fe311b9ac744ca647fea3e1718564efd8f03a01731f4fd63c6be70

SHA512
9c7188a9d81e5b4bda803f3b0edb5669512132f89d0cfdae865e2407d9331f38512904ec43370a30ac7d4979b8e99ed098ecbbb758e5f15fd43b7f50879d480c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6vr1qaxh.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
3bc304e26bb0fdad8f1ddbda44e4c44d

SHA1
04faaaee12edaece08bbf4c3d35b81e0a95b4b1c

SHA256
016f80903e0a30fee70a76b92da19fc2bd2d8629d6fc3d0024b832c29b1f6ddf

SHA512
302a383b49b5f0a20e1de9d951f9461d2a62eb12f4704344830352373fe6f98f9445ff07df03a36066966a9d7ac804010767cc9022e60f85729a0c5ac940a851

Download Submit
C:\Users\Admin\AppData\Roaming\svchost.exe

Filesize
144KB

MD5
4016477fd044882c78f3c1a47d7322e1

SHA1
6c75ffa25ef2d1d6a658ff415b2e47964032fc6a

SHA256
fbbaef754d6dafaaf32ae5e7937135fe81075806e5e2b0db1d6f9441a1cd8633

SHA512
17706a8238817e135ffe378e60e1e52964a00aeee6c6b9bc7f288a0390ae97d958f053cf693a4d829a35acbe32e3ab9599c13150a3155c671490736e88d19df1

Download Submit
C:\Users\Admin\Documents\hahaha.txt

Filesize
63B

MD5
45dfa78907ccd5154a672941b7fd7805

SHA1
c96e039c5d260e3fc61d65da6718d3a832a182fd

SHA256
7d6a89c0a71eb6607c0f9226cbdbc241a154a49e463e599ea8ff126c161ad6af

SHA512
45b88dc885c14920f7e309566475c1c0d35b43dfade79ae951d41b422a4cba511f36b6305f0fde21af780399929f529661e1e9f1bcf0190e2b73472ed9950f2b

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt

Filesize
379KB

MD5
954c3da764a298aca2ed0f13231dc63f

SHA1
dedea29aa4ff99d3a46c9d4a1423f2d57ee73b98

SHA256
6e97cbc3e212f201f0c54a23e916a39bd74456de67bad336bfdadfd0ac26eb96

SHA512
c52bb97940eb5cba7aafc00295b490fc967d77a8246bde6e112a0b408857348814b161ad8d6cfcc1cb48754a7d21f5c72d3d2b17e7a8abf76a25beec8723f47c

Download Submit
C:\vcredist2010_x64.log.html

Filesize
85KB

MD5
58edb7e9ce36615ee65e4113562bfc0b

SHA1
bb0196d7789ef7a682000916574d5bcb63103948

SHA256
428cff9c42e862f1df2b3b108538a54a3d0146d514fdc5fd67156a0f4fa45dbc

SHA512
9874e2ee7b9426c0c55fe60f449da09613529e8bdc642f7b70007fb275e8ce37559454e606484b94a481e13aeee69c4140d2771f57c754a5bae064aad3f1a516

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt

Filesize
395KB

MD5
b94bfa78ad6a5d122cbfc7534e68be52

SHA1
2470960f86ea48c6a64f315eaa9eefb59d6efa4c

SHA256
6250a56b3eea36c1461ac8cb823a907694c42edd8d722a4b95136caf98cc561f

SHA512
fed1dc097db3325f3c1de87e776ffbbdd8a3708f3ad140fd5c6f910ecc5b2dabfab3ee5d5966fceab106b603574c5ae679fd5929a207e4abdff26a6ec6cfb2dd

Download Submit
C:\vcredist2010_x86.log.html

Filesize
81KB

MD5
24a57acc3878dcb660a1caeffd6d72ee

SHA1
bfbb94640b03747ed14022ccafa1725f07d07b37

SHA256
cbd145a1cb9f59920a088e756d7d9f82d39a2dfd558eb32ec2ef1c4b2cda0e25

SHA512
597ca12ccf76c6233e12336438813f5949eea62eda84e42dca08603bcb0f293077be52a4a461a6e259186c38987b46bceb69867f717145be95919c2128ed3591

Download Submit
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log

Filesize
167KB

MD5
9cadb15530f1c76dd7755888771e7346

SHA1
9e850abfc27fd350dbca0a1256a093ecf34a6aa7

SHA256
234481e8e2bff7600a0fa157adaef6bd8de485ebd1a7a4f9a3e3e60d04e62485

SHA512
3cd00c8fa7550054d09d5ebb662af087b875ada9c9f8c9c2b11f62b21bf77c83fe36eeeab48cbf547cb72b4cb7bccc84213aa38778d3160345c40dc0b6abcfd3

Download Submit
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log

Filesize
195KB

MD5
4ed2fa0a13e28f41a30a2d8ca427079b

SHA1
dc1f900cd1c69b198f71a5e53c262d0b123d4b74

SHA256
798ec968299ea49901639878fd50fd67563c482f9f7d17e8b530ed2347a8c761

SHA512
b7fce82ad26ee333ec3d5e599a6397da8d8b20d62dca793687c83a23c6400eb70544ca56c6f69ebb2e12eda6e8fbb72f69861c4861cc11e83d66edcb75c6f949

Download Submit
C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log

Filesize
171KB

MD5
904bd64e4bcce5303f835d0512b92b26

SHA1
619e91a2cfa42f15160f2142b001dba2f8a9c284

SHA256
332af8f8370c2a1c23d484d5f10427dc0f71128a7a63e4eb888e34017213fb9e

SHA512
0d4b0f72cad38464ecceb7e0e4e8e7098e9886ae768fc0cc293bb16ea3c26fbbfd04ba82fbd417773c54e2f9352f59c3bba7a4fd7b4b9eb6b063cb199c5cbd68

Download Submit
C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log

Filesize
208KB

MD5
daae8a89ee77455e22de22c86f71c234

SHA1
135b680c389ec04462dfbba61a1f971a6c68943f

SHA256
0e225daeb32cd4199f4a92106d0e6b5fc9caa9d955208bd3d10dab5c7fd11df3

SHA512
d54af854ba253f2bae1e0ceeb4d1566c2e26b79a54239ae3804e57b03adbfeb6c5fd2d9a2c6281385461378fab5c98cc771301d80f44e0f7b5b84bcaf236c85d

Download Submit
C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log

Filesize
170KB

MD5
5f218b2a478f5f3f0847873a94dc5e4f

SHA1
647f6c0f8bc73cadc0ff21c7a016183ec4bd17b2

SHA256
7e6e75859e73a4cb26dcf90d6485ff3b382f4a55eb396a8fbcf0a44d5f72cc8a

SHA512
cce28ac9506bd5aff5520fee399fdb94b7b5988b5df51082794a7ff35bac9f140d042d51aae8c2c290bb57cebb3596b95928122ede4d79d97c2f90ad1aa6d685

Download Submit
C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log

Filesize
190KB

MD5
c248fbd159deb1d06e14cd6dce16e8bd

SHA1
7c7f1ed7a20b3897df87d30d31571de48e79e5ef

SHA256
1668187a0693d583ef80892d856a07d65c1812eda8b6bcefed5b7c77a599022b

SHA512
9cdec190625c405e48c675d5c214bd405a75880640b1c414470fa1a2b2ad6ce3bc8da456f848a3ef68ce42a9bc2a317bef2da20a267cb1095e331642944f6825

Download Submit
C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log

Filesize
170KB

MD5
9bc6ee9b617a1d1ad237ae7f0278f175

SHA1
018ae33ce94c2b564e05fbad8aa8a670a9be0fa6

SHA256
cfe88cee11ee8c4ef6c4d2943e53418beb5222b0185e54cd1830d829a1c36070

SHA512
9ffb92f00ec06fd00ceac9ce3efb64d129ee0c77b78af4dab04927870631daa68200e212340f3f231b33dfa9457fd5bbc3b9ea3f65cd25f1db4cd791fec6e339

Download Submit
C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log

Filesize
198KB

MD5
b287f609100e925e8cc3f3dd34770b62

SHA1
9f53c9685972648834a673b6e3b0098a3a76fec9

SHA256
8718c23829cd3e9950a2a1acb3e4a37c3fccc0e73d67ff6daa2e2b34d5237fcc

SHA512
a84815d813b2cc7125e240f257e0a768e022a1e4e520ae8c993e932baa7628db1f6f816839b0c15f7020b23254c7f36ded08890a09cf45bc780315bf8cc5ae28

Download Submit
C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log

Filesize
123KB

MD5
40b99b23fff7ac985c2396f77c7cdfd2

SHA1
ef38186d5347f5bae992dd9b7958b30831aefa2b

SHA256
7012376cd56197192c87621a016b397020404dee5c827dadde479e3a88d3baea

SHA512
3a475eb5797c046caa58129dee8c799c84ecb37173af00346ab893b34a0344dabaa928d847923366a4451393c47ae8f857ccba6a0926523e37ffdb7bf0887901

Download Submit
C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log

Filesize
129KB

MD5
c4a49dff151a3255b1fa126068cc3270

SHA1
d6d3818c4365889a94897943c322061d6c7acec2

SHA256
8bd7e15666141ee759ed602ede5bf83f27533e24aba2ad9454532575aa59a387

SHA512
179258f4c7604f7de5714fb1acd5a3a58143fea8cd2404d26092c3982601d287fd483ab78aa00df8a8c4f175256dd86c35d9fdb76f107ce2dde1076d0a1db0c8

Download Submit
C:\vcredist2022_x86_000_vcRuntimeMinimum_x86.log

Filesize
123KB

MD5
ac86f20ca2d20e060e0c31f24d78ec7e

SHA1
e529b2a1539e31f072db8ef4e027fb0215d67c5e

SHA256
7a13830f2caac3713e0e017f6e98460a86eabcfc375ea0fc77a64b9833e82717

SHA512
bef208fff98aabcadea1e6759b892962978f9a87d4f4b22133e9802725c0de6e7b55813c37f2b47462544232f43aff928f49727c66e5f776e41f32fa2c76ee5c

Download Submit
C:\vcredist2022_x86_001_vcRuntimeAdditional_x86.log

Filesize
135KB

MD5
4c1db7cd6c116f7436c474a2bae5ec30

SHA1
29143884a2c31c572153e26931cd973ec7dfff25

SHA256
cf1d5f99a43634ca9b03242a0410469b257e8a6fae124ae23a8db0bcc8e355e2

SHA512
6449d0c487acda5b34a0311bfbdb29a4c1e9e70d50831031dbafc3cfeccb31af2682f29a8a294dc8deee8ab44a13accf14249cc8a0aa2a9e6afbc8d33a36615a

Download Submit
memory/724-489-0x000002040B500000-0x000002040B501000-memory.dmp

Filesize
4KB

Download
memory/724-498-0x000002040B500000-0x000002040B501000-memory.dmp

Filesize
4KB

Download
memory/724-497-0x000002040B500000-0x000002040B501000-memory.dmp

Filesize
4KB

Download
memory/724-495-0x000002040B500000-0x000002040B501000-memory.dmp

Filesize
4KB

Download
memory/724-494-0x000002040B500000-0x000002040B501000-memory.dmp

Filesize
4KB

Download
memory/724-493-0x000002040B500000-0x000002040B501000-memory.dmp

Filesize
4KB

Download
memory/724-496-0x000002040B500000-0x000002040B501000-memory.dmp

Filesize
4KB

Download
memory/724-488-0x000002040B500000-0x000002040B501000-memory.dmp

Filesize
4KB

Download
memory/724-487-0x000002040B500000-0x000002040B501000-memory.dmp

Filesize
4KB

Download
memory/724-499-0x000002040B500000-0x000002040B501000-memory.dmp

Filesize
4KB

Download
memory/2380-500-0x00007FF8829C0000-0x00007FF883482000-memory.dmp

Filesize
10.8MB

Download
memory/2380-424-0x00007FF8829C0000-0x00007FF883482000-memory.dmp

Filesize
10.8MB

Download
memory/2380-14-0x00007FF8829C0000-0x00007FF883482000-memory.dmp

Filesize
10.8MB

Download
memory/2388-0-0x00000000007B0000-0x00000000007DA000-memory.dmp

Filesize
168KB

Download
memory/2388-15-0x00007FF8829C0000-0x00007FF883482000-memory.dmp

Filesize
10.8MB

Download
memory/2388-1-0x00007FF8829C0000-0x00007FF883482000-memory.dmp

Filesize
10.8MB

Download
memory/3756-890-0x00007FF8829D0000-0x00007FF883492000-memory.dmp

Filesize
10.8MB

Download
memory/3756-503-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3756-502-0x00007FF8829D0000-0x00007FF883492000-memory.dmp

Filesize
10.8MB

Download
memory/3756-501-0x00000000002A0000-0x00000000002DC000-memory.dmp

Filesize
240KB

Download
memory/3756-891-0x00000000025D0000-0x00000000025E0000-memory.dmp

Filesize
64KB

Download
memory/3756-893-0x00007FF8829D0000-0x00007FF883492000-memory.dmp

Filesize
10.8MB

Download