Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

TruCheck_v...er.exe

windows10-2004-x64

8

TruCheck_v...er.exe

windows11-21h2-x64

7

Resubmissions

08/04/2024, 14:58

240408-scmmhaca56 8

03/04/2024, 19:45

240403-ygeeksag7v 8

Analysis

  • max time kernel
    658s
  • max time network
    1174s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/04/2024, 14:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    TruCheck_v3.03.70_b3647_Updater.exe

  • Size

    195.7MB

  • MD5

    719e9af110e7527608b8006f6290a29c

  • SHA1

    74a0684bffc141503c55572c12eecba2a3d9e5a1

  • SHA256

    29dc4464ba770c14edd38234dc1a26fc6a983212831ed653b50945be99153c12

  • SHA512

    140e648a28ac5e7a3180f7f311f84ee0a393146f066d3d800d25efff9e5f278d97445117b10c28a382b45c5b345183bdf11fc5227d6e687dedbfc3b8372d87ae

  • SSDEEP

    3145728:caSFaGTMXZ+IasZ4AR/gh6O6gx7AFaTzT6B7jdsOL9Nf0iVbSJNTRK:2aGwJ+TO496nU/nO7jdnky

Score
8/10
persistence

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Manipulates Digital Signatures 1 TTPs 1 IoCs

    Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 64 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 48 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 30 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 54 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 18 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 8 IoCs
  • Modifies data under HKEY_USERS 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 39 IoCs
  • Suspicious use of SendNotifyMessage 37 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\TruCheck_v3.03.70_b3647_Updater.exe
    "C:\Users\Admin\AppData\Local\Temp\TruCheck_v3.03.70_b3647_Updater.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3640
    • C:\Users\Admin\AppData\Local\Temp\UpdateTool.exe
      "C:\Users\Admin\AppData\Local\Temp\UpdateTool.exe" ud=true uf="Setup.exe PreInstallDriver=true"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4128
      • C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.exe
        "C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.exe" PreInstallDriver=true
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4996
        • C:\Windows\SysWOW64\msiexec.exe
          "C:\Windows\SysWOW64\msiexec.exe" -I "C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.msi" PreInstallDriver=true
          4⤵
          • Blocklisted process makes network request
          • Enumerates connected drives
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:3184
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Drops file in Drivers directory
    • Sets service image path in registry
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1652
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 345F1FA01BDBEF712CCCF21834D60E1F C
      2⤵
      • Loads dropped DLL
      PID:224
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:3800
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 7FE8FD4F0BC76A25A6BC4695CD139050
        2⤵
        • Loads dropped DLL
        • Checks SCSI registry key(s)
        • Suspicious use of WriteProcessMemory
        PID:4444
        • C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\x64\W64Install.exe
          "C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\x64\W64Install.exe" p
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          PID:3252
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:4320
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
      1⤵
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious use of WriteProcessMemory
      PID:3692
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{cd855e7b-d099-164a-afb8-e9ebde89adf5}\trucheck.inf" "9" "455d358b7" "000000000000014C" "WinSta0\Default" "000000000000015C" "208" "C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers"
        2⤵
        • Manipulates Digital Signatures
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies data under HKEY_USERS
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\Windows\system32\rundll32.exe
          rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{3497a990-874f-a04f-8f71-26bd40143747} Global\{9a3a2c16-1f63-234a-ad95-197b619ffcfd} C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\trucheck.inf C:\Windows\System32\DriverStore\Temp\{fc203b4d-405f-7244-80f5-95f33df825d6}\webscan.cat
          3⤵
            PID:4328
      • C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe
        "C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe"
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4904
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 452
          2⤵
          • Drops file in Windows directory
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:3236
      • C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe
        "C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe"
        1⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:5048
        • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
          dw20.exe -x -s 2536
          2⤵
          • Checks processor information in registry
          • Enumerates system info in registry
          PID:2164
      • C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
        C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe
        1⤵
          PID:4824
        • C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe
          "C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe"
          1⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:3844
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 2556
            2⤵
            • Checks processor information in registry
            • Enumerates system info in registry
            PID:4688
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          1⤵
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:2496
        • C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe
          "C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe"
          1⤵
          • Executes dropped EXE
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4056
          • C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
            dw20.exe -x -s 2564
            2⤵
            • Checks processor information in registry
            • Enumerates system info in registry
            PID:4912
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
          1⤵
            PID:1592

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Config.Msi\e59fa94.rbs
            Filesize

            189KB

            MD5

            d6a724727ce418948eeb380821d7e6eb

            SHA1

            856e0966fee149992843ecb0ee9c7327b4202e87

            SHA256

            93e028541e8eedd217475b5a3a20c3afae82f46516763c12916b81843c542644

            SHA512

            525cb30e77b26bb27d293eba98fa8773c01c2789f7a156f80ff398f0ddc9a1b38a083e80883a24a6deb8b76103b22727dff961bd9323f579c9497f4949023e87

            Download Submit

          • C:\PROGRA~2\WEBSCA~1\TruCheck\Drivers\webscan.cat
            Filesize

            12KB

            MD5

            e8cd2be72e86698bf847c8ab02969af5

            SHA1

            7aa588e580dfa1c4699f6f27dbfed1d8c365ab48

            SHA256

            a41c6951d9365e774d97958b129679d175f70ca47c3a5ecd58bd42744ef21640

            SHA512

            f55cf41c5c07283fa6d55cf4a11979bcf120f31c1af7dcf69fc387b215374342aa6783d1a66fec0cd7d4599e5b0e4cc7513a8a380007c15178b256cbeb3b08a6

            Download Submit

          • C:\PROGRA~2\WEBSCA~1\TruCheck\Drivers\x64\CyUsb.sys
            Filesize

            51KB

            MD5

            f3f07cdd21b7b220a68005e6731496ca

            SHA1

            68e54ba66bb8e591d633e3d79658e03586e83311

            SHA256

            251b04deac7cecff790287dc6b212222ad85fea40e5e7f6e675a63000b336d93

            SHA512

            9ae2e7f6f7fca1dfe18c60653442adef506f8cb31e65624ff19cbfe4e20bd9d681236ad58ec15e80f427ef70dc289bf731b171257f2c86f85414c505b3555137

            Download Submit

          • C:\PROGRA~2\WEBSCA~1\TruCheck\Drivers\x64\PGRUSBCam.sys
            Filesize

            53KB

            MD5

            ba738127ecde978bbc9e5a07898601f8

            SHA1

            d7be3f8e02fb91f2ca75a6c783e3dc8e3ad2c10c

            SHA256

            2680bafd34a04aa9e6c220cbd75c54b945520aa66c9544274835533ed68f4a43

            SHA512

            f9d73a2fbe1d15ee23bc2aa074d62795faf0fe3ad5af57865038b19d3f279bfdef6b671bb6a4477eee843fc289e828b9e31f0b842e8642b0d15cc5658880e3cd

            Download Submit

          • C:\PROGRA~2\WEBSCA~1\TruCheck\Drivers\x64\StUSB.sys
            Filesize

            43KB

            MD5

            8da0f189cc61a7952e472a17d10fac7b

            SHA1

            cd4f3677f2abbdaf1297d79efe37f1a980663aa5

            SHA256

            9e576d0302b6e2a27b3b2e03300020c20a359b8201eb20ce5adede0a9f12675a

            SHA512

            c2179066d0a2556f05b96ab5486e01b37431750f74ad97dac17cac9787445d52e266fd3024eacdda128a8e8ba65f49a9da87ba395d373d64f28c4ecc3bedb3ea

            Download Submit

          • C:\PROGRA~2\WEBSCA~1\TruCheck\Drivers\x64\uEye_boot.sys
            Filesize

            1.6MB

            MD5

            330c321024ec9e5156392ba8b8e85a3b

            SHA1

            41c5d8a7a016d59398520da17974569e9e700aed

            SHA256

            91bff3c6164610f38a96c4fdbc5ae7315c0badbc499f1bf8bf111e7296e8e690

            SHA512

            8fb9c3ac3a56201bdba13344a2b1c7bfab11f7964ae1b39094c4d68ead2b19e8245add32be99260b9473bedf2dbee39dcb70ccd1f28085ce3a48af7db5f5c292

            Download Submit

          • C:\PROGRA~2\WEBSCA~1\TruCheck\Drivers\x64\uEye_usb.sys
            Filesize

            1.7MB

            MD5

            16b24166eb196aabe418b8d0d83aa60d

            SHA1

            8908b4ead1a791d185bc3af927ac6f194f8734d7

            SHA256

            407c590b2f222dfc9424d0d8a65a76e4ed2ad3b8ba3b302d10ebcdaff787410a

            SHA512

            1ac67c8f822a5069cb670f18d77259bd1effece7b7d326a528b1175d7df2fe3684c0eeae1393de94d309d90bb94f3472438674034277b2435db9ea6ac6eac5c3

            Download Submit

          • C:\PROGRA~2\WEBSCA~1\TruCheck\Drivers\x64\wdfcoinstaller01009.dll
            Filesize

            1.6MB

            MD5

            4da5da193e0e4f86f6f8fd43ef25329a

            SHA1

            68a44d37ff535a2c454f2440e1429833a1c6d810

            SHA256

            18487b4ff94edccc98ed59d9fca662d4a1331c5f1e14df8db3093256dd9f1c3e

            SHA512

            b3d73ed5e45d6f2908b2f3086390dd28c1631e298756cee9bdf26b185f0b77d1b8c03ad55e0495dba982c5bed4a03337b130c76f7112f3e19821127d2cf36853

            Download Submit

          • C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\InstallDriver.dll
            Filesize

            50KB

            MD5

            fd6054ccda68e02610b899cdc16d186b

            SHA1

            f23d3f737991466d758caabe1dac0fa0977384f3

            SHA256

            3e271de68ca66ec912976e347816ceecab7540e05a98b1d8d0690c662d65d2da

            SHA512

            efe63d70fd7d454b57cdd4c2fe85ccd20cd6ab68cc6f990f2436f4f7a9083a2443e7868af513c55e9f1f865395a5262787e2b588ece13ff0cd10ae1146f050ad

            Download Submit

          • C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\trucheck.inf
            Filesize

            9KB

            MD5

            2987d40e46e1c0b1701e0fac75b141a5

            SHA1

            0ec7e21728fa7d950f1107be0aa7ae30696941c5

            SHA256

            ce7d779c2671a33ede4c0313571733243b732a79330aed0ef9eabe129c38d6c0

            SHA512

            613ce470b5334d7c0658c86180b17f3a9a79256a655f41de59d60bad46176f62a882b75f97a8314b0f077ca098c985b3633d8249a3ebb06e2517bfd51b0ef22b

            Download Submit

          • C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\x64\DIFxAPI.dll
            Filesize

            507KB

            MD5

            9495b07f33ded991c65d9b04945d44c5

            SHA1

            db9d5ec47980eb0709faba0cda283ff99d643b7c

            SHA256

            bf0798d3a4540b15f45c5b329798a2ac532ff693764948b9b4757265e145216e

            SHA512

            36ff4bd8b252f78a91a8e205bda17bd7f159a11f1616f5bf90fa08164201c272efa817c3974680603ab19a2086ce4dc3a26a504ee811d5a530ccc9e8af6d4815

            Download Submit

          • C:\Program Files (x86)\Webscan Inc\TruCheck\Drivers\x64\W64Install.exe
            Filesize

            9KB

            MD5

            f4cb6e0ad8de576f746e7121eb61c364

            SHA1

            636dbc63fc48cace097d332055cb42c190e65984

            SHA256

            1053e632d1f5e43d1db5d263e1bacc52d199f3acb3ab8ee26e7d505569de376d

            SHA512

            93cef1a63616b8b651c790d2236640c99ed9cd03de1c606345d5d8d7b2b901758459b317c1c0a0811c622d88833336d46e2c0a2ca7d1619d8614f7a2f04fb617

            Download Submit

          • C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheck.exe
            Filesize

            982KB

            MD5

            8a33495d8e72035488d6bfe0ce276202

            SHA1

            5acefd68888410407c01c72b985b973046a286ff

            SHA256

            c9af2411972dd18e6842cc37caa61d60ba1e44160668109eba99b2be72d15c72

            SHA512

            c39857654d88d047afe126da4e0ed4f29a473bde4f085f044e12fcde43e1e1d5787030a0bb761db32438133874fef5ce4c0870fe139b6efb13b8b80dd0972c05

            Download Submit

          • C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheckControl.dll
            Filesize

            20.9MB

            MD5

            283aa6dc39b6b9e4267a9f5bb620ab4d

            SHA1

            9daddab44c9182d51ea886110adb41fc90854f68

            SHA256

            c3885de8c87ff9ddf33193bed64c5599ed161957f762245e6316b126b95f6d99

            SHA512

            7d9929c6fc99115945dec89cd03e1f0da9dd26302e415fe28b62420ef4ef60a2bdeaf6ba8f97c4b0286a20553a9eefb4fcffacbf17650e052020ac9bbe15eeb0

            Download Submit

          • C:\Program Files (x86)\Webscan Inc\TruCheck\TruCheckDataTypes.DLL
            Filesize

            93KB

            MD5

            1a9cc11b7e7c3ea0a8683eff665e9b54

            SHA1

            2805aed696d065093bc4b9fa9f0b980b2fdbdfcc

            SHA256

            e68a4d36e349f23cef88e00015aae8f3e896e79838a881f9d5fa2642bac7352e

            SHA512

            cc6a34a9ac4cf5cf7b7c64bc603913b09ca3ec29b6a639a559200ad58d3d4dd66c73110a2581e848f361a0917d7060ec310104ff38e36c20049522d016c7d33a

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
            Filesize

            1KB

            MD5

            fef0eb68d8155435755b8c45d6b18d8b

            SHA1

            7c672bcb826e3e6f07c8989d51e597a4921a1c69

            SHA256

            89abe5399b376c2b29551c3ea389d0bfdc4f1d0661a47f8f4f646393c483ac60

            SHA512

            5fa3cc1cbefafe64d2d675efe6f43eb49d07a789019d2dbeb45c8260217854e1b4eeb454f342299d3fa447174083a6bddf3e030ebc0cfa671b4d052bbfa86281

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A1D627669EFC8CD4F21BCF387D97F9B5_B8EC29A9F6EE1252C61F50A231A186F2
            Filesize

            1KB

            MD5

            f3934ff8d52196445395567b4429620e

            SHA1

            4c05f15c54354bceb9d8af2abf6e38c8fe83dbcc

            SHA256

            1b6e340b1fc132be8281410189dd2de422f0ed0ef44f2eb046d826b5832417a4

            SHA512

            e4ac00c30f65da63d31c9abd2ca1a4e96391a9d7353bff3be3213997b7934f57d041e490f3767ea804c05841f378f7c2f8046165fb57544f5e42225b81f557f4

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_6C354C532D063DF5607A63BA827F5164
            Filesize

            532B

            MD5

            fcaffe8520e8c4b2054818d74748678e

            SHA1

            3acd48837a2b768d2a15ee4325b3a517d1082049

            SHA256

            9a08cce5ac92f7ba103eae069eb221e05da9d80df103593fa19011e0c3820916

            SHA512

            ade41c93f9f761682b3b8e7de40b9906655334bac3738d83f13166e4717c8cb2c99e9d7ef730978b26e30bb5861f4cdbf0b20bf1f8f2b90397d86febbcf6a5e8

            Download Submit

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A1D627669EFC8CD4F21BCF387D97F9B5_B8EC29A9F6EE1252C61F50A231A186F2
            Filesize

            544B

            MD5

            4c742538538b113c0a1dfae630f2b92e

            SHA1

            e8a8197ba34177cac9735f26a55aab18939ac2c4

            SHA256

            cbbd0ab87795d92ff0b1dcdcfdd2dd0fb89068db0924f034364537f6f3b4cfb4

            SHA512

            ff57435389ce9a2f9f9a86731b276c618a5da78376c05a9c5876d85f9b868323d4cfa39b7b37db5996b8a42d345db36c251de82802415081b62a8fdb7997a56d

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\CFGFF94.tmp
            Filesize

            123B

            MD5

            17af548f88a3199aa8a63a72201f470f

            SHA1

            4e64bb20a2f54d778ed684aa21abebad63a5c2c0

            SHA256

            a558dbe555749cd3bdd62060fdbba72720c4f4a186d5870b977ed2acf9721d9e

            SHA512

            08bdbc75f5fd4d9ec85c53253e4030ce7245b20ecc95e032835609c7c43a07d6c9e7776f48c5494a788a543240c0649a9f1a34a0e514ebc4dda5730953647338

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\MSI8462.tmp
            Filesize

            221KB

            MD5

            911aa8d08b7ccab654e897b0e4439354

            SHA1

            4f4f16048deae47a2ff5b9849042f62ec51794bc

            SHA256

            ba56a2fa13e5dae48b6d74a8fa40f2f44473b386e71ba1e7ec2ded90ad56bb8b

            SHA512

            8aa11f26093e54a62c5390c64e218a8a57cd3374bbce8ecc243042dd8a2214ede1f3befa699837698c0bd42b9b4e011f95c62588b8bdd4da9aae12dabe4b46e4

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.exe
            Filesize

            384KB

            MD5

            776851d4a843a0717892e075d03f46ce

            SHA1

            71158f473006c4bbe7c0a5e969c0b346e0c57ac8

            SHA256

            3242c4e31b2158a950b66220ba6029138be0c00a4534c7e3c3c109cb882f239b

            SHA512

            57130f320b81da24c784d84b94d2968437f48a7a950944e4c5c31858741d2e31f33cd01992f36fd55b9fcd2fdd425b831da6b7a196bba4d9486d4a8f0aead7aa

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\TruCheckSetup.msi
            Filesize

            191.6MB

            MD5

            b42d32a276b782d58420ec171789ed34

            SHA1

            789505e6363e2fc9942e5b73df99884760273abf

            SHA256

            704f21dd7d649d9875b903727e232316dda3075feaf9f25efd46134af9c31839

            SHA512

            63741b75309f8f41a57bd9e1daa4f7e408a73de2d2fe19e2ef3b51dc7d0e1cc5b9d3ba2c2bc3250649992e693a206825081a6cf25badd93c12592c359ec61684

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\UpdateTool.exe
            Filesize

            59KB

            MD5

            d42b83e5e46d7cc78baf0fc96c9eb676

            SHA1

            f8749d8dcfc7e5ca8ae9c1c61cd07c69ba5179e8

            SHA256

            1d346380993baeddb1b36928497cc442415e05b761dd66296f85815b13091cb6

            SHA512

            bafd9284e3de19607cc64c2f1b4ec7d18906f49618aac246ae2ef103e36a918d7f6d0c8df7a45d11e36281dcd95da8b65add4e72228d97fd4f4c43de086b6508

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\{cd855e7b-d099-164a-afb8-e9ebde89adf5}\SET1F0A.tmp
            Filesize

            52KB

            MD5

            0bc66dacfaa51cc1836424e3bec2a3f2

            SHA1

            a4913f8b55ab23be811768bb654e3ee501c7b4ac

            SHA256

            a64efa8dbf365c9f5db260047911d47cbf75cdb39cc21adb6b569644849ba1b7

            SHA512

            f374987a8c15f901f9ec6a7b75fcc712a4313dd3c42dd05b8dc8f8b3d0e7a4c66f04bd640d90cf16078b73f8122e2ccce0d9f96ac9296842b353660a310b02ec

            Download Submit

          • C:\Users\Admin\AppData\Roaming\Microsoft\Installer\{3F408034-3680-483F-A303-286D629038CA}\_B5F8CC6E4F9FA1A6023003.exe
            Filesize

            14KB

            MD5

            07282ca770d5cc6fba8e0c1598c485f2

            SHA1

            b7bb6f83b446f73499059d2e14cafba3fc09eb81

            SHA256

            c7669bc86c8102ab2cec262de32ac4aca06e4904959c088d85440ae77b85ec36

            SHA512

            845fd16f032fd40456d74f30045e688044b5d2b4014a06ec700fd0211ed4a2b9fbe53dc89ad8bd7f2407c0ce6cb12885f06185c56065672071d682b39716903b

            Download Submit

          • C:\Windows\Installer\MSIE4C.tmp
            Filesize

            63KB

            MD5

            384a729b4093250d9786013e15e9aa31

            SHA1

            c7ebd3366e0b05b2eb0cd17a6a8354427436774c

            SHA256

            e83ddd458b0433c98f4d13853cc88cf72fada6ffce6d56fcaca8e83bd76abfad

            SHA512

            d6f70005e29e6e8b5c926d7fa4280ae1081c8c0626f74417a73fb81dd5522abab300dd7105f8842a2f41b8f036edacb4853bc6ca7be8f67e5da80ca9de9bc66e

            Download Submit

          • C:\Windows\System32\CatRoot2\dberr.txt
            Filesize

            19KB

            MD5

            e9027d5aa1ac489767470cdb9832928a

            SHA1

            caf01ae8df91c704b9ec1752a90839b46c12bbfa

            SHA256

            e6ebe531e297c6beb98418e0885b18cc148a8b26525041230f2a2cf09b964610

            SHA512

            7db67149b626f0d5fc611d3c699ad76837003b402466da91a2a8a18ee44a2ae58648eb7c3eccf6802c4a2194776b6e2a6ba443601c34eaf52c273bbdb1476289

            Download Submit

          • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
            Filesize

            23.7MB

            MD5

            a76aca1b5f98f13019c9dfa0e920a0b0

            SHA1

            c37aec0019a8a6107fc8c8703ded54bdc71d497a

            SHA256

            9fb53d8391439f86f2a2d8389765f08a6979f13f31696eb0d47af3f4dc65d7aa

            SHA512

            fc2aebcc3be601b3c00dcd29721c7190bdbf9f3c602d3cd236304d1a7cf48b9593405b859ac68911a5961dc9654b55a8a98006861c1107fc33c2ea8643195cd1

            Download Submit

          • \??\Volume{2dcc6a48-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{e18bd059-aa86-44f0-9644-37c14dfee09e}_OnDiskSnapshotProp
            Filesize

            6KB

            MD5

            7db8e58e3fa677dc80c56a7ef60b1a8d

            SHA1

            430c14b2ca34e43408321ff31fd723cab1d1c0c4

            SHA256

            443eccf5834c703b2cb505dea6828b77204ff35f1ae828af086aa689d9f07bb2

            SHA512

            7b22e11a5580fd3d1db60a1e42c6193532a0b74e612deea183e7715dcaf8ddfc5a8c381cae8f07d6c8ea3dee2bfdf27d7f87b875da01732d3ec8e8049052092d

            Download Submit

          • memory/2496-522-0x00000239FB9E0000-0x00000239FB9E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2496-524-0x00000239FB9E0000-0x00000239FB9E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2496-523-0x00000239FB9E0000-0x00000239FB9E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2496-528-0x00000239FB9E0000-0x00000239FB9E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2496-529-0x00000239FB9E0000-0x00000239FB9E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2496-530-0x00000239FB9E0000-0x00000239FB9E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2496-532-0x00000239FB9E0000-0x00000239FB9E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2496-531-0x00000239FB9E0000-0x00000239FB9E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2496-533-0x00000239FB9E0000-0x00000239FB9E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/2496-534-0x00000239FB9E0000-0x00000239FB9E1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3844-503-0x0000000010220000-0x0000000010A7F000-memory.dmp

            Filesize

            8.4MB

            Download

          • memory/3844-521-0x00000000753C0000-0x0000000075971000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/3844-500-0x0000000001C70000-0x0000000001C80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3844-501-0x00000000753C0000-0x0000000075971000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/3844-499-0x00000000753C0000-0x0000000075971000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/3844-502-0x0000000001C70000-0x0000000001C80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3844-505-0x0000000001C70000-0x0000000001C80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3844-506-0x00000000137B0000-0x0000000015AB5000-memory.dmp

            Filesize

            35.0MB

            Download

          • memory/3844-514-0x0000000001C70000-0x0000000001C80000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4056-539-0x0000000013220000-0x0000000015525000-memory.dmp

            Filesize

            35.0MB

            Download

          • memory/4056-535-0x00000000753C0000-0x0000000075971000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/4056-536-0x00000000753C0000-0x0000000075971000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/4056-537-0x00000000015F0000-0x0000000001600000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4056-538-0x00000000015F0000-0x0000000001600000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4056-547-0x00000000015F0000-0x0000000001600000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4056-554-0x00000000753C0000-0x0000000075971000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/4128-32-0x000000001F670000-0x000000001F6D2000-memory.dmp

            Filesize

            392KB

            Download

          • memory/4128-38-0x00007FF8733A0000-0x00007FF873D41000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/4128-18-0x00007FF8733A0000-0x00007FF873D41000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/4128-19-0x0000000000E50000-0x0000000000E60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4128-28-0x000000001C1F0000-0x000000001C6BE000-memory.dmp

            Filesize

            4.8MB

            Download

          • memory/4128-29-0x000000001C760000-0x000000001C7FC000-memory.dmp

            Filesize

            624KB

            Download

          • memory/4128-30-0x0000000000DF0000-0x0000000000DF8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/4128-31-0x0000000000E50000-0x0000000000E60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4444-266-0x0000000073520000-0x0000000073AD1000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/4444-264-0x0000000002D40000-0x0000000002D50000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4444-445-0x0000000073520000-0x0000000073AD1000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/4824-476-0x0000000001170000-0x0000000001180000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4824-498-0x0000000001170000-0x0000000001180000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4824-473-0x00007FF8709B0000-0x00007FF871351000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/4824-470-0x000000001A5E0000-0x000000001A600000-memory.dmp

            Filesize

            128KB

            Download

          • memory/4824-472-0x0000000001170000-0x0000000001180000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4824-474-0x000000001AA20000-0x000000001ADF4000-memory.dmp

            Filesize

            3.8MB

            Download

          • memory/4824-471-0x00007FF8709B0000-0x00007FF871351000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/4824-496-0x00007FF8709B0000-0x00007FF871351000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/4824-475-0x000000001B130000-0x000000001B266000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4824-497-0x0000000001170000-0x0000000001180000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4904-449-0x00000000008B0000-0x00000000008C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4904-448-0x0000000075320000-0x00000000758D1000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/4904-450-0x0000000075320000-0x00000000758D1000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/4904-466-0x0000000075320000-0x00000000758D1000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/5048-479-0x0000000001630000-0x0000000001640000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5048-469-0x0000000001630000-0x0000000001640000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5048-468-0x00000000753C0000-0x0000000075971000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/5048-467-0x00000000753C0000-0x0000000075971000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/5048-495-0x00000000753C0000-0x0000000075971000-memory.dmp

            Filesize

            5.7MB

            Download

          • memory/5048-480-0x0000000013160000-0x0000000015465000-memory.dmp

            Filesize

            35.0MB

            Download

          • memory/5048-482-0x0000000001630000-0x0000000001640000-memory.dmp

            Filesize

            64KB

            Download