Analysis
max time kernel: 117s
max time network: 118s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-04-2024 21:01
Static task: static1
Behavioral task: behavioral1
Sample: 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe
Resource: win10v2004-20240419-en
General
Target: 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe
Size: 2.8MB
MD5: fa475fe091f7aeed7cbffd8b289ac0b5
SHA1: 0eb6294df0b4b36fef41c8ea7b27f731147505e4
SHA256: c82b61d723e89dce005ca631f38166ae5b23dea6bce626c0ac8f2856163f6906
SHA512: 84a3141ea9e2c7fbdf868c165d2bae38a59e71f78afaadfc6573626b2abd1714a36e2a5cf38f9572197592affbe06b348be35a961ee0c888c46957b6c85ecfde
SSDEEP: 49152:D7gYRlYTvAS0+gvjCjCVQEX2YN2DhFGtXUWp1GaR8vk1bzNGl72YIqq6O:D7g2Gzqv+FEXYDhFOXDnLRrzNGoYIKO
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
Processes: tG9KFBVCktZrhQC.exe, CTS.exe, setup.exe
pid | process
1648 | tG9KFBVCktZrhQC.exe
2632 | CTS.exe
2812 | setup.exe
Loads dropped DLL 13 IoCs
Processes: 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe, tG9KFBVCktZrhQC.exe, setup.exe
pid | process
1996 | 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe
1648 | tG9KFBVCktZrhQC.exe
2812 | setup.exe
2812 | setup.exe
2812 | setup.exe
2812 | setup.exe
2812 | setup.exe
2812 | setup.exe
2812 | setup.exe
2812 | setup.exe
2812 | setup.exe
2812 | setup.exe
2812 | setup.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe, CTS.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe" | CTS.exe
Enumerates connected drives 3 TTPs 25 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: setup.exe
description | ioc | process
File opened (read-only) | \??\F: | setup.exe
File opened (read-only) | \??\U: | setup.exe
File opened (read-only) | \??\W: | setup.exe
File opened (read-only) | \??\D: | setup.exe
File opened (read-only) | \??\I: | setup.exe
File opened (read-only) | \??\J: | setup.exe
File opened (read-only) | \??\G: | setup.exe
File opened (read-only) | \??\V: | setup.exe
File opened (read-only) | \??\L: | setup.exe
File opened (read-only) | \??\X: | setup.exe
File opened (read-only) | \??\B: | setup.exe
File opened (read-only) | \??\H: | setup.exe
File opened (read-only) | \??\K: | setup.exe
File opened (read-only) | \??\O: | setup.exe
File opened (read-only) | \??\A: | setup.exe
File opened (read-only) | \??\Q: | setup.exe
File opened (read-only) | \??\T: | setup.exe
File opened (read-only) | \??\Y: | setup.exe
File opened (read-only) | \??\Z: | setup.exe
File opened (read-only) | \??\R: | setup.exe
File opened (read-only) | \??\E: | setup.exe
File opened (read-only) | \??\M: | setup.exe
File opened (read-only) | \??\N: | setup.exe
File opened (read-only) | \??\P: | setup.exe
File opened (read-only) | \??\S: | setup.exe
Drops file in Windows directory 12 IoCs
Processes: 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe, ngen.exe, ngen.exe, ngen.exe, ngen.exe, CTS.exe
description | ioc | process
File created | C:\Windows\CTS.exe | 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log | ngen.exe
File created | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat | ngen.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.lock | ngen.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log | ngen.exe
File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat | ngen.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.lock | ngen.exe
File created | C:\Windows\CTS.exe | CTS.exe
File created | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.lock | ngen.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log | ngen.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log | ngen.exe
File created | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.lock | ngen.exe
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: setup.exe
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | setup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | setup.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | setup.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes: setup.exe
pid | process
2812 | setup.exe
Suspicious use of AdjustPrivilegeToken 41 IoCs
Processes: 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe, CTS.exe, setup.exe, msiexec.exe
description | pid | process
Token: SeDebugPrivilege | 1996 | 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe
Token: SeDebugPrivilege | 2632 | CTS.exe
Token: SeRestorePrivilege | 2812 | setup.exe
Token: SeRestorePrivilege | 2812 | setup.exe
Token: SeRestorePrivilege | 2812 | setup.exe
Token: SeRestorePrivilege | 2812 | setup.exe
Token: SeRestorePrivilege | 2812 | setup.exe
Token: SeRestorePrivilege | 2812 | setup.exe
Token: SeRestorePrivilege | 2812 | setup.exe
Token: SeRestorePrivilege | 2488 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2488 | msiexec.exe
Token: SeSecurityPrivilege | 2488 | msiexec.exe
Token: SeCreateTokenPrivilege | 2812 | setup.exe
Token: SeAssignPrimaryTokenPrivilege | 2812 | setup.exe
Token: SeLockMemoryPrivilege | 2812 | setup.exe
Token: SeIncreaseQuotaPrivilege | 2812 | setup.exe
Token: SeMachineAccountPrivilege | 2812 | setup.exe
Token: SeTcbPrivilege | 2812 | setup.exe
Token: SeSecurityPrivilege | 2812 | setup.exe
Token: SeTakeOwnershipPrivilege | 2812 | setup.exe
Token: SeLoadDriverPrivilege | 2812 | setup.exe
Token: SeSystemProfilePrivilege | 2812 | setup.exe
Token: SeSystemtimePrivilege | 2812 | setup.exe
Token: SeProfSingleProcessPrivilege | 2812 | setup.exe
Token: SeIncBasePriorityPrivilege | 2812 | setup.exe
Token: SeCreatePagefilePrivilege | 2812 | setup.exe
Token: SeCreatePermanentPrivilege | 2812 | setup.exe
Token: SeBackupPrivilege | 2812 | setup.exe
Token: SeRestorePrivilege | 2812 | setup.exe
Token: SeShutdownPrivilege | 2812 | setup.exe
Token: SeDebugPrivilege | 2812 | setup.exe
Token: SeAuditPrivilege | 2812 | setup.exe
Token: SeSystemEnvironmentPrivilege | 2812 | setup.exe
Token: SeChangeNotifyPrivilege | 2812 | setup.exe
Token: SeRemoteShutdownPrivilege | 2812 | setup.exe
Token: SeUndockPrivilege | 2812 | setup.exe
Token: SeSyncAgentPrivilege | 2812 | setup.exe
Token: SeEnableDelegationPrivilege | 2812 | setup.exe
Token: SeManageVolumePrivilege | 2812 | setup.exe
Token: SeImpersonatePrivilege | 2812 | setup.exe
Token: SeCreateGlobalPrivilege | 2812 | setup.exe
Suspicious use of WriteProcessMemory 34 IoCs
Processes: 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe, tG9KFBVCktZrhQC.exe, setup.exe
description | pid | process | target process
PID 1996 wrote to memory of 1648 | 1996 | 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe | tG9KFBVCktZrhQC.exe
PID 1996 wrote to memory of 1648 | 1996 | 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe | tG9KFBVCktZrhQC.exe
PID 1996 wrote to memory of 1648 | 1996 | 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe | tG9KFBVCktZrhQC.exe
PID 1996 wrote to memory of 1648 | 1996 | 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe | tG9KFBVCktZrhQC.exe
PID 1996 wrote to memory of 1648 | 1996 | 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe | tG9KFBVCktZrhQC.exe
PID 1996 wrote to memory of 1648 | 1996 | 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe | tG9KFBVCktZrhQC.exe
PID 1996 wrote to memory of 1648 | 1996 | 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe | tG9KFBVCktZrhQC.exe
PID 1996 wrote to memory of 2632 | 1996 | 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe | CTS.exe
PID 1996 wrote to memory of 2632 | 1996 | 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe | CTS.exe
PID 1996 wrote to memory of 2632 | 1996 | 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe | CTS.exe
PID 1996 wrote to memory of 2632 | 1996 | 2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe | CTS.exe
PID 1648 wrote to memory of 2812 | 1648 | tG9KFBVCktZrhQC.exe | setup.exe
PID 1648 wrote to memory of 2812 | 1648 | tG9KFBVCktZrhQC.exe | setup.exe
PID 1648 wrote to memory of 2812 | 1648 | tG9KFBVCktZrhQC.exe | setup.exe
PID 1648 wrote to memory of 2812 | 1648 | tG9KFBVCktZrhQC.exe | setup.exe
PID 1648 wrote to memory of 2812 | 1648 | tG9KFBVCktZrhQC.exe | setup.exe
PID 1648 wrote to memory of 2812 | 1648 | tG9KFBVCktZrhQC.exe | setup.exe
PID 1648 wrote to memory of 2812 | 1648 | tG9KFBVCktZrhQC.exe | setup.exe
PID 2812 wrote to memory of 1636 | 2812 | setup.exe | ngen.exe
PID 2812 wrote to memory of 1636 | 2812 | setup.exe | ngen.exe
PID 2812 wrote to memory of 1636 | 2812 | setup.exe | ngen.exe
PID 2812 wrote to memory of 1636 | 2812 | setup.exe | ngen.exe
PID 2812 wrote to memory of 2852 | 2812 | setup.exe | ngen.exe
PID 2812 wrote to memory of 2852 | 2812 | setup.exe | ngen.exe
PID 2812 wrote to memory of 2852 | 2812 | setup.exe | ngen.exe
PID 2812 wrote to memory of 2852 | 2812 | setup.exe | ngen.exe
PID 2812 wrote to memory of 776 | 2812 | setup.exe | ngen.exe
PID 2812 wrote to memory of 776 | 2812 | setup.exe | ngen.exe
PID 2812 wrote to memory of 776 | 2812 | setup.exe | ngen.exe
PID 2812 wrote to memory of 776 | 2812 | setup.exe | ngen.exe
PID 2812 wrote to memory of 2420 | 2812 | setup.exe | ngen.exe
PID 2812 wrote to memory of 2420 | 2812 | setup.exe | ngen.exe
PID 2812 wrote to memory of 2420 | 2812 | setup.exe | ngen.exe
PID 2812 wrote to memory of 2420 | 2812 | setup.exe | ngen.exe
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-28_fa475fe091f7aeed7cbffd8b289ac0b5_bkransomware.exe"
  PID: 1996
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\tG9KFBVCktZrhQC.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\tG9KFBVCktZrhQC.exe
    PID: 1648
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    \??\c:\5057fdf5155b5801b1\setup.exe
      Command line: c:\5057fdf5155b5801b1\setup.exe /web
      PID: 2812
      - Executes dropped EXE
      - Loads dropped DLL
      - Enumerates connected drives
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe queue pause
        PID: 1636
        - Drops file in Windows directory

      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe queue pause
        PID: 2852
        - Drops file in Windows directory

      C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
        Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe queue continue
        PID: 776
        - Drops file in Windows directory

      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe
        Command line: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe queue continue
        PID: 2420
        - Drops file in Windows directory

  C:\Windows\CTS.exe
    Command line: "C:\Windows\CTS.exe"
    PID: 2632
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  PID: 2488
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads