06c5f02b44b17b8232fc78f9fd710b43ebe25a5d299cd5937e097c14b4eef5fd

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 15:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-27_5b46ad97bc9df1fa82dbf7df92eccf03_bkransomware.exe
Size

2.8MB
MD5

5b46ad97bc9df1fa82dbf7df92eccf03
SHA1

cc53c6c56cb0b4b568c82dfdf54a993532eb1b57
SHA256

06c5f02b44b17b8232fc78f9fd710b43ebe25a5d299cd5937e097c14b4eef5fd
SHA512

2a86d0f509a0f2ec860386c5d8febd7459556852178b39e747a8f54b492672c6434d131fc3fe81522a6ce7845d014c0de21f19eeee71abea326d93459989eb9b
SSDEEP

49152:D+t/9qoc8vA4gwzwvfsDs3nBm2d1RmRmLd7Rl8y8IIe4TxilGGerZa:D+19qovAiwvfFx1im7H8y8Ro0Za

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
1432	EfQdy9hTTrjmc0W.exe
2228	CTS.exe
2780	setup.exe

Loads dropped DLL 13 IoCs

pid	Process
2208	2024-06-27_5b46ad97bc9df1fa82dbf7df92eccf03_bkransomware.exe
1432	EfQdy9hTTrjmc0W.exe
2780	setup.exe
2780	setup.exe
2780	setup.exe
2780	setup.exe
2780	setup.exe
2780	setup.exe
2780	setup.exe
2780	setup.exe
2780	setup.exe
2780	setup.exe
2780	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	2024-06-27_5b46ad97bc9df1fa82dbf7df92eccf03_bkransomware.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\CTS = "C:\\Windows\\CTS.exe"	CTS.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	setup.exe
File opened (read-only)	\??\V:	setup.exe
File opened (read-only)	\??\A:	setup.exe
File opened (read-only)	\??\O:	setup.exe
File opened (read-only)	\??\P:	setup.exe
File opened (read-only)	\??\X:	setup.exe
File opened (read-only)	\??\K:	setup.exe
File opened (read-only)	\??\M:	setup.exe
File opened (read-only)	\??\T:	setup.exe
File opened (read-only)	\??\Y:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\E:	setup.exe
File opened (read-only)	\??\G:	setup.exe
File opened (read-only)	\??\I:	setup.exe
File opened (read-only)	\??\N:	setup.exe
File opened (read-only)	\??\Z:	setup.exe
File opened (read-only)	\??\H:	setup.exe
File opened (read-only)	\??\L:	setup.exe
File opened (read-only)	\??\Q:	setup.exe
File opened (read-only)	\??\R:	setup.exe
File opened (read-only)	\??\U:	setup.exe
File opened (read-only)	\??\W:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\B:	setup.exe
File opened (read-only)	\??\J:	setup.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File created	C:\Windows\CTS.exe	2024-06-27_5b46ad97bc9df1fa82dbf7df92eccf03_bkransomware.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.lock	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.lock	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.lock	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.lock	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log	ngen.exe
File created	C:\Windows\CTS.exe	CTS.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	ngen.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	setup.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2780	setup.exe

Suspicious use of AdjustPrivilegeToken 41 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	2024-06-27_5b46ad97bc9df1fa82dbf7df92eccf03_bkransomware.exe
Token: SeDebugPrivilege	2228	CTS.exe
Token: SeRestorePrivilege	2780	setup.exe
Token: SeRestorePrivilege	2780	setup.exe
Token: SeRestorePrivilege	2780	setup.exe
Token: SeRestorePrivilege	2780	setup.exe
Token: SeRestorePrivilege	2780	setup.exe
Token: SeRestorePrivilege	2780	setup.exe
Token: SeRestorePrivilege	2780	setup.exe
Token: SeRestorePrivilege	1668	msiexec.exe
Token: SeTakeOwnershipPrivilege	1668	msiexec.exe
Token: SeSecurityPrivilege	1668	msiexec.exe
Token: SeCreateTokenPrivilege	2780	setup.exe
Token: SeAssignPrimaryTokenPrivilege	2780	setup.exe
Token: SeLockMemoryPrivilege	2780	setup.exe
Token: SeIncreaseQuotaPrivilege	2780	setup.exe
Token: SeMachineAccountPrivilege	2780	setup.exe
Token: SeTcbPrivilege	2780	setup.exe
Token: SeSecurityPrivilege	2780	setup.exe
Token: SeTakeOwnershipPrivilege	2780	setup.exe
Token: SeLoadDriverPrivilege	2780	setup.exe
Token: SeSystemProfilePrivilege	2780	setup.exe
Token: SeSystemtimePrivilege	2780	setup.exe
Token: SeProfSingleProcessPrivilege	2780	setup.exe
Token: SeIncBasePriorityPrivilege	2780	setup.exe
Token: SeCreatePagefilePrivilege	2780	setup.exe
Token: SeCreatePermanentPrivilege	2780	setup.exe
Token: SeBackupPrivilege	2780	setup.exe
Token: SeRestorePrivilege	2780	setup.exe
Token: SeShutdownPrivilege	2780	setup.exe
Token: SeDebugPrivilege	2780	setup.exe
Token: SeAuditPrivilege	2780	setup.exe
Token: SeSystemEnvironmentPrivilege	2780	setup.exe
Token: SeChangeNotifyPrivilege	2780	setup.exe
Token: SeRemoteShutdownPrivilege	2780	setup.exe
Token: SeUndockPrivilege	2780	setup.exe
Token: SeSyncAgentPrivilege	2780	setup.exe
Token: SeEnableDelegationPrivilege	2780	setup.exe
Token: SeManageVolumePrivilege	2780	setup.exe
Token: SeImpersonatePrivilege	2780	setup.exe
Token: SeCreateGlobalPrivilege	2780	setup.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 1432	2208	2024-06-27_5b46ad97bc9df1fa82dbf7df92eccf03_bkransomware.exe	28
PID 2208 wrote to memory of 1432	2208	2024-06-27_5b46ad97bc9df1fa82dbf7df92eccf03_bkransomware.exe	28
PID 2208 wrote to memory of 1432	2208	2024-06-27_5b46ad97bc9df1fa82dbf7df92eccf03_bkransomware.exe	28
PID 2208 wrote to memory of 1432	2208	2024-06-27_5b46ad97bc9df1fa82dbf7df92eccf03_bkransomware.exe	28
PID 2208 wrote to memory of 1432	2208	2024-06-27_5b46ad97bc9df1fa82dbf7df92eccf03_bkransomware.exe	28
PID 2208 wrote to memory of 1432	2208	2024-06-27_5b46ad97bc9df1fa82dbf7df92eccf03_bkransomware.exe	28
PID 2208 wrote to memory of 1432	2208	2024-06-27_5b46ad97bc9df1fa82dbf7df92eccf03_bkransomware.exe	28
PID 2208 wrote to memory of 2228	2208	2024-06-27_5b46ad97bc9df1fa82dbf7df92eccf03_bkransomware.exe	29
PID 2208 wrote to memory of 2228	2208	2024-06-27_5b46ad97bc9df1fa82dbf7df92eccf03_bkransomware.exe	29
PID 2208 wrote to memory of 2228	2208	2024-06-27_5b46ad97bc9df1fa82dbf7df92eccf03_bkransomware.exe	29
PID 2208 wrote to memory of 2228	2208	2024-06-27_5b46ad97bc9df1fa82dbf7df92eccf03_bkransomware.exe	29
PID 1432 wrote to memory of 2780	1432	EfQdy9hTTrjmc0W.exe	30
PID 1432 wrote to memory of 2780	1432	EfQdy9hTTrjmc0W.exe	30
PID 1432 wrote to memory of 2780	1432	EfQdy9hTTrjmc0W.exe	30
PID 1432 wrote to memory of 2780	1432	EfQdy9hTTrjmc0W.exe	30
PID 1432 wrote to memory of 2780	1432	EfQdy9hTTrjmc0W.exe	30
PID 1432 wrote to memory of 2780	1432	EfQdy9hTTrjmc0W.exe	30
PID 1432 wrote to memory of 2780	1432	EfQdy9hTTrjmc0W.exe	30
PID 2780 wrote to memory of 1808	2780	setup.exe	31
PID 2780 wrote to memory of 1808	2780	setup.exe	31
PID 2780 wrote to memory of 1808	2780	setup.exe	31
PID 2780 wrote to memory of 1808	2780	setup.exe	31
PID 2780 wrote to memory of 948	2780	setup.exe	33
PID 2780 wrote to memory of 948	2780	setup.exe	33
PID 2780 wrote to memory of 948	2780	setup.exe	33
PID 2780 wrote to memory of 948	2780	setup.exe	33
PID 2780 wrote to memory of 2004	2780	setup.exe	36
PID 2780 wrote to memory of 2004	2780	setup.exe	36
PID 2780 wrote to memory of 2004	2780	setup.exe	36
PID 2780 wrote to memory of 2004	2780	setup.exe	36
PID 2780 wrote to memory of 2704	2780	setup.exe	38
PID 2780 wrote to memory of 2704	2780	setup.exe	38
PID 2780 wrote to memory of 2704	2780	setup.exe	38
PID 2780 wrote to memory of 2704	2780	setup.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-06-27_5b46ad97bc9df1fa82dbf7df92eccf03_bkransomware.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-27_5b46ad97bc9df1fa82dbf7df92eccf03_bkransomware.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Users\Admin\AppData\Local\Temp\EfQdy9hTTrjmc0W.exe
  C:\Users\Admin\AppData\Local\Temp\EfQdy9hTTrjmc0W.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1432
- - \??\c:\97ff2aa0ed3b63973268b291d9a9bb9d\setup.exe
    c:\97ff2aa0ed3b63973268b291d9a9bb9d\setup.exe /web
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe queue pause
      4⤵
      Drops file in Windows directory
      PID:1808
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe queue pause
      4⤵
      Drops file in Windows directory
      PID:948
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe queue continue
      4⤵
      Drops file in Windows directory
      PID:2004
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe queue continue
      4⤵
      Drops file in Windows directory
      PID:2704
- C:\Windows\CTS.exe
  "C:\Windows\CTS.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  PID:2228

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\97ff2aa0ed3b63973268b291d9a9bb9d\locdata.1055.ini

Filesize
15KB

MD5
afcdf8d8c96f5c695254e2e620f8d410

SHA1
fe785b77e4d5a2f283fe9ecc0606d081e99552a1

SHA256
370ff239e143b83ad4440ffaacc05b3750ea1fd3858ec8f1e6e208d3a72bfefe

SHA512
664000953fa8aca3fca23ee41b7387ca40e68b772e252bba8974bc21df2137fc188a9c22112d593ba83b26653710d8f81845111944e05d5dc0b15c3a541b6d4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_depcheck_NETFX_EXP_35.txt

Filesize
4KB

MD5
54b0d5aec26df541762d873c63360b52

SHA1
35f1f80f87cb623b4f1b5d1d78d9a27aef70d6cd

SHA256
245d935e63e5102e4301d92954bd5d317955dc9e875a4da19cdb0a12f0d31f15

SHA512
0daa9dbadc50bc265dc5b1b33aac44e27d5e42491877fa0b4e4ea9b7ae024618fbbfc54881064c2aa611a82fbc81ab6e416b6f9d12f756bc8bed046241c87ede

Download Submit
C:\Windows\CTS.exe

Filesize
71KB

MD5
66df4ffab62e674af2e75b163563fc0b

SHA1
dec8a197312e41eeb3cfef01cb2a443f0205cd6e

SHA256
075a6eecd8da1795532318f9cf880efe42461f9464d63f74deb271d33110f163

SHA512
1588dd78e6e8972013c40cdb6acfb84c8df7b081197233ce621904b645356c805d0424bb93dd46c55834dc47d9ff39ee1323cf8e670841b3fff24ab98ba87f25

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log

Filesize
306KB

MD5
cc07715b59c642a0754bbc2c2ff9978e

SHA1
b76847a4e57a5354e58ea8b303d3ac8db11f3ba0

SHA256
af1ac07457f698e274ffc7e6a4dcea88972c2a07d337aaa17f83c47cec49ea09

SHA512
add6aa74f344b0e16bd44d8c13481782b10f6410cca4187a199a5066505ba4dd6076d4ed0d0e60c0b1531ce862a1680ac211eb7cdd23993a04d33789a885e648

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log

Filesize
307KB

MD5
0563352d13e3ce3d3d6aa98777ccef99

SHA1
35a8f1654223925ca30a8680ca18218be98be7c3

SHA256
a108a7f72085434483a665120e9015dddaeed41b4759cd88cb8d32ab86c9a8c7

SHA512
ad9701d0504abb48c1734875585decdd80105b7ad2d274220c213d950f6b7361174be3c9082685f432fe8ee9e20c624caee1b64d647d97ffd2191ba0988f0d97

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log

Filesize
257KB

MD5
e19ec45130abbe6dea685a2d0d653284

SHA1
bc48b9373aeda2641f1cc537e4d6f3d66eabdd0b

SHA256
e52d6944fcf978747bc3bfbf44995581a48264d61fd8703bcb82b32b93d65c59

SHA512
ceb35a3ad22ae29ad38ffb0dbdc95cadc9e9d2dd7f5f0d8b68eb38d870d04e54c53c5995556f2a50ce3342b4f5ccf8276699e9dd010697402b1e54698d678d70

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log

Filesize
257KB

MD5
c5947dec780ba36cb874a027f63481b5

SHA1
2756aa4388fcc6b821a89f685928a233c47fd1e6

SHA256
0a766616a907a1f2f39b0c563ce6aa34d3a11159b86ad97314a78dc95088b132

SHA512
7801a5f48f14a9fe1a027b3e0f5ce5bfc125afe16ebdd8cb9d93115a35117799dbb636d14aede4a1e7b5a5e87c1b3efb14a9bd4617512fbb99062c0aa2851073

Download Submit
\97ff2aa0ed3b63973268b291d9a9bb9d\WapRes.dll

Filesize
104KB

MD5
e8824670433ad8593af150b2eb6913d1

SHA1
03e9ab11c1f7bc1b20309da2eef3ae52ce7be90f

SHA256
f8cb2735a2789d8e6b4cd1c7391ed8923466afd274490773e208d502132d1072

SHA512
8cdd6ed3b7fde72c148f8f5f0a795a796ec0d3c0c863d4c8f2cbdfb70443728eb975c1cf683f8e9dcd6079619c0c4e36f97bc56d348ad8b061390f9749faf95a

Download Submit
\97ff2aa0ed3b63973268b291d9a9bb9d\setup.exe

Filesize
262KB

MD5
f9eef088eced778bd54b716b0459fa8d

SHA1
4e371fdea1258f508a956b9a7dd58e3aee9a67a4

SHA256
ff2be9643a7df7241768e7e439524d11618f2b8a8fbe47f2e94d6453b0e04dae

SHA512
7309817a3fc29892f2ce87db63b58b1c95e03bad3cfb7a987d543861ddc2766d83f3b3d6bb4bb2af8b3c3f7fa270e527d92c9ca661ff6b7fd9ff1d5658e73133

Download Submit
\??\c:\97ff2aa0ed3b63973268b291d9a9bb9d\DefFactory.dat

Filesize
784B

MD5
b4d60c4744eaead8f042b06a71a89e15

SHA1
9ff4fe9922ba4306cbf7a7dbffca3d7c0be81aae

SHA256
8de5a4fab48b4afaadb3b3226f26b7c8c7e202e114181aea7861352484e730c4

SHA512
58e6684c3fb9c84d7ef0ae39247667a04aa9b0da32d1507ab80fc0582447590bf728e6324e8e34680bfbba9ebe1a995ed0fe3e9e161c182dd53b271fcd56a4f7

Download Submit
\??\c:\97ff2aa0ed3b63973268b291d9a9bb9d\HtmlLite.dll

Filesize
173KB

MD5
1427f0ee7ff3ca5339f54a2b2480dfaf

SHA1
f14f4beb3131b925dd958d83f5f22a53a29bd2cf

SHA256
b238e8c647d2980ed5e965f484e8adadcb20832719735dd94472cfad2a27d9b6

SHA512
fa8b87c3fbcc02a5c7ea18968a11b815bbf87f8cf58c766366cc6fcb80206dbf5dfa36880fe8cb17092aefcb51513dae39ed6a806f46d0055979e9ffb64e02e6

Download Submit
\??\c:\97ff2aa0ed3b63973268b291d9a9bb9d\baseline.dat

Filesize
205KB

MD5
814af5d4e24f23eb2c93145f8469d8e3

SHA1
fb2f66f333b8f5ea727e70ad15e4d44ff66bec8c

SHA256
e27661f825eb319c845e48b19f5a60a19eb1985b377e2ef613409880a5b7d242

SHA512
580fd779e53fac57a29032211c3bbd7632407e4f0dac99f6cfca4e8a035e64ed9671623f4ddecbb56f3a31682ce55d392262c421d18a857b6bd2725280814cac

Download Submit
\??\c:\97ff2aa0ed3b63973268b291d9a9bb9d\dlmgr.dll

Filesize
269KB

MD5
a309fe305d44711d62f03c8bae580e40

SHA1
27e3d98b556ec41ead00568b5c58a35c8e226228

SHA256
8d41eb260b66521b7789e7ca3cd98296b6cd309e2ca86959ceaa3a87892527ee

SHA512
bdf1f674e0a1b7d192cf8001b75b301b440c1f547c2de36a33f4065f0be6a24c5f5f4fc6bc4c4693c622f5cc042263e4cfecc73394f3da81365a53d6b6491a68

Download Submit
\??\c:\97ff2aa0ed3b63973268b291d9a9bb9d\gencomp.dll

Filesize
1.0MB

MD5
7701205cb985edbae0c1d283604e04a4

SHA1
2462782694a693fa1de5a0cfd32dcf66ffecfef8

SHA256
4532624fd6b585c519dea8e3023a68a0b2adfa801712ca616d411078e7f4d541

SHA512
6d11be23ba7f6f4009c41cd08e78dbb80ce2d5393ac754d5380be12a12c8c2d385ee891a651c608d1eb1cd46932c8c10f8cdddbfb051a62b532a51b0bdd51864

Download Submit
\??\c:\97ff2aa0ed3b63973268b291d9a9bb9d\logo.bmp

Filesize
5KB

MD5
27d1fb0f5ffab86ee4c906b67f7e3c29

SHA1
6f984c1e49ecfd5c3b9916c2e4b434fb8bf6103e

SHA256
0d6e46ff07901cc9d82e8fd76f8477474c3f440bf2e43ee5cea859c0095962a2

SHA512
db1d703f0bf9630404f64de54fc16447dbe993b61d2978e757a6676c1ad26c3f738c1cab7d269337f314dff917183f9330d57e4becbd69dbcc3daeada4ccfa9f

Download Submit
\??\c:\97ff2aa0ed3b63973268b291d9a9bb9d\setup.sdb

Filesize
71KB

MD5
7a94ef3b998e1098d2f4f7c66569bb9f

SHA1
5859e1ceff415a3613cee75f6b93dffa085ef83d

SHA256
95d71e04f822cdc59cc7bc449401f6e0c378f0ed7352ae83f5db30ee2d724639

SHA512
40d3d4b8930fd2d218c569be742c8640504369e66a43ec507d4c0d90e0fc61a45a58e5c96c4c5dc33b15cb2f632eae9dc796fb893c1cbd342fe9aa6e9fcfcd8e

Download Submit
\??\c:\97ff2aa0ed3b63973268b291d9a9bb9d\setupres.dll

Filesize
107KB

MD5
96d6e171f743a7c9222e2bc524e48a52

SHA1
ef1780adad57493058312967f720de1946d85a29

SHA256
73faae5003cf24b7b399d46d42babd754e132112e3bac9c1249a1310a25d1c6b

SHA512
4aaceb25276f5cb0c214e2141714d3044b01aad90289305bb3e211ecc53bd0cfdd41d73649bc2a31f017b04b95a69863bb3abb604f7d7bb7712c5e0a3ca36357

Download Submit
\??\c:\97ff2aa0ed3b63973268b291d9a9bb9d\sitsetup.dll

Filesize
1.3MB

MD5
70d42b96463300dcf804e18f2f1f9db1

SHA1
670e74d08090f78e63f056fa814aeb6d3c56e620

SHA256
63492edb2927fb8dea57580a55901f805c4d61e10d7f097b61f0b9dbf03aedbb

SHA512
b911562185e439306e04d96b3903005ca16d6506f4a8f1fa0a4e7923eec7486a3a722e093c372553a0b12c58ce133b3acdf54deae1828ef0b9c3bfe8279d5474

Download Submit
\??\c:\97ff2aa0ed3b63973268b291d9a9bb9d\vs70uimgr.dll

Filesize
613KB

MD5
cd272480b9a40c1743791e8618fb5541

SHA1
ef1126e163b14563780ce3250408572c6966878c

SHA256
c5b6d65a9667aa1231c66d72ff86fba55e50ba7f4e279cf3f267e03d90d616a0

SHA512
6ecffe64826d0c3e88a2d78486800cf526891551d0edfca1e89c9f1a65d28ebc4bbe42ea141208c09ebfc7967fb1c0271bb7fc6562f17aa298518798caaaaac8

Download Submit
\??\c:\97ff2aa0ed3b63973268b291d9a9bb9d\vs_setup.dll

Filesize
1021KB

MD5
ea4594bfc4df5a6f16dd79ea27b93a70

SHA1
80b492ad344f775001d08b2023c51f5199a724b9

SHA256
25b52ec5e47ec8dd0719bdc4961c926d32bb5ac1e0fc71a9d8cb5ab835da6ab1

SHA512
f3f410039fb21149f40bc2d06e2734ef349a9a993537165e551ea8dd0c011386fe75ecaf4b1c7336e76eb50a6f7c36600284798a460f1d0a8783c00daecc7d2c

Download Submit
\??\c:\97ff2aa0ed3b63973268b291d9a9bb9d\vs_setup.ms_

Filesize
603KB

MD5
8f479f91a12d4e48ecaaaa478aab1042

SHA1
ee42220275f4e82986f36d4f144fc891b07008c9

SHA256
b051bc37cc923fd3928a4d95ae4478d7b83f719625100ac950c6462a004399a5

SHA512
39d01f80f8fbd8d83baac76179f2d6c56206f7c29d692f89c51a8e1e9ff241a3bf6c30c5a37242e9cf7abb227edc75d695cab89bb9be845b39ce2f91aa916186

Download Submit
\??\c:\97ff2aa0ed3b63973268b291d9a9bb9d\vs_setup.pdi

Filesize
20KB

MD5
7b8966dffd15fa01d5bbdd7b312b526b

SHA1
cbfd752a07b35571917820b63a7799bf6755b5d4

SHA256
30ced1ffe473aa41d6968901f6a92dbe7d3f5e60a4ab5d5c82994e14b26dee91

SHA512
e11b4ac10aebd0cb9ec60cbd0fc14b52b99aefd154ca16cc7f49787c0e0954121e9bfd6a9e0cb4ab4a0a1868ca24db8a45ca6cf4b4e6c57a361d79cb352d6cd7

Download Submit
\??\c:\97ff2aa0ed3b63973268b291d9a9bb9d\vsbasereqs.dll

Filesize
401KB

MD5
057549953160d1e3e54c14263faf885d

SHA1
d3d73df0a71de5bab88932f08344ef91c7653ef4

SHA256
fc5f4e4f12e3baf632a267979da96955412caa63391f1d8137332672ba35cb46

SHA512
53116ad0019ea6bc8385acf3b6eb1a398e926abb4b76462771edc4e95612a527eaab42a6d4eff7d83ed562cc6a3b922a168c17525338ad560aefe7330185f381

Download Submit
\??\c:\97ff2aa0ed3b63973268b291d9a9bb9d\vsscenario.dll

Filesize
671KB

MD5
9b44d9e919f2f89365fb197bbd505400

SHA1
cd7484c2564d6f2d5baea8b5408af7715d9a3f49

SHA256
ed27270ea89f0a1cfda7f6e100204ebec0641bb41cafca5a287db81e69cdc120

SHA512
7cf04eb0ca2613648e21476da133716eddb6b53ba29b4dfd461a8b40295e4b928b8a57f4fc2cca4199e31eb88daf4a1899fe017afd5bfe1eddc0793119f9d517

Download Submit
\??\c:\97ff2aa0ed3b63973268b291d9a9bb9d\wapui.dll

Filesize
958KB

MD5
362a5e06b9aff6d147e491c13b0c3b60

SHA1
c96c759c956a631413717be23d1acae76c252b89

SHA256
df6ee489eba67f24812576dcd1e717029cbf80beed5c623742f7f4fa59928352

SHA512
334a729948e63a35f173a8fccac525efdb2676d174097cf0bac92267c9ef5a95ffb4b9f157c8d0b0f0a31952292a08a1a87d91d6d199ad76c7523685ec348942

Download Submit
\Users\Admin\AppData\Local\Temp\EfQdy9hTTrjmc0W.exe

Filesize
2.7MB

MD5
269f314b87e6222a20e5f745b6b89783

SHA1
b0ca05c12ebb9a3610206bad7f219e02b7873cbd

SHA256
c05a019ce69c2e6973e464f381c2b0b618ad9b135ca5275b052febf64c9f9257

SHA512
34c574c78315cb83aac1b763a4f26f978d6c80d8e5bd61b601d16fdce2bccc109f8b46f03fb938a2ff2b9acb4793313f75b15539006e72b827ff7673507e5beb

Download Submit
memory/2780-144-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download