74e5e3f697d9ab2d813a7c2ba9b2e9e91956ad91af45feb6c98851946e3b096c

Analysis

max time kernel
120s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 01:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41ccd38905ec14102b3f1863e008c220N.exe
Size

2.9MB
MD5

41ccd38905ec14102b3f1863e008c220
SHA1

000abd1db229ecb30559aba3d34dc012cb680af1
SHA256

74e5e3f697d9ab2d813a7c2ba9b2e9e91956ad91af45feb6c98851946e3b096c
SHA512

bc2c3b8b99329b61b82a0622227cc9912bb0b34e129569307536f3e9423af096a593fa310148e8ab2bf832176fb95a8aa3225bed3a3e5e4ccc3b3e97cc254eea
SSDEEP

49152:tGQ1IXUtz3UXyYAtehSSJEWFU3P5F06520twrKf5gRV6Cs7esM7ELNgZkuudpvXr:wl8zkXyPterEf7520KrjYCsY0geuubXr

Score

10^/10

evasion persistence

Malware Config

Signatures

Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	svchost.exe

Executes dropped EXE 7 IoCs

pid	Process
4488	41ccd38905ec14102b3f1863e008c220n.exe
2460	setup.exe
900	icsys.icn.exe
4212	explorer.exe
4408	spoolsv.exe
3752	svchost.exe
1860	spoolsv.exe

Loads dropped DLL 13 IoCs

pid	Process
2460	setup.exe
2460	setup.exe
2460	setup.exe
2460	setup.exe
2460	setup.exe
2460	setup.exe
2460	setup.exe
2460	setup.exe
2460	setup.exe
2460	setup.exe
2460	setup.exe
2460	setup.exe
2460	setup.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO"	svchost.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	setup.exe
File opened (read-only)	\??\Z:	setup.exe
File opened (read-only)	\??\B:	setup.exe
File opened (read-only)	\??\L:	setup.exe
File opened (read-only)	\??\R:	setup.exe
File opened (read-only)	\??\W:	setup.exe
File opened (read-only)	\??\A:	setup.exe
File opened (read-only)	\??\E:	setup.exe
File opened (read-only)	\??\S:	setup.exe
File opened (read-only)	\??\D:	setup.exe
File opened (read-only)	\??\G:	setup.exe
File opened (read-only)	\??\J:	setup.exe
File opened (read-only)	\??\X:	setup.exe
File opened (read-only)	\??\Y:	setup.exe
File opened (read-only)	\??\F:	setup.exe
File opened (read-only)	\??\M:	setup.exe
File opened (read-only)	\??\N:	setup.exe
File opened (read-only)	\??\O:	setup.exe
File opened (read-only)	\??\U:	setup.exe
File opened (read-only)	\??\V:	setup.exe
File opened (read-only)	\??\I:	setup.exe
File opened (read-only)	\??\Q:	setup.exe
File opened (read-only)	\??\T:	setup.exe
File opened (read-only)	\??\K:	setup.exe
File opened (read-only)	\??\P:	setup.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\explorer.exe	explorer.exe
File opened for modification	C:\Windows\SysWOW64\explorer.exe	svchost.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.lock	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.lock	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	ngen.exe
File opened for modification	\??\c:\windows\resources\spoolsv.exe	explorer.exe
File opened for modification	C:\Windows\Resources\tjud.exe	explorer.exe
File opened for modification	\??\c:\windows\resources\themes\explorer.exe	icsys.icn.exe
File opened for modification	\??\c:\windows\resources\svchost.exe	spoolsv.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	41ccd38905ec14102b3f1863e008c220N.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.lock	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.lock	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log	ngen.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	setup.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
2460	setup.exe
2460	setup.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe
900	icsys.icn.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4212	explorer.exe
3752	svchost.exe

Suspicious use of AdjustPrivilegeToken 30 IoCs

description	pid	Process
Token: SeSecurityPrivilege	712	msiexec.exe
Token: SeCreateTokenPrivilege	2460	setup.exe
Token: SeAssignPrimaryTokenPrivilege	2460	setup.exe
Token: SeLockMemoryPrivilege	2460	setup.exe
Token: SeIncreaseQuotaPrivilege	2460	setup.exe
Token: SeMachineAccountPrivilege	2460	setup.exe
Token: SeTcbPrivilege	2460	setup.exe
Token: SeSecurityPrivilege	2460	setup.exe
Token: SeTakeOwnershipPrivilege	2460	setup.exe
Token: SeLoadDriverPrivilege	2460	setup.exe
Token: SeSystemProfilePrivilege	2460	setup.exe
Token: SeSystemtimePrivilege	2460	setup.exe
Token: SeProfSingleProcessPrivilege	2460	setup.exe
Token: SeIncBasePriorityPrivilege	2460	setup.exe
Token: SeCreatePagefilePrivilege	2460	setup.exe
Token: SeCreatePermanentPrivilege	2460	setup.exe
Token: SeBackupPrivilege	2460	setup.exe
Token: SeRestorePrivilege	2460	setup.exe
Token: SeShutdownPrivilege	2460	setup.exe
Token: SeDebugPrivilege	2460	setup.exe
Token: SeAuditPrivilege	2460	setup.exe
Token: SeSystemEnvironmentPrivilege	2460	setup.exe
Token: SeChangeNotifyPrivilege	2460	setup.exe
Token: SeRemoteShutdownPrivilege	2460	setup.exe
Token: SeUndockPrivilege	2460	setup.exe
Token: SeSyncAgentPrivilege	2460	setup.exe
Token: SeEnableDelegationPrivilege	2460	setup.exe
Token: SeManageVolumePrivilege	2460	setup.exe
Token: SeImpersonatePrivilege	2460	setup.exe
Token: SeCreateGlobalPrivilege	2460	setup.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
4000	41ccd38905ec14102b3f1863e008c220N.exe
4000	41ccd38905ec14102b3f1863e008c220N.exe
900	icsys.icn.exe
900	icsys.icn.exe
4212	explorer.exe
4212	explorer.exe
4408	spoolsv.exe
4408	spoolsv.exe
3752	svchost.exe
3752	svchost.exe
1860	spoolsv.exe
1860	spoolsv.exe

Suspicious use of WriteProcessMemory 31 IoCs

description	pid	Process	procid_target
PID 4000 wrote to memory of 4488	4000	41ccd38905ec14102b3f1863e008c220N.exe	84
PID 4000 wrote to memory of 4488	4000	41ccd38905ec14102b3f1863e008c220N.exe	84
PID 4000 wrote to memory of 4488	4000	41ccd38905ec14102b3f1863e008c220N.exe	84
PID 4488 wrote to memory of 2460	4488	41ccd38905ec14102b3f1863e008c220n.exe	87
PID 4488 wrote to memory of 2460	4488	41ccd38905ec14102b3f1863e008c220n.exe	87
PID 4488 wrote to memory of 2460	4488	41ccd38905ec14102b3f1863e008c220n.exe	87
PID 2460 wrote to memory of 4672	2460	setup.exe	89
PID 2460 wrote to memory of 4672	2460	setup.exe	89
PID 2460 wrote to memory of 4672	2460	setup.exe	89
PID 2460 wrote to memory of 3244	2460	setup.exe	91
PID 2460 wrote to memory of 3244	2460	setup.exe	91
PID 2460 wrote to memory of 1828	2460	setup.exe	102
PID 2460 wrote to memory of 1828	2460	setup.exe	102
PID 2460 wrote to memory of 1828	2460	setup.exe	102
PID 2460 wrote to memory of 1588	2460	setup.exe	104
PID 2460 wrote to memory of 1588	2460	setup.exe	104
PID 4000 wrote to memory of 900	4000	41ccd38905ec14102b3f1863e008c220N.exe	106
PID 4000 wrote to memory of 900	4000	41ccd38905ec14102b3f1863e008c220N.exe	106
PID 4000 wrote to memory of 900	4000	41ccd38905ec14102b3f1863e008c220N.exe	106
PID 900 wrote to memory of 4212	900	icsys.icn.exe	107
PID 900 wrote to memory of 4212	900	icsys.icn.exe	107
PID 900 wrote to memory of 4212	900	icsys.icn.exe	107
PID 4212 wrote to memory of 4408	4212	explorer.exe	108
PID 4212 wrote to memory of 4408	4212	explorer.exe	108
PID 4212 wrote to memory of 4408	4212	explorer.exe	108
PID 4408 wrote to memory of 3752	4408	spoolsv.exe	109
PID 4408 wrote to memory of 3752	4408	spoolsv.exe	109
PID 4408 wrote to memory of 3752	4408	spoolsv.exe	109
PID 3752 wrote to memory of 1860	3752	svchost.exe	110
PID 3752 wrote to memory of 1860	3752	svchost.exe	110
PID 3752 wrote to memory of 1860	3752	svchost.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\41ccd38905ec14102b3f1863e008c220N.exe
"C:\Users\Admin\AppData\Local\Temp\41ccd38905ec14102b3f1863e008c220N.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4000
- \??\c:\users\admin\appdata\local\temp\41ccd38905ec14102b3f1863e008c220n.exe
  c:\users\admin\appdata\local\temp\41ccd38905ec14102b3f1863e008c220n.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4488
- - \??\c:\5e46ab26b24b6490b4bfbc33fe29ff\setup.exe
    c:\5e46ab26b24b6490b4bfbc33fe29ff\setup.exe /web
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Enumerates connected drives
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2460
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe queue pause
      4⤵
      Drops file in Windows directory
      PID:4672
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe queue pause
      4⤵
      Drops file in Windows directory
      PID:3244
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
      C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe queue continue
      4⤵
      Drops file in Windows directory
      PID:1828
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe queue continue
      4⤵
      Drops file in Windows directory
      PID:1588
- C:\Windows\Resources\Themes\icsys.icn.exe
  C:\Windows\Resources\Themes\icsys.icn.exe
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:900
- - \??\c:\windows\resources\themes\explorer.exe
    c:\windows\resources\themes\explorer.exe
    3⤵
    - Modifies visiblity of hidden/system files in Explorer
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - Drops file in Windows directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - \??\c:\windows\resources\spoolsv.exe
      c:\windows\resources\spoolsv.exe SE
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4408
    - - \??\c:\windows\resources\svchost.exe
        
        c:\windows\resources\svchost.exe
        5⤵
        Modifies visiblity of hidden/system files in Explorer
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:3752
      - \??\c:\windows\resources\spoolsv.exe
        
        c:\windows\resources\spoolsv.exe PR
        6⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1860

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\5e46ab26b24b6490b4bfbc33fe29ff\gencomp.dll

Filesize
1.0MB

MD5
7701205cb985edbae0c1d283604e04a4

SHA1
2462782694a693fa1de5a0cfd32dcf66ffecfef8

SHA256
4532624fd6b585c519dea8e3023a68a0b2adfa801712ca616d411078e7f4d541

SHA512
6d11be23ba7f6f4009c41cd08e78dbb80ce2d5393ac754d5380be12a12c8c2d385ee891a651c608d1eb1cd46932c8c10f8cdddbfb051a62b532a51b0bdd51864

Download Submit
C:\5e46ab26b24b6490b4bfbc33fe29ff\locdata.1055.ini

Filesize
15KB

MD5
afcdf8d8c96f5c695254e2e620f8d410

SHA1
fe785b77e4d5a2f283fe9ecc0606d081e99552a1

SHA256
370ff239e143b83ad4440ffaacc05b3750ea1fd3858ec8f1e6e208d3a72bfefe

SHA512
664000953fa8aca3fca23ee41b7387ca40e68b772e252bba8974bc21df2137fc188a9c22112d593ba83b26653710d8f81845111944e05d5dc0b15c3a541b6d4d

Download Submit
C:\5e46ab26b24b6490b4bfbc33fe29ff\setup.exe

Filesize
262KB

MD5
f9eef088eced778bd54b716b0459fa8d

SHA1
4e371fdea1258f508a956b9a7dd58e3aee9a67a4

SHA256
ff2be9643a7df7241768e7e439524d11618f2b8a8fbe47f2e94d6453b0e04dae

SHA512
7309817a3fc29892f2ce87db63b58b1c95e03bad3cfb7a987d543861ddc2766d83f3b3d6bb4bb2af8b3c3f7fa270e527d92c9ca661ff6b7fd9ff1d5658e73133

Download Submit
C:\5e46ab26b24b6490b4bfbc33fe29ff\setupres.dll

Filesize
107KB

MD5
96d6e171f743a7c9222e2bc524e48a52

SHA1
ef1780adad57493058312967f720de1946d85a29

SHA256
73faae5003cf24b7b399d46d42babd754e132112e3bac9c1249a1310a25d1c6b

SHA512
4aaceb25276f5cb0c214e2141714d3044b01aad90289305bb3e211ecc53bd0cfdd41d73649bc2a31f017b04b95a69863bb3abb604f7d7bb7712c5e0a3ca36357

Download Submit
C:\5e46ab26b24b6490b4bfbc33fe29ff\vsbasereqs.dll

Filesize
401KB

MD5
057549953160d1e3e54c14263faf885d

SHA1
d3d73df0a71de5bab88932f08344ef91c7653ef4

SHA256
fc5f4e4f12e3baf632a267979da96955412caa63391f1d8137332672ba35cb46

SHA512
53116ad0019ea6bc8385acf3b6eb1a398e926abb4b76462771edc4e95612a527eaab42a6d4eff7d83ed562cc6a3b922a168c17525338ad560aefe7330185f381

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_depcheck_NETFX_EXP_35.txt

Filesize
762B

MD5
d37c7394a45cc97145f2d8f367e85d8f

SHA1
7623ec6055b75cf618859230a405852386f8678d

SHA256
1f4910fad3c9fb155c8a981d69491e63803a6575bc153d19dc67b452f354acb4

SHA512
dcdd643b7e4d5883e74bb6911e7e138f3d233aca836b2e7b5401103e114af2b47cde1c4bafae01f289f222cdaa7724e579d3aa0db38799d94ffccf6be5442a02

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_depcheck_NETFX_EXP_35.txt

Filesize
2KB

MD5
3bac0d5e7fdd31120b05b5f4d322055d

SHA1
89563b7e1028f6eede422d2b2428d37dee5fa44e

SHA256
1bcd508b6637bd470f962a4198e658c9a2a912dfdcad6c07f7f71adfe33534c8

SHA512
d5fbe0b4961a3239a52788d65264a732d01e8d417a3a8c3521bbf0e1e99b5d161acc28abd515a1046949907448404527ea5bda38366a0c8f647c267a52ca8d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_depcheck_NETFX_EXP_35.txt

Filesize
2KB

MD5
746c239e11538a00eceba4e84ac34984

SHA1
de7f14bb52bf51d2c36fbeae938280eb441d4170

SHA256
96d21c908d690587e7ea6db1049119946e445edb3b8dfa61cc1ef23e82c76d7b

SHA512
7153d06640e8fa40c6bf667973908ba89596ac599abeb963cefd45058e7fe03f6885e0ca926b321a7264864c02f24f27a87808262b6a44733f9b3dd1415f8af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_depcheck_NETFX_EXP_35.txt

Filesize
2KB

MD5
21b873f207b864f53a96c2b6093eb334

SHA1
0f79f382eec446ad620951b0ca888f2fd6fe03e1

SHA256
f7e3b5318cfefca2f90ab83a1070ac77fe37f64aae1323c32c7aa7e2b642ebf3

SHA512
07d5e93312398501afa168504d0dd226eb7ef5aab9a119f6cd70461ab08a7dae02b18bdc7bc763553760921df216500381d73597127d224de0ef96fe1d5005b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_depcheck_NETFX_EXP_35.txt

Filesize
4KB

MD5
55796cf3746a8f81bba4206a431cf200

SHA1
a832396c9d956282547c0dcea563fbad53d8a930

SHA256
95adb7233e182de7138e0cdc519c963a6ac675e9d11ecaf50d2c5ab23db379a1

SHA512
d834fbb7863dbf26f1e54ec233b7c0873044b07dd65077765d22a6e6294c73f4d7405089fd2dad5b1580c5b23d7da90b39f3c084e42bf669ad8fa3019438be6a

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log

Filesize
75KB

MD5
b629209ca41411424269a5ec6d632550

SHA1
ba46c79f9173e390a7278718fea9d5be1987cf84

SHA256
447015bdbda89477acee6bb18e3843f5dce4b8f4606cd0a40088224310e10f3d

SHA512
ac5c181c1a2b30cc74ba75d76156f21dc53f3e44f0c8634ae79b93ebef6bdb0888db81632bf5594993d05fcad143ac92f244afb9dbfc820e9464ab24384ac299

Download Submit
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log

Filesize
75KB

MD5
ccffcf9c20d5eb98e486db1e152a7363

SHA1
bab76168bbd43309aae733f984feeb128ea4d087

SHA256
b8e95693c26e285c52c088ce86747e136e918b4cdc87cfde9fa3953931da442d

SHA512
a14cf68885ae6908ab305334f0e2c52288c3698d34faae746cbbae963a7fb0ed6cd1071ea5760d95cc298242ee5115c6af46a6d39b771de540b90dc57d51b4bf

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log

Filesize
43KB

MD5
88cf0ff18ec4d3d5becc37dea5c72edf

SHA1
3f89614ebf16450e77d43aa5bee69ffdf4e32916

SHA256
c5adee6bf41dffa5bc01886bae868674b7d03911db56ebd50f6cfe5e2de9feff

SHA512
99bda7120d82b70e94714e610fffec7e984c48e2dffa8df03973625c8f438a17ba486138860381094fe7e0f65ac4f612b088c57e13541dcd563e0785f0cc9239

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log

Filesize
43KB

MD5
6906557bbc9d2f8c1bfed83b3b0d55c7

SHA1
8a204a1f16e1b47a1d2998692da19252c8161c19

SHA256
003164b743c02435a39bdbf51efd5d5bb930cc2b1e58a068208a309c8d49bb6d

SHA512
9308b451c5ade6c14fc08153e6ba5359c8851bc4322752ca69456655cb0bb520134432be917c7cfd14d99e5749830bb0ae2e53f2d8c26905c62c83f23e68ae03

Download Submit
C:\Windows\Resources\Themes\explorer.exe

Filesize
135KB

MD5
c52a89133ddb93ef49b5f83dca3f00c0

SHA1
74156bad89495540a2da891800365e23662de3e4

SHA256
61d65b98880e4f0030ee0317e37d6089f00f034cd34aaff594ad5c67d0521838

SHA512
e6fca7ce00298b522b1f6bfbaa4c0ee4760253b8489a21e7cb352929dffe8ceb22469afcd8fd8b0d3244a449e517c27925296072e55292a03b7c0043fd267bc6

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
e33ac71dfefb13b3ad6c465508651efc

SHA1
a2548fe908fd881c1efd93ad2e77aaa7e32c9d91

SHA256
a96c474b98addb7c5210774fe41eedeb35ce1548f5f9f1dbe9234b07b325ef3e

SHA512
d3fa07624ef0f0f14e7ebc15e0fcd56390145dbe718cd75e0b1867b856b6bb5268dd46bdb052c967e2b254b7ae003df507cd44a5e4a96bccacb0c03371e7762e

Download Submit
C:\Windows\Resources\spoolsv.exe

Filesize
135KB

MD5
3e4e722fdf132b6a16dd88509374b3af

SHA1
9de754e4a9b5f3ace0432ef4b63827b2d1099de4

SHA256
8d4f28fb19bfd66acf37727d1a2f400bbb0675035033ce41964b2e1c4a1db3a0

SHA512
ab3322e2065106a5f0fbd8d40fd57c449a21273bdb0e3a3f1a12b08053fc3e4eae8d32f6523e8dafd57f7f845b7de6f939537f6be29d3af3cf473f53ad9f28e6

Download Submit
C:\Windows\Resources\svchost.exe

Filesize
135KB

MD5
a1cb0c613db5d1100cf006e40c8ce709

SHA1
5e72c4838cd4ae606e64ba6e20a06ef67a6b80a2

SHA256
ec0541b79eb9eb09ce8167792b09564004e190615ffa927026ba3f9440ef8f77

SHA512
e0311387ce5aea0c3475ac684914fecb4d50c04b7ca0bf12b90ccfbc923167d782361dde77db63ea23654b811bed571b1b5150f3bbfbcbed55f6ad122006d629

Download Submit
\??\c:\5e46ab26b24b6490b4bfbc33fe29ff\DefFactory.dat

Filesize
784B

MD5
b4d60c4744eaead8f042b06a71a89e15

SHA1
9ff4fe9922ba4306cbf7a7dbffca3d7c0be81aae

SHA256
8de5a4fab48b4afaadb3b3226f26b7c8c7e202e114181aea7861352484e730c4

SHA512
58e6684c3fb9c84d7ef0ae39247667a04aa9b0da32d1507ab80fc0582447590bf728e6324e8e34680bfbba9ebe1a995ed0fe3e9e161c182dd53b271fcd56a4f7

Download Submit
\??\c:\5e46ab26b24b6490b4bfbc33fe29ff\HtmlLite.dll

Filesize
173KB

MD5
1427f0ee7ff3ca5339f54a2b2480dfaf

SHA1
f14f4beb3131b925dd958d83f5f22a53a29bd2cf

SHA256
b238e8c647d2980ed5e965f484e8adadcb20832719735dd94472cfad2a27d9b6

SHA512
fa8b87c3fbcc02a5c7ea18968a11b815bbf87f8cf58c766366cc6fcb80206dbf5dfa36880fe8cb17092aefcb51513dae39ed6a806f46d0055979e9ffb64e02e6

Download Submit
\??\c:\5e46ab26b24b6490b4bfbc33fe29ff\WapRes.dll

Filesize
104KB

MD5
e8824670433ad8593af150b2eb6913d1

SHA1
03e9ab11c1f7bc1b20309da2eef3ae52ce7be90f

SHA256
f8cb2735a2789d8e6b4cd1c7391ed8923466afd274490773e208d502132d1072

SHA512
8cdd6ed3b7fde72c148f8f5f0a795a796ec0d3c0c863d4c8f2cbdfb70443728eb975c1cf683f8e9dcd6079619c0c4e36f97bc56d348ad8b061390f9749faf95a

Download Submit
\??\c:\5e46ab26b24b6490b4bfbc33fe29ff\baseline.dat

Filesize
205KB

MD5
814af5d4e24f23eb2c93145f8469d8e3

SHA1
fb2f66f333b8f5ea727e70ad15e4d44ff66bec8c

SHA256
e27661f825eb319c845e48b19f5a60a19eb1985b377e2ef613409880a5b7d242

SHA512
580fd779e53fac57a29032211c3bbd7632407e4f0dac99f6cfca4e8a035e64ed9671623f4ddecbb56f3a31682ce55d392262c421d18a857b6bd2725280814cac

Download Submit
\??\c:\5e46ab26b24b6490b4bfbc33fe29ff\dlmgr.dll

Filesize
269KB

MD5
a309fe305d44711d62f03c8bae580e40

SHA1
27e3d98b556ec41ead00568b5c58a35c8e226228

SHA256
8d41eb260b66521b7789e7ca3cd98296b6cd309e2ca86959ceaa3a87892527ee

SHA512
bdf1f674e0a1b7d192cf8001b75b301b440c1f547c2de36a33f4065f0be6a24c5f5f4fc6bc4c4693c622f5cc042263e4cfecc73394f3da81365a53d6b6491a68

Download Submit
\??\c:\5e46ab26b24b6490b4bfbc33fe29ff\logo.bmp

Filesize
5KB

MD5
27d1fb0f5ffab86ee4c906b67f7e3c29

SHA1
6f984c1e49ecfd5c3b9916c2e4b434fb8bf6103e

SHA256
0d6e46ff07901cc9d82e8fd76f8477474c3f440bf2e43ee5cea859c0095962a2

SHA512
db1d703f0bf9630404f64de54fc16447dbe993b61d2978e757a6676c1ad26c3f738c1cab7d269337f314dff917183f9330d57e4becbd69dbcc3daeada4ccfa9f

Download Submit
\??\c:\5e46ab26b24b6490b4bfbc33fe29ff\setup.sdb

Filesize
71KB

MD5
7a94ef3b998e1098d2f4f7c66569bb9f

SHA1
5859e1ceff415a3613cee75f6b93dffa085ef83d

SHA256
95d71e04f822cdc59cc7bc449401f6e0c378f0ed7352ae83f5db30ee2d724639

SHA512
40d3d4b8930fd2d218c569be742c8640504369e66a43ec507d4c0d90e0fc61a45a58e5c96c4c5dc33b15cb2f632eae9dc796fb893c1cbd342fe9aa6e9fcfcd8e

Download Submit
\??\c:\5e46ab26b24b6490b4bfbc33fe29ff\sitsetup.dll

Filesize
1.3MB

MD5
70d42b96463300dcf804e18f2f1f9db1

SHA1
670e74d08090f78e63f056fa814aeb6d3c56e620

SHA256
63492edb2927fb8dea57580a55901f805c4d61e10d7f097b61f0b9dbf03aedbb

SHA512
b911562185e439306e04d96b3903005ca16d6506f4a8f1fa0a4e7923eec7486a3a722e093c372553a0b12c58ce133b3acdf54deae1828ef0b9c3bfe8279d5474

Download Submit
\??\c:\5e46ab26b24b6490b4bfbc33fe29ff\vs70uimgr.dll

Filesize
613KB

MD5
cd272480b9a40c1743791e8618fb5541

SHA1
ef1126e163b14563780ce3250408572c6966878c

SHA256
c5b6d65a9667aa1231c66d72ff86fba55e50ba7f4e279cf3f267e03d90d616a0

SHA512
6ecffe64826d0c3e88a2d78486800cf526891551d0edfca1e89c9f1a65d28ebc4bbe42ea141208c09ebfc7967fb1c0271bb7fc6562f17aa298518798caaaaac8

Download Submit
\??\c:\5e46ab26b24b6490b4bfbc33fe29ff\vs_setup.dll

Filesize
1021KB

MD5
ea4594bfc4df5a6f16dd79ea27b93a70

SHA1
80b492ad344f775001d08b2023c51f5199a724b9

SHA256
25b52ec5e47ec8dd0719bdc4961c926d32bb5ac1e0fc71a9d8cb5ab835da6ab1

SHA512
f3f410039fb21149f40bc2d06e2734ef349a9a993537165e551ea8dd0c011386fe75ecaf4b1c7336e76eb50a6f7c36600284798a460f1d0a8783c00daecc7d2c

Download Submit
\??\c:\5e46ab26b24b6490b4bfbc33fe29ff\vs_setup.ms_

Filesize
603KB

MD5
8f479f91a12d4e48ecaaaa478aab1042

SHA1
ee42220275f4e82986f36d4f144fc891b07008c9

SHA256
b051bc37cc923fd3928a4d95ae4478d7b83f719625100ac950c6462a004399a5

SHA512
39d01f80f8fbd8d83baac76179f2d6c56206f7c29d692f89c51a8e1e9ff241a3bf6c30c5a37242e9cf7abb227edc75d695cab89bb9be845b39ce2f91aa916186

Download Submit
\??\c:\5e46ab26b24b6490b4bfbc33fe29ff\vs_setup.pdi

Filesize
20KB

MD5
7b8966dffd15fa01d5bbdd7b312b526b

SHA1
cbfd752a07b35571917820b63a7799bf6755b5d4

SHA256
30ced1ffe473aa41d6968901f6a92dbe7d3f5e60a4ab5d5c82994e14b26dee91

SHA512
e11b4ac10aebd0cb9ec60cbd0fc14b52b99aefd154ca16cc7f49787c0e0954121e9bfd6a9e0cb4ab4a0a1868ca24db8a45ca6cf4b4e6c57a361d79cb352d6cd7

Download Submit
\??\c:\5e46ab26b24b6490b4bfbc33fe29ff\vsscenario.dll

Filesize
671KB

MD5
9b44d9e919f2f89365fb197bbd505400

SHA1
cd7484c2564d6f2d5baea8b5408af7715d9a3f49

SHA256
ed27270ea89f0a1cfda7f6e100204ebec0641bb41cafca5a287db81e69cdc120

SHA512
7cf04eb0ca2613648e21476da133716eddb6b53ba29b4dfd461a8b40295e4b928b8a57f4fc2cca4199e31eb88daf4a1899fe017afd5bfe1eddc0793119f9d517

Download Submit
\??\c:\5e46ab26b24b6490b4bfbc33fe29ff\wapui.dll

Filesize
958KB

MD5
362a5e06b9aff6d147e491c13b0c3b60

SHA1
c96c759c956a631413717be23d1acae76c252b89

SHA256
df6ee489eba67f24812576dcd1e717029cbf80beed5c623742f7f4fa59928352

SHA512
334a729948e63a35f173a8fccac525efdb2676d174097cf0bac92267c9ef5a95ffb4b9f157c8d0b0f0a31952292a08a1a87d91d6d199ad76c7523685ec348942

Download Submit
\??\c:\users\admin\appdata\local\temp\41ccd38905ec14102b3f1863e008c220n.exe

Filesize
2.7MB

MD5
269f314b87e6222a20e5f745b6b89783

SHA1
b0ca05c12ebb9a3610206bad7f219e02b7873cbd

SHA256
c05a019ce69c2e6973e464f381c2b0b618ad9b135ca5275b052febf64c9f9257

SHA512
34c574c78315cb83aac1b763a4f26f978d6c80d8e5bd61b601d16fdce2bccc109f8b46f03fb938a2ff2b9acb4793313f75b15539006e72b827ff7673507e5beb

Download Submit
memory/900-645-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/1860-643-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2460-136-0x00000000031C0000-0x00000000031C1000-memory.dmp

Filesize
4KB

Download
memory/4000-0-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4000-646-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/4408-644-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download