Overview

overview

8

Static

static

1

disk-drill-win.exe

windows10-2004-x64

Resubmissions

13-08-2024 07:31

240813-jcszva1cjg 8

13-08-2024 06:35

240813-hctqpsyenh 8

Analysis

  • max time kernel
    71s
  • max time network
    73s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13-08-2024 06:35

Sharing

Copy URL
Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    disk-drill-win.exe

  • Size

    27.0MB

  • MD5

    db78eda8cb52e64d403890ad2201f007

  • SHA1

    174c837386ce92144bb6c8d722e4809426b2519a

  • SHA256

    97e296f77f96ea55d1e0f962f0fe980170a4e8d11464a7ca45b2976aa8ee16ee

  • SHA512

    94691338ff0b788b16eed3eb2973b2534b5c7774ceba3aba11a2f73ee4d9e754c8039d47ed3b45ab55ea3e3a6f7138c5a70a40f516397167a97a36c2773c09ad

  • SSDEEP

    786432:Ep3+DT+fEKOIYSwpcPa39JWJ2GsaZ/mCoq31/:l+MKrYSwqPa3HW7saZ/mPYJ

Score
8/10
discoverypersistence

Malware Config

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Drops file in Drivers directory 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Downloads MZ/PE file
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 63 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 51 IoCs
  • Executes dropped EXE 10 IoCs
  • Loads dropped DLL 25 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 38 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\disk-drill-win.exe
    "C:\Users\Admin\AppData\Local\Temp\disk-drill-win.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:516
    • C:\Windows\Temp\{7F7F4B7B-AAD5-461D-B657-2D1165A17AB7}\.cr\disk-drill-win.exe
      "C:\Windows\Temp\{7F7F4B7B-AAD5-461D-B657-2D1165A17AB7}\.cr\disk-drill-win.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\disk-drill-win.exe" -burn.filehandle.attached=544 -burn.filehandle.self=556
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4864
      • C:\Windows\Temp\{360B3340-2F5A-44E8-A3A8-BBBD2F7DF610}\.be\DiskDrillSetup.5.5.900.0.exe
        "C:\Windows\Temp\{360B3340-2F5A-44E8-A3A8-BBBD2F7DF610}\.be\DiskDrillSetup.5.5.900.0.exe" -q -burn.elevated BurnPipe.{7CD2ED5B-2445-4F1A-AE27-DC184A33BFA7} {FD1F3E4A-124E-4BBF-AB26-FD88E7055A2D} 4864
        3⤵
        • Adds Run key to start application
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3088
        • C:\ProgramData\Package Cache\046F00C519900FCBF2E6E955FC155B11156A733B\vc_redist.14.38.33135.x64.exe
          "C:\ProgramData\Package Cache\046F00C519900FCBF2E6E955FC155B11156A733B\vc_redist.14.38.33135.x64.exe" /norestart /q /chainingpackage ADMINDEPLOYMENT /pipe NetFxSection.{F9E96E32-C82D-4059-B2D5-E36F2DA59E4B}
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1636
          • C:\Windows\Temp\{B3564742-A04E-4CF9-8E78-2A46624EB511}\.cr\vc_redist.14.38.33135.x64.exe
            "C:\Windows\Temp\{B3564742-A04E-4CF9-8E78-2A46624EB511}\.cr\vc_redist.14.38.33135.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\046F00C519900FCBF2E6E955FC155B11156A733B\vc_redist.14.38.33135.x64.exe" -burn.filehandle.attached=540 -burn.filehandle.self=548 /norestart /q /chainingpackage ADMINDEPLOYMENT /pipe NetFxSection.{F9E96E32-C82D-4059-B2D5-E36F2DA59E4B}
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:3768
            • C:\Windows\Temp\{A031C5CE-D156-4C22-9E15-4AB3CE9238E5}\.be\VC_redist.x64.exe
              "C:\Windows\Temp\{A031C5CE-D156-4C22-9E15-4AB3CE9238E5}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{2F977838-A2A3-4DA3-82F0-E8160590DDE0} {0094880C-67E6-4546-8726-09106010CA58} 3768
              6⤵
              • Adds Run key to start application
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:1448
              • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
                "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={c649ede4-f16a-4486-a117-dcc2f2a35165} -burn.filehandle.self=1080 -burn.embedded BurnPipe.{60589030-6351-4D9F-8A9F-F34B1B99CC4E} {727AC31A-77C8-4419-B4F8-934C257F89E5} 1448
                7⤵
                • System Location Discovery: System Language Discovery
                • Suspicious use of WriteProcessMemory
                PID:1052
                • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
                  "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={c649ede4-f16a-4486-a117-dcc2f2a35165} -burn.filehandle.self=1080 -burn.embedded BurnPipe.{60589030-6351-4D9F-8A9F-F34B1B99CC4E} {727AC31A-77C8-4419-B4F8-934C257F89E5} 1448
                  8⤵
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:816
                  • C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe
                    "C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{85BF82E2-A41B-4433-ACED-972665915898} {0D9CEF63-769E-4F2A-867D-FEB7C7468932} 816
                    9⤵
                    • System Location Discovery: System Language Discovery
                    • Modifies registry class
                    PID:4828
        • C:\ProgramData\Package Cache\20B1CAB9BCD5CAD52C5407D60E8556437242C730\DokanSetup.1.5.1.1000.exe
          "C:\ProgramData\Package Cache\20B1CAB9BCD5CAD52C5407D60E8556437242C730\DokanSetup.1.5.1.1000.exe" /norestart /quiet /install -burn.filehandle.self=1048 -burn.embedded BurnPipe.{37320CD3-D216-4A88-86B2-E0074800534A} {899DAB2D-5627-42D5-BAC3-01AD770127F9} 3088
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1508
          • C:\Windows\Temp\{CF706B10-56D7-4E4D-96F9-F5C3781677D9}\.cr\DokanSetup.1.5.1.1000.exe
            "C:\Windows\Temp\{CF706B10-56D7-4E4D-96F9-F5C3781677D9}\.cr\DokanSetup.1.5.1.1000.exe" -burn.clean.room="C:\ProgramData\Package Cache\20B1CAB9BCD5CAD52C5407D60E8556437242C730\DokanSetup.1.5.1.1000.exe" -burn.filehandle.attached=540 -burn.filehandle.self=648 /norestart /quiet /install -burn.filehandle.self=1048 -burn.embedded BurnPipe.{37320CD3-D216-4A88-86B2-E0074800534A} {899DAB2D-5627-42D5-BAC3-01AD770127F9} 3088
            5⤵
            • Checks computer location settings
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:4536
            • C:\Windows\Temp\{73A3666B-C577-4020-891C-6AFF550FE3E6}\.be\DokanSetup.exe
              "C:\Windows\Temp\{73A3666B-C577-4020-891C-6AFF550FE3E6}\.be\DokanSetup.exe" -q -burn.elevated BurnPipe.{4F399F79-5F0C-4C9F-A2D4-4B35CB9B6D78} {3FDAB572-463D-4280-9E18-F7A591F9FBC8} 4536
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies registry class
              PID:2796
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:2276
  • C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:4248
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Blocklisted process makes network request
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 0B31162622FB93CE4A927015F8500082
      2⤵
      • Loads dropped DLL
      PID:640
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding CE636E482C514541F4DA6A6D1C7296EE E Global\MSI0000
      2⤵
      • Drops file in Drivers directory
      • Drops file in System32 directory
      • Loads dropped DLL
      • Modifies data under HKEY_USERS
      PID:3220
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding E393BBC68F5FCA78A93BF00ED1BA0B1D E Global\MSI0000
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3836
      • C:\Program Files\Dokan\Dokan Library-1.5.1\dokanctl.exe
        "C:\Program Files\Dokan\Dokan Library-1.5.1\dokanctl.exe" /i n
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        PID:2668
    • C:\Windows\System32\MsiExec.exe
      C:\Windows\System32\MsiExec.exe -Embedding 23ADD5CE1D8195845E94082F29741827
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2308
      • C:\Windows\system32\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI61AC.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240673234 88 msiGaCustomAction!msiGaCustomAction.CustomActions.gaCheckInstallPathCustomAction
        3⤵
        • Drops file in Windows directory
        • Loads dropped DLL
        PID:4540
      • C:\Windows\system32\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI62C6.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240673515 92 msiGaCustomAction!msiGaCustomAction.CustomActions.gaCheckInstallConditionCustomAction
        3⤵
        • Drops file in Windows directory
        • Loads dropped DLL
        PID:4928
      • C:\Windows\system32\rundll32.exe
        rundll32.exe "C:\Windows\Installer\MSI6B84.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240675703 114 msiGaCustomAction!msiGaCustomAction.CustomActions.gaSuccessCustomAction
        3⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Drops file in Windows directory
        • Loads dropped DLL
        • Checks processor information in registry
        PID:1052
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 51242755E4A98DDAC09773BB31DC43F2 E Global\MSI0000
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\System32\taskkill.exe
        "C:\Windows\\System32\taskkill.exe" /F /IM DD.exe
        3⤵
        • Kills process with taskkill
        PID:2444
    • C:\Program Files\CleverFiles\Disk Drill\cfbackd.w32.exe
      "C:\Program Files\CleverFiles\Disk Drill\cfbackd.w32.exe" -i
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3004
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3910855 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:892

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e5828d5.rbs
    Filesize

    19KB

    MD5

    71e1268c1192a9abba4e436e78edc62b

    SHA1

    52acf8c607d36bbf375f802a2ce55e7961600c80

    SHA256

    4e36220e5688ff95b39cd1b8c0c7af693cafc6b440b943cb11f7942b10c795a0

    SHA512

    05d0ce2daae56bd268b4ba36352e865c923ff98cde45f0f3a08a6721dd5d4dc55188662f46e91cb99334e1a505893ada2f617b5d57bf2f06e9fabd34b89b5349

    Download Submit

  • C:\Config.Msi\e5828e1.rbs
    Filesize

    19KB

    MD5

    450448b2d098ffd702fec842a53df010

    SHA1

    84bc2dd7745db1e0862be77ceb7def8a5fca4c15

    SHA256

    faf8e79fb6da216de3145ec23be93ea2ad16d9b2a8ebac1daf908a37338a6dc8

    SHA512

    88572bb6c95d46c6dcd8a46d12e3b87bb0b5e891adfc56da8c5a9093cb863d688cd3d31dd29dde3387490e182907de65c335c1ca8459028bfb9437d203f9cd20

    Download Submit

  • C:\Config.Msi\e5828e8.rbs
    Filesize

    21KB

    MD5

    c6d92e39a0353118823d35b75af1e3d3

    SHA1

    9146b24ecd50e69d630109257f2126ff2803f08e

    SHA256

    78e710d9c41a47555b7816a5a7c76d70794299af8197775c4c5dd8320642dd02

    SHA512

    6b57f3d2fa673b29cd0630cf344c1f2ca8cfb24b11b5dfbc77c3f0485822a5ddd629d9a2714203cb1f3e68654ba30ab657f93281b319f12926129033b3bc966c

    Download Submit

  • C:\Config.Msi\e5828f7.rbs
    Filesize

    21KB

    MD5

    92c13808c7c7071013ec5f6c91a97342

    SHA1

    f8ea4ca1faa3b318d996000a4625fc669720bce3

    SHA256

    be5cec109b8bbd93c08b7f94ac52e5e88a3062927940dfda5b3ee530e8a2781f

    SHA512

    67f5e21ffab9e6509fe38f84da88c85566a019a7b2aa8573079f1c739cb0f621d8bbe54f02faa10937157d8eae9191e27d67e0310479ee4aa4a27161bfefcc3d

    Download Submit

  • C:\Config.Msi\e5828fc.rbs
    Filesize

    713KB

    MD5

    c81f0e83f76abfa89ed72d866344c1e9

    SHA1

    4ea35be536958d868e2d4bf9da1c687097db3ca8

    SHA256

    2371323633590f70cca50a1123f8d6935183ae2da153d2d080c87bd0d63f1229

    SHA512

    a4d73e809c90b9942ad0600cd0de3c5ef7a5fbd87fff16536fd40c332b7fe229fa096a3408f4694a843a9a6fb99b2dfc20030ad8335410f32aa0eceffac3df8a

    Download Submit

  • C:\Config.Msi\e5828ff.rbs
    Filesize

    28KB

    MD5

    904f0cb10a07459ccc49dcfccc5877cc

    SHA1

    5ce62c63c1c92d4d6ebd0735f6e535b96c31428a

    SHA256

    5f70f1a30a70b3a2fd4868f7460c8ac350fec54bad8f37d6e8c4f820bbec9de1

    SHA512

    535be1b6d81482d13364254fd78eca12f5d01dd76e9811eb385428d17f5121e9619f5b0e3877bd26d67e70995244deca0fa4a36137a38526b4d837f1e14ac49d

    Download Submit

  • C:\Program Files\CleverFiles\Disk Drill\DD.exe
    Filesize

    388KB

    MD5

    a8df446d2c364532abb3a99ff593941d

    SHA1

    99482ba7d46169c1e388c9511764349a31e43a8e

    SHA256

    f71184a0833a16f5e8eb0203fae916fee2392b58b217bd52119cfb792f2e1f04

    SHA512

    d2207758dc7c194a0ca760773e6de1e06150b83c659e048cb595164ee0cb00376f25e7c39fe857b96186225a773490085f9c64b8306c766f1216c2e025c82b78

    Download Submit

  • C:\Program Files\CleverFiles\Disk Drill\cfbackd.w32.exe
    Filesize

    301KB

    MD5

    d0fcca93ba324f657a9b17f4714f1f82

    SHA1

    a7f204f6a60f45199db94d615982c3490c506061

    SHA256

    91f79df9c86b8b7bf6bf27739fee8492bf2ae661a06c2e589257fd7c267ff993

    SHA512

    ebfded1fb5a57ea42f612dc51e7f62b1b41c50b034903e7866e9b7b6ae50941e3e6380c0baf9c0b02dbdd1f40b34ece9b8ccfb5de1cdbbb689c8df8c583f02b8

    Download Submit

  • C:\Program Files\Dokan\Dokan Library-1.5.1\dokanctl.exe
    Filesize

    141KB

    MD5

    2725dba3e6aacf3a49c9c9d493a4efec

    SHA1

    99b17c0aef3d01238b90caeb3738f1f279ab17a5

    SHA256

    03e34f788305431d0540c0fddac2d9a66dcaf2cb7e267ffbe7678334ff3995ff

    SHA512

    1bc76002e53d788d6bd8558ffb880863dcef28f8f03fda7e8ac6bf0eb46bb754e06b042cc56fd8549552320960a29e005b42f21c5acfb16e2de8e1ae05a48337

    Download Submit

  • C:\Program Files\Dokan\Dokan Library-1.5.1\driver\dokan.inf
    Filesize

    1KB

    MD5

    5eeb5aa1f9e34a6f91fa5c431a072dcc

    SHA1

    cc3268d2ff2e998d845b01e1fdb4188a749a4b9d

    SHA256

    7f03ffd6cfa3a50539c9c5c6fe6e8b207183942df0e25bed513ee5dd39f975c5

    SHA512

    b8a3e8fa80308a336be372ece7ea6ba4089a844ca7e2edf99e2601a6c69724442dc160f5df0bb6783f388ac46defd1763e33fd3acc6a70ed72749395b5f81f8a

    Download Submit

  • C:\Program Files\Dokan\Dokan Library-1.5.1\driver\dokan1.cat
    Filesize

    10KB

    MD5

    a0eb9366a5d6042030c6aec99292f406

    SHA1

    c9c23e1918e5abd45f0bafde646f163969ba20f8

    SHA256

    90839856dddc01bf2af21340a83641dc40d2d68b8c01c3dd29eb261827a0ac7a

    SHA512

    dbb636588d03010d027f15a8c1ad8e7641bbfc3f7ba2794ac6e4353f93f0da12a0bc039abdac664840d034bcdd15489d59768d829736d2b1eb725757370e590c

    Download Submit

  • C:\Program Files\Dokan\Dokan Library-1.5.1\driver\dokan1.sys
    Filesize

    377KB

    MD5

    98d68d07ed2759612018ef269f713dc8

    SHA1

    830ae5d65a2782a874d2373f883de113867a3609

    SHA256

    7a055d96a85ca1926e0f89da0bffe47e31beb0c75f756b38bdf935e5f972ded4

    SHA512

    7c6cf6126b6625fda1f76add72db7864fde9d675d3a424dee91d558b618ebd65588e2ec6ba7fedc140555450a9fe8717ae27baa4d934adef0408fc3bb3447932

    Download Submit

  • C:\Program Files\Dokan\Dokan Library-1.5.1\x86\dokan1.dll
    Filesize

    394KB

    MD5

    a60f678d0fd4524adc0eb934a1739365

    SHA1

    5dd45ab3c14a1998fec3a10fc998ab1c86f63485

    SHA256

    d3ebcc2003be13a8fe9d9b35da2a08d59521beb19591cbecf808a8b68af419a1

    SHA512

    e701a51dfb203e1483f13d75788e8d7182fc8f3c8e5807c60b492baf8dcb46c02fea90b33f56b3018737a06b8e03eaee46b8b0d3abf6c9b3facae93d6fc588bb

    Download Submit

  • C:\ProgramData\Package Cache\{bf17c798-887e-4516-8036-35d6e0649a36}\state.rsm
    Filesize

    874B

    MD5

    c71531f94d4ae216f42c422668976ec5

    SHA1

    66cb93178d4adda899c9c4ac7c6fd67b79159163

    SHA256

    ee356c60065ca500d3e2d8f6387718a3f7cc064f0a971e81a2c84bd9f04cf3a4

    SHA512

    a851cda83108e05724d988ca9bea1ff917c340413e4cb89d01726c8cd1aa4636cf60551b87c3256a3e5e1e83dbb58d92e648d61100fd2734447da2ff0b94e3d7

    Download Submit

  • C:\ProgramData\Package Cache\{c649ede4-f16a-4486-a117-dcc2f2a35165}\state.rsm
    Filesize

    1KB

    MD5

    60dacc85e0efd9963e1d7621d84c1e4a

    SHA1

    45e5727d97dccf637491d5ddf48e0eb90b93f979

    SHA256

    e4861eb65823511e6e18cd4228dc79f9a2d0cb472c13242d048e7e15826a9444

    SHA512

    795cff6ccef94690f7d7209f1e2b32f6a87ec49e90802863eadb30c549d5d0cab48815a077c97d8e2dfc7e9fa8541fea51f8caa107e3f8c53a84e724a86d136c

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log
    Filesize

    1KB

    MD5

    7eb236f10d5013e533c3322c975581ac

    SHA1

    34817692913f5648a0fc316065b5b8f6d961818d

    SHA256

    08d02396e382b80765486f922c06d8840ca63a5251eee8f870499b045e52424d

    SHA512

    6af25144233fee34d438250d8ae70d93ccab079e9f06b69c2cb8bec1a7a282fb48efe70fada5005b0b24433150a3bf62abdb89bd1a41ec95559a66aad2bd9d2f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DDInstall.cpccLog.txt
    Filesize

    312B

    MD5

    21846b9f863ed86ec0c2ecf1f0442b32

    SHA1

    528214e596a21929e4028bb465ee6b67508381cd

    SHA256

    c89d4c69774227eed0d7bed828cb31c094b345150ed2367cbc0f8c02abe510aa

    SHA512

    b8f00064223a01655314e9d81c6264bcf424201183aedb10d32edfeb1c526b6cf2e1e499051c64e80238aef69711094e566d0f802403d29defeb4075966aabbf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\DDInstall.cpccLog.txt
    Filesize

    1KB

    MD5

    8fd57988f9521ba8c5b2a6334219863c

    SHA1

    0e87d8734773a14850c96ed855c385467e481d2d

    SHA256

    54b81ac9829ffbda50bfe97eb64e4ff7551eee8b7604c1f0b7285367ec72d7b2

    SHA512

    27d15fc4586db21baed10c1b6d02f4b091f82d5f08d701db0414c3a769ef01f444a2dac6012f0eb27146060f6f5c826473eddc7775ca5aa24a3fd04e5c1d66d6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Disk_Drill_5.5.900.0_20240813064020_002_DD.Setup.x64.msi.log
    Filesize

    1KB

    MD5

    8d9a1344da570b95303f5f60d163a764

    SHA1

    f0c7821735a51a14ed2de12b8cb062349f49e4dd

    SHA256

    933f9d2cd94489e23ca8415adae5fd1e510fde32648a34971f583bbd5e7bf67f

    SHA512

    3e307f028b1aaaaa3dc2d63208812e8d0b766465bf9c2576de64134b1ad11d8996824e9ed25fa6a4a6ae48845ef1a7e7bf62e3797ba53e5497c52117a3092eb2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Dokan_Library_1.5.1.1000_Bundle_20240813064105_000_Dokan_x64.msi.log
    Filesize

    1KB

    MD5

    a674ea890ebe61aa645f9d07946e6e76

    SHA1

    04ac8bb0e4b2c51eb73dc27672eb8568e5e9a6e0

    SHA256

    48bfeae42eb558a5d0685de2e19a3eedf1313ceeb54f07d4f5bb5f5e933cb05c

    SHA512

    95d017ecc288f3166b4c39c047d4f455e8d09c2c850981ef3106314a47d6c6b807919ae786ce4946f1a4e20fc162ae1542ba8499fa083adad28b63d03f0ec592

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240813064100_000_vcRuntimeMinimum_x64.log
    Filesize

    2KB

    MD5

    e7c1c28ee8bb323aa0a29429b0301b76

    SHA1

    b5272c235e26434a33c846aeee43ebdc5dbf1c38

    SHA256

    47c3f06e6c8df5feb305490188af23a212c2acab1fdccca2bd9938739e85aa17

    SHA512

    423c1f4631e19118e274a55d5b3ca7600faeb7195af7b65177f33f475b143fe674777f2f777fb69f1868795647a8667434e0c03e542a1e63210c2d4a84180895

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\dd_vcredist_amd64_20240813064100_001_vcRuntimeAdditional_x64.log
    Filesize

    2KB

    MD5

    6037e5b3a29d553508ef7a144bd9c91e

    SHA1

    22280cdd6ed9ea3e8c48e042e633b06496a8fbc0

    SHA256

    511207cefebb9dd7eec63909e2cb66f1c0734b6f09b9a6309db59bad4aa4256f

    SHA512

    84c372c71893dc936dd58353177666f92100c44e2d1f712c0a93977fef8167c6159ea8a8b032e746d5f7591611b6995d31876e36fb4b58677045824e63d9e960

    Download Submit

  • C:\Windows\Installer\MSI40A3.tmp
    Filesize

    149KB

    MD5

    418322f7be2b68e88a93a048ac75a757

    SHA1

    09739792ff1c30f73dacafbe503630615922b561

    SHA256

    ea5d4b4c7e7be1ce24a614ae1e31a58bcae6f1694dd8bfb735cf47d35a08d59b

    SHA512

    253f62f5ce75df3e9ac3c62e2f06f30c7c6de6280fbfc830cdd15bf29cb8ee9ed878212f6df5d0ac6a5c9be0e6259f900eccee472a890f15dd3ff1f84958aeef

    Download Submit

  • C:\Windows\Installer\MSI4305.tmp
    Filesize

    690KB

    MD5

    8deb7d2f91c7392925718b3ba0aade22

    SHA1

    fc8e9b10c83e16eb0af1b6f10128f5c37b389682

    SHA256

    cb42fac1aebb6e1ac4907a38035b218b5f992d1bcd4dece11b1664a588e876e4

    SHA512

    37f2c132b632c8e5a336bdc773d953c7f39872b1bae2ba34fbaf7794a477fd0dcb9ff60a3ddb447fe76abd98e557bd5ee544876584adea152b0841b3e313054c

    Download Submit

  • C:\Windows\Installer\MSI443F.tmp
    Filesize

    113KB

    MD5

    fa0d3eb4ff2a36049eb0373e645fc16a

    SHA1

    e757a6f96303313778670e6f6fbdfd237743e7b1

    SHA256

    ee2f295eacd7d54799e2f6df191ff1da3bac490a865bb9654bd1ecbf9f2bb4d3

    SHA512

    be7508c9ca9f17ac0d2f9c656fa5eada18f345781d8ed210c23dc038394f7564b3821f4528139ae3db5067a4b2dcda1ed8d00150993f1904098c439da19dfc9f

    Download Submit

  • C:\Windows\Installer\MSI61AC.tmp
    Filesize

    615KB

    MD5

    a95da1b0805973f5becc95995e713a68

    SHA1

    2572032a0aaa9615cf20949c957ea5aeffd2c654

    SHA256

    ecb80749bf597194f61699401e6805a45c4cb6cbdf50f8b4ad5e13890f82a900

    SHA512

    95bf9485bfe43c0f387fc5741f08adbae027310b291ff8fe2343e9f5ac2c33ace365ede408f6b134f81876b35451006232f5e26638109a0b791caaa0564ab2df

    Download Submit

  • C:\Windows\Installer\MSI61AC.tmp-\msiGaCustomAction.dll
    Filesize

    28KB

    MD5

    f6fabea50d0e85ec3e0cb93794ac55d6

    SHA1

    a985999df06adc4580811380db813e2e4697ec0c

    SHA256

    26e377ee21ed4b09f1aaf241081e29c09d2e47bc0512fb7c755653b5fba5e11c

    SHA512

    be9e31350d10f6f7f60434d06a350bf659a8a301659b303b6b323e145069bc774efd6fd3dec41fa8234099f9efe32b98d455adeb97ef223c6e4ac2b3f7f178ee

    Download Submit

  • C:\Windows\Installer\MSI62C6.tmp-\CustomAction.config
    Filesize

    1KB

    MD5

    01c01d040563a55e0fd31cc8daa5f155

    SHA1

    3c1c229703198f9772d7721357f1b90281917842

    SHA256

    33d947c04a10e3aff3dca3b779393fa56ce5f02251c8cbae5076a125fdea081f

    SHA512

    9c3f0cc17868479575090e1949e31a688b8c1cdfa56ac4a08cbe661466bb40ecfc94ea512dc4b64d5ff14a563f96f1e71c03b6eeacc42992455bd4f1c91f17d5

    Download Submit

  • C:\Windows\Installer\MSI62C6.tmp-\Microsoft.Deployment.WindowsInstaller.dll
    Filesize

    179KB

    MD5

    1a5caea6734fdd07caa514c3f3fb75da

    SHA1

    f070ac0d91bd337d7952abd1ddf19a737b94510c

    SHA256

    cf06d4ed4a8baf88c82d6c9ae0efc81c469de6da8788ab35f373b350a4b4cdca

    SHA512

    a22dd3b7cf1c2edcf5b540f3daa482268d8038d468b8f00ca623d1c254affbbc1446e5bd42adc3d8e274be3ba776b0034e179faccd9ac8612ccd75186d1e3bf1

    Download Submit

  • C:\Windows\Installer\MSI645F.tmp
    Filesize

    211KB

    MD5

    a3ae5d86ecf38db9427359ea37a5f646

    SHA1

    eb4cb5ff520717038adadcc5e1ef8f7c24b27a90

    SHA256

    c8d190d5be1efd2d52f72a72ae9dfa3940ab3faceb626405959349654fe18b74

    SHA512

    96ecb3bc00848eeb2836e289ef7b7b2607d30790ffd1ae0e0acfc2e14f26a991c6e728b8dc67280426e478c70231f9e13f514e52c8ce7d956c1fad0e322d98e0

    Download Submit

  • C:\Windows\Installer\MSI6B84.tmp-\libSoftMeter.dll
    Filesize

    931KB

    MD5

    79f8f96d861c87c949cc904020a2092b

    SHA1

    75eb3505e6bef949a0778c178ec87b417482a259

    SHA256

    735006e0e39a3d38f42be4ee96434a239d2ba827ce7bc3e95d74c7cc8ce800da

    SHA512

    f73f44da61ed29e0805afcbb8b652dd1fbbc6fad60452708697b12af22ed287fce640f3451015cf0dee14a852a9209c5093a6a892bc4264a427d9baddda1c03a

    Download Submit

  • C:\Windows\System32\dokan1.dll
    Filesize

    507KB

    MD5

    3556298d25afd095b48279264d9911da

    SHA1

    a1182374dd98b0ec3c9edfa3597f2142a25fed2b

    SHA256

    e5a4d9f08f0faf571abfe0a361f5e5ad9fd80315c835f7a8ddb5d6a8f81e5b57

    SHA512

    ab2b66b366ba6c56e075e652ac8a8a30e8310488d65db7812ba9676e4c500ba21c9c0e00730998693874d33924d4e2a591ec54aa2da394578d2c6e5262b49f5c

    Download Submit

  • C:\Windows\Temp\{360B3340-2F5A-44E8-A3A8-BBBD2F7DF610}\.ba\logo.png
    Filesize

    80KB

    MD5

    bc348d03ed3d614eeb776df9c17dd0c9

    SHA1

    0d0628742f480a07e08f251d7ffa6d2c671b6811

    SHA256

    bcc352480c5bb9be1021442b5f1c948a33504d75b9c76f899eb3244e0b40c786

    SHA512

    12b12b6ccece3de9e76562ca83e078cf502e0de34747abe84f70665bd2727f4cdd62d04a1811095440c5f52fcc2b4a07f3c45b2fd3bf7d1933b596a09b5cf311

    Download Submit

  • C:\Windows\Temp\{360B3340-2F5A-44E8-A3A8-BBBD2F7DF610}\.ba\wixstdba.dll
    Filesize

    184KB

    MD5

    fe7e0bd53f52e6630473c31299a49fdd

    SHA1

    f706f45768bfb95f4c96dfa0be36df57aa863898

    SHA256

    2bea14d70943a42d344e09b7c9de5562fa7e109946e1c615dd584da30d06cc80

    SHA512

    feed48286b1e182996a3664f0facdf42aae3692d3d938ea004350c85764db7a0bea996dfddf7a77149c0d4b8b776fb544e8b1ce5e9944086a5b1ed6a8a239a3c

    Download Submit

  • C:\Windows\Temp\{360B3340-2F5A-44E8-A3A8-BBBD2F7DF610}\DD.Setup.x64.msi
    Filesize

    26.8MB

    MD5

    b0a9539ec71a5de35bc4e97332550498

    SHA1

    403a5f29a4e1cbf5a2c410586ff53324cc622ca2

    SHA256

    dc01ad88f8c85fd7436f6942fbec660fa8d9bbf5a5b69e979874cfa8b93303fa

    SHA512

    da1c87c13547af669718ef4dc69154b9f81ff0d5ada84d2a0eb36d34dc77f357bce75e533695eaf28c362e8c8649b382860269989feca761a72a38e2a5050480

    Download Submit

  • C:\Windows\Temp\{360B3340-2F5A-44E8-A3A8-BBBD2F7DF610}\DokanSetup.exe
    Filesize

    17.6MB

    MD5

    5494822f54196466a02bfbd78b91e827

    SHA1

    20b1cab9bcd5cad52c5407d60e8556437242c730

    SHA256

    48e7b21310d28bbef6961ba01d52ace8a08a937a8c9cf4f60f4fa17885eeb518

    SHA512

    bf4d243f805087d8dbe5a36e5ebcf00bb7d0456d6304ea89ae4b1cb0aece790c04f5941424a91d988604472c910e02e7fc494b5718ed091ec4e92c710c2f125d

    Download Submit

  • C:\Windows\Temp\{360B3340-2F5A-44E8-A3A8-BBBD2F7DF610}\vcredist_2019_x64.exe
    Filesize

    24.2MB

    MD5

    a8a68bcc74b5022467f12587baf1ef93

    SHA1

    046f00c519900fcbf2e6e955fc155b11156a733b

    SHA256

    1ad7988c17663cc742b01bef1a6df2ed1741173009579ad50a94434e54f56073

    SHA512

    70a05bde549e5a973397cd77fe0c6380807cae768aa98454830f321a0de64bd0da30f31615ae6b4d9f0d244483a571e46024cf51b20fe813a6304a74bd8c0cc2

    Download Submit

  • C:\Windows\Temp\{73A3666B-C577-4020-891C-6AFF550FE3E6}\.ba\logo.png
    Filesize

    4KB

    MD5

    0d1ae52cb83dc37298bd0872d1e08374

    SHA1

    d6223fe2e4834b0e10d946879a2cb645c11e6db5

    SHA256

    4e716f8dc1fdf9a803ea2441e2a6a185f7bbccd25dcb4a389742f056f9b4e74e

    SHA512

    0e2a7938cab23eeb430a677f5061b40eb2b68d5691b9cdf4ac697caab52142a79f40ccd5e52d8b1eb73a3eff3495de92161e6cced5b4478f2240eb2c10add484

    Download Submit

  • C:\Windows\Temp\{73A3666B-C577-4020-891C-6AFF550FE3E6}\Dokan_x64.msi
    Filesize

    11.9MB

    MD5

    910c2771cc11e19efecc8b79437df6f0

    SHA1

    65cf740580e4c202579aedd2ec520a9f85e68e05

    SHA256

    c7ab35e0d80d0f81a03e44cbeb7220625248d00de8c8019fc6a87ffe223db49f

    SHA512

    492f4560c1505ada9d5c79ad0c098159af473de7567048e7dc48559328c9970641cd5e2eb8f749ce04918a9a0bb1a0bd943915abd686ea8824191c0747fafe1f

    Download Submit

  • C:\Windows\Temp\{7F7F4B7B-AAD5-461D-B657-2D1165A17AB7}\.cr\disk-drill-win.exe
    Filesize

    888KB

    MD5

    ddc2103d7db9f4b5ba331ed09293a336

    SHA1

    73bd031762f1168a4d7fed65bbc1663ca6cceb3c

    SHA256

    386a38dd828a617f60d11719ad5eaa3fa21a21b46f3871f5b4553e9f6e67aced

    SHA512

    2e77b5c6d7562bd23d1372903da819c5a905f791228dc89317159e9ed2c32e7dc40bb2067de6de3b43a887d3799b58fd44505d81fae3b6348e64bedeab2effb3

    Download Submit

  • C:\Windows\Temp\{A031C5CE-D156-4C22-9E15-4AB3CE9238E5}\.ba\logo.png
    Filesize

    1KB

    MD5

    d6bd210f227442b3362493d046cea233

    SHA1

    ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

    SHA256

    335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

    SHA512

    464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

    Download Submit

  • C:\Windows\Temp\{A031C5CE-D156-4C22-9E15-4AB3CE9238E5}\.ba\wixstdba.dll
    Filesize

    191KB

    MD5

    eab9caf4277829abdf6223ec1efa0edd

    SHA1

    74862ecf349a9bedd32699f2a7a4e00b4727543d

    SHA256

    a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

    SHA512

    45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

    Download Submit

  • C:\Windows\Temp\{A031C5CE-D156-4C22-9E15-4AB3CE9238E5}\cab2C04DDC374BD96EB5C8EB8208F2C7C92
    Filesize

    5.4MB

    MD5

    d0cbbe859fbb7c25dd5158e0f45d3682

    SHA1

    9c2f0b8379976fda1b46aa8c4a4a27b6f824b659

    SHA256

    97aef328363e120e786841903bb51a17547aa84f64d5d3525940ec5a69b9a627

    SHA512

    7ad84ae54668c07033ad100bc101fd0bf0b0783a1dd1f018d241097e167328b8e87cc15e4c0b45859e1946d41ef7528f46ca3c44deccd8859f11274d9e4189b6

    Download Submit

  • C:\Windows\Temp\{A031C5CE-D156-4C22-9E15-4AB3CE9238E5}\cab5046A8AB272BF37297BB7928664C9503
    Filesize

    955KB

    MD5

    3d14b0e254ea96fef419e6da38eb25e4

    SHA1

    93341ef98a0e2ae2cccc7e467af23bcc477d9a5c

    SHA256

    8717dc81d0345d8b81aa85e776fd3e0e6010dba974bf0f5660071e6d680c4526

    SHA512

    64a656648c16aa78ed74196e327126f6a9eb5d89052cdcd8f83eb655842e41c4f42be7f61541371f36ce322d208d1d707f485e99a79aa799fad7fd2c51553811

    Download Submit

  • C:\Windows\Temp\{A031C5CE-D156-4C22-9E15-4AB3CE9238E5}\vcRuntimeAdditional_x64
    Filesize

    188KB

    MD5

    d5a907e3b279f26804af0c56b0c65d52

    SHA1

    63bf7f0afd12ef21781dc14dd3b14c59d9e66518

    SHA256

    401ffa2ef4f070e211ef3f6e4f8a2a7af2bc9ea0119bbacad040669ab6221bba

    SHA512

    8d23fed4d26f0e2d1e40d5993ab2f588be1e7873cbcbe2064351ca8ef705bf74535225e9d0c2adf93fabfd45691077c7abb3991a013c8b4b234b9751c991f327

    Download Submit

  • C:\Windows\Temp\{A031C5CE-D156-4C22-9E15-4AB3CE9238E5}\vcRuntimeMinimum_x64
    Filesize

    188KB

    MD5

    e312d6be7dee2b8f3737e0a1bc92e3aa

    SHA1

    72487572a3f8b8eff93489997c8a5041ea7a6867

    SHA256

    d48c8e848a219bceb638b2505132756cb908703fe75dee78bdf475435420dc49

    SHA512

    b39a0c18aa242887e3f9ae3d49bc9d6765ce15097718964cccd86b824d13481cbd53175105db29d17e3a08f74fe4d20dfb3f9989eca5276c3f5fbb255b80f8ae

    Download Submit

  • C:\Windows\Temp\{B3564742-A04E-4CF9-8E78-2A46624EB511}\.cr\vc_redist.14.38.33135.x64.exe
    Filesize

    635KB

    MD5

    b73be38096eddc4d427fbbfdd8cf15bd

    SHA1

    534f605fd43cc7089e448e5fa1b1a2d56de14779

    SHA256

    ab1164dcaf6c7d7d4905881f332a7b6f854be46e36b860c44d9eedc96ab6607a

    SHA512

    5af779926d344bc7c4140725f90cddad5eb778f5ca4856d5a31a6084424964d205638815eab4454e0ea34ea56fafca19fadd1eb2779dc6b7f277e4e4ce4b1603

    Download Submit

  • C:\Windows\Temp\{CF706B10-56D7-4E4D-96F9-F5C3781677D9}\.cr\DokanSetup.1.5.1.1000.exe
    Filesize

    700KB

    MD5

    a506dc305fea77b94923f210e5389968

    SHA1

    5857367e32178fff8b501b16a025ecf02ed05d24

    SHA256

    203b6c8e2d88200e290ffb83791e1953acbdd2aee21fa841c4c67081583a0d4c

    SHA512

    c7c01c018c9fa07f2e0ae5dce31a3b22004ddbca5d794c193790f0685b8f511f95f8df6b3da6d0f8bfc392460f24faf84de450f968e0cb215fb6db813c03daf2

    Download Submit

  • \??\PIPE\wkssvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit

  • memory/816-313-0x0000000000430000-0x00000000004A7000-memory.dmp

    Filesize

    476KB

    Download

  • memory/1052-314-0x0000000000430000-0x00000000004A7000-memory.dmp

    Filesize

    476KB

    Download

  • memory/4540-591-0x0000021212F90000-0x0000021212F9C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/4540-587-0x000002122B4B0000-0x000002122B4DE000-memory.dmp

    Filesize

    184KB

    Download

  • memory/4828-276-0x0000000000430000-0x00000000004A7000-memory.dmp

    Filesize

    476KB

    Download