Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    04/10/2024, 09:28

General

  • Target

    2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe

  • Size

    1.6MB

  • MD5

    35a39b5dab654322931ab6920106903e

  • SHA1

    d1486d4e9972a1e18322ae679c56e004ffd777ff

  • SHA256

    bb1b0ea17894b330457b93afc86b936ebc5be9f51fae6b6f128591a627db120c

  • SHA512

    c3523a8cbb9a8cf3233e05a13337686086f2c32c8aae88869060af0013cca0623b25cb5d29977afad62036275efd90da86361787c390d7ab25cfe6c7b473e60a

  • SSDEEP

    24576:TNbqRetBjNKieTnCPXybrXMfq4K6ApZpiZxKK6oanWowemBJo56K:ZbvXKikCPC4q4K7pZ8xKDwe56

Score
7/10

Signatures

  • Checks computer location settings 2 TTPs 24 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Control Panel 24 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe"
    1⤵
    • Checks computer location settings
    • Enumerates connected drives
    • Modifies Control Panel
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4668
    • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
      2⤵
      • Checks computer location settings
      • Enumerates connected drives
      • Modifies Control Panel
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
        "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
        3⤵
        • Checks computer location settings
        • Enumerates connected drives
        • Modifies Control Panel
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of WriteProcessMemory
        PID:5088
        • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
          "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
          4⤵
          • Checks computer location settings
          • Enumerates connected drives
          • Modifies Control Panel
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:2436
          • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
            "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
            5⤵
            • Checks computer location settings
            • Enumerates connected drives
            • Modifies Control Panel
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SendNotifyMessage
            • Suspicious use of WriteProcessMemory
            PID:2820
            • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
              "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
              6⤵
              • Checks computer location settings
              • Enumerates connected drives
              • Modifies Control Panel
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:4984
              • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                7⤵
                • Checks computer location settings
                • Enumerates connected drives
                • Modifies Control Panel
                • Suspicious use of FindShellTrayWindow
                • Suspicious use of SendNotifyMessage
                • Suspicious use of WriteProcessMemory
                PID:4236
                • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                  "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                  8⤵
                  • Checks computer location settings
                  • Enumerates connected drives
                  • Modifies Control Panel
                  • Suspicious use of FindShellTrayWindow
                  • Suspicious use of SendNotifyMessage
                  • Suspicious use of WriteProcessMemory
                  PID:4196
                  • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                    "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                    9⤵
                    • Checks computer location settings
                    • Enumerates connected drives
                    • Modifies Control Panel
                    • Suspicious use of FindShellTrayWindow
                    • Suspicious use of SendNotifyMessage
                    • Suspicious use of WriteProcessMemory
                    PID:4124
                    • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                      "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                      10⤵
                      • Checks computer location settings
                      • Enumerates connected drives
                      • Modifies Control Panel
                      • Suspicious use of FindShellTrayWindow
                      • Suspicious use of SendNotifyMessage
                      • Suspicious use of WriteProcessMemory
                      PID:2072
                      • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                        "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                        11⤵
                        • Checks computer location settings
                        • Enumerates connected drives
                        • Modifies Control Panel
                        • Suspicious use of FindShellTrayWindow
                        • Suspicious use of SendNotifyMessage
                        • Suspicious use of WriteProcessMemory
                        PID:1092
                        • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                          "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                          12⤵
                          • Checks computer location settings
                          • Enumerates connected drives
                          • Modifies Control Panel
                          • Suspicious use of FindShellTrayWindow
                          • Suspicious use of SendNotifyMessage
                          • Suspicious use of WriteProcessMemory
                          PID:4568
                          • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                            "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                            13⤵
                            • Checks computer location settings
                            • Enumerates connected drives
                            • Modifies Control Panel
                            • Suspicious use of FindShellTrayWindow
                            • Suspicious use of SendNotifyMessage
                            • Suspicious use of WriteProcessMemory
                            PID:2748
                            • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                              "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                              14⤵
                              • Checks computer location settings
                              • Enumerates connected drives
                              • Modifies Control Panel
                              • Suspicious use of FindShellTrayWindow
                              • Suspicious use of SendNotifyMessage
                              • Suspicious use of WriteProcessMemory
                              PID:5040
                              • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                                "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                                15⤵
                                • Checks computer location settings
                                • Enumerates connected drives
                                • Modifies Control Panel
                                • Suspicious use of FindShellTrayWindow
                                • Suspicious use of SendNotifyMessage
                                • Suspicious use of WriteProcessMemory
                                PID:2248
                                • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                                  "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                                  16⤵
                                  • Checks computer location settings
                                  • Enumerates connected drives
                                  • Modifies Control Panel
                                  • Suspicious use of FindShellTrayWindow
                                  • Suspicious use of SendNotifyMessage
                                  • Suspicious use of WriteProcessMemory
                                  PID:3916
                                  • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                                    "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                                    17⤵
                                    • Checks computer location settings
                                    • Enumerates connected drives
                                    • Modifies Control Panel
                                    • Suspicious use of FindShellTrayWindow
                                    • Suspicious use of SendNotifyMessage
                                    • Suspicious use of WriteProcessMemory
                                    PID:376
                                    • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                                      "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                                      18⤵
                                      • Checks computer location settings
                                      • Enumerates connected drives
                                      • Modifies Control Panel
                                      • Suspicious use of FindShellTrayWindow
                                      • Suspicious use of SendNotifyMessage
                                      • Suspicious use of WriteProcessMemory
                                      PID:4580
                                      • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                                        "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                                        19⤵
                                        • Checks computer location settings
                                        • Enumerates connected drives
                                        • Modifies Control Panel
                                        • Suspicious use of FindShellTrayWindow
                                        • Suspicious use of SendNotifyMessage
                                        • Suspicious use of WriteProcessMemory
                                        PID:4324
                                        • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                                          "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                                          20⤵
                                          • Checks computer location settings
                                          • Enumerates connected drives
                                          • Modifies Control Panel
                                          • Suspicious use of FindShellTrayWindow
                                          • Suspicious use of SendNotifyMessage
                                          • Suspicious use of WriteProcessMemory
                                          PID:392
                                          • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                                            "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                                            21⤵
                                            • Checks computer location settings
                                            • Enumerates connected drives
                                            • Modifies Control Panel
                                            • Suspicious use of FindShellTrayWindow
                                            • Suspicious use of SendNotifyMessage
                                            • Suspicious use of WriteProcessMemory
                                            PID:4400
                                            • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                                              "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                                              22⤵
                                              • Checks computer location settings
                                              • Enumerates connected drives
                                              • Modifies Control Panel
                                              • Suspicious use of FindShellTrayWindow
                                              • Suspicious use of SendNotifyMessage
                                              • Suspicious use of WriteProcessMemory
                                              PID:3272
                                              • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                                                "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                                                23⤵
                                                • Checks computer location settings
                                                • Enumerates connected drives
                                                • Modifies Control Panel
                                                • Suspicious use of WriteProcessMemory
                                                PID:3728
                                                • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                                                  "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                                                  24⤵
                                                  • Checks computer location settings
                                                  • Enumerates connected drives
                                                  • Modifies Control Panel
                                                  • Suspicious use of WriteProcessMemory
                                                  PID:1556
                                                  • C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\2024-10-04_35a39b5dab654322931ab6920106903e_cobalt-strike_ryuk.exe" restart norepair
                                                    25⤵
                                                      PID:3008

    Downloads

    • C:\Users\Admin\AppData\Roaming\Ventural\VM-Saga.json

      Filesize

      1KB

    • C:\Users\Admin\AppData\Roaming\Ventural\Venmon.ini

      Filesize

      128B
