Overview

overview

8

Static

static

1

Let's%20Compress.exe

windows11-21h2-x64

8

Resubmissions

20/11/2024, 14:06

241120-red8gaybpq 8

28/10/2024, 13:24

241028-qnrdqaxqfm 8

Analysis

  • max time kernel
    1023s
  • max time network
    1155s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    20/11/2024, 14:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Let's%20Compress.exe

  • Size

    16.8MB

  • MD5

    c34118d64ca94041f56cbeba5daf9abd

  • SHA1

    14ef602cc6ea87ac0f961fc3dac25a4e56923e00

  • SHA256

    61c1c11c4054e61ab9fa8777caeaf9c84821ad1b7e773e4bc8b5d844d90e8c7d

  • SHA512

    ca6878539c9e4f590f628785794ee1fe7c0f0cb8148ef0657e57de33d37595439731b299a42008a6fc6cb282da6cca97adc48f9e52ca083d171568a9f1f3d150

  • SSDEEP

    393216:neTuAoAu6yJEULuZmyGdM90bq/5H7hifJJ8fM:nAJZcEUSG40bY1ihJ8U

Score
8/10
discoveryexecution

Malware Config

Signatures

  • Blocklisted process makes network request 5 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 40 IoCs
  • Enumerates connected drives 3 TTPs 64 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 17 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 3 IoCs
    evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\Let's%20Compress.exe
    "C:\Users\Admin\AppData\Local\Temp\Let's%20Compress.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4264
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Let's Compress\Let's Compress 2.3.26.0\install\DC99C02\Let's Compress 06052024.msi" AI_SETUPEXEPATH=C:\Users\Admin\AppData\Local\Temp\Let's%20Compress.exe SETUPEXEDIR=C:\Users\Admin\AppData\Local\Temp\ EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1731871069 "
      2⤵
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      PID:1232
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3756
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 9409ED3E0B991AF8AB7A4767706F5756 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:3456
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 058B8E5205E3799F52A24681E2F35139 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2160
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssC3C0.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiC3AE.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrC3AF.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrC3BF.txt" -propSep " :<->: " -testPrefix "_testValue."
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2696
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssD4CD.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiD4BA.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrD4BB.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrD4BC.txt" -propSep " :<->: " -testPrefix "_testValue."
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:2808
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssECED.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiECDB.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrECDC.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrECDD.txt" -propSep " :<->: " -testPrefix "_testValue."
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:544
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss51E.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi50B.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr50C.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr50D.txt" -propSep " :<->: " -testPrefix "_testValue."
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:3492
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss1D6E.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi1D6B.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr1D6C.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr1D6D.txt" -propSep " :<->: " -testPrefix "_testValue."
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1668
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss839F.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi839C.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr839D.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr839E.txt" -propSep " :<->: " -testPrefix "_testValue."
        3⤵
        • Blocklisted process makes network request
        • Command and Scripting Interpreter: PowerShell
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:5060
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
        PID:3500
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 23C4FEED6DF47DEC0CA720BCC30DA21F
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1300
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pss5E89.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msi5E77.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scr5E78.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scr5E79.txt" -propSep " :<->: " -testPrefix "_testValue."
          3⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:2896
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      PID:4540
    • C:\Users\Admin\AppData\Roaming\Let's Compress\lets_compress.exe
      "C:\Users\Admin\AppData\Roaming\Let's Compress\lets_compress.exe"
      1⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of FindShellTrayWindow
      PID:3424

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e58538b.rbs
      Filesize

      22KB

      MD5

      dbb58c8c24dfedcd364e350f8de2642c

      SHA1

      99bbf3fba1c44d46e44d81637aa64336265051e7

      SHA256

      005c250b2dfa693de242a7aeed5dd476e355470cfe5a4bfea67cf7e025cd838c

      SHA512

      b441548e596f185db195369525d9d6e30a09e6b07733897b0aeec197dd722194c83ed71b91cbcea440723869ee5b110394cb24cf4ced6ad0c533cb7b24f52436

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\357F04AD41BCF5FE18FCB69F60C6680F_0874219B044A8B455E064D4219E8929B
      Filesize

      1KB

      MD5

      16d4da58a3b58f4db7a95e29666c2fc2

      SHA1

      bf69db6b9eb499b1e8bb85272032340e886f1e56

      SHA256

      ba9c8afbda994c10189533e0716fe42ea22bb71438545cb780cd4f373a176d29

      SHA512

      7d358e5c114d1db1a7990e65bff450165849c53330630b525c96cfc6d27fafda56f9d1b0d9f73bc36d1d0ec6da6cae7cd323ed529557b09385fc0066b4c0ac16

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
      Filesize

      1KB

      MD5

      acbdc73e931727097753d736ee7aa15c

      SHA1

      a3942557863e6936becfcf04235f25765bb2ea06

      SHA256

      9b8c46248f3aac5ee867c2cbffa758ac8124f52bc252c86813b1addf33d9a9cf

      SHA512

      a241fee800dcda3d7806142c8bbec6a25d2453c56701917b477da8b6fac8a4fb0cd457f82a2501d16651eaf419ceb88217005b7cd2ce0396303a943f72ca6426

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\357F04AD41BCF5FE18FCB69F60C6680F_0874219B044A8B455E064D4219E8929B
      Filesize

      536B

      MD5

      6b43045b65439a4c53e556d80f204b96

      SHA1

      9cff56acb7b1b2720004cbf7a301eafaee5fd185

      SHA256

      d2cc794036a4fe011bc48633e333770c36f2ffbbfecc0b7456e17284035b07fc

      SHA512

      9dfe87db31c62ef34f4868ef7783f5b53a53101d70416005674a8dcd1a1b68036fcbbea9a4c5f725ab46e8a2ce660bdfb5bd1fc872563bb0067f8d8180c982d2

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\9CB4373A4252DE8D2212929836304EC5_1AB74AA2E3A56E1B8AD8D3FEC287554E
      Filesize

      536B

      MD5

      4aa800308094ac7df8748adb00f5a5ff

      SHA1

      8281a96304472d445983d47b476f7c0a0ff39638

      SHA256

      f914a5197f0409cdf9360e02fa045067d0a33fd9f427acebc73104161f63df54

      SHA512

      8fea0655959e1c2ac96958a922f208158f1fc48bd5a5d7134ce74edddf65c50d49dd8b8a96b522c8c893a2072d0a68437587484a3d62b1a2c009fe583c66afdf

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      92eef7ded7de5d54d39e94d63a3b4d91

      SHA1

      a8fbbe331b1aabc07b708e97546ceafe1a276e5a

      SHA256

      eb65b1cbdbb2dec85b329b7355cd0b1f896573b56799d4c31f1aa46954620249

      SHA512

      9f17a993e20c05692d78db970d08ace77a4b0eacd859dcf219a7c858d3a29cfae48a6ec6020bac7d909a6f03976d509e7341f89fcb67ae5437cac5c3bcb7b5e2

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      19KB

      MD5

      2adacdfdab10a076c6c608d73f443e9a

      SHA1

      f06e427ee818fe733da5051a8e08f9357b2c2b4a

      SHA256

      883c478b6c89e57d82e74b1392029576fe0ba0592f681761b51f3aa2b3cfc173

      SHA512

      0e3e1a194257d998fd5a031fe57a0405238d56597cb4f12853530ec85f974b8f020f1cedf3c57cd9e110dd2718db42f446d9c567d8ab41adeef6564facd3b9dd

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      19KB

      MD5

      46e3310c8a85f8ee21b4cce5aeed33f9

      SHA1

      21240083683181b83e786cb0a24ef8ff2500e8d5

      SHA256

      814e21c4bee4614334a55ffc35304fe4dc3a8c268bbba9dd966a1f74d008d1e8

      SHA512

      e9f4be1824f954f436825094137ba94c46af6d4cc8816a92dac001606dcbe67b6362c27a8d54c7e8b35386d354ba82cd3787b8ea593930a320ef693c93c3ec36

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      19KB

      MD5

      116d5bf11b1633d14184f7aed8750c1a

      SHA1

      c2c0a224a8fea2cf92629102e5eecd1b4af1cbd0

      SHA256

      b372e6bc41f7cdd38b15c4bee72b250e3e8411c368982961fd5969304f803ade

      SHA512

      60d340e7692d1c89579c88abe6e65823feb88a4ada78c6c56bf4a3c76b15c2b761b90dfc336b142ceae7509ce4229d23bc1c36696ade3464d227bbc4606f640a

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      19KB

      MD5

      a1b0458c2914704c99b5b090093e5a4f

      SHA1

      8c845c2e8301733ba02e33210e3cca9404496c9a

      SHA256

      74600e8778b465a4d95b82f1c5bdded4556746690e0aeb32cd0df01501cc415d

      SHA512

      97898847dffda81c91a765aa379b95b2bb09fe4f68b02837507a9c4fb0797926513ba891b550115649e4b441312bed055a534657b9afc357234fdf7320a9aa2a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSIC005.tmp
      Filesize

      386KB

      MD5

      72b1c6699ddc2baab105d32761285df2

      SHA1

      fc85e9fb190f205e6752624a5231515c4ee4e155

      SHA256

      bf7f6f7e527ab8617766bb7a21c21b2895b5275c0e808756c2aadcd66eff8a97

      SHA512

      cde1e754d8dfb2fa55db243517b5dd3d75b209ea6387ef2e4be6157875e536db2373f23434a9e66c119150301c7b7cdf97de5a5544d94c03247b4ae716cbc170

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\MSIC395.tmp
      Filesize

      670KB

      MD5

      846afe3ed676561d5f2cb293177f6c03

      SHA1

      bd31e948dca976ab54f8a01b87cbd6920659dc92

      SHA256

      d3f27a9fb0862de63db0e05de28a02c7913139c10440e0b9bff25c76a90806ed

      SHA512

      e5c10552930223fc818f5e973de482e0d9664defa3771be208be05dd944bef2ae279285a14ac0278ff4cc9d7384e4811e46434018dde314d6150855d9238457e

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Pro51F.tmp
      Filesize

      25B

      MD5

      1b43037b95cb93e3ecc6b8b52d222bbb

      SHA1

      bada46a26d7531bf320308f1ec9dee2257811ec1

      SHA256

      a12412aaafbe703d3cf088a104de212bcec0b1dda826957a18a093e1fd353037

      SHA512

      ae8c4c36081e29963b8d5d05db81f4dff5dc8a877df912e14bbe2f4d594004a747a8585c962dab33ec7a2e3c5769ff62321c5f764668c4e7a052de3e73f2768c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hs3caf2u.y23.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\msiD4BA.txt
      Filesize

      202B

      MD5

      dc0deabc7403be926e4388180d04c50e

      SHA1

      1b8b9320419c3164ae1491587061d2632ff73cec

      SHA256

      884dcb3a49831d2fe08e9c6190b4821a927e5a327d0d73f6aef7cbbf6f448fc0

      SHA512

      681d991009e83844f75b9ffede5180650995acdfd935556705e8594385d3cac4109efaf4924d889e89f22cc7ac708c8f1a22ccdfbbb7baa083cf458833f9b4e5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pss1D6E.ps1
      Filesize

      35KB

      MD5

      4a5e7ccc783aca1dadaf19400bb30243

      SHA1

      a65e5cab0569abe833b0201ebbc381753501a247

      SHA256

      d5660753ec720c3761c2df95279968257abed016b4aa890cb858a577cb8d5954

      SHA512

      b3e53c2ebc7f0ff8019e5afc1cd724143f1c3718a5a98c65b51da9666a3059c4836b950a9c438d45c68f8e731f4b3de27246bc22f45dd46593455ccdaa1dd931

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pss51E.ps1
      Filesize

      35KB

      MD5

      1771da38a05dbc54dedba7bb06b0c719

      SHA1

      9582f4cd02f7c17a4f30af5bb1ba94e3fc8df727

      SHA256

      e983eba5229fd09430d942005b6873aceb7910ce5378ca2ee5991be0f8905028

      SHA512

      92adec8d4837c4792f04a2c079b42a973da0a1d36da5846dbd4c24ed7286369623f16d753190c5deae945349e5b2c21b77b2a59d69d814d1b75ddc699e306aff

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pssC3C0.ps1
      Filesize

      5KB

      MD5

      8f69da7a9f4b3c2d0f423583b262ed49

      SHA1

      b6d2ceb18fe78d279f76f412e4660bff5f6a88c7

      SHA256

      dc6b6e1812f41c80ee67a72ebcb7a999488c866d805354936fb7506667005b43

      SHA512

      71782d54137e87ec8d4311adf83b9b269aadfcba55b753ce8562d0fe74cc95f00118b01f3139b8ff0a142156d6461bececfc38380e9acd0c117b2fff0e846edf

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pssD4CD.ps1
      Filesize

      35KB

      MD5

      921c1530f468a03721ad3b5778ff21c4

      SHA1

      92ec47a71e3a5dfcf4afef6a04087b50451ae46c

      SHA256

      c1fc70194720b6984284845817d40e54d51588156a0cc6a49fe888c1bba9bf0f

      SHA512

      90d33523b37014c3224312ae5a29c769eeb9505faa79e5fc286187916c8cc0e18a44c09a3b671a77972d97c473598039289764ef4beed3450b5691ebad1fd559

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\pssECED.ps1
      Filesize

      35KB

      MD5

      0791096e8b998a86a3a8d11256244059

      SHA1

      b38c9b06c02738db0182e806d766370ae5439362

      SHA256

      975cd5eb18dee3067e12bf7a0609ab53b3bb1e68c48337647b3112e20f9fb8e3

      SHA512

      5f6c7bcf95dc71d732c3bc89e37ca94795962715f8fe2d183e23f07215cf018c6a56d01dab2deab1707898385b3dc9f1b56281096132d5b927a1260b6b7ee3ae

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\scr1D6C.ps1
      Filesize

      30KB

      MD5

      0aeaffae4dfae7a6881f9c4ebf793fff

      SHA1

      ce85584d4e97649681256f76b9fad523ab943eb6

      SHA256

      456620d70528f746a9d7f4dfe6de0a17b33b4f18606fb71a7dbcd2f275c63dd2

      SHA512

      0e10bff3cb045ec46ffe90b60579654970ccdfb1e333aa3372f8601bf5a8941587408b5249ba14680c4beb9e8f48f7b54db9fe85c580fd9ecaabaa4f96b3d8e4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\scr50C.ps1
      Filesize

      30KB

      MD5

      849c1e53d083ba3303ffb0e452d5a3ba

      SHA1

      636df73cdc17565438fdcc1c83f412707ec6ac7b

      SHA256

      ed1db5eac86be404d164953f67c0fe49e1dbe773fcea1306a388ba9a69bde454

      SHA512

      045d22dd1a960705612b7c1c54e98dfa63e6bc47902cd21e71b911a49895f0b08540323f249c18cae152033032de83e0ba955ea21d4193899136811111c1d3dc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\scrC3AF.ps1
      Filesize

      1KB

      MD5

      112071ff00de034a6d5a4738d0112015

      SHA1

      f4dadedefebb237a3da3a8d38fe7cd1890f5e999

      SHA256

      caeff8215d14706bb3de55f6fe8811f22ae36bde28a619f48480596ab93514e4

      SHA512

      a784445f14a20d5ff5cff5afc7f3bf2cc8a11dd752a728e3d09ff10282954eb0018d90ebd621b98a07ca8e022adbe63643c11a7e72455ce6b899c1d605016dcc

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\scrD4BB.ps1
      Filesize

      30KB

      MD5

      293c08e42d131f47adcb654164db8691

      SHA1

      b621e8a63a9dd801cb669e5ba11bb04f0de5407a

      SHA256

      83a430db3c56e3637873f292b90cb4e643479ee9d8fff8f4f00b40e9ebd3f606

      SHA512

      9d8f9d9896badb302ced635e658ef899fed4e1dfedaf14af075691e50f2682e25b27ae8d7210eb4129ea244335e55202d82d7e727cca5ea15293f06e1e4620e7

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\scrECDC.ps1
      Filesize

      30KB

      MD5

      32a9a87385259b48bb0e1abd4208047b

      SHA1

      ccbbb91ba87b695cd1a8f9d3e41e617c41d17d0e

      SHA256

      bd9de559cbc14abbd1be0f514137a908e557eacd53b660f117bbf8cae05c0988

      SHA512

      3ed049eef080021a4b6f4e40ee08e1ab5c8bc0a4b209bd2e96431db0b9f0c18627ec98603da93915927df9dfd4876944786c280181c39609c0e42947048df132

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Let's Compress\Let's Compress 2.3.26.0\install\DC99C02\Let's Compress 06052024.msi
      Filesize

      2.9MB

      MD5

      6e0a0b2f7c7ecd3556ec495aedc3d2c3

      SHA1

      13e1b312e594a1b35602391e32334080dee68eaa

      SHA256

      f1fe9acd58595bc3c85275ac9ba790c7bee2e5d00c8e5b42298f77af00ed7e0e

      SHA512

      9513eea25c77bfa01eddb918c87234a9e1cf2fc753ff6078ea040408c7978519f896110a4b8446b3075f9390b6662bbd2a7fb794e064142006dc8238427f670b

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Let's Compress\Let's Compress 2.3.26.0\install\DC99C02\translations\qt_ar.qm
      Filesize

      156KB

      MD5

      ced94831acb03de85d682ef997425446

      SHA1

      bdcb654b0b665e7e222343b24224c5e1620292ba

      SHA256

      eb09d3211567f7a0419738a8b29c8f8dffd33a72cc7826f8a06b04dd63e7b80d

      SHA512

      7731afa705de33543d0db78ae8a2b1368977abac302a005733be861b80f8f23acccb94c106d7f7006299689c506ea861877100647968d264225ce9c3d804b37e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Let's Compress\Let's Compress 2.3.26.0\install\decoder.dll
      Filesize

      206KB

      MD5

      9d45f2790dda55df2d99ef66dcb2019d

      SHA1

      f2a369c1b82476e2e0641f95394dd4dee8223f01

      SHA256

      9b7ff49f7e1d0a39826ec458c8004b20a65a4bd0592b083f38b01e2dbc2b510f

      SHA512

      9bef561ec6908dcd7e75f5f63cff8b1ec73e9be2b4e4aa5602182cde18d691cc28259b980c87246c5d27b4284bc783fba44d92a202f77b15f3e65c89dd3aa069

      Download Submit

    • C:\Windows\Installer\MSI5570.tmp
      Filesize

      544KB

      MD5

      40117f705bff008c3d96a73162dad044

      SHA1

      2735813836f36b5de83a745c47628053a0f61f66

      SHA256

      32211c43bcfee2ea3ae54899af178d1fc0c2b1111b2a9e3cc3fd125e1ab7daad

      SHA512

      eace1d55d479c4cf5692ec1dc98a6738e94874901bebe14a0a0a93eefd00fc4bd55a701e4629a1f7c47f72ac91fe3b698d590a8463119998852e05d6682f91a4

      Download Submit

    • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
      Filesize

      24.6MB

      MD5

      7700e771ad8ed721c0842ffcc4ea1d55

      SHA1

      60d1b50270079f29803b4e3a90a5e5337004606a

      SHA256

      f8578ad63146b8d4c06a617e67bc4fe3d3e10a65bb21b769e61a5235b68ac532

      SHA512

      7ab3359fcda127b729a267849e69695697d95087c64f32dcfce7906025169515052fcbc7e46d7ce6bba63c756aee00880427eff43d974791633f2c996f2748bb

      Download Submit

    • \??\Volume{3f575a23-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{63d8efca-6658-4ea6-99b9-e77a480b7b28}_OnDiskSnapshotProp
      Filesize

      6KB

      MD5

      d9bcdbbf1607f6681710759a5211d118

      SHA1

      13bb878262310d46747dfd59b50d9cf49012ba3c

      SHA256

      e69b629b9f19ad1cec5c0117f248e3cc2ef06aa5aca6b1345442ac0af5ba42ec

      SHA512

      82ac1435afcc99cc0de26e6430dae39add065298e66196371cfe02d62e2423d2a1e99bf8703e761fc9620de0050ca4a73c323a391426c69b5eb01ea0ea20d989

      Download Submit

    • memory/2696-94-0x0000000005E80000-0x0000000005E9E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2696-81-0x0000000005180000-0x00000000057AA000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2696-80-0x00000000029D0000-0x0000000002A06000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2696-117-0x0000000007670000-0x0000000007694000-memory.dmp

      Filesize

      144KB

      Download

    • memory/2696-118-0x000000006EE10000-0x000000006F167000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2696-116-0x0000000007640000-0x000000000766A000-memory.dmp

      Filesize

      168KB

      Download

    • memory/2696-115-0x00000000074B0000-0x00000000074BA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2696-114-0x00000000073B0000-0x0000000007454000-memory.dmp

      Filesize

      656KB

      Download

    • memory/2696-82-0x00000000050E0000-0x0000000005102000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2696-113-0x0000000007300000-0x000000000731E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2696-104-0x000000006ECB0000-0x000000006ECFC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2696-103-0x00000000072C0000-0x00000000072F4000-memory.dmp

      Filesize

      208KB

      Download

    • memory/2696-101-0x0000000008380000-0x00000000089FA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/2696-100-0x0000000007750000-0x0000000007CF6000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2696-99-0x0000000006430000-0x0000000006452000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2696-98-0x00000000063E0000-0x00000000063FA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2696-97-0x0000000006E80000-0x0000000006F16000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2696-95-0x0000000005EA0000-0x0000000005EEC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2696-93-0x0000000005A00000-0x0000000005D57000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2696-84-0x0000000005990000-0x00000000059F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2696-83-0x00000000058B0000-0x0000000005916000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2808-149-0x00000000080A0000-0x0000000008262000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2808-145-0x0000000006400000-0x000000000644C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2808-143-0x00000000059C0000-0x0000000005D17000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2896-482-0x00000000055E0000-0x0000000005937000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2896-491-0x000000006ED80000-0x000000006EDCC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2896-492-0x000000006EF70000-0x000000006F2C7000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2896-501-0x0000000007050000-0x00000000070F4000-memory.dmp

      Filesize

      656KB

      Download

    • memory/2896-502-0x00000000072E0000-0x00000000072F1000-memory.dmp

      Filesize

      68KB

      Download

    • memory/3424-517-0x00007FF83F280000-0x00007FF83F841000-memory.dmp

      Filesize

      5.8MB

      Download

    • memory/5060-526-0x0000000006220000-0x0000000006577000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5060-527-0x0000000006730000-0x000000000677C000-memory.dmp

      Filesize

      304KB

      Download