Analysis

  • max time kernel
    113s
  • max time network
    108s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    24-11-2024 06:11

General

  • Target

    dac11aa9a60e91e8370a216e95c059758a3dd0f960d354f71c7975abac675122.exe

  • Size

    1.3MB

  • MD5

    6036ccabba8a405dbc98cfa3171f4019

  • SHA1

    dfffc5f90e5c4f207f5d772a1db64b13b6e003f8

  • SHA256

    dac11aa9a60e91e8370a216e95c059758a3dd0f960d354f71c7975abac675122

  • SHA512

    c8ceb801770756800abf2a57cd2a9e6245acbc7975ceed0adea2ce0512eb07229e452bf5e6e994ab37f7084ed0845f9308f903cba6cd82a36507897d392762bf

  • SSDEEP

    24576:XN4EfsPHd9VbyiKSnKMnsNneRWrN2jHwTxbMmgCyq3eca44zpRPtHSr:9z0/0iKSnKYsNn4WZ2LwQNGeca4aPl2

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 1 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 33 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dac11aa9a60e91e8370a216e95c059758a3dd0f960d354f71c7975abac675122.exe
    "C:\Users\Admin\AppData\Local\Temp\dac11aa9a60e91e8370a216e95c059758a3dd0f960d354f71c7975abac675122.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2632
    • C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe
      "C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1844
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop MSDTC
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4376
        • C:\Windows\SysWOW64\net.exe
          net stop MSDTC
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2848
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop MSDTC
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2932
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
        3⤵
        • System Location Discovery: System Language Discovery
        PID:984
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
        3⤵
        • System Location Discovery: System Language Discovery
        PID:4860
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2840
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4128
        • C:\Windows\SysWOW64\net.exe
          net stop SQLSERVERAGENT
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3484
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop SQLSERVERAGENT
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4692
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2384
        • C:\Windows\SysWOW64\net.exe
          net stop MSSQLSERVER
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2772
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop MSSQLSERVER
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4988
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop vds
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4232
        • C:\Windows\SysWOW64\net.exe
          net stop vds
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:3400
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop vds
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2548
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2076
        • C:\Windows\SysWOW64\netsh.exe
          netsh advfirewall set currentprofile state off
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:4204
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3460
        • C:\Windows\SysWOW64\netsh.exe
          netsh firewall set opmode mode=disable
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          • System Location Discovery: System Language Discovery
          PID:3640
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop SQLWriter
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3064
        • C:\Windows\SysWOW64\net.exe
          net stop SQLWriter
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3980
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop SQLWriter
            5⤵
            • System Location Discovery: System Language Discovery
            PID:2412
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop SQLBrowser
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1064
        • C:\Windows\SysWOW64\net.exe
          net stop SQLBrowser
          4⤵
          • System Location Discovery: System Language Discovery
          PID:1228
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop SQLBrowser
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1232
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
        3⤵
        • System Location Discovery: System Language Discovery
        PID:1088
        • C:\Windows\SysWOW64\net.exe
          net stop MSSQLSERVER
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2188
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop MSSQLSERVER
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4544
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3708
        • C:\Windows\SysWOW64\net.exe
          net stop MSSQL$CONTOSO1
          4⤵
          • System Location Discovery: System Language Discovery
          PID:2692
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop MSSQL$CONTOSO1
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4416

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvDX9.x3d.[[email protected]][3B12106D].locked

    Filesize

    768KB

    MD5

    50e091893eec02942c29f6c49a754153

    SHA1

    c644569e16e59893a6e2d1bc36c55b7d0e956785

    SHA256

    1da77d5d2c4244b5b78af983a92ee56289d3910c77efae1db1daae77aed24135

    SHA512

    c61a7f254e5de6d88e80ff0304d7464a23003530daec45fa704d71147ee4e223aa107a3fc9196cd9a42b198c0de3305eff396c10c4fae7484a51c2d9d504962d

  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Locales\vi.pak.[[email protected]][3B12106D].locked

    Filesize

    384KB

    MD5

    37b28f6df0c2d289e2e44ecf7396776f

    SHA1

    a16e5d63c1b7cf3aecedb9ae158bb258e97d8a1d

    SHA256

    beddf0c17d38d8529789a228868fbe53ecb4d99ab4b41741bbe734f18d842956

    SHA512

    5552c1906b21ee30a540617f77554bf983403ba3f4ef7939ae1a895de348d6da6883b89942ae949c8fe68b208092f8608d78e2e2e54a11d98f5a655bca7a7657

  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\bn-IN.pak.DATA.[[email protected]][3B12106D].locked

    Filesize

    975KB

    MD5

    fb8ae7b2f5d1004b7877c4b1ba47ff84

    SHA1

    462684bf97c715b45ee3bc6107fa907b1c41adfc

    SHA256

    2cc2c3f09dc97420c0a25619dc396d80f8bf1bc2eedb02bec2d995b1327da927

    SHA512

    fa5cc09f861a99bc6bc6528e5a052639010250125612758ba28b5b123afcb23df47f56e20b9f21abb5cd09be15c560ba75feff1f35b6533009ca5ea0dcdca369

  • C:\Program Files\7-Zip\Lang\hu.txt.[[email protected]][3B12106D].locked

    Filesize

    10KB

    MD5

    c3d762498176ceabad71bec8643bf11a

    SHA1

    244e8cff263e1dbfd3264580e6bd300ea5ed66a6

    SHA256

    befcd539a39bf5bc41037fcea1a913e44e505d97203285d712a7891804f517ba

    SHA512

    8a38d53ba8e0d1fc2494deed1284e50716465c4f802fb4c1ee5c58f327e4be044d0ee07bded41bd03abd957a9d16710747e6c6e967f43cb956da7fa217cfa835

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe.[[email protected]][3B12106D].locked

    Filesize

    2.2MB

    MD5

    f7b9d3776eb72491f941c0598cb38061

    SHA1

    5b079baaa1d0721bcb326f7b7550e7da7504b2f9

    SHA256

    e987bf0f704585a98b7381e33505388450812b225c318485a086baba42bd6a7a

    SHA512

    11186622029d6ed9ec6ef07b7b36949eddbe82c19512705738a6e9863205b748f28b3110d66fd9c0cfbabb00abecd302c14e29cedf23329406706036920e3a12

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RCom.dll.[[email protected]][3B12106D].locked

    Filesize

    2.2MB

    MD5

    e40a10282070629c0a7579b33e7c4d88

    SHA1

    d3efe5345ea76009d25d2b52f979752ec0831b13

    SHA256

    b02dd109d66f892d98b3542e1b97b9c1a1964dbc980b397bd77e85ac42b7ea49

    SHA512

    bbd125e92aaddf726e4a9c4453a8d4aef1a9968acbcf685daed00fea4e32084d29de96ec461a6f12a96dea0709a10fc7bb4823ae2ae77482eb573fee2dcb0ec9

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\vccorlib140.dll.[[email protected]][3B12106D].locked

    Filesize

    358KB

    MD5

    f60e82c21efa661cf93fab0bd8458b3f

    SHA1

    0f89994172f20ca24be04dabaa7b60134ad96f12

    SHA256

    067270781959f9649d528de0c8c76ca6d1f6494ffb24b713708d8fe7269a0a28

    SHA512

    d11b2bcc6f8c162168208e931cf0a528142c8cceef474c872e6c5cd4681a82d638dbd3d2192fc31f87b1e9087c6415954ffc8631897fe7a922c14555f0518f11

  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\fa.pak.[[email protected]][3B12106D].locked

    Filesize

    717KB

    MD5

    dc08fb1bfaf9ad3c13d9ad0c7adb673d

    SHA1

    085c0f45bc78897db31075f28d825507f56c8546

    SHA256

    7412bb81ba387dce8fe79fd6a2a3e5a8b46039b046280a8c7e16f45353a2efd5

    SHA512

    692f6cd12dbcbecffaf7b6057e2eeb92fc907f964340410a34eb719dbe6e00200c73ee171fba3c8a04d91d48a78aa7a65b09f0f1e8ac1651ad6fd7015b259583

  • C:\Program Files\Java\jdk-1.8\jre\bin\dt_socket.dll.[[email protected]][3B12106D].locked

    Filesize

    31KB

    MD5

    9de53883fb7947780a13804f15866cf0

    SHA1

    6b6c4fb8c851c4579b22dff3896f8717c408eef5

    SHA256

    223db2a5d3492502f25746a04db3e9a3a98d6d09390d5fa6d5baf25b7a195a07

    SHA512

    1df76c89d7f9f955a2741b34dbd3ba123450cb5b94d8968260d0dffc9bec6799d7af399880ad178e55cae1b3ac4686b0c0a19d95902ceaaa193ac73867db5942

  • C:\Program Files\Java\jdk-1.8\jre\lib\jfr.jar.[[email protected]][3B12106D].locked

    Filesize

    561KB

    MD5

    e06c15304917bc3dd292756081b927d3

    SHA1

    7949478ea0b9a69cb01b8f1d2ff10c409a6cc1a6

    SHA256

    ae4682cb0f5447d7d3e95030e25ebf01a13980812e392b8c93349a439a23c6f6

    SHA512

    6a2b89b799e8df77c348ac39d22539331052f2ff04e885c24eb6356c0d6994a023dbfcba6bb67051cffc05d825be35fccf3783c44d1c763e57134892f002f1b5

  • C:\Program Files\Microsoft Office\root\Document Themes 16\Organic.thmx.[[email protected]][3B12106D].locked

    Filesize

    1.3MB

    MD5

    cb90bfe5b43b99c08bb76c698ea69f75

    SHA1

    6f965734311b413818ce47ebce258448d788f4c7

    SHA256

    b55eee683b1a3c2fdccddc96997a7a3809592457e7a6dc5939693c8d6a69c161

    SHA512

    5a99d8f72d63e5d4d922525eb47a7bc5f858b58b67d173eb0b02fc53ad067fe1882e0e076ac45f6c58527fb17f6d9edbe482e2378f35a3342c3f7b32b4e03bd8

  • C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Frosted Glass.eftx.[[email protected]][3B12106D].locked

    Filesize

    326KB

    MD5

    61f277388f90b5e5f0cc694b07e9e2a1

    SHA1

    44b1690cdcd75199ba8db48216940ede520b4aa6

    SHA256

    bf0493a3892a8a5be1f5da8e31c8c62c2d6e0d589f746c1f1a3e7d1f437ffd23

    SHA512

    929f323a8d83b46c0476ff74bf5e17fb492f3f3d3a2b5d843b4d847345f950743ba78ffbce3c6791e8e721a1dd7949b91a559e5804f00b4df40f2597e716ec0b

  • C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Glossy.eftx.[[email protected]][3B12106D].locked

    Filesize

    327KB

    MD5

    7f81feef9f9a24192b43a9af524ff472

    SHA1

    a946059c83d8074f87b03d96eacd72de9d2752b5

    SHA256

    032a11478e1bc66578e754a8d945d10aa331272300090b20a15ea41a5f9769b3

    SHA512

    9905d07ffee8b04896c4df8ba63393e7215a581bce2b6caa62955a01fb522ff8f0803ab5815eb316fd72f7b47abfcf89b5e1fc3b52e4ef8113501f9451d35229

  • C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Grunge Texture.eftx.[[email protected]][3B12106D].locked

    Filesize

    344KB

    MD5

    54ad1600430e5f2d952d5fe658a42082

    SHA1

    f1518dfeab6d19528772e9f0e11ea5201f5c0476

    SHA256

    73e5b03d2b28520bfaf5557b130d8b3e5f9e4b3016095731206c3a0b1c376433

    SHA512

    5fd8073f3e60dc10beb735672239ede03726d3c6c9af5c59aaa350b3eba1a53caf4523367d3de1a77aca54e33c1cc0bb13a722b88acf4cf10648bf13cff0bc28

  • C:\Program Files\Microsoft Office\root\Integration\C2RManifest.office32ww.msi.16.x-none.xml.[[email protected]][3B12106D].locked

    Filesize

    331KB

    MD5

    bd5df1b3ce14a017e89e94f7519b3128

    SHA1

    d99a9c538002be1d6910f1f7fe7ffa58fc795444

    SHA256

    19777bd99bd7e41b030fc297e190df3f3d0f7bccce8717f6eea3896d48d522ae

    SHA512

    e982cb0c4bbdaf02e3ee4ba5f35009be31cac912d96870ee4fa21125b78cc5b3d3c5cb21a3cb5ebd4bb99fc82d8830d9a3ec9825b0a082012518421e4b2b5562

  • C:\Program Files\Microsoft Office\root\Office16\1033\offsymxl.ttf.[[email protected]][3B12106D].locked

    Filesize

    705KB

    MD5

    07f79e6ebc2d93dba4d45a61341c3768

    SHA1

    379f1b1e01f2d4b833f27e58ebd0c87482fd6d7e

    SHA256

    6c46683fdb691b5e4b3f9eb6db139e42bb21def8a308d6fd795c688e714ce07b

    SHA512

    376b78c4f302dd14acf31d00bf71c4a267ac151f58684f7f206fff83adb83f0f7e24683918a7ba2b47d3c4e598153c1e966cd096f33cb9479516f40b3ea4ec40

  • C:\Program Files\Microsoft Office\root\Office16\ADDINS\MSOSEC.XML.[[email protected]][3B12106D].locked

    Filesize

    454B

    MD5

    9c35b2ae3f9d92dc3795e5fc7b77c6bc

    SHA1

    ea948c00a43fd2d5b8c41e78aac8e8e4bd0e7da5

    SHA256

    8bb0fb916f2af3eb8b4ceba3e39fc781d3f2cbec1a86f6a9ec5117a78fc15bba

    SHA512

    f1a8b353b903ee24b7c5a3619b3b1447f9f6c9ce03a200fa0c901f3e9347a1f2b2667266232fcb95818bc26444ab33f0f585a35e2682a2d804c905343dbc3593

  • C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.AnalysisServices.Excel.Common.FrontEnd.dll.[[email protected]][3B12106D].locked

    Filesize

    1.3MB

    MD5

    8915ef639dc30e0ed3d7df4fc1a051a1

    SHA1

    c16c002d60b03d1dccbfd1b2980c1e22c3991a64

    SHA256

    d102ce00c4098335f768aa64993e76726e9d8edde381675627f00f1409f35cd9

    SHA512

    d100575c8de6166d3a3324b1286962f231fb466a600d1c5ca70e346f9095cf4fb4c0ae28980c40de210e9b0216afd9c1b6e78ec60aae88e79095db9fd91d068e

  • C:\Program Files\Microsoft Office\root\Office16\ADDINS\PowerPivot Excel Add-in\Microsoft.SqlServer.Types.dll.[[email protected]][3B12106D].locked

    Filesize

    68KB

    MD5

    6ad26818d7fb1a9c8a959524ee87f803

    SHA1

    92fedfdfcd1cea2778b1f2930840b4572eae3626

    SHA256

    6bac6d9a618db15498b09267efc42377739c4a0f8733ec82725e3ba47c683f4c

    SHA512

    436e409c57cdba366b39bba5a5f1b4c6cf079ffacff222f9797907f432d293a8fdc3ac48215cdfa284f1ddbf28a4f4993a700ddcfdef9d2c9aa05cf031d0070c

  • C:\Program Files\Microsoft Office\root\Office16\Interceptor.dll.[[email protected]][3B12106D].locked

    Filesize

    880KB

    MD5

    01b58221dace62d89bc7c589ee1781a0

    SHA1

    fd1fa0761ee0bcb4242022c5c38e8dc6ba12de9e

    SHA256

    e6ee7ac44510c0e893115a05110f47752f2bd7f4f3bc601d4da0d01a594e8748

    SHA512

    c8aa805e167488ebd85d01bf7ce36a7e7f98a94fd5cf137f9ddde2dec81532f172d6221ea97fd3229bfe60437b1cd6ab74d07d5cd1217d10569e2ced9e8e2e26

  • C:\Program Files\Microsoft Office\root\Office16\OFFSYMXL.TTF.[[email protected]][3B12106D].locked

    Filesize

    735KB

    MD5

    bb8e6240ebfae92807a2bd0feaeeae3e

    SHA1

    d3a37d87e90762a1aaea32c305212ea04f8a6d0a

    SHA256

    853d71f98db9426f51b2d6d6ff7caf073029bbba8df5e0ed3c12277c5094e1ba

    SHA512

    48ea759d6ae5cb5f076c7755dd9b3fb6c42772edd39b0c12fdbf72c160bcd6486d6fff9ca5d889f7c0efb27a2af2f13185ba09063d114919d278df77912edb99

  • C:\Program Files\Microsoft Office\root\rsod\powerpoint.x-none.msi.16.x-none.tree.dat.[[email protected]][3B12106D].locked

    Filesize

    128KB

    MD5

    4136a35af7f137f2f3e459df44b66441

    SHA1

    4d240051a2550804a172a6069ff530c385fe67d2

    SHA256

    38a457f21adeda1e652e4274b45b4f31eb0c5bcd4755075443bb22c2f39a6d5a

    SHA512

    1871f72cc834b9194e7a73dead6b1ed0547a550ca2941b0fe93f9b185bd817a6b8b5dfe4f1b587f091fbaee45ad3b4445b2475a360a7b66e4b89f7f995a08d3f

  • C:\Program Files\Microsoft Office\root\vfs\Fonts\private\ANTQUAI.TTF.[[email protected]][3B12106D].locked

    Filesize

    14KB

    MD5

    4febdc56f1538fcb38e271faf0d988cc

    SHA1

    3eb83962e72a1dc276249d590f68fe82b72efe40

    SHA256

    94f0dab02f67a181541ca8966b5699db98c4b11d57e6c9b1cede155309f76829

    SHA512

    13f5d4d2f9fa996c5b4c18040f0bcb51fe465c4241ba8df38d3dda306b38c4f4f78f31b492a2623c20dacd13e18825ca18387ecdc2c0e0a39ac9b4a8d9dd9994

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ACEEXCL.DLL.[[email protected]][3B12106D].locked

    Filesize

    515KB

    MD5

    3c69e0d6a35976bbf051215665a4ddd5

    SHA1

    dba471dff0892060eae3879ee10a07ea1bcbccb9

    SHA256

    2050564d6d0a0ed86b868be49c724275d1e9d2137a142103416a4128c08c9dc0

    SHA512

    ec6cfd274f7db9692534bdc0ea613e963cba167ef2ac2511a12060ace90c95b656221fbd8ca2eedc5ab6b3a4e2a9ecf2a429f254bdec39ebaae997096b98a9e7

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\concrt140.dll.[[email protected]][3B12106D].locked

    Filesize

    320KB

    MD5

    afbaecc249d85570f37df50d87c62db9

    SHA1

    f4388897f298d148b63eba90966ad9ae53d9c1bd

    SHA256

    badc086b6544ea5940f54c98252b07f4a0c554a343cb97f072a26c10ab561be6

    SHA512

    ca55a1cb3dac8511044f1643e09b5ce283b1cb3a15407011ee959437ea25fbbb2d173e20087553fd2d124f9f19673d96d19805598dc1b83431779ea758474894

  • C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\FM20.CHM.[[email protected]][3B12106D].locked

    Filesize

    256KB

    MD5

    cf0ea9b2e8f57297cfbb7b657fd9f7c4

    SHA1

    4268c1bd078d7dd57e5d735a5c502723e66367c2

    SHA256

    668f2099973b67952fa1fb4862a9ef216472bb4a0ad91d9fadb1d63a734f4cf8

    SHA512

    591fc0c43bd95ca42a392855f7733d90712f0f8d4be9e872860c7bfa7c49ba3c88de145967d7d32ec8bc093dc3ae4bebb29b7d51c761e67006c8dbeb63a51bf2

  • C:\Program Files\Microsoft Office\root\vfs\SystemX86\mfc140u.dll.[[email protected]][3B12106D].locked

    Filesize

    832KB

    MD5

    6037787795fd36126c3cf565745f087e

    SHA1

    ede72bfbbd03bcfd1bd22291fe6fc089fe931bab

    SHA256

    99268ded385c6cb2a708b549991a88c68209335532ac98c460c9f6c6a0c89941

    SHA512

    345b095d97aa8ccdd7f50b6dec56185d41d23750371141312054fc46356afb001b73cf9b572d5bd294fb53716975b341d00342d043c83977f413c7a0127b7aa6

  • C:\Program Files\Mozilla Firefox\uninstall\helper.exe.[[email protected]][3B12106D].locked

    Filesize

    311KB

    MD5

    4e93de655aaa2758f31d7db5d9d0bfbc

    SHA1

    3076bc227fe7232cc39334fa95663f518d5a0871

    SHA256

    fe41a1fd00f0825429de4eb4e7ce1d4783509ce0687b3c9978dbad622e1dbd2b

    SHA512

    4388863afa4264d103932719578bcbff5087d7fc7a85305cf5812d9dc8ec183774e6704908112825f60579d59cec74255f6bc628c18420fb0a10ba761613532f

  • C:\Program Files\VideoLAN\VLC\plugins\plugins.dat.[[email protected]][3B12106D].locked

    Filesize

    192KB

    MD5

    35d6180ad548595824174ec35b003b5d

    SHA1

    ed836f8c30aa53e534069aeb6cec10b5727a17dd

    SHA256

    17f3a05035ac827afc7407e45056b3e9d406415f664bc7b603d7b5d30abcd668

    SHA512

    7a5a818f98c20c2f1cba5bf59ee4883d9d13d10fdbfc73dda2ae846fd3e48cbfdb3737e91465f0877ffde9c0da7f0e012f568bff3b55e0f96b7f2b0625e66f24

  • C:\Program Files\VideoLAN\VLC\plugins\video_output\libglwin32_plugin.dll.[[email protected]][3B12106D].locked

    Filesize

    21KB

    MD5

    24cf8a50bcb6d0ccd12600cd8cf8f569

    SHA1

    287d1ad3c01c658d23b92644f82da7e2e556359f

    SHA256

    480b5d7065ca79004198fa7a5ecfde594a0c602b2269fff60a97967d834af82b

    SHA512

    51a181d9736876de6d8633615edefc711f5dd8a591b72c9da62b496e93b8d3ef5fb9a171c4860e58e498818c16054bb748b7ef9670142cb710e286d47860ce98

  • C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.dll.[[email protected]][3B12106D].locked

    Filesize

    1.6MB

    MD5

    7cfd3e6b9cc5b9808658f2355cac1fdc

    SHA1

    e5357641b1b494f2c39080f4bba4916566725e57

    SHA256

    26f607ac5bfe545d7ae2bf369221924e332c5cb59d88c14a3b6a44acaee23971

    SHA512

    8fd1a69d10331cf719cc47cf14ccd3735db8cfb488fdad2fafcb98f24908790d28814888c0ac023f1c9295fbfb90493993800f381dd7d38494398423bd0f6057

  • C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.ComponentModel.TypeConverter.dll.[[email protected]][3B12106D].locked

    Filesize

    738KB

    MD5

    6c4f54c9b4691f17b3d4186123a15163

    SHA1

    1a258e2e5ce4165c0559a9b1a71a6e1ed319d6fa

    SHA256

    2c87fc38d74b35eec283485160c5c87725e370e2fe7b95497a4f0ca7300cbf26

    SHA512

    8d5dc275a73f2f0dfe54b97a277af654a8276a908d4e08787d9b3f01e1fda9a004112ba1dfbf5a1bd600dde94ec9b917925a98e5c1d20a89ff638dfaf63b3bc8

  • C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.Data.Common.dll.[[email protected]][3B12106D].locked

    Filesize

    1.8MB

    MD5

    1a95a9ec8a2287a1cf53f9c64a1a7d48

    SHA1

    760d34c3eeb65b73736fe916bb7f94bb37960348

    SHA256

    3075e29aba9f2ed97e8b15f45dfd695125e3a1ccfb0647badb0b64b8078f6676

    SHA512

    7e6b7114c0d21f9079116938f3c6ff86fdbe79b15bc9ac02a504b50197e43cc3a4630dbb90edc1b6d98cb02787411f764eeb5e4c6aaeafe2298b8d00bb97da00

  • C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\clrgc.dll.[[email protected]][3B12106D].locked

    Filesize

    656KB

    MD5

    a3dedcf98e21cd98551c16573275ebd9

    SHA1

    04420c57599bf157c81500ca246b66982b160f18

    SHA256

    e70be7819f098d740923a1bb02fb63cbc1917f0a27cb1eda55cb55dea9716734

    SHA512

    8b9a7cf41c28ddff495fdb3b4f7cf72e50dc1b65f53f45c6029018a83dfde208f9e0f02d5527c8b5c67c4aa148558b5768f652d8b2ed8a3f4a274d2f34452067

  • C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PenImc_cor3.dll.[[email protected]][3B12106D].locked

    Filesize

    158KB

    MD5

    1a0bfc03184eb14969c8918d13f10851

    SHA1

    453b4790c3cae7d2f8336103e8d1bd87d951b2ce

    SHA256

    df67875d1e5e460fd1a2b483bdbf26d523c72089948d655213fdd45551174374

    SHA512

    3cf4a71217fc11a4a8e2d1c9c7a03f62ed218d68638e99935516e668d0a68e848e94742636b727ba5845ec85d14d88312d6cce216bd1798c537cca0f665935bb

  • C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.resources.dll.[[email protected]][3B12106D].locked

    Filesize

    457KB

    MD5

    dddb48d9852e77bbd9d81ec2a978ab92

    SHA1

    d0fca40f2261217378c433a70e2953f936908b4c

    SHA256

    842985c907d927752538e93d714cbaa1429bff17e6112b2fcc4a785a172e86b5

    SHA512

    a64476e997283950c37622b34cf21e68adfb544e3c3269ba2fa316094fb28dc668264132cb5a2ac97afe7e85b6a3119dec59635cd0aabb5add38d1b55c21ad41

  • C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationFramework.dll.[[email protected]][3B12106D].locked

    Filesize

    1.4MB

    MD5

    7699a6e6049304b6d200433d87ff9241

    SHA1

    2ca1cb0c584271dff9b117916b69748692a7281e

    SHA256

    b31ac033778b0326f922e4a4c441fb888d3ac7b95af50a706a9cd0095dcca8a8

    SHA512

    281d2035c5192bef59122242e352953dcea7904fe5a7b8afbc8483e94befb5f62a0ffdb6fe84e140ad45b279a6c3ca4f7d871a047ec01899b25472e9ea1d92b9

  • C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll.[[email protected]][3B12106D].locked

    Filesize

    2.0MB

    MD5

    e14c9f940baa79c2f8d1cceb087f077b

    SHA1

    ac8a6bd5b9a16c706c787585eb32c02770594086

    SHA256

    48d37ce4b7233e296bc805db9e66289288bfbcc0fa626d7ce1c3f91918e02371

    SHA512

    7f67e541e4505d36edb3da58c851fa1e14bd51fe06b627df43e6cced361f786a07b2bc0287497deab64c87f0b7693542f242ac5d95dbcb34f99c8cbc353e01be

  • C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\System.Windows.Forms.resources.dll.[[email protected]][3B12106D].locked

    Filesize

    362KB

    MD5

    a1cc66aa0fb05d708e71bf52781cd975

    SHA1

    4c73a3ccc2f7233b0fb565b17fcb5e76c6f5d957

    SHA256

    b9768a69698aaa3712b24fc2e69266ce993a7351bc8f261a1a53a08a7014478d

    SHA512

    a48618bbac9e72baa3e356f22e7e97c1939ca67855100d786379329a44de73ad2a7809b9dcb485dd59a552a02ce226050501ebac1c5a6edc3b30fea0d1eade58

  • C:\ProgramData\IDk.txt

    Filesize

    8B

    MD5

    e3a43b27b5231a7cd2c976ef694ca5d7

    SHA1

    3cc2364f916846aeed7568577409c5641c2738dc

    SHA256

    19ac932d4dcb5ab66d4a1772c720cf5fddbb2cd267e7a4ac91d79feb278a1419

    SHA512

    99de210d4ed2cd5f3799ee0ca4a89f4fd147e97cf0357b3ac2a45e1b94914b6002f5a507acdbbc6a06581f94b02b3f0b1a118b8d7777541a75c626499ceb76f0

  • C:\ProgramData\pkey.txt

    Filesize

    398B

    MD5

    7640b900cd23a328d556fc8f0c1a70df

    SHA1

    97ab351a651468ca91f08a378f18d33a3b1faa61

    SHA256

    b349e94be86e29b64822353e9684893104570feb034d14a40cf46c65ec68eb0f

    SHA512

    6a46f7503bef4c1530235a75121d2c69e45f29796d697db726af9e9bc990d0274835cb5f73ba39467f66ecd12a0293db01ac94a3ffd017160fa19cf7035406b5

  • C:\Users\Admin\AppData\Local\Temp\Windows Session Manager.exe

    Filesize

    1.3MB

    MD5

    87efde0aec222a8570a8b60bb4327263

    SHA1

    2c88a8379f607f24301323427a50cea2caff2584

    SHA256

    8ca2cf319849d514ba1b56b400c682328411273847a6f88e91891ae2f8b347fa

    SHA512

    d7ca3438b5ad7cf4925f79a2cdf69d97a6bd6b104a4070c4850558142a1f7d7eb701fc59a65668d1ca7a5ac7d69a491bb143760a8f30665954b3fc6686774af8

  • C:\vcredist2010_x64.log-MSI_vc_red.msi.txt

    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

  • C:\vcredist2010_x64.log.html.[[email protected]][3B12106D].locked

    Filesize

    86KB

    MD5

    a477bc052ce389328a4493f11c448761

    SHA1

    fadfe1856f78fd396f72562e2ef1fa03e9b0eaa9

    SHA256

    23950094dcfeaac2c9d5e0e2a4f7c9d3eef688bd2b6fed9e53ede2456cd4ee96

    SHA512

    15974a6528cb40cad8400f70ee34e462b09e10da5c67ab4ed2ec3cb864048254fc35354e33eb51c9b8e79d600b462b88df4bd7258722b71efbd42e08c65b32e6

  • memory/2632-0-0x0000000000390000-0x0000000000680000-memory.dmp

    Filesize

    2.9MB