Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

08751be484...2d.dll

windows10-ltsc 2021-x64

10

0a9f79abd4...51.exe

windows10-ltsc 2021-x64

3

0di3x.exe

windows10-ltsc 2021-x64

10

2019-09-02...10.exe

windows10-ltsc 2021-x64

10

2c01b00772...eb.exe

windows10-ltsc 2021-x64

10

31.exe

windows10-ltsc 2021-x64

10

3DMark 11 ...on.exe

windows10-ltsc 2021-x64

3

42f9729255...61.exe

windows10-ltsc 2021-x64

10

5da0116af4...18.exe

windows10-ltsc 2021-x64

10

69c56d12ed...6b.exe

windows10-ltsc 2021-x64

10

905d572f23...50.exe

windows10-ltsc 2021-x64

10

948340be97...54.exe

windows10-ltsc 2021-x64

10

95560f1a46...f9.dll

windows10-ltsc 2021-x64

3

Archive.zi...3e.exe

windows10-ltsc 2021-x64

8

DiskIntern...en.exe

windows10-ltsc 2021-x64

3

ForceOp 2....ce.exe

windows10-ltsc 2021-x64

7

HYDRA.exe

windows10-ltsc 2021-x64

10

KLwC6vii.exe

windows10-ltsc 2021-x64

1

Keygen.exe

windows10-ltsc 2021-x64

10

Lonelyscre...ox.exe

windows10-ltsc 2021-x64

3

LtHv0O2KZDK4M637.exe

windows10-ltsc 2021-x64

10

Magic_File...ja.exe

windows10-ltsc 2021-x64

3

OnlineInstaller.exe

windows10-ltsc 2021-x64

8

Remouse.Mi...cg.exe

windows10-ltsc 2021-x64

3

SecuriteIn...dE.exe

windows10-ltsc 2021-x64

10

SecuriteIn...ee.dll

windows10-ltsc 2021-x64

10

SecurityTa...up.exe

windows10-ltsc 2021-x64

4

Treasure.V...ox.exe

windows10-ltsc 2021-x64

3

VyprVPN.exe

windows10-ltsc 2021-x64

10

WSHSetup[1].exe

windows10-ltsc 2021-x64

3

Yard.dll

windows10-ltsc 2021-x64

10

b2bd3de3e5...2).exe

windows10-ltsc 2021-x64

10

Resubmissions

01/03/2025, 18:58

250301-xmhhrayp15 10

01/03/2025, 18:55

250301-xkqrcaypx7 10

Analysis

  • max time kernel
    300s
  • max time network
    308s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20250113-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    17/01/2025, 10:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe

  • Size

    669KB

  • MD5

    ead18f3a909685922d7213714ea9a183

  • SHA1

    1270bd7fd62acc00447b30f066bb23f4745869bf

  • SHA256

    5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

  • SHA512

    6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

  • SSDEEP

    6144:bLUHLyHlwFjxDi2nEZkQ4NXxp0XMgkBWPqdN/jGdfYY7SRA7j4YlvfYAAjJ:4uFi02nEZh4jp0XLuxGdgTm73vL

Score
10/10
discoverypersistenceransomwareupx

Malware Config

Extracted

Path

C:\Users\Public\Documents\_readme.txt

Ransom Note
ATTENTION! Don't worry my friend, you can return all your files! All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key. The only method of recovering files is to purchase decrypt tool and unique key for you. This software will decrypt all your encrypted files. What guarantees you have? You can send one of your encrypted file from your PC and we decrypt it for free. But we can decrypt only 1 file for free. File must not contain valuable information. You can get and look video overview decrypt tool: https://we.tl/t-T9WE5uiVT6 Price of private key and decrypt software is $980. Discount 50% available if you contact us first 72 hours, that's price for you is $490. Please note that you'll never restore your data without payment. Check your e-mail "Spam" folder if you don't get answer more than 6 hours. To get this software you need write on our e-mail: [email protected] Reserve e-mail address to contact us: [email protected] Your personal ID: 046Sdsd3273yifhsisySD60h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
URLs

https://we.tl/t-T9WE5uiVT6

Signatures

  • Renames multiple (203) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 32 IoCs
  • Enumerates connected drives 3 TTPs 4 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Looks up external IP address via web service 10 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • UPX packed file 5 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 40 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
    "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:4156
    • C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Users\Admin\AppData\Local\7ac13036-2f91-4f68-9ae1-a5754f538375" /deny *S-1-1-0:(OI)(CI)(DE,DC)
      2⤵
      • Modifies file permissions
      • System Location Discovery: System Language Discovery
      PID:2556
    • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
      "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask
      2⤵
      • Drops desktop.ini file(s)
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:5072
      • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
          "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 1628 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          PID:4280
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4280 -s 1100
            5⤵
            • Program crash
            PID:2176
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1628 -s 1668
          4⤵
          • Program crash
          PID:4452
      • C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
        "C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 5072 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        PID:1852
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 1852 -s 1388
          4⤵
          • Program crash
          PID:3804
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5072 -s 812
        3⤵
        • Program crash
        PID:3200
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4156 -s 1904
      2⤵
      • Program crash
      PID:4808
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4156 -ip 4156
    1⤵
      PID:3776
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4280 -ip 4280
      1⤵
        PID:2056
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1628 -ip 1628
        1⤵
          PID:3424
        • C:\Users\Admin\AppData\Local\7ac13036-2f91-4f68-9ae1-a5754f538375\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
          "C:\Users\Admin\AppData\Local\7ac13036-2f91-4f68-9ae1-a5754f538375\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Task
          1⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2484
          • C:\Users\Admin\AppData\Local\7ac13036-2f91-4f68-9ae1-a5754f538375\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
            "C:\Users\Admin\AppData\Local\7ac13036-2f91-4f68-9ae1-a5754f538375\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsTask
            2⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:920
            • C:\Users\Admin\AppData\Local\7ac13036-2f91-4f68-9ae1-a5754f538375\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
              "C:\Users\Admin\AppData\Local\7ac13036-2f91-4f68-9ae1-a5754f538375\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 920 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
              3⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:4332
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -u -p 4332 -s 1100
                4⤵
                • Program crash
                PID:3924
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 920 -s 1656
              3⤵
              • Program crash
              PID:2848
          • C:\Users\Admin\AppData\Local\7ac13036-2f91-4f68-9ae1-a5754f538375\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
            "C:\Users\Admin\AppData\Local\7ac13036-2f91-4f68-9ae1-a5754f538375\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 2484 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1
            2⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:4916
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 1196
              3⤵
              • Program crash
              PID:2236
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 2484 -s 4032
            2⤵
            • Program crash
            PID:4256
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1852 -ip 1852
          1⤵
            PID:3504
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5072 -ip 5072
            1⤵
              PID:1672
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Enumerates connected drives
              • Checks SCSI registry key(s)
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:2216
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
              • Modifies registry class
              PID:1012
            • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
              "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
              1⤵
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:924
            • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
              "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
              1⤵
              • Suspicious use of SetWindowsHookEx
              PID:3656
            • C:\Windows\explorer.exe
              explorer.exe
              1⤵
              • Boot or Logon Autostart Execution: Active Setup
              • Enumerates connected drives
              • Checks SCSI registry key(s)
              • Modifies registry class
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:4604
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 4916 -ip 4916
              1⤵
                PID:220
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2484 -ip 2484
                1⤵
                  PID:804
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 4332 -ip 4332
                  1⤵
                    PID:2460
                  • C:\Windows\SysWOW64\WerFault.exe
                    C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 920 -ip 920
                    1⤵
                      PID:4508
                    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                      1⤵
                      • Modifies Internet Explorer settings
                      • Modifies registry class
                      • Suspicious use of SetWindowsHookEx
                      PID:1628
                    • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
                      "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
                      1⤵
                      • Modifies registry class
                      • Suspicious use of SetWindowsHookEx
                      PID:4188
                    • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
                      "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXk0k6mrh4r2q0ct33a9wgbez0x7v9cz5y.mca
                      1⤵
                      • Suspicious use of SetWindowsHookEx
                      PID:4344
                    • C:\Windows\explorer.exe
                      explorer.exe
                      1⤵
                      • Boot or Logon Autostart Execution: Active Setup
                      • Modifies registry class
                      PID:2456

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\ProgramData\Microsoft\Network\Downloader\edbtmp.log
                      Filesize

                      1.3MB

                      MD5

                      f782b09fd215d3d9bb898d61ea2e7a37

                      SHA1

                      a382348e9592bdf93dd10c49773b815a992fa7c7

                      SHA256

                      7bd4646090dff9875e08ea00e5727b11be19fcb850344856e66360c152835694

                      SHA512

                      9342bd7a0cbabd7e699ea545897a6403371a0034e4bea067a9662dad9e492c5fa9b27efa4c850e1c001c79d6a76ffe0dacb6831010e41c8d5e2a92bd5b898606

                      Download Submit

                    • C:\ProgramData\Microsoft\Windows\Caches\cversions.2.db
                      Filesize

                      16KB

                      MD5

                      aa557d53ec8785c4fdd5213df3017607

                      SHA1

                      58b158d91d66affd2bf295b72c17bd03760c8087

                      SHA256

                      835b76f78c88fda04af347086fff416b6d3bedffb4db9cc64e01fdf1ae387fdc

                      SHA512

                      7c54956d147545b09420e5b8e2e0a3e5b26edc634e41a3373347437f4901ab55401f3e782dcab35a61b405e0b1e0492e8faaab9986cdb60ff7732e2cc1a1a206

                      Download Submit

                    • C:\ProgramData\Microsoft\Windows\Caches\{3F1BF7CA-3BB7-40E6-B1F8-515A3828A2A7}.2.ver0x0000000000000001.db
                      Filesize

                      1KB

                      MD5

                      6db250b2f099a70186acda446ce3b3f7

                      SHA1

                      c9f90aa2e9770e184b967dcd5f9db26eaa65812e

                      SHA256

                      947fe6765f2923b481fb8454f814f971d74f687d07b58e3abe4335362aa85503

                      SHA512

                      259865a501d5638fd3f952868d810c2178372ece0975f62ff9aa6dade799e224637411a04e3191d8bad14ea83de9c8d381495b07a7ed9b0aac03b5ddbf969eab

                      Download Submit

                    • C:\ProgramData\Microsoft\Windows\Caches\{3F1BF7CA-3BB7-40E6-B1F8-515A3828A2A7}.2.ver0x0000000000000001.db.kropun
                      Filesize

                      1KB

                      MD5

                      a292b75ffbfe36efe5b7ebd26521074e

                      SHA1

                      367f570013ae141870f0c471ae29ba36a8f913cd

                      SHA256

                      872b3476a8dc7c339411aee1cd1f156d862d893d5df0bd95fd5fe48d06b6f84b

                      SHA512

                      506b6bd908065054cd35254b3a5fd70c10aebee1f9e03ac0b3c607d31209b53151b76e934fcc0b0060037f4f1a2214a14a32167f2d841cde2c9c8a125b4b1275

                      Download Submit

                    • C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db.kropun
                      Filesize

                      289KB

                      MD5

                      1048f5bb11ca2a10659cb704c34d392a

                      SHA1

                      a91d21799e0248b0c30cb9672055449335bbc110

                      SHA256

                      d8de03c3865b4e22c491756ed1a8ebd50f509443487edf04752c36f981deec6e

                      SHA512

                      a215560310c9fd65d211293f5031f1573f3cabbb7342ca87379fd8b15c9137ba0a3e8684ff9fd6a7ae8f0565671a23b4a73a0e11b8ed2a1586384f6f273a5e14

                      Download Submit

                    • C:\ProgramData\Microsoft\Windows\Caches\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000003.db.kropun
                      Filesize

                      289KB

                      MD5

                      76147d35a75c7f48bcd7584ee2d7c60d

                      SHA1

                      8eb1c3a43691ed7d818f8a08b6a5e215cfe63457

                      SHA256

                      03efce1d4ca56faa46576776bb1d805b8cc83ce3893d419c03340c9d6192cca0

                      SHA512

                      3c8d2bde35bdfd7b3ac5baaac44a492fa285503ae123aa9f2cb188c40ebf5913ad068c039740b573ff78bccb7e7f1d94c7dbcb7c17c2f468db172d0ffd2c5929

                      Download Submit

                    • C:\ProgramData\Microsoft\Windows\Caches\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db.kropun
                      Filesize

                      623KB

                      MD5

                      010f9d9451b9a7406773ade2d2a4b033

                      SHA1

                      c179485468fa8cf93350818c63b64b9a98ed2548

                      SHA256

                      69d93ed9278ca7b4127410fc0f20ee87d72380ab152cd4ba5b975981546446b4

                      SHA512

                      515fadba65cd2aa2b567f664c32c7fcd6265557e262e094ce448a896c87cb312ce250a18dd9389ea80ab6e465abc629855eb2d20dcab02a0a754254fe4532c21

                      Download Submit

                    • C:\ProgramData\Package Cache\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}v48.108.8828\dotnet-host-6.0.27-win-x64.msi
                      Filesize

                      736KB

                      MD5

                      c3c0fe1bf5f38a6c89cead208307b99c

                      SHA1

                      df5d4f184c3124d4749c778084f35a2c00066b0b

                      SHA256

                      f4f6d008e54b5a6bac3998fc3fe8e632c347d6b598813e3524d5489b84bd2eaf

                      SHA512

                      0f3e96d16c512e37025b04ff7989d60126c3d65fe868dbcfbeae4dac910ce04fc52d1089f0e41ce85c2def0182a927fdcc349094e74cdd21b45a42fde7f01806

                      Download Submit

                    • C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi
                      Filesize

                      180KB

                      MD5

                      b2e47100abd58190e40c8b6f9f672a36

                      SHA1

                      a754a78021b16e63d9e606cacc6de4fcf6872628

                      SHA256

                      889217bcb971387bc3cb6d76554646d2b0822eceb102320d40adf2422c829128

                      SHA512

                      d30da8c901e063df5901d011b22a01f884234ddddd44b9e81b3c43d93a51e10342074523339d155d69ff03a03a1df66c7d19e0137a16f47735b5b600616ca2a9

                      Download Submit

                    • C:\ProgramData\Package Cache\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}v56.64.8781\dotnet-runtime-7.0.16-win-x64.msi
                      Filesize

                      26.0MB

                      MD5

                      078fdfc06d675c9476796f61e8d8b396

                      SHA1

                      183e0f30aad003e5443fc282813f349ebd7bb1c8

                      SHA256

                      71474bbf9ec8997bb0ec65853cb095b000f1cdd52aa3f53b486a994588a4b7f7

                      SHA512

                      ec1b7bb3993e7022b600557fb63f405cca68fa269ebf9cebb4c699c7e35ac3bdafac44c12b60b67c01987d499023a2b5cfea0bdb66684eff4d67546ec5952a68

                      Download Submit

                    • C:\ProgramData\Package Cache\{E634F316-BEB6-4FB3-A612-F7102F576165}v48.108.8836\windowsdesktop-runtime-6.0.27-win-x64.msi
                      Filesize

                      28.5MB

                      MD5

                      01bc6dc2e63ba4656e64f83debbc1f4e

                      SHA1

                      823cb85a326995b562bd02e26996a4a841795322

                      SHA256

                      b96e7138eee33474e5ec02c855673b56f78f0773d10fb962b7c9d015597db689

                      SHA512

                      90f0a9df306c83c3c10cdc7cb03110bb75796b3462a3562743a5a4cf9366d85e157cdf7b60bf6458051a0deec9275ae30fc49d19f83aebaae01ec908b3335175

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
                      Filesize

                      1KB

                      MD5

                      c9be626e9715952e9b70f92f912b9787

                      SHA1

                      aa2e946d9ad9027172d0d321917942b7562d6abe

                      SHA256

                      c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4

                      SHA512

                      7581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
                      Filesize

                      436B

                      MD5

                      971c514f84bba0785f80aa1c23edfd79

                      SHA1

                      732acea710a87530c6b08ecdf32a110d254a54c8

                      SHA256

                      f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

                      SHA512

                      43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
                      Filesize

                      174B

                      MD5

                      5123a28743cc0e1cdd56d8b30a3de551

                      SHA1

                      4913577a3d32aed22d69cd9caf068c99448615e9

                      SHA256

                      48061633359f2fdb3144382e424cfd664b4467daba6bab1eef123613c6557177

                      SHA512

                      60c20669d3028feff475a4e3d35741e8c990ef85184cd75d5ef66725d697862cea042a2ba3793dda73767c2f125de511fb51bbcbd672ecf5e1e81de2d451adc5

                      Download Submit

                    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
                      Filesize

                      170B

                      MD5

                      f10de44ca0326f2998164f932b2efe2c

                      SHA1

                      50178272e231ab286611c6c0de8994e6d5dcacf9

                      SHA256

                      d2dee4df0f22d761b802e8598605f4ce88ff837fdaad641606c7ee27d668187b

                      SHA512

                      682bfdf958925b7470ea4759e6d41646631b2eb8f942efc4e948ae3d403c11f5071ed8f1550042ecac72a9aa8cefd67805f71ff9600c1fa9a6d4868cb48567cb

                      Download Submit

                    • C:\Users\Admin\AppData\Local\7ac13036-2f91-4f68-9ae1-a5754f538375\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
                      Filesize

                      669KB

                      MD5

                      ead18f3a909685922d7213714ea9a183

                      SHA1

                      1270bd7fd62acc00447b30f066bb23f4745869bf

                      SHA256

                      5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18

                      SHA512

                      6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\1033\StructuredQuerySchema.bin
                      Filesize

                      414KB

                      MD5

                      ab79489e9704fc9cc9d8bee4f8e17ec5

                      SHA1

                      b2e19a89b43d537bb5b02ee9ca2418f027259c1e

                      SHA256

                      4d71760d6f3159849068b635ab4c39b9b747d899f03670533971a62d262c264e

                      SHA512

                      60d11ee023b9a045c4b59b88311f001fcf4856e27837a1ffd6ecab0203e5199ee077d85c5217e0f0b94e0bff93b14c3680816b6fbf9d42ee2eff5c23d9a13edd

                      Download Submit

                    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\GANWAP0Y\geo[1].json
                      Filesize

                      542B

                      MD5

                      a10a6a594eab8ff8c3534e253d8decd1

                      SHA1

                      aaec447248e1cc33a8c812f38ad6045c5ab2a51c

                      SHA256

                      3fb0544873064c132d91960afa0da483afcf60e9821506edb7adb8f94acf8766

                      SHA512

                      eb5198eb924118f34b2f2b6f86bcfe192ad6677505370b5dbadb788080b64a137d55a6e564221945617d029fca43ea197ad81f65672b7b26c18987d0f0faf8ae

                      Download Submit

                    • C:\Users\Public\Documents\_readme.txt
                      Filesize

                      1KB

                      MD5

                      d75064cfaac9c92f52aadf373dc7e463

                      SHA1

                      36ea05181d9b037694929ec81f276f13c7d2655c

                      SHA256

                      163ec5b903b6baadd32d560c44c1ea4dce241579a7493eb32c632eae9085d508

                      SHA512

                      43387299749f31c623c5dd4a53ff4d2eff5edfeb80fd4e2edd45860b5c9367d2767ae2ee9b60824b57301999dd2bd995b7d3bd5e7187e447aed76106272559d1

                      Download Submit

                    • memory/920-1113-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/920-1118-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/1628-32-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/1628-1133-0x000002F7CCA00000-0x000002F7CCA20000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/1628-1153-0x000002F7CCA40000-0x000002F7CCA60000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/1628-49-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/1628-1155-0x000002F7CCA20000-0x000002F7CCA40000-memory.dmp

                      Filesize

                      128KB

                      Download

                    • memory/1628-39-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/1628-33-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/1628-45-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/1628-1169-0x000002F7DEB70000-0x000002F7DEC70000-memory.dmp

                      Filesize

                      1024KB

                      Download

                    • memory/1628-1124-0x000002F7CAF20000-0x000002F7CB020000-memory.dmp

                      Filesize

                      1024KB

                      Download

                    • memory/1628-1123-0x000002F7CAF20000-0x000002F7CB020000-memory.dmp

                      Filesize

                      1024KB

                      Download

                    • memory/1852-1078-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/1852-30-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/1852-44-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/2484-1084-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/2484-1109-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/2484-1090-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/4156-17-0x0000000000400000-0x0000000000476000-memory.dmp

                      Filesize

                      472KB

                      Download

                    • memory/4156-2-0x0000000000830000-0x0000000000930000-memory.dmp

                      Filesize

                      1024KB

                      Download

                    • memory/4156-0-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/4156-16-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/4156-3-0x0000000000400000-0x0000000000476000-memory.dmp

                      Filesize

                      472KB

                      Download

                    • memory/4280-47-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/4280-48-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/4332-1116-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/4332-1117-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/4604-1119-0x0000000004CA0000-0x0000000004CA1000-memory.dmp

                      Filesize

                      4KB

                      Download

                    • memory/4916-1108-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/5072-14-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/5072-1080-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/5072-27-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/5072-29-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/5072-43-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/5072-20-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download

                    • memory/5072-19-0x0000000000400000-0x00000000004A9000-memory.dmp

                      Filesize

                      676KB

                      Download