Analysis

  • max time kernel
    72s
  • max time network
    70s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    31/01/2025, 15:41 UTC

General

  • Target

    07b03eeff0d15ffa67346df3c0d0aceaa18be760811579e274066f3f2c5ec9e9.exe

  • Size

    1.7MB

  • MD5

    8919a3ebfb67cc3d12f475baa82ca476

  • SHA1

    0e6aa733c49dc293f2936b32600390cedb0767ae

  • SHA256

    07b03eeff0d15ffa67346df3c0d0aceaa18be760811579e274066f3f2c5ec9e9

  • SHA512

    eac4ba93e8f84413a4d5a4e590263c493011cdfa2a6b96dee2222930a22c30ef885d4651d0783b10c26b8b75cc1f61c32302671dcf9de9f1a3dd19a29c1d1593

  • SSDEEP

    24576:rcbD/3+3Nb8c6xUN8c/CNlSC3Af8XwYJs4nUAo3E5IuquLJlxpCp8zMgNFLtU5Vp:rcbz+3H6NXL3cYi4nUpmIm2BIG5VBj

Malware Config

Extracted

Family

44caliber

C2

https://ptb.discord.com/api/webhooks/1191727961125158913/AO3r_s05R0U-6xEmnSGeaNuYUkFwxvk1U1oYOinVZKjPH9PGr5fHvc41o-BfoHkgQRjS

Signatures

  • 44Caliber

    An open source infostealer written in C#.

  • 44Caliber family
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 5 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 38 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 17 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 25 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\07b03eeff0d15ffa67346df3c0d0aceaa18be760811579e274066f3f2c5ec9e9.exe
    "C:\Users\Admin\AppData\Local\Temp\07b03eeff0d15ffa67346df3c0d0aceaa18be760811579e274066f3f2c5ec9e9.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3388
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:3312
  • C:\Windows\System32\NOTEPAD.EXE
    "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\InstallUpdate.cmd
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:1204
  • C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE
    "C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2852
  • C:\Windows\system32\BackgroundTransferHost.exe
    "BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
    1⤵
    • Modifies registry class
    PID:4820
  • C:\Windows\system32\control.exe
    "C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:4988
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
    1⤵
    • System Location Discovery: System Language Discovery
    PID:1588
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:4452
    • C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /7
      2⤵
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1236

Network

  • flag-us
    DNS
    freegeoip.app
    CromulentLauncher.exe
    Remote address:
    8.8.8.8:53
    Request
    freegeoip.app
    IN A
    Response
    freegeoip.app
    IN A
    104.21.96.1
    freegeoip.app
    IN A
    104.21.80.1
    freegeoip.app
    IN A
    104.21.112.1
    freegeoip.app
    IN A
    104.21.16.1
    freegeoip.app
    IN A
    104.21.48.1
    freegeoip.app
    IN A
    104.21.32.1
    freegeoip.app
    IN A
    104.21.64.1
  • flag-us
    DNS
    ipbase.com
    CromulentLauncher.exe
    Remote address:
    8.8.8.8:53
    Request
    ipbase.com
    IN A
    Response
    ipbase.com
    IN A
    104.21.85.189
    ipbase.com
    IN A
    172.67.209.71
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    CromulentLauncher.exe
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
    Response
    8.8.8.8.in-addr.arpa
    IN PTR
    dnsgoogle
  • flag-us
    DNS
    ctldl.windowsupdate.com
    CromulentLauncher.exe
    Remote address:
    8.8.8.8:53
    Request
    ctldl.windowsupdate.com
    IN A
    Response
    ctldl.windowsupdate.com
    IN CNAME
    ctldl.windowsupdate.com.delivery.microsoft.com
    ctldl.windowsupdate.com.delivery.microsoft.com
    IN CNAME
    wu-b-net.trafficmanager.net
    wu-b-net.trafficmanager.net
    IN CNAME
    download.windowsupdate.com.edgesuite.net
    download.windowsupdate.com.edgesuite.net
    IN CNAME
    a767.dspw65.akamai.net
    a767.dspw65.akamai.net
    IN A
    2.16.153.11
    a767.dspw65.akamai.net
    IN A
    2.16.153.13
  • flag-us
    DNS
    167.173.78.104.in-addr.arpa
    CromulentLauncher.exe
    Remote address:
    8.8.8.8:53
    Request
    167.173.78.104.in-addr.arpa
    IN PTR
    Response
    167.173.78.104.in-addr.arpa
    IN PTR
    a104-78-173-167deploystaticakamaitechnologiescom
  • flag-us
    DNS
    config.edge.skype.com
    CromulentLauncher.exe
    Remote address:
    8.8.8.8:53
    Request
    config.edge.skype.com
    IN A
    Response
    config.edge.skype.com
    IN CNAME
    config.edge.skype.com.trafficmanager.net
    config.edge.skype.com.trafficmanager.net
    IN CNAME
    l-0007.config.skype.com
    l-0007.config.skype.com
    IN CNAME
    config-edge-skype.l-0007.l-msedge.net
    config-edge-skype.l-0007.l-msedge.net
    IN CNAME
    l-0007.l-msedge.net
    l-0007.l-msedge.net
    IN A
    13.107.42.16
  • flag-us
    DNS
    19.89.109.52.in-addr.arpa
    CromulentLauncher.exe
    Remote address:
    8.8.8.8:53
    Request
    19.89.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    self.events.data.microsoft.com
    CromulentLauncher.exe
    Remote address:
    8.8.8.8:53
    Request
    self.events.data.microsoft.com
    IN A
    Response
    self.events.data.microsoft.com
    IN CNAME
    self-events-data.trafficmanager.net
    self-events-data.trafficmanager.net
    IN CNAME
    onedscolprdcus19.centralus.cloudapp.azure.com
    onedscolprdcus19.centralus.cloudapp.azure.com
    IN A
    52.182.143.214
  • flag-us
    DNS
    ocsp.digicert.com
    CromulentLauncher.exe
    Remote address:
    8.8.8.8:53
    Request
    ocsp.digicert.com
    IN A
    Response
    ocsp.digicert.com
    IN CNAME
    ocsp.edge.digicert.com
    ocsp.edge.digicert.com
    IN CNAME
    cac-ocsp.digicert.com.edgekey.net
    cac-ocsp.digicert.com.edgekey.net
    IN CNAME
    e3913.cd.akamaiedge.net
    e3913.cd.akamaiedge.net
    IN A
    104.78.173.167
  • flag-us
    DNS
    65.160.190.20.in-addr.arpa
    CromulentLauncher.exe
    Remote address:
    8.8.8.8:53
    Request
    65.160.190.20.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    184.143.101.95.in-addr.arpa
    CromulentLauncher.exe
    Remote address:
    8.8.8.8:53
    Request
    184.143.101.95.in-addr.arpa
    IN PTR
    Response
    184.143.101.95.in-addr.arpa
    IN PTR
    a95-101-143-184deploystaticakamaitechnologiescom
  • flag-us
    DNS
    1.96.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    1.96.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    ocsp.digicert.com
    Remote address:
    8.8.8.8:53
    Request
    ocsp.digicert.com
    IN A
    Response
    ocsp.digicert.com
    IN CNAME
    ocsp.edge.digicert.com
    ocsp.edge.digicert.com
    IN CNAME
    cac-ocsp.digicert.com.edgekey.net
    cac-ocsp.digicert.com.edgekey.net
    IN CNAME
    e3913.cd.akamaiedge.net
    e3913.cd.akamaiedge.net
    IN A
    104.78.173.167
  • flag-us
    DNS
    officeclient.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    officeclient.microsoft.com
    IN A
    Response
    officeclient.microsoft.com
    IN CNAME
    config.officeapps.live.com
    config.officeapps.live.com
    IN CNAME
    prod.configsvc1.live.com.akadns.net
    prod.configsvc1.live.com.akadns.net
    IN CNAME
    europe.configsvc1.live.com.akadns.net
    europe.configsvc1.live.com.akadns.net
    IN CNAME
    uks-azsc-config.officeapps.live.com
    uks-azsc-config.officeapps.live.com
    IN A
    52.109.28.46
  • flag-us
    DNS
    ocsp.digicert.com
    Remote address:
    8.8.8.8:53
    Request
    ocsp.digicert.com
    IN A
    Response
    ocsp.digicert.com
    IN CNAME
    ocsp.edge.digicert.com
    ocsp.edge.digicert.com
    IN CNAME
    cac-ocsp.digicert.com.edgekey.net
    cac-ocsp.digicert.com.edgekey.net
    IN CNAME
    e3913.cd.akamaiedge.net
    e3913.cd.akamaiedge.net
    IN A
    104.78.173.167
  • flag-us
    DNS
    fp.msedge.net
    Remote address:
    8.8.8.8:53
    Request
    fp.msedge.net
    IN A
    Response
    fp.msedge.net
    IN CNAME
    1.perf.msedge.net
    1.perf.msedge.net
    IN CNAME
    a-0019.a-msedge.net
    a-0019.a-msedge.net
    IN CNAME
    a-0019.a.dns.azurefd.net
    a-0019.a.dns.azurefd.net
    IN CNAME
    a-0019.standard.a-msedge.net
    a-0019.standard.a-msedge.net
    IN A
    204.79.197.222
  • flag-us
    DNS
    fp.msedge.net
    Remote address:
    8.8.8.8:53
    Request
    fp.msedge.net
    IN A
  • flag-us
    DNS
    189.85.21.104.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    189.85.21.104.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    11.153.16.2.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    11.153.16.2.in-addr.arpa
    IN PTR
    Response
    11.153.16.2.in-addr.arpa
    IN PTR
    a2-16-153-11deploystaticakamaitechnologiescom
  • flag-us
    DNS
    roaming.officeapps.live.com
    Remote address:
    8.8.8.8:53
    Request
    roaming.officeapps.live.com
    IN A
    Response
    roaming.officeapps.live.com
    IN CNAME
    prod.roaming1.live.com.akadns.net
    prod.roaming1.live.com.akadns.net
    IN CNAME
    eur.roaming1.live.com.akadns.net
    eur.roaming1.live.com.akadns.net
    IN CNAME
    weu-azsc-000.roaming.officeapps.live.com
    weu-azsc-000.roaming.officeapps.live.com
    IN CNAME
    osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com
    osiprod-weu-buff-azsc-000.westeurope.cloudapp.azure.com
    IN A
    52.109.89.19
  • flag-us
    DNS
    46.28.109.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    46.28.109.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    login.live.com
    Remote address:
    8.8.8.8:53
    Request
    login.live.com
    IN A
    Response
    login.live.com
    IN CNAME
    login.msa.msidentity.com
    login.msa.msidentity.com
    IN CNAME
    www.tm.lg.prod.aadmsa.trafficmanager.net
    www.tm.lg.prod.aadmsa.trafficmanager.net
    IN CNAME
    prdv4a.aadg.msidentity.com
    prdv4a.aadg.msidentity.com
    IN CNAME
    www.tm.v4.a.prd.aadg.trafficmanager.net
    www.tm.v4.a.prd.aadg.trafficmanager.net
    IN A
    20.190.160.65
    www.tm.v4.a.prd.aadg.trafficmanager.net
    IN A
    20.190.160.131
    www.tm.v4.a.prd.aadg.trafficmanager.net
    IN A
    20.190.160.128
    www.tm.v4.a.prd.aadg.trafficmanager.net
    IN A
    40.126.32.136
    www.tm.v4.a.prd.aadg.trafficmanager.net
    IN A
    40.126.32.74
    www.tm.v4.a.prd.aadg.trafficmanager.net
    IN A
    20.190.160.4
    www.tm.v4.a.prd.aadg.trafficmanager.net
    IN A
    20.190.160.14
    www.tm.v4.a.prd.aadg.trafficmanager.net
    IN A
    40.126.32.138
  • flag-us
    DNS
    www.bing.com
    Remote address:
    8.8.8.8:53
    Request
    www.bing.com
    IN A
    Response
    www.bing.com
    IN CNAME
    www-www.bing.com.trafficmanager.net
    www-www.bing.com.trafficmanager.net
    IN CNAME
    www.bing.com.edgekey.net
    www.bing.com.edgekey.net
    IN CNAME
    e86303.dscx.akamaiedge.net
    e86303.dscx.akamaiedge.net
    IN A
    95.101.143.184
    e86303.dscx.akamaiedge.net
    IN A
    95.101.143.200
    e86303.dscx.akamaiedge.net
    IN A
    95.101.143.195
    e86303.dscx.akamaiedge.net
    IN A
    95.101.143.185
    e86303.dscx.akamaiedge.net
    IN A
    95.101.143.201
    e86303.dscx.akamaiedge.net
    IN A
    95.101.143.193
    e86303.dscx.akamaiedge.net
    IN A
    95.101.143.179
    e86303.dscx.akamaiedge.net
    IN A
    95.101.143.202
    e86303.dscx.akamaiedge.net
    IN A
    95.101.143.203
  • flag-us
    DNS
    214.143.182.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    214.143.182.52.in-addr.arpa
    IN PTR
    Response
  • flag-nl
    POST
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    WINWORD.EXE
    Remote address:
    52.109.89.19:443
    Request
    POST /rs/RoamingSoapService.svc HTTP/1.1
    Cache-Control: no-cache
    Connection: Keep-Alive
    Pragma: no-cache
    Content-Type: text/xml; charset=utf-8
    User-Agent: MS-WebServices/1.0
    SOAPAction: "http://tempuri.org/IRoamingSettingsService/GetConfig"
    Content-Length: 511
    Host: roaming.officeapps.live.com
    Response
    HTTP/1.1 200 OK
    Cache-Control: private
    Content-Type: text/xml; charset=utf-8
    Server: Microsoft-IIS/10.0
    X-OfficeFE: RoamingFE_IN_159
    X-OfficeVersion: 16.0.18527.30575
    X-OfficeCluster: weu-000.roaming.officeapps.live.com
    Content-Security-Policy-Report-Only: script-src 'nonce-mmdcAZKxHGBbfgHWOfz/Zb9V4gGUJo/2VFwa0yniXHfr8QkHJlbbs9zACPGe/Vhn1b45pvQl3TXbXWlRl53FvDAazi3tApGHwTyXXQoUL8G5lg9r0GiJg9qmI2dE0Ze348JhNQVi/liOQImScOcISjzT8GI+sCstbrnUtOImCgM=' 'unsafe-inline' 'unsafe-eval' 'strict-dynamic' https:; base-uri 'self'; object-src 'none'; require-trusted-types-for 'script'; report-uri https://csp.microsoft.com/report/OfficeIce-OfficeRoaming-Prod; frame-ancestors 'none';
    X-Frame-Options: Deny
    X-CorrelationId: 599e4898-470c-43aa-9f59-c31f35c68f8a
    X-Powered-By: ASP.NET
    Date: Fri, 31 Jan 2025 15:42:19 GMT
    Content-Length: 654
  • flag-us
    DNS
    222.197.79.204.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    222.197.79.204.in-addr.arpa
    IN PTR
    Response
  • 104.21.96.1:443
    freegeoip.app
    tls
    CromulentLauncher.exe
    753 B
    4.6kB
    7
    7
  • 104.21.85.189:443
    ipbase.com
    tls
    CromulentLauncher.exe
    885 B
    8.3kB
    10
    13
  • 2.18.66.48:443
    www.bing.com
    tls
    101.9kB
    2.1MB
    1591
    1531
  • 52.109.89.19:443
    https://roaming.officeapps.live.com/rs/RoamingSoapService.svc
    tls, http
    WINWORD.EXE
    1.8kB
    8.3kB
    12
    11

    HTTP Request

    POST https://roaming.officeapps.live.com/rs/RoamingSoapService.svc

    HTTP Response

    200
  • 95.101.143.184:443
    www.bing.com
    tls
    BackgroundTransferHost.exe
    21.1kB
    593.8kB
    438
    435
  • 8.8.8.8:53
    freegeoip.app
    dns
    CromulentLauncher.exe
    745 B
    1.8kB
    11
    11

    DNS Request

    freegeoip.app

    DNS Response

    104.21.96.1
    104.21.80.1
    104.21.112.1
    104.21.16.1
    104.21.48.1
    104.21.32.1
    104.21.64.1

    DNS Request

    ipbase.com

    DNS Response

    104.21.85.189
    172.67.209.71

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    ctldl.windowsupdate.com

    DNS Response

    2.16.153.11
    2.16.153.13

    DNS Request

    167.173.78.104.in-addr.arpa

    DNS Request

    config.edge.skype.com

    DNS Response

    13.107.42.16

    DNS Request

    19.89.109.52.in-addr.arpa

    DNS Request

    self.events.data.microsoft.com

    DNS Response

    52.182.143.214

    DNS Request

    ocsp.digicert.com

    DNS Response

    104.78.173.167

    DNS Request

    65.160.190.20.in-addr.arpa

    DNS Request

    184.143.101.95.in-addr.arpa

  • 8.8.8.8:53
    1.96.21.104.in-addr.arpa
    dns
    386 B
    916 B
    6
    5

    DNS Request

    1.96.21.104.in-addr.arpa

    DNS Request

    ocsp.digicert.com

    DNS Response

    104.78.173.167

    DNS Request

    officeclient.microsoft.com

    DNS Response

    52.109.28.46

    DNS Request

    ocsp.digicert.com

    DNS Response

    104.78.173.167

    DNS Request

    fp.msedge.net

    DNS Request

    fp.msedge.net

    DNS Response

    204.79.197.222

  • 8.8.8.8:53
    189.85.21.104.in-addr.arpa
    dns
    477 B
    1.5kB
    7
    7

    DNS Request

    189.85.21.104.in-addr.arpa

    DNS Request

    11.153.16.2.in-addr.arpa

    DNS Request

    roaming.officeapps.live.com

    DNS Response

    52.109.89.19

    DNS Request

    46.28.109.52.in-addr.arpa

    DNS Request

    login.live.com

    DNS Response

    20.190.160.65
    20.190.160.131
    20.190.160.128
    40.126.32.136
    40.126.32.74
    20.190.160.4
    20.190.160.14
    40.126.32.138

    DNS Request

    www.bing.com

    DNS Response

    95.101.143.184
    95.101.143.200
    95.101.143.195
    95.101.143.185
    95.101.143.201
    95.101.143.193
    95.101.143.179
    95.101.143.202
    95.101.143.203

    DNS Request

    214.143.182.52.in-addr.arpa

  • 8.8.8.8:53
    222.197.79.204.in-addr.arpa
    dns
    73 B
    143 B
    1
    1

    DNS Request

    222.197.79.204.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\44\Browsers\Firefox\Bookmarks.txt

    Filesize

    105B

    MD5

    2e9d094dda5cdc3ce6519f75943a4ff4

    SHA1

    5d989b4ac8b699781681fe75ed9ef98191a5096c

    SHA256

    c84c98bbf5e0ef9c8d0708b5d60c5bb656b7d6be5135d7f7a8d25557e08cf142

    SHA512

    d1f7eed00959e902bdb2125b91721460d3ff99f3bdfc1f2a343d4f58e8d4e5e5a06c0c6cdc0379211c94510f7c00d7a8b34fa7d0ca0c3d54cbbe878f1e9812b7

  • C:\ProgramData\44\Process.txt

    Filesize

    1KB

    MD5

    8afe145407231d996cb2efed00250273

    SHA1

    cdf1fef5a3adc11073a8e7ddf47438c914daea32

    SHA256

    49a392dbcd86684338f6cf81ca6ec18b31ab608354fe9949d1bd53d6c38d29b7

    SHA512

    6d176e90ef500994b7766345d07c27bf392b1e0fb7145bfb8ac28e8e6e0c91419f9ab64d18960729416a91a5e38ffde07fd37864b7c195db16d639b6f53789c2

  • C:\ProgramData\44\Process.txt

    Filesize

    765B

    MD5

    eb8043846caf31483f3c9d2874bfe29d

    SHA1

    b903e9e075899be8dd1c10bc127f903a475fd33e

    SHA256

    b4e7f30d1c3dd31a8b97a61eaf63d8a84a25ed168f44d0980a6238ab1039a98c

    SHA512

    ee303faba59b55d9314eea30c764abebb9b9209f6dabe5f2d2d1d7226f3379c1fa04874d871079a2c2b0486eafd8f62da4af4137ecce120e655b88e67ca47327

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

    Filesize

    28KB

    MD5

    09d642aefcb8618fa681adbbc0bf75a6

    SHA1

    85814a5700b4d78364fdb781c56f0ec23844b1a2

    SHA256

    bb379f027935fae8f0e4c1768683e20675a0526f98ac4684dafca4c9501d81c5

    SHA512

    2154eb7b0c316d9542176dd98849ff83d91c16d1fa9685268f33849ff88b0ad350834a7890a094c2a33eceb68fa49b2a82111a02ce53f715a29b7ee0caa65833

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\81bcf342-e591-4493-9dcf-307a7d14a45a.down_data

    Filesize

    555KB

    MD5

    5683c0028832cae4ef93ca39c8ac5029

    SHA1

    248755e4e1db552e0b6f8651b04ca6d1b31a86fb

    SHA256

    855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

    SHA512

    aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\CromulentLauncher.exe

    Filesize

    1.2MB

    MD5

    23d86a9388b2473d0b8c8d8c75de793c

    SHA1

    d7938fb0ddaeed76d6ead3ad9ed030934603247e

    SHA256

    9633ed8a684b052247e4850948b3e8b33c428066eb1c32179c547f477c5dfaf7

    SHA512

    7115b93efbb44ab74b157d683a61bb4e8dbf6faac46516916cb95ef310b1ccb587ff638113ffbb76530a936ee5358562132475de74710ff64e27d5add68d842d

  • memory/1236-190-0x00000141078A0000-0x00000141078A1000-memory.dmp

    Filesize

    4KB

  • memory/1236-187-0x00000141078A0000-0x00000141078A1000-memory.dmp

    Filesize

    4KB

  • memory/1236-186-0x00000141078A0000-0x00000141078A1000-memory.dmp

    Filesize

    4KB

  • memory/1236-179-0x00000141078A0000-0x00000141078A1000-memory.dmp

    Filesize

    4KB

  • memory/1236-185-0x00000141078A0000-0x00000141078A1000-memory.dmp

    Filesize

    4KB

  • memory/1236-189-0x00000141078A0000-0x00000141078A1000-memory.dmp

    Filesize

    4KB

  • memory/1236-180-0x00000141078A0000-0x00000141078A1000-memory.dmp

    Filesize

    4KB

  • memory/1236-178-0x00000141078A0000-0x00000141078A1000-memory.dmp

    Filesize

    4KB

  • memory/1236-188-0x00000141078A0000-0x00000141078A1000-memory.dmp

    Filesize

    4KB

  • memory/1236-184-0x00000141078A0000-0x00000141078A1000-memory.dmp

    Filesize

    4KB

  • memory/2852-140-0x00007FFF665D0000-0x00007FFF665E0000-memory.dmp

    Filesize

    64KB

  • memory/2852-141-0x00007FFF665D0000-0x00007FFF665E0000-memory.dmp

    Filesize

    64KB

  • memory/2852-139-0x00007FFF665D0000-0x00007FFF665E0000-memory.dmp

    Filesize

    64KB

  • memory/2852-142-0x00007FFF665D0000-0x00007FFF665E0000-memory.dmp

    Filesize

    64KB

  • memory/2852-143-0x00007FFF665D0000-0x00007FFF665E0000-memory.dmp

    Filesize

    64KB

  • memory/2852-144-0x00007FFF63FE0000-0x00007FFF63FF0000-memory.dmp

    Filesize

    64KB

  • memory/2852-145-0x00007FFF63FE0000-0x00007FFF63FF0000-memory.dmp

    Filesize

    64KB

  • memory/2852-168-0x00007FFF665D0000-0x00007FFF665E0000-memory.dmp

    Filesize

    64KB

  • memory/2852-169-0x00007FFF665D0000-0x00007FFF665E0000-memory.dmp

    Filesize

    64KB

  • memory/2852-170-0x00007FFF665D0000-0x00007FFF665E0000-memory.dmp

    Filesize

    64KB

  • memory/2852-167-0x00007FFF665D0000-0x00007FFF665E0000-memory.dmp

    Filesize

    64KB

  • memory/3312-138-0x0000000072B20000-0x00000000732D1000-memory.dmp

    Filesize

    7.7MB

  • memory/3312-137-0x0000000000CD0000-0x00000000010B6000-memory.dmp

    Filesize

    3.9MB

  • memory/3312-134-0x0000000000CD0000-0x00000000010B6000-memory.dmp

    Filesize

    3.9MB

  • memory/3312-133-0x0000000009850000-0x00000000098B6000-memory.dmp

    Filesize

    408KB

  • memory/3312-52-0x00000000098F0000-0x0000000009E96000-memory.dmp

    Filesize

    5.6MB

  • memory/3312-41-0x00000000081B0000-0x0000000008242000-memory.dmp

    Filesize

    584KB

  • memory/3312-27-0x0000000072B20000-0x00000000732D1000-memory.dmp

    Filesize

    7.7MB

  • memory/3312-17-0x0000000000CD0000-0x00000000010B6000-memory.dmp

    Filesize

    3.9MB

  • memory/3312-16-0x0000000072B2E000-0x0000000072B2F000-memory.dmp

    Filesize

    4KB

  • memory/3312-14-0x0000000000CD0000-0x00000000010B6000-memory.dmp

    Filesize

    3.9MB

  • memory/3312-13-0x0000000000A00000-0x0000000000A01000-memory.dmp

    Filesize

    4KB

  • memory/3312-12-0x0000000000CD0000-0x00000000010B6000-memory.dmp

    Filesize

    3.9MB
