Overview
overview
10Static
static
10241105-dtx...ed.zip
windows7-x64
1241105-dtx...ed.zip
windows10-2004-x64
1d91912b4b9...37.rar
windows7-x64
1d91912b4b9...37.rar
windows10-2004-x64
10di3x.exe
windows7-x64
100di3x.exe
windows10-2004-x64
10201106-9sx...ed.zip
windows7-x64
1201106-9sx...ed.zip
windows10-2004-x64
12019-09-02...10.exe
windows7-x64
102019-09-02...10.exe
windows10-2004-x64
102c01b00772...eb.exe
windows7-x64
102c01b00772...eb.exe
windows10-2004-x64
731.exe
windows7-x64
1031.exe
windows10-2004-x64
103DMark 11 ...on.exe
windows7-x64
33DMark 11 ...on.exe
windows10-2004-x64
342f9729255...61.exe
windows7-x64
1042f9729255...61.exe
windows10-2004-x64
105da0116af4...18.exe
windows7-x64
75da0116af4...18.exe
windows10-2004-x64
106306868794.bin.zip
windows7-x64
16306868794.bin.zip
windows10-2004-x64
1CVE-2018-1...oC.swf
windows7-x64
3CVE-2018-1...oC.swf
windows10-2004-x64
3DiskIntern...en.exe
windows7-x64
3DiskIntern...en.exe
windows10-2004-x64
3E2-2020111...59.zip
windows7-x64
1E2-2020111...59.zip
windows10-2004-x64
1ForceOp 2....ce.exe
windows7-x64
7ForceOp 2....ce.exe
windows10-2004-x64
7HYDRA.exe
windows7-x64
10HYDRA.exe
windows10-2004-x64
10Resubmissions
01/04/2025, 21:24
250401-z8184awycs 10Analysis
-
max time kernel
149s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
25/02/2025, 23:21
Static task
static1
Behavioral task
behavioral1
Sample
241105-dtxrgatbpg_pw_infected.zip
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
241105-dtxrgatbpg_pw_infected.zip
Resource
win10v2004-20250217-en
Behavioral task
behavioral3
Sample
d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337.rar
Resource
win7-20241010-en
Behavioral task
behavioral4
Sample
d91912b4b945e88e881e54573390e6723cfc41916b6546453b59e60f9beee337.rar
Resource
win10v2004-20250217-en
Behavioral task
behavioral5
Sample
0di3x.exe
Resource
win7-20240903-en
Behavioral task
behavioral6
Sample
0di3x.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral7
Sample
201106-9sxjh7tvxj_pw_infected.zip
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
201106-9sxjh7tvxj_pw_infected.zip
Resource
win10v2004-20250217-en
Behavioral task
behavioral9
Sample
2019-09-02_22-41-10.exe
Resource
win7-20240903-en
Behavioral task
behavioral10
Sample
2019-09-02_22-41-10.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral11
Sample
2c01b007729230c415420ad641ad92eb.exe
Resource
win7-20241023-en
Behavioral task
behavioral12
Sample
2c01b007729230c415420ad641ad92eb.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral13
Sample
31.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
31.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral15
Sample
3DMark 11 Advanced Edition.exe
Resource
win7-20241010-en
Behavioral task
behavioral16
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral17
Sample
42f972925508a82236e8533567487761.exe
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
42f972925508a82236e8533567487761.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral19
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win7-20240729-en
Behavioral task
behavioral20
Sample
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral21
Sample
6306868794.bin.zip
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
6306868794.bin.zip
Resource
win10v2004-20250217-en
Behavioral task
behavioral23
Sample
CVE-2018-15982_PoC.swf
Resource
win7-20241023-en
Behavioral task
behavioral24
Sample
CVE-2018-15982_PoC.swf
Resource
win10v2004-20250217-en
Behavioral task
behavioral25
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral27
Sample
E2-20201118_141759.zip
Resource
win7-20240903-en
Behavioral task
behavioral28
Sample
E2-20201118_141759.zip
Resource
win10v2004-20250217-en
Behavioral task
behavioral29
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win7-20241010-en
Behavioral task
behavioral30
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v2004-20250217-en
Behavioral task
behavioral31
Sample
HYDRA.exe
Resource
win7-20240903-en
Behavioral task
behavioral32
Sample
HYDRA.exe
Resource
win10v2004-20250217-en
General
-
Target
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
-
Size
669KB
-
MD5
ead18f3a909685922d7213714ea9a183
-
SHA1
1270bd7fd62acc00447b30f066bb23f4745869bf
-
SHA256
5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
-
SHA512
6e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91
-
SSDEEP
6144:bLUHLyHlwFjxDi2nEZkQ4NXxp0XMgkBWPqdN/jGdfYY7SRA7j4YlvfYAAjJ:4uFi02nEZh4jp0XLuxGdgTm73vL
Malware Config
Extracted
C:\Users\Public\Documents\_readme.txt
https://we.tl/t-T9WE5uiVT6
Signatures
-
Renames multiple (154) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe -
Modifies file permissions 1 TTPs 1 IoCs
pid Process 3596 icacls.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\7ca2b828-c01a-4920-91ef-5f782c46f6cb\\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe\" --AutoStart" 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe -
Drops desktop.ini file(s) 25 IoCs
description ioc Process File opened for modification C:\Users\Admin\Music\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\Admin\OneDrive\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\StartUp\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\Admin\3D Objects\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\Admin\Documents\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\Admin\Favorites\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\Admin\Pictures\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\Admin\Saved Games\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\Admin\Searches\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\Admin\Videos\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\System Tools\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\Admin\Links\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessibility\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\Admin\Contacts\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\Admin\Downloads\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe -
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 59 api.2ip.ua 60 api.2ip.ua 74 api.2ip.ua 27 api.2ip.ua 28 api.2ip.ua 34 api.2ip.ua -
resource yara_rule behavioral20/memory/4856-0-0x0000000000400000-0x00000000004A9000-memory.dmp upx behavioral20/files/0x000b000000023baf-11.dat upx behavioral20/memory/2740-26-0x0000000000400000-0x00000000004A9000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 5 IoCs
pid pid_target Process procid_target 3136 4856 WerFault.exe 84 1672 952 WerFault.exe 109 4644 3632 WerFault.exe 103 2068 2740 WerFault.exe 104 1148 400 WerFault.exe 95 -
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language icacls.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 4856 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 4856 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 400 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 400 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 2740 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 2740 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 3632 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 3632 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 952 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 952 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 4856 wrote to memory of 3596 4856 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 94 PID 4856 wrote to memory of 3596 4856 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 94 PID 4856 wrote to memory of 3596 4856 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 94 PID 4856 wrote to memory of 400 4856 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 95 PID 4856 wrote to memory of 400 4856 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 95 PID 4856 wrote to memory of 400 4856 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 95 PID 400 wrote to memory of 3632 400 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 103 PID 400 wrote to memory of 3632 400 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 103 PID 400 wrote to memory of 3632 400 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 103 PID 400 wrote to memory of 2740 400 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 104 PID 400 wrote to memory of 2740 400 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 104 PID 400 wrote to memory of 2740 400 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 104 PID 3632 wrote to memory of 952 3632 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 109 PID 3632 wrote to memory of 952 3632 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 109 PID 3632 wrote to memory of 952 3632 5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe 109
Processes
-
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4856 -
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\AppData\Local\7ca2b828-c01a-4920-91ef-5f782c46f6cb" /deny *S-1-1-0:(OI)(CI)(DE,DC)2⤵
- Modifies file permissions
- System Location Discovery: System Language Discovery
PID:3596
-
-
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Admin IsNotAutoStart IsNotTask2⤵
- Drops desktop.ini file(s)
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:400 -
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --ForNetRes "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt1 IsNotAutoStart IsNotTask3⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3632 -
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 3632 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt14⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:952 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 952 -s 11045⤵
- Program crash
PID:1672
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 17804⤵
- Program crash
PID:4644
-
-
-
C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe"C:\Users\Admin\AppData\Local\Temp\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe" --Service 400 "FsnDCf1u1wJvLcqbFxxtOchBf2V2lgtk24oM5mt2" 0h7mFQcjRC3pDgsRcrWZ7K7bdAgvgDos224DmXt13⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2740 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2740 -s 18684⤵
- Program crash
PID:2068
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 400 -s 16443⤵
- Program crash
PID:1148
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 18282⤵
- Program crash
PID:3136
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4856 -ip 48561⤵PID:2684
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 952 -ip 9521⤵PID:4196
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 3632 -ip 36321⤵PID:3200
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 2740 -ip 27401⤵PID:3208
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 400 -ip 4001⤵PID:220
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.3MB
MD5f782b09fd215d3d9bb898d61ea2e7a37
SHA1a382348e9592bdf93dd10c49773b815a992fa7c7
SHA2567bd4646090dff9875e08ea00e5727b11be19fcb850344856e66360c152835694
SHA5129342bd7a0cbabd7e699ea545897a6403371a0034e4bea067a9662dad9e492c5fa9b27efa4c850e1c001c79d6a76ffe0dacb6831010e41c8d5e2a92bd5b898606
-
C:\ProgramData\Package Cache\{3A96B93E-763F-41E7-85C7-1F3CCC37EF27}v48.108.8828\dotnet-host-6.0.27-win-x64.msi
Filesize736KB
MD5c3c0fe1bf5f38a6c89cead208307b99c
SHA1df5d4f184c3124d4749c778084f35a2c00066b0b
SHA256f4f6d008e54b5a6bac3998fc3fe8e632c347d6b598813e3524d5489b84bd2eaf
SHA5120f3e96d16c512e37025b04ff7989d60126c3d65fe868dbcfbeae4dac910ce04fc52d1089f0e41ce85c2def0182a927fdcc349094e74cdd21b45a42fde7f01806
-
C:\ProgramData\Package Cache\{662A0088-6FCD-45DD-9EA7-68674058AED5}v14.30.30704\packages\vcRuntimeMinimum_amd64\vc_runtimeMinimum_x64.msi
Filesize180KB
MD5b2e47100abd58190e40c8b6f9f672a36
SHA1a754a78021b16e63d9e606cacc6de4fcf6872628
SHA256889217bcb971387bc3cb6d76554646d2b0822eceb102320d40adf2422c829128
SHA512d30da8c901e063df5901d011b22a01f884234ddddd44b9e81b3c43d93a51e10342074523339d155d69ff03a03a1df66c7d19e0137a16f47735b5b600616ca2a9
-
C:\ProgramData\Package Cache\{CE4D7AE0-FCBA-486F-A58F-DBA3626FBE4B}v56.64.8781\dotnet-runtime-7.0.16-win-x64.msi
Filesize4.4MB
MD5b7af2ea479a58bd4b890e81d914686a3
SHA1d7c0c7953d71f10b57565987c91760bc02c35efe
SHA256e892c71fea11ec1da76c90e6bb3f52536ca911dd1040ed960873de3dc6dad2d4
SHA5124437188b98c6734d48977084fb8ca0b2b35facab7c26f17bf6516a5835d2669b89f95fab6c5e8daae675eb6fd8dac5c527665f345de47f3d6fea1016dd59dbc6
-
C:\ProgramData\Package Cache\{E634F316-BEB6-4FB3-A612-F7102F576165}v48.108.8836\windowsdesktop-runtime-6.0.27-win-x64.msi
Filesize4.0MB
MD5710e86063b3b0da02a13b49d08cd75dc
SHA12fa1f970816a5cd62fb006dfbd66acef63653087
SHA256d5d40494d1407b2113fa9a7123ad3d32501a247bc7436505b2e015b8d713c579
SHA51265ba635a834d3891d85b1f76846434be414660781fd9b198c4bf05e29653c50bff2eed3c6bd486119046d2c53d1e30053fd5e8f6abe0359648a77613b686d724
-
Filesize
1KB
MD5c9be626e9715952e9b70f92f912b9787
SHA1aa2e946d9ad9027172d0d321917942b7562d6abe
SHA256c13e8d22800c200915f87f71c31185053e4e60ca25de2e41e160e09cd2d815d4
SHA5127581b7c593785380e9db3ae760af85c1a889f607a3cd2aa5a2695a0e5a0fe8ee751578e88f7d8c997faeda804e2fc2655d859bee2832eace526ed4379edaa3f5
-
Filesize
436B
MD5971c514f84bba0785f80aa1c23edfd79
SHA1732acea710a87530c6b08ecdf32a110d254a54c8
SHA256f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895
SHA51243dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
Filesize174B
MD5f4d4ac584bc2223192fce41a9e665c64
SHA1085bc30eca575ed7f89dbdb3390045ad1da3d7ca
SHA2567d043a480703ada642d18b78526737b0e97f06eaf8643b79b5d28c346d40fbbb
SHA5124ecc244ebdf782ca9a7df531ddd253d81f561b6831c86f822e03a339a9e7687b09a5e92cfc712fcc0af23181fe2d6fad62508e2698d7598441c59b9b126941f9
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
Filesize170B
MD5fc0b204cb74b7c0c3882d77f6f1784a0
SHA14d81230ce6d15691b67d3f5d26cdbf1502d257c0
SHA256a716437d1ff03f0265dea4744ea326ca6d6a0830dbd273188bf1593fd60696fb
SHA5125d81c55a92f19d49aae1a8d8126928c86120b3ce8c220c17aed36da8d00ed022d32d84e17d5a3c6316f66c337c7db4ad13980846c98f5e44162b4b6ee28e3d9d
-
C:\Users\Admin\AppData\Local\7ca2b828-c01a-4920-91ef-5f782c46f6cb\5da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18.exe
Filesize669KB
MD5ead18f3a909685922d7213714ea9a183
SHA11270bd7fd62acc00447b30f066bb23f4745869bf
SHA2565da0116af495e6d8af7241da9b8281d918b9ff9a98a3deab4cca1aec1e456c18
SHA5126e532d9c3d186e4dac38823ae9152056346e283613f0caf088b21a1b3e5f4f6cf3bad8c407168b1072895a386e3be0b8c11ad1cb326d3d3ff0eb8562052def91
-
Filesize
1KB
MD5d75064cfaac9c92f52aadf373dc7e463
SHA136ea05181d9b037694929ec81f276f13c7d2655c
SHA256163ec5b903b6baadd32d560c44c1ea4dce241579a7493eb32c632eae9085d508
SHA51243387299749f31c623c5dd4a53ff4d2eff5edfeb80fd4e2edd45860b5c9367d2767ae2ee9b60824b57301999dd2bd995b7d3bd5e7187e447aed76106272559d1