3730e9cba4a93bc985ef7cd2368ccbf5eccd4724f514b38b20e320e5553dd08d

Resubmissions

25/03/2025, 13:12

250325-qfl42aznw9 10

25/03/2025, 13:09

25/03/2025, 13:05

25/03/2025, 13:01

25/03/2025, 12:55

25/03/2025, 12:51

05/02/2025, 11:16

16/07/2024, 08:54

Analysis

max time kernel
102s
max time network
109s
platform
windows11-21h2_x64
resource
win11-20250313-en
resource tags

arch:x64arch:x86image:win11-20250313-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
Size

52KB
MD5

ba9210de03de945901f02792f7994871
SHA1

20c4569cbb6f2650b02f6a5257faa8a8dfb298bd
SHA256

ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d
SHA512

277d26eea627b3da26664aaa4f72a7b79cd50311e45c59333563b4f58b76e6562cbaa1d55127c69d0830864721efa890fa824e1be381cca5e84bddc98f2b44d0
SSDEEP

1536:EJJRZQJes5b0k5bbyu6hXOKJrkH6sNNW:oJRa4kLmNVOKJIasNE

Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\README_5442903.txt

Ransom Note

Hello! All your files have been encrypted... Your personal Id: ADkTOOmai/3VrhwOMe6gxxyPK0vpJeW31RAieyF9rmHoWyqU7qoqvm80gmlQL8UQl0GFvHxwpzN2rwbkriAleQ0k/vYFS+gTRmu3iRHd8Ql6W2CrzqH1uhbyLSFGKxi2CqGzf2AWTNPa8YlKQZmK5Mt4ebOXIgURgIXHZIT+1i5ugMd87SXyn4ZIDxscj7ocKUbrYMP6O81cK1P2Mq7qrmirdAktxXu1nyJapOUFvS/cmE3yLj0AFu7LU/rXwBS2JXYQQGnatOWaG7ErwFJVG77HUe9H8a75ewyZwnvE6wIfF7UzWjjlwijQD+YG5cIjzvKrYr8lcnO/EL49Ag8dhg++ZW4tVVNfNTQ0MjkwM19BZG1pbl8zLzI1LzIwMjUgMTowOTozNSBQTV9XaW4gMTBfYmx1dDRfZWNmYjVjOTVkMGYzZDExMjY1MGVmNDA0NzkzNmU4ZmE1MjQ0YzIxYzkyMWY2YzdhNjk2M2U5MmFiYWI0OTQ5ZA To decrypt your files, write to email: [email protected] or [email protected] In the letter, send your personal Id and 2 small encrypted files for trial decryption. If you dont get answer from [email protected] or [email protected] in 72 hours, you need to install tor browser, you can download it here: https://www.torproject.org/download/download.html.en After installation, open the tor browser to website: http://t5vj34iny72dpdu4.onion and follow the instructions. Do not try restore files without our help, this is useless, and can destroy you data permanetly. However, the files can be recovered even after the removal of our program and even after reinstalling the operating system. Download the decoding video here: https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Emails

[email protected]

URLs

http://t5vj34iny72dpdu4.onion

https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
960	bcdedit.exe
988	bcdedit.exe

Disables Task Manager via registry modification
defense_evasion

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe"	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Drops desktop.ini file(s) 24 IoCs

description	ioc	Process
File created	C:\Users\Admin\Desktop\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Documents\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Favorites\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Links\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Music\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Downloads\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Videos\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Libraries\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Videos\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\OneDrive\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Pictures\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\AccountPictures\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Desktop\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Documents\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Contacts\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Searches\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Downloads\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Music\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Pictures\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\README_5442903.txt	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Program Files (x86)\README_5442903.txt	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\README_5442903.txt	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3180	PING.EXE

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2768	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1136229799-3442283115-138161576-1000_Classes\Local Settings	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3180	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
Token: SeBackupPrivilege	4452	vssvc.exe
Token: SeRestorePrivilege	4452	vssvc.exe
Token: SeAuditPrivilege	4452	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 5524 wrote to memory of 2172	5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	84
PID 5524 wrote to memory of 2172	5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	84
PID 5524 wrote to memory of 1504	5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	86
PID 5524 wrote to memory of 1504	5524	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	86
PID 2172 wrote to memory of 2768	2172	cmd.exe	88
PID 2172 wrote to memory of 2768	2172	cmd.exe	88
PID 1504 wrote to memory of 3180	1504	cmd.exe	89
PID 1504 wrote to memory of 3180	1504	cmd.exe	89
PID 2172 wrote to memory of 960	2172	cmd.exe	92
PID 2172 wrote to memory of 960	2172	cmd.exe	92
PID 2172 wrote to memory of 988	2172	cmd.exe	93
PID 2172 wrote to memory of 988	2172	cmd.exe	93

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
"C:\Users\Admin\AppData\Local\Temp\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5524
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2768
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:960
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1504
- - C:\Windows\system32\PING.EXE
    ping -n 1 -w 5000 10.10.254.254
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:3180

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\README_5442903.txt

Filesize
1KB

MD5
de1926e574a1e5697513a0c62c879012

SHA1
bd16f0fea03140e5e1609f5718b2a6a0312c8860

SHA256
11b27acb14851c901df98e53ec0118143e751bb0d8fc805f7ffc32d46d21d631

SHA512
ae405ebf08126a41aac9f0eedc13897e4c1503820b3680aa1850993ff1936befdfa4be2facc6fc09cca10a28d4cd0f18c4eee8acdcd1c4d71e225c52917473bf

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi

Filesize
728KB

MD5
aa8ab375cbc285c70ee0ed935fe26b5b

SHA1
f38e64fe805b1b163186bf50f9e830ff6432c461

SHA256
dc1c4419aa3aa028e76775bfdce709fb0091d4c08a0a95dc09b398d49198f47d

SHA512
3e878f749b790715348defdb9e167ea96f2f813cfc6102523cfcce48513178388866b7f6ec76a40f683741e29eccc387688a283bb9c5010628643e64c52deb20

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
140KB

MD5
c655eaa8db27ccc8f3211cd03729f774

SHA1
14a73ffea1677972021e50e45d8bd94f90fe088f

SHA256
43947874316c26b27a1adcad9a26ba2b57f4ecb940ce8d88fccee9553d8afa97

SHA512
93343fd7bee41196aba1c66c2bec15266860ca140d994230be4e4551f19c0354de3d1221e53ef6750cc75e73a5b7a7082f4487492e291595f63fb55db6f8fb4e

Download Submit
C:\ProgramData\Package Cache\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}v64.8.8795\dotnet-runtime-8.0.2-win-x64.msi

Filesize
26.2MB

MD5
ce950d01f6bfee0d31b3c861d4e19c58

SHA1
67facc8033c47252732c6c8b341e17d3e77d1b4d

SHA256
fb190ea0ae84d582d3bdfc4976e9115b8abf85e3daf52ef8e7d2bd9e9740c8d8

SHA512
f004dfa768f07cf3a3384cf5c5b4d6c39747c641b653974df3c71d3cdfaa394a0c45a81ecef49c456f5c01d25c96d4aa502eac65c2b10bc1b493851170db6335

Download Submit
C:\ProgramData\Package Cache\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}v64.8.8806\windowsdesktop-runtime-8.0.2-win-x64.msi

Filesize
28.9MB

MD5
18e65e9ca6000912a6eea7fefd3cd13a

SHA1
a0ffe082551c7f2471baff43b02bd074576649f8

SHA256
1f095a3cc27584c3a89bb2584f861946011b5beae767e5d18be6af41918a70f7

SHA512
1536c16fd417771926f2f0c7972c8dc1a222f744d9d6b45bb868ad8d24f4d098e8f188d56bfefc4594ab8459cb9762a005816ac9fbed8d9b1349986859e0304a

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.bat

Filesize
167B

MD5
d1df9bb96b34b2b9cba30dc139a00ef8

SHA1
44e80d8b875f296f7087eadc0584276fb68fa323

SHA256
17bdd9c1355d56e607eae45138d64ed86ebb1369dfcdf4f7ef313124c2f098bc

SHA512
7029c53a5de207b495c512bbfc160ccb1d76fb0101ff5bef497cc0bfa570228b5d641e3fb34ee4d17585a19e4ce0b1337f7e14750c70a014d69c1d8afa4f7ec2

Download Submit
C:\Users\Admin\AppData\Roaming\delback.bat

Filesize
147B

MD5
2450c91afcc2d4cc3dea374820bed314

SHA1
dd1b61d0aa6d1769018c1d3144de9bb960a64d3c

SHA256
4f157084c6e48b547e698ed83ae9a853a4db4b7a115249db272e3eb93316f7df

SHA512
b0b21d16b7f35bfc5526ed07407ec85a221a7a036827b65dce0a449d02a31f3f6f5ce2fbf94f0af01ce4a248b27ccf5f287dd2746ee423766be8d366f78ccc91

Download Submit
C:\e57d5b84f944437adbc6f39ef6c7\2010_x64.log.html

Filesize
86KB

MD5
033d478106cc005cd4927d8dd41ec2a6

SHA1
070684a76305fa02e99ca71e925531207013844a

SHA256
f7264bf80a7fecbea6fea03e078df13bf6813881131a6fef295ec191e493836c

SHA512
c7e9b2ff2317cff14c7b98de19703bb1a66c4853dbeeee141918c81baa5567307dc0abe55bb9febbf3739bca6e623c9af3c2a850f7b0c9fc812361e92ce678cf

Download Submit
memory/5524-4-0x00007FFF3E830000-0x00007FFF3F2F2000-memory.dmp

Filesize
10.8MB

Download
memory/5524-3-0x00007FFF3E833000-0x00007FFF3E835000-memory.dmp

Filesize
8KB

Download
memory/5524-2-0x00007FFF3E830000-0x00007FFF3F2F2000-memory.dmp

Filesize
10.8MB

Download
memory/5524-1-0x0000000000E20000-0x0000000000E34000-memory.dmp

Filesize
80KB

Download
memory/5524-0-0x00007FFF3E833000-0x00007FFF3E835000-memory.dmp

Filesize
8KB

Download
memory/5524-890-0x00007FFF3E830000-0x00007FFF3F2F2000-memory.dmp

Filesize
10.8MB

Download
memory/5524-891-0x00007FFF3E830000-0x00007FFF3F2F2000-memory.dmp

Filesize
10.8MB

Download