3730e9cba4a93bc985ef7cd2368ccbf5eccd4724f514b38b20e320e5553dd08d

Resubmissions

25/03/2025, 13:12

250325-qfl42aznw9 10

25/03/2025, 13:09

25/03/2025, 13:05

25/03/2025, 13:01

25/03/2025, 12:55

25/03/2025, 12:51

05/02/2025, 11:16

16/07/2024, 08:54

Analysis

max time kernel
25s
max time network
21s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
25/03/2025, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
Size

52KB
MD5

ba9210de03de945901f02792f7994871
SHA1

20c4569cbb6f2650b02f6a5257faa8a8dfb298bd
SHA256

ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d
SHA512

277d26eea627b3da26664aaa4f72a7b79cd50311e45c59333563b4f58b76e6562cbaa1d55127c69d0830864721efa890fa824e1be381cca5e84bddc98f2b44d0
SSDEEP

1536:EJJRZQJes5b0k5bbyu6hXOKJrkH6sNNW:oJRa4kLmNVOKJIasNE

Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\README_6296936.txt

Ransom Note

Hello! All your files have been encrypted... Your personal Id: OrrRonhSOZtRXbzBj3UjWRCgnymueZGTpEJUSHy+BxsFBralnrhPgwndxXW9LI/xMTY/TYLZOdsAMXG/utMmtEBbqJn2woiOltoNwyN9mXU/IdYSp3J+NH4aZqfIcVYl0BKbpWi25AVuzmmq+8L+lAbwhoo5QPdBRWnm5zDQCkXz0fBshfpkkz3VJ1NSyP+S3ZqvpFUinkcs6Dm4cHy81mBqLIQo3ALrn0bdb+uGXddyHER1sqFqFV4C5srol4vRgBM4PoZh3vafgZAaadPDD7itrQYltlpzTHLYt+7Qb+cLkqusYo7WUEw6bsWuTpQT1a3BwGx9U1YbStiIwp1vqw++ZW4tVVNfNjI5NjkzNl9BZG1pbl8zLzI1LzIwMjUgMTowOTozNSBQTV9XaW4gN19ibHV0NF9lY2ZiNWM5NWQwZjNkMTEyNjUwZWY0MDQ3OTM2ZThmYTUyNDRjMjFjOTIxZjZjN2E2OTYzZTkyYWJhYjQ5NDlk To decrypt your files, write to email: [email protected] or [email protected] In the letter, send your personal Id and 2 small encrypted files for trial decryption. If you dont get answer from [email protected] or [email protected] in 72 hours, you need to install tor browser, you can download it here: https://www.torproject.org/download/download.html.en After installation, open the tor browser to website: http://t5vj34iny72dpdu4.onion and follow the instructions. Do not try restore files without our help, this is useless, and can destroy you data permanetly. However, the files can be recovered even after the removal of our program and even after reinstalling the operating system. Download the decoding video here: https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Emails

[email protected]

URLs

http://t5vj34iny72dpdu4.onion

https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2920	bcdedit.exe
2804	bcdedit.exe

Disables Task Manager via registry modification
defense_evasion

Deletes itself 1 IoCs

pid	Process
1600	cmd.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe"	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Drops desktop.ini file(s) 26 IoCs

description	ioc	Process
File created	C:\Users\Admin\Contacts\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Downloads\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Favorites\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Videos\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Music\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Recorded TV\Sample Media\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Videos\Sample Videos\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Documents\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Links\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Downloads\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Libraries\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Favorites\Links for United States\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Music\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Pictures\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Searches\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Desktop\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Pictures\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Desktop\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Documents\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Music\Sample Music\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Recorded TV\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Videos\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\README_6296936.txt	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Program Files (x86)\README_6296936.txt	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\README_6296936.txt	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2616	PING.EXE

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2356	vssadmin.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2616	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
Token: SeBackupPrivilege	2472	vssvc.exe
Token: SeRestorePrivilege	2472	vssvc.exe
Token: SeAuditPrivilege	2472	vssvc.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 888	1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	31
PID 1720 wrote to memory of 888	1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	31
PID 1720 wrote to memory of 888	1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	31
PID 1720 wrote to memory of 1600	1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	33
PID 1720 wrote to memory of 1600	1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	33
PID 1720 wrote to memory of 1600	1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	33
PID 1720 wrote to memory of 1600	1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	33
PID 1720 wrote to memory of 1600	1720	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	33
PID 888 wrote to memory of 2356	888	cmd.exe	36
PID 888 wrote to memory of 2356	888	cmd.exe	36
PID 888 wrote to memory of 2356	888	cmd.exe	36
PID 1600 wrote to memory of 2616	1600	cmd.exe	37
PID 1600 wrote to memory of 2616	1600	cmd.exe	37
PID 1600 wrote to memory of 2616	1600	cmd.exe	37
PID 888 wrote to memory of 2920	888	cmd.exe	40
PID 888 wrote to memory of 2920	888	cmd.exe	40
PID 888 wrote to memory of 2920	888	cmd.exe	40
PID 888 wrote to memory of 2804	888	cmd.exe	41
PID 888 wrote to memory of 2804	888	cmd.exe	41
PID 888 wrote to memory of 2804	888	cmd.exe	41

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
"C:\Users\Admin\AppData\Local\Temp\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2356
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2920
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2804
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
  2⤵
  - Deletes itself
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Windows\system32\PING.EXE
    ping -n 1 -w 5000 10.10.254.254
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2616

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\README_6296936.txt

Filesize
1KB

MD5
531f9c60b5c1ee4542ffc8ea4c708a66

SHA1
efb1acb92525722e5edf5d04e0470e2d66f38ccf

SHA256
2939d586353917fea80398ff67bbe1d4e7aa63ee55ef0e9256533d2436314e86

SHA512
0426d9746e3eae1fb3cc99d0d496fe9a438ffbf9ea4285c0a4aa50e7d63cc2b9fe0f76d71bd34331ca2bbebc070017e530898107837e3b0a5cfc17bfed60419f

Download Submit
C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\branding.xml

Filesize
582KB

MD5
f1b0abf11c3fa1478768782cfd597e9b

SHA1
997a6a1dc41e9bfcb93d698c93472f84d0720dfb

SHA256
547af35a22a367cf2dfbf179cd0df60b8fe8dcc6274d7d3c6219a452b2707c0b

SHA512
9e5ab8155893b517a3eb32d9342718eccbc29d4d1b4a3829fa3a97b1b0239e87a32b9c776f57152a901b944c51b9d4b183ce26c391fa3b4353117d36fc755664

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
140KB

MD5
1d448624e5748909a1c8231c859a4d3e

SHA1
ba07938bb560829a8ced5de3d81809c685611969

SHA256
247f399fa9110c037eaeb42d877242926bc5f1332af96c74ffff63038ab9af6b

SHA512
9997ded5b00f7a32132462aeccf6b155c765fad971f0aa7023279d8b5743de3cee123f8c25947d3805c0a4ee70afb8510bac07a9f2e2776871a8071fdf302bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.bat

Filesize
167B

MD5
d1df9bb96b34b2b9cba30dc139a00ef8

SHA1
44e80d8b875f296f7087eadc0584276fb68fa323

SHA256
17bdd9c1355d56e607eae45138d64ed86ebb1369dfcdf4f7ef313124c2f098bc

SHA512
7029c53a5de207b495c512bbfc160ccb1d76fb0101ff5bef497cc0bfa570228b5d641e3fb34ee4d17585a19e4ce0b1337f7e14750c70a014d69c1d8afa4f7ec2

Download Submit
C:\Users\Admin\AppData\Roaming\delback.bat

Filesize
147B

MD5
2450c91afcc2d4cc3dea374820bed314

SHA1
dd1b61d0aa6d1769018c1d3144de9bb960a64d3c

SHA256
4f157084c6e48b547e698ed83ae9a853a4db4b7a115249db272e3eb93316f7df

SHA512
b0b21d16b7f35bfc5526ed07407ec85a221a7a036827b65dce0a449d02a31f3f6f5ce2fbf94f0af01ce4a248b27ccf5f287dd2746ee423766be8d366f78ccc91

Download Submit
C:\Users\Admin\Desktop\SplitCompare.xlsx

Filesize
11KB

MD5
8b8d26e32c95045e8106c82c34c959c6

SHA1
5ee101b2d012742e792b64b5962f77b66126c0f0

SHA256
baa21e32a5880c32dff889a7719214c4d6b4df67c07ac13e8c083c059b809291

SHA512
0fb2acf4930dda734d16b0b2ffc7ab9ea81d439e8c2b23ee0e36cf99ea9e7533020a83a46a96c1beed70f1f45da2ceeca991c4a0cd9e476aa8c28172ba0e82f0

Download Submit
C:\vcredist2010_x86.log.html

Filesize
82KB

MD5
c62060fb77335b1362a156280edd9fd0

SHA1
2dbdf106106e81d0e965072419feac1cb513a16c

SHA256
f62354c16eaaab66c3d93f73fc9142072b50cf69f771583b752572c752b209b0

SHA512
196a1052dc767898d1ae6ce6a498ce43a72f9d632d7e4a35b56417c9a0ff5e5bb7ecf1cc459dcf3d3d6b6930361948962920fab1e423df231c3a42b90b187843

Download Submit
memory/1720-3-0x000007FEF52A3000-0x000007FEF52A4000-memory.dmp

Filesize
4KB

Download
memory/1720-4-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

Filesize
9.9MB

Download
memory/1720-2-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

Filesize
9.9MB

Download
memory/1720-1-0x00000000008A0000-0x00000000008B4000-memory.dmp

Filesize
80KB

Download
memory/1720-0-0x000007FEF52A3000-0x000007FEF52A4000-memory.dmp

Filesize
4KB

Download
memory/1720-1071-0x000007FEF52A0000-0x000007FEF5C8C000-memory.dmp

Filesize
9.9MB

Download