3730e9cba4a93bc985ef7cd2368ccbf5eccd4724f514b38b20e320e5553dd08d

Resubmissions

25/03/2025, 13:12

250325-qfl42aznw9 10

25/03/2025, 13:09

25/03/2025, 13:05

25/03/2025, 13:01

25/03/2025, 12:55

25/03/2025, 12:51

05/02/2025, 11:16

16/07/2024, 08:54

Analysis

max time kernel
104s
max time network
115s
platform
windows10-ltsc_2021_x64
resource
win10ltsc2021-20250314-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
submitted
25/03/2025, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
Size

52KB
MD5

ba9210de03de945901f02792f7994871
SHA1

20c4569cbb6f2650b02f6a5257faa8a8dfb298bd
SHA256

ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d
SHA512

277d26eea627b3da26664aaa4f72a7b79cd50311e45c59333563b4f58b76e6562cbaa1d55127c69d0830864721efa890fa824e1be381cca5e84bddc98f2b44d0
SSDEEP

1536:EJJRZQJes5b0k5bbyu6hXOKJrkH6sNNW:oJRa4kLmNVOKJIasNE

Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\README_2081251.txt

Ransom Note

Hello! All your files have been encrypted... Your personal Id: JSO+F4GXS7XFVUNpMVbqnRpC9D+g1jgJDdq3GYOQjIWG4qJCQ0Fez6S1quW0t1/ZHlCYExTsnWAainxp0omf2bKmaVq6Ms/P7zCxT706+VoG27nu8bgbJn4Pob3Y/lbdvMemQQY5/NYI46fYbqUHytxw7uNP5fzt9573C8EXVJK1gXU+xY0o2yFNe+SjYhqply4QLpoMIWM/he74Smr0xFHr3lzMW+fLviEc+nOGgf7cwOh4/aa0TubyrpSpbHFNC9TRZ5nPATnZwXka3QtAOrvH+X2+ix71dYqXTJKk0o9uqG00t+LAit8mCMZYiIwxh+MyFJf1SZszDPPjwK1vIg++ZW4tVVNfMjA4MTI1MV9BZG1pbl8zLzI1LzIwMjUgMTowOTozOSBQTV9XaW4gMTBfYmx1dDRfZWNmYjVjOTVkMGYzZDExMjY1MGVmNDA0NzkzNmU4ZmE1MjQ0YzIxYzkyMWY2YzdhNjk2M2U5MmFiYWI0OTQ5ZA To decrypt your files, write to email: [email protected] or [email protected] In the letter, send your personal Id and 2 small encrypted files for trial decryption. If you dont get answer from [email protected] or [email protected] in 72 hours, you need to install tor browser, you can download it here: https://www.torproject.org/download/download.html.en After installation, open the tor browser to website: http://t5vj34iny72dpdu4.onion and follow the instructions. Do not try restore files without our help, this is useless, and can destroy you data permanetly. However, the files can be recovered even after the removal of our program and even after reinstalling the operating system. Download the decoding video here: https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Emails

[email protected]

URLs

http://t5vj34iny72dpdu4.onion

https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
3356	bcdedit.exe
5916	bcdedit.exe

Disables Task Manager via registry modification
defense_evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Control Panel\International\Geo\Nation	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe"	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Drops desktop.ini file(s) 23 IoCs

description	ioc	Process
File created	C:\Users\Admin\3D Objects\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Documents\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Music\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\OneDrive\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Pictures\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Documents\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Videos\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Contacts\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Downloads\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Libraries\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Music\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Pictures\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Links\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Desktop\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Downloads\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Favorites\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Searches\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Videos\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\AccountPictures\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Desktop\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\README_2081251.txt	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Program Files\README_2081251.txt	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\README_2081251.txt	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1736	PING.EXE

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
3276	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\Local Settings	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
1736	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
Token: SeBackupPrivilege	5352	vssvc.exe
Token: SeRestorePrivilege	5352	vssvc.exe
Token: SeAuditPrivilege	5352	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1668 wrote to memory of 2344	1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	94
PID 1668 wrote to memory of 2344	1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	94
PID 1668 wrote to memory of 732	1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	96
PID 1668 wrote to memory of 732	1668	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	96
PID 2344 wrote to memory of 3276	2344	cmd.exe	98
PID 2344 wrote to memory of 3276	2344	cmd.exe	98
PID 732 wrote to memory of 1736	732	cmd.exe	100
PID 732 wrote to memory of 1736	732	cmd.exe	100
PID 2344 wrote to memory of 3356	2344	cmd.exe	102
PID 2344 wrote to memory of 3356	2344	cmd.exe	102
PID 2344 wrote to memory of 5916	2344	cmd.exe	103
PID 2344 wrote to memory of 5916	2344	cmd.exe	103

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
"C:\Users\Admin\AppData\Local\Temp\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:3276
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3356
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:5916
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:732
- - C:\Windows\system32\PING.EXE
    ping -n 1 -w 5000 10.10.254.254
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:1736

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\README_2081251.txt

Filesize
1KB

MD5
afdd25e53dec9af165d0b3d910e0da06

SHA1
3e3eaedef6d53f740023268478aa319f04acf7c7

SHA256
dd6acf889a42a31591a3b715dc6fc10044ccd186c000982e4f3806883e703a17

SHA512
d810096905d11ee238e723762ae003b297abfc27324796f9cc932498adbddf94ed973a41a304d542bb733fd6882f13f2bf9e6d59142ab62aa528915c929d68d3

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi

Filesize
728KB

MD5
e3c126614613701a2cfd9a0325863cd4

SHA1
c908b1b94bd99df043a119a5837c404931f0e012

SHA256
6af48db9202993538d84a2e33031fcd302069fbc27e30dc00d5483851cbd1cc0

SHA512
0c3ad1ab6b86a275fc9429824882ba0798e41b443ecb0d5dca87965fee5b7c71a414acfc86292323765213f8edbf91b3452fc6d0536de9086574c516bc3fc05f

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
140KB

MD5
74c6c5927298ee29c7a75efe3ae2c30a

SHA1
daa2818119fbe9dd1843e305f15e9efecf12e96a

SHA256
06c34015340707da33b6092cd5fe0c860d049dc73f72e9276d4b4ec5729a19a2

SHA512
690263529f013f6a3a89e119091905b3c544f6f722c2b258c22f8bb84e38dc9dc66a2220861c3f9ea8b5de51a3c3f057dfc1ef3a1de6a614ed35da705b8b22e7

Download Submit
C:\ProgramData\Package Cache\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}v64.8.8795\dotnet-runtime-8.0.2-win-x64.msi

Filesize
26.2MB

MD5
1641d4790e780a180c8fde5ad5444212

SHA1
a4de318f35eeda0bef8000ca6a190f669e8038be

SHA256
27e0cc73921c3d4bea1246b61837c7c84c5165f6dc5c8236f27522dc01124580

SHA512
718f5baf98dd07b58ff87bcd037accd26e862cc7a8c853e6c872d3aea31c7720142dbad4febb68df931ef12ee7b9711953bd42e85020c355e659d4063de58cfa

Download Submit
C:\ProgramData\Package Cache\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}v64.8.8806\windowsdesktop-runtime-8.0.2-win-x64.msi

Filesize
28.9MB

MD5
b410057c4e8c3ec47c2338f88e0446c9

SHA1
912ef33a8674e1570d19d90547b50ac51d54080c

SHA256
453c8767d921522c6687ff3e31cbf2351e8ae272bebb719dfbe9e78f937c16da

SHA512
6ff631fdb7569af8332a3d334022a2f531e91f4bffecfa29a65866393fd4adf33b67b80a87f68cf54f9c86cb310104dfa523a2ea5c568d3cfde8ae494f3d5c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.bat

Filesize
167B

MD5
d1df9bb96b34b2b9cba30dc139a00ef8

SHA1
44e80d8b875f296f7087eadc0584276fb68fa323

SHA256
17bdd9c1355d56e607eae45138d64ed86ebb1369dfcdf4f7ef313124c2f098bc

SHA512
7029c53a5de207b495c512bbfc160ccb1d76fb0101ff5bef497cc0bfa570228b5d641e3fb34ee4d17585a19e4ce0b1337f7e14750c70a014d69c1d8afa4f7ec2

Download Submit
C:\Users\Admin\AppData\Roaming\delback.bat

Filesize
147B

MD5
2450c91afcc2d4cc3dea374820bed314

SHA1
dd1b61d0aa6d1769018c1d3144de9bb960a64d3c

SHA256
4f157084c6e48b547e698ed83ae9a853a4db4b7a115249db272e3eb93316f7df

SHA512
b0b21d16b7f35bfc5526ed07407ec85a221a7a036827b65dce0a449d02a31f3f6f5ce2fbf94f0af01ce4a248b27ccf5f287dd2746ee423766be8d366f78ccc91

Download Submit
C:\e78e1d0c9eae6c1f7f6a1fd778643e57\2010_x64.log.html

Filesize
86KB

MD5
5587671ae7b178d0eace23a5c73f7a97

SHA1
65792804881fab7bd1be903e07fb79b5c849cab6

SHA256
f42a043296e1f7fc79dd5b96a6348755d150a4767f8dae8e022e41194ce48a99

SHA512
9fc4ad48ac6b6c3307c50f2734b73f2c44a7891b04d616c6d5061f6bdc15109b96b3bd4c14b149ed918998e089dbac68c295e3bffab9b7038d49af77d8344dbd

Download Submit
memory/1668-263-0x00007FFCDCF90000-0x00007FFCDDA52000-memory.dmp

Filesize
10.8MB

Download
memory/1668-75-0x00007FFCDCF93000-0x00007FFCDCF95000-memory.dmp

Filesize
8KB

Download
memory/1668-0-0x00007FFCDCF93000-0x00007FFCDCF95000-memory.dmp

Filesize
8KB

Download
memory/1668-2-0x00007FFCDCF90000-0x00007FFCDDA52000-memory.dmp

Filesize
10.8MB

Download
memory/1668-1-0x0000000000440000-0x0000000000454000-memory.dmp

Filesize
80KB

Download
memory/1668-895-0x00007FFCDCF90000-0x00007FFCDDA52000-memory.dmp

Filesize
10.8MB

Download
memory/1668-897-0x00007FFCDCF90000-0x00007FFCDDA52000-memory.dmp

Filesize
10.8MB

Download