3730e9cba4a93bc985ef7cd2368ccbf5eccd4724f514b38b20e320e5553dd08d

Resubmissions

25/03/2025, 13:12

250325-qfl42aznw9 10

25/03/2025, 13:09

25/03/2025, 13:05

25/03/2025, 13:01

25/03/2025, 12:55

25/03/2025, 12:51

05/02/2025, 11:16

16/07/2024, 08:54

Analysis

max time kernel
100s
max time network
106s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
25/03/2025, 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
Size

52KB
MD5

ba9210de03de945901f02792f7994871
SHA1

20c4569cbb6f2650b02f6a5257faa8a8dfb298bd
SHA256

ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d
SHA512

277d26eea627b3da26664aaa4f72a7b79cd50311e45c59333563b4f58b76e6562cbaa1d55127c69d0830864721efa890fa824e1be381cca5e84bddc98f2b44d0
SSDEEP

1536:EJJRZQJes5b0k5bbyu6hXOKJrkH6sNNW:oJRa4kLmNVOKJIasNE

Score

10^/10

defense_evasion discovery evasion execution impact persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\README_3499930.txt

Ransom Note

Hello! All your files have been encrypted... Your personal Id: IkxOr1eysYafde1iaxbpZmniXyfoRKjjlMV1+tItfDG7N4xrBsI7Nvq4wirkA38BCEBVlJ2SScuK3+a0SPYONnD/DM4zhcpkIGyApnF3TOE5coc5DvwWHkmsHKEuNxemmp+0e7ZbWNtVm2LPvkG+g/Q/5dAu1w99NSBAS6DAVeIy0X0C+8UOS3LdKJCCeLsds8zywWj3rrrr9x57E31mM/7X6SVSTKEl1/PlySlEEwP0JjHSiAcP6QW0oXQCNPZovgCAU8i9ZZoicLEH1jLQh1MS9qCKqWp6NI7MI+GbekeUpeTZZMiHNrvGI1Rsd/a9EsHyJhB1yaubtlq3pnkzGw++ZW4tVVNfMzQ5OTkzMF9BZG1pbl8zLzI1LzIwMjUgMTowOTo0MCBQTV9XaW4gMTBfYmx1dDRfZWNmYjVjOTVkMGYzZDExMjY1MGVmNDA0NzkzNmU4ZmE1MjQ0YzIxYzkyMWY2YzdhNjk2M2U5MmFiYWI0OTQ5ZA To decrypt your files, write to email: [email protected] or [email protected] In the letter, send your personal Id and 2 small encrypted files for trial decryption. If you dont get answer from [email protected] or [email protected] in 72 hours, you need to install tor browser, you can download it here: https://www.torproject.org/download/download.html.en After installation, open the tor browser to website: http://t5vj34iny72dpdu4.onion and follow the instructions. Do not try restore files without our help, this is useless, and can destroy you data permanetly. However, the files can be recovered even after the removal of our program and even after reinstalling the operating system. Download the decoding video here: https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Emails

[email protected]

URLs

http://t5vj34iny72dpdu4.onion

https://content.screencast.com/users/tywlgpwg/folders/Default/media/3c1aeb4c-5386-41df-8eee-346487877522/decryption.avi

Signatures

Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047

Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
2448	bcdedit.exe
2356	bcdedit.exe

Disables Task Manager via registry modification
defense_evasion

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Adobe\\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe"	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Drops desktop.ini file(s) 24 IoCs

description	ioc	Process
File created	C:\Users\Admin\Desktop\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Favorites\Links\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Music\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\OneDrive\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Desktop\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Libraries\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Links\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Saved Games\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Searches\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Videos\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Music\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Pictures\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Documents\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Downloads\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Pictures\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\AccountPictures\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Downloads\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Contacts\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Admin\Favorites\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Documents\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Users\Public\Videos\desktop.ini	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\README_3499930.txt	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
File created	C:\Program Files\README_3499930.txt	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\README_3499930.txt	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4404	PING.EXE

Interacts with shadow copies 3 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

Direct Volume Access

T1006

pid	Process
2336	vssadmin.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4404	PING.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
Token: SeBackupPrivilege	2016	vssvc.exe
Token: SeRestorePrivilege	2016	vssvc.exe
Token: SeAuditPrivilege	2016	vssvc.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 6072 wrote to memory of 3748	6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	79
PID 6072 wrote to memory of 3748	6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	79
PID 6072 wrote to memory of 4912	6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	81
PID 6072 wrote to memory of 4912	6072	ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe	81
PID 3748 wrote to memory of 2336	3748	cmd.exe	83
PID 3748 wrote to memory of 2336	3748	cmd.exe	83
PID 4912 wrote to memory of 4404	4912	cmd.exe	84
PID 4912 wrote to memory of 4404	4912	cmd.exe	84
PID 3748 wrote to memory of 2448	3748	cmd.exe	87
PID 3748 wrote to memory of 2448	3748	cmd.exe	87
PID 3748 wrote to memory of 2356	3748	cmd.exe	88
PID 3748 wrote to memory of 2356	3748	cmd.exe	88

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe
"C:\Users\Admin\AppData\Local\Temp\ecfb5c95d0f3d112650ef4047936e8fa5244c21c921f6c7a6963e92abab4949d.exe"
1⤵
- Adds Run key to start application
- Drops desktop.ini file(s)
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:6072
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\delback.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3748
- - C:\Windows\system32\vssadmin.exe
    vssadmin delete shadows /all /quiet
    3⤵
    - Interacts with shadow copies
    PID:2336
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} recoveryenabled no
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2448
- - C:\Windows\system32\bcdedit.exe
    bcdedit.exe /set {default} bootstatuspolicy ignoreallfailures
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2356
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\update.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4912
- - C:\Windows\system32\PING.EXE
    ping -n 1 -w 5000 10.10.254.254
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4404

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Direct Volume Access

T1006

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\README_3499930.txt

Filesize
1KB

MD5
f82eb1a4352bbdc89c3ca41d25ea94fb

SHA1
3bb1d57f997faada8be5dc806d34663a7c95fde8

SHA256
194b41553a4f7f01cf6d6c0db3c18941b227813efdb04cad8082ade083568b39

SHA512
ccc41d518c4113b74ea64edd124ecb1aa75050cac044ec4ab7ca5ab010f96f768602b4459911a1b14bce862d8cbf8934d44f3ad4a98b9be9390b409ecf6d02d2

Download Submit
C:\ProgramData\Package Cache\{2BB73336-4F69-4141-9797-E9BD6FE3980A}v64.8.8795\dotnet-host-8.0.2-win-x64.msi

Filesize
728KB

MD5
885d8a1f72ea052d64dca58abd5b048d

SHA1
2a137c94e5a0d5a805621da5ae48406c49a4444d

SHA256
c124c179c7796f48b88ca444f99a5350b43c8b1ac5cba4bc9a1c840f4ec7ce89

SHA512
9c10e9e336b9713835f71da30fb21caf0b06c64a6057370d4139450ca28a4e3b97e33d75aa8ef8c9a03ac09878bc53755d7672a515c9c056f3f2d88b8f6605ef

Download Submit
C:\ProgramData\Package Cache\{5740BD44-B58D-321A-AFC0-6D3D4556DD6C}v12.0.40660\packages\vcRuntimeAdditional_amd64\vc_runtimeAdditional_x64.msi

Filesize
140KB

MD5
b5ad00efa71f00664a27c10256787dcc

SHA1
7dff71ebabe60d3f8e8afc38ec28b1028b9826b5

SHA256
06f1e765cc35b37dbe5f4e74c665a3f5006ffebbe1e26abbe2274efad711e094

SHA512
b612cf09859c4b3bb7d9a239484799e19526d62490603ae12287731789d284a10a81c07fd20c8e247417758657c4d9d01b06f15e0ff59effb16c860f9b7ddc72

Download Submit
C:\ProgramData\Package Cache\{C7B73281-AB0A-4DAD-A09F-5C30D40679AC}v64.8.8795\dotnet-runtime-8.0.2-win-x64.msi

Filesize
26.2MB

MD5
7caa94155ac53abc367901903a40321e

SHA1
9df40b9f55cedcddeea96478667ef0cdbf66f1ad

SHA256
0b79bb4052fcb6ff47d5c6be8229470fc05b46051a4cd297da7119636994b8ff

SHA512
c129ebecb5012d816b1b687d0874fb99be5dcac76037ba009a749810214c5e088bc2dad45cc9720170b2bfd3527eb9775466c2a78a1d1b7b9feb04e882b062a1

Download Submit
C:\ProgramData\Package Cache\{D46F1FD9-2FE8-4D05-B2AC-011C23B69B24}v64.8.8806\windowsdesktop-runtime-8.0.2-win-x64.msi

Filesize
28.9MB

MD5
ec7c79a503c26d502fd7947340c964b0

SHA1
a3ef496f313bb05e3e75046ade06db4911a56fcc

SHA256
2d66207bf5e08c474adf212840505992e57bb0c28329cfc8de43a0e2202ce0e7

SHA512
29d66c43825c6063afb93f2d9859baf0d7c168249536aef1742d60566d3549c03c637d47cb17834981d442b4ac35b6b21c3fb9d68d91b05d7a2cefb00beb60d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\update.bat

Filesize
167B

MD5
d1df9bb96b34b2b9cba30dc139a00ef8

SHA1
44e80d8b875f296f7087eadc0584276fb68fa323

SHA256
17bdd9c1355d56e607eae45138d64ed86ebb1369dfcdf4f7ef313124c2f098bc

SHA512
7029c53a5de207b495c512bbfc160ccb1d76fb0101ff5bef497cc0bfa570228b5d641e3fb34ee4d17585a19e4ce0b1337f7e14750c70a014d69c1d8afa4f7ec2

Download Submit
C:\Users\Admin\AppData\Roaming\delback.bat

Filesize
147B

MD5
2450c91afcc2d4cc3dea374820bed314

SHA1
dd1b61d0aa6d1769018c1d3144de9bb960a64d3c

SHA256
4f157084c6e48b547e698ed83ae9a853a4db4b7a115249db272e3eb93316f7df

SHA512
b0b21d16b7f35bfc5526ed07407ec85a221a7a036827b65dce0a449d02a31f3f6f5ce2fbf94f0af01ce4a248b27ccf5f287dd2746ee423766be8d366f78ccc91

Download Submit
C:\d9fcf17b622c76562d58\2010_x86.log.html

Filesize
80KB

MD5
997404b1b6188876626901c5b2645504

SHA1
5854a765883f6a9d6e8461a534cc3b8e649b46e9

SHA256
fb57646722e58fc2c8a17695911a49995c84aed6ac99107a21921bc14dbcb7e7

SHA512
bcafca7a8d51e5eb9f5112143d36eac627e5c58da3eafc9d415906fe53cf1b63520c5cd51f98d7ffc2f0054e2e7159c2f68b21c5c48a43ed25093df06834bcb0

Download Submit
memory/6072-4-0x00007FFA06AB0000-0x00007FFA07572000-memory.dmp

Filesize
10.8MB

Download
memory/6072-3-0x00007FFA06AB3000-0x00007FFA06AB5000-memory.dmp

Filesize
8KB

Download
memory/6072-2-0x00007FFA06AB0000-0x00007FFA07572000-memory.dmp

Filesize
10.8MB

Download
memory/6072-1-0x00000000003A0000-0x00000000003B4000-memory.dmp

Filesize
80KB

Download
memory/6072-0-0x00007FFA06AB3000-0x00007FFA06AB5000-memory.dmp

Filesize
8KB

Download
memory/6072-800-0x00007FFA06AB0000-0x00007FFA07572000-memory.dmp

Filesize
10.8MB

Download
memory/6072-801-0x00007FFA06AB0000-0x00007FFA07572000-memory.dmp

Filesize
10.8MB

Download