Analysis
-
max time kernel
45s -
max time network
48s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
19-01-2023 12:00
General
-
Target
GSecurity.exe
-
Size
851KB
-
MD5
690eee0e48261b646ac54a1866c32510
-
SHA1
ccd9ce1e952026508a233efba834b1de6b3c2490
-
SHA256
82525d214350151c4ecff9c9dd3bf18acaeee43d34834092b0849d1e96d4b9d7
-
SHA512
e5fc6039654e323b89116db02c5c98fec7f955d7c122c8c9cb801d8f917cf947a298760d71d62a259d1cced0da1b5be206066c24774d90916f531873351845d1
-
SSDEEP
24576:kddFMz0EjoWKPP92qQjKngMEPSQZsv/943JfIY6T8:kdd6z08od2bjxPPNZa943JwDI
Malware Config
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
Modifies firewall policy service 2 TTPs 60 IoCs
-
Modifies security service 2 TTPs 4 IoCs
-
Modifies system executable filetype association 2 TTPs 36 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Possible privilege escalation attempt 6 IoCs
-
Sets file execution options in registry 2 TTPs 44 IoCs
-
Allows Network login with blank passwords 1 TTPs 1 IoCs
Allows local user accounts with blank passwords to access device from the network.
-
Loads dropped DLL 1 IoCs
-
Modifies file permissions 1 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 15 IoCs
-
Modifies powershell logging option 1 TTPs
-
Drops file in System32 directory 20 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.
-
Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies data under HKEY_USERS 12 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\GSecurity.exe"C:\Users\Admin\AppData\Local\Temp\GSecurity.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Setup.bat" "2⤵
- Drops file in Drivers directory
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 4373⤵
-
C:\Windows\SysWOW64\fsutil.exefsutil dirty query C:3⤵
-
C:\Windows\SysWOW64\where.exewhere powershell3⤵
-
C:\Windows\SysWOW64\fsutil.exefsutil dirty query C:3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\PowerShell -NonInteractive -WindowStyle hidden -command Set-MpPreference -EnableNetworkProtection Enabled; Set-MpPreference -EnableControlledFolderAccess Enabled; Set-MpPreference -DisableRealtimeMonitoring 0; Set-MpPreference -DisableBehaviorMonitoring 0; Set-MpPreference -DisableBlockAtFirstSeen 0; Set-MpPreference -MAPSReporting 2; Set-MpPreference -SubmitSamplesConsent 1; Set-MpPreference -DisableIOAVProtection 0; Set-MpPreference -DisableScriptScanning 0; Set-MpPreference -PUAProtection Enabled; Set-MpPreference -ScanAvgCPULoadFactor 50; Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550,D4F940AB-401B-4EFC-AADC-AD5F3C50688A,3B576869-A4EC-4529-8536-B80A7769E899,75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84,D3E037E1-3EB8-44C8-A917-57927947596D,5BEB7EFE-FD9A-4556-801D-275E5FFC04CC,92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B,01443614-cd74-433a-b99e-2ecdc07bfc25,c1db55ab-c21a-4637-bb3f-a12568109d35,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,d1e49aac-8f56-4280-b9ba-993a6d77406c,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,26190899-1602-49e8-8b27-eb1d0a1ce869,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,e6db77e5-3df2-4cf1-b95a-636979351e5b,56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled; Add-MpPreference -AttackSurfaceReductionOnlyExclusions $env:SystemRoot'\assembly'; Add-MpPreference -AttackSurfaceReductionOnlyExclusions $env:SystemRoot'\Microsoft.NET\Framework\*\NativeImages'; Add-MpPreference -AttackSurfaceReductionOnlyExclusions $env:SystemRoot'\WinSxS\*\*.ni.dll'; Add-MpPreference -AttackSurfaceReductionOnlyExclusions $env:ProgramData'\Microsoft\Windows Defender';3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\LGPO.exelgpo /g C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\auditpol.exeC:\Windows\system32\auditpol.exe /clear /y4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\auditpol.exeC:\Windows\system32\auditpol.exe /restore /file:"C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\{2F66C256-45AE-4F0B-9682-5410727195E6}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Users\Public\Desktop" /r /d y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Drops file in System32 directory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Public\Desktop" /inheritance:r3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Drops file in System32 directory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Public\Desktop" /grant:r "Admin":(OI)(CI)F /t /l /q /c3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Drops file in System32 directory
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Users\Admin\Desktop" /r /d y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Drops file in System32 directory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\Desktop" /inheritance:r3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Drops file in System32 directory
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\Desktop" /grant:r "Admin":(OI)(CI)F /t /l /q /c3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Drops file in System32 directory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Uninstall-ProvisioningPackage -AllInstalledPackages"3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=all3⤵
- Modifies Windows Firewall
- Drops file in System32 directory
-
C:\Windows\SysWOW64\reg.exeReg.exe import GSecurity.reg3⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies firewall policy service
- Modifies system executable filetype association
- Allows Network login with blank passwords
- Adds Run key to start application
- Drops file in System32 directory
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v SavedLegacySettings /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v DefaultConnectionSettings /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /f3⤵
- Sets file execution options in registry
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /f3⤵
- Sets file execution options in registry
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" /f /reg:323⤵
-
C:\Windows\SysWOW64\bitsadmin.exe"C:\Windows\system32\bitsadmin" /reset /allusers3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxySettingsPerUser /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /f /v HideSCAHealth /t REG_SZ /d 03⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /f /v HideSCAHealth /t REG_SZ /d 03⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\SYSTEM\CurrentControlSet\services\wscsvc" /V Start /T REG_DWORD /D 2 /F3⤵
- Modifies security service
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f3⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /f /v NoWindowsUpdate3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\SYSTEM\CurrentControlSet\services\wuauserv" /V Start /T REG_DWORD /D 2 /F3⤵
- Modifies security service
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /f /v DoNotAllowExceptions3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /f /v EnableFirewall /t REG_DWORD /d 0x000000013⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\SYSTEM\CurrentControlSet\services\MpsSvc" /V Start /T REG_DWORD /D 2 /F3⤵
- Modifies security service
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 0x000000003⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend /f /v Start /t REG_DWORD /d 0x000000023⤵
- Modifies security service
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /f3⤵
-
C:\Windows\system32\gpscript.exegpscript.exe /RefreshSystemParam1⤵
- Drops file in System32 directory
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "6"1⤵
- Drops file in Windows directory
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\Default.cmdFilesize
754B
MD54456b2cc70f07ca2b454f58c219a2962
SHA1f2de2afed43b7d1345f25d861e0212cbc8a7ae70
SHA256d6298067d6cf2c5ec58c652944bcdb1c907d54e799f1e9d19bf64c3962ac912f
SHA512580d780f3c1b8fd3bb4974095b007ab6f56063b5fa83e4dede875906c2f5a99dec236db2751c0858cf52797efab5a16cd9d2009d7b5f1a098f967093a4a99c6f
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\GCleaner.cmdFilesize
8KB
MD5bc47b8370d537b2a1b42db0fd8b45f52
SHA1b1ebe7e18c62114ec293d9c6d6a6a3a11c165376
SHA25669fd3d2cb5ab22aa7048c52acb3966d20418ebdb1122a8e2202401532bc2c3c4
SHA51268ac0e668a24703c39ecc4b6b479cb49b0e90b07e903ee70ee7fa96835d9a02ac21d1f7d3472ae7ad6fb0733546eed13bc106705328582677cb191705cdf4dad
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\GSecurity.cmdFilesize
17KB
MD5a58cdfed001a7ed5ef0424d065ade878
SHA1c62d2988899f47ad4e1d7dbd984686ce1895fbfe
SHA256108ca7617704d247a178639a0e5a784c4aab7ca21d9b140a613dc735c2be78c4
SHA51215993f149d582837bab39a9fd051ac320cd7493715c1268ebfa66701fe6a1ae9bb60d47fc91d5d089fdb7361d765cac66c496199c8eaf193b0ef26769766f06f
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\GSecurity.regFilesize
402KB
MD5ea863eaf37b5c2ca56b2f7b245bfe9c9
SHA146d8c13202685316b3f7e3f49d805775b5503575
SHA2567ad440b3d5be201b52970cc011010fba5240086fc5c0037349cfca64db697fb7
SHA5121f6ac0a9e99fd37a6bd066193585535e48b99513016035e59961f5f0a13fb173d1438ae2ec5459b072f34e591dcc594f664db8756acff8a2d22c1cb2fc993495
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\LGPO.exeFilesize
469KB
MD5fdf6c1f114a0fd2a144a6a126206461c
SHA1bacfef8c102b1791ebe3229324cdf75da3171952
SHA2560c97f29543418b30340c4ff5d930d31e6196dd59c2cc74b6b890fa7b90c910c7
SHA5129d941f1bb73c999f7f3c54f20a673fc4bc0342ba1d5c43e271e70f67294a63253878f8ab412e5b6ec39468e556c37dadeff0c167b22dd1bb675eca93d4e2cbce
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\LGPO.exeFilesize
469KB
MD5fdf6c1f114a0fd2a144a6a126206461c
SHA1bacfef8c102b1791ebe3229324cdf75da3171952
SHA2560c97f29543418b30340c4ff5d930d31e6196dd59c2cc74b6b890fa7b90c910c7
SHA5129d941f1bb73c999f7f3c54f20a673fc4bc0342ba1d5c43e271e70f67294a63253878f8ab412e5b6ec39468e556c37dadeff0c167b22dd1bb675eca93d4e2cbce
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\Windows Auto Configure.cmdFilesize
425KB
MD5481a7a7f22375dc884b6fc32303259c7
SHA1a67d3e99460417fb3209f9f138a45ac5df101560
SHA256676c02bce686b66f66dbf7bf9a80519e999c414f8abf2684e636521766e58299
SHA51224d777046dfc9b44ac7ebfd3a34248b0d59874f2cb24a81c27024b9d7b6d8b3a8a0bd036832081dacda2af4b734b8879dc68f3c72f379d729434db2741960b42
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\{2F66C256-45AE-4F0B-9682-5410727195E6}\Backup.xmlFilesize
6KB
MD5fec543270099e8e0b511af397f5a45af
SHA15861518cfe47d31730e2d345d7cd508b345832fb
SHA2562a139ba072a192ae9d8e6a35181f451b2a555a4ab235fdc418a2eb4d5a7cda7c
SHA512bacffbd87dd2c2419b03880572fb1dbf6117815fc14bff7c1890365c9c64e4f2e2b2b8b0aba0a91645ff22821adcc4120632131d14247ca5de4d0bbe9ad21fe5
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\{2F66C256-45AE-4F0B-9682-5410727195E6}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csvFilesize
5KB
MD515f39814e8869ad9a08c76dfb0b7767a
SHA1eebc2506c8a3c7f3bda126621bccbb916b64a385
SHA256562640690a95aed2d94fed072fa4004cd6589bbaab17f2646d05d8d00dc323cd
SHA51229f11ae6b37ed3113a08b00be9b272fb8b2a368525dba5de8d09ee05e1567629b80f14bb70e324da5e4ad7260d5636a8d9122ecc7af95324a0f08a8f0e8ae6bb
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\{2F66C256-45AE-4F0B-9682-5410727195E6}\DomainSysvol\GPO\Machine\registry.polFilesize
158KB
MD56682405d042a96b9780d5f3a7eca9696
SHA1040abfb571257c8badaac1c71634cdb20985fb1e
SHA2560ccc07817161b99c9b76eb1c76ee4cb73dc0c895b7d9f05295e109b0c5e9588e
SHA5121fa16e99206f54fb10463e2a40b582b54cb2a77f759466316c10f3990da114bd8b03d49864b29c2fd1ca9e80ac2ca6416ed8913d5b6cc21543ffdfda6bbd4469
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\{2F66C256-45AE-4F0B-9682-5410727195E6}\DomainSysvol\GPO\User\registry.polFilesize
1KB
MD54f2f4a469381a7831bf4f399ccd62d3c
SHA169c0b8aa73718cd480776c5c6a5cb1a228c30258
SHA2565288c00c01e3f9fd0f70e5f55eaa7d3753378f296951bb041de47317ba3c669c
SHA512114e9d2497b131175c1b39a6dc9a939f54ec36ae63b152e72169d698e89b036f22272a27dfe5e1b74b9e6299c012d5db46df509a61ca5be1a72835ccd1e04c4b
-
C:\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Setup.batFilesize
751B
MD5e891627d232c5676ba3fc37cd3c1c4da
SHA190f0f18b00fc3039d183092dfc144cac15211ddc
SHA256407ae179eecd183bc8c9a938649127a63c76a5f9436e3aa8977103e23a89b0d1
SHA512a4ae767155775bf22173e3b38ab5c45d82085667c9f990bd8a4a5bd1c8b8d4effd4d0ede5652744aab9f2d9215efca95b1acf21fe23f2793a6ab51b865b8003c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD5065c6ff004def915f91c1d1329ca2d94
SHA11b6fcd797dafdd3c02dff7cfa845ae444903193e
SHA25660efa386992210c57d093acdc99323d849159964610ce322f98b416963defc81
SHA5124ffb76cad8be4b959a53c89405b3acd3d645045ecc452cb8f4528d988b030c90d827b983b8199a685e489acee0fe1876305d427d9eef669189e7062cc13d1cd0
-
C:\Windows\system32\LogFiles\SAFER.LOGFilesize
2KB
MD5a0259e08a38920dca8eb6ca50a38e24b
SHA195f5767d353f3723bd0feb430889fe22381b23d3
SHA256f9f18bd92c33f8c6041b32531ede97b07f1090ede455021b4580b399792c30c1
SHA512b320f5212b8a8260fdc173929e176fe96cf8fd1cc0697cb787800353b91d84b417dc6da4435c5d6666dd0b097a65670b3b4718856f07c227b1eebcc2185d2fd3
-
C:\Windows\system32\LogFiles\SAFER.LOGFilesize
3KB
MD51e6e146ef23b87a796002aefbccd690b
SHA1d9c3090e5c6b7eb3b2f99ef0a75f982b7e34cd2a
SHA2565bc689f51b800374cfe966d57f2dc636f539db44cecb44b4f39452b2ab870384
SHA512f6f01da45eae8c760a7f65d773085b614872951c3662ff002eaa8ef974aa740c629bed1b222ea4f85b11b5d777561f555463772d5ecff68efe36f7485b7d6a93
-
C:\Windows\system32\LogFiles\SAFER.LOGFilesize
3KB
MD5540c9f1221b583e967cc1ce6f9c78350
SHA1cab79d7d59e7b60a1de80b9c79169ee0aa72dcfb
SHA256b7995ae074a7ab439e10919134d65373c5cae7cebd1a929868f2708ba8e686ea
SHA512ae9617cd3b2713d3eada26929132b7b69325abb11598f38bd3b05b35082d9efa590c708623ad39f068c8455394ab9d67a3c878a72edbc2b6e617882e47981d43
-
C:\Windows\system32\LogFiles\SAFER.LOGFilesize
6KB
MD5aad0a51f543efee64bdd56fef5148ca1
SHA153e0443cf61a22f454b4b32f6ef5530544f7e882
SHA256055b2760b10dd8f1f74b98c614e763c2a0c22de3fd472b1b2dee16cf56ed1dc5
SHA51203f92f3c6cc6c5911ddd30a6547e74fb5c69292959102ab876da6312a43ab63641b18f815c794a39dac0fae689a784b1d2f8fa2609ea06dcd19266ead50ca5eb
-
C:\Windows\system32\LogFiles\SAFER.LOGFilesize
7KB
MD5198581f2233396c30e5a9113750423ef
SHA1207602dc23ef42ad8198bd5043dc8487da214aa9
SHA256186d207e4ad389ec367b704251e2e5ac63f0a75734a86c0733fe9e52b5895609
SHA5121c3e9e7930d8cbf5d430f46262e7cfa0b0c1611d5a42c5b47ccce9f8349ce8b74452a7a98005d490e5de58ade0fefd8465ed0a748c547c3e39a935a09c5ab234
-
C:\Windows\system32\LogFiles\SAFER.LOGFilesize
7KB
MD50f64e28d3a661761932229652b6d0fc7
SHA182b29ad66033bdf65c3d962bbff06f555fc0c8d4
SHA2568879d647a9f74782e1c8087c15d33c94660277f736bc2c496375d0f2058e6caf
SHA5121e75673b0d67ddd184aad958b20de89ea4a1c535dd3ebfe95e2d996a254070d724418d60c965bc4703477bc5311fb80b5001af7415fb1b7707afcdbc7a2d9dcf
-
C:\Windows\system32\LogFiles\SAFER.LOGFilesize
7KB
MD5e30936fee064d4775ee350a829a92785
SHA176880ca0a1f87aef1f075f98b67d2ae3dad00861
SHA25682f28442d93bf0dac1c73e7f6446862d53dd33938bd2f33bda9b7133525f4fe9
SHA5123ada13eff75bbe34e7f10b13c3162cb93da0d4fe657ebd1f8a143300a2d9a0d85c8c3c91feb7e1c2e9e12d7b72995bb277e687ad42c2a30606f9964284f5bab6
-
C:\Windows\system32\LogFiles\SAFER.LOGFilesize
27KB
MD567a1560bc708a47c51d2a7dbfa6cda49
SHA121269c88dcf646bde60e50849b52a370ff135a09
SHA25614994f4e60078f5f3ea7fc80baf3a3c8f355ff8639b5e980be09fb8c170c9f02
SHA51226f5cfec7e3b9b7060e7edb6fb3b39114c804aca659a3f0869d4a799935bb80cbabfc491a34a0603cc36f07863a696d49db463b8b0ff6c9f9200fba4492d29b9
-
C:\Windows\system32\LogFiles\SAFER.LOGFilesize
53KB
MD5c1ba86b4d0b8a5a2bf2ddb2c495aac61
SHA1d65da0924990653bbe313b85db2132e4b4bd763e
SHA2569619759f338fa29fb83eae5f118af1dcdc48830cf77b8bc5c3d52169e6800b6d
SHA51278cbe3bf17f4a922b74a72747bf90814baa5e36204b015361b050eaa503615d3e6e4d13bd3daca02ac7935b10b3fd1bec9f1b80ff3253357e55ee6077c729685
-
\Users\Admin\AppData\Local\Temp\7zSE4E4.tmp\Bin\LGPO.exeFilesize
469KB
MD5fdf6c1f114a0fd2a144a6a126206461c
SHA1bacfef8c102b1791ebe3229324cdf75da3171952
SHA2560c97f29543418b30340c4ff5d930d31e6196dd59c2cc74b6b890fa7b90c910c7
SHA5129d941f1bb73c999f7f3c54f20a673fc4bc0342ba1d5c43e271e70f67294a63253878f8ab412e5b6ec39468e556c37dadeff0c167b22dd1bb675eca93d4e2cbce
-
memory/308-105-0x0000000000000000-mapping.dmp
-
memory/428-77-0x0000000000000000-mapping.dmp
-
memory/612-117-0x0000000000000000-mapping.dmp
-
memory/636-68-0x0000000000000000-mapping.dmp
-
memory/660-97-0x0000000000000000-mapping.dmp
-
memory/756-111-0x0000000000000000-mapping.dmp
-
memory/764-123-0x0000000000000000-mapping.dmp
-
memory/768-82-0x0000000000000000-mapping.dmp
-
memory/768-106-0x0000000000000000-mapping.dmp
-
memory/836-74-0x0000000000000000-mapping.dmp
-
memory/852-60-0x0000000000000000-mapping.dmp
-
memory/872-54-0x0000000076181000-0x0000000076183000-memory.dmpFilesize
8KB
-
memory/904-125-0x0000000000000000-mapping.dmp
-
memory/948-121-0x0000000000000000-mapping.dmp
-
memory/992-103-0x0000000000000000-mapping.dmp
-
memory/1004-55-0x0000000000000000-mapping.dmp
-
memory/1028-73-0x0000000000000000-mapping.dmp
-
memory/1028-131-0x0000000000000000-mapping.dmp
-
memory/1044-87-0x0000000000000000-mapping.dmp
-
memory/1100-78-0x0000000000000000-mapping.dmp
-
memory/1152-128-0x0000000000000000-mapping.dmp
-
memory/1156-130-0x0000000000000000-mapping.dmp
-
memory/1232-57-0x0000000000000000-mapping.dmp
-
memory/1240-118-0x0000000000000000-mapping.dmp
-
memory/1336-124-0x0000000000000000-mapping.dmp
-
memory/1348-59-0x0000000000000000-mapping.dmp
-
memory/1364-58-0x0000000000000000-mapping.dmp
-
memory/1380-64-0x0000000074570000-0x0000000074B1B000-memory.dmpFilesize
5.7MB
-
memory/1380-62-0x0000000000000000-mapping.dmp
-
memory/1380-126-0x0000000000000000-mapping.dmp
-
memory/1380-65-0x0000000074570000-0x0000000074B1B000-memory.dmpFilesize
5.7MB
-
memory/1464-116-0x0000000000000000-mapping.dmp
-
memory/1472-89-0x0000000000000000-mapping.dmp
-
memory/1472-93-0x0000000074530000-0x0000000074ADB000-memory.dmpFilesize
5.7MB
-
memory/1472-114-0x0000000000000000-mapping.dmp
-
memory/1480-108-0x0000000000000000-mapping.dmp
-
memory/1552-107-0x0000000000000000-mapping.dmp
-
memory/1560-113-0x0000000000000000-mapping.dmp
-
memory/1576-129-0x0000000000000000-mapping.dmp
-
memory/1616-119-0x0000000000000000-mapping.dmp
-
memory/1636-122-0x0000000000000000-mapping.dmp
-
memory/1704-104-0x0000000000000000-mapping.dmp
-
memory/1716-120-0x0000000000000000-mapping.dmp
-
memory/1740-127-0x0000000000000000-mapping.dmp
-
memory/1748-101-0x0000000000000000-mapping.dmp
-
memory/1756-102-0x0000000000000000-mapping.dmp
-
memory/1792-112-0x0000000000000000-mapping.dmp
-
memory/1824-94-0x0000000000000000-mapping.dmp
-
memory/1864-110-0x0000000000000000-mapping.dmp
-
memory/1884-100-0x0000000000000000-mapping.dmp
-
memory/1936-115-0x0000000000000000-mapping.dmp
-
memory/1996-80-0x0000000000000000-mapping.dmp
-
memory/2024-85-0x0000000000000000-mapping.dmp