Analysis
-
max time kernel
131s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
19-01-2023 12:00
General
-
Target
GSecurity.exe
-
Size
851KB
-
MD5
690eee0e48261b646ac54a1866c32510
-
SHA1
ccd9ce1e952026508a233efba834b1de6b3c2490
-
SHA256
82525d214350151c4ecff9c9dd3bf18acaeee43d34834092b0849d1e96d4b9d7
-
SHA512
e5fc6039654e323b89116db02c5c98fec7f955d7c122c8c9cb801d8f917cf947a298760d71d62a259d1cced0da1b5be206066c24774d90916f531873351845d1
-
SSDEEP
24576:kddFMz0EjoWKPP92qQjKngMEPSQZsv/943JfIY6T8:kdd6z08od2bjxPPNZa943JwDI
Malware Config
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Modifies Windows Defender Real-time Protection settings 3 TTPs 5 IoCs
-
Modifies firewall policy service 2 TTPs 60 IoCs
-
Modifies security service 2 TTPs 4 IoCs
-
Modifies system executable filetype association 2 TTPs 36 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Disables taskbar notifications via registry modification
-
Disables use of System Restore points 1 TTPs
-
Drops file in Drivers directory 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Modifies Windows Firewall 1 TTPs 1 IoCs
-
Possible privilege escalation attempt 6 IoCs
-
Sets file execution options in registry 2 TTPs 47 IoCs
-
Allows Network login with blank passwords 1 TTPs 1 IoCs
Allows local user accounts with blank passwords to access device from the network.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Modifies file permissions 1 TTPs 6 IoCs
-
Adds Run key to start application 2 TTPs 11 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Modifies powershell logging option 1 TTPs
-
Drops file in System32 directory 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 12 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Disables Windows logging functionality 2 TTPs
Changes registry settings to disable Windows Event logging.
-
Modifies Internet Explorer Phishing Filter 1 TTPs 3 IoCs
-
Modifies Internet Explorer settings 1 TTPs 64 IoCs
-
Modifies data under HKEY_USERS 12 IoCs
-
Modifies registry class 64 IoCs
-
Modifies registry key 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\GSecurity.exe"C:\Users\Admin\AppData\Local\Temp\GSecurity.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Setup.bat" "2⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.comchcp 4373⤵
-
C:\Windows\SysWOW64\fsutil.exefsutil dirty query C:3⤵
-
C:\Windows\SysWOW64\where.exewhere powershell3⤵
-
C:\Windows\SysWOW64\fsutil.exefsutil dirty query C:3⤵
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\PowerShell -NonInteractive -WindowStyle hidden -command Set-MpPreference -EnableNetworkProtection Enabled; Set-MpPreference -EnableControlledFolderAccess Enabled; Set-MpPreference -DisableRealtimeMonitoring 0; Set-MpPreference -DisableBehaviorMonitoring 0; Set-MpPreference -DisableBlockAtFirstSeen 0; Set-MpPreference -MAPSReporting 2; Set-MpPreference -SubmitSamplesConsent 1; Set-MpPreference -DisableIOAVProtection 0; Set-MpPreference -DisableScriptScanning 0; Set-MpPreference -PUAProtection Enabled; Set-MpPreference -ScanAvgCPULoadFactor 50; Set-MpPreference -AttackSurfaceReductionRules_Ids BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550,D4F940AB-401B-4EFC-AADC-AD5F3C50688A,3B576869-A4EC-4529-8536-B80A7769E899,75668C1F-73B5-4CF0-BB93-3ECF5CB7CC84,D3E037E1-3EB8-44C8-A917-57927947596D,5BEB7EFE-FD9A-4556-801D-275E5FFC04CC,92E97FA1-2EDF-4476-BDD6-9DD0B4DDDC7B,01443614-cd74-433a-b99e-2ecdc07bfc25,c1db55ab-c21a-4637-bb3f-a12568109d35,9e6c4e1f-7d60-472f-ba1a-a39ef669e4b2,d1e49aac-8f56-4280-b9ba-993a6d77406c,b2b3f03d-6a65-4f7b-a9c7-1c7ef74a9ba4,26190899-1602-49e8-8b27-eb1d0a1ce869,7674ba52-37eb-4a4f-a9a1-f0f9a1619a2c,e6db77e5-3df2-4cf1-b95a-636979351e5b,56a863a9-875e-4185-98a7-b882c64b5ce5 -AttackSurfaceReductionRules_Actions Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled,Enabled; Add-MpPreference -AttackSurfaceReductionOnlyExclusions $env:SystemRoot'\assembly'; Add-MpPreference -AttackSurfaceReductionOnlyExclusions $env:SystemRoot'\Microsoft.NET\Framework\*\NativeImages'; Add-MpPreference -AttackSurfaceReductionOnlyExclusions $env:SystemRoot'\WinSxS\*\*.ni.dll'; Add-MpPreference -AttackSurfaceReductionOnlyExclusions $env:ProgramData'\Microsoft\Windows Defender';3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\LGPO.exelgpo /g C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\3⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\auditpol.exeC:\Windows\system32\auditpol.exe /clear /y4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\auditpol.exeC:\Windows\system32\auditpol.exe /restore /file:"C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\{2F66C256-45AE-4F0B-9682-5410727195E6}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csv"4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Users\Public\Desktop" /r /d y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Public\Desktop" /inheritance:r3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Public\Desktop" /grant:r "Admin":(OI)(CI)F /t /l /q /c3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Users\Admin\Desktop" /r /d y3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\Desktop" /inheritance:r3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\icacls.exeicacls "C:\Users\Admin\Desktop" /grant:r "Admin":(OI)(CI)F /t /l /q /c3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell.exe -NoProfile -ExecutionPolicy Bypass -Command "Uninstall-ProvisioningPackage -AllInstalledPackages"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\REG.EXE"C:\Windows\SysNative\REG.EXE" export HKLM\Software\Microsoft\Provisioning C:\Users\Admin\AppData\Local\Temp\ICD_20230119-130024-974_2940.9_2009453561.1\regBefore.txt4⤵
-
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall delete rule name=all3⤵
- Modifies Windows Firewall
-
C:\Windows\SysWOW64\reg.exeReg.exe import GSecurity.reg3⤵
- Modifies Windows Defender Real-time Protection settings
- Modifies firewall policy service
- Modifies system executable filetype association
- Allows Network login with blank passwords
- Adds Run key to start application
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyServer /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v SavedLegacySettings /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyOverride /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v DefaultConnectionSettings /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\REG" DELETE "HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxySettingsPerUser /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local /f3⤵
- Modifies registry key
-
C:\Windows\SysWOW64\bitsadmin.exe"C:\Windows\system32\bitsadmin" /reset /allusers3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" /f /reg:323⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete "HKLM\SOFTWARE\Policies\Microsoft\Internet Explorer" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /f3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /f3⤵
- Sets file execution options in registry
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" /f3⤵
- Sets file execution options in registry
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete "HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System" /v DisableTaskMgr /f3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend /f /v Start /t REG_DWORD /d 0x000000023⤵
- Modifies security service
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender" /f /v DisableAntiSpyware /t REG_DWORD /d 0x000000003⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\SYSTEM\CurrentControlSet\services\MpsSvc" /V Start /T REG_DWORD /D 2 /F3⤵
- Modifies security service
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /f /v EnableFirewall /t REG_DWORD /d 0x000000013⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete "HKLM\SOFTWARE\Policies\Microsoft\WindowsFirewall\DomainProfile" /f /v DoNotAllowExceptions3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\SYSTEM\CurrentControlSet\services\wuauserv" /V Start /T REG_DWORD /D 2 /F3⤵
- Modifies security service
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" delete HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /f /v NoWindowsUpdate3⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 1 /f3⤵
- UAC bypass
- Modifies registry key
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\SYSTEM\CurrentControlSet\services\wscsvc" /V Start /T REG_DWORD /D 2 /F3⤵
- Modifies security service
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /f /v HideSCAHealth /t REG_SZ /d 03⤵
-
C:\Windows\SysWOW64\reg.exe"C:\Windows\system32\reg" add "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /f /v HideSCAHealth /t REG_SZ /d 03⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum1⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 396 -p 736 -ip 7361⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 448 -p 736 -ip 7361⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 736 -s 10561⤵
- Program crash
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 736 -s 9721⤵
- Program crash
-
C:\Windows\system32\pacjsworker.exeC:\Windows\system32\pacjsworker.exe 78103123-300f-41a0-a7b3-7388dc4e18f7 4f65a821-2063-4578-94ca-ce445c01fac01⤵
-
C:\Windows\system32\pacjsworker.exeC:\Windows\system32\pacjsworker.exe 01876050-a953-45bd-845e-ac980afadfbc 4f65a821-2063-4578-94ca-ce445c01fac01⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Persistence
Modify Existing Service
4Change Default File Association
1Registry Run Keys / Startup Folder
2Defense Evasion
Modify Registry
12Disabling Security Tools
3Bypass User Account Control
1File Permissions Modification
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.logFilesize
2KB
MD5968cb9309758126772781b83adb8a28f
SHA18da30e71accf186b2ba11da1797cf67f8f78b47c
SHA25692099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA5124bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
18KB
MD576647b9bcd9045278ae84eb955f28e61
SHA151c6e0c27e25965791335e8bec62f1535577deb7
SHA256ef1646166d7176f4750962673e392d0b2324cfd5fa845e810b1a611bd6d05661
SHA51272acec46030a81a695ddf93eb703de2e40720a146e288b726237b1c8c8722423fdf70de16ff8316389dbacde8e4555e5df1198a0036e5d6c062c4aad8df2e754
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\Default.cmdFilesize
754B
MD54456b2cc70f07ca2b454f58c219a2962
SHA1f2de2afed43b7d1345f25d861e0212cbc8a7ae70
SHA256d6298067d6cf2c5ec58c652944bcdb1c907d54e799f1e9d19bf64c3962ac912f
SHA512580d780f3c1b8fd3bb4974095b007ab6f56063b5fa83e4dede875906c2f5a99dec236db2751c0858cf52797efab5a16cd9d2009d7b5f1a098f967093a4a99c6f
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\GCleaner.cmdFilesize
8KB
MD5bc47b8370d537b2a1b42db0fd8b45f52
SHA1b1ebe7e18c62114ec293d9c6d6a6a3a11c165376
SHA25669fd3d2cb5ab22aa7048c52acb3966d20418ebdb1122a8e2202401532bc2c3c4
SHA51268ac0e668a24703c39ecc4b6b479cb49b0e90b07e903ee70ee7fa96835d9a02ac21d1f7d3472ae7ad6fb0733546eed13bc106705328582677cb191705cdf4dad
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\GSecurity.cmdFilesize
17KB
MD5a58cdfed001a7ed5ef0424d065ade878
SHA1c62d2988899f47ad4e1d7dbd984686ce1895fbfe
SHA256108ca7617704d247a178639a0e5a784c4aab7ca21d9b140a613dc735c2be78c4
SHA51215993f149d582837bab39a9fd051ac320cd7493715c1268ebfa66701fe6a1ae9bb60d47fc91d5d089fdb7361d765cac66c496199c8eaf193b0ef26769766f06f
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\GSecurity.regFilesize
402KB
MD5ea863eaf37b5c2ca56b2f7b245bfe9c9
SHA146d8c13202685316b3f7e3f49d805775b5503575
SHA2567ad440b3d5be201b52970cc011010fba5240086fc5c0037349cfca64db697fb7
SHA5121f6ac0a9e99fd37a6bd066193585535e48b99513016035e59961f5f0a13fb173d1438ae2ec5459b072f34e591dcc594f664db8756acff8a2d22c1cb2fc993495
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\LGPO.exeFilesize
469KB
MD5fdf6c1f114a0fd2a144a6a126206461c
SHA1bacfef8c102b1791ebe3229324cdf75da3171952
SHA2560c97f29543418b30340c4ff5d930d31e6196dd59c2cc74b6b890fa7b90c910c7
SHA5129d941f1bb73c999f7f3c54f20a673fc4bc0342ba1d5c43e271e70f67294a63253878f8ab412e5b6ec39468e556c37dadeff0c167b22dd1bb675eca93d4e2cbce
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\LGPO.exeFilesize
469KB
MD5fdf6c1f114a0fd2a144a6a126206461c
SHA1bacfef8c102b1791ebe3229324cdf75da3171952
SHA2560c97f29543418b30340c4ff5d930d31e6196dd59c2cc74b6b890fa7b90c910c7
SHA5129d941f1bb73c999f7f3c54f20a673fc4bc0342ba1d5c43e271e70f67294a63253878f8ab412e5b6ec39468e556c37dadeff0c167b22dd1bb675eca93d4e2cbce
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\Windows Auto Configure.cmdFilesize
425KB
MD5481a7a7f22375dc884b6fc32303259c7
SHA1a67d3e99460417fb3209f9f138a45ac5df101560
SHA256676c02bce686b66f66dbf7bf9a80519e999c414f8abf2684e636521766e58299
SHA51224d777046dfc9b44ac7ebfd3a34248b0d59874f2cb24a81c27024b9d7b6d8b3a8a0bd036832081dacda2af4b734b8879dc68f3c72f379d729434db2741960b42
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\{2F66C256-45AE-4F0B-9682-5410727195E6}\Backup.xmlFilesize
6KB
MD5fec543270099e8e0b511af397f5a45af
SHA15861518cfe47d31730e2d345d7cd508b345832fb
SHA2562a139ba072a192ae9d8e6a35181f451b2a555a4ab235fdc418a2eb4d5a7cda7c
SHA512bacffbd87dd2c2419b03880572fb1dbf6117815fc14bff7c1890365c9c64e4f2e2b2b8b0aba0a91645ff22821adcc4120632131d14247ca5de4d0bbe9ad21fe5
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\{2F66C256-45AE-4F0B-9682-5410727195E6}\DomainSysvol\GPO\Machine\microsoft\windows nt\Audit\audit.csvFilesize
5KB
MD515f39814e8869ad9a08c76dfb0b7767a
SHA1eebc2506c8a3c7f3bda126621bccbb916b64a385
SHA256562640690a95aed2d94fed072fa4004cd6589bbaab17f2646d05d8d00dc323cd
SHA51229f11ae6b37ed3113a08b00be9b272fb8b2a368525dba5de8d09ee05e1567629b80f14bb70e324da5e4ad7260d5636a8d9122ecc7af95324a0f08a8f0e8ae6bb
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\{2F66C256-45AE-4F0B-9682-5410727195E6}\DomainSysvol\GPO\Machine\registry.polFilesize
158KB
MD56682405d042a96b9780d5f3a7eca9696
SHA1040abfb571257c8badaac1c71634cdb20985fb1e
SHA2560ccc07817161b99c9b76eb1c76ee4cb73dc0c895b7d9f05295e109b0c5e9588e
SHA5121fa16e99206f54fb10463e2a40b582b54cb2a77f759466316c10f3990da114bd8b03d49864b29c2fd1ca9e80ac2ca6416ed8913d5b6cc21543ffdfda6bbd4469
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Bin\{2F66C256-45AE-4F0B-9682-5410727195E6}\DomainSysvol\GPO\User\registry.polFilesize
1KB
MD54f2f4a469381a7831bf4f399ccd62d3c
SHA169c0b8aa73718cd480776c5c6a5cb1a228c30258
SHA2565288c00c01e3f9fd0f70e5f55eaa7d3753378f296951bb041de47317ba3c669c
SHA512114e9d2497b131175c1b39a6dc9a939f54ec36ae63b152e72169d698e89b036f22272a27dfe5e1b74b9e6299c012d5db46df509a61ca5be1a72835ccd1e04c4b
-
C:\Users\Admin\AppData\Local\Temp\7zS7D62.tmp\Setup.batFilesize
751B
MD5e891627d232c5676ba3fc37cd3c1c4da
SHA190f0f18b00fc3039d183092dfc144cac15211ddc
SHA256407ae179eecd183bc8c9a938649127a63c76a5f9436e3aa8977103e23a89b0d1
SHA512a4ae767155775bf22173e3b38ab5c45d82085667c9f990bd8a4a5bd1c8b8d4effd4d0ede5652744aab9f2d9215efca95b1acf21fe23f2793a6ab51b865b8003c
-
C:\Users\Admin\AppData\Local\Temp\ICD_20230119-130024-974_2940.9_2009453561.1\regBefore.txtFilesize
127KB
MD545b08c896a1b303a9a97583f8da2105b
SHA1ada39d1274f57bb236a1ce296d2b3d8e59ebb705
SHA256e96b22c0eb20f6ad56f87ae2a7cd7b8aff52425584e2df7d613dcd02ec7d1b92
SHA512700f4ae2b77b6de2e97e607e7f83e6413e45a5affcaa6ce3385e3a8a44a844eb8e7cef34711d5454f5ac2f52cb0e664fa3c7ffd928b5bf002cd651263c5c8734
-
memory/312-182-0x0000000000000000-mapping.dmp
-
memory/548-204-0x0000000000000000-mapping.dmp
-
memory/548-166-0x0000000000000000-mapping.dmp
-
memory/624-134-0x0000000000000000-mapping.dmp
-
memory/628-185-0x0000000000000000-mapping.dmp
-
memory/628-135-0x0000000000000000-mapping.dmp
-
memory/884-207-0x0000000000000000-mapping.dmp
-
memory/932-184-0x0000000000000000-mapping.dmp
-
memory/1084-208-0x0000000000000000-mapping.dmp
-
memory/1092-165-0x0000000000000000-mapping.dmp
-
memory/1092-203-0x0000000000000000-mapping.dmp
-
memory/1356-209-0x0000000000000000-mapping.dmp
-
memory/1356-168-0x0000000000000000-mapping.dmp
-
memory/1400-179-0x0000000000000000-mapping.dmp
-
memory/1724-189-0x0000000000000000-mapping.dmp
-
memory/2104-199-0x0000000000000000-mapping.dmp
-
memory/2108-132-0x0000000000000000-mapping.dmp
-
memory/2164-191-0x0000000000000000-mapping.dmp
-
memory/2348-136-0x0000000000000000-mapping.dmp
-
memory/2348-188-0x0000000000000000-mapping.dmp
-
memory/2368-200-0x0000000000000000-mapping.dmp
-
memory/2656-186-0x0000000000000000-mapping.dmp
-
memory/2940-175-0x00000000072C0000-0x00000000072CC000-memory.dmpFilesize
48KB
-
memory/2940-176-0x0000000007430000-0x000000000744C000-memory.dmpFilesize
112KB
-
memory/2940-171-0x0000000000000000-mapping.dmp
-
memory/2940-174-0x000000006F5D0000-0x000000006F61C000-memory.dmpFilesize
304KB
-
memory/2984-205-0x0000000000000000-mapping.dmp
-
memory/3068-137-0x0000000000000000-mapping.dmp
-
memory/3152-190-0x0000000000000000-mapping.dmp
-
memory/3184-195-0x0000000000000000-mapping.dmp
-
memory/3380-194-0x0000000000000000-mapping.dmp
-
memory/3420-193-0x0000000000000000-mapping.dmp
-
memory/3812-202-0x0000000000000000-mapping.dmp
-
memory/3812-156-0x0000000000000000-mapping.dmp
-
memory/3856-196-0x0000000000000000-mapping.dmp
-
memory/3920-192-0x0000000000000000-mapping.dmp
-
memory/3940-180-0x0000000000000000-mapping.dmp
-
memory/4240-161-0x0000000000000000-mapping.dmp
-
memory/4304-170-0x0000000000000000-mapping.dmp
-
memory/4304-211-0x0000000000000000-mapping.dmp
-
memory/4364-201-0x0000000000000000-mapping.dmp
-
memory/4400-212-0x0000000000000000-mapping.dmp
-
memory/4484-187-0x0000000000000000-mapping.dmp
-
memory/4508-141-0x00000000052C0000-0x00000000058E8000-memory.dmpFilesize
6.2MB
-
memory/4508-151-0x00000000074F0000-0x00000000074FA000-memory.dmpFilesize
40KB
-
memory/4508-144-0x0000000005B00000-0x0000000005B66000-memory.dmpFilesize
408KB
-
memory/4508-155-0x00000000077B0000-0x00000000077B8000-memory.dmpFilesize
32KB
-
memory/4508-149-0x0000000007B30000-0x00000000081AA000-memory.dmpFilesize
6.5MB
-
memory/4508-150-0x00000000074B0000-0x00000000074CA000-memory.dmpFilesize
104KB
-
memory/4508-139-0x0000000000000000-mapping.dmp
-
memory/4508-148-0x0000000006720000-0x000000000673E000-memory.dmpFilesize
120KB
-
memory/4508-154-0x00000000077D0000-0x00000000077EA000-memory.dmpFilesize
104KB
-
memory/4508-152-0x0000000007710000-0x00000000077A6000-memory.dmpFilesize
600KB
-
memory/4508-140-0x0000000004BD0000-0x0000000004C06000-memory.dmpFilesize
216KB
-
memory/4508-142-0x00000000058F0000-0x0000000005912000-memory.dmpFilesize
136KB
-
memory/4508-153-0x00000000076D0000-0x00000000076DE000-memory.dmpFilesize
56KB
-
memory/4508-147-0x000000006F5D0000-0x000000006F61C000-memory.dmpFilesize
304KB
-
memory/4508-146-0x0000000007340000-0x0000000007372000-memory.dmpFilesize
200KB
-
memory/4508-145-0x0000000006180000-0x000000000619E000-memory.dmpFilesize
120KB
-
memory/4508-143-0x0000000005A90000-0x0000000005AF6000-memory.dmpFilesize
408KB
-
memory/4548-183-0x0000000000000000-mapping.dmp
-
memory/4600-162-0x0000000000000000-mapping.dmp
-
memory/4768-198-0x0000000000000000-mapping.dmp
-
memory/4780-197-0x0000000000000000-mapping.dmp
-
memory/4784-206-0x0000000000000000-mapping.dmp
-
memory/4784-167-0x0000000000000000-mapping.dmp
-
memory/4808-177-0x0000000000000000-mapping.dmp
-
memory/4864-210-0x0000000000000000-mapping.dmp
-
memory/4864-169-0x0000000000000000-mapping.dmp