279f70f8d613b56d7e1e54fd07d90966ea748150ec126cc0f478f98f3d820b20

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25-03-2024 17:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

W10Privacy.exe
Size

2.2MB
MD5

7c7f987c87a6835fbe52d47940a75594
SHA1

3a54bb33734dde54bb4da9c8064ddc85815de052
SHA256

e5e428cedf327f8515bd56b22e4dda38623079543665cb94e4888e9a3d3815ce
SHA512

7c2d0c93517b15b6a9dfa887864f418f22e73b862ebc77e9b511d5ee092dd0d2ddbc3bb2366a2872dd1b3bdd5897f8216da0ca09fb31b47c20406dbfcff80e35
SSDEEP

49152:rw9VH4RfLtNwHxQB4YF0yRdcHgvg3KKUQ7t1:rUgSCB4YFBnvg2Q7t1

Score

9^/10

evasion upx

Malware Config

Signatures

UPX dump on OEP (original entry point) 15 IoCs

resource	yara_rule
behavioral18/memory/4748-0-0x0000000000CE0000-0x0000000001183000-memory.dmp	UPX
behavioral18/memory/4748-3072-0x0000000000CE0000-0x0000000001183000-memory.dmp	UPX
behavioral18/memory/4748-4466-0x0000000000CE0000-0x0000000001183000-memory.dmp	UPX
behavioral18/memory/4748-4469-0x0000000000CE0000-0x0000000001183000-memory.dmp	UPX
behavioral18/memory/4748-5267-0x0000000000CE0000-0x0000000001183000-memory.dmp	UPX
behavioral18/memory/4748-5388-0x0000000000CE0000-0x0000000001183000-memory.dmp	UPX
behavioral18/memory/4748-5510-0x0000000000CE0000-0x0000000001183000-memory.dmp	UPX
behavioral18/memory/4748-5661-0x0000000000CE0000-0x0000000001183000-memory.dmp	UPX
behavioral18/memory/4748-5783-0x0000000000CE0000-0x0000000001183000-memory.dmp	UPX
behavioral18/memory/4748-5905-0x0000000000CE0000-0x0000000001183000-memory.dmp	UPX
behavioral18/memory/4748-6028-0x0000000000CE0000-0x0000000001183000-memory.dmp	UPX
behavioral18/memory/4748-6180-0x0000000000CE0000-0x0000000001183000-memory.dmp	UPX
behavioral18/memory/4748-6302-0x0000000000CE0000-0x0000000001183000-memory.dmp	UPX
behavioral18/memory/4748-6423-0x0000000000CE0000-0x0000000001183000-memory.dmp	UPX
behavioral18/memory/4748-6545-0x0000000000CE0000-0x0000000001183000-memory.dmp	UPX

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2800	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	W10Privacy.exe

UPX packed file 15 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral18/memory/4748-0-0x0000000000CE0000-0x0000000001183000-memory.dmp	upx
behavioral18/memory/4748-3072-0x0000000000CE0000-0x0000000001183000-memory.dmp	upx
behavioral18/memory/4748-4466-0x0000000000CE0000-0x0000000001183000-memory.dmp	upx
behavioral18/memory/4748-4469-0x0000000000CE0000-0x0000000001183000-memory.dmp	upx
behavioral18/memory/4748-5267-0x0000000000CE0000-0x0000000001183000-memory.dmp	upx
behavioral18/memory/4748-5388-0x0000000000CE0000-0x0000000001183000-memory.dmp	upx
behavioral18/memory/4748-5510-0x0000000000CE0000-0x0000000001183000-memory.dmp	upx
behavioral18/memory/4748-5661-0x0000000000CE0000-0x0000000001183000-memory.dmp	upx
behavioral18/memory/4748-5783-0x0000000000CE0000-0x0000000001183000-memory.dmp	upx
behavioral18/memory/4748-5905-0x0000000000CE0000-0x0000000001183000-memory.dmp	upx
behavioral18/memory/4748-6028-0x0000000000CE0000-0x0000000001183000-memory.dmp	upx
behavioral18/memory/4748-6180-0x0000000000CE0000-0x0000000001183000-memory.dmp	upx
behavioral18/memory/4748-6302-0x0000000000CE0000-0x0000000001183000-memory.dmp	upx
behavioral18/memory/4748-6423-0x0000000000CE0000-0x0000000001183000-memory.dmp	upx
behavioral18/memory/4748-6545-0x0000000000CE0000-0x0000000001183000-memory.dmp	upx

AutoIT Executable 14 IoCs

AutoIT scripts compiled to PE executables.

resource	yara_rule
behavioral18/memory/4748-3072-0x0000000000CE0000-0x0000000001183000-memory.dmp	autoit_exe
behavioral18/memory/4748-4466-0x0000000000CE0000-0x0000000001183000-memory.dmp	autoit_exe
behavioral18/memory/4748-4469-0x0000000000CE0000-0x0000000001183000-memory.dmp	autoit_exe
behavioral18/memory/4748-5267-0x0000000000CE0000-0x0000000001183000-memory.dmp	autoit_exe
behavioral18/memory/4748-5388-0x0000000000CE0000-0x0000000001183000-memory.dmp	autoit_exe
behavioral18/memory/4748-5510-0x0000000000CE0000-0x0000000001183000-memory.dmp	autoit_exe
behavioral18/memory/4748-5661-0x0000000000CE0000-0x0000000001183000-memory.dmp	autoit_exe
behavioral18/memory/4748-5783-0x0000000000CE0000-0x0000000001183000-memory.dmp	autoit_exe
behavioral18/memory/4748-5905-0x0000000000CE0000-0x0000000001183000-memory.dmp	autoit_exe
behavioral18/memory/4748-6028-0x0000000000CE0000-0x0000000001183000-memory.dmp	autoit_exe
behavioral18/memory/4748-6180-0x0000000000CE0000-0x0000000001183000-memory.dmp	autoit_exe
behavioral18/memory/4748-6302-0x0000000000CE0000-0x0000000001183000-memory.dmp	autoit_exe
behavioral18/memory/4748-6423-0x0000000000CE0000-0x0000000001183000-memory.dmp	autoit_exe
behavioral18/memory/4748-6545-0x0000000000CE0000-0x0000000001183000-memory.dmp	autoit_exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005cf4f6141e81f6580000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005cf4f6140000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809005cf4f614000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d5cf4f614000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005cf4f61400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4748	W10Privacy.exe
4748	W10Privacy.exe
4748	W10Privacy.exe
4748	W10Privacy.exe
4256	powershell.exe
4256	powershell.exe
4748	W10Privacy.exe
4748	W10Privacy.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4748	W10Privacy.exe

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	2300	whoami.exe
Token: SeDebugPrivilege	4256	powershell.exe
Token: SeBackupPrivilege	3152	vssvc.exe
Token: SeRestorePrivilege	3152	vssvc.exe
Token: SeAuditPrivilege	3152	vssvc.exe
Token: SeBackupPrivilege	852	wbengine.exe
Token: SeRestorePrivilege	852	wbengine.exe
Token: SeSecurityPrivilege	852	wbengine.exe
Token: SeBackupPrivilege	2596	srtasks.exe
Token: SeRestorePrivilege	2596	srtasks.exe
Token: SeSecurityPrivilege	2596	srtasks.exe
Token: SeTakeOwnershipPrivilege	2596	srtasks.exe
Token: SeBackupPrivilege	2596	srtasks.exe
Token: SeRestorePrivilege	2596	srtasks.exe
Token: SeSecurityPrivilege	2596	srtasks.exe
Token: SeTakeOwnershipPrivilege	2596	srtasks.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
4748	W10Privacy.exe
4748	W10Privacy.exe
4748	W10Privacy.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
4748	W10Privacy.exe
4748	W10Privacy.exe
4748	W10Privacy.exe

Suspicious use of WriteProcessMemory 48 IoCs

description	pid	Process	procid_target
PID 4748 wrote to memory of 4740	4748	W10Privacy.exe	85
PID 4748 wrote to memory of 4740	4748	W10Privacy.exe	85
PID 4748 wrote to memory of 4740	4748	W10Privacy.exe	85
PID 4740 wrote to memory of 2300	4740	cmd.exe	87
PID 4740 wrote to memory of 2300	4740	cmd.exe	87
PID 4740 wrote to memory of 2300	4740	cmd.exe	87
PID 4748 wrote to memory of 3852	4748	W10Privacy.exe	88
PID 4748 wrote to memory of 3852	4748	W10Privacy.exe	88
PID 4748 wrote to memory of 3852	4748	W10Privacy.exe	88
PID 4748 wrote to memory of 2228	4748	W10Privacy.exe	90
PID 4748 wrote to memory of 2228	4748	W10Privacy.exe	90
PID 4748 wrote to memory of 2228	4748	W10Privacy.exe	90
PID 2228 wrote to memory of 940	2228	cmd.exe	92
PID 2228 wrote to memory of 940	2228	cmd.exe	92
PID 2228 wrote to memory of 940	2228	cmd.exe	92
PID 4748 wrote to memory of 4252	4748	W10Privacy.exe	93
PID 4748 wrote to memory of 4252	4748	W10Privacy.exe	93
PID 4748 wrote to memory of 4252	4748	W10Privacy.exe	93
PID 4748 wrote to memory of 1748	4748	W10Privacy.exe	95
PID 4748 wrote to memory of 1748	4748	W10Privacy.exe	95
PID 1748 wrote to memory of 4256	1748	cmd.exe	97
PID 1748 wrote to memory of 4256	1748	cmd.exe	97
PID 4748 wrote to memory of 2948	4748	W10Privacy.exe	98
PID 4748 wrote to memory of 2948	4748	W10Privacy.exe	98
PID 4748 wrote to memory of 2948	4748	W10Privacy.exe	98
PID 4748 wrote to memory of 2484	4748	W10Privacy.exe	100
PID 4748 wrote to memory of 2484	4748	W10Privacy.exe	100
PID 4748 wrote to memory of 2484	4748	W10Privacy.exe	100
PID 2484 wrote to memory of 2800	2484	cmd.exe	102
PID 2484 wrote to memory of 2800	2484	cmd.exe	102
PID 2484 wrote to memory of 2800	2484	cmd.exe	102
PID 4748 wrote to memory of 3260	4748	W10Privacy.exe	103
PID 4748 wrote to memory of 3260	4748	W10Privacy.exe	103
PID 4748 wrote to memory of 3260	4748	W10Privacy.exe	103
PID 4748 wrote to memory of 3532	4748	W10Privacy.exe	105
PID 4748 wrote to memory of 3532	4748	W10Privacy.exe	105
PID 4748 wrote to memory of 3532	4748	W10Privacy.exe	105
PID 4748 wrote to memory of 1568	4748	W10Privacy.exe	107
PID 4748 wrote to memory of 1568	4748	W10Privacy.exe	107
PID 4748 wrote to memory of 1568	4748	W10Privacy.exe	107
PID 4748 wrote to memory of 4260	4748	W10Privacy.exe	113
PID 4748 wrote to memory of 4260	4748	W10Privacy.exe	113
PID 4748 wrote to memory of 4260	4748	W10Privacy.exe	113
PID 4260 wrote to memory of 208	4260	cmd.exe	115
PID 4260 wrote to memory of 208	4260	cmd.exe	115
PID 4260 wrote to memory of 208	4260	cmd.exe	115
PID 4748 wrote to memory of 3288	4748	W10Privacy.exe	125
PID 4748 wrote to memory of 3288	4748	W10Privacy.exe	125

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\W10Privacy.exe
"C:\Users\Admin\AppData\Local\Temp\W10Privacy.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4748
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C whoami /ALL > C:\Users\Admin\AppData\Local\Temp\whoami.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4740
- - C:\Windows\SysWOW64\whoami.exe
    whoami /ALL
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2300
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C del /s /q "C:\Users\Admin\AppData\Local\Temp\whoami.txt"
  2⤵
  PID:3852
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C schtasks.exe /query /FO CSV > C:\Users\Admin\AppData\Local\Temp\tasks.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /query /FO CSV
    3⤵
    PID:940
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C del /s /q "C:\Users\Admin\AppData\Local\Temp\tasks.txt"
  2⤵
  PID:4252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /C C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Get-AppxPackage > C:\Users\Admin\AppData\Local\Temp\benutzerapps.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Get-AppxPackage
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4256
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C del /s /q "C:\Users\Admin\AppData\Local\Temp\benutzerapps.txt"
  2⤵
  PID:2948
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C "netsh advfirewall firewall show rule name=all dir=out verbose > C:\Users\Admin\AppData\Local\Temp\rules_out.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\netsh.exe
    netsh advfirewall firewall show rule name=all dir=out verbose
    3⤵
    - Modifies Windows Firewall
    PID:2800
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C del /s /q "C:\Users\Admin\AppData\Local\Temp\rules_out.txt"
  2⤵
  PID:3260
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C dir "C:\Windows\SystemApps" /B > C:\Users\Admin\AppData\Local\Temp\systemapps_names.txt
  2⤵
  PID:3532
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C del /s /q "C:\Users\Admin\AppData\Local\Temp\systemapps_names.txt"
  2⤵
  PID:1568
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /C cscript //B "C:\Users\Admin\AppData\Local\Temp\Restore.vbs"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4260
- - C:\Windows\SysWOW64\cscript.exe
    cscript //B "C:\Users\Admin\AppData\Local\Temp\Restore.vbs"
    3⤵
    PID:208
- C:\Windows\System32\rstrui.exe
  "C:\Windows\System32\rstrui.exe"
  2⤵
  PID:3288

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3152

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:5676

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:5712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Restore.vbs

Filesize
135B

MD5
c8077150813613076ef8929147ba2ad9

SHA1
6efbfa0f732d09eedcc49e8990d73842b52c15ea

SHA256
e41527b362bd64d789383b9f27b097ea6cf21ab28666c104077390c84e970919

SHA512
1cdc19c699961d3239381547045eb322ff41b7ca1d528ffcd45eb030ffaf324c08850d1ab755bef0735921a25c819a39bd5e4622d33ae617cecd1eb9b628633c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lel3mznw.dlr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\benutzerapps.txt

Filesize
29KB

MD5
efd782410a0b567dbb1462464fc13172

SHA1
5ccb466595629fb886d7b418e8b99ae579c78e85

SHA256
c65cc729fb4088167f8c6ec2316b8afe5e774ccf75b2f661783f80421efbe91a

SHA512
ce3c8c34fd6f715227600add4a11a193fc6c58148041c0140550cba0410e2714ec330338162f70928def52f71fac6f04184843ea1ece6c8cacba4bbe9d65a854

Download Submit
C:\Users\Admin\AppData\Local\Temp\rules_out.txt

Filesize
179KB

MD5
e836e41e92dd65dce61e8be15b32ceae

SHA1
1e6b00c4f433ee942e165349dc54da55fb4c6ea2

SHA256
c1fcb6f1dd73ae43b931ce28274192d1f54b33391da016e309bdfd04c779af76

SHA512
09e986e15160db57e2aa157fffb6b7e9b956431d8b9e90a49d4ffd4debc7ea4e42e4ab793c6d4bde68a7a464e89d3580ca883ea98b68fb9b23ecbe2bb0c846d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\systemapps_names.txt

Filesize
1KB

MD5
cefcbb70792d5e7cd2b921575ad9806e

SHA1
4970acec4aafbd188c2a08e4ae1d0dc93ab8d663

SHA256
1b6893a67ce1c95d2f8e2131918b13d81940c2d2f9853bde67f742dec79105f5

SHA512
a7a0db7c999b257b90e3d9b85ece0ac9b750805045fe76efc8b626af4ce6ad5287ab0120457a02da8b0140ff7a6597d6028f5758138181a851f4478256478667

Download Submit
C:\Users\Admin\AppData\Local\Temp\tasks.txt

Filesize
1KB

MD5
44cb88614c4ad06078d6d0186393f61a

SHA1
63428e40ed7448d68a4670b4098d5f8819c527e0

SHA256
22813f635dad79fbb3d8ae6c72a1c4800e51ff8a2dd1f39989852769ae549eef

SHA512
839a62b1e0bf4b8848680f171637d668cc2213a3cfe230a516a03bd0a3640ebcf3b4b11b53f961b85e96c61efea7e8bdcb734ee090e2dbe0003bd2cc7165ec6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\whoami.txt

Filesize
5KB

MD5
fac237c8756b96c0a32dc81747ded1e0

SHA1
c0241c172c8da583238f309303a2ce51ea552c0f

SHA256
bda7441ad509e539445a69eb81a3ce3494cba22c3915a0d00d915093d8eff630

SHA512
9bd57fbca78467fca6d2de3230f5340b669f5cb3d4811d6e9c76318b1e2e3cd165de02f9c4ba6f00e4fec140af4c59d93eb7d704a2506207181bf02d801bc174

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\Cache.ini

Filesize
4KB

MD5
4dfc9ddbb7e98cd7a7b6b4b615c2d6d8

SHA1
6727eff661ac26371853c3069b9396998e169d44

SHA256
f45471321ea31047d5339db31bf74d4644659875b941c8b3d60871e4ae115933

SHA512
526066679419901bb7bf7b4ed77535a08c61e8378478766adc3b23c2147c978ab19287f00c92c4d8d20b8818d8e8f72c934f0a9cae91845912ec77846b9d6948

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\Languages.ini

Filesize
1.1MB

MD5
23cdaef19b920f88d5ae54d8a90d74ef

SHA1
e9f1a583e7a30fc5fdb6548608bd6c775690cbb6

SHA256
24928712761116b686323da6b014c591c1a4608e9a7cebd050d17e808ba054b4

SHA512
01deb9d382b1ff0cc21ed17ef8b36add8f585c12643a878286a12c57f94095c96bfbd993df78d63e0abe5aaf2458286d8df5cfb48e6808ceb266d901123736c3

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy.ini

Filesize
264B

MD5
d405b28d215524d0e4079a31bba036b7

SHA1
de604be41edd50a988308df1a5c882e6c94c440e

SHA256
91d2018d0489774f30f13c6ef6d8cc74a86a3d47e8961b5e1c2032f9af5b894b

SHA512
5009d738a9afaf7dc10bc3ed031244cdf0c1efb7f362726838825a925b81508f9f886eaedbbfbe41861923dd942607a763c1dd060ed2f2d268bc34388ec040fb

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy.ini

Filesize
403B

MD5
f7bf4d34b64751940f09d156783b07a0

SHA1
c5a378812c3469734e54e691710c8ba7320cc65d

SHA256
fccecda677d285653158b34746e59864814b1c25fe41245d9dc644815e09d755

SHA512
894ed6e4ab833a7cea67953f0a93ba7b9b5664a527d10ef0f389db389717cf111109faa5b0a18c02ecc0619d8c7d406a8c2c6e36870213376410e42e9c127eeb

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Hosts.txt

Filesize
9KB

MD5
651ba8cd124db920497b1fc8c2ddcda6

SHA1
fe13f616ac92f6d1d0bdf34f062fe56772144379

SHA256
e9fd5189563bb924cd24682c68fd9004243c56385c79117fa9c6a3109a4e30c4

SHA512
190e2bf35232c69e957a64c9f8318e52d95e3679e68f50f30a61584deb8aae1fff378fec7abbbd8b16c963e56ed03011783e469ee2e06095a19f6ab83c4b6b30

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Hosts_LIGHT.txt

Filesize
4KB

MD5
4d11bd7c524f99dc773ec3ad3bca1944

SHA1
c7824b9ee3eec8fa900b64e2d2eb6186c5d32273

SHA256
0ea68999329d2e542dc5c933dce7f8d57329c56d3c4326c4fb8fea0ee89e44cc

SHA512
e3032b95fa71f754755b3c2ae38774fe5aceb014077730dbddda5636c61fbc7f792f0a12ffd42d12077cf7b85d32131f3dde72eaad431bf48e9bc97591fde28c

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_IPs.txt

Filesize
185KB

MD5
dab0e50b50d9d10861b67fb60e03ba9b

SHA1
77b7feac28b7f963e5b648bb8893c1ffbd0f413a

SHA256
72023c7f1253a06f2db1529bc54a6a9f51f33fc0c075d175cb05d155ec7690c5

SHA512
8b7595c42b2d219419fb3f066bd9c70c212df613b2de1639dfee74c2dcf21f1e5896f33230bb96b68a4c5a2c5571bc50d8b073302ee6ddc946d42dee80dbb78c

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Settings_First_Start_GAWKBMOT_Admin.ini

Filesize
641B

MD5
ca5e429b21c2458638fedc630a862735

SHA1
c5543209ec68e777406a958e70fb2d427a4aa0d6

SHA256
16d8d8e753cf006ae14e4b555567a7500303674ede642ff787b9f3d166a0e0ce

SHA512
44bc9198cdd6dc63be7e5412c8782cee82e1795f82deb6081cc7741ee59850eaa4957c770946b18d959bb75bb5b6a86f3eaf1e6d0e8ab0441ee1a4f3d97b19ba

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Settings_First_Start_GAWKBMOT_Admin.ini

Filesize
828B

MD5
1c023d1a82c8082daec97b8d949c0269

SHA1
723da778d981f1336de7dbae2f45d71af437c89e

SHA256
3cb85a44e7845614be2b43390bc734508b27ba6cf9eaab89243b61a19d57927d

SHA512
24ba451f5c772d4a9660a6f9ea52dd9a5bebe2e982c47440ba86cb6f83b84d7a81367d07eee574db5bcdfe2f75a812722616e238435a3c33c5cb7070a1904747

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Settings_First_Start_GAWKBMOT_Admin.ini

Filesize
1KB

MD5
e9b5af1fd7a764da4ec40bc61edcc3a3

SHA1
70a8c6812d81f51f4257bc89352fdbbff7555f9e

SHA256
48d535741063956fe28995f9f71a7a630586f1abbffdca054aabc78aa6b64fc1

SHA512
229a25cabc38348b6a17939ad1b1ccd598b740af546b2d72278ae5e49bee18427e7755ad3dcca2aee42aa727efcd84d89cfaed79eec094a1f18f35784c9b602f

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Settings_First_Start_GAWKBMOT_Admin.ini

Filesize
1KB

MD5
ac38cce4ee4da6f012876aeba368eb9e

SHA1
18990d0a0509240480100b4993a74a636643129b

SHA256
8a2de4498a44560fe0ea2c5a9cd736576f23043e6feccbd9f545d039d9404364

SHA512
d87255b68b2c155551d065dd459da02250b5e0a5cbb30b5d3295f4ec91c03d2dbdf83da226131e73e129d8a707c191b81dd7ced52fb2b7f8a9fdb7707ad6f37f

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Settings_First_Start_GAWKBMOT_Admin.ini

Filesize
1KB

MD5
4400969310feba88e5d2b50750615613

SHA1
20f4094955507e5cf12603a5e1c3993c9440e13d

SHA256
0b77b3ed6f0964e618e0545d851286577a22501ccafd203f69515945e7ef40c2

SHA512
252ba39f4ec50401aa8aef16812fa74f04cd085e6d9052585b4116c4eb718c7315e368d4fdf98580b863e61b437b9c0a84bb2908e482d73953db3146a3b39bf7

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Settings_First_Start_GAWKBMOT_Admin.ini

Filesize
1KB

MD5
eb1b14c0096347e0e73d9917ea618dbd

SHA1
697081be887610acad1a6650ec653a0d6fe38efd

SHA256
b9779399fcf829b535d7df60534de0bfdb40a399aa6d18af4e7ae8bd3f3c9c87

SHA512
887c5b2f88fede6b663946a9470ccec8a6fd4e69cb3c854c42d7ae4a5cf06269fbddc3c08e1268697bb18a6f19365a2bd678beb6be167780de1680caacdd321c

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Settings_First_Start_GAWKBMOT_Admin.ini

Filesize
1KB

MD5
f24b87c77f453878fe64593794a34bb2

SHA1
558ca259875ee224c7f6d540e73b3c76ddcd8016

SHA256
c435c3a160379c95c3a8245b79e93129565c987205369dcec8befe141e86e33b

SHA512
e35f597fdd1231c7cbbef1ea23110085e3efe7ee346df136bbda4593ee40713355bfa09e2c30986c670c69906c7161c5ba1711f8a3372a0260692155735fa46a

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Settings_First_Start_GAWKBMOT_Admin.ini

Filesize
2KB

MD5
ea89dfbfeb39c6951ff69d556f747901

SHA1
fea6674d7c153eef00475f24fe92ed1fae78a2ae

SHA256
9edf19090b63b32da47534150deba61438a88b39826b846642837d16e0f9c823

SHA512
72414f884fe24320b204d113857e91f73c282ed49047fd96434ac27868591db5812e78afb1f079e0917304d6ff9262781ab00a895762d0101fd9a086ea2c35cd

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Settings_First_Start_GAWKBMOT_Admin.ini

Filesize
1KB

MD5
2a0c09f80b5088675aa381c8415945ca

SHA1
773e07da9b54fccf5400bd89917f2632c0701876

SHA256
68756e2faafc63ae2e5e60f266d86ee16d8115da11bba5c4020f3f9b4a53b41e

SHA512
1afb27bdc181268f6c3fe5eeb5e143e2b559f041ff3084348bfea3cc43c26dd33b4630276d8f684748b682dc64babf8ddeecf76b55aa6ff2f2783df83e45f499

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Settings_First_Start_GAWKBMOT_Admin.ini

Filesize
3KB

MD5
45503752b3e84955302446f4f7b866e7

SHA1
826d1a58facfed2f6c753a9ef4b8b2805bba885d

SHA256
9ecffaa77c40adca167a05b922ed8708bf539901a9d0e55957585a61f33da9a4

SHA512
21fc326243c6dd2ba7175c2bf306a37ae0f6d217874091f60cf340ef1a2c6db79309d0749f17511466a93dae624b4121febac756a528056417905ee7b43e63a0

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Settings_First_Start_GAWKBMOT_Admin.ini

Filesize
3KB

MD5
578a36572969c106950014395602b173

SHA1
c25e98902da70a62f48ec11dc3b91cd1eb51d7ba

SHA256
da3113f2bc0b87e732eb6198f00015422f09516b87bd1e0174b192fbfdafc746

SHA512
9781b74a66a6ff77e102c7bac1da5e67e493b0802ce65be8a7a27e4c5fdcc39c59b73cee3c4e6a86bfab62394333e01a97b33b35fd79bbd80740a15f99a72a1f

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Settings_First_Start_GAWKBMOT_Admin.ini

Filesize
8KB

MD5
86c4a45e1d01a0dec270e178c5287f41

SHA1
1db4f899d888af689e5e6d37417e0cb33c69e209

SHA256
d5160650261fc1d9ef1bc6e6172eecde04053c127163fb71ec7f8f9114a69471

SHA512
0db48cf3cbb9023abe2ac84af72a68c6e843fef04fe2b7a592364f483e9c2ea6e7017605e93f2f74ed3671b32caeda9961d716703ba57c3e701e37a85d1fe430

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Settings_First_Start_GAWKBMOT_Admin.ini

Filesize
3KB

MD5
96d0ec814072f988cf3195d82da18f05

SHA1
988117d9ebe2ac63ae2c510689853c7651fec4c9

SHA256
79991c9ff3bdf54a6ffeeb6e992e2a76393b6bd37e5d4f976a2781309483df7d

SHA512
8ef9d81be3bbb0c016edb211e2171218769997fa0fd479f2cad8c31a5fbf8ccb0f3e3f77bf55fd07896fe2830ef297190ec27172d87f6ceeb71584a6edf18ee4

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Settings_First_Start_GAWKBMOT_Admin.ini

Filesize
6KB

MD5
7efabf0cdb410513d66918adba87f230

SHA1
e44631cee3d7c29ba66ecd71c42ddbbf83b4ed8b

SHA256
e17236961eec027882be43bfb69f4d5112a7d8851f0d3e00d3548339b7fabc9d

SHA512
4b25157f62a844f03b49b49ecf7c6330efbe9ea1b8d1e5f629b11f1ba52143a4559e0c5f4a7b6186289a30e805fd09b0f2abe1619797ba9c5f35e1dd9a0493d6

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Settings_First_Start_GAWKBMOT_Admin.ini

Filesize
7KB

MD5
e0947b86b17062c269d2c981c874485f

SHA1
b460eb5e4c62f44a3be0d4356d5a8eb0817e4732

SHA256
07b4c8eef2878ad7066d8cec19a1e8859f4dd4be2d1731a2c6254ee5e656c152

SHA512
5856674ba1c1555ce92e4524396226fbfdf04c50fd5f0305d7e8a2af43283f61ffa39d226f723816b13e84e094a330216d25251a4750197bd0f75b6e4add5d53

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Settings_First_Start_GAWKBMOT_Admin.ini

Filesize
6KB

MD5
48da5ef80374871bd338673cda99e92f

SHA1
939b24e75f610f617d5420ff91e4150e65018c06

SHA256
d31779ba5d2b26e1e6c3b0417fa60f620964fb730287b78cdb4c4ca63d2e6e1a

SHA512
4238a47e9d90716994eed4239cff9bb5a483cc1f6d64f7bbf1bd5d551945441cf24935d653aca4f4595811ecdc5ce488c56816ac02a108e008ecbfccfe80471f

Download Submit
C:\Users\Admin\AppData\Roaming\W10Privacy\W10Privacy_Settings_First_Start_GAWKBMOT_Admin.ini

Filesize
7KB

MD5
6964434bf0c27ac03e24db7a0ca88af2

SHA1
26f4141f710cbd7868749d7d83426636a125ec19

SHA256
0fd85a068987b738f56ade1543d471d5ecb168d35822e0ddd984f5f00c9c3299

SHA512
fa71fc78e3f9c3fac0a1f7fc70e218d0116d25ffa84599cb486ebb419bec6742b4a013d4be28e40e155f6f33f4c596445e99e1840354ca11c157f78cbbd45c62

Download Submit
memory/4256-101-0x00000253C4FA0000-0x00000253C4FB6000-memory.dmp

Filesize
88KB

Download
memory/4256-103-0x00000253C5050000-0x00000253C5076000-memory.dmp

Filesize
152KB

Download
memory/4256-102-0x00000253C4F90000-0x00000253C4F9A000-memory.dmp

Filesize
40KB

Download
memory/4256-100-0x00000253ABBE0000-0x00000253ABBF0000-memory.dmp

Filesize
64KB

Download
memory/4256-99-0x00000253ABBE0000-0x00000253ABBF0000-memory.dmp

Filesize
64KB

Download
memory/4256-98-0x00007FFE123D0000-0x00007FFE12E91000-memory.dmp

Filesize
10.8MB

Download
memory/4256-94-0x00000253C4AF0000-0x00000253C4B12000-memory.dmp

Filesize
136KB

Download
memory/4256-107-0x00007FFE123D0000-0x00007FFE12E91000-memory.dmp

Filesize
10.8MB

Download
memory/4748-4466-0x0000000000CE0000-0x0000000001183000-memory.dmp

Filesize
4.6MB

Download
memory/4748-5661-0x0000000000CE0000-0x0000000001183000-memory.dmp

Filesize
4.6MB

Download
memory/4748-3072-0x0000000000CE0000-0x0000000001183000-memory.dmp

Filesize
4.6MB

Download
memory/4748-4469-0x0000000000CE0000-0x0000000001183000-memory.dmp

Filesize
4.6MB

Download
memory/4748-5267-0x0000000000CE0000-0x0000000001183000-memory.dmp

Filesize
4.6MB

Download
memory/4748-5388-0x0000000000CE0000-0x0000000001183000-memory.dmp

Filesize
4.6MB

Download
memory/4748-5510-0x0000000000CE0000-0x0000000001183000-memory.dmp

Filesize
4.6MB

Download
memory/4748-0-0x0000000000CE0000-0x0000000001183000-memory.dmp

Filesize
4.6MB

Download
memory/4748-5783-0x0000000000CE0000-0x0000000001183000-memory.dmp

Filesize
4.6MB

Download
memory/4748-5905-0x0000000000CE0000-0x0000000001183000-memory.dmp

Filesize
4.6MB

Download
memory/4748-6028-0x0000000000CE0000-0x0000000001183000-memory.dmp

Filesize
4.6MB

Download
memory/4748-6180-0x0000000000CE0000-0x0000000001183000-memory.dmp

Filesize
4.6MB

Download
memory/4748-6302-0x0000000000CE0000-0x0000000001183000-memory.dmp

Filesize
4.6MB

Download
memory/4748-6423-0x0000000000CE0000-0x0000000001183000-memory.dmp

Filesize
4.6MB

Download
memory/4748-6545-0x0000000000CE0000-0x0000000001183000-memory.dmp

Filesize
4.6MB

Download