Analysis
-
max time kernel
697s -
max time network
698s -
platform
windows10-2004_x64 -
resource
win10v2004-20240412-en -
resource tags
-
submitted
19-04-2024 16:55
Errors
General
-
Target
FA Installer.bat
-
Size
42KB
-
MD5
ac48f9875234a4e5649d152672903198
-
SHA1
6795362296194a79770a385a1a81efa89c6fe203
-
SHA256
e5f0efdb833e0b8ec06d88d13039ac9ab2b46a70a26a6c9c07868a79b8f11f62
-
SHA512
b5a8cf484eca8afde45a78b6768970a3ccd9f4731f4f9a227ac22e02cb3c9c158c8221c136fef191ce9967b2b4bc8c7f4aa6a4310e04dc5e3e5b8b7fc712df44
-
SSDEEP
768:lnwnjP9zogqnrT9AHuhUcKhnuxGTBmF5p8yJVS5LTf+iA0:FI89nf9tUc+nuxGIFwyKhTf+r0
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 13 IoCs
-
Kills process with taskkill 1 IoCs
-
Modifies data under HKEY_USERS 15 IoCs
-
Modifies registry class 4 IoCs
-
NTFS ADS 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 7 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\FA Installer.bat"1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo4.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo3.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo2.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAinfo1.vbs"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\FA_Antivira\FAshortcutinstallerdesktop.bat"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell "$s=(New-Object -COM WScript.Shell).CreateShortcut('C:\Users\Admin\Desktop\FA Security.lnk');$s.TargetPath='C:\FA_Antivira\Fabi_Antivira_Securety.bat';$s.Save()"3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\system32\timeout.exetimeout /t 12⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAwlc.vbs"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 602⤵
- Delays execution with timeout.exe
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe"2⤵
- Checks processor information in registry
- Modifies registry class
- NTFS ADS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.0.2052635877\1622097830" -parentBuildID 20230214051806 -prefsHandle 1772 -prefMapHandle 1764 -prefsLen 22244 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e54d9ee-7ee0-4365-916f-53df822b8f96} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 1852 1810522d758 gpu3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.1.76159362\300292943" -parentBuildID 20230214051806 -prefsHandle 2412 -prefMapHandle 2408 -prefsLen 22280 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f402f48-2618-427d-836a-c05e4ee374ac} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 2420 1810577a458 socket3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.2.869977666\400153086" -childID 1 -isForBrowser -prefsHandle 3016 -prefMapHandle 2820 -prefsLen 22318 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {60645fe7-9d7f-4661-9639-a682db2d5760} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 2740 18107bf3d58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.3.174865325\309931989" -childID 2 -isForBrowser -prefsHandle 3480 -prefMapHandle 1360 -prefsLen 27692 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf9139b2-4c75-418d-aa71-9e55d2c6f000} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 3768 1810a365658 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.4.963962890\749644247" -childID 3 -isForBrowser -prefsHandle 4888 -prefMapHandle 4864 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd50c3e5-eebc-4f94-baca-28e6da3f7f00} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 4828 1810cc86558 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.5.1845527900\1414269610" -childID 4 -isForBrowser -prefsHandle 5244 -prefMapHandle 5248 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54741bf6-6264-4051-ace5-0de871294eed} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 5236 1810cc87d58 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.6.116301782\1855921897" -childID 5 -isForBrowser -prefsHandle 5440 -prefMapHandle 5444 -prefsLen 27616 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e7a519bd-71ea-4102-b905-5c9ceb5ede91} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 5428 1810cc89558 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.7.2024065354\1970252890" -childID 6 -isForBrowser -prefsHandle 5872 -prefMapHandle 2692 -prefsLen 27697 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f29fea3b-3e3e-4c0a-b59a-ce13b89cd610} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 5024 1810acba158 tab3⤵
-
C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1132.8.1318373792\1904729572" -childID 7 -isForBrowser -prefsHandle 6076 -prefMapHandle 6080 -prefsLen 27776 -prefMapSize 235121 -jsInitHandle 1204 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0da376a4-f7c0-4c33-a281-acffeba05f76} 1132 "\\.\pipe\gecko-crash-server-pipe.1132" 2548 1810dd5a258 tab3⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\Desktop\Endermanch@7ev3n.exe"C:\Users\Admin\Desktop\Endermanch@7ev3n.exe"1⤵
-
C:\Users\Admin\AppData\Local\system.exe"C:\Users\Admin\AppData\Local\system.exe"2⤵
- Executes dropped EXE
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\del.bat3⤵
-
C:\Windows\SysWOW64\SCHTASKS.exeC:\Windows\System32\SCHTASKS.exe /create /SC ONLOGON /TN uac /TR "C:\Users\Admin\AppData\Local\bcd.bat" /RL HIGHEST /f3⤵
- Creates scheduled task(s)
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v "Shell" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Modifies WinLogon for persistence
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "System" /t REG_SZ /d "C:\Users\Admin\AppData\Local\system.exe" /f /reg:644⤵
- Adds Run key to start application
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layout" /v "Scancode Map" /t REG_BINARY /d "00000000000000001700000000003800000038e000005be000005ce00000360000001d0000001de000000f000000010000001c0000003e0000003b00000044000000450000003d0000005de000000000" /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Control Panel\Accessibility\StickyKeys" /v "Flags" /t REG_SZ /d 506 /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "rgd_bcd_condition" /t REG_SZ /d 1 /f /reg:644⤵
-
C:\windows\SysWOW64\cmd.exeC:\windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t REG_DWORD /d 0 /f /reg:644⤵
- UAC bypass
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:643⤵
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion" /v "crypted" /t REG_SZ /d 1 /f /reg:644⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c shutdown -r -t 10 -f3⤵
-
C:\Windows\SysWOW64\shutdown.exeshutdown -r -t 10 -f4⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\FA_Antivira\Fabi_Antivira_Securety.bat" "1⤵
- Checks computer location settings
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAwlc.vbs"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\FA_Antivira\FASecLogsTxT\FAupLOG.bat"2⤵
-
C:\Windows\system32\timeout.exetimeout /t 53⤵
- Delays execution with timeout.exe
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\FA_Antivira\FAvbs\FAbuttenUser.vbs"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\FA_Antivira\FAcmd.bat"2⤵
-
C:\Windows\system32\taskkill.exetaskkill /f /im cmd.exe3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x4 /state0:0xa38f7055 /state1:0x41c64e6d1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Abuse Elevation Control Mechanism
1Bypass User Account Control
1Scheduled Task/Job
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\FA_Antivira\FASecLogsTxT\FAupLOG.batFilesize
466B
MD50ea60cedc7c561c2b3eceb58339f3bb2
SHA11c500a5b3625aec2d3f1b2a204b921b5e85c45ae
SHA256957680d4b0ac571bdf53e789855625ca7c68bad067f02b8fc9a7ab74355cfe51
SHA512c479cc265cf906b50f03a46571cb28471511f1cee4e35674ac968f73fc68bad972329a825fc1d9fce4bf11ad8cc624bcdbc0a7fe751711f1ae0ed53a8236b597
-
C:\FA_Antivira\FASecLogsTxT\FAupLOGlogFile.txtFilesize
37B
MD5ae979d24978650602269edd6a04b47a2
SHA183ab3fdb4097c51e397e822b0947929125d435fe
SHA256570fc53be64d998ddda6b74994f8a041bb678f01e80c4eb6280b6f4b5d98f97d
SHA512c8387c70bc93de262a8b236854b8817b2f710a1ed95d24d1a294554c10b36af27b0e6799c90c6797d88aed6ea604dfdf113240e055b7279d8a4e8530563168f4
-
C:\FA_Antivira\FAcmd.batFilesize
26B
MD5c4645d6e11ab471b8e0d246a285ca38f
SHA1cfb73001deb5265fd23118ea7c92b069726e0744
SHA256d3e398863bb562e0d6df0915b463e633dbb25947728fb2c5ea097c28a063491d
SHA512b0e49f720ce0738a5f77fd2e1e7383756ebcba77afb71c2d3c3962c0ef1d5a7054bed41963801fc570ec468ddf8a10c38756b9b3ed341b3c18d5a714640886ee
-
C:\FA_Antivira\FAhelp.txtFilesize
494B
MD5701f41ce7ce621d1536b42b84c048070
SHA1248b92527e022dd24022498d73f20f1d3b7b0077
SHA256ca05e47b3bc4a77687459f024fde354121d9dde33fed335c904b25bcef2dbeea
SHA512a26b9a615bef2991e9cd1d89f54552daf8a2970006b01fc4337f1e115454c3851f8306aac6c9cbafe2e523529cd04fce952d57d7db89be81ad8400a58202578d
-
C:\FA_Antivira\FAinfo.txtFilesize
86B
MD53bb958c0095d3bb7ae43fd80757f885b
SHA171be6a114f3d5ff211b14b0c434ba4ab89bf5257
SHA256457805e633ef790a62df6a11aa371b4352f4df14ac653fc5898defab01fec048
SHA512ccba11c26c45ecbd815ae4ac8de788b216f64803a9151345f359a7ff2982daa486d737e015e65929842b52a624742703bd6d4a511de32dce8918719c310cc2f6
-
C:\FA_Antivira\FAinfo1.vbsFilesize
84B
MD5fad7cd2a49837444cde4548abdf478b6
SHA1376a4ff6acc6ca44f2b660286633c5a31eddd764
SHA2569c08b7d014ab766305e4525478bf8a1bc2f8cbe4f04aedf38f7daa0660ba3cda
SHA512287223fdf6ec6347c37b51fc7913ab8931d1fe87c03fae93e1cf8bcacf1b4a2dc13605b08506a0299e5536fac5b02fc15ab387781b5b16873ea3c686daa81cc5
-
C:\FA_Antivira\FAinfo2.vbsFilesize
87B
MD55a1fc5e5db483c5926a50ee931581cd9
SHA1419644277a92e109d4ce6739a0d5e2d0ba8f2d42
SHA2560f79e391fe889e01a6ef37619023af6672e98f1551753a10021efda8dee607ab
SHA5120351928a53a5586c560e8155d99eb1838c873cbc2b554ae25c6be1433cdae41cea7508b60c016e23e0d2687d99bcc96066bc72f15c1ffb922f348f81e044c240
-
C:\FA_Antivira\FAinfo3.vbsFilesize
71B
MD5a61c87927d31edff281df2818dde924d
SHA1f076867cb0411e0c584f2f9052d4c1e550cd53b7
SHA2569220b169c1f0179caa92218990b05bc48cf75c9c36d4e45dd1c2b5f973910517
SHA512ce5c730e3dea3c9b1a565b02925ca95ee0c50abfe15a5a8a43c21b4cb7daedd1b582ebf264dba5d7dc3fad98e1014e0557a810baa111e83596ecd22fde8fc970
-
C:\FA_Antivira\FAinfo4.vbsFilesize
97B
MD5d912098669bc85cc04cccf0248617120
SHA1a817741d0ce4427cf0a0fceb7ba483972789fc60
SHA256e044130f2e60f76a963f3e903af9d077f0ff1a8437d1c7d52ff42345e7e28422
SHA512578127a4aedf65bb415602b08c16c29724a874b35a40dce0e116b4bf6daf513e8a511f3aed2cee8756efd45ee9245a34381433abbef91ab3908859f47f013a48
-
C:\FA_Antivira\FApyHlp\FAscaninfo.txtFilesize
45B
MD54e2b85aa6bf52880f38fcbf8d83e52e4
SHA1bef98ffe5e847fa96d848a3012903db0f4401475
SHA2567f42aa18673109c66a1dace36239fb98ce9f66cc8efbe8e56aeba47a1fe5d2ad
SHA512115eafbfdcb4bc30ef697331848e2771e4a21401000a768237bfc7afc8014a684ad1c68ed30359012458a39a29956cdbd8fbe9f94116ea51d361209fc60ca08f
-
C:\FA_Antivira\FApyHlp\FAstartmenuinfo.txtFilesize
121B
MD5cd506886f7c209e3fe64968e806724a2
SHA1acec50c5336fb9b157ca56f49d790cd40485e20f
SHA256123d7fdf0d6a518acfe91ddd2a518d7f55e7f02682561ddec9a9fa9e6b9515b7
SHA51260fc4c52a855fb64fc6df5a80cb345026cb4adb3614c91c25966e0485f7ffb70df263a64c21ec51c9c923e8ec42f277002b0115d0e3783f92e10eccc88876800
-
C:\FA_Antivira\FAshortcutinstallerdesktop.batFilesize
579B
MD543ac0b308354a69a243ade90d4710a48
SHA1eb13fd963da445a000a2bde81254a6165fb35ede
SHA256a66196a3237ebee214521d8a60c9747137c2abd928dd3123663ce6bf5b760bc7
SHA512e5a8f9934c72492bb7631140a6bedb0d114f8dbc9b4c1a7cf80976216db0e9acba411cf0841bfee988a3eee2639a0596919a51c6eaeced3ab1a62de2abe96ab0
-
C:\FA_Antivira\FAurlDataBank.txtFilesize
14KB
MD5db5e09a2e865744035faa37a94b0671c
SHA1a40af153926484e43f658c2a99fcf71157483446
SHA256dc13e83fb60435c3812f46b41a6eab2eca028f8c1eeed1b7b731f34a896e87ae
SHA512553289398e12fb169fe00264c5b6ae7a56140f2550a5360cf98585a2fbf4ee0917c3aae8167a6370ae5d2300c52138ae0c948c34b1beee503b6eab5cf34e893e
-
C:\FA_Antivira\FAvbs\FAbuttenUser.vbsFilesize
1KB
MD5f2f1d25a0733f5bbad7c729096e4810f
SHA188c073043fa9bc4c6660837f1f90f1a7a42a35fc
SHA25619f7da333b1ac0483d06821dbaa6640445442a06f603c9d8d3665269112abddf
SHA5120a2cdd4ff70945d1da0d88b532b0f31e4285fb4297302cc574fdde1d2dd9006d3ced8b71fecb9cc58e1792863733c64bd9c452a1c888dfb4e1e4e1340784c1e1
-
C:\FA_Antivira\FAwlc.vbsFilesize
37B
MD58af233a3816f2564fe1dd935a228eed5
SHA1e135f58494c4aa12e4c3fc1c6a5645716bac5384
SHA2569c30303185a1337fa4f8b22c5cf93bfa40b5f437bc82abd168c4aa0a85889ec0
SHA5122fce3e661e3d677848817d80567fdff464bc5c12badf3ff454576252facd49b159bd00e8da6ed96fc9748ca0c8b9d24d64a35651c29de1daaf2cc718fdbff8c2
-
C:\FA_Antivira\Fabi_Antivira_Securety.batFilesize
273B
MD5c67e9bfe1056431c086554c2206401a3
SHA17d7b11a79233fdc2c5b8dcd0e9edf5a028324453
SHA256d7b9799fdfefc9e083dc43cf74e7f8019a5f1e74c68e30ad54fdd208383cb2c4
SHA512e38c705f3cbdddc0b437459d1e9ce3b37e421da2d137f091ecd399eeed07b2d491abc39ea420546f2b68c6a6266ae99ee75ca3be656ddd5496513d7643be8b3d
-
C:\FA_Antivira\Python\FAMsh.pyFilesize
2KB
MD5ac02c7e35e75be6d744ab7a5e274de49
SHA1796d6c8a93997fc603c714a3346f42fcfa11ed13
SHA256c8c9b044439f06cf6ae2eed53230612e5960a2871779b06a1d73d56e4c528de0
SHA51228b5ee17c21093666abb11ff88afa87ea7f3aa880662809d8cf2192c8c5236b1435f6517186a4fad46c8919b063d27c9c43ccbf7bc7386ccd75197598532c195
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\activity-stream.discovery_stream.json.tmpFilesize
22KB
MD587d4cacc37cf33bd27b98d5b0223af5f
SHA1e9b1cf374d1facc3576a3fe40739a188b42e60ef
SHA25647ea0c3f7cad7ed0894eeae8d2ebc195e6bfeb95fc03db9296ede503fa9ee2ce
SHA512e288f99029f9e2af8d1f0ad661118eb30de4eba0dbf6a0e23bd97be2686f8293d559956e39b9bb619c6a1438a149b66e72dcef36c84fe9a5cb938b3259f94870
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\16396Filesize
16KB
MD59e9da9a76fb06cd1c67845ed99c3e574
SHA12c3665a1b7166bd5354828c8b7bbefb766c91b40
SHA2567654006f1078ba13e00e78794707c565a9767044f1c1e6150780c02849b81aae
SHA51284888b1603bd35930b33c38d1872e1d971c5668a13ea98fd30dce2ea46d0013be96c8b627639dfe79ce67f31a6e1cace84bd01edc48e76bff1d176bb630d15f8
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\17004Filesize
16KB
MD529eab85250c99af75bbe3cf1a361c589
SHA120c650983db846530cafb5d5b048841e1106e36c
SHA256539f003f276b6e339bced78c6017705b9a76d82d863ae307cbfad088b2276dfe
SHA5127e0b281b839f084df1de65add45d9521f965928ea56ca4f97cc487386d3f4f7a3fe710eb6b7462c3d48d7ed30fbb95e2df535bdf183aafb7c7434f72475a992e
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\17228Filesize
16KB
MD5b818a2b8a4f6b8127b7904804b70b768
SHA118e699373bdb071b4c53debc1dfd4053564c9fcb
SHA2564972f8c60141a6097b3b3a56dfdfd995a4da786b4fbc8fc48d2556c7bf8891c4
SHA512b130033af84bfd5e53d6a30c102450927ec4fc80023fa240fe7e657afdd0f8b99847847dd94bf50836214854950f5fa47d84845c4378c73e4e1dbfc486f2c42d
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\24088Filesize
15KB
MD52e13d38a2bea33b1e5e9690ccd55f768
SHA16269d8363adc38d30d48ed7a254fc89c48eb6725
SHA256e1147eec64863f47c262448b5ac7d7932457ac1eab7ddc25f47f230f1cffcb28
SHA512a0c4401eae9f05cee0983de6746a2356d75bf175b4f7b4bc7ec799c53d4e30873cd97096df858642aeeb179ad08ee4b90046239b4dba7404227522d79e8d3ce3
-
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\cache2\doomed\3110Filesize
16KB
MD5d24aaf9a6a8548e6d57e6c2d2f523368
SHA115e2444d8385f993c2a07c99aba7def31fad9781
SHA256dcb8ed610164c30221bd5315825956de688d909dd94e7cdeeadff6da3c13ea41
SHA5128a86cbd44a521c434f3ace1d92db6c477ef12f0127dadd0bbf7890ae3fd9eb4dac1e0bfd4df1dc726253ecc2d219862976ccbc222995b822017d6dcb6d1acaba
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jmda4uxp.ipl.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Local\del.batFilesize
65B
MD55be54536acf6854d3d0217fee5092ce3
SHA1823d25753559795f3b5a53de6b019b8815abc834
SHA256076a50ec803f409306be46309faf35ddca3f7a41f6a884a0e0ce55497c10cb62
SHA512b92ff21c43b6fa1a9711e7422a328583bf304bf7e2020c466825ce9172e6a31c4b04ce4adaf14a0e72a3eab364493dbfccbfb64586deab687c900ebbe541c681
-
C:\Users\Admin\AppData\Local\system.exeFilesize
315KB
MD585f1a8765f380669390de3ce2de8a8f8
SHA1006697ee6244a06372d2540f1f64d7b2022eace2
SHA256cba24647f82eecc726c5ee0ab314306b1c565de7d0b70b692610a725714f188f
SHA5120ebf704e36c8e90274c240726a8cfc72a9bcb5918a0f8f45b721a6cbb5a4216d5c7439c8e1b33dc3bba7cfef4dc45e723d120907a37555abeb0d0f85be8fd0ad
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs-1.jsFilesize
7KB
MD55508305bd564522b285d59f19bae9335
SHA19d3edcc3a31515f365854633a833d39a2379776b
SHA25654a912b787cb651584bd059b4f23c03adfeb0281eae11a595f96a68902eff413
SHA51248d29c2b528b1b2cd5411969638a8cc3daf3652e0a8cfc55dad09f253a66fff5a97b200c1123af28bc5a95ead43dad5659c4eded7f7f208d2c188959e2f046de
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs-1.jsFilesize
7KB
MD557619d4ad5490ecb6a315e473b99e2af
SHA1191d45c5a9355f74d97abc82b39c16a903ccfb8e
SHA256ffd7f9dc3c4dfd537b68482d112de2b248b30fb58a0824dbb767ed95632dd5af
SHA5126b547ea34e6c210df6d3c889b12b392cb3fe8dfac60a9af7d6a843f2bd95bab1415194dc9da98b0a26c90da6b100bfabd9d0cf2e50efb9bae19a897725f8897b
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs-1.jsFilesize
6KB
MD5c682648e7c3b36078ccf597529d393e0
SHA18e6dae64af3b8d0d43d7adb7a89eab67d11a98d1
SHA2567a7e99090e02611d7187dcf5f160215abff51258b8c99d79200990aefa6c8de9
SHA512503b340da2efbb3749739346059694f5503fdb6dded29f19980776527e1896dc95cc5f41a9378fc49712d0e70b1cf311d9d0d89dc8975ef6513cfee6f8bb975a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\prefs.jsFilesize
7KB
MD5e7c196c96735923f52a5e36eb9f3fe55
SHA1afecbedf9f802ae75d421996ff89257654b43806
SHA2569ebf5f587a6ec6f64c2472886b8f5e0b528895eb4e96b0701add0c0f4e99e3aa
SHA512d669221b817efad602d9debd4335013756b5fff859345bdc01d33b7a312db9f8cd97507e168beed36e33482d71eb9671e9de8d0a4bbe04a17f0231446d8871ce
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionCheckpoints.json.tmpFilesize
259B
MD5e6c20f53d6714067f2b49d0e9ba8030e
SHA1f516dc1084cdd8302b3e7f7167b905e603b6f04f
SHA25650a670fb78ff2712aae2c16d9499e01c15fddf24e229330d02a69b0527a38092
SHA512462415b8295c1cdcac0a7cb16bb8a027ef36ae2ce0b061071074ac3209332a7eae71de843af4b96bbbd6158ca8fd5c18147bf9a79b8a7768a9a35edce8b784bf
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4Filesize
3KB
MD53618946c468e8c76eba39b00ba90fcd4
SHA19b98445621578fd85ae09aab998cb8d55f745f39
SHA2561d3f7e3644e1ee73658635df854ff70698e445613ff841089f6163803ce8dbbc
SHA512a6ed83b3aeb6375119bebf0405216fad7dbac3ccbdd338a2745dfeddf46103ba71a4362f6d81546a34983bb741c797b6bf62cff1b860c890ec8e45ea8ce4b36a
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4Filesize
8KB
MD53312767e2a127323c24d6cd44565f383
SHA1165f36aed4c7c61842f72c1d0ab04447a1f8b705
SHA256643b865de45e39c73470dc1ae31f8552b325f929ae449fb225376d5312c6cfc2
SHA512a485d1661aca1cb8f52bfd020b1490b13054ed0ee9075e3a8211a1d5ab4de08771b4a9ba16f85a2360a342908dae36cc6f7b5c8d219f358e11631ba8e01947b4
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore-backups\recovery.jsonlz4Filesize
5KB
MD55e4080b11534a806740a495a7658cdd3
SHA1c1bce0a882a76da2bc98a318bbced592d96c6d52
SHA2561ea9ffc00cdbc3b23cd585536d5b9aa6160149c1c14b265ad721487a896f0526
SHA512003c344e95e8b37dab93ca8f6369436172a3351651415d4158f0f08c34c998d440bb9c0963489b59534309cf53a889c93bd951891b57dd06ed15273aa180fded
-
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\ryfa7gh4.default-release\sessionstore.jsonlz4Filesize
8KB
MD54762241e4f6ddbcca24cab09baacd672
SHA114c16041a48925b04c5fff6846a7c87720743081
SHA25665196548070bff42a860cbca39e914fd865bee3454da1de9571e7ec72a112feb
SHA512dc3d82d181d4aa2d718e2bcf744a828385d9b58cc4160798f76d44cf17016081deee11f75b430ac5611830e8ff03f2c4e11f4ce0b4eb90f393b0b0278e190237
-
C:\Users\Admin\Downloads\7ev3n.NHqhRU4J.zip.partFilesize
31KB
MD5c686b8f6e0df311445c5feb88f3e8835
SHA10338d0093e5a8f05b04b6f601e96a714ef97d252
SHA256a917acfdf0ceed0e37f0c698a6c47655123cb97dd917e961937e833265a11308
SHA512c4b3e7d041a23c5379f2ef8f2c46581004d39fdef16c68636b51aa5832871e9b6d22d514120fb52dadeaf61613218917034d695338b3837c71f3ff34bdecfc0b
-
C:\Users\Admin\Downloads\7ev3n.zipFilesize
139KB
MD585a5c7b6d0e7b7451295278a9bb40eb0
SHA177a258417a7294cc354bc4d883f0537de8dea579
SHA256be1fd9cb06b2083b60f4878a1c6de0ae41e22b25daa2478634f9d6d8df9f92ca
SHA5123db3c96fbcacf33c75ba9dd3b2f8fb3218031d10da4acb844fe10a8115488fffbedff6c42dc15a643d07f5ce630d4c16babc0ade3bbd3d1ce94fb319e432df8c
-
memory/2244-81-0x00000182B3BE0000-0x00000182B3BF0000-memory.dmpFilesize
64KB
-
memory/2244-74-0x00000182B3BA0000-0x00000182B3BC2000-memory.dmpFilesize
136KB
-
memory/2244-80-0x00000182B3BE0000-0x00000182B3BF0000-memory.dmpFilesize
64KB
-
memory/2244-79-0x00007FF84CA60000-0x00007FF84D521000-memory.dmpFilesize
10.8MB
-
memory/2244-86-0x00007FF84CA60000-0x00007FF84D521000-memory.dmpFilesize
10.8MB