167b7192937b39e657def16ffb0fdbbab326f007747505d5c8785811d6b03ab8

Analysis

max time kernel
26s
max time network
23s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
03/09/2024, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dfsetup222.exe
Size

7.1MB
MD5

6961ad3a4a5625db89cf901d3b48d597
SHA1

ca37e6361cedea61f167145b31ef0850c6ddcd77
SHA256

167b7192937b39e657def16ffb0fdbbab326f007747505d5c8785811d6b03ab8
SHA512

9d6b1456a60d5902650a5942dfb4137f476a2b81cdff4149117914f65b6444d1bfa0a3ce9dd29998017513ddae7eba0419da37ce054888bbd0937679eb673c55
SSDEEP

196608:Sai5Pg/CtTmdarnCCpbdjchVBqrAZgK9UBdza3qkrkzhJMZ:Saqtidarnf+VQgKorkFqZ

Score

7^/10

discovery persistence privilege_escalation spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	Defraggler64.exe

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 53 IoCs

description	ioc	Process
File created	C:\Program Files\Defraggler\Lang\lang-1036.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1063.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1071.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\df64.exe	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1038.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1027.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1051.dll	dfsetup222.exe
File opened for modification	C:\Program Files\Defraggler\portable.dat	Defraggler64.exe
File created	C:\Program Files\Defraggler\Lang\lang-1049.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1059.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-9999.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1045.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1037.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1058.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1060.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\uninst.exe	dfsetup222.exe
File created	C:\Program Files\Defraggler\DefragglerShell.dll.new	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1028.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-2052.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1067.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1041.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-2070.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1052.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1029.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1062.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1034.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1026.dll	dfsetup222.exe
File opened for modification	C:\Program Files\Defraggler\Defraggler.ini	Defraggler64.exe
File created	C:\Program Files\Defraggler\Lang\lang-1043.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-5146.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1066.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Defraggler.exe	dfsetup222.exe
File opened for modification	C:\Program Files\Defraggler\DefragglerShell64.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1065.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\DefragglerShell64.dll.new	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1030.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1032.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1025.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1055.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1048.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1050.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1057.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1046.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\df.exe	dfsetup222.exe
File created	C:\Program Files\Defraggler\Defraggler64.exe	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1031.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1040.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1035.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1079.dll	dfsetup222.exe
File opened for modification	C:\Program Files\Defraggler\DefragglerShell.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1053.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1044.dll	dfsetup222.exe
File created	C:\Program Files\Defraggler\Lang\lang-1061.dll	dfsetup222.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	dfsetup222.exe

Executes dropped EXE 1 IoCs

pid	Process
2992	Defraggler64.exe

Loads dropped DLL 64 IoCs

pid	Process
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
4040	regsvr32.exe
1032	regsvr32.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfsetup222.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 20 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform	dfsetup222.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\Defraggler\Executable = "Defraggler64.exe"	dfsetup222.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform	dfsetup222.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Piriform\Defraggler\Executable = "Defraggler64.exe"	dfsetup222.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133698451034524716"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Piriform\Defraggler	dfsetup222.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	dfsetup222.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Piriform\Defraggler	dfsetup222.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform\Defraggler	dfsetup222.exe
Key created	\REGISTRY\USER\S-1-5-20	dfsetup222.exe
Set value (str)	\REGISTRY\USER\S-1-5-20\Software\Piriform\Defraggler\InstallPath = "C:\\Program Files\\Defraggler"	dfsetup222.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT	dfsetup222.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Piriform\Defraggler\InstallPath = "C:\\Program Files\\Defraggler"	dfsetup222.exe
Key created	\REGISTRY\USER\S-1-5-19\Software	dfsetup222.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Piriform\Defraggler\InstallPath = "C:\\Program Files\\Defraggler"	dfsetup222.exe
Set value (str)	\REGISTRY\USER\S-1-5-19\Software\Piriform\Defraggler\Executable = "Defraggler64.exe"	dfsetup222.exe
Key created	\REGISTRY\USER\S-1-5-20\Software	dfsetup222.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Piriform	dfsetup222.exe
Key created	\REGISTRY\USER\S-1-5-19	dfsetup222.exe

Modifies registry class 20 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\DefragglerShellExtension	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\DefragglerShellExtension\ = "{4380C993-0C43-4E02-9A7A-0D40B6EA7590}"	dfsetup222.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Software\Piriform	dfsetup222.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Software\Piriform\Defraggler\InstallPath = "C:\\Program Files\\Defraggler"	dfsetup222.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4380C993-0C43-4E02-9A7A-0D40B6EA7590}\ = "DefragglerShellExtension Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4380C993-0C43-4E02-9A7A-0D40B6EA7590}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\DefragglerShellExtension\ = "{4380C993-0C43-4E02-9A7A-0D40B6EA7590}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\DefragglerShellExtension	dfsetup222.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\DefragglerShellExtension\ = "{4380C993-0C43-4E02-9A7A-0D40B6EA7590}"	dfsetup222.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4380C993-0C43-4E02-9A7A-0D40B6EA7590}\InprocServer32\ = "C:\\Program Files\\Defraggler\\DefragglerShell64.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\folder\shellex\ContextMenuHandlers\DefragglerShellExtension	dfsetup222.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Software\Piriform\Defraggler	dfsetup222.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4380C993-0C43-4E02-9A7A-0D40B6EA7590}	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\DefragglerShellExtension	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\DefragglerShellExtension	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\DefragglerShellExtension\ = "{4380C993-0C43-4E02-9A7A-0D40B6EA7590}"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Software	dfsetup222.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3968772205-1713802336-1776639840-1000_Classes\Software\Piriform\Defraggler\Executable = "Defraggler64.exe"	dfsetup222.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4380C993-0C43-4E02-9A7A-0D40B6EA7590}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\DefragglerShellExtension	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
5076	dfsetup222.exe
212	chrome.exe
212	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2992	Defraggler64.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
212	chrome.exe
212	chrome.exe
212	chrome.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	5076	dfsetup222.exe
Token: SeBackupPrivilege	2992	Defraggler64.exe
Token: SeRestorePrivilege	2992	Defraggler64.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe
Token: SeShutdownPrivilege	212	chrome.exe
Token: SeCreatePagefilePrivilege	212	chrome.exe

Suspicious use of FindShellTrayWindow 30 IoCs

pid	Process
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
2992	Defraggler64.exe
212	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
212	chrome.exe
2992	Defraggler64.exe
2992	Defraggler64.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
5076	dfsetup222.exe
5076	dfsetup222.exe
2992	Defraggler64.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5076 wrote to memory of 4040	5076	dfsetup222.exe	73
PID 5076 wrote to memory of 4040	5076	dfsetup222.exe	73
PID 5076 wrote to memory of 4040	5076	dfsetup222.exe	73
PID 4040 wrote to memory of 1032	4040	regsvr32.exe	74
PID 4040 wrote to memory of 1032	4040	regsvr32.exe	74
PID 5076 wrote to memory of 212	5076	dfsetup222.exe	77
PID 5076 wrote to memory of 212	5076	dfsetup222.exe	77
PID 212 wrote to memory of 3604	212	chrome.exe	78
PID 212 wrote to memory of 3604	212	chrome.exe	78
PID 5076 wrote to memory of 2992	5076	dfsetup222.exe	79
PID 5076 wrote to memory of 2992	5076	dfsetup222.exe	79
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4688	212	chrome.exe	81
PID 212 wrote to memory of 4408	212	chrome.exe	82
PID 212 wrote to memory of 4408	212	chrome.exe	82
PID 212 wrote to memory of 2760	212	chrome.exe	83
PID 212 wrote to memory of 2760	212	chrome.exe	83
PID 212 wrote to memory of 2760	212	chrome.exe	83
PID 212 wrote to memory of 2760	212	chrome.exe	83
PID 212 wrote to memory of 2760	212	chrome.exe	83
PID 212 wrote to memory of 2760	212	chrome.exe	83
PID 212 wrote to memory of 2760	212	chrome.exe	83
PID 212 wrote to memory of 2760	212	chrome.exe	83
PID 212 wrote to memory of 2760	212	chrome.exe	83
PID 212 wrote to memory of 2760	212	chrome.exe	83
PID 212 wrote to memory of 2760	212	chrome.exe	83
PID 212 wrote to memory of 2760	212	chrome.exe	83
PID 212 wrote to memory of 2760	212	chrome.exe	83

C:\Users\Admin\AppData\Local\Temp\dfsetup222.exe
"C:\Users\Admin\AppData\Local\Temp\dfsetup222.exe"
1⤵
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5076
- C:\Windows\SysWOW64\regsvr32.exe
  regsvr32.exe /I "C:\Program Files\Defraggler\DefragglerShell64.dll" /s
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\system32\regsvr32.exe
    /I "C:\Program Files\Defraggler\DefragglerShell64.dll" /s
    3⤵
    - Loads dropped DLL
    - Modifies registry class
    PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe"
  2⤵
  - Enumerates system info in registry
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7fff9a479758,0x7fff9a479768,0x7fff9a479778
    3⤵
    PID:3604
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1524 --field-trial-handle=1756,i,15879455512740568543,15899037703072803999,131072 /prefetch:2
    3⤵
    PID:4688
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2020 --field-trial-handle=1756,i,15879455512740568543,15899037703072803999,131072 /prefetch:8
    3⤵
    PID:4408
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1728 --field-trial-handle=1756,i,15879455512740568543,15899037703072803999,131072 /prefetch:8
    3⤵
    PID:2760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2852 --field-trial-handle=1756,i,15879455512740568543,15899037703072803999,131072 /prefetch:1
    3⤵
    PID:4188
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2860 --field-trial-handle=1756,i,15879455512740568543,15899037703072803999,131072 /prefetch:1
    3⤵
    PID:5020
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4408 --field-trial-handle=1756,i,15879455512740568543,15899037703072803999,131072 /prefetch:1
    3⤵
    PID:4040
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4896 --field-trial-handle=1756,i,15879455512740568543,15899037703072803999,131072 /prefetch:8
    3⤵
    PID:760
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4952 --field-trial-handle=1756,i,15879455512740568543,15899037703072803999,131072 /prefetch:8
    3⤵
    PID:2944
- C:\Program Files\Defraggler\Defraggler64.exe
  "C:\Program Files\Defraggler\Defraggler64.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2992

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Defraggler\Defraggler64.exe

Filesize
4.9MB

MD5
ff542ff928cda6c04aa26369ba31320e

SHA1
31f8f754d2e28203b5f4d91fbdffc44b17681085

SHA256
69f39ebd53b1254d87467ea1a24a6617708794c03243944d45ef4323ff6ce00b

SHA512
42fe131cdf0a90f08da1c3b89124b7fe6c51c0020a5ae1f3c1b9d5d0fb2b2157dc08aa0789b77e4c7bc682d4c367acf19250ee8299f33cf4e5e1526bd9321f0b

Download Submit
C:\Program Files\Defraggler\DefragglerShell64.dll

Filesize
107KB

MD5
d62b22ad5badb41fd6498dd88ea2a761

SHA1
a91003f69277da305f62f568bc83cf5b304e1d7e

SHA256
b1df7beef918bdfe956de5ffd243f546530a4c73e73dd4c72adb8bd6e123b2a8

SHA512
ba5f9c2f23ea6fa652d937f0cba3bb4718e0137ab397ccd863d76c01891408838888b3fc9342ee2b50959b035a48e5a3a63cab2f930f294c70de438db616f420

Download Submit
C:\Program Files\Defraggler\lang\lang-1025.dll

Filesize
57KB

MD5
9c54e0e2cce5863c8556f1a2ab7824ab

SHA1
af664db894d46e59c69db0a45ba4fe2621bad00e

SHA256
4c85476eb812a302d922873b9752731058427acfc95a9876681318bf5dbc05c1

SHA512
010f1a4feec83b894aee76e3c8f6853d35d55345a7bc6e7d57f4ee37780669bf53bba61abb69579124b5ef0ad9d472ccb438b763610df34a08893006e72af2b6

Download Submit
C:\Program Files\Defraggler\lang\lang-1026.dll

Filesize
61KB

MD5
8e069c7e8b1aca9201360012a1cd8934

SHA1
8582a6f85284591997023dfa6bdf8450941641ae

SHA256
99bdfdf665b38405c4fc30f1a111b71a0e1bf9cf0028dce095a654b238e0049c

SHA512
fc25f6a4e39b2f3016899d8e6ce07025122a778b538dac5138d8fd349fd8a2a17022418ad323cfc1a4bb1879cf40ac1de39436685d4056d55187eb6d3427562a

Download Submit
C:\Program Files\Defraggler\lang\lang-1027.dll

Filesize
68KB

MD5
179c508bc377329990efbdcd53f3ccd0

SHA1
8d8ddcf424d6817215d1901a3f609b488e2ee5ec

SHA256
d642f0d4398e31da0f85a79311d5ea028f6f35fa9367ae7f65554df06da787c2

SHA512
6fcbfc29b2e9b86dd00c486278e5f7b5edeb8cf517e20068f3bbed5103b45148b8266dccd2b141b26696de74926b434f4327f8ade55e53e2c4e5945644cc5c81

Download Submit
C:\Program Files\Defraggler\lang\lang-1029.dll

Filesize
62KB

MD5
2c64e8e749cadfba6c59ddb65e769b65

SHA1
1f7d53ac0da6913c47440379a798ced7a16a43ad

SHA256
ae0bf8a687cee261fd115f928395abea57953404db2c48f04dbd9eb1fd9e6dcc

SHA512
ada44b5f44579a73a63db45b110cd1999d2b125dec2ff390302ff3eccd9645cd471bdc491cfd63037b6f3083f164c63122377b7bbd45d633b0ccae0a8297438c

Download Submit
C:\Program Files\Defraggler\lang\lang-1030.dll

Filesize
60KB

MD5
61eb43032eb6dcf882cbddc43c0c4dd6

SHA1
d89a6b8431a031eca5230d2d827be47ef8a3bb17

SHA256
6ecf489a2c912b890814c9d181c93358d17680eee0511186fe2e9163899dd293

SHA512
435b0c108c1c37b61f945e71a3976a5211de840d03c06ef3dba050105ab9a7cfe75a8cd51945104ae7ee5ef12c74b03a2f6b32c2564eca9d61766b3881e837db

Download Submit
C:\Program Files\Defraggler\lang\lang-1032.dll

Filesize
72KB

MD5
0abedbccbbb82750021527260dc577ed

SHA1
8a9bad01fb8dfebe762a1895512bedf32cd3c26f

SHA256
58befcef9141a7555765f2f0b5e8c6c5cf940d92ec01a6f7d64e1017730ae72b

SHA512
587dfeea0a5f28d61f8a69c106cacb15e34bc1930484e80215140369851e53071e7c5431379e77be03e844729d0036128c752d18cf41eeeddca3e3d119b873aa

Download Submit
C:\Program Files\Defraggler\lang\lang-1035.dll

Filesize
64KB

MD5
3d0eae6785592e84014b97ed27fb02d5

SHA1
50c98545a7234878962f7fd6848befcfa1feefe3

SHA256
d83732741c6c0768adccbe561bfc05103a8f09712a25f5a371474295532fdbe3

SHA512
ed5cacdc178e702135fe3b618040e37b8c30f6f5953b18db18b18d97694c0032a03cfc79d909f331ea910dcf3cfd2f7444dfe9b49bb6bacdf6d04f2dc0d7180f

Download Submit
C:\Program Files\Defraggler\lang\lang-1036.dll

Filesize
69KB

MD5
072700db29d972ab8c6f69dfb5241785

SHA1
caa3e21c2fa5543c9b539cabc2e0c85c59082806

SHA256
8ff5164d7587accf48549f248008de0063593bca596ea72536d4b2397978c225

SHA512
1659bf5e55eb0969c48979c3217be9de2edcfa40c0426b10a3a1d0a76ad5158b5a746ff3cee2ba13fd09d570a96a861ce7ca2fcefe4d5847ab8eeec0bec7e371

Download Submit
C:\Program Files\Defraggler\lang\lang-1041.dll

Filesize
42KB

MD5
488a7630c23ae5d36ed8a8acd76f55e2

SHA1
a1c8ed90e521047b7663e89f31d1c2cbd2d36cbe

SHA256
8d22d023deadd1381102db9e302bd870f19d40d868b0adf5baf6d0e3824d35fd

SHA512
485d51d3742d837e22fb3069b5f755e62a7f3f49a03037a417149ef8d6afcf71489c1ffb84fac9a7b080ebb6a78da161c60f0a12728b14a51fc6b114dee52efe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
944B

MD5
fdcd3ccd555e7d3f91f4c68acecc8ded

SHA1
8ba07b00ebe4a8ab2133d242173ecb46a7630220

SHA256
7f4b2d1f6253924f603c2259d069d2df2dcbf75778f03c53ef3ae94a0a63b8fa

SHA512
1e1ba42992de25a9995525297711a82b2a2d8c4e8178fc6c4589fcd0806822873737040385ef012d506112cc4ebec9a6bed49385dee48ce0e99660cfefd43a83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
ea80955416981a06aafca5ac1da4fd10

SHA1
276f4816133fc5a22ec3a8dda4bf288e8ffc4936

SHA256
f31e9ddc674453d3b1fd25d6161d65c52f8edb1bdf04a321769769d5ecef1e3b

SHA512
4cbb4924b2d4ca2d31e95563adfcde2e4e6198169a4644c3a092d40fde69c433e08451c754794abd9c1b9306916b1be1e291d314ab77b3c02bf0b9ba58b68f2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
56c899ce65348a4c8939614664b24c71

SHA1
af59793c919871ded1c2b2a690adb8b90a8f4ce9

SHA256
303080d0c6929466c82abc054b2e3d969cc4076ab78eedd038ef4e7d8309e3fa

SHA512
c3578b4ac433ea986f8ada675ab21de04f0b95c50072baeade917e2b588b0133c6729a119f3da1d363e2ece4d4ac48bdde2a902dad00cb28084581354abdb187

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
fa390710997405e1676a6a2a4b14c637

SHA1
3aec0f527643a396fe748ad897ed45394feed5d1

SHA256
51b34ac2dd605601096c8c2c4682d5d0df55fb856dc16e386c2af989d7122fac

SHA512
ad61b5ac4540ba265af9e27c8731204ee4b46bf76b27dc1b2e42093a976008d2631d92619249645771ad325b63013d09da88db1baa8417a6ec59a7557e7b874f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
303KB

MD5
b3dce90cea918f71317aa79e6d349a07

SHA1
fde8c8f051eac007ef1cdfbc188b39ef5ba8e88b

SHA256
640b27a78c8195ab7010b9fc1733960876c1fd707789a0baa117c9e5b34c5aa7

SHA512
45fb54ae6050b12c03a2f99b5674e6c964ca2dcc7216a4a6236c98e69e8c0c462fe4d210e4966ad54bcba3563ec24c72cf93157d119d79d73474e4891a313b39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
137KB

MD5
22e554ae8c1252609e299eb2d55e014c

SHA1
2ceb230de6ef8200f3bc41e5178481f91122205c

SHA256
3b2169521b19b2bfe0c6746c25393701bc9a69cf932cad56d84af3821da7e4a4

SHA512
eed3ca993e1cd085faa8506e312f2b215b6362229d09410ea25a4075511484211a54f4819eea8d2d4522502da9b1a650b0afc9d7f73e80cb27011c25cc44707d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
794422d62f9af12f1ea5523b0060ea74

SHA1
19b1174dda41b7be3ad8b075d06d623c535c9ea4

SHA256
666b20833d3b681ca4a46bf40e7731a54c7a8bb11764f80efb743d616322e9b1

SHA512
7b216fd008bd9cd281c4da1ade88471a956805927ad7e555308a5ed93109085efa1875f8792e7b976a19dfdf22f2bf9d06cdbdaa7217c3dba59ae9985363e6cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
25.5MB

MD5
ffe9a0d753429aaf38d270cff215778f

SHA1
95f80f1514d78cdd061aeaf407814120a97ce6f5

SHA256
82dd4da439c1db7bc7ff573997ce099f61d4f7fbf24b95f83bc0c950e3e1699e

SHA512
8ba2e039c5969ce06de01a61d632b09b0388dbecd3da95793d72b48cc81e46e33be8606a4fceea832ce97e88108b80c6f1852182b62639019c8a421a936f953e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
af77e6b6bef3e1d47c8cebf4d4ab4164

SHA1
0d89d076e273d750df212cfd251f9083059ac522

SHA256
90036d58d37a45d2ab77d65532acc86368b4ceca201606211da36d9e22ee7b93

SHA512
0be845c5997b8abdd7fb32b9ebc72e8e66b17aef724be820454cab3529cb3c9b89dba5c40e6f3eab40ce9b823cc43ea6ecf731849dc3303ea41a7be7b7631d93

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh65FF.tmp\inetc.dll

Filesize
23KB

MD5
7760daf1b6a7f13f06b25b5a09137ca1

SHA1
cc5a98ea3aa582de5428c819731e1faeccfcf33a

SHA256
5233110ed8e95a4a1042f57d9b2dc72bc253e8cb5282437637a51e4e9fcb9079

SHA512
d038bea292ffa2f2f44c85305350645d504be5c45a9d1b30db6d9708bfac27e2ff1e41a76c844d9231d465f31d502a5313dfded6309326d6dfbe30e51a76fdb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh65FF.tmp\ui\res\DF_computer.png

Filesize
64KB

MD5
8cfc0caa56cfd01f0b273fef239bc025

SHA1
91460b2d5ba938aba79f9c8a234fa2a86d6b010c

SHA256
7790cc5e6105b9a35a6fb79618ccef6e035e96b5839db34ea0a15c7a1d4e56c7

SHA512
ada32570d3395c9b09b9459691c3ca1525ba0f0d2dd7353366183dce45d2310536e2ed225dca6ed23958e3789e950e08312580db8617d1c2cf9a40cf58094541

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh65FF.tmp\ui\res\Defraggler_Logo_72px.png

Filesize
10KB

MD5
6ff9fcee38d74372a5851b2e725c8912

SHA1
6f98a09548a51ba25da6b8b1316e0d010670a6d0

SHA256
41364c1fa2ca18fa9b56fdba5c04cee3af3767aaa6962f90545fca3a40cc8901

SHA512
7950a27670dfa6c66f96fb0055d2f2d1ddd62645f448094cffd669583e98d970e20ddab842f91bdd8975613d7663e8fdeae1e4145741d4404cd4bc7513304957

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh65FF.tmp\ui\res\Montserrat-Regular.otf

Filesize
44KB

MD5
27e50ffd6a14cbc8221c9dbd3b5208dc

SHA1
713c997ce002a4d8762c2dcc405213061233e4bc

SHA256
40fc1142200a5c1c18f80b6915257083c528c7f7fd2b00a552aeebc42898d428

SHA512
0a602f88cfba906b41719943465edb09917c447d746bfed5c9ce9c75d077f6aed2f8146697acd74557359f1ae267ca2a8e3a2ca40fb1633bde8e6114261abd90

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsh65FF.tmp\ui\res\PF_logo.png

Filesize
3KB

MD5
079cca30760cca3c01863b6b96e87848

SHA1
98c2ca01f248bc61817db7e5faea4a3d8310db50

SHA256
8dd37d3721e25c32c5bf878b6dba9e61d04b7ce8aec45bdf703a41bc41802dfa

SHA512
3e25c10e3a5830584c608b9178ab062e93e0e9009a7d897bb5e3561180b0b0910bd4178063d982eb33806a005c93931ae2ec5be520ec0d0c9a7c452cb78fd6a8

Download Submit
\Program Files\Defraggler\Lang\lang-1028.dll

Filesize
31KB

MD5
3ed2d6f9f4a0f1aac6cc2c3d43780831

SHA1
06b06335bae6f00c10ef92a0eb92a64d3d7a6f63

SHA256
c67e7d6cba3f6bbeb9cacf7b78c895faf64de1a384d7ff36d59cb4921768ce0a

SHA512
4e426e494625f50662215a01944350e66ef82d4a5c8d9712f9bde450e5c25d31760a15d51c5ad6ff0b5bcdaa3edf2b36a9bd19836f43fd3ed72990289e869b61

Download Submit
\Program Files\Defraggler\Lang\lang-1031.dll

Filesize
62KB

MD5
633d7aedeb54842e4dbec060f45ab494

SHA1
29de3ac4f88b0daf9f50404b5c65f7b670707fc3

SHA256
73ab243b22ec38e79781d5f9d150b5d8c5a556e878b3ae9d93dbf2e555ee60a4

SHA512
9d553b1971e96d6440a1f68b35e6f72be0356b350e5cea1f4b63ce33ab6bf9a26e9d5a62192c3e97ff73f9f8a429a930238378efb2b2f1259ff4590085e3005e

Download Submit
\Program Files\Defraggler\Lang\lang-1034.dll

Filesize
70KB

MD5
42b6027739665298323a56ef07b52ba5

SHA1
a61238824bc204198a63fbaae0c17f10b3c3360d

SHA256
ef59839b629c91613e0553ac81325eab345fb7d53e3a76af25f1f8d3384d9d78

SHA512
cd62a56830f371a3288788b14f877fcccebd9a6ffafab85b772dc23c8757c7d13b6f2cd955b425eae5fc7802cb76867832cb428b44c57072c7aef8c9df7165f5

Download Submit
\Program Files\Defraggler\Lang\lang-1037.dll

Filesize
51KB

MD5
55239596d2a0c0c74f44a3cf70380db7

SHA1
69d3634d8da46f1c0ec92bc7d504902fdafa309d

SHA256
1788ea78f3d586e73e9d1cd2de8f909e92dae0d0270d8fae570cf6bdfcb5b7ca

SHA512
ec58c3e475d9d8927adbd1b7aead704bbdee6a08344db74142691054f3e9475c17d8922dffbea89ddee355893be5b52224affbed16adaff306dc2ff062b0b1d3

Download Submit
\Program Files\Defraggler\Lang\lang-1038.dll

Filesize
66KB

MD5
fee222c08ecaca8a315f79a5ab1b14b6

SHA1
78dcde840c28655c53994a48ca9f77f9954e2733

SHA256
3e7f752de1622d2aeaeeee6612bb852a91845fb60ca6b727c958833f3a77cb61

SHA512
5f62a0186ce8a2689d2c886374d99fca63205ab8ff96c39ad915353f33f686ece1053b89a79868e33471887efd2b3d1f6d665ec42de0db201b49bdcffcaa880f

Download Submit
\Program Files\Defraggler\Lang\lang-1040.dll

Filesize
64KB

MD5
d57869505e94d6f2a9ad93229dbadd5f

SHA1
65139bec7b8bfcae07342acfecb47e8bd9b625ec

SHA256
1adf9002378e3a0e4959b428fe06da4c52b863030cb23e00cc7edcbca2339c4b

SHA512
5799a337b1d4fc40adcaf67f5bc9e9a324c510f5618a7de98dd9cbdaeb2401ce7df1284e0bb834cdb85cddb9fb10cd0663d55467e286fa74fb93b84374958666

Download Submit
\Users\Admin\AppData\Local\Temp\nsh65FF.tmp\ButtonEvent.dll

Filesize
5KB

MD5
c24568a3b0d7c8d7761e684eb77252b5

SHA1
66db7f147cbc2309d8d78fdce54660041acbc60d

SHA256
e2da6d8b73b5954d58baa89a949aacece0527dfb940ca130ac6d3fd992d0909d

SHA512
5d43e4c838fd7f4c6a4ab6cc6d63e0f81d765d9ca33d9278d082c4f75f9416907df10b003e10edc1b5ef39535f722d8dbfab114775ac67da7f9390dcc2b4b443

Download Submit
\Users\Admin\AppData\Local\Temp\nsh65FF.tmp\System.dll

Filesize
11KB

MD5
41a3c964232edd2d7d5edea53e8245cd

SHA1
76d7e1fbf15cc3da4dd63a063d6ab2f0868a2206

SHA256
8b65fec615c7b371c23f8f7f344b12dc5085e40a556f96db318ed757494d62d5

SHA512
fa16bd9d020602e3065afd5c0638bc37775b40eb18bfa33b4ca5babcc3e6f112ae7d43457a6e9685ddbe6e94b954a1dc43d1da7af9ca7464019a3f110af549c1

Download Submit
\Users\Admin\AppData\Local\Temp\nsh65FF.tmp\UserInfo.dll

Filesize
4KB

MD5
c1f778a6d65178d34bde4206161a98e0

SHA1
29719fffef1ab6fe2df47e5ed258a5e3b3a11cfc

SHA256
9caf7a78f750713180cf64d18967a2b803b5580e636e59279dcaaf18ba0daa87

SHA512
9c3cf25cf43f85a5f9c9ed555f12f3626ef9daeeedd4d366ada58748ead1f6e279fea977c76ae8bae1dc49bfd852e899cb137c4a006c13e9fcebf6e5e2926a4d

Download Submit
\Users\Admin\AppData\Local\Temp\nsh65FF.tmp\g\gcapi_dll.dll

Filesize
348KB

MD5
2973af8515effd0a3bfc7a43b03b3fcc

SHA1
4209cded0caac7c5cb07bcb29f1ee0dc5ac211ee

SHA256
d0e4581210a22135ce5deb47d9df4d636a94b3813e0649aab84822c9f08af2a0

SHA512
b6f9653142ec00b2e0a5045f0f2c7ba5dbbda8ef39edf14c80a24ecab3c41f081eb466994aaf0879ac96b201ba5c02d478275710e4d08b3debc739063d177f7e

Download Submit
\Users\Admin\AppData\Local\Temp\nsh65FF.tmp\nsDialogs.dll

Filesize
9KB

MD5
2aba8f16eca82517460013a3de7cbf67

SHA1
3812192fa7b873f426c4b0d0d822b3c9d51aa164

SHA256
60b85fad2477b8c0138067be3697290b280b9334cf408cb57894e3baae615d0d

SHA512
4e059f70ef420c22d69199557ff3eab9e51fcefc75d220b057f1508f9566cd6251f9e06a8fe3695bf7d913ebabd2519ce52f485f2de9a5e4ab3ebc553b877fb0

Download Submit
\Users\Admin\AppData\Local\Temp\nsh65FF.tmp\ui\pfUI.dll

Filesize
11.5MB

MD5
c0ca03fea89b3c51440a7ae44970f204

SHA1
a4de1132d1ded44b3939a2eee51236bc8004d8dc

SHA256
ebdaaf080f45c960e87328d15f33437fbe710eae69b7d42b4c8a64ecd9143fb3

SHA512
4212c8af0cdc69f7d781f1de61cd50fe62c3bc0e9c9be016c9b641aed02ff8d77f60761352c5043049647bf846829077ce1606b152f2fee1e2839fe81bd71e53

Download Submit
memory/5076-138-0x0000000007BD0000-0x0000000007BD8000-memory.dmp

Filesize
32KB

Download
memory/5076-136-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/5076-133-0x0000000007B70000-0x0000000007B78000-memory.dmp

Filesize
32KB

Download
memory/5076-109-0x00000000062B0000-0x00000000062C0000-memory.dmp

Filesize
64KB

Download
memory/5076-135-0x0000000007BE0000-0x0000000007BE8000-memory.dmp

Filesize
32KB

Download
memory/5076-162-0x00000000079F0000-0x00000000079F8000-memory.dmp

Filesize
32KB

Download
memory/5076-115-0x0000000006410000-0x0000000006420000-memory.dmp

Filesize
64KB

Download
memory/5076-139-0x0000000007910000-0x0000000007918000-memory.dmp

Filesize
32KB

Download
memory/5076-140-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/5076-142-0x0000000007910000-0x0000000007918000-memory.dmp

Filesize
32KB

Download
memory/5076-145-0x0000000007900000-0x0000000007908000-memory.dmp

Filesize
32KB

Download
memory/5076-148-0x00000000078C0000-0x00000000078C1000-memory.dmp

Filesize
4KB

Download
memory/5076-160-0x00000000079B0000-0x00000000079B8000-memory.dmp

Filesize
32KB

Download
memory/5076-170-0x00000000078C0000-0x00000000078C1000-memory.dmp

Filesize
4KB

Download
memory/5076-166-0x0000000007900000-0x0000000007901000-memory.dmp

Filesize
4KB

Download
memory/5076-163-0x00000000079F0000-0x00000000079F8000-memory.dmp

Filesize
32KB

Download