gcleaner | c5308205d4d84ddc2a96194fcc509522ada976c3f5ee60e4208008ede1935359

Analysis

max time kernel
148s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20250410-en
resource tags

arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2025, 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32f7fa32fafc74bb0b26089e37a7fde1.exe
Size

8.0MB
MD5

32f7fa32fafc74bb0b26089e37a7fde1
SHA1

f608bb9d9ba24bc86db2436e612bb84f31be2e97
SHA256

c5308205d4d84ddc2a96194fcc509522ada976c3f5ee60e4208008ede1935359
SHA512

1f31bdced9547fe0a29357b182a9a74e951ecefa17122d978e78cde6b1ea5b1cdf58f902508869f5590955cd23501e92aa0aac216226afed08c33655e02302d7
SSDEEP

98304:IT5sez3ygCjCjSmJNb/KyVdBAJ1Jbho2a6FmI3oqmG:IyeDycSmJNb//rMJbI6P3e

Score

10^/10

gcleaner discovery execution loader

Malware Config

Extracted

Family

gcleaner

185.156.73.98

45.91.200.135

Signatures

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Gcleaner family
gcleaner

Downloads MZ/PE file 1 IoCs

flow	pid	Process
20	816	svchost015.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2362875047-775336530-2205312478-1000\Control Panel\International\Geo\Nation	fYRuwrL8cpxfy.tmp

Executes dropped EXE 5 IoCs

pid	Process
816	svchost015.exe
1440	fYRuwrL8cpxfy.exe
5156	fYRuwrL8cpxfy.tmp
4660	fYRuwrL8cpxfy.exe
4708	fYRuwrL8cpxfy.tmp

Loads dropped DLL 3 IoCs

pid	Process
4968	regsvr32.exe
5704	regsvr32.exe
4400	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to execute payload.

execution

PowerShell

T1059.001

pid	Process
1612	powershell.exe
2332	powershell.exe
2372	powershell.exe
4124	powershell.exe
388	PowerShell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4288 set thread context of 816	4288	32f7fa32fafc74bb0b26089e37a7fde1.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	32f7fa32fafc74bb0b26089e37a7fde1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost015.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fYRuwrL8cpxfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fYRuwrL8cpxfy.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fYRuwrL8cpxfy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fYRuwrL8cpxfy.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PowerShell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4708	fYRuwrL8cpxfy.tmp
4708	fYRuwrL8cpxfy.tmp
4968	regsvr32.exe
4968	regsvr32.exe
1612	powershell.exe
1612	powershell.exe
388	PowerShell.exe
388	PowerShell.exe
4968	regsvr32.exe
4968	regsvr32.exe
2332	powershell.exe
2332	powershell.exe
5704	regsvr32.exe
5704	regsvr32.exe
2372	powershell.exe
2372	powershell.exe
5704	regsvr32.exe
5704	regsvr32.exe
4400	regsvr32.exe
4400	regsvr32.exe
4124	powershell.exe
4124	powershell.exe
4400	regsvr32.exe
4400	regsvr32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeIncreaseQuotaPrivilege	1612	powershell.exe
Token: SeSecurityPrivilege	1612	powershell.exe
Token: SeTakeOwnershipPrivilege	1612	powershell.exe
Token: SeLoadDriverPrivilege	1612	powershell.exe
Token: SeSystemProfilePrivilege	1612	powershell.exe
Token: SeSystemtimePrivilege	1612	powershell.exe
Token: SeProfSingleProcessPrivilege	1612	powershell.exe
Token: SeIncBasePriorityPrivilege	1612	powershell.exe
Token: SeCreatePagefilePrivilege	1612	powershell.exe
Token: SeBackupPrivilege	1612	powershell.exe
Token: SeRestorePrivilege	1612	powershell.exe
Token: SeShutdownPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeSystemEnvironmentPrivilege	1612	powershell.exe
Token: SeRemoteShutdownPrivilege	1612	powershell.exe
Token: SeUndockPrivilege	1612	powershell.exe
Token: SeManageVolumePrivilege	1612	powershell.exe
Token: 33	1612	powershell.exe
Token: 34	1612	powershell.exe
Token: 35	1612	powershell.exe
Token: 36	1612	powershell.exe
Token: SeDebugPrivilege	388	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	388	PowerShell.exe
Token: SeSecurityPrivilege	388	PowerShell.exe
Token: SeTakeOwnershipPrivilege	388	PowerShell.exe
Token: SeLoadDriverPrivilege	388	PowerShell.exe
Token: SeSystemProfilePrivilege	388	PowerShell.exe
Token: SeSystemtimePrivilege	388	PowerShell.exe
Token: SeProfSingleProcessPrivilege	388	PowerShell.exe
Token: SeIncBasePriorityPrivilege	388	PowerShell.exe
Token: SeCreatePagefilePrivilege	388	PowerShell.exe
Token: SeBackupPrivilege	388	PowerShell.exe
Token: SeRestorePrivilege	388	PowerShell.exe
Token: SeShutdownPrivilege	388	PowerShell.exe
Token: SeDebugPrivilege	388	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	388	PowerShell.exe
Token: SeRemoteShutdownPrivilege	388	PowerShell.exe
Token: SeUndockPrivilege	388	PowerShell.exe
Token: SeManageVolumePrivilege	388	PowerShell.exe
Token: 33	388	PowerShell.exe
Token: 34	388	PowerShell.exe
Token: 35	388	PowerShell.exe
Token: 36	388	PowerShell.exe
Token: SeIncreaseQuotaPrivilege	388	PowerShell.exe
Token: SeSecurityPrivilege	388	PowerShell.exe
Token: SeTakeOwnershipPrivilege	388	PowerShell.exe
Token: SeLoadDriverPrivilege	388	PowerShell.exe
Token: SeSystemProfilePrivilege	388	PowerShell.exe
Token: SeSystemtimePrivilege	388	PowerShell.exe
Token: SeProfSingleProcessPrivilege	388	PowerShell.exe
Token: SeIncBasePriorityPrivilege	388	PowerShell.exe
Token: SeCreatePagefilePrivilege	388	PowerShell.exe
Token: SeBackupPrivilege	388	PowerShell.exe
Token: SeRestorePrivilege	388	PowerShell.exe
Token: SeShutdownPrivilege	388	PowerShell.exe
Token: SeDebugPrivilege	388	PowerShell.exe
Token: SeSystemEnvironmentPrivilege	388	PowerShell.exe
Token: SeRemoteShutdownPrivilege	388	PowerShell.exe
Token: SeUndockPrivilege	388	PowerShell.exe
Token: SeManageVolumePrivilege	388	PowerShell.exe
Token: 33	388	PowerShell.exe
Token: 34	388	PowerShell.exe
Token: 35	388	PowerShell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4708	fYRuwrL8cpxfy.tmp

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 4288 wrote to memory of 816	4288	32f7fa32fafc74bb0b26089e37a7fde1.exe	88
PID 4288 wrote to memory of 816	4288	32f7fa32fafc74bb0b26089e37a7fde1.exe	88
PID 4288 wrote to memory of 816	4288	32f7fa32fafc74bb0b26089e37a7fde1.exe	88
PID 4288 wrote to memory of 816	4288	32f7fa32fafc74bb0b26089e37a7fde1.exe	88
PID 4288 wrote to memory of 816	4288	32f7fa32fafc74bb0b26089e37a7fde1.exe	88
PID 4288 wrote to memory of 816	4288	32f7fa32fafc74bb0b26089e37a7fde1.exe	88
PID 4288 wrote to memory of 816	4288	32f7fa32fafc74bb0b26089e37a7fde1.exe	88
PID 4288 wrote to memory of 816	4288	32f7fa32fafc74bb0b26089e37a7fde1.exe	88
PID 4288 wrote to memory of 816	4288	32f7fa32fafc74bb0b26089e37a7fde1.exe	88
PID 816 wrote to memory of 1440	816	svchost015.exe	89
PID 816 wrote to memory of 1440	816	svchost015.exe	89
PID 816 wrote to memory of 1440	816	svchost015.exe	89
PID 1440 wrote to memory of 5156	1440	fYRuwrL8cpxfy.exe	90
PID 1440 wrote to memory of 5156	1440	fYRuwrL8cpxfy.exe	90
PID 1440 wrote to memory of 5156	1440	fYRuwrL8cpxfy.exe	90
PID 5156 wrote to memory of 4660	5156	fYRuwrL8cpxfy.tmp	91
PID 5156 wrote to memory of 4660	5156	fYRuwrL8cpxfy.tmp	91
PID 5156 wrote to memory of 4660	5156	fYRuwrL8cpxfy.tmp	91
PID 4660 wrote to memory of 4708	4660	fYRuwrL8cpxfy.exe	92
PID 4660 wrote to memory of 4708	4660	fYRuwrL8cpxfy.exe	92
PID 4660 wrote to memory of 4708	4660	fYRuwrL8cpxfy.exe	92
PID 4708 wrote to memory of 4968	4708	fYRuwrL8cpxfy.tmp	93
PID 4708 wrote to memory of 4968	4708	fYRuwrL8cpxfy.tmp	93
PID 4708 wrote to memory of 4968	4708	fYRuwrL8cpxfy.tmp	93
PID 4968 wrote to memory of 1612	4968	regsvr32.exe	94
PID 4968 wrote to memory of 1612	4968	regsvr32.exe	94
PID 4968 wrote to memory of 1612	4968	regsvr32.exe	94
PID 4968 wrote to memory of 388	4968	regsvr32.exe	97
PID 4968 wrote to memory of 388	4968	regsvr32.exe	97
PID 4968 wrote to memory of 388	4968	regsvr32.exe	97
PID 4968 wrote to memory of 2332	4968	regsvr32.exe	99
PID 4968 wrote to memory of 2332	4968	regsvr32.exe	99
PID 4968 wrote to memory of 2332	4968	regsvr32.exe	99
PID 4636 wrote to memory of 5704	4636	regsvr32.EXE	104
PID 4636 wrote to memory of 5704	4636	regsvr32.EXE	104
PID 4636 wrote to memory of 5704	4636	regsvr32.EXE	104
PID 5704 wrote to memory of 2372	5704	regsvr32.exe	105
PID 5704 wrote to memory of 2372	5704	regsvr32.exe	105
PID 5704 wrote to memory of 2372	5704	regsvr32.exe	105
PID 2692 wrote to memory of 4400	2692	regsvr32.EXE	108
PID 2692 wrote to memory of 4400	2692	regsvr32.EXE	108
PID 2692 wrote to memory of 4400	2692	regsvr32.EXE	108
PID 4400 wrote to memory of 4124	4400	regsvr32.exe	109
PID 4400 wrote to memory of 4124	4400	regsvr32.exe	109
PID 4400 wrote to memory of 4124	4400	regsvr32.exe	109

C:\Users\Admin\AppData\Local\Temp\32f7fa32fafc74bb0b26089e37a7fde1.exe
"C:\Users\Admin\AppData\Local\Temp\32f7fa32fafc74bb0b26089e37a7fde1.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4288
- C:\Users\Admin\AppData\Local\Temp\svchost015.exe
  "C:\Users\Admin\AppData\Local\Temp\32f7fa32fafc74bb0b26089e37a7fde1.exe"
  2⤵
  - Downloads MZ/PE file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Users\Admin\AppData\Roaming\4ps3muNCf7\fYRuwrL8cpxfy.exe
    "C:\Users\Admin\AppData\Roaming\4ps3muNCf7\fYRuwrL8cpxfy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1440
  - - C:\Users\Admin\AppData\Local\Temp\is-K6QQT.tmp\fYRuwrL8cpxfy.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-K6QQT.tmp\fYRuwrL8cpxfy.tmp" /SL5="$701F4,2140910,174080,C:\Users\Admin\AppData\Roaming\4ps3muNCf7\fYRuwrL8cpxfy.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:5156
    - - C:\Users\Admin\AppData\Roaming\4ps3muNCf7\fYRuwrL8cpxfy.exe
        
        "C:\Users\Admin\AppData\Roaming\4ps3muNCf7\fYRuwrL8cpxfy.exe" /VERYSILENT
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4660
      - C:\Users\Admin\AppData\Local\Temp\is-Q66S1.tmp\fYRuwrL8cpxfy.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-Q66S1.tmp\fYRuwrL8cpxfy.tmp" /SL5="$40034,2140910,174080,C:\Users\Admin\AppData\Roaming\4ps3muNCf7\fYRuwrL8cpxfy.exe" /VERYSILENT
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\SysWOW64\regsvr32.exe
        
        "regsvr32.exe" /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\\user32_8.drv"
        7⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\PowerShell.exe
        
        "PowerShell.exe" -NoProfile -NonInteractive -Command -
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }"
        8⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        
        PID:2332

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\user32_8.drv"
1⤵
- Suspicious use of WriteProcessMemory
PID:4636
- C:\Windows\SysWOW64\regsvr32.exe
  /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\user32_8.drv"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5704
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2372

C:\Windows\system32\regsvr32.EXE
C:\Windows\system32\regsvr32.EXE /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\user32_8.drv"
1⤵
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Windows\SysWOW64\regsvr32.exe
  /s /i:INSTALL "C:\Users\Admin\AppData\Roaming\user32_8.drv"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4400
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell" -Command "if (Get-ScheduledTask | Where-Object { $_.Actions.Execute -eq 'regsvr32' -and $_.Actions.Arguments -eq '/s /i:INSTALL \"%APPDATA%\user32_8.drv\"' }) { exit 0 } else { exit 1 }"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4124

Network

MITRE ATT&CK Enterprise v16

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PowerShell.exe.log

Filesize
2KB

MD5
9751fcb3d8dc82d33d50eebe53abe314

SHA1
7a680212700a5d9f3ca67c81e0e243834387c20c

SHA256
ad2e3139aa438f799c4a876ca3e64af772b8a5786149925a08389723e42394d7

SHA512
54907cc18684ff892b737496183ca60c788d8f5d76365586954f269dbd50ac1b9cd48c7c50bd6ca02009e6020fd77a8282c9a7ad6b824a20585c505bd7e13709

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
b1ef4755301718c82cf59e01e1f15bd4

SHA1
9627c8f3d84ddfc892d79790bbfcd455963f3db1

SHA256
698897f9a9cc40f0f660909cec5f978a35748166467666dbc5e619f749db090d

SHA512
d22a1a86e9c8dd96741254bd3e91ba2acca79b4481827638d950530e441e9f980bad31bb0207116cd7e5dc79d96fd9528de6493ed0e87c09095435c55cdc6c7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
21KB

MD5
79b1a2c6e3f82e45fe7fdaf27ee64fc8

SHA1
93cd1527d4ccfb5063c62f5e78bdf4cbd5d8e223

SHA256
9f8afc39bcb234e66ce56f49d4216d9485b93ee0d8c580ed98071c1c329ab493

SHA512
8da43f26cb521ad371a1dc85d7c4b4b5ec9e3e69d50c4d49933e1f3732a9b7f81e2daf05a01661ec90b6238d2a99da8064a6daf866c0edf42d58208ba4206a42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
21083bd2afb550d66e3e3a201a46f8c4

SHA1
3e0631da7f2a374eea6df5179d9888ac3a8f357e

SHA256
189d1656ee455d0bf842284ffc1244d2ecd3ea709605ee4d87766af6d0327ce7

SHA512
a1f26bd91890c3f39f981f623b7b97f16ca8b5e4456043e723684fec6168cfaf164b82b050a739119bbab2a37477b617f2c2a16bb9a9dca5d6c59416c65ecf2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
20KB

MD5
5942956dad32e861afcaf8e3db3f8b2d

SHA1
75a6caf19d6aac72d0d88f986739f5c2028bad65

SHA256
694cd92da2c2a924c38f3f0a14b8d82ca8fc4426a36103484e0613095472fca0

SHA512
d92932f5975975b03c00ecdc857f1ff69d8c3f57d82a1e259d6363069f05101bba56326b4be79ea5ccdf593f54d0ef1f17e72cd6efd30a6e9397719972840b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ckrpn3ji.oak.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-K6QQT.tmp\fYRuwrL8cpxfy.tmp

Filesize
1.1MB

MD5
1066651f2fdef4fb17c5a6d7f3976c0a

SHA1
60e82ff17038bc54ee67536efceecbeb328614ee

SHA256
2c1332fccdeb28998b94b7e72d493637d4ab06fafcbe6a9d5c9af90c4b1fc3b5

SHA512
3bfa992c1da646ae41c3226e6c6043b6f87c36ebb629cc4ebc4f2c195822eb60cd8c45f20937df7582f45beefce0a53a5797a51575ea4a1800ed15cdd8915721

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-QH3A3.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost015.exe

Filesize
2.9MB

MD5
b826dd92d78ea2526e465a34324ebeea

SHA1
bf8a0093acfd2eb93c102e1a5745fb080575372e

SHA256
7824b50acdd144764dac7445a4067b35cf0fef619e451045ab6c1f54f5653a5b

SHA512
1ac4b731b9b31cabf3b1c43aee37206aee5326c8e786abe2ab38e031633b778f97f2d6545cf745c3066f3bd47b7aaf2ded2f9955475428100eaf271dd9aeef17

Download Submit
C:\Users\Admin\AppData\Roaming\4ps3muNCf7\fYRuwrL8cpxfy.exe

Filesize
2.4MB

MD5
ff6cabe0a00fc853f2d889075700d537

SHA1
3dc43069497a5a219703e9547a6d5663ab66ce58

SHA256
a540d143d272bd54084c9356b7c3474c0341f1abf997fd3829cd2741abebdb0e

SHA512
b1c6ea8ef725c91ddd9a860356a380a6c504a7bb12c788633ffcef4000fe52b68a96cb77979159ea7a2fcf9d1d306b3bee1393b7d52faf0f7532c56291d40057

Download Submit
C:\Users\Admin\AppData\Roaming\user32_8.drv

Filesize
8.3MB

MD5
5c59416158608163aa4270619dbc34b2

SHA1
5e4eef8dd436171651060c31b6cf32bae86e239c

SHA256
ebe3c618a48f86778313f1a1c805828e75a8ebfa4757dfd22e1fdf9238ddc4df

SHA512
1adb563eab7b1e7dcef577d9765427c20525f3394b20aeb7173ae2bdf08813063d1fea5d1da904850fc5b98d43b7fc019d3cb556ae2ed5f9bf953deb027e578a

Download Submit
memory/388-126-0x0000000006FC0000-0x0000000007063000-memory.dmp

Filesize
652KB

Download
memory/388-116-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download
memory/388-115-0x00000000062E0000-0x000000000632C000-memory.dmp

Filesize
304KB

Download
memory/388-113-0x0000000005890000-0x0000000005BE4000-memory.dmp

Filesize
3.3MB

Download
memory/388-127-0x0000000007310000-0x0000000007321000-memory.dmp

Filesize
68KB

Download
memory/816-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/816-15-0x0000000010000000-0x000000001001C000-memory.dmp

Filesize
112KB

Download
memory/816-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/816-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/816-79-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/816-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/816-97-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/816-4-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1440-42-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1440-25-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1440-23-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1612-78-0x0000000005A80000-0x0000000005ACC000-memory.dmp

Filesize
304KB

Download
memory/1612-61-0x0000000002420000-0x0000000002456000-memory.dmp

Filesize
216KB

Download
memory/1612-77-0x00000000059F0000-0x0000000005A0E000-memory.dmp

Filesize
120KB

Download
memory/1612-76-0x00000000053F0000-0x0000000005744000-memory.dmp

Filesize
3.3MB

Download
memory/1612-80-0x0000000005FC0000-0x0000000005FF2000-memory.dmp

Filesize
200KB

Download
memory/1612-81-0x00000000738C0000-0x000000007390C000-memory.dmp

Filesize
304KB

Download
memory/1612-91-0x0000000006000000-0x000000000601E000-memory.dmp

Filesize
120KB

Download
memory/1612-92-0x0000000006BE0000-0x0000000006C83000-memory.dmp

Filesize
652KB

Download
memory/1612-93-0x0000000007370000-0x00000000079EA000-memory.dmp

Filesize
6.5MB

Download
memory/1612-94-0x0000000006D30000-0x0000000006D4A000-memory.dmp

Filesize
104KB

Download
memory/1612-66-0x0000000005380000-0x00000000053E6000-memory.dmp

Filesize
408KB

Download
memory/1612-98-0x0000000006D80000-0x0000000006D8A000-memory.dmp

Filesize
40KB

Download
memory/1612-99-0x0000000006FB0000-0x0000000007046000-memory.dmp

Filesize
600KB

Download
memory/1612-100-0x0000000006F30000-0x0000000006F41000-memory.dmp

Filesize
68KB

Download
memory/1612-65-0x0000000004CC0000-0x0000000004D26000-memory.dmp

Filesize
408KB

Download
memory/1612-64-0x0000000004A20000-0x0000000004A42000-memory.dmp

Filesize
136KB

Download
memory/1612-63-0x0000000004D50000-0x0000000005378000-memory.dmp

Filesize
6.2MB

Download
memory/2332-140-0x0000000074E90000-0x0000000074EDC000-memory.dmp

Filesize
304KB

Download
memory/2372-180-0x0000000007040000-0x00000000070E3000-memory.dmp

Filesize
652KB

Download
memory/2372-170-0x0000000073AA0000-0x0000000073AEC000-memory.dmp

Filesize
304KB

Download
memory/2372-167-0x00000000058B0000-0x0000000005C04000-memory.dmp

Filesize
3.3MB

Download
memory/2372-169-0x0000000005E00000-0x0000000005E4C000-memory.dmp

Filesize
304KB

Download
memory/2372-181-0x0000000007300000-0x0000000007311000-memory.dmp

Filesize
68KB

Download
memory/4124-201-0x0000000073AA0000-0x0000000073AEC000-memory.dmp

Filesize
304KB

Download
memory/4288-3-0x0000000004FA0000-0x000000000573D000-memory.dmp

Filesize
7.6MB

Download
memory/4288-8-0x0000000000400000-0x0000000000C0E000-memory.dmp

Filesize
8.1MB

Download
memory/4288-0-0x0000000002A90000-0x0000000002A91000-memory.dmp

Filesize
4KB

Download
memory/4400-212-0x0000000073B20000-0x00000000742D9000-memory.dmp

Filesize
7.7MB

Download
memory/4660-37-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4660-60-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4708-57-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/4968-151-0x0000000073B20000-0x00000000742D9000-memory.dmp

Filesize
7.7MB

Download
memory/4968-152-0x0000000073B20000-0x00000000742D9000-memory.dmp

Filesize
7.7MB

Download
memory/5156-39-0x0000000000400000-0x0000000000530000-memory.dmp

Filesize
1.2MB

Download
memory/5704-183-0x0000000073B20000-0x00000000742D9000-memory.dmp

Filesize
7.7MB

Download