Malware Analysis Report

2024-12-08 00:43

Sample ID 240123-pcxwpaafg7
Target file_v9.zip
SHA256 00bf1371b9708243ecf2c205ea970197c2d54ad95a6dc7672bd23133c5d158a4
Tags
themida amadey djvu redline smokeloader stealc zgrat logsdiller cloud (telegram: @logsdillabot) pub3 backdoor discovery evasion infostealer persistence ransomware rat spyware stealer trojan risepro
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

00bf1371b9708243ecf2c205ea970197c2d54ad95a6dc7672bd23133c5d158a4

Threat Level: Known bad

The file file_v9.zip was found to be: Known bad.

Malicious Activity Summary

themida amadey djvu redline smokeloader stealc zgrat logsdiller cloud (telegram: @logsdillabot) pub3 backdoor discovery evasion infostealer persistence ransomware rat spyware stealer trojan risepro

Amadey

RedLine payload

SmokeLoader

RisePro

Djvu Ransomware

Detected Djvu ransomware

Stealc

Detect ZGRat V1

ZGRat

RedLine

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies Windows Firewall

Stops running service(s)

Creates new service(s)

Downloads MZ/PE file

Themida packer

Modifies file permissions

Reads user/profile data of web browsers

Unexpected DNS network traffic destination

Checks BIOS information in registry

Checks computer location settings

Looks up external IP address via web service

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Program crash

Unsigned PE

Modifies system certificate store

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-23 12:13

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-23 12:11

Reported

2024-01-23 12:18

Platform

win10v2004-20231215-en

Max time kernel

154s

Max time network

177s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\1.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1808 wrote to memory of 1876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1808 wrote to memory of 1876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1808 wrote to memory of 1876 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\1.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\1.dll,#1

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 212.166.122.92.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-01-23 12:11

Reported

2024-01-23 12:18

Platform

win10v2004-20231215-en

Max time kernel

122s

Max time network

162s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\123.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\123.dll,#1

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-01-23 12:11

Reported

2024-01-23 12:18

Platform

win7-20231215-en

Max time kernel

121s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\ResIL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\ResIL.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-01-23 12:11

Reported

2024-01-23 12:18

Platform

win10v2004-20231222-en

Max time kernel

143s

Max time network

146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\lgc_api.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\lgc_api.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 6.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 167.166.122.92.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-01-23 12:11

Reported

2024-01-23 12:18

Platform

win7-20231215-en

Max time kernel

118s

Max time network

129s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\123.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\123.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-01-23 12:11

Reported

2024-01-23 12:18

Platform

win10v2004-20231222-en

Max time kernel

18s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\netsh.exe N/A
N/A N/A C:\Windows\System32\netsh.exe N/A
N/A N/A C:\Windows\System32\netsh.exe N/A
N/A N/A C:\Windows\System32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 141.98.234.31 N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000115001\toolspub1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Documents\GuardFox\46_sXXY7I21SlDL7QjacEu88.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Documents\GuardFox\OeqTok3crnjqes83Oeiqup5y.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\nsaF8BA.tmp
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\E271.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SYSTEM32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Users\Admin\Documents\GuardFox\raHvPX_M18PnQ4JVL8Ke7B9I.exe

"C:\Users\Admin\Documents\GuardFox\raHvPX_M18PnQ4JVL8Ke7B9I.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 772 -ip 772

C:\Users\Admin\AppData\Local\Temp\is-JOONE.tmp\LisIvn9B0eWX39XfGBxbdtul.tmp

"C:\Users\Admin\AppData\Local\Temp\is-JOONE.tmp\LisIvn9B0eWX39XfGBxbdtul.tmp" /SL5="$60222,4079855,54272,C:\Users\Admin\Documents\GuardFox\LisIvn9B0eWX39XfGBxbdtul.exe"

C:\Users\Admin\Documents\GuardFox\MHSgYdsltabeUcSs5kmRsv0T.exe

"C:\Users\Admin\Documents\GuardFox\MHSgYdsltabeUcSs5kmRsv0T.exe"

C:\Users\Admin\Documents\GuardFox\LIFxed9heHkZ445Vw5ffhUOd.exe

"C:\Users\Admin\Documents\GuardFox\LIFxed9heHkZ445Vw5ffhUOd.exe"

C:\Users\Admin\Documents\GuardFox\B9ZfLXHjLJO8ElGDIFov6Qgl.exe

"C:\Users\Admin\Documents\GuardFox\B9ZfLXHjLJO8ElGDIFov6Qgl.exe"

C:\Users\Admin\Documents\GuardFox\46_sXXY7I21SlDL7QjacEu88.exe

"C:\Users\Admin\Documents\GuardFox\46_sXXY7I21SlDL7QjacEu88.exe"

C:\Users\Admin\Documents\GuardFox\0JDbJzWFF1BzKfWUVTIKTIwM.exe

"C:\Users\Admin\Documents\GuardFox\0JDbJzWFF1BzKfWUVTIKTIwM.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 340

C:\Users\Admin\Documents\GuardFox\nPvDO4HoS_AqQU2l3rVMl0pH.exe

"C:\Users\Admin\Documents\GuardFox\nPvDO4HoS_AqQU2l3rVMl0pH.exe"

C:\Users\Admin\Documents\GuardFox\tzQDaFN9XwE9nJsYRLnotvlR.exe

"C:\Users\Admin\Documents\GuardFox\tzQDaFN9XwE9nJsYRLnotvlR.exe"

C:\Users\Admin\Documents\GuardFox\ckcSON1nq9KzLkUObHcFavDh.exe

"C:\Users\Admin\Documents\GuardFox\ckcSON1nq9KzLkUObHcFavDh.exe"

C:\Users\Admin\Documents\GuardFox\KK0Vvbx4i9pQ519SIuE5Ax9M.exe

"C:\Users\Admin\Documents\GuardFox\KK0Vvbx4i9pQ519SIuE5Ax9M.exe"

C:\Users\Admin\Documents\GuardFox\46_sXXY7I21SlDL7QjacEu88.exe

"C:\Users\Admin\Documents\GuardFox\46_sXXY7I21SlDL7QjacEu88.exe"

C:\Users\Admin\Documents\GuardFox\vUZBOtp6mXHWVIfMH4c0FtLr.exe

"C:\Users\Admin\Documents\GuardFox\vUZBOtp6mXHWVIfMH4c0FtLr.exe"

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

"C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe" -s

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\Y8wSG2.CPL",

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5016 -ip 5016

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 520

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\55680516-f187-40aa-8738-24923637814b" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\Documents\GuardFox\jxXiOgogI8vV1byOdAIl_gx5.exe

"C:\Users\Admin\Documents\GuardFox\jxXiOgogI8vV1byOdAIl_gx5.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN jxXiOgogI8vV1byOdAIl_gx5.exe /TR "C:\Users\Admin\Documents\GuardFox\jxXiOgogI8vV1byOdAIl_gx5.exe" /F

C:\Users\Admin\Documents\GuardFox\qemu-ga.exe

"C:\Users\Admin\Documents\GuardFox\qemu-ga.exe"

C:\Windows\System32\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\Y8wSG2.CPL",

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\

C:\Windows\System32\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

"C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe" -i

C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe

"C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe"

C:\Users\Admin\Documents\GuardFox\R08uTl2rhKjiEbQkYXCuC1Dj.exe

"C:\Users\Admin\Documents\GuardFox\R08uTl2rhKjiEbQkYXCuC1Dj.exe"

C:\Users\Admin\Documents\GuardFox\XR0YIbtqmyEEIPi760UciSol.exe

"C:\Users\Admin\Documents\GuardFox\XR0YIbtqmyEEIPi760UciSol.exe"

C:\Users\Admin\Documents\GuardFox\4trEFsYYFs6Jme3QwUfvUobC.exe

"C:\Users\Admin\Documents\GuardFox\4trEFsYYFs6Jme3QwUfvUobC.exe"

C:\Users\Admin\Documents\GuardFox\OeqTok3crnjqes83Oeiqup5y.exe

"C:\Users\Admin\Documents\GuardFox\OeqTok3crnjqes83Oeiqup5y.exe"

C:\Users\Admin\Documents\GuardFox\LisIvn9B0eWX39XfGBxbdtul.exe

"C:\Users\Admin\Documents\GuardFox\LisIvn9B0eWX39XfGBxbdtul.exe"

C:\Users\Admin\Documents\GuardFox\Am8DGNpJ8zKJ3vxaxMrNPrK2.exe

"C:\Users\Admin\Documents\GuardFox\Am8DGNpJ8zKJ3vxaxMrNPrK2.exe"

C:\Users\Admin\Documents\GuardFox\QCBuhoR0_O5gO9EbQFahIqBy.exe

"C:\Users\Admin\Documents\GuardFox\QCBuhoR0_O5gO9EbQFahIqBy.exe"

C:\Users\Admin\Documents\GuardFox\3860sw0VMSmL9vdt9w4gL0z7.exe

"C:\Users\Admin\Documents\GuardFox\3860sw0VMSmL9vdt9w4gL0z7.exe"

C:\Users\Admin\Documents\GuardFox\qV9mEjhKIBcQ7TuES_j_hidT.exe

"C:\Users\Admin\Documents\GuardFox\qV9mEjhKIBcQ7TuES_j_hidT.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5300 -ip 5300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 372

C:\Users\Admin\AppData\Local\Temp\1000114001\InstallSetup8.exe

"C:\Users\Admin\AppData\Local\Temp\1000114001\InstallSetup8.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5300 -ip 5300

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 376

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5300 -ip 5300

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff85d979758,0x7ff85d979768,0x7ff85d979778

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 392

C:\Users\Admin\AppData\Local\Temp\1000115001\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\1000115001\toolspub1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4704 -ip 4704

C:\Windows\System\dc.exe

"C:\Windows\System\dc.exe" /D

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4704 -s 236

C:\Users\Admin\AppData\Local\Temp\nsaF8BA.tmp

C:\Users\Admin\AppData\Local\Temp\nsaF8BA.tmp

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5300 -ip 5300

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5300 -ip 5300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 692

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5300 -ip 5300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 692

C:\Users\Admin\AppData\Local\Temp\1000117001\rty27.exe

"C:\Users\Admin\AppData\Local\Temp\1000117001\rty27.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=1872,i,3357587987629725365,1777621007141337373,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2012 --field-trial-handle=1872,i,3357587987629725365,1777621007141337373,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 --field-trial-handle=1872,i,3357587987629725365,1777621007141337373,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3076 --field-trial-handle=1872,i,3357587987629725365,1777621007141337373,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3068 --field-trial-handle=1872,i,3357587987629725365,1777621007141337373,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5300 -ip 5300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 5300 -ip 5300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 740

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Users\Admin\AppData\Local\Temp\1000119001\FirstZ.exe

"C:\Users\Admin\AppData\Local\Temp\1000119001\FirstZ.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4828 --field-trial-handle=1872,i,3357587987629725365,1777621007141337373,131072 /prefetch:8

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 5300 -ip 5300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5300 -ip 5300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 624

C:\Windows\SYSTEM32\schtasks.exe

schtasks /delete /TN "Timer"

C:\Windows\SYSTEM32\schtasks.exe

schtasks /create /sc minute /ED "11/02/2024" /mo 7 /tn "Timer" /tr c:\windows\system\svchost.exe /ru SYSTEM

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5300 -ip 5300

C:\Windows\System\svchost.exe

"C:\Windows\System\svchost.exe" formal

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Users\Admin\Documents\GuardFox\46_sXXY7I21SlDL7QjacEu88.exe

"C:\Users\Admin\Documents\GuardFox\46_sXXY7I21SlDL7QjacEu88.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\Documents\GuardFox\46_sXXY7I21SlDL7QjacEu88.exe

"C:\Users\Admin\Documents\GuardFox\46_sXXY7I21SlDL7QjacEu88.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5300 -ip 5300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 2904 -ip 2904

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 804

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2904 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5300 -ip 5300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 892

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Documents\GuardFox\OeqTok3crnjqes83Oeiqup5y.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 2164 -ip 2164

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2164 -s 2372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5300 -ip 5300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 876

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5300 -ip 5300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5300 -ip 5300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 924

C:\Windows\System32\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=in action=allow program="C:\Windows\System\svchost.exe" enable=yes

C:\Windows\System32\netsh.exe

"C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="SvcHostX" dir=out action=allow program="C:\Windows\System\svchost.exe" enable=yes

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath c:\windows\

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath \\?\C:\Windows \

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5300 -ip 5300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 5300 -ip 5300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 936

C:\Windows\System\dc.exe

"C:\Windows\System\dc.exe" /D

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 5300 -ip 5300

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5300 -s 956

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Documents\GuardFox\jxXiOgogI8vV1byOdAIl_gx5.exe

C:\Users\Admin\Documents\GuardFox\jxXiOgogI8vV1byOdAIl_gx5.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\Y8wSG2.CPL",

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\Y8wSG2.CPL",

C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe

"C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4856 -ip 4856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4856 -ip 4856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4856 -ip 4856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4856 -ip 4856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4856 -ip 4856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 4856 -ip 4856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4856 -ip 4856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 4856 -ip 4856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 4856 -ip 4856

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4856 -s 656

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 1324 -ip 1324

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsaF8BA.tmp" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1324 -s 2388

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Users\Admin\AppData\Local\Temp\A718.exe

C:\Users\Admin\AppData\Local\Temp\A718.exe

C:\Users\Admin\AppData\Local\Temp\AE9B.exe

C:\Users\Admin\AppData\Local\Temp\AE9B.exe

C:\Users\Admin\AppData\Local\Temp\AE9B.exe

C:\Users\Admin\AppData\Local\Temp\AE9B.exe

C:\Users\Admin\AppData\Local\Temp\B708.exe

C:\Users\Admin\AppData\Local\Temp\B708.exe

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Users\Admin\AppData\Local\Temp\BDD0.exe

C:\Users\Admin\AppData\Local\Temp\BDD0.exe

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Users\Admin\AppData\Local\Temp\is-QR2UD.tmp\BDD0.tmp

"C:\Users\Admin\AppData\Local\Temp\is-QR2UD.tmp\BDD0.tmp" /SL5="$A01D6,3501695,54272,C:\Users\Admin\AppData\Local\Temp\BDD0.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\cmd.exe

cmd /k cmd < Dot & exit

C:\Users\Admin\AppData\Local\Temp\D466.exe

C:\Users\Admin\AppData\Local\Temp\D466.exe

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Users\Admin\AppData\Local\Temp\E271.exe

C:\Users\Admin\AppData\Local\Temp\E271.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 2860 -ip 2860

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2860 -s 348

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "WSNKISKT"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\EC55.dll

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\EC55.dll

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"

C:\Users\Admin\AppData\Local\Temp\EFB1.exe

C:\Users\Admin\AppData\Local\Temp\EFB1.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "WSNKISKT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\C9.exe

C:\Users\Admin\AppData\Local\Temp\C9.exe

C:\Users\Admin\Documents\GuardFox\jxXiOgogI8vV1byOdAIl_gx5.exe

C:\Users\Admin\Documents\GuardFox\jxXiOgogI8vV1byOdAIl_gx5.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
DE 77.105.147.130:80 77.105.147.130 tcp
US 8.8.8.8:53 api.myip.com udp
N/A 224.0.0.251:5353 udp
US 104.26.8.59:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 59.8.26.104.in-addr.arpa udp
US 8.8.8.8:53 130.147.105.77.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 vk.com udp
US 8.8.8.8:53 294self-limited.sbs udp
US 8.8.8.8:53 medfioytrkdkcodlskeej.net udp
NL 77.246.104.70:80 77.246.104.70 tcp
RU 193.233.132.117:80 tcp
FI 109.107.182.40:80 109.107.182.40 tcp
US 8.8.8.8:53 cczhk.com udp
US 8.8.8.8:53 joxy.ayazprak.com udp
US 8.8.8.8:53 ji.alie3ksggg.com udp
AT 5.42.64.33:80 5.42.64.33 tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
US 104.21.80.24:80 joxy.ayazprak.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
US 188.114.97.2:80 294self-limited.sbs tcp
US 188.114.97.2:80 294self-limited.sbs tcp
HK 154.92.15.189:80 ji.alie3ksggg.com tcp
RU 93.186.225.194:80 vk.com tcp
US 188.114.97.2:80 294self-limited.sbs tcp
RU 93.186.225.194:80 vk.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
US 188.114.97.2:443 294self-limited.sbs tcp
RU 93.186.225.194:80 vk.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
UZ 195.158.3.162:80 cczhk.com tcp
RU 91.215.85.209:443 medfioytrkdkcodlskeej.net tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
US 8.8.8.8:53 70.104.246.77.in-addr.arpa udp
US 8.8.8.8:53 33.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 40.182.107.109.in-addr.arpa udp
US 8.8.8.8:53 24.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 40.13.222.173.in-addr.arpa udp
US 8.8.8.8:53 189.15.92.154.in-addr.arpa udp
US 8.8.8.8:53 194.225.186.93.in-addr.arpa udp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 162.3.158.195.in-addr.arpa udp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
US 8.8.8.8:53 udp
GB 184.31.225.194:80 x2.c.lencr.org tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
UZ 195.158.3.162:80 cczhk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
US 8.8.8.8:53 sun6-20.userapi.com udp
RU 93.186.225.194:443 vk.com tcp
US 8.8.8.8:53 sun6-21.userapi.com udp
NL 95.142.206.0:443 sun6-20.userapi.com tcp
NL 95.142.206.1:443 sun6-21.userapi.com tcp
US 8.8.8.8:53 226.20.18.104.in-addr.arpa udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 1.206.142.95.in-addr.arpa udp
US 8.8.8.8:53 0.206.142.95.in-addr.arpa udp
RU 93.186.225.194:443 vk.com tcp
US 8.8.8.8:53 sun6-23.userapi.com udp
RU 93.186.225.194:443 vk.com tcp
NL 95.142.206.1:443 sun6-21.userapi.com tcp
NL 95.142.206.3:443 sun6-23.userapi.com tcp
NL 95.142.206.2:443 tcp
NL 95.142.206.3:443 sun6-23.userapi.com tcp
RU 93.186.225.194:443 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
NL 95.142.206.2:443 tcp
RU 93.186.225.194:443 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
US 8.8.8.8:53 i.alie3ksgaa.com udp
HK 154.92.15.189:443 i.alie3ksgaa.com tcp
DE 77.105.147.130:80 77.105.147.130 tcp
RU 193.233.132.117:80 193.233.132.117 tcp
US 8.8.8.8:53 iplis.ru udp
US 172.67.147.32:443 iplis.ru tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.132.113:443 iplogger.org tcp
DE 185.172.128.24:80 185.172.128.24 tcp
US 8.8.8.8:53 32.147.67.172.in-addr.arpa udp
FR 194.33.191.60:44675 tcp
US 8.8.8.8:53 113.132.67.172.in-addr.arpa udp
US 8.8.8.8:53 24.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 60.191.33.194.in-addr.arpa udp
US 172.67.137.14:443 tcp
NL 45.15.156.229:80 tcp
US 8.8.8.8:53 qualifiedbehaviorrykej.site udp
US 8.8.8.8:53 60.156.15.45.in-addr.arpa udp
US 172.67.175.187:443 qualifiedbehaviorrykej.site tcp
DE 185.172.128.19:80 185.172.128.19 tcp
RU 93.186.225.194:80 vk.com tcp
RU 193.233.132.117:80 193.233.132.117 tcp
US 20.12.23.50:443 tcp
US 104.26.8.59:443 api.myip.com tcp
US 34.117.186.192:443 ipinfo.io tcp
RU 93.186.225.194:443 vk.com tcp
DE 77.105.147.130:80 77.105.147.130 tcp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
NL 45.15.156.60:12050 tcp
US 104.26.8.59:443 api.myip.com tcp
US 8.8.8.8:53 api.ip.sb udp
DE 185.172.128.19:80 185.172.128.19 tcp
US 104.26.12.31:443 api.ip.sb tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 shitshitshitshit.net udp
US 188.114.96.2:443 shitshitshitshit.net tcp
US 8.8.8.8:53 31.12.26.104.in-addr.arpa udp
US 8.8.8.8:53 blackvlastelin.com udp
NL 91.92.245.15:80 tcp
US 104.21.16.228:443 blackvlastelin.com tcp
US 20.12.23.50:443 tcp
NL 195.20.16.45:80 tcp
HK 154.92.15.189:80 i.alie3ksgaa.com tcp
US 20.12.23.50:443 tcp
US 8.8.8.8:53 galandskiyher5.com udp
US 8.8.8.8:53 udp
HK 154.92.15.189:80 i.alie3ksgaa.com tcp
US 8.8.8.8:53 10.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
HK 154.92.15.189:443 i.alie3ksgaa.com tcp
AT 5.42.64.33:80 tcp
GB 216.58.213.10:443 tcp
GB 142.250.179.238:443 tcp
GB 142.250.187.195:443 tcp
HK 154.92.15.189:80 i.alie3ksgaa.com tcp
US 188.114.97.0:443 tcp
US 8.8.8.8:53 weedpairfolkloredheryw.site udp
US 188.114.96.0:443 weedpairfolkloredheryw.site tcp
US 8.8.8.8:53 0.97.114.188.in-addr.arpa udp
RU 5.42.65.31:48396 tcp
DE 185.172.128.79:80 185.172.128.79 tcp
RU 193.233.132.117:80 tcp
US 8.8.8.8:53 176.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 79.128.172.185.in-addr.arpa udp
RU 193.233.132.117:80 193.233.132.117 tcp
US 104.21.40.14:443 tcp
US 8.8.8.8:53 expenditureddisumilarwo.site udp
US 188.114.96.0:443 expenditureddisumilarwo.site tcp
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
DE 185.172.128.90:80 tcp
US 8.8.8.8:53 120.85.215.91.in-addr.arpa udp
US 188.114.96.0:443 expenditureddisumilarwo.site tcp
RU 193.233.132.117:80 193.233.132.117 tcp
US 8.8.8.8:53 paperambiguonusphoterew.site udp
US 104.21.83.138:443 paperambiguonusphoterew.site tcp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 138.83.21.104.in-addr.arpa udp
US 8.8.8.8:53 tiny.ayazprak.com udp
US 172.67.173.86:80 tiny.ayazprak.com tcp
FR 62.210.123.24:443 tcp
US 8.8.8.8:53 86.173.67.172.in-addr.arpa udp
US 8.8.8.8:53 24.123.210.62.in-addr.arpa udp
RU 93.186.225.194:80 tcp
RU 93.186.225.194:80 tcp
RU 93.186.225.194:80 tcp
N/A 20.49.150.241:443 tcp
RU 93.186.225.194:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
N/A 20.49.150.241:443 tcp
N/A 20.49.150.241:443 tcp
IT 2.233.91.176:19001 tcp
FR 146.59.232.218:1337 tcp
GR 83.212.117.37:443 tcp
US 8.8.8.8:53 218.232.59.146.in-addr.arpa udp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 37.117.212.83.in-addr.arpa udp
RU 93.186.225.194:443 tcp
US 8.8.8.8:53 udp
RU 93.186.225.194:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
RU 93.186.225.194:443 tcp
US 104.21.83.138:443 paperambiguonusphoterew.site tcp
US 8.8.8.8:53 trmpc.com udp
MX 189.232.10.46:80 trmpc.com tcp
US 8.8.8.8:53 46.10.232.189.in-addr.arpa udp
FR 146.59.232.218:1337 tcp
GR 83.212.117.37:443 tcp
US 8.8.8.8:53 csgo500tr.com udp
US 8.8.8.8:53 csgo500tr.com udp
US 8.8.8.8:53 itechitalia.eu udp
US 8.8.8.8:53 itechitalia.eu udp
US 8.8.8.8:53 joinhiving.com udp
US 188.114.97.2:22 csgo500tr.com tcp
US 8.8.8.8:53 joinhiving.com udp
US 8.8.8.8:53 centrodellamusica.it udp
US 188.114.97.2:21 csgo500tr.com tcp
US 8.8.8.8:53 centrodellamusica.it udp
US 8.8.8.8:53 rubikscubetimer.com udp
US 188.114.97.2:443 csgo500tr.com tcp
US 8.8.8.8:53 rubikscubetimer.com udp
US 8.8.8.8:53 auth.services.adobe.com udp
US 8.8.8.8:53 itechitalia-eu.mail.protection.outlook.com udp
NL 51.158.154.206:22 joinhiving.com tcp
NL 51.158.154.206:21 joinhiving.com tcp
NL 51.158.154.206:443 joinhiving.com tcp
US 8.8.8.8:53 auth.services.adobe.com udp
US 8.8.8.8:53 udpaccess.com udp
US 188.114.97.2:143 csgo500tr.com tcp
US 8.8.8.8:53 udpaccess.com udp
US 8.8.8.8:53 accounts.spotify.com udp
US 188.114.97.2:80 csgo500tr.com tcp
US 188.114.97.2:465 csgo500tr.com tcp
US 8.8.8.8:53 206.154.158.51.in-addr.arpa udp
US 8.8.8.8:53 accounts.spotify.com udp
US 8.8.8.8:53 moncvparfait.fr udp
NL 51.158.154.206:143 joinhiving.com tcp
US 52.101.40.4:465 itechitalia-eu.mail.protection.outlook.com tcp
US 52.101.40.4:143 itechitalia-eu.mail.protection.outlook.com tcp
US 162.243.252.129:21 rubikscubetimer.com tcp
US 162.243.252.129:22 rubikscubetimer.com tcp
US 188.114.97.2:80 csgo500tr.com tcp
US 188.114.97.2:995 csgo500tr.com tcp
US 8.8.8.8:53 moncvparfait.fr udp
US 8.8.8.8:53 surveyhead.com udp
US 8.8.8.8:53 centrodellamusica-it.mail.protection.outlook.com udp
IT 92.245.188.55:22 centrodellamusica.it tcp
IT 92.245.188.55:21 centrodellamusica.it tcp
IT 92.245.188.55:443 centrodellamusica.it tcp
US 104.18.32.77:22 auth.services.adobe.com tcp
US 104.18.32.77:21 auth.services.adobe.com tcp
US 162.243.252.129:443 rubikscubetimer.com tcp
NL 51.158.154.206:465 joinhiving.com tcp
US 52.101.40.4:995 itechitalia-eu.mail.protection.outlook.com tcp
NL 51.158.154.206:80 joinhiving.com tcp
US 104.18.32.77:443 auth.services.adobe.com tcp
US 199.59.243.225:21 udpaccess.com tcp
US 199.59.243.225:22 udpaccess.com tcp
US 35.186.224.25:22 accounts.spotify.com tcp
US 188.114.96.2:22 csgo500tr.com tcp
US 8.8.8.8:53 surveyhead.com udp
US 8.8.8.8:53 magix-online.com udp
US 188.114.96.2:21 csgo500tr.com tcp
NL 51.158.154.206:995 joinhiving.com tcp
US 35.186.224.25:21 accounts.spotify.com tcp
US 199.59.243.225:443 udpaccess.com tcp
US 8.8.8.8:53 itechitalia.eu udp
NL 51.158.154.206:80 joinhiving.com tcp
US 8.8.8.8:53 magix-online.com udp
US 8.8.8.8:53 us04web.zoom.us udp
IE 104.47.17.74:143 centrodellamusica-it.mail.protection.outlook.com tcp
US 162.243.252.129:143 rubikscubetimer.com tcp
US 8.8.8.8:53 129.252.243.162.in-addr.arpa udp
US 8.8.8.8:53 55.188.245.92.in-addr.arpa udp
US 35.186.224.25:443 accounts.spotify.com tcp
US 8.8.8.8:53 www.centrodellamusica.net udp
FR 96.16.248.171:21 moncvparfait.fr tcp
FR 96.16.248.171:22 moncvparfait.fr tcp
US 188.114.96.2:143 csgo500tr.com tcp
IE 104.47.17.74:465 centrodellamusica-it.mail.protection.outlook.com tcp
US 162.243.252.129:465 rubikscubetimer.com tcp
US 104.18.32.77:143 auth.services.adobe.com tcp
IT 92.245.188.55:80 www.centrodellamusica.net tcp
US 162.243.252.129:80 rubikscubetimer.com tcp
US 172.64.155.179:22 auth.services.adobe.com tcp
US 8.8.8.8:53 us04web.zoom.us udp
US 8.8.8.8:53 account.nokia.com udp
US 199.59.243.225:143 udpaccess.com tcp
US 188.114.97.2:443 csgo500tr.com tcp
US 8.8.8.8:53 77.32.18.104.in-addr.arpa udp
US 8.8.8.8:53 225.243.59.199.in-addr.arpa udp
US 188.114.97.2:443 csgo500tr.com tcp
US 188.114.96.2:465 csgo500tr.com tcp
US 74.206.97.188:22 surveyhead.com tcp
US 52.101.9.11:143 itechitalia-eu.mail.protection.outlook.com tcp
FR 96.16.248.171:443 moncvparfait.fr tcp
US 8.8.8.8:53 account.nokia.com udp
US 8.8.8.8:53 goflac.com udp
US 52.101.9.11:465 itechitalia-eu.mail.protection.outlook.com tcp
US 188.114.96.2:995 csgo500tr.com tcp
IE 104.47.17.74:995 centrodellamusica-it.mail.protection.outlook.com tcp
US 162.243.252.129:995 rubikscubetimer.com tcp
DE 195.214.216.136:22 magix-online.com tcp
US 104.18.32.77:80 auth.services.adobe.com tcp
US 104.18.32.77:465 auth.services.adobe.com tcp
US 35.186.224.25:143 accounts.spotify.com tcp
NL 51.158.154.206:22 joinhiving.com tcp
IT 92.245.188.55:21 www.centrodellamusica.net tcp
US 199.59.243.225:465 udpaccess.com tcp
US 172.64.155.179:21 auth.services.adobe.com tcp
US 199.59.243.225:80 udpaccess.com tcp
NL 51.158.154.206:443 joinhiving.com tcp
US 74.206.97.188:21 surveyhead.com tcp
US 8.8.8.8:53 aspmx2.googlemail.com udp
US 8.8.8.8:53 inbound01.researchnow.com udp
US 8.8.8.8:53 25.224.186.35.in-addr.arpa udp
US 74.206.97.188:443 surveyhead.com tcp
DE 195.214.216.136:21 magix-online.com tcp
US 8.8.8.8:53 goflac.com udp
US 52.101.9.11:995 itechitalia-eu.mail.protection.outlook.com tcp
US 104.18.32.77:995 auth.services.adobe.com tcp
US 35.186.224.25:465 accounts.spotify.com tcp
US 104.18.32.77:80 auth.services.adobe.com tcp
US 170.114.52.4:22 us04web.zoom.us tcp
US 199.59.243.225:995 udpaccess.com tcp
US 162.243.252.129:80 rubikscubetimer.com tcp
US 8.8.8.8:53 moncvparfait.fr udp
US 8.8.8.8:53 magixonline-com01c.mail.protection.outlook.com udp
DE 195.214.216.136:443 magix-online.com tcp
IT 92.245.188.55:443 www.centrodellamusica.net tcp
US 8.8.8.8:53 accounts.google.com udp
US 52.101.11.9:143 itechitalia-eu.mail.protection.outlook.com tcp
FR 96.16.248.159:21 moncvparfait.fr tcp
FR 96.16.248.159:22 moncvparfait.fr tcp
US 52.101.11.9:465 itechitalia-eu.mail.protection.outlook.com tcp
NL 104.47.18.74:143 centrodellamusica-it.mail.protection.outlook.com tcp
NL 104.47.18.74:465 centrodellamusica-it.mail.protection.outlook.com tcp
US 170.114.52.4:21 us04web.zoom.us tcp
US 8.8.8.8:53 login.norton.com udp
US 8.8.8.8:53 www.moncvparfait.fr udp
US 104.21.83.138:443 paperambiguonusphoterew.site tcp
US 172.64.155.179:143 auth.services.adobe.com tcp
US 8.8.8.8:53 171.248.16.96.in-addr.arpa udp
NL 51.158.154.206:443 joinhiving.com tcp
US 35.186.224.25:80 accounts.spotify.com tcp
NL 142.250.27.26:143 aspmx2.googlemail.com tcp
US 52.101.11.9:995 itechitalia-eu.mail.protection.outlook.com tcp
US 188.114.97.2:22 csgo500tr.com tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 login.norton.com udp
NL 104.47.18.74:995 centrodellamusica-it.mail.protection.outlook.com tcp
US 172.64.155.179:465 auth.services.adobe.com tcp
US 162.243.252.129:21 rubikscubetimer.com tcp
US 170.114.52.4:443 us04web.zoom.us tcp
US 8.8.8.8:53 exitlag.com udp
US 35.186.224.25:80 accounts.spotify.com tcp
US 199.59.243.225:80 udpaccess.com tcp
US 208.53.56.17:143 inbound01.researchnow.com tcp
US 8.8.8.8:53 4.52.114.170.in-addr.arpa udp
US 8.8.8.8:53 136.216.214.195.in-addr.arpa udp
US 35.186.224.25:995 accounts.spotify.com tcp
NL 142.250.27.26:465 aspmx2.googlemail.com tcp
US 74.206.97.188:80 surveyhead.com tcp
US 188.114.97.2:21 csgo500tr.com tcp
FR 96.16.248.171:80 moncvparfait.fr tcp
IT 92.245.188.55:443 www.centrodellamusica.net tcp
US 208.53.56.17:465 inbound01.researchnow.com tcp
IT 92.245.188.55:22 www.centrodellamusica.net tcp
US 172.64.155.179:995 auth.services.adobe.com tcp
US 188.114.97.2:80 csgo500tr.com tcp
US 104.21.35.143:443 qualifiedbehaviorrykej.site tcp
US 8.8.8.8:53 www.magix-online.com udp
US 8.8.8.8:53 exitlag.com udp
US 188.114.97.2:80 csgo500tr.com tcp
NL 142.250.27.26:995 aspmx2.googlemail.com tcp
US 208.53.56.17:995 inbound01.researchnow.com tcp
DE 195.214.216.136:80 www.magix-online.com tcp
GB 92.122.54.116:443 www.moncvparfait.fr tcp
US 162.243.252.129:22 rubikscubetimer.com tcp
US 104.18.32.77:443 auth.services.adobe.com tcp
IT 92.245.188.55:990 www.centrodellamusica.net tcp
NL 52.101.73.16:143 magixonline-com01c.mail.protection.outlook.com tcp
US 8.8.8.8:53 careers-brampton.icims.com udp
NL 52.101.73.16:465 magixonline-com01c.mail.protection.outlook.com tcp
US 188.114.97.2:143 csgo500tr.com tcp
US 8.8.8.8:53 account.nokia.com udp
US 8.8.8.8:53 goflac.com udp
IE 209.85.203.84:22 accounts.google.com tcp
US 199.59.243.225:80 udpaccess.com tcp
US 8.8.8.8:53 itechitalia-eu.mail.protection.outlook.com udp
US 8.8.8.8:53 careers-brampton.icims.com udp
US 162.243.252.129:443 rubikscubetimer.com tcp
NL 52.101.73.16:995 magixonline-com01c.mail.protection.outlook.com tcp
US 104.18.32.77:22 auth.services.adobe.com tcp
US 162.243.252.129:143 rubikscubetimer.com tcp
NL 51.158.154.206:80 joinhiving.com tcp
US 188.114.96.2:22 csgo500tr.com tcp
US 170.114.52.4:22 us04web.zoom.us tcp
US 8.8.8.8:53 accounts.snapchat.com udp
NL 52.101.73.6:143 magixonline-com01c.mail.protection.outlook.com tcp
NL 51.158.154.206:21 joinhiving.com tcp
IE 209.85.203.84:21 accounts.google.com tcp
US 8.8.8.8:53 centrodellamusica-it.mail.protection.outlook.com udp
US 13.107.246.64:22 login.norton.com tcp
NL 51.158.154.206:80 joinhiving.com tcp
US 13.107.246.64:21 login.norton.com tcp
US 13.107.246.64:443 login.norton.com tcp
US 8.8.8.8:53 accounts.snapchat.com udp
US 188.114.96.2:21 csgo500tr.com tcp
US 170.114.52.4:143 us04web.zoom.us tcp
US 104.22.79.205:22 exitlag.com tcp
US 8.8.8.8:53 proticketing.com udp
US 8.8.8.8:53 alt2.gmr-smtp-in.l.google.com udp
US 8.8.8.8:53 itechitalia.eu udp
US 8.8.8.8:53 ftp.itechitalia.eu udp
US 8.8.8.8:53 116.54.122.92.in-addr.arpa udp
US 170.114.52.4:465 us04web.zoom.us tcp
US 170.114.52.4:80 us04web.zoom.us tcp
US 188.114.97.2:995 csgo500tr.com tcp
US 170.114.52.4:21 us04web.zoom.us tcp
IT 92.245.188.55:80 www.centrodellamusica.net tcp
NL 51.158.154.206:143 joinhiving.com tcp
US 188.114.97.2:465 csgo500tr.com tcp
US 104.18.32.77:21 auth.services.adobe.com tcp
US 35.186.224.25:443 accounts.spotify.com tcp
NL 52.101.73.6:465 magixonline-com01c.mail.protection.outlook.com tcp
IE 209.85.203.84:443 accounts.google.com tcp
US 104.22.79.205:21 exitlag.com tcp
IT 92.245.188.55:443 www.centrodellamusica.net tcp
US 52.101.41.3:143 itechitalia-eu.mail.protection.outlook.com tcp
US 13.107.213.64:22 login.norton.com tcp
US 13.107.213.64:21 login.norton.com tcp
US 188.114.96.2:143 csgo500tr.com tcp
NL 51.158.154.206:465 joinhiving.com tcp
US 8.8.8.8:53 proticketing.com udp
IT 92.245.188.55:80 www.centrodellamusica.net tcp
IT 92.245.188.55:443 www.centrodellamusica.net tcp
US 170.114.52.4:995 us04web.zoom.us tcp
US 52.101.41.3:465 itechitalia-eu.mail.protection.outlook.com tcp
NL 51.158.154.206:22 joinhiving.com tcp
NL 52.101.73.6:995 magixonline-com01c.mail.protection.outlook.com tcp
US 199.59.243.225:22 udpaccess.com tcp
US 199.59.243.225:21 udpaccess.com tcp
US 35.186.224.25:22 accounts.spotify.com tcp
US 162.243.252.129:465 rubikscubetimer.com tcp
US 172.64.155.179:22 auth.services.adobe.com tcp
US 172.67.29.58:22 exitlag.com tcp
FR 96.16.248.171:22 moncvparfait.fr tcp
US 8.8.8.8:53 account.asus.com udp
US 8.8.8.8:53 account.nokia.com udp
US 8.8.8.8:53 exitlag-com.mail.protection.outlook.com udp
US 8.8.8.8:53 64.246.107.13.in-addr.arpa udp
US 188.114.96.2:995 csgo500tr.com tcp
GB 92.122.54.116:443 www.moncvparfait.fr tcp
US 52.101.41.3:995 itechitalia-eu.mail.protection.outlook.com tcp
FR 96.16.248.171:21 moncvparfait.fr tcp
NL 51.158.154.206:995 joinhiving.com tcp
US 172.64.155.179:21 auth.services.adobe.com tcp
US 172.67.29.58:21 exitlag.com tcp
GB 18.239.236.36:22 careers-brampton.icims.com tcp
US 104.22.79.205:443 exitlag.com tcp
US 52.101.40.1:143 itechitalia-eu.mail.protection.outlook.com tcp
GB 18.239.236.36:21 careers-brampton.icims.com tcp
US 8.8.8.8:53 copyrightspareddcitwew.site udp
US 8.8.8.8:53 account.asus.com udp
US 52.101.40.1:465 itechitalia-eu.mail.protection.outlook.com tcp
US 162.243.252.129:995 rubikscubetimer.com tcp
DE 195.214.216.136:22 www.magix-online.com tcp
US 104.18.32.77:143 auth.services.adobe.com tcp
US 188.114.97.2:443 csgo500tr.com tcp
US 35.186.224.25:21 accounts.spotify.com tcp
US 13.107.246.64:143 login.norton.com tcp
DE 195.214.216.136:80 www.magix-online.com tcp
NL 142.250.153.14:143 alt2.gmr-smtp-in.l.google.com tcp
US 199.59.243.225:143 udpaccess.com tcp
US 74.206.97.188:22 surveyhead.com tcp
FR 96.16.248.159:22 moncvparfait.fr tcp
US 8.8.8.8:53 login.aruba.it udp
US 104.18.32.77:465 auth.services.adobe.com tcp
US 8.8.8.8:53 84.203.85.209.in-addr.arpa udp
US 199.59.243.225:80 udpaccess.com tcp
US 52.101.40.1:995 itechitalia-eu.mail.protection.outlook.com tcp
FR 96.16.248.159:21 moncvparfait.fr tcp
GB 18.239.236.36:443 careers-brampton.icims.com tcp
US 34.149.46.130:22 accounts.snapchat.com tcp
US 34.149.46.130:21 accounts.snapchat.com tcp
US 8.8.8.8:53 magixonline-com01c.mail.protection.outlook.com udp
US 104.21.55.202:443 copyrightspareddcitwew.site tcp
US 8.8.8.8:53 login.aruba.it udp
GB 18.239.236.4:21 careers-brampton.icims.com tcp
US 172.64.155.179:143 auth.services.adobe.com tcp
US 13.107.213.64:143 login.norton.com tcp
IE 209.85.203.84:80 accounts.google.com tcp
NL 142.250.153.14:465 alt2.gmr-smtp-in.l.google.com tcp
US 74.206.97.188:80 surveyhead.com tcp
US 13.107.246.64:80 login.norton.com tcp
US 13.107.246.64:465 login.norton.com tcp
US 35.186.224.25:465 accounts.spotify.com tcp
FR 96.16.248.171:80 moncvparfait.fr tcp
US 104.18.32.77:80 auth.services.adobe.com tcp
US 104.18.32.77:995 auth.services.adobe.com tcp
DE 195.214.216.136:21 www.magix-online.com tcp
NL 51.158.154.206:443 joinhiving.com tcp
US 52.101.8.42:143 exitlag-com.mail.protection.outlook.com tcp
US 8.8.8.8:53 digitalvoice.nielsen.com udp
US 8.8.8.8:53 goflac.com udp
US 8.8.8.8:53 205.79.22.104.in-addr.arpa udp
US 170.114.52.4:80 us04web.zoom.us tcp
US 74.206.97.188:21 surveyhead.com tcp
IE 104.47.17.74:995 centrodellamusica-it.mail.protection.outlook.com tcp
US 104.18.32.77:80 auth.services.adobe.com tcp
US 172.64.155.179:465 auth.services.adobe.com tcp
US 34.149.46.130:443 accounts.snapchat.com tcp
US 188.114.97.2:80 csgo500tr.com tcp
US 35.186.224.25:80 accounts.spotify.com tcp
US 199.59.243.225:80 udpaccess.com tcp
US 104.22.13.248:21 proticketing.com tcp
US 104.22.13.248:22 proticketing.com tcp
US 8.8.8.8:53 account.nokia.com udp
US 172.64.155.179:995 auth.services.adobe.com tcp
US 104.22.12.248:21 proticketing.com tcp
IT 152.199.16.78:22 account.asus.com tcp
IT 92.245.188.55:22 www.centrodellamusica.net tcp
NL 142.250.153.14:995 alt2.gmr-smtp-in.l.google.com tcp
US 13.107.246.64:80 login.norton.com tcp
US 208.53.56.17:143 inbound01.researchnow.com tcp
US 13.107.246.64:995 login.norton.com tcp
US 52.101.8.42:465 exitlag-com.mail.protection.outlook.com tcp
US 170.114.52.4:222 us04web.zoom.us tcp
US 170.114.52.4:143 us04web.zoom.us tcp
US 162.243.252.129:80 rubikscubetimer.com tcp
NL 142.250.27.26:143 aspmx2.googlemail.com tcp
GB 18.239.236.36:143 careers-brampton.icims.com tcp
US 8.8.8.8:53 digitalvoice.nielsen.com udp
US 8.8.8.8:53 members.bitcomet.com udp
US 172.67.30.9:21 proticketing.com tcp
US 8.8.8.8:53 www.exitlag.com udp
US 8.8.8.8:53 smtp-02.servidoresdns.net udp
US 8.8.8.8:53 itechitalia.eu udp
US 8.8.8.8:53 ftp.itechitalia.eu udp
US 170.114.52.4:990 us04web.zoom.us tcp
US 170.114.52.4:465 us04web.zoom.us tcp
US 162.243.252.129:80 rubikscubetimer.com tcp
US 188.114.97.2:222 csgo500tr.com tcp
NL 142.250.27.26:995 aspmx2.googlemail.com tcp
DE 195.214.216.136:80 www.magix-online.com tcp
IT 152.199.16.78:21 account.asus.com tcp
US 104.22.13.248:443 proticketing.com tcp
NL 52.101.73.12:143 magixonline-com01c.mail.protection.outlook.com tcp
US 8.8.8.8:53 members.bitcomet.com udp
US 162.243.252.129:990 rubikscubetimer.com tcp
IT 217.61.8.49:22 login.aruba.it tcp
US 188.114.97.2:990 csgo500tr.com tcp
NL 142.250.27.26:465 aspmx2.googlemail.com tcp
US 34.149.46.130:143 accounts.snapchat.com tcp
US 104.22.79.205:80 www.exitlag.com tcp
US 35.186.224.25:995 accounts.spotify.com tcp
US 170.114.52.4:995 us04web.zoom.us tcp
US 208.53.56.17:465 inbound01.researchnow.com tcp
IE 209.85.203.84:22 accounts.google.com tcp
GB 18.239.236.36:465 careers-brampton.icims.com tcp
GB 18.239.236.36:80 careers-brampton.icims.com tcp
US 162.243.252.129:22 rubikscubetimer.com tcp
US 8.8.8.8:53 joinhoney.com udp
US 8.8.8.8:53 itechitalia-eu.mail.protection.outlook.com udp
US 8.8.8.8:53 36.236.239.18.in-addr.arpa udp
US 8.8.8.8:53 202.55.21.104.in-addr.arpa udp
US 8.8.8.8:53 130.46.149.34.in-addr.arpa udp
US 8.8.8.8:53 goflac.com udp
US 170.114.52.4:443 us04web.zoom.us tcp
US 35.186.224.25:80 accounts.spotify.com tcp
US 188.114.97.2:587 csgo500tr.com tcp
US 162.243.252.129:993 rubikscubetimer.com tcp
US 208.53.56.17:995 inbound01.researchnow.com tcp
IT 92.245.188.55:990 www.centrodellamusica.net tcp
IT 92.245.188.55:80 www.centrodellamusica.net tcp
IT 152.199.16.78:443 account.asus.com tcp
US 8.8.8.8:53 login.norton.com udp
US 188.114.97.0:443 expenditureddisumilarwo.site tcp
US 8.8.8.8:53 centrodellamusica-it.mail.protection.outlook.com udp
US 8.8.8.8:53 moncvparfait.fr udp
US 8.8.8.8:53 auth.services.adobe.com udp
GB 96.17.179.193:80 tcp
US 52.101.8.42:995 itechitalia-eu.mail.protection.outlook.com tcp
US 34.149.46.130:80 accounts.snapchat.com tcp
US 34.149.46.130:465 accounts.snapchat.com tcp
NL 52.101.73.12:995 magixonline-com01c.mail.protection.outlook.com tcp
NL 51.158.154.206:990 joinhiving.com tcp
NL 51.158.154.206:22 joinhiving.com tcp
IE 209.85.203.84:21 accounts.google.com tcp
US 13.107.246.64:21 login.norton.com tcp
US 104.18.32.77:222 auth.services.adobe.com tcp
ES 217.76.128.139:143 smtp-02.servidoresdns.net tcp
FR 96.16.248.171:80 moncvparfait.fr tcp
DE 195.214.216.136:443 www.magix-online.com tcp
US 104.22.79.205:22 www.exitlag.com tcp
US 188.114.97.2:80 csgo500tr.com tcp
US 8.8.8.8:53 dt666.xyz udp
US 8.8.8.8:53 joinhoney.com udp
GB 18.239.236.36:995 careers-brampton.icims.com tcp
US 8.8.8.8:53 exitlag-com.mail.protection.outlook.com udp
US 188.114.97.2:110 csgo500tr.com tcp
US 8.8.8.8:53 248.13.22.104.in-addr.arpa udp
US 8.8.8.8:53 account.nokia.com udp
GB 18.239.236.36:22 careers-brampton.icims.com tcp
IE 52.49.244.108:443 digitalvoice.nielsen.com tcp
US 8.8.8.8:53 dt666.xyz udp
US 8.8.8.8:53 passport.neea.edu.cn udp
US 8.8.8.8:53 login.norton.com udp
US 104.22.13.248:80 proticketing.com tcp
IE 209.85.203.84:443 accounts.google.com tcp
NL 51.158.154.206:80 joinhiving.com tcp
US 8.8.8.8:53 goflac.com udp
US 8.8.8.8:53 78.16.199.152.in-addr.arpa udp
US 13.107.246.64:443 login.norton.com tcp
US 172.64.155.179:443 auth.services.adobe.com tcp
US 35.186.224.25:443 accounts.spotify.com tcp
US 34.149.46.130:21 accounts.snapchat.com tcp
US 8.8.8.8:53 passport.neea.edu.cn udp
US 8.8.8.8:53 visa.vfsglobal.com udp
IT 152.199.16.78:80 account.asus.com tcp
RU 158.160.118.17:80 galandskiyher5.com tcp
US 8.8.8.8:53 ftp.itechitalia.eu udp
US 8.8.8.8:53 www.moncvparfait.fr udp
US 8.8.8.8:53 itechitalia.eu udp
US 8.8.8.8:53 ssh.itechitalia.eu udp
US 8.8.8.8:53 108.244.49.52.in-addr.arpa udp
US 8.8.8.8:53 ftp.centrodellamusica.it udp
RU 193.233.132.67:50505 tcp
US 199.59.243.225:80 udpaccess.com tcp
US 8.8.8.8:53 visa.vfsglobal.com udp
US 8.8.8.8:53 grabcad.com udp
US 74.206.97.188:80 surveyhead.com tcp
IT 217.61.8.49:80 login.aruba.it tcp
US 162.243.252.129:443 rubikscubetimer.com tcp
GB 18.239.236.36:443 careers-brampton.icims.com tcp
US 8.8.8.8:53 computermobilepanel.nielsen.com udp
US 8.8.8.8:53 magixonline-com01c.mail.protection.outlook.com udp
US 8.8.8.8:53 alt2.aspmx.l.google.com udp
US 8.8.8.8:53 goflac.com udp
US 8.8.8.8:53 account.nokia.com udp
US 8.8.8.8:53 179.155.64.172.in-addr.arpa udp
US 8.8.8.8:53 itechitalia-eu.mail.protection.outlook.com udp
HK 141.98.234.31:53 bhltykd.com udp
US 8.8.8.8:53 moncvparfait.fr udp
US 8.8.8.8:53 centrodellamusica-it.mail.protection.outlook.com udp
US 8.8.8.8:53 idmsa.apple.com udp

Files

memory/3408-0-0x00007FF611E20000-0x00007FF612811000-memory.dmp

memory/3408-1-0x00007FF611E20000-0x00007FF612811000-memory.dmp

memory/3408-6-0x00007FF87C320000-0x00007FF87C5E9000-memory.dmp

memory/3408-9-0x00007FF611E20000-0x00007FF612811000-memory.dmp

memory/3408-8-0x00007FF800030000-0x00007FF800031000-memory.dmp

memory/3408-10-0x00007FF87C820000-0x00007FF87C8DE000-memory.dmp

memory/3408-12-0x00007FF611E20000-0x00007FF612811000-memory.dmp

memory/3408-7-0x00007FF800000000-0x00007FF800002000-memory.dmp

memory/3408-11-0x00007FF87C320000-0x00007FF87C5E9000-memory.dmp

memory/3408-14-0x00007FF611E20000-0x00007FF612811000-memory.dmp

memory/3408-13-0x00007FF611E20000-0x00007FF612811000-memory.dmp

memory/3408-15-0x00007FF611E20000-0x00007FF612811000-memory.dmp

memory/3408-16-0x00007FF611E20000-0x00007FF612811000-memory.dmp

memory/3408-17-0x00007FF611E20000-0x00007FF612811000-memory.dmp

memory/3408-18-0x00007FF611E20000-0x00007FF612811000-memory.dmp

memory/3408-19-0x00007FF611E20000-0x00007FF612811000-memory.dmp

memory/3408-20-0x00007FF87E7D0000-0x00007FF87E9C5000-memory.dmp

C:\Users\Admin\Documents\GuardFox\OeqTok3crnjqes83Oeiqup5y.exe

MD5 0fcac0e9875fc09d0d65594bd56b715e
SHA1 dda53d0d5a440d55f772c77bd6f0e8077f3422a9
SHA256 c130fe4bbec021e2df9637c5946eb484008fc25675f1a7f72860bc171a0600e6
SHA512 e82505f91288f70cdbd86a4fe90276118155529cc654eba3b984ec8223f7d51cbbf818b452850bec7cecf6b7ed8497a0b305c9545fd32fdd20fe6c6a732b605d

C:\Users\Admin\Documents\GuardFox\LisIvn9B0eWX39XfGBxbdtul.exe

MD5 6bfd54f72b847eb6e1adf1e77e42c8fd
SHA1 a2abaaeadeceede5f6bda791c7e2c2c49965e9d1
SHA256 65cb57a690db8fbc5ac285c2bb4a1011c6a2caaf092f8686d997b6baecf3371f
SHA512 1777fca108dfb1fa7907276132fa05f40d0228ebfd4922bb0556339035e638f07e09b4e6222f2b780be128d150bd93f2e9175625a4ae9c4c5596a111e29b0307

C:\Users\Admin\Documents\GuardFox\XR0YIbtqmyEEIPi760UciSol.exe

MD5 4083c3bca21212a0ca5cc3277ee41bfc
SHA1 7f4722cda9fe919744de378809cca8ac29446519
SHA256 ccd2836870acf5dc5df5cc256f9e93bc64571332f8b18a331a110597896503f5
SHA512 15d4a142d650376b87865044d626f386228538c67da6c7b0a9093f21761a3a1d005ab3b841d921028e28161b75221635aaf7436e86806b4fd7dc6a1347076e74

C:\Users\Admin\Documents\GuardFox\qV9mEjhKIBcQ7TuES_j_hidT.exe

MD5 ce6fca7d50c4276d4b05c34aeb76275f
SHA1 a231f1418a519bbe0adce787640e19af4c6851d3
SHA256 ab6a09671aeeca06971bf4318636770b59cd886d7a16e42a256996a42e84d4d4
SHA512 58042e8cb5d48c8cf7898c2f24154301d5232363a1076dd4cb97023a8c782b3a9b5b1fa4d83bc0595ef7dd5eaa2ffe4c325969d829539bcc3e53cab8e893eb1d

C:\Users\Admin\Documents\GuardFox\raHvPX_M18PnQ4JVL8Ke7B9I.exe

MD5 5de7ceda539e979fedee5868708eff04
SHA1 f891acd70eb953b4a6918f4d0c539a1bd0e2c81d
SHA256 bb4f3286524d0d5d0072f2d231553629e8e1d5e6c89fdcf35684ef2d71544505
SHA512 a579cd72f52fbd1a4b628b3f99b83267326484a6d26cb5d911716e313cfda9edf23942fca764162278c72f4316b7f9b2ef80686489e2a96316d10507ebdbf8d9

C:\Users\Admin\Documents\GuardFox\Am8DGNpJ8zKJ3vxaxMrNPrK2.exe

MD5 b204dc62b6924475292ba74e6c96a9cc
SHA1 4987093c62ddb61405ff000d75eb7a1f27a528a7
SHA256 d8e5a7d83852597fe04624f8117b9618e651d5456721232812b84c0eb77a7a14
SHA512 a11ca259ce7548059246f49520becf1782a9513fed7862292fe07569c1607382d1afe73d6af4cfe12ed8a6bce923acbbdd015c71941bc45e5a4ee8200d94a8c5

C:\Users\Admin\Documents\GuardFox\3860sw0VMSmL9vdt9w4gL0z7.exe

MD5 a1d31aa79328b3fb5e9e301c3fd2aa14
SHA1 e5def667509393420826c14a0541bbe9ed411f05
SHA256 a2b7b7a33939ac721d34984cc0849d8e438a8f3d1d4ce3ee53eb0a48f9792da8
SHA512 f262c845827f7d8858f46e16c34dff4c1dc9503cef45e086343a156bf91f6648cd7ec01b3a8b6713c92f2429c4178ab722faa02309c978b74b588482d69509b8

C:\Users\Admin\Documents\GuardFox\QCBuhoR0_O5gO9EbQFahIqBy.exe

MD5 64413707f9258d1b2c4ccb3057189ac1
SHA1 f3a515b42923a108b3157853e2de4e9e17634847
SHA256 c94fa8a0a4d7b3d5ba9dbaf5de083f99d3a605fa58db2b001de392af3a160db7
SHA512 b8c1969f5f1c6a7fbd404eac29e90654f4a2da3f6e79ff58c3d62a8babd4f8634fa8b54700eead79ee9db5efc91969f980b268e56cc7b620e63bb5ebaee96ba4

C:\Users\Admin\Documents\GuardFox\4trEFsYYFs6Jme3QwUfvUobC.exe

MD5 0ce5990ab626fa51bdd4c377a5d1f092
SHA1 23f639b72b5acb507e47b2ab80bb617e8ec7508d
SHA256 43504071da5e939999ff89fa9de07fb3af5c95522d585142ec10a6cb1ddcd050
SHA512 6518e2ea3a7ba85b592e0d02660d3194d57d62835873a20e59c0c0241d23094160af9eab9991faf5185e538ecdf41db154eb4f25ffbe335e97c559693d61f1a4

memory/3408-91-0x00007FF611E20000-0x00007FF612811000-memory.dmp

C:\Users\Admin\Documents\GuardFox\vUZBOtp6mXHWVIfMH4c0FtLr.exe

MD5 0276ffbb1c23c7f07035eac315dff1f8
SHA1 4afed717669665c86c0a7f2a101701057c6b0c31
SHA256 d0ae32eaff68ba479fc362b32ec78530b74918e7859928ba0a6edfc3a519422d
SHA512 91d765c0fb7169d3a590e6f3e106c5aecbbf6a47647d20340a504933a1f79c08071bfe7a0d3bbf428f9391e55dd9039cdfd05b32beee9bb1e4a86a804897ad9f

C:\Users\Admin\Documents\GuardFox\tzQDaFN9XwE9nJsYRLnotvlR.exe

MD5 ed0042abfee0086e98241b60106cf2c4
SHA1 57c6c404e86f9fe2214ec8dfd82d7686e9ce7370
SHA256 7820d08c75346bbbc8aba4dc411e90f09b6e30719dcfd1c8a9a7cc9bc4d67fcc
SHA512 14bd75a7ca5410a360f3633e8358797943522190fb9e2aaaa5888960a7b1b9a5fbf4af1844e3842cf6eee97483c2b41599e730bb8914a559132f0c168fca9b2d

C:\Users\Admin\Documents\GuardFox\rQNYyM1Qi3JqdaD0HEnyZkZw.exe

MD5 1007b94653a171a99a80e675f7809f43
SHA1 4b76f659b924a01e73e48f1b1640c7aade0476d7
SHA256 37165ed8d8ae85339115b8183c61c15a4ea977e6851bac19b7c9dd1622c306dd
SHA512 4d42638645ba1dc91fbcf1cbfc3a2154f46ae520e37fcb8edce8452752e5f0df59dda7cb7f993c00024211fa51a5186f1423ae053915d5b5183fd3b048a0bf43

C:\Users\Admin\Documents\GuardFox\B9ZfLXHjLJO8ElGDIFov6Qgl.exe

MD5 868795839aa02b7b31f28c7c941fbb4e
SHA1 f410bf63b204b4f8aa2692b614880a143d7168b1
SHA256 b9332c2c4ebe004e4bb8029d7bf8712bc086bd1a5ea74d8a6de2537f146d8f50
SHA512 72f68e88049a0e9e620b0fd2e84f427ce7b902081c690e82165b3e0fea00cab41a1688ab5a7a5bdd1d7600a5a3f3e677c25e024b81ae51ce11083775caa4a1f9

C:\Users\Admin\Documents\GuardFox\0JDbJzWFF1BzKfWUVTIKTIwM.exe

MD5 b85f9f9b167c3606e65f16091791a616
SHA1 2329681680cef7d978c5033c44ce3f7e48ad7971
SHA256 d58f3625f1cd3852633bd130d842f3c36dd564676fc7c547570fe4556cec35dc
SHA512 df40a06782a2a071eb0effae650513140aa5a701f86043fc1a2ac20f76b62f20662055fd7021b969ac2c1930c189d3950af3afdbb5ec69d9fc734d0b9e99f310

C:\Users\Admin\Documents\GuardFox\KK0Vvbx4i9pQ519SIuE5Ax9M.exe

MD5 160dd96448b39cab86a8286553e25e13
SHA1 bf364ce57552d52a31224a8c2d2fad618d09b861
SHA256 e7f7b49426729f6e666a3a9b66a4bd3f2b84cc8e476d33d674aedc8d7bf6753d
SHA512 71a2f651df6b9a41821002582a0110dd1669b7163510339d942fdd9ea54def17b28ab19f161c3544cb2323569fea09140aa73f761222ea6a2111586069a8dfca

C:\Users\Admin\Documents\GuardFox\ckcSON1nq9KzLkUObHcFavDh.exe

MD5 d39f4a46b0668b64a68a50710583c4db
SHA1 143218b9f115749caa5fc0d321cfeb097241ba47
SHA256 557a48d2a06a54dc099fd299d171df2616fca1d3622cb60bc679cbd3ec36dfe9
SHA512 1e8f8533234e256d39162837a49a1a82eb7d77ff65dc202e5ff2b21c7273d83a42d7690065dd0b91f73e4d540dd69c64aed96b2c2bef14a61b424fa13c47ae05

C:\Users\Admin\Documents\GuardFox\MHSgYdsltabeUcSs5kmRsv0T.exe

MD5 6105832d34bec2bfbf8d8bde3bd13742
SHA1 20c059875c2dff51cd65bc0557178feeab5d3a7f
SHA256 8905a052864f828ea495d81faea50d8ed32b0d661f92d42e193f59cfcd177acf
SHA512 5fa01879a48e0ec6f9a3541cc88a83e61eacb074457a3c50cc2344e7b742922a384f592f7920853cec5ebd473e2fd45de4d7a06ef1238a14c4740edd0e158240

C:\Users\Admin\Documents\GuardFox\LIFxed9heHkZ445Vw5ffhUOd.exe

MD5 ca43c1320591b94eb10579c9082be36f
SHA1 a4c34273278f812de0f9829ae62dcaef732ff4f6
SHA256 2f3d7b230621676e1bb38f7cdd48a8682389b6674c80a7fac5090468b320c3d0
SHA512 d6bce0dddff991231dbc38f832ed4710ecd82aa45bb20163e3b9f5002d69994445c6119ce9a85e8b960356c7d7351aaf45dae953f219f5858cdb3f715952128f

C:\Users\Admin\Documents\GuardFox\46_sXXY7I21SlDL7QjacEu88.exe

MD5 a92b40673022e3af2faf70250151260d
SHA1 4237907911dbb42151807302edf1c57094ea29ec
SHA256 6b5ea284f39998b5f221d8cc55987586b35e89e3c9125f4b700ebcfcd839ce76
SHA512 5e9947d58319c5cb7eb1f515a69e672490db34fbc0c15d3ee53b564095341baeaa07542209baea7090c5e0ad596980010135b15ec67c57f9fb350d280f766881

C:\Users\Admin\Documents\GuardFox\R08uTl2rhKjiEbQkYXCuC1Dj.exe

MD5 0d54d4df1f0cbf098a4e8a359ee8b827
SHA1 8af586e80899f39ef8dd1438efe09516521673ab
SHA256 401d3b3f4d7d7c709a697af38b80d8ddc07eabf8fd2566c38ab32f5336a113ec
SHA512 878a5fd5815b05b07b08e634e203356b629b2e51869e5a4e869e92e370935bb8e8a7d33df217135daa3ba70bc71d1599aaa671508d03c0f01752966f7f645844

C:\Users\Admin\Documents\GuardFox\k5pmcp_6X8Bmzyw6jGCAMv8o.exe

MD5 a6ce4fd74cd06e0a9868150c0bf8994f
SHA1 ccb743c9663790352c0ac047471487b31c354b0b
SHA256 2c3b85a0a0611c2814d77ef9b56260445c0fd179890301d8e2448256b2a0d6e1
SHA512 4b6db2b393b0b27c12ffcbe71a3d68f716a2c8e7f1a3709a7a969b14f2a2eea41d0399436d80e1d68b9344512eb23df01bc8387fb920683e1a143445d7d1eb97

C:\Users\Admin\Documents\GuardFox\nPvDO4HoS_AqQU2l3rVMl0pH.exe

MD5 3e692dad602bd61d72b11ff0db80903c
SHA1 ca3f95216a1fd7ba0bccdb59a952c4b5d5316a5a
SHA256 5330b96e7741b404988f6d2f261f648eebd709f40bf7bb2b59e50deb6e5c8ab5
SHA512 e3780db4be948044b2771d787e8ef12cb97d39876857c1d103239af356ace63990fd20895c08dd9fe308bc2cee79f51ea63eeead7fffd7c8e7927d6aa6e5a2b4

C:\Users\Admin\Documents\GuardFox\3rydp6Gl_RR1ITv9iCtZdFHR.exe

MD5 cb511fc87963d64fbaac9c735981df35
SHA1 03a5711cc52ae3ba938b73ab0e80ec098103a71a
SHA256 fb6686d2ff029b4e9c6e12b9b8b6ed74dc0eb3eef6610665fb2cf1c2226c43f6
SHA512 ea10449f886e161b11ffa7446f59d42b2075a2966878f64f052edf2d903ce6be20ba5f8ff3bfceabcc3167fc9c6ffeebea3448f52f26ce98207e7ede095fc886

C:\Users\Admin\Documents\GuardFox\nPvDO4HoS_AqQU2l3rVMl0pH.exe

MD5 e8bc119afb600b2652e1745866d05794
SHA1 081def6ddb4ad3aef147f370cf644ff2b49ee8d0
SHA256 8b99067d134bf00b3a59729e1d112ce7720360c1d5a15f930726386f9698313c
SHA512 21ea23c251e20e157a48cd0eba6c06bfb6ba7f0dae9e78cd4734a3ccf0381b8b419ce15a74cef631d148f2cc31800dbb9cf773ecf3bb9307503f35d46d9b7d11

C:\Users\Admin\Documents\GuardFox\raHvPX_M18PnQ4JVL8Ke7B9I.exe

MD5 6d63757085bf8c178ee4680ce824a43e
SHA1 887858b180dbd9b9f8f8561744e708b6cd0391bf
SHA256 28a15ff4beb3f46001bfbfad352149e004f6dfd1877edd15fbe14dbe2f5a6862
SHA512 9307a4d487e01cfe3a728ffdac96d645f473847c1fac07cd41d5d973a3c92a46fa748015919faba53ed57ff789f1fb6337d885322e296ab412c86ed84262ce41

C:\Users\Admin\Documents\GuardFox\3860sw0VMSmL9vdt9w4gL0z7.exe

MD5 016d3084f23ce3ae781de7d2f96064ff
SHA1 a32225c96103bac8a28253934e32738f1983e07e
SHA256 6139618e929461fae8767b868f641c1ba8ece15f8c0be38fa77ed7300207ce4a
SHA512 5e61586124650b2b22fbc09af9b154de06156eed54a02ef239e2f4296237ff2f08d9f425ad13e18c17a094dbbe2cd62f3222047a6f07b5b9dfd53dd0b7238bf9

memory/3408-736-0x00007FF800010000-0x00007FF800011000-memory.dmp

C:\Users\Admin\Documents\GuardFox\OeqTok3crnjqes83Oeiqup5y.exe

MD5 80add3828abe52aef744dc79efd26fbd
SHA1 c4fda03f5bab92a0e3eba5dfb1fed293189747bc
SHA256 7157385caef08dd14e3f591621efca34ca97d1720af4b5563004ef304f56c31d
SHA512 4814f3f565858e1a37fb88f80662a2ac3ef1c2b779d7c226d0235c312ca0935a0896d59d10147c3375e2a0ddef9697bdfb708eed436ca9bf2793df9eca020f63

memory/6000-743-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5080-742-0x00000000009F0000-0x0000000000ED3000-memory.dmp

memory/5984-746-0x0000000000590000-0x000000000059B000-memory.dmp

memory/5984-747-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-JOONE.tmp\LisIvn9B0eWX39XfGBxbdtul.tmp

MD5 42cec0ee77b7982ce1e2763bb789bc7f
SHA1 fbe41d2e147e4587c934eb82f2ef8e014cd8972e
SHA256 f26eb875c4ccac333c0a1c79c0aefc832d496098721a25090f6290f04dd8a4e4
SHA512 c56709139342a1ca8963cd86ba11bd14b2a4ba99bd89b03ab9f539851fb15bf02fcdfc9beae8fbe995cbe579f19b762eca14d8bb0c1ffe1e3d6ca27353a5fd3c

memory/2164-753-0x0000000000780000-0x000000000079C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-JOONE.tmp\LisIvn9B0eWX39XfGBxbdtul.tmp

MD5 e4164ca826064e2533867da0847991f0
SHA1 3e36cf6296738d35387ac00dcbdb9b10a98b6f0d
SHA256 993d53bccc04ce65913fab13783deee5b748ba904e69d69b0779c5ab54584994
SHA512 c9b4617e3d798e80ab80ec089f4af3860243afc815295362dafb55bd69e4e377b10735bf424f276300aa0694a9a732c24e3ff98ef09958b9ac9e5e72dea742cd

memory/2164-750-0x00000000009A0000-0x0000000000AA0000-memory.dmp

C:\Users\Admin\Documents\GuardFox\raHvPX_M18PnQ4JVL8Ke7B9I.exe

MD5 d3724d637795527a55f56b92d68c91bd
SHA1 bf563b36493e84b6ef5927ba6423c5f455e5b7b7
SHA256 cba8029a40c15296824087e1937330029e0562b02d44123e5221a90ff6673cd9
SHA512 ab1c482dfa6fa23f53d6be5bd4434b088f67639cf332e67e39c08566ec28bea9cb170a36dcfa36a710dc4a981515915fa22f2275101904be5403c7bf1d666b79

C:\Users\Admin\Documents\GuardFox\XR0YIbtqmyEEIPi760UciSol.exe

MD5 0ecb28c8708ba6029d9ca14b445ac7ff
SHA1 25d6c1455ed467369a03be5f22b4fbe1c8e374c1
SHA256 15fe303c5357e9f9b5d98c45041c3cab3cc15445ec41e774f2d4329cdea21ced
SHA512 3b4871a3e86a99ed8de2126f8a044a185f0f6bba024e896bba971f7bcc4a750e836275e4dfb91d12f91b040decb1b268de53423fedd03c1a2ef967e30e34f69c

C:\Users\Admin\Documents\GuardFox\4trEFsYYFs6Jme3QwUfvUobC.exe

MD5 19f7e7642c71d09a9b4eddc0bb3308ee
SHA1 43cffaaddd889ea29f532d56a158c551362b803b
SHA256 ccd87b1214789543b03615802acd8c5d22b31c122e3dd61f306784fe047c1490
SHA512 a9780552a4d7c4ffe99a3f3124f70350d3ef36c0abd0b3ad198983504960f2ec6d6baa6c14e2acd8e04f97ee75cced46f6affee526534652130a972f22f23617

C:\Users\Admin\Documents\GuardFox\OeqTok3crnjqes83Oeiqup5y.exe

MD5 471d4d3135fdf30e6965b2053f3a4736
SHA1 4884aa04d6922434fbfa58aab940f8cc3b48f475
SHA256 8b8708beab060cb3811107593022f4baaf124f7337db9ecadaee9d8ac92a044e
SHA512 a095ff32b8e946a441eeaeeebdc47babefccfedc1e777f87de9fa3e9002e09c847875752a913c6045b18597df8d0615718c13d6fc7bf51d449a88ec132318259

C:\Users\Admin\Documents\GuardFox\vUZBOtp6mXHWVIfMH4c0FtLr.exe

MD5 c4349e2b7b51db1549c227e36fceb7eb
SHA1 069adaf25a880663e9d307f19f16de03dedccb18
SHA256 b10bef2b2ff053e1f2bff7ed1a7afbb0bacc991959ff4b18ae30710a13c5b413
SHA512 11c3ade9581fa9cada008219b918435a67705ef35bc030fdf81baa57602a0df09a19c580ea15e3afff9bcb565b98093ee0930bc185a0a81e6caff2a0170dc681

memory/3408-681-0x00007FF611E20000-0x00007FF612811000-memory.dmp

memory/6000-680-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5788-799-0x0000000140000000-0x0000000140218400-memory.dmp

C:\Users\Admin\Documents\GuardFox\B9ZfLXHjLJO8ElGDIFov6Qgl.exe

MD5 85028fe30acbe750aaa5b4acea2d5dfc
SHA1 973f119bf03f6449b454c2122657476b1430a872
SHA256 3b54f3c3b39aca4f4c3620840dbf347623a162dab3d6b101645c99618230fd22
SHA512 d334127c601c1c223d69633a64f7165b62d9b2ed2df1fb73ab9d221f66f7ad26523cd7f74cf8a740ffd45b310bd7fa2d9be9942c8c3c34f787b5a99a1357ffc4

C:\Users\Admin\Documents\GuardFox\0JDbJzWFF1BzKfWUVTIKTIwM.exe

MD5 1be2d416a8d02c9482669d93eb3122e3
SHA1 09b7088957fa290ae31f53d75c95eff57736e7ae
SHA256 239a7452178372fe148dd33b58009eeef4bbe7f50e666fd6905614250401504b
SHA512 ca229e1ad1a91f9d996657704639519b7e32a545c71b1485797868aeec83b974d14f92033bd00b3b1fb23c28a36b95c1583bf14878b2a20bfad9a4edce72cba4

C:\Users\Admin\Documents\GuardFox\46_sXXY7I21SlDL7QjacEu88.exe

MD5 c3b05916a5f0bd52407920341ea0ce66
SHA1 72f74ee3f8c31628070dfd5d22d909b36ed1641d
SHA256 f51660b12dba53aaea28971568d4bf5ac3f514958198055e033d5f9721fac344
SHA512 05861a8f3e2d204669e818c577fe8b2e3fd9a6f88885ff1264d3f1969e17203e40951edc1225a202f7effac106989d1f46930221dd7a5f7bedc9cbc4af41e897

C:\Users\Admin\Documents\GuardFox\46_sXXY7I21SlDL7QjacEu88.exe

MD5 8f61811b2edddd7ca9ae51d0476adff6
SHA1 0fed4b6193acc228e87712b8c2a54b322010ec93
SHA256 eb61b5fbef4910bad805532f363367ebda1210734468c1d545d6b14adcc04c46
SHA512 8a467f3b888f9b7d15eaffd747622eb7c89ed393d98d197c3bec64d3bd9a7f5eb607257e938534dd15822d569f01fa09c31063a53d796ffe7f9daad27f7583ec

memory/772-813-0x00000000004C0000-0x00000000004CB000-memory.dmp

memory/772-838-0x0000000000400000-0x000000000043C000-memory.dmp

memory/3372-858-0x0000000000F10000-0x0000000000F68000-memory.dmp

C:\Users\Admin\Documents\GuardFox\ckcSON1nq9KzLkUObHcFavDh.exe

MD5 052479899701ff6f80f624c23bcc721b
SHA1 da3e5ef60b2a64ff31199a53375e05b0dd161742
SHA256 c5c5a7efb00877062803fd7faa6ce87350f2f073fc8f791cae2fce8d5e2001fd
SHA512 bc9893c0d3d1a152b7aef7a226f0551f05f277e59297c9c23b58ab355267c63412e4683c628857602e3912fa0c1e7ffe9760cdf3debad44f0a610bb3bf43eec4

C:\Users\Admin\Documents\GuardFox\tzQDaFN9XwE9nJsYRLnotvlR.exe

MD5 a7e011d8a9b8b05ebbb7b4712bb204ae
SHA1 f3776c357378bb1ef1ad33ad05871004f0a4c6e1
SHA256 61f3fdc798d19e864c041aa10567a7bb8f450f3591e2e1d8da3f18935a9b3a93
SHA512 a3ae1cfa75d75c35a20a9d0ccab47c692da42c027cd9ed0d5ea3c09205ba0de112f472f8b87a68a80ddb60423aa8cb37f98f862af2071f7cea4bd55866f0463f

C:\Users\Admin\Documents\GuardFox\tzQDaFN9XwE9nJsYRLnotvlR.exe

MD5 1e2638300782b90e693006e81b5816b2
SHA1 824ad5d7c9ee9f8471d45f47f6dbbe1e928a857c
SHA256 d42b3085e27b55b027e38c5dd8ce41ef21dab36b27cf7cd3e637561a453af152
SHA512 7a37bcf46b87ba36e1dfb65016624b724c30c806d52edb0a5351fa16c85bb4300752444419492ab4fd9fc3d49c1ac772f6d2ca4fa8283681a283beabbd65be4e

C:\Users\Admin\Documents\GuardFox\nPvDO4HoS_AqQU2l3rVMl0pH.exe

MD5 ce4ff6b20e2f96c997b2b5e1a0ae1d98
SHA1 9630842437743879ca59443ed659e1ebb0e84af5
SHA256 947ec5627f6bf6f5f599fd82dfa27866f16bee691dd16aa31fab2a63a090184d
SHA512 8b7fba696e7ed175331aab033c66643dcd198ac9ba721907c239ff9cac4e8a36eae63c6ca254c58312747b6395eaa1124daa4777e5337eab8c64acc67f2a6293

C:\Users\Admin\Documents\GuardFox\ckcSON1nq9KzLkUObHcFavDh.exe

MD5 b1c8d83222e716cf73aa6e48183ea487
SHA1 a979488da237bc1350b425137e0b4428e7bd733b
SHA256 b873be82b1996f377d41f80af6b669fb27d3620103aeb2d06c009eb21a2df342
SHA512 3cceacf9f30a8d095788e4ea6ad628ef4beb5e0e5854232b55a48aabf910017a4437d6fae21c00bbeb50da94ee17dfeb26bdc4ee8b8ac6e450aa6deff147a6e9

C:\Users\Admin\Documents\GuardFox\KK0Vvbx4i9pQ519SIuE5Ax9M.exe

MD5 3bda5dc6bce71be629008c6d446bdc14
SHA1 389a2727c9c20822914de88ed42c875f631e75c0
SHA256 82f3596142b6cc092a427ba833c5c36918092df1c9feafae9d648caed25bc287
SHA512 124f90b570ef5d0788baa9aa45cedbd00bd4a9ebcc237faa305086f4536ac650ec7a9b8a47c90cdaad4fcc9ea3b552dfabe8d62c510e63362d00eefce6e5f35c

C:\Users\Admin\Documents\GuardFox\KK0Vvbx4i9pQ519SIuE5Ax9M.exe

MD5 cb1fcf9f8dd8233c5dfee5d6857ccda2
SHA1 807536edeacf2b58eff575bb498131d9aa04b852
SHA256 28d576e295b44f93b44462c66258299d8235ee36304b0959442aa248d2518579
SHA512 a10c1bd7b515a1e1ba385b0a08e4a9f165b180a7e5110d398b674c0f379191c04d708f0330d103d5b136d1cd59f942e0c87b98a8d0e07705e09b72733e61a2e1

C:\Users\Admin\Documents\GuardFox\LIFxed9heHkZ445Vw5ffhUOd.exe

MD5 4b2cae6eafad4a4841ff8e843aa6d117
SHA1 2c4ed129768d5cda2259096ff7a41151b0f8a275
SHA256 48db33365170b27f6711d07811c8e76b483a2c5b083a18eac2b70688b79f33a3
SHA512 99355cf97981d0a4fe23555b404ac8b6a0f2ee71552f9f8e33df60279117495faa823cdc40661b3f8edb94bd1b406f5f172d2879e99704f0d286765ea82cc334

C:\Users\Admin\AppData\Local\Temp\is-UAAQ9.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\Documents\GuardFox\R08uTl2rhKjiEbQkYXCuC1Dj.exe

MD5 238d095881f6344ad3651bf8bb8b2701
SHA1 f741b9cfe03196a3eaf1e1b1d631c936538ca738
SHA256 461aa35026cf17f75e2e9e7f3c8241600bf5e246abc21e23bbcbdea74ddf2038
SHA512 2d0e445a566342a293b6f5b1e3a413ce85e7fbd12b39b6bc6b283525885ea0aa12ee5c4043de0d5a5e16867d6c5418def8a917c124ca9eecc6a4c2dae277b109

C:\Users\Admin\Documents\GuardFox\R08uTl2rhKjiEbQkYXCuC1Dj.exe

MD5 d7767041989ba5fafac31316e8c4c0aa
SHA1 889bf716bdd96391c02e5a21d963a3f71fdf5b1b
SHA256 fbba47504cbe38b4b39f2aa53491e09fcaaa49b06f4298779681ce631153e57b
SHA512 c4704bf00a2d7927c4936558e6f0cb8958658e595dee4087e1b7d98a66c8c33aa9377c8278e499f0b4e4da65bcb048bda0a5cdd7c406b8ceb79fe2935c961441

C:\Users\Admin\Documents\GuardFox\LIFxed9heHkZ445Vw5ffhUOd.exe

MD5 97584c4b40184a66673b9a81697ae70e
SHA1 92ad032bdaf8eb872eece0a3f3eb795cf0a09111
SHA256 5251293ef8e6dfdaa4888a3e1b93bab3bdd1f814c551d008c88d6333a2b85afe
SHA512 c8ab4ab2629aa61c2c8ca594b276f53eb2f57bb0bd6387bad7fda196d13a15516256fea3a28590bbd13f009d867900ffc8fffc7ddab987bca182992dbba4f6ef

C:\Users\Admin\Documents\GuardFox\MHSgYdsltabeUcSs5kmRsv0T.exe

MD5 f34cc581ef71772fc55b4f018e55ad8d
SHA1 ca35e1bdb0301587ec289bbe0a4c5ac52b70a0ad
SHA256 bfafb934e683b5c96157616894fc0f888c1f5e39511b6935b4a4815a13121a48
SHA512 5ba0d48a1ed2c2abaa778a792d864d5c5f18f1c3876a7f7cb137ad8d8fbb5034d8b03f529f9559ac960e2f23e85a02bdbbd380fc26ee33c64aa41d64ecdbd2da

C:\Users\Admin\Documents\GuardFox\MHSgYdsltabeUcSs5kmRsv0T.exe

MD5 9d682d057eca5e85dae9e2ca7e138c0d
SHA1 649de1b0383df63875d7e7fedf04a2fc382e3de8
SHA256 a8ddb0ec97aa14ea5e40885ff2b1a55df34a36251827776ab382bea76655bd28
SHA512 431c85ff4bd5378ed5f2c13f0afdee9d96d2b83745f8999a88745385c09492170a1a3b545050abb526b22c342d661aed7b2b80d5e0a9c727c8b54a65466d7fe8

memory/2164-797-0x0000000000400000-0x000000000062E000-memory.dmp

memory/5016-991-0x0000000002000000-0x000000000208B000-memory.dmp

memory/3816-960-0x0000000000A10000-0x00000000010B4000-memory.dmp

memory/3816-1003-0x0000000005A10000-0x0000000005AAC000-memory.dmp

memory/3304-1018-0x0000000000400000-0x00000000008BB000-memory.dmp

memory/3372-1033-0x0000000005860000-0x000000000589C000-memory.dmp

C:\ProgramData\TVTunerClassic66\TVTunerClassic66.exe

MD5 80e86efb7ea642b5794b19f381e48daa
SHA1 d61b28eba1f6e97b9536eb29d4030cbc4c0d708b
SHA256 772b71a2260b1ff55b504df1522240b9118f981d04849d1ad7cf365a46dfb3a0
SHA512 ae41e367e885e35f2ffe9c745f79758876a62cdfb0ed800eedba2514ae130411ac256b960f3b905998520d99b4231dc2bc46656cf6aae0b2669b649af9ec0e18

memory/2272-1034-0x0000000000960000-0x000000000165F000-memory.dmp

memory/5236-1041-0x0000000002560000-0x000000000267B000-memory.dmp

memory/3372-1042-0x00000000058C0000-0x000000000590C000-memory.dmp

memory/5344-1055-0x0000000002FC0000-0x0000000002FC1000-memory.dmp

memory/5228-1054-0x0000000000B50000-0x0000000001464000-memory.dmp

memory/5344-1063-0x0000000000460000-0x0000000000DA7000-memory.dmp

memory/5228-1053-0x00000000767D0000-0x00000000768C0000-memory.dmp

memory/3816-1067-0x0000000072E50000-0x0000000073600000-memory.dmp

memory/3408-1084-0x00007FF611E20000-0x00007FF612811000-memory.dmp

memory/5228-1083-0x00000000767D0000-0x00000000768C0000-memory.dmp

memory/3408-1098-0x00007FF87C320000-0x00007FF87C5E9000-memory.dmp

memory/5228-1094-0x0000000005E20000-0x0000000005E2A000-memory.dmp

memory/3408-1101-0x00007FF87E7D0000-0x00007FF87E9C5000-memory.dmp

memory/5916-1102-0x0000000072E50000-0x0000000073600000-memory.dmp

memory/5916-1105-0x0000000002D10000-0x0000000002D20000-memory.dmp

memory/5916-1111-0x0000000072E50000-0x0000000073600000-memory.dmp

memory/1680-1112-0x0000000140000000-0x0000000140876000-memory.dmp

memory/772-1110-0x00000000005E3000-0x00000000005F1000-memory.dmp

memory/5228-1100-0x00000000775D4000-0x00000000775D6000-memory.dmp

memory/2272-1126-0x00000000767D0000-0x00000000768C0000-memory.dmp

memory/2272-1128-0x00000000767D0000-0x00000000768C0000-memory.dmp

memory/2272-1135-0x00000000767D0000-0x00000000768C0000-memory.dmp

C:\Users\Admin\Documents\GuardFox\0JDbJzWFF1BzKfWUVTIKTIwM.exe

MD5 d6478539fcf0e2c04cc680c4cf8a3761
SHA1 36e2822251a96ffa5f4cdde8f926ec26516ceceb
SHA256 62828171a6abc83df9e687c060394427e7f7c0cb31d21108ca7c3d2e0d137258
SHA512 5ab9dc9b0981a810154bd31dd586af16320463b6ab7ff81c425e1fe19ce91ac7a2fdfece4e4d631fb911cd2021f9de48199ec69e477f9e4c38adc3a94351865c

memory/5244-1122-0x0000000000D60000-0x0000000000D61000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Y8wSg2.cpl

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\Y8wSG2.CPL

MD5 7aae2dc9dfa685d97d4a8670d2b13c34
SHA1 5e7c50aab53c0ebd3757f82bbb433a2300bce1ef
SHA256 0c4081104590f108517ce61c5dbd9241ad33956105f929d46e6b38a5896c0282
SHA512 36e470957020db1710eef9462e3be93dc0eb9365503b8fc7bf6f6e6695d491cd28f2818e8eaf32f5a518756116f091465a7d6fcf043a10f6f914e68f9c149a44

memory/3372-1144-0x00000000066C0000-0x0000000006736000-memory.dmp

memory/5200-1143-0x00000000057B0000-0x00000000057C0000-memory.dmp

memory/260-1123-0x00007FF62D1E0000-0x00007FF62D232000-memory.dmp

memory/3408-1092-0x00007FF87C820000-0x00007FF87C8DE000-memory.dmp

C:\Users\Admin\Documents\GuardFox\jxXiOgogI8vV1byOdAIl_gx5.exe

MD5 696e45840de3dbd2c6b00fe85651dbc6
SHA1 03ebfeb1f77b77eb43d7fc021308c261c0da10c4
SHA256 a0809d763a1b27e81c0acd8fe084ef2b888f55477dedb9ce0a48dd04c39e6855
SHA512 798b1155f08ab0989011c0ffcf63a44b5af1791e454140b13f1d01487579c3034b3f1a349abf7f7eb9fcfb6741fd1913ec3e1f9dd799a5e440fbee07189ae2c6

memory/5228-1097-0x00000000767D0000-0x00000000768C0000-memory.dmp

memory/3372-1091-0x0000000005770000-0x0000000005780000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A65DBECD82A40019E873CE4ED0A79570

MD5 e7cf9e6dd39c2a2bc1e9bfddf194f120
SHA1 b9f66ea1b54fada9bdf6f7528ccbb40dd16af1ee
SHA256 309c47c73d3577d09e93be307e0b0bd7f8615adcce283a5a493e6ed24df537ee
SHA512 fef8f1734b6b6fa936bad0a1ec669caca9d41b708fb685b1f58e2acd9e10c0baff1db3cd60037b2d286ab962bfb27ed78075db35a30cc8eee0ac6548b9af2ab1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A65DBECD82A40019E873CE4ED0A79570

MD5 116b4703ec33f2796c58c79155b2ff93
SHA1 42f55fd7cb06bb054b85e676aeb673187e261ac9
SHA256 afea62aa40641fa7ef00f6023ec004a8de6b933897d20459331853664d5a8b22
SHA512 e6ffe7e701a5f810839d2e0206e3a37772b7375524a901e474c9c27584ad84ab1cccf1dd622fa39a4b95402c37fd3159c74b7a86da63d487a2167a9178913e41

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

MD5 13b292cce3409cfea88abc65c5fbda62
SHA1 a759a13e792847ece5e217958dfa56a1cb534b31
SHA256 2f9f9f22cf95eefbdf3fa2058aca5b02e8efd9fd17a8569d805acd8c7e26de05
SHA512 6abfc61211b7068e869da8eecafd6fdf28563df9399100bc647bc75d79015d44cf683481a5b80eaacb711e21188694ee3a173cc5cde9f71c3adcdf0e06578286

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

MD5 400811b05eb942a1a19f36e842e9c783
SHA1 19bdb897247294cc0f38420b8e8a653df4486f66
SHA256 f6786a03f7da751691a2ae05fc34cdedc941e05b61c924a794079aed828643ba
SHA512 ed48a6bea22a79c520dafb9b86a43e53e24be31e5e3b589abf4eb4587024025c2d386b60f58b80f44a1b37207bb6e373ebe2b02fad8162543fc3cdaa2071205e

memory/5200-1096-0x0000000000400000-0x0000000000454000-memory.dmp

memory/5228-1086-0x0000000005EA0000-0x0000000005F32000-memory.dmp

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

MD5 cdfd60e717a44c2349b553e011958b85
SHA1 431136102a6fb52a00e416964d4c27089155f73b
SHA256 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512 dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 7cc972a3480ca0a4792dc3379a763572
SHA1 f72eb4124d24f06678052706c542340422307317
SHA256 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5
SHA512 ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

C:\Users\Admin\Documents\GuardFox\3WrAbCyIaBJPtDN1TKzKuNZP.exe

MD5 f741ca8d807125c58d645b96cc83d785
SHA1 8845cf33c6f86ede9e72212336e84ca8146447fd
SHA256 52f56007cff1660f366f65a877559228738dc674a3b1e17757bb6b5f6e6e40d7
SHA512 a4a1c2441081cd902ed3c9b34edc989dc25ae89715a5272cd69da49c60c3b01e82c15072e948bfba229005e2b40040ab15cd1f3b0956a8078e5e2a641c354b7a

memory/3372-1090-0x0000000005C30000-0x0000000005C96000-memory.dmp

memory/5228-1074-0x00000000063B0000-0x0000000006954000-memory.dmp

memory/5984-1071-0x00000000007C3000-0x00000000007D1000-memory.dmp

C:\Users\Admin\Documents\GuardFox\jxXiOgogI8vV1byOdAIl_gx5.exe

MD5 99f328d2b85466a3cb61e07fb0dacaf0
SHA1 14de39cd8b07ab2bec81891b1b3a19b933ddbc2b
SHA256 fdaa93e87e12e38fc0c96f6736a26420c8c6a7855bbef12654ab7ef35cabac47
SHA512 835bdd1626cd67e5d62343fc1a443db5bd9d2042ff16efbe01fdb66915ca4ab838862f24eec87c7622f6b2e694739d4175648b48d7edc4a78fdcfabbcba214dc

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

MD5 e99fa563f6176491cc9b2dcfc7b347ad
SHA1 e7c105903dd2f58d1f5cf31fa98c9fce0bfda46d
SHA256 f52af01736b2b4f367673071feaf88a1bfd464030d66f27f38a9806640c35edb
SHA512 2eaee8f19f6f64d609a7af69c313b18deac6dde786cc6ee2a8aaa112c5be766ca76069465f9ab1247c4dd1b73e6b2410eb23037908ce4d50c5f32a81d3522bec

memory/5228-1059-0x00000000767D0000-0x00000000768C0000-memory.dmp

C:\Users\Admin\Documents\GuardFox\jxXiOgogI8vV1byOdAIl_gx5.exe

MD5 773f0fe5c9f89d9914c61721885cc9b3
SHA1 2bfc6a9e8995c99da68a98718b2ddde9aa262048
SHA256 460f361e5c82bf12d1042ac08cc941d4e24967df53fef2d43980abf3e00823dc
SHA512 2046f77438c05c39edc1e7634bac3f1842b62a3291043b182979aba0244dad6df9695da1ea6d6d6bb3760e37c04b00da0a79ebc898f7b8446ba4698e208ca517

memory/5984-1066-0x0000000000400000-0x000000000043C000-memory.dmp

memory/5244-1056-0x0000000000400000-0x0000000000D40000-memory.dmp

memory/3496-1051-0x00000000009C0000-0x00000000009D6000-memory.dmp

memory/5244-1048-0x0000000000D50000-0x0000000000D51000-memory.dmp

C:\Windows\System32\GroupPolicy\GPT.INI

MD5 93b3886bce89b59632cb37c0590af8a6
SHA1 04d3201fe6f36dc29947c0ca13cd3d8d2d6f5137
SHA256 851dd2bb0f555afaef368f1f761154da17360aeea4c01b72e43bf83264762c9f
SHA512 fc7baef346b827c3a1338819baa01af63d2d4c31f3f7e17b6f6b72adab70de81872a67e8f3c1a28453abb595dbac01819a9bcff0710e9651a45deaf2f89e65fb

memory/5164-1036-0x00000000005F0000-0x00000000015A3000-memory.dmp

C:\Users\Admin\Documents\GuardFox\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

memory/5228-1045-0x00000000767D0000-0x00000000768C0000-memory.dmp

memory/5228-1040-0x00000000767D0000-0x00000000768C0000-memory.dmp

memory/1680-1028-0x0000000140000000-0x0000000140876000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 8ee28fdd4656ec5cb0299622e2be3fec
SHA1 999a6c4245e3d33f1c6893d771608e814ec36591
SHA256 e35cdbe186ef574487f465aa5c03702d3599b5029f35a230f444b759df085815
SHA512 bef95f48a36e727db803a16996ff8a3b8c989514d107f796c373a0634987a44114addf41272e93e550a7af1a8fc561279df62a5bac33be9fffeace313d40ba9a

memory/3304-1032-0x0000000000400000-0x00000000008BB000-memory.dmp

memory/5928-1031-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\Documents\GuardFox\46_sXXY7I21SlDL7QjacEu88.exe

MD5 6f0e5ad311936054a33eb7287c594521
SHA1 c973d47705660081bcbce5a99832c5f035168776
SHA256 54ee98582d3733d200040666a41685a51467de8ed0f6e06bd076fb94ee7ec1a9
SHA512 a00a696feee34b30eaa3dc88878d649ea824d82abf67fbcfd058a2942d52a0092f750e3a41abc303b8b04a33b05a34b528be4e9827a272a40067e66ba8fa367d

memory/5236-1030-0x0000000000C1F000-0x0000000000CB1000-memory.dmp

memory/5228-1029-0x00000000767D0000-0x00000000768C0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 9c28fadd569657f9f7f0f72eb8108cf4
SHA1 23c407b2b06c803bd76f366eb7fd167e29355be5
SHA256 94f1c750a7264a8eec2d9c624f91a4f6734668c1d573d082773e4f0f8dfb841b
SHA512 ef4f5429dee4d410e8a85c66a9f9b2d38f4967ca3252a04c0bcef33c907da72d3854886439aa5287fd35dd5efa436cf78137060e9fcbeb626eac0fe8e78012aa

memory/3372-1025-0x0000000005930000-0x0000000005A3A000-memory.dmp

memory/5928-1024-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5788-1022-0x0000000140000000-0x0000000140218400-memory.dmp

memory/1680-1021-0x00007FF87E9D0000-0x00007FF87E9D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Y8wSg2.cpl

MD5 eb29575246840c8af35ea1c34d07ef85
SHA1 6e6e85305efafc9bcd5ab328a1881062a0ff6c86
SHA256 ce18bc401bc8d3f47ab89316a57194ed4bf53de3b5f384c4dd60271d453e736a
SHA512 c793c6512ee7d03bece854556d52998e961f63316d04d9897fd1c2936ebe7618347c99232d100c3fd714e787ad876566b1a1c0aaa74dd956a58ebbb7e9bfac31

memory/3372-1017-0x0000000005800000-0x0000000005812000-memory.dmp

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

MD5 b701b84a478eca25a6477044185a81cb
SHA1 fbf69d0711f3258f70d0727fbd02ba833a24dfe2
SHA256 389dbb9bf62f734445c8ae5d6e753943dfc7a20d53c190c5a0b8b91cd9d58a25
SHA512 6ccba5dbd6102a8a0aca7c14dc22312405b1ea297c9dd6bcb6beddeb261037217f56f1b09e48708091ecba1e99a43e71ba112b2a8349efce9421da860f81d6b7

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

MD5 f5b169d718f01a57cf589951b68a9238
SHA1 97aef25a71d56e710b942eae2d6c56ee4ca93706
SHA256 d36473fc25e32748e9192eb33e5bfcd121f1721d1599be8c4ca3986bba919feb
SHA512 b36c45bd4bf3c51a78ff6a3fea5fe0fc4631a8e4e7dda6a2db2289cfc3be0aca6ef61716a307f1b73eeefdded077e10d070c2c97022b7e950516c9fc7d4246a7

memory/3372-999-0x0000000005DA0000-0x00000000063B8000-memory.dmp

memory/4872-1014-0x0000000000540000-0x0000000000541000-memory.dmp

memory/5928-1013-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5916-997-0x0000000000980000-0x00000000009E4000-memory.dmp

memory/3408-998-0x00007FF611E20000-0x00007FF612811000-memory.dmp

C:\Users\Admin\Documents\GuardFox\XR0YIbtqmyEEIPi760UciSol.exe

MD5 ebd6f7a6cb7aa2c1f16389618828dd18
SHA1 6f0ab3eae5a5c4ed3383ac48a4ac067294c87728
SHA256 80b7f795cac71ff494d915f171bca9feca53cf6d9c6d5b87b2c773ea8266403e
SHA512 b0ab45f303c0c7051da0248713d0b672d262bafde69112e3fe021426bfce869089329b324e3355a94cea76cec4feb6a024ab74499e1f025f82eebc3da11521be

C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe

MD5 600cec81dc99a512b90cdc4022d0ac97
SHA1 67ebdc154c62233e9a524434a28d593b1bb6b30c
SHA256 911c0dc87caec871240258622fd0810b1cd9c04cea68f19f151e31f0e648c502
SHA512 f2b1ae5883f75df307266d7053def83ed733e754fa53a87d49cd5714186103387efdd336e0b8e7714bdf8f9a36786d21a747890d082055db95e8506d9f4352e9

C:\Users\Admin\Documents\GuardFox\B9ZfLXHjLJO8ElGDIFov6Qgl.exe

MD5 6488a8f662d69cfe625ffaa141353744
SHA1 03a1ac8316cc7f516a3df30f4770a5cc3b67ec77
SHA256 6befda2e6455913396c29dd19b72b0831a893afa294b4e3b45b422e27a625c1f
SHA512 1dc1900047ff25b681559fd2f27ed5f5f284fbe610afd258406fdd00945e80dd5776ddb25c8e1cbed8830a3b514a41e4098bc204ac373ffbe19e4c2febf892ee

memory/1028-961-0x0000000000E70000-0x00000000013DC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kb5amd3u.z3i.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5164-958-0x00000000005F0000-0x00000000015A3000-memory.dmp

C:\Users\Admin\Documents\GuardFox\LisIvn9B0eWX39XfGBxbdtul.exe

MD5 3bf41b6bc6f6dc656f0abda1dcd27e79
SHA1 0b22b556ee415d030c917f9be612a69d7f30884e
SHA256 9c6e8efc02febe5756320341610a25746eec5b1f962a71615ca20bb2c7894209
SHA512 4f814e22ecb9aca2b43113f8e433b6ee9aa0a39dfceda4b0516324f61a05b3e2426084496fb94320b22f1f5c830f2c724c8a6633e8a853502369c2c3879687e2

C:\Users\Admin\Documents\GuardFox\LisIvn9B0eWX39XfGBxbdtul.exe

MD5 5d2a0ef45593da25922e83a78ab3e7ef
SHA1 eaf0bed236b405d6822de41850639c17ddf618b1
SHA256 99997e6fcc339a7f5732f03c582b4a2be776032df232013799b7bee50258b14c
SHA512 85a71099353183005c64778a4941e87706eaaf59c01d6ac7fffa53dee56ad5a2740480a69b98214ef8ca7a1f92524fde4bf0c97f8fef6198d735ad3caec6f22f

C:\Users\Admin\Documents\GuardFox\MHSgYdsltabeUcSs5kmRsv0T.exe

MD5 638fb4e059c2b4f520140ff980acda0e
SHA1 d2c6325ba8a7cb1b1e9ccf5fe2caf2bc6307dadb
SHA256 02beae1992a5a39c7fb8a7e92e821a2b37fed61e45c05688dc71a5035163ac42
SHA512 374d4d29fe1c36ac2f41dcab96117a1b127ca1498af3a10cc46736828fd5fe98252db8e3f8884583a959c9e5c9ab29689ec3953325230b109a707f4313c8f183

C:\Users\Admin\Documents\GuardFox\QCBuhoR0_O5gO9EbQFahIqBy.exe

MD5 072932d63a4fdc222735e6f713a514ae
SHA1 cdb200e4c759600e4a83e450fbd67a7682526ea9
SHA256 eb27d4fc56e8a66e9fb47d0b73b752f963855ac169130d55a488709caa466bba
SHA512 c7512594cb7ee7d9d3b3f71ff8931441932473d25561d946f55aface0c704b01a4f7bbbc8fc53b30e1cf1be10030c91186988f0ba6183485037924bb83db8702

C:\Users\Admin\Documents\GuardFox\qV9mEjhKIBcQ7TuES_j_hidT.exe

MD5 480e0f4949b8a263d7cfa7053dc1cd75
SHA1 368a4ef1942d423d5a7c47b994b0ecb7113dc29b
SHA256 094c50d7d6bdf0ced2a67949dadd9361b259696d6721e71fb4fa69b2905525a7
SHA512 23583ccdaf5894b3bfa4130de4ea37a53478ecc64802fbb9ae37ccf80c6c39f8c797dac0e49ec6da7311c76f82d7c9e98bded5017f99dc4663df91c9eadb8002

C:\Users\Admin\Documents\GuardFox\3860sw0VMSmL9vdt9w4gL0z7.exe

MD5 c5431ed88227d6f2e201da982db63f38
SHA1 9dcf0e8327f61df9641050fa30fa8a75642a2161
SHA256 dcd703912d6ff2ccc9739b82f12fb2c861812f53bb2ca9432a99850dd172fa94
SHA512 381ec81b6822d09903c3edbdee47c2364f797a9d1f047c896cd85f2fe87ddea10839f67b0ef9d148e9cc756322e14e3f1e57dbded0a0bf53416d8006a59284be

memory/5788-638-0x0000000140000000-0x0000000140218400-memory.dmp

C:\Users\Admin\Documents\GuardFox\LIFxed9heHkZ445Vw5ffhUOd.exe

MD5 c34eeedf7da3f9878112689f4b0774f9
SHA1 18e7edacb98fbab4cb52e3b4cb31eadd1c1a8462
SHA256 ac79db8456746e785c5b02e017f7124293d571e535e56f32a2325e79a8568588
SHA512 24a2ae5cd593e2a693b277fb7c37e07342e00c44a7afdfbae8ae1c8f6ef429a1b0436d94b640e0473dc1358a4a2a5f9f5ff0b139f6008c858de6b586344ccd4c

C:\Users\Admin\Documents\GuardFox\0JDbJzWFF1BzKfWUVTIKTIwM.exe

MD5 b718734ab53f89d11581fb0046d146ec
SHA1 f8e214195fa93faa1cf4d599ec42793b5a1be038
SHA256 59a747bf1aff1136ef62e67aae711d092b36e2a81a430054bcdcc31b1f43bcd0
SHA512 b4e6c2b2b8d334a1fdcce718ddb3f8f42a6aaa5fd31afb666e50c630ed69e84a9a3473ef74da988b453d373ec64d4d2d4ac4cf41aa5b24fdac9e05c200d4d3ae

C:\Users\Admin\Documents\GuardFox\tzQDaFN9XwE9nJsYRLnotvlR.exe

MD5 c36248b86a1d970b12aac42b10563471
SHA1 fd76a48d759efe38c3273b7c6b974b0b09a94b46
SHA256 bba0942a32968ebb352ef457eface10e4c6123cddf790f4eb7e4a82e574e62cc
SHA512 920170c0c6eb859cde8855d2366794c3e3a6429ffc8d7555a65637644c34a28e865089495d65586c145f94e4e464ced1f2ea3cf8729c209a6af815b0270bfbfc

C:\Users\Admin\Documents\GuardFox\B9ZfLXHjLJO8ElGDIFov6Qgl.exe

MD5 702dbd36d711bc3c944615fc7b0c73fb
SHA1 1e91343c6864f11a9e07337076156f3842ea35d9
SHA256 7deb716daf9901835fbbb945742b7abac991582b555e48a5c8b7f73f8706e52c
SHA512 08ae8c51889f75cb3b8308106015f5f9a44b4a6414ee61948ff181357b0330bd4977fd7a078ec7c29cf0eaeddbb50937301d8566d407d2e7eb69150337fa86c3

C:\Users\Admin\Documents\GuardFox\KK0Vvbx4i9pQ519SIuE5Ax9M.exe

MD5 b889a30641c886d2be227ceca59d2617
SHA1 a7dab6c3405ba588692b71a84738bec5a513303f
SHA256 2f2b75b6b9c272bd6f198ed753585af51c500aee269286bc936e84d0c2be520f
SHA512 09c58146d116c92448a7b417b5db4ee0b13290c8fbaa256cc5574bffa0dc86700756d66a87a4669035d36f4fcfd1a03859f9e311f7b6ce262d1df77350667abb

C:\Users\Admin\Documents\GuardFox\ckcSON1nq9KzLkUObHcFavDh.exe

MD5 61156a6fa4b5d720a8a63648b3248939
SHA1 69d71e100a561ca453eed6e8055d61f219ed1241
SHA256 f57d0af1a2de98eb2e3f82b2fdd7fce7e5ca7cd9bf04176756f618c29f166d46
SHA512 71553308732b9f3828fc59f4691de6b06e228a02e705323651256379b812c5f2483b525e3b83c6bff914dc112e1c078024e387db1c92950b05a493c8d3807161

C:\Users\Admin\Documents\GuardFox\R08uTl2rhKjiEbQkYXCuC1Dj.exe

MD5 9bbb781c6b4c01e244ec053bd8d37037
SHA1 73f1a1effe15421da76306e21fbf1420764a1808
SHA256 afd27b275c1caecfd656e6a141d51e460a30b1560a48cf371d2f52e407caf8e9
SHA512 516450c9e30a24c008e56b73fe4708ef5309eead6b8018ca6eddf6e5403afdd6fa0d1f6ccb52994b8195ace1441737ca917b4ee22be004087cdcdc4209622afe

C:\Users\Admin\AppData\Local\Temp\1000114001\InstallSetup8.exe

MD5 fa193a54ab90b852ec2db7e03e91934f
SHA1 48b38dfd0e3f04b395fa690600a8dd98c7319f31
SHA256 bb5759a9c70a7276c07f010d0e58854e62724d08eee6b9b8b90da507521cc671
SHA512 cf425a5a9b36c6375c0e5489018d43be79ba7bb54f05807a9b6dd36a81721e5169de6ff9368c697336491c12a759bee828dd15e2987a6eacb9d278c8ab13866e

C:\Users\Admin\AppData\Local\Temp\nsnF398.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\1000115001\toolspub1.exe

MD5 440b65f6d8d2605472a027cfb14eec77
SHA1 92add272018823651443c21a925eea6d23713a7f
SHA256 09e8fc90f20ae119566ded74bf8de501f732eb5ee39e5a66bce7535494089c73
SHA512 c38f54469232ccd565bf03962ef63a6c69e76389d762917b0df5cd4ca11fb26fd8ea66bd2c36f1b24ca705f37066c41f9b9645f357925adb1fd88ede8fefd5b2

C:\Windows\System\dc.exe

MD5 49dcc4c5a00e308b4f29f280a0c413ce
SHA1 339d0f892e8b9232c08c65c7f277c382ac4eb8bb
SHA256 2b78f99ea01ecb6a5419e38113fad84e45a25b1dc5475e0be75104fe854fcd89
SHA512 765360760b53542906f0377195a5473cae3801c886774819fa5e66ae63cf8d2dd354ce862bf53710e49018a036cb80f40774615d24903e4a3551279bb2d673c7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ceoajhiemdnnjfbilpkblfjghmmbhbda\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\1000119001\FirstZ.exe

MD5 11f3773b7f7d8716dc9dcab9c9b33bd4
SHA1 e124c60c5850709d028550fb5e8e77cdaefc9902
SHA256 fccf88d70d18229bb448d4e124f1b749157bfe98ac36e07834722d03016fe9e1
SHA512 5c86dcc1723bbfea92ca8df37c31331fbda95bbeb0a62da6bbe01ddfd37f7dd5204659a8170175980cd6876717b621ab3b9fddcf5a918a119e40c87d608aa52c

C:\ProgramData\mozglue.dll

MD5 4bf8abb608c2bac061415ac99d36899e
SHA1 9d4d7b680b6fcfb00c5bda6026d7ded41cf69f69
SHA256 34a7aad1f04ce9f10df8e7ecdc1cae87fb093166647803944433fb0a8ee94ea1
SHA512 629cef6e8529eb8cb9c6ea32d375262421053c13c3fda0193f5ef06f144dbbeaf17ed4f1a17693e76dbfb6961ea4d277d981e860774787e1eaebece22983c914

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ceoajhiemdnnjfbilpkblfjghmmbhbda\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 7e29139bfa626f96857f6afa0397744f
SHA1 2cb5c8335f15450dfa8d38b6a033d72a4f1fc824
SHA256 cc684925b7c61d219a05071b3b5cff8c7f71650bb2196e55b3bfeb1a128cf40f
SHA512 1583c7e55f23e0648fe0e4fcec72be85b1c5b5f9315bd866d66dc6ed20dc3398f1676dc33e9b067f860e3b38cc4050ec50035eb91c56446d3fa159c219e6aed3

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 c95aeeb87b5fa01e22e239ca6d87d8e4
SHA1 3723dd08b281610511989968c2e3930e0f8d1c34
SHA256 a5342641a775d58f2c3e123a9541a1788c2e615f416b720cb7850ee5dd9871fa
SHA512 eebc0a77dd3e46b58bb59523662ff1bcf73d01192d39cc7b3290a30f3664deac3fb85011bc63b39b99aa972361b20c54021ec694f807d7e789628c6a6dbecb5b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 de7225061903ebfb2c8c53c265922071
SHA1 8c54d7a39a16039f5b1eb1eeec0f614b71db8b68
SHA256 8170c70b7505211374ff61d581bbf038618fd6092c6c5927c113e7a0866c74ef
SHA512 36a95f3b1a251a6c06eff737066b5aad8f3df3363b672497b1db3cb53031262ede0f04276f1bf9618d66a0a1a55a459a35c1c7182bcfe518eaaf2bae6dc4fb22

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5819dc.TMP

MD5 4f323e1f1ce51bea4e94fb6b07e53caf
SHA1 10877407bc82120eac36cb2061148852fb0f4bd4
SHA256 342c7ea7f3ba2c65443b5bb0570396081f2fb3dc7f34931511606a05263523e7
SHA512 6c44b7f26fad160d01cabeea9e4c8e71cf2dc56f251cd655a755301b88ddab5b38c77b602565dbff44b5f97a36193eb1a47c9e4fdf0a0478a5b92dad365bc9b1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\53f9d803-763c-44e8-a742-6c1d2cc8f7a8.tmp

MD5 61ddad320efc7e18dd25821a48d2e0a1
SHA1 376e1b99edab6e5a3c64a1ed25a269d55c3637e6
SHA256 d6e1a39327c37b1a2bdf44840b313875e14191f821841c337a981d0cc515760b
SHA512 91ff62e343edbe019d4e0d2a9d0088955e1a9e2dc0aa7285749fb356ad22b903608dad4bf897f56159b570f4ff2e3570be22e34961fc2f9b7f593ae6ee48902a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\42cf04426a7b4839528056aa9af2b559

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 24d36522614dea5c313872d9542836dc
SHA1 2c5b51abfb5dbf058d622247acbd3fe46ee3c8f2
SHA256 0bebd9325ce670c355490adad0c6c144b6488a8fc18a7dfa2d943a82a004b21f
SHA512 1e60af7f4ff55e2f2f6e998cba2bcdcd188bb529e960e67d4ab4c9fe8a1fdf293a528d055442f109b6bae4381a6a3e49b49b834f53087ee0a159b727f7db6003

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\ProgramData\FCFHJKJJ

MD5 92be7d444b8f6922a7ab205f66109c15
SHA1 25ea6a81f508348a61b7f4f668186069b00ccb8d
SHA256 89121f65705e315dd36be848aac783b0cfc307a6848392af9346f1f288e474e9
SHA512 c8c10adcc6f1dbe3d5c9022d303f2c6cc68c458949a8997f3bfcf5ca9a3620d1e7400b46ec36727b9c6d760d108ea889aa97a0ae9d505768822b6a112793bbd1

C:\ProgramData\HIIIDAKK

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\ProgramData\nss3.dll

MD5 0f365e457bfbe700535c7139339a1ad8
SHA1 57d1755226146991aa84693cdc439d86df1a8cff
SHA256 65bcac4e1e19998a4b433a8336396a5cbf650d08661e785d1a3f7eb70c08add9
SHA512 c6c63465ae0d6711c028f360a2d124b56b6a4c82d661d65043dda676f001a5c94ef62f467f511a80bda7ad69326901675d7eadf044a8175f0af99e66de32adaf

C:\Users\Admin\AppData\Local\Temp\hfcuggj

MD5 cf29453ce2eb7cf339810b155c269f5c
SHA1 87238b3106b2c32161bd3a28c342d8cb9b90879f
SHA256 1c075feda9f0271cf2b9bfca8822bdf5d221e45cd504cf327f308f09187f4a7a
SHA512 9a43b6307e917bac966db46defe4b33c2a6719456b7797e439718d58a0d32030e689ed5dce1984ceda593db7d9f4a3aa9c85c85f9aec6a7e943d7f2ac6ea5707

C:\ProgramData\PublishClear.txt

MD5 d105be27bfa6037d301571a87412a6a0
SHA1 0cc417d6f3341b48775504751a9fed09ca330bad
SHA256 75ee5bef3ed8c3e2d2e416f2c968347001e343e6edb4fa9238729e240e49490a
SHA512 dbb138b48278f45bbc185d60f9688bcc815b40f72fdbb0d086d39b4b5d4dda27c71af5ab77e108445af44eb58420c733b6273a3a8a578d138c5a66946f054c79

C:\ProgramData\ResumePush.xlsx

MD5 de48b524009e808be0c21ba5d2150a50
SHA1 6b403b3fedc998509456a27a23b23b3365dfe9ed
SHA256 1c34de0893fceafe08e79a0f344c9a0fceb38082aab6b4b7052f7593ee3a533e
SHA512 80cf3f90c529086d327d1e082ff40f341dbb762e941317cad6e2af9b5c37890bdc4d1aa518b9e3de8fae276fa50b6920c7f67737c2eb0805316680ea02977167

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 4e7d0866c2d710c0ec9d5256ecad34c5
SHA1 eac8395adbb999294708d63a56892b9b69c16eb7
SHA256 9c19f5e91aed4277bc4bb3e529e43e59af8b512e041acdbdf46754ab68b2056b
SHA512 795e36b9acc43543da0ec9e208545355fab81a6f7367567bf67a27ed93a52fbfdec205d9276b95a9eeed30d9d4c81a99904fd948ce4a5edaf5d92e497e9ddcc4

C:\Users\Admin\AppData\Local\Web Resource Viewer\lang\is-0IMVR.tmp

MD5 54ffd881611a92540e4c85e2759278c9
SHA1 ef0c1ec4f6efe6abdf9a23f1adcd88c4ec5b4348
SHA256 d075cbfb1b43dadcdac8cf572c18689134e59319fbe425e82c7bb7c4e7d5948c
SHA512 d9f77cacb264d080e12e765cba3e1cc69a19c186526bbcb25d093e0a83b4b4b8beef37a4acf2e803a08eb76c77d4a97a21fea74475d6d9d16a63f2137ab6253b

C:\Users\Admin\AppData\Local\Web Resource Viewer\lang\is-BV9MP.tmp

MD5 8f920115a9ac5904787bc4578f161a52
SHA1 941332d718cf5161881ca903b2fb125124cac68b
SHA256 f8b63fa29af4c7cff131bf14fbdaac8e6b6945444e0f13e57417fea4a3de1a6b
SHA512 b8521748d276de667e2013c697005adc45e405fee9a9970b80427cb47ba829e2f9e31fdae2bafc54cca5aeaa4c371f4d25e1ea34989eea19e732fd129abfa1c2

C:\Users\Admin\AppData\Local\Web Resource Viewer\lang\is-FT5C1.tmp

MD5 613ccb3ab7bc5304da08120a11bb34f2
SHA1 9e1231dc2ddc6deb2a66d494c45f0dfcf04b1d97
SHA256 565efa1b0407d221b1e6bc44811f529f98fe4d9ffb6e756b56b9525acb87ce28
SHA512 d27efae6748105c343abcdc8777d2c5065bc342569af2fd3bee92544a01ad4caefe359adf69fa56bae1fbc87f86575b797c20d821a42869d0b34ab1004b0138a

C:\Users\Admin\AppData\Local\Temp\is-3ARGJ.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 99751b3ace34fc2737b7ce2c5faaf646
SHA1 de01a4e7b38f0b4e6c29355cf7fff06c25d82f28
SHA256 5f68782baa6080150092baaf1b1d6115e8a6e9bf3daee7e80052aa1f2499fa46
SHA512 14ade9efca96d8ef96d27f3058fbb444d872a996b25251a45f9212d9f260410de2acb264ed87c5288f0a4c125a4eef46264aa8c42eec0bb3b3ccb01be8554229

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 06facd038383a22edb26be7a4ce5eb01
SHA1 6c92b66542de2fb21557266eb025761111676513
SHA256 5fbd80ac31902bc7bb7a373977860471d725b83acb02b58f2e2f53d324b627af
SHA512 1ebc70b0529aa23397542075a10995b60869825a58b371c1f40310dbe711c82b7dfe09ef782fab97fe5d592866d135e4ff5e945078bb783c5f317d7dfcb43fb8

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 2bb3ab943e6a3e95588a254d341b1c18
SHA1 8d5d0696ac98b9c168b901bb3416c9c739639c30
SHA256 ab5992ac2692fb77d820ed666e46c07c089322ec71dfa6dc88c8d724ef999300
SHA512 cccabc7bcfcac26eb1e637d764e5e88f74227aa8e8b51484635b87fda8bbe698858fb05f50001ef91cffb6f12a87253f921101d22e82868d6595cba342c3b778

Analysis: behavioral6

Detonation Overview

Submitted

2024-01-23 12:11

Reported

2024-01-23 12:18

Platform

win10v2004-20231222-en

Max time kernel

134s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\ResIL.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\ResIL.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 167.166.122.92.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 3.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2024-01-23 12:11

Reported

2024-01-23 12:18

Platform

win10v2004-20231215-en

Max time kernel

142s

Max time network

179s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\chrome_elf.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\chrome_elf.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 189.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 16.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 114.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 84.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 198.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 210.80.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-01-23 12:11

Reported

2024-01-23 12:18

Platform

win10v2004-20231215-en

Max time kernel

147s

Max time network

158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\dbghelp.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3132 wrote to memory of 1632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3132 wrote to memory of 1632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3132 wrote to memory of 1632 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\dbghelp.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\dbghelp.dll,#1

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 78.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-01-23 12:11

Reported

2024-01-23 12:18

Platform

win7-20231129-en

Max time kernel

26s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3470981204-343661084-3367201002-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e210f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\Documents\GuardFox\fA4fWqni3Fk1dH2hcuGg5kVv.exe

"C:\Users\Admin\Documents\GuardFox\fA4fWqni3Fk1dH2hcuGg5kVv.exe"

C:\Users\Admin\Documents\GuardFox\geXdBtePYVTWVZxokBtY2RTV.exe

"C:\Users\Admin\Documents\GuardFox\geXdBtePYVTWVZxokBtY2RTV.exe"

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\Y8wSG2.CPL",

C:\Users\Admin\Documents\GuardFox\zHyWT4B7ksNcb40vwcW_8jt5.exe

"C:\Users\Admin\Documents\GuardFox\zHyWT4B7ksNcb40vwcW_8jt5.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\Y8wSG2.CPL",

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Users\Admin\Documents\GuardFox\NWKCi97yRPmDKNWuxjUrqCGt.exe

"C:\Users\Admin\Documents\GuardFox\NWKCi97yRPmDKNWuxjUrqCGt.exe"

C:\Users\Admin\Documents\GuardFox\iQCf_ssarPkOvbb8Rolj8DWS.exe

"C:\Users\Admin\Documents\GuardFox\iQCf_ssarPkOvbb8Rolj8DWS.exe"

C:\Users\Admin\Documents\GuardFox\zHyWT4B7ksNcb40vwcW_8jt5.exe

"C:\Users\Admin\Documents\GuardFox\zHyWT4B7ksNcb40vwcW_8jt5.exe"

C:\Users\Admin\Documents\GuardFox\_E4NP1BHy4Nn_koqPTx1r11x.exe

"C:\Users\Admin\Documents\GuardFox\_E4NP1BHy4Nn_koqPTx1r11x.exe"

C:\Users\Admin\Documents\GuardFox\PY0N8L8t5tIFZG93NkDisPnC.exe

"C:\Users\Admin\Documents\GuardFox\PY0N8L8t5tIFZG93NkDisPnC.exe"

C:\Users\Admin\Documents\GuardFox\MM1LQ88qGHPZpfYJCxA7SbKJ.exe

"C:\Users\Admin\Documents\GuardFox\MM1LQ88qGHPZpfYJCxA7SbKJ.exe"

C:\Users\Admin\Documents\GuardFox\HQjrm8fTPVDKwzoqs9viubak.exe

"C:\Users\Admin\Documents\GuardFox\HQjrm8fTPVDKwzoqs9viubak.exe"

C:\Users\Admin\Documents\GuardFox\zx0aWQ_xz45fidj5kGmRSAlJ.exe

"C:\Users\Admin\Documents\GuardFox\zx0aWQ_xz45fidj5kGmRSAlJ.exe"

C:\Users\Admin\Documents\GuardFox\4EC9IqjKczl0bbmOaciB5eaC.exe

"C:\Users\Admin\Documents\GuardFox\4EC9IqjKczl0bbmOaciB5eaC.exe"

C:\Users\Admin\Documents\GuardFox\NjWsxPZVyYqpDbbfJ8fvgfVA.exe

"C:\Users\Admin\Documents\GuardFox\NjWsxPZVyYqpDbbfJ8fvgfVA.exe"

C:\Users\Admin\Documents\GuardFox\iEkV5AkWBmFGq5fXIdHbqzU4.exe

"C:\Users\Admin\Documents\GuardFox\iEkV5AkWBmFGq5fXIdHbqzU4.exe"

C:\Users\Admin\Documents\GuardFox\CEbkUTW8hyrrDT6Rf1t8zVr1.exe

"C:\Users\Admin\Documents\GuardFox\CEbkUTW8hyrrDT6Rf1t8zVr1.exe"

C:\Users\Admin\Documents\GuardFox\uJ96kzoVFq4ADEaCTcabRPLJ.exe

"C:\Users\Admin\Documents\GuardFox\uJ96kzoVFq4ADEaCTcabRPLJ.exe"

C:\Users\Admin\Documents\GuardFox\Dlt1iZAcoIqBH7K_dVKde64Q.exe

"C:\Users\Admin\Documents\GuardFox\Dlt1iZAcoIqBH7K_dVKde64Q.exe"

C:\Users\Admin\Documents\GuardFox\vK0PPAPmUAE0hE8jS7enXAKZ.exe

"C:\Users\Admin\Documents\GuardFox\vK0PPAPmUAE0hE8jS7enXAKZ.exe"

C:\Users\Admin\Documents\GuardFox\8H60W6oRZV_8Y7HtUXjpfc1c.exe

"C:\Users\Admin\Documents\GuardFox\8H60W6oRZV_8Y7HtUXjpfc1c.exe"

C:\Users\Admin\Documents\GuardFox\MiiGeJSIQRhtCha_s6H3_4T5.exe

"C:\Users\Admin\Documents\GuardFox\MiiGeJSIQRhtCha_s6H3_4T5.exe"

C:\Users\Admin\Documents\GuardFox\rP3VVvbHIAJXsDRWtvhHL16n.exe

"C:\Users\Admin\Documents\GuardFox\rP3VVvbHIAJXsDRWtvhHL16n.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Users\Admin\AppData\Local\Temp\DE6D.exe

C:\Users\Admin\AppData\Local\Temp\DE6D.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 92

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3008 -s 120

C:\Users\Admin\AppData\Local\Temp\916.exe

C:\Users\Admin\AppData\Local\Temp\916.exe

C:\Users\Admin\AppData\Local\Temp\916.exe

C:\Users\Admin\AppData\Local\Temp\916.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef71d9758,0x7fef71d9768,0x7fef71d9778

C:\Users\Admin\Documents\GuardFox\gqGHRUK4EKmIkZQQtGKxKg0h.exe

"C:\Users\Admin\Documents\GuardFox\gqGHRUK4EKmIkZQQtGKxKg0h.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN gqGHRUK4EKmIkZQQtGKxKg0h.exe /TR "C:\Users\Admin\Documents\GuardFox\gqGHRUK4EKmIkZQQtGKxKg0h.exe" /F

C:\Users\Admin\AppData\Local\Temp\36AC.exe

C:\Users\Admin\AppData\Local\Temp\36AC.exe

Network

Country Destination Domain Proto
DE 77.105.147.130:80 77.105.147.130 tcp
US 8.8.8.8:53 api.myip.com udp
US 172.67.75.163:443 api.myip.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 cczhk.com udp
US 8.8.8.8:53 vk.com udp
US 8.8.8.8:53 joxy.ayazprak.com udp
US 8.8.8.8:53 ji.alie3ksggg.com udp
US 8.8.8.8:53 294self-limited.sbs udp
US 8.8.8.8:53 medfioytrkdkcodlskeej.net udp
NL 77.246.104.70:80 77.246.104.70 tcp
RU 193.233.132.117:80 193.233.132.117 tcp
AT 5.42.64.33:80 5.42.64.33 tcp
FI 109.107.182.40:80 109.107.182.40 tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
US 104.21.80.24:80 joxy.ayazprak.com tcp
US 188.114.96.2:80 294self-limited.sbs tcp
HK 154.92.15.189:80 ji.alie3ksggg.com tcp
SA 178.86.104.54:80 cczhk.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
US 188.114.96.2:80 294self-limited.sbs tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
SA 178.86.104.54:80 cczhk.com tcp
US 188.114.96.2:80 294self-limited.sbs tcp
US 188.114.96.2:80 294self-limited.sbs tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
US 188.114.96.2:443 294self-limited.sbs tcp
US 8.8.8.8:53 apps.identrust.com udp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
GB 96.17.179.184:80 tcp
US 8.8.8.8:53 x2.c.lencr.org udp
GB 173.222.13.40:80 x2.c.lencr.org tcp
RU 91.215.85.209:443 medfioytrkdkcodlskeej.net tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
US 8.8.8.8:53 udp
GB 173.222.13.40:80 x2.c.lencr.org tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
US 8.8.8.8:53 sun6-21.userapi.com udp
NL 95.142.206.1:443 sun6-21.userapi.com tcp
RU 93.186.225.194:443 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
US 8.8.8.8:53 sun6-22.userapi.com udp
NL 95.142.206.2:443 sun6-22.userapi.com tcp
RU 93.186.225.194:443 vk.com tcp
US 8.8.8.8:53 sun6-23.userapi.com udp
NL 95.142.206.3:443 sun6-23.userapi.com tcp
RU 93.186.225.194:443 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
NL 95.142.206.3:443 sun6-23.userapi.com tcp
RU 93.186.225.194:443 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
US 8.8.8.8:53 sun6-20.userapi.com udp
NL 95.142.206.0:443 sun6-20.userapi.com tcp
RU 93.186.225.194:443 vk.com tcp
NL 95.142.206.0:443 sun6-20.userapi.com tcp
RU 193.233.132.67:50505 tcp
NL 45.15.156.229:80 45.15.156.229 tcp
DE 77.105.147.130:80 77.105.147.130 tcp
US 8.8.8.8:53 api.myip.com udp
US 172.67.75.163:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 8.8.8.8:53 i.alie3ksgaa.com udp
US 34.117.186.192:443 ipinfo.io tcp
NL 195.20.16.45:80 195.20.16.45 tcp
US 34.117.186.192:443 ipinfo.io tcp
RU 193.233.132.117:80 tcp
US 104.26.8.59:443 api.myip.com tcp
NL 91.92.245.15:80 tcp
FR 194.33.191.60:44675 tcp
US 172.67.147.32:443 tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.132.113:443 iplogger.org tcp
HK 154.92.15.189:443 i.alie3ksgaa.com tcp
DE 185.172.128.24:80 185.172.128.24 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
NL 195.20.16.45:80 195.20.16.45 tcp
NL 45.15.156.229:80 45.15.156.229 tcp
HK 154.92.15.189:443 i.alie3ksgaa.com tcp
RU 193.233.132.117:80 193.233.132.117 tcp
HK 154.92.15.189:443 i.alie3ksgaa.com tcp
NL 195.20.16.45:80 195.20.16.45 tcp
RU 5.42.65.31:48396 tcp
NL 195.20.16.45:80 195.20.16.45 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 vk.com udp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:443 vk.com tcp
US 8.8.8.8:53 iplis.ru udp
US 104.21.63.150:443 iplis.ru tcp
US 8.8.8.8:53 iplogger.org udp
US 104.21.4.208:443 iplogger.org tcp
RU 193.233.132.117:80 193.233.132.117 tcp
NL 185.142.239.49:4444 tcp
NL 45.15.156.229:80 45.15.156.229 tcp
DE 193.23.244.244:443 tcp
RU 193.233.132.117:80 tcp

Files

memory/2352-0-0x000000013F7C0000-0x00000001401B1000-memory.dmp

memory/2352-1-0x000000013F7C0000-0x00000001401B1000-memory.dmp

memory/2352-6-0x000007FEFDCD0000-0x000007FEFDD3C000-memory.dmp

memory/2352-7-0x000007FEFDCD0000-0x000007FEFDD3C000-memory.dmp

memory/2352-8-0x000007FEFDCD0000-0x000007FEFDD3C000-memory.dmp

memory/2352-10-0x000000013F7C0000-0x00000001401B1000-memory.dmp

memory/2352-12-0x000000013F7C0000-0x00000001401B1000-memory.dmp

memory/2352-14-0x0000000000070000-0x0000000000071000-memory.dmp

memory/2352-15-0x000000013F7C0000-0x00000001401B1000-memory.dmp

memory/2352-13-0x000000013F7C0000-0x00000001401B1000-memory.dmp

memory/2352-11-0x000007FE80010000-0x000007FE80011000-memory.dmp

memory/2352-9-0x0000000077C20000-0x0000000077DC9000-memory.dmp

memory/2352-16-0x000000013F7C0000-0x00000001401B1000-memory.dmp

memory/2352-17-0x000000013F7C0000-0x00000001401B1000-memory.dmp

memory/2352-18-0x000000013F7C0000-0x00000001401B1000-memory.dmp

memory/2352-19-0x000000013F7C0000-0x00000001401B1000-memory.dmp

memory/2352-20-0x000000013F7C0000-0x00000001401B1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar2CEF.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\Documents\GuardFox\Dlt1iZAcoIqBH7K_dVKde64Q.exe

MD5 471d4d3135fdf30e6965b2053f3a4736
SHA1 4884aa04d6922434fbfa58aab940f8cc3b48f475
SHA256 8b8708beab060cb3811107593022f4baaf124f7337db9ecadaee9d8ac92a044e
SHA512 a095ff32b8e946a441eeaeeebdc47babefccfedc1e777f87de9fa3e9002e09c847875752a913c6045b18597df8d0615718c13d6fc7bf51d449a88ec132318259

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8edbe7230efbe5d102c77491219c7157
SHA1 50b19a5441d7977311f4cfb915cedf2b56e2720b
SHA256 cd29a0f2736d092099ad219b3f0bf25912436145f76bb6e5ca4c6c210b6d1a82
SHA512 78faa311b19e9aa437de7393d60bf41fcfc4bd0f233e6fe8bd207df9c1a18dcd56db1525f03202989a86895930baa4e89de322c82773972d48310535bc728084

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a0e67c2766afea1b859438342fd3f141
SHA1 96d44e4ec71877bc0167bb259b8a1818b83fdc4b
SHA256 be70bc1a6262ffa236486cc0ef0d1f1c99e007df2a3c58b761ab88ee1bbb4ec4
SHA512 34d168ddad6169e71d59ad127d3a111c90835a6c5ed9e44e59c623af65cde83520068466329a1567da41f83fcf42a3aca08029b70ea738677ad63c932fb4fa1f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8c532cff186870217573cf91a40d4df9
SHA1 bf8f3c2ccd3bf4fcff5eebd037eba1a7efbc8799
SHA256 4acbde3d5103d103e9aa53e00f5f518f4558cb4b9436c79337f868100235cb5b
SHA512 99a5220a3b1ea5e18b3afb58a4042bddbba82f2f42bc205a3972164b653c276ec8a54561043b8df72f024564e602e8d5a2f40adbb4ee34cf6c2598ec1a8b1939

C:\Users\Admin\Documents\GuardFox\CEbkUTW8hyrrDT6Rf1t8zVr1.exe

MD5 f2ccc652745a2e84a4d7c4d8be67e18e
SHA1 8ccdac3b2510653b997ab9bd75ba10fe0cd29f43
SHA256 133f982d29df172974ecbe604431022f982b7e3de0470f298583e22aa0aabb92
SHA512 b551b3fc28d51312abed28242fc1c6ecea493f010689a7ed876e90f170eafe95a2d3b0aba589fb7e6b106dba02f9b1bd24e521f15766888a74ad11661fc10c66

C:\Users\Admin\Documents\GuardFox\fA4fWqni3Fk1dH2hcuGg5kVv.exe

MD5 ebd6f7a6cb7aa2c1f16389618828dd18
SHA1 6f0ab3eae5a5c4ed3383ac48a4ac067294c87728
SHA256 80b7f795cac71ff494d915f171bca9feca53cf6d9c6d5b87b2c773ea8266403e
SHA512 b0ab45f303c0c7051da0248713d0b672d262bafde69112e3fe021426bfce869089329b324e3355a94cea76cec4feb6a024ab74499e1f025f82eebc3da11521be

C:\Users\Admin\Documents\GuardFox\rP3VVvbHIAJXsDRWtvhHL16n.exe

MD5 94a6fd6302973d54f756944690160558
SHA1 0a343afe01024a318baefff31b46da0674ef0c76
SHA256 6478b937acfadb2cf4ae042cb375287cc38e43683325834124f75db746239343
SHA512 0496085a219ca9904980b329e9e9f461d3913d7b1ea1389c31ac0adf63674ad18aee31b816f49ca8b4555b1d83cf7385583f4c3cf8464cb289d226f58c8c4e76

C:\Users\Admin\Documents\GuardFox\NjWsxPZVyYqpDbbfJ8fvgfVA.exe

MD5 40c8bb2d2562e5812be3498ce5879232
SHA1 b6a6ca6ebfaf12f2b006a22c2a6114b33fdebc7e
SHA256 be5c4d682a132a55db8913117fc8af5cf8fcba7de7fce282b71254d38fb17261
SHA512 50d27f49625877979087fd24110554b865cf23e51ee9ef5f9ec6540ff96fc7b5a054181d5cca4ebef256daac1d45d8af8dbf6499821fa553eef9471e192bd01b

C:\Users\Admin\Documents\GuardFox\uJ96kzoVFq4ADEaCTcabRPLJ.exe

MD5 c5431ed88227d6f2e201da982db63f38
SHA1 9dcf0e8327f61df9641050fa30fa8a75642a2161
SHA256 dcd703912d6ff2ccc9739b82f12fb2c861812f53bb2ca9432a99850dd172fa94
SHA512 381ec81b6822d09903c3edbdee47c2364f797a9d1f047c896cd85f2fe87ddea10839f67b0ef9d148e9cc756322e14e3f1e57dbded0a0bf53416d8006a59284be

C:\Users\Admin\Documents\GuardFox\8H60W6oRZV_8Y7HtUXjpfc1c.exe

MD5 19f7e7642c71d09a9b4eddc0bb3308ee
SHA1 43cffaaddd889ea29f532d56a158c551362b803b
SHA256 ccd87b1214789543b03615802acd8c5d22b31c122e3dd61f306784fe047c1490
SHA512 a9780552a4d7c4ffe99a3f3124f70350d3ef36c0abd0b3ad198983504960f2ec6d6baa6c14e2acd8e04f97ee75cced46f6affee526534652130a972f22f23617

C:\Users\Admin\Documents\GuardFox\4EC9IqjKczl0bbmOaciB5eaC.exe

MD5 072932d63a4fdc222735e6f713a514ae
SHA1 cdb200e4c759600e4a83e450fbd67a7682526ea9
SHA256 eb27d4fc56e8a66e9fb47d0b73b752f963855ac169130d55a488709caa466bba
SHA512 c7512594cb7ee7d9d3b3f71ff8931441932473d25561d946f55aface0c704b01a4f7bbbc8fc53b30e1cf1be10030c91186988f0ba6183485037924bb83db8702

memory/2352-243-0x000000013F7C0000-0x00000001401B1000-memory.dmp

C:\Users\Admin\Documents\GuardFox\MiiGeJSIQRhtCha_s6H3_4T5.exe

MD5 b204dc62b6924475292ba74e6c96a9cc
SHA1 4987093c62ddb61405ff000d75eb7a1f27a528a7
SHA256 d8e5a7d83852597fe04624f8117b9618e651d5456721232812b84c0eb77a7a14
SHA512 a11ca259ce7548059246f49520becf1782a9513fed7862292fe07569c1607382d1afe73d6af4cfe12ed8a6bce923acbbdd015c71941bc45e5a4ee8200d94a8c5

memory/2352-250-0x000000013F7C0000-0x00000001401B1000-memory.dmp

C:\Users\Admin\Documents\GuardFox\WkS88mGqjeLIRosqYicguQUu.exe

MD5 ca07b75277283f377270bc46c360e2ea
SHA1 4c38388c98efa5e5a482d1a4c6b4a30e60c0aa66
SHA256 15c19a7a6e5fe8a6ef4e1babdc767945a2886dd7273d59887bb0d609247b50e4
SHA512 4e87cb89eea6ce3f025f615e4aeec3bbc0869e69c499f972a38b772fcced7411ad5728734bdf243c73eb8f11a07bb0e53452d6a7908d314b50fe1c420e6a5901

C:\Users\Admin\Documents\GuardFox\PY0N8L8t5tIFZG93NkDisPnC.exe

MD5 fdaf18ad50873b8af3b9a3d64ebc4725
SHA1 1dcc524f89330c0f63e4aa73c7b46d3517f3254e
SHA256 89c525dc1bcaa15dd25e947b853a553dffb2d585b3b514cdbc698b5ddd6542e9
SHA512 96b28769f98c4b8578d2532bbb2a552e76df69e0adeaa56534250f508d3e1cbe740aa9f60ea76b78e535fa62f65909e6d443241eff2103a9638c3c3f0cdf5ec8

memory/2352-302-0x000000013F7C0000-0x00000001401B1000-memory.dmp

memory/2352-303-0x000007FEFDCD0000-0x000007FEFDD3C000-memory.dmp

C:\Users\Admin\Documents\GuardFox\iEkV5AkWBmFGq5fXIdHbqzU4.exe

MD5 390bbf84ba2296ee074c5ad57ce047fd
SHA1 487e9e793d440a0b94dbbce9a3b08acb3c7253fd
SHA256 47f0b7106ac30cfe9b3f59b8c4e25d6bebcfb8a6510753d632e66d419e896d62
SHA512 2cf6120ee3f6d42185dbb44926b7d39447ae3710ceff49328ab6941dff11296ad17d96cc48d4bdc159687e5a452dfbfefec0f40e82fb551488f3ed12ad6ebe4d

C:\Users\Admin\Documents\GuardFox\HQjrm8fTPVDKwzoqs9viubak.exe

MD5 5fa878455587d484dba37e41a46b9343
SHA1 82f4dd3a18554bda4425a897433b31f2d783587a
SHA256 e63841c08999245e9c424161cca81afbecb2c9e20b53aa2eb988a923cddbe6a4
SHA512 60e23805e4a72ed423a65d2a3b19c2f6f4c16587f74499f78478180e0964dc9a80a584fb3a607c7a61ddf8085cd3ae23a5bf6a0d25aff78b96b808007d7e1654

C:\Users\Admin\Documents\GuardFox\vK0PPAPmUAE0hE8jS7enXAKZ.exe

MD5 8c02f1916a3b64e4ecdd78cf79481f3a
SHA1 95da0e0e4d40cf62bea86007ed3f1c6280893a74
SHA256 da991b7f2d1f57616b9920f4993c2621624216939521e480f0a114a08b8d189d
SHA512 048eabafe9cef7aed029ca4c03a312f9d9464e88f892c565dcf9972646b3ce56a656e5a97f9bed90e698e80569a857ac8e0b9f6511e0b6575ad128930f7eeeaf

memory/2352-333-0x000007FEFDCD0000-0x000007FEFDD3C000-memory.dmp

C:\Users\Admin\Documents\GuardFox\zx0aWQ_xz45fidj5kGmRSAlJ.exe

MD5 ec29442cc879d4a86c49c91bb941da3a
SHA1 e5f13e0fe3fa421ecd0bbd3b5e0b5a12507c1b1e
SHA256 929d0e5de764e3182854e19c5f8d5fa0a7efc1c48f16eef9d3c2a4fc95235aa3
SHA512 d4a48c41379c24cb876061817201b802ca35acee71b06cba5afd750cbce4275932b4b44de2127c9a10a25337a4174d1d118bf0358783179d71a539bd0a3755e4

C:\Users\Admin\Documents\GuardFox\iQCf_ssarPkOvbb8Rolj8DWS.exe

MD5 77c6776c9a4ace2ed42074e36a213a5f
SHA1 4d06ffcbf65610980446729acd595e90d0c9c142
SHA256 d8bde0015001a1843724b8690aa1c44bdeb2160a481bbaf6cd084ad316b75d72
SHA512 b1094e8f7bbcef954925ff90ebb6be07aef552ac7de486b7effef4278a63d57e9874db1270346b3dbdfc8c1f5011249265aa546d044178b6fa7b244e8bbd5e7d

C:\Users\Admin\Documents\GuardFox\MM1LQ88qGHPZpfYJCxA7SbKJ.exe

MD5 afd6c7b2c8ce4194802315f8eb45e2f9
SHA1 1fb7fe91b14d2876a38b9b90647e5a96a6262faa
SHA256 e9a75e1f50cebf3aef100e090cf2c90b4eca714196ea28647739ae857d7a9755
SHA512 29415c59c8a2d1236c8e853ddfd5d345ce08d72e2102717ba3c1c1cdeaf08d3de7710794de73e3f7d608192307b2ebc7832fc00fbfdd8c24e8d8c494496c4d50

C:\Users\Admin\Documents\GuardFox\NWKCi97yRPmDKNWuxjUrqCGt.exe

MD5 cf1e376b88640c0bc6fe1fd4ccbc2ada
SHA1 b7f3a390a5b192da371cc2e600e355d7afc19d4d
SHA256 34dd8098fe4e16aa6f9e8ae276c6033a925c080825621632988dc97ef6cc449b
SHA512 ceb391bf0f5d9e97f03ac29d68205b02599fdf4d8fd3f3aeafcdcfae47acae8507a4478a4d5f1e141ccb88f7c4262e7a5f961ecddc6af8745256ffea3dd90f3c

C:\Users\Admin\Documents\GuardFox\ChG3xrcXGlbanim48QvyJDKr.exe

MD5 45c3d9289d4f3fc915adf7efd379e00d
SHA1 0fce3561336238b5e1a2ec2531edaad95e5b937b
SHA256 73ac0b454fb69dd46815d3ba38230c59779650f29cd0bfc45756dad96c9c8cc1
SHA512 4b1a5b7061abba2bb94388e7b62983b120538ad5428a5d72eb75d1f0936f122d0b5cace92f8bd83c0426baee3c87687f9a17aad98e4ce976bcdf89757fd372e8

C:\Users\Admin\Documents\GuardFox\geXdBtePYVTWVZxokBtY2RTV.exe

MD5 a26c00350d62e5c05d9e17151290dd53
SHA1 6d49f07421e99476c7f5345fc172127475328041
SHA256 c91b18f4000825841740903c5b3a7205422b394d89cd36b787886587cab551cd
SHA512 9925d4d482fa2a72b1e2e94570440a26819b9d6971fbd1420845220c3df364534d2e6f249905a5a383706c62241f47c6a2b811897f7b294ce3ec5e2b91d2e2c9

C:\Users\Admin\Documents\GuardFox\hZZvgTGnq8NMGceiw3wFX6tE.exe

MD5 ef83b4bf99fd9e510923fd27f8788e55
SHA1 fd0eb91fccb0bc9719f464897833156b7d32a133
SHA256 b27d9c26f17e6a2ecd1d1fef684ee7dad99ec7160d4b5de11425679e16cc5620
SHA512 5239ac94411b2529c2f969b1be71347f07b56a60245a38648a568c65f43b79e85b7440da8e77f181004eb73fd6824d8725eaf1d462dc69c36e5aaca392d32bdf

memory/2352-397-0x0000000077C20000-0x0000000077DC9000-memory.dmp

C:\Users\Admin\Documents\GuardFox\_E4NP1BHy4Nn_koqPTx1r11x.exe

MD5 c4349e2b7b51db1549c227e36fceb7eb
SHA1 069adaf25a880663e9d307f19f16de03dedccb18
SHA256 b10bef2b2ff053e1f2bff7ed1a7afbb0bacc991959ff4b18ae30710a13c5b413
SHA512 11c3ade9581fa9cada008219b918435a67705ef35bc030fdf81baa57602a0df09a19c580ea15e3afff9bcb565b98093ee0930bc185a0a81e6caff2a0170dc681

C:\Users\Admin\Documents\GuardFox\zHyWT4B7ksNcb40vwcW_8jt5.exe

MD5 18c5e9d9c29043e29cc05f115d2b99df
SHA1 4cc72541404c6ad1c9973645a0722c93ec26edcf
SHA256 a37ea3b6fea1c37a84ce7717f5f9e4f222032515b3d03b60b5649ee4324cf492
SHA512 91708be80f05ece83a7e5ed6afe30dcc63e299c281eb76100e01cee28377e1ea41d224b7bb9059f9972d36ea80cc59336eef462d027f878e1f1ef3bbc4e27999

C:\Users\Admin\Documents\GuardFox\4EC9IqjKczl0bbmOaciB5eaC.exe

MD5 cc59feb080187df0bdcb4e142fae16eb
SHA1 e03fed5d07fa9005e6e921bf6e848d1bd625630b
SHA256 0a0f644eb17650f93e0b0ece9e596132c77c294175c26f60fad08facd33ec039
SHA512 0a5a16b742edc322b0b318040ab83716d879f92ad48e0c27fd920ad0240f6064f67a9c6a894d6721905a5bd3be1ef8ccf2ae865bf597c2d6de4de2de5afaf584

C:\Users\Admin\Documents\GuardFox\NjWsxPZVyYqpDbbfJ8fvgfVA.exe

MD5 68570d0f53e871f4124cc3a4efad2eec
SHA1 27e089a0245be1f617a107e4c476e9754c0d586b
SHA256 65c8e27909e41cdbcdec340125e9a708393b31666b78da6c2a16c7974380d39a
SHA512 c2eb1f04a5636184ce969f8c59091b29a0d41f93e1098982709e99593ec01cc97d75b4cfded790d19404ef053210f4fe86cb8aea5f44e9895b276836e891118e

C:\Users\Admin\Documents\GuardFox\HQjrm8fTPVDKwzoqs9viubak.exe

MD5 b516a36e64f78e7c5bc2fadf807cbbff
SHA1 6b8d27288e24d93d8fba280ca3251d0b54066122
SHA256 28e81485bbcaa2b55215efd34bafc183cdd2464a4ff2b33b93acb5f79157be3e
SHA512 68933eefd10dafab407c7d68f5c4000808c9aebaef809e403d572aefd6423f491e4e048f674f14679369737e80805647741a0088458d45413a42e27644acf083

C:\Users\Admin\Documents\GuardFox\geXdBtePYVTWVZxokBtY2RTV.exe

MD5 ae6e516adaf2f1e00fb70254de26a547
SHA1 6d3ff141c2ffab04e2cb153586c80d7760f8e442
SHA256 53fdd6d8f0d5c099db112b21e643d12fdbe2347759986796193f286fb058fb7c
SHA512 23c711808c0086dbd573eb7287e96c9706aebf0afb016bd053ef3469bb0d32226fb60ca8d696a078551dd24f3f52798aa63c2a1185f3ded6586fa44cf877e64b

C:\Users\Admin\Documents\GuardFox\_E4NP1BHy4Nn_koqPTx1r11x.exe

MD5 75dce86ca80f65901108fe3b0c0709a2
SHA1 4f2614ae8e07d43da4bd22e4a82ca3aa499c3d74
SHA256 a3bdeb4b37b3ee8d6e855090604514b6f7a21fd9699d82722bd2c7916e3e2a2a
SHA512 0f8e6f6d064c9f0b8c965bb4413983d3d3e69dfc172e724362d853492fc19b00dbb1874a9f3bbc90d59b6b93db1bdd42a30d256ab5dcf78db35a6b6ce6fbcc98

memory/2236-524-0x00000000003F0000-0x00000000010EF000-memory.dmp

C:\Users\Admin\Documents\GuardFox\zHyWT4B7ksNcb40vwcW_8jt5.exe

MD5 83d515fdc662f7632b7710ec25efc588
SHA1 adb1e55d936a4f9c4138d6c88c64bccd00fb9044
SHA256 0960506c34e548618660b76800c4dec5084541636533dfa76ed63fc6c9e7dd0e
SHA512 5790cfc71fcf76ffbdbb687ba80c684dc5c4b1e8bc5faa74ca2826113ef5d41ab2f2cedcb36517bd7d1cdfa212108f7c0ea208cd317bbf64bbf01b4158fde2c8

C:\Users\Admin\Documents\GuardFox\iQCf_ssarPkOvbb8Rolj8DWS.exe

MD5 dc3a4946e3fc77cafd9cd6bde74343dd
SHA1 b9337bdd6b0b3b8ab7df3cac6716727436229029
SHA256 6bd5aa1b616e83799296e5a5f7b1cb81e1ddcae7e755ade4611602be9ae26749
SHA512 f8b99ff5f8386e97e6b64fd99eca69bc6dd54cde63d659daaa57c609166fd381bf71f6913d713d6ce692c89e225a7a6d14f9bf43c7ce66c460719de106bf8cf5

memory/2056-533-0x00000000009D0000-0x00000000009D1000-memory.dmp

C:\Users\Admin\Documents\GuardFox\geXdBtePYVTWVZxokBtY2RTV.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2056-540-0x00000000009D0000-0x00000000009D1000-memory.dmp

memory/2280-542-0x0000000000220000-0x000000000023C000-memory.dmp

memory/2056-539-0x0000000000060000-0x00000000009A7000-memory.dmp

memory/2056-545-0x00000000009D0000-0x00000000009D1000-memory.dmp

C:\Users\Admin\Documents\GuardFox\geXdBtePYVTWVZxokBtY2RTV.exe

MD5 3e84ae40801cddc38677e6177d67ce67
SHA1 7728f1a57836e372c5dade3b55f7efce9b51dcf0
SHA256 ab898bc728e2465e78dc31f0ddd60af9a63fcd76575aed7e09fe141dbbb0681f
SHA512 182dbf53807b54e77feb970e2eaec85655de03d8972eae66f8c848bdab72ef8e18cd19e6aa5cbc8a7ecaa23676b433354a52bcfb28aab8975f62acac32a9c458

memory/1624-549-0x0000000077DD0000-0x0000000077DD2000-memory.dmp

memory/1648-558-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\Documents\GuardFox\zHyWT4B7ksNcb40vwcW_8jt5.exe

MD5 0da1e9050a150c5765b2ae6973d86db4
SHA1 6f8d9f491c1a0e3c117cb258c09dd92f10f1e56d
SHA256 4d497fe82c6469fb83a8e6dab52b1cb4c39afcf73aeb89eec730cd3e7238b95f
SHA512 8382aaf3da0c663fed8ac2c755a82a25c4bc4efb4c3e7777a7f52101ea89b6a1f93b44cd7ab1acf2de30d52081f6957b6466d0690bc91f60a14b109f05bba10f

memory/1624-564-0x0000000077DD0000-0x0000000077DD2000-memory.dmp

memory/1624-566-0x0000000140000000-0x0000000140876000-memory.dmp

memory/2652-567-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\Documents\GuardFox\zHyWT4B7ksNcb40vwcW_8jt5.exe

MD5 013daae3a59a6db035e98f3b4cc64515
SHA1 e22b2a54dd429c79641753c72f1d5a83965563f2
SHA256 867867195d2404c1ec8985606c40b0dfc0e8244fbe8cc00c242e7d5851704968
SHA512 aeff0f7ffc9584d22d041125e1ed38d050b7937b13ab3cb737a65b5a7d4d7b7e9624dd37252f07bf5ab1cf7511e7061de502efc069501a1b3c49ab197bc595f9

memory/2652-562-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2004-576-0x0000000003000000-0x0000000003400000-memory.dmp

\Users\Admin\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe

MD5 595718b19aeb84a8ef0e29e1dcb9cfa8
SHA1 06da6604cdc10118a295d9eb9549d7a3504a32c6
SHA256 66d4ca3eea7cf095f3807db3684602bde5d4184fa827357a1c955a2c287f0391
SHA512 bdcbf2ab6e0407b53c684ffe302b261a2ced22fee971619aadeaa7c6159b09fcec7eae3361aee3e09c6d7600245e84b7ec7706e75912d0ad2f55bedcd22b4908

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 7cc972a3480ca0a4792dc3379a763572
SHA1 f72eb4124d24f06678052706c542340422307317
SHA256 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5
SHA512 ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

MD5 cdfd60e717a44c2349b553e011958b85
SHA1 431136102a6fb52a00e416964d4c27089155f73b
SHA256 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512 dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

memory/2004-578-0x0000000077C20000-0x0000000077DC9000-memory.dmp

memory/3032-577-0x0000000000200000-0x0000000000B14000-memory.dmp

memory/812-593-0x0000000000A40000-0x00000000019F3000-memory.dmp

memory/2004-575-0x0000000003000000-0x0000000003400000-memory.dmp

memory/1624-555-0x0000000077DD0000-0x0000000077DD2000-memory.dmp

memory/2756-548-0x00000000002C0000-0x0000000000352000-memory.dmp

memory/812-534-0x0000000000A40000-0x00000000019F3000-memory.dmp

memory/1060-538-0x0000000000900000-0x0000000000958000-memory.dmp

memory/1732-596-0x0000000000220000-0x0000000000221000-memory.dmp

memory/812-595-0x0000000000A40000-0x00000000019F3000-memory.dmp

memory/1592-535-0x00000000002F0000-0x00000000003F0000-memory.dmp

memory/812-598-0x0000000000A40000-0x00000000019F3000-memory.dmp

memory/1476-532-0x0000000140000000-0x0000000140218400-memory.dmp

C:\Users\Admin\Documents\GuardFox\NWKCi97yRPmDKNWuxjUrqCGt.exe

MD5 271a170d132fd26f59117652244b9bde
SHA1 4a525966a741b5bf8486bf3ba227f01d5a737b51
SHA256 954c0bf525cc7099301a0dd63bc7ff594a31a63d9c6941bc41c430f790f5ae1f
SHA512 76a0eab7b5771f8591183307498976b2e44132eb83cb4f9ff83bc674239987c87be4da5f4550ba40d20e4b3c8bd3898ae9b38936f6c528973eb1f075e1cc21ee

memory/3032-607-0x0000000077640000-0x0000000077750000-memory.dmp

C:\Users\Admin\Documents\GuardFox\NWKCi97yRPmDKNWuxjUrqCGt.exe

MD5 b6497470a3bfe60a2e55cd8c44fe312f
SHA1 9803569365c8300fc9b13e4f001cd81f22834cae
SHA256 9e0d2cbc6a3b2933f919f374dcb7086ba66e270c58f6470d1151a27d9b1e9f60
SHA512 1e164de848900e3c0fad5324ccb465ff0477582951987477044f05ca37abb1b741a6c869916a92fe1233dd1d6d53cf9074cd2fc79e5cf581126c30c64907d8c2

C:\Users\Admin\Documents\GuardFox\iQCf_ssarPkOvbb8Rolj8DWS.exe

MD5 74f242925227f8be2902ebc146b35ebb
SHA1 7efb019a44ab567d47e7f23d8ee4f6c0b9c0ab32
SHA256 b8e8e054c6a1ba1a284acde3126cc65121366b567071f49e6cff2d2e5d3e18f8
SHA512 6776a32e8a7ee30edafafdb90d0e40d3f2ded2ba1b43b016fda76ab62925a7914905b809400730e2d50d252121af4d9e5d5b78fe882991ef786d4c3dead5489a

memory/3032-614-0x0000000077640000-0x0000000077750000-memory.dmp

memory/3032-616-0x0000000077640000-0x0000000077750000-memory.dmp

memory/3032-618-0x0000000077640000-0x0000000077750000-memory.dmp

memory/3032-620-0x0000000077640000-0x0000000077750000-memory.dmp

C:\Users\Admin\Documents\GuardFox\_E4NP1BHy4Nn_koqPTx1r11x.exe

MD5 25fa641589f7ceeda1251369dc6b2ed2
SHA1 f245e45bc6ee30f78b6de8fd75f4e0b304e9aa69
SHA256 7707e796e58f63ac42e33142f832a8940b9890a9579c8e68a2b215d3a2a61b47
SHA512 fa2a5e1077081f8be9c7107446dfb7fffbe4cf18ecc15cbe2b08ccab926882f7bdd81e2d583d8c4c90d544ec40bda81da256efdf5942dbd3cbddee2750a356fe

memory/1592-625-0x00000000001B0000-0x00000000001BB000-memory.dmp

memory/3032-626-0x0000000077640000-0x0000000077750000-memory.dmp

memory/3032-628-0x0000000077640000-0x0000000077750000-memory.dmp

memory/3032-631-0x0000000077640000-0x0000000077750000-memory.dmp

C:\Windows\System32\GroupPolicy\GPT.INI

MD5 93b3886bce89b59632cb37c0590af8a6
SHA1 04d3201fe6f36dc29947c0ca13cd3d8d2d6f5137
SHA256 851dd2bb0f555afaef368f1f761154da17360aeea4c01b72e43bf83264762c9f
SHA512 fc7baef346b827c3a1338819baa01af63d2d4c31f3f7e17b6f6b72adab70de81872a67e8f3c1a28453abb595dbac01819a9bcff0710e9651a45deaf2f89e65fb

memory/3032-630-0x0000000077640000-0x0000000077750000-memory.dmp

memory/3032-640-0x00000000769A0000-0x00000000769E7000-memory.dmp

memory/3032-643-0x0000000077640000-0x0000000077750000-memory.dmp

memory/3032-645-0x00000000769A0000-0x00000000769E7000-memory.dmp

memory/3032-646-0x0000000077640000-0x0000000077750000-memory.dmp

memory/3032-650-0x00000000769A0000-0x00000000769E7000-memory.dmp

memory/3032-652-0x0000000077640000-0x0000000077750000-memory.dmp

memory/3032-654-0x0000000077640000-0x0000000077750000-memory.dmp

memory/3032-653-0x0000000077640000-0x0000000077750000-memory.dmp

memory/3032-655-0x0000000077640000-0x0000000077750000-memory.dmp

memory/3032-657-0x0000000077640000-0x0000000077750000-memory.dmp

memory/2756-659-0x00000000002C0000-0x0000000000352000-memory.dmp

memory/3032-658-0x0000000077640000-0x0000000077750000-memory.dmp

C:\Users\Admin\Documents\GuardFox\NWKCi97yRPmDKNWuxjUrqCGt.exe

MD5 205b637e6b17f2c8bacf9f71bd94689f
SHA1 254458a8b3b15aa689728f89b471dae43b27b3bb
SHA256 e5e4d4b9ed7d70ef04c3a5e73cb3c09820b50e2798dbaca828c7bdaaf7efdc39
SHA512 c745b807be8b0b184188ff9138d793e99b6cc790372cb7a28013d66a12e14613fad033c94575a3dfdac632358b9e9c216445b10fe6102e11c0b4c001d08261d6

memory/960-624-0x0000000001080000-0x00000000010E4000-memory.dmp

memory/3032-622-0x0000000077640000-0x0000000077750000-memory.dmp

memory/1256-619-0x0000000000A00000-0x0000000000F6C000-memory.dmp

memory/1648-666-0x0000000000530000-0x000000000053E000-memory.dmp

memory/1648-668-0x0000000000220000-0x000000000022B000-memory.dmp

memory/1028-665-0x0000000000EE0000-0x0000000001584000-memory.dmp

memory/2756-664-0x0000000000A70000-0x0000000000B8B000-memory.dmp

memory/3032-662-0x0000000077640000-0x0000000077750000-memory.dmp

memory/3032-610-0x0000000077640000-0x0000000077750000-memory.dmp

C:\Users\Admin\Documents\GuardFox\iQCf_ssarPkOvbb8Rolj8DWS.exe

MD5 96d44d6210432166687654c0b0593257
SHA1 a6e28553d7eb5b691f76cf665b88e101a2ecaad2
SHA256 ebc4e1065332fc30c080e4564d1f2a448eee0b14402f7d254a2f18f608df0b5f
SHA512 184ea25c73a5f24077f361232a8c650fe6b20b70480b0e343ae4bd5b373e819984c6b97548a29f849239bb7cc8e415760579f0c9a1c6ae39ee0c16efb0006eea

C:\Users\Admin\Documents\GuardFox\zHyWT4B7ksNcb40vwcW_8jt5.exe

MD5 6f0e5ad311936054a33eb7287c594521
SHA1 c973d47705660081bcbce5a99832c5f035168776
SHA256 54ee98582d3733d200040666a41685a51467de8ed0f6e06bd076fb94ee7ec1a9
SHA512 a00a696feee34b30eaa3dc88878d649ea824d82abf67fbcfd058a2942d52a0092f750e3a41abc303b8b04a33b05a34b528be4e9827a272a40067e66ba8fa367d

\Users\Admin\Documents\GuardFox\PY0N8L8t5tIFZG93NkDisPnC.exe

MD5 a1872c530ca0237690ccc3acff92490d
SHA1 5817701ac507f8e32b655f9df6042a02e5297445
SHA256 32ac4415139d5be9a50f547917cbc58fffa48773909a99018435ae8519cec9f8
SHA512 f059d2a8123c52e025f2cf5a7e64c5ffb3da7b7523f8135d5473884d572ffd69b43570420067c1fc764ea6025197dfe1ed7c5f202d261e9ee2445c850569defb

C:\Users\Admin\Documents\GuardFox\PY0N8L8t5tIFZG93NkDisPnC.exe

MD5 2383c297d48a62360c40b0dbb80c9d27
SHA1 691c79368f3d3a7aa069930ec7269eb6b12fc0f0
SHA256 6572241c494bf0489ce8783d86464059934bdac8a5b9b6cfe2b2681b58ff0f2c
SHA512 3a758873428faac6b237288dfc509652dbeff846378040e843d52ef7357e953a5f5c6bffaadec711494c74793e4dc4fbcd57b669e9c3294f0d141840a52e4763

C:\Users\Admin\Documents\GuardFox\PY0N8L8t5tIFZG93NkDisPnC.exe

MD5 2ae70aebe249251e4cb44d8571556348
SHA1 30fdcfdd06c13239e6473d0bd7db06f4b3d6a123
SHA256 91a98ab018c472bf5be706a3156660448bba140a2e002274b772e5370c7e419b
SHA512 ef510d9c2ec347766d718582388521e9f182d4ff03987e1005e9512d23fdec07bbc1b856798c08d37136ca5c8297509e85f221583bacd16b55a06bc0057610d9

memory/2280-501-0x00000000006F0000-0x00000000007F0000-memory.dmp

memory/1476-500-0x0000000140000000-0x0000000140218400-memory.dmp

C:\Users\Admin\Documents\GuardFox\MM1LQ88qGHPZpfYJCxA7SbKJ.exe

MD5 9b536edff4fdaaf279f8fe28f8702f75
SHA1 4fe0efe99f7e74067a0616449edce08a06ff9f7d
SHA256 14bedee6d52a54b4a09eea373df71291fab8ac111b6f3939a1b1807f3145bfae
SHA512 7aff9eb78075f73cecb74123a7712825fa4b3c074e5c16173d71d0f996aaf3a36d1d25955e614b83583fd4854aa34f300f47dce6c7590460b193e8aa5212c828

C:\Users\Admin\Documents\GuardFox\MM1LQ88qGHPZpfYJCxA7SbKJ.exe

MD5 0114a3bde2b4dd8e3ca4f4ceb5a9c701
SHA1 0cab697271ec413947a658dcbbb1f1fb81818005
SHA256 542ba1eedf7b5d223e05ace41b24b934eae71ca05f8e57afcce6a7c300a2e943
SHA512 de6e1bdf75d9d6507fef6f8ceeaa4a0a49f5a6724998b21438faf498f4e9aa0884785fe04faa991e584dcc7d0fb669d081e0c9fdc51322e0dc904c4928cad050

memory/812-491-0x0000000000A40000-0x00000000019F3000-memory.dmp

memory/2004-490-0x0000000000320000-0x00000000003AB000-memory.dmp

C:\Users\Admin\Documents\GuardFox\zx0aWQ_xz45fidj5kGmRSAlJ.exe

MD5 70e7175ca85838725c4cb6b5cfd97fd4
SHA1 63f3d956f5f23bea28315974d57692502eee7c2a
SHA256 816883e81febb183f0d0e1e22d883a75b7469c6f5f877ebac636fc09279a0d47
SHA512 81eef7ad15a0844d03d9b4d2c4ac71e72c354eea45e86bed49c08d58ca086a0625b2cd5c249fdd44f1970f233553b8fe2ad98cf34662edf317337436dc23503b

C:\Users\Admin\Documents\GuardFox\zx0aWQ_xz45fidj5kGmRSAlJ.exe

MD5 b293bca1faac67a48e05b3dd3953bf40
SHA1 a25a52969bd93031a23a36698c3a01c3b90b686f
SHA256 30b479729189903253e8f216439b8b21131d2d18477937fdd3b7310910fb6a42
SHA512 a7f3e65fd8da13c6e6dd3d7488c170a41b846ec8f27b765606ff3bdbbd3140e27a8b61ffae1c08a2d6b3b0c2ca8292ab9c02914a40ad06fa395d7bb448e33772

C:\Users\Admin\Documents\GuardFox\iEkV5AkWBmFGq5fXIdHbqzU4.exe

MD5 823e2596249193c66e3e906a0a09b3c5
SHA1 94ed013d8897de05f61a06e475c5f3d9214a4431
SHA256 b2ae68cbbb3476554506a2bc4fa81301faf64f28b32b722401c670a66a24b549
SHA512 549bfbd3c105ecac254a0c5099bdb0922da4689cd52e096b692dbab18339e331f7e530d52ce18c1483d8e8c48b2bf551d23dc64bfddce0fb1b3d9d453d3054b9

C:\Users\Admin\Documents\GuardFox\NjWsxPZVyYqpDbbfJ8fvgfVA.exe

MD5 229e9ae78b03e94dea9e50c1849f6aa2
SHA1 c28be214a8f6e100c04d8998a78f9079f62b706c
SHA256 5474782ca31234fd571bb60243c7e5c1300276a279e38f39d64b9f530960c761
SHA512 9b0ab6eabf9380cfacd270ec9344ced6c9bcfaa66a3e5702aeb94fc8fea176e44a40bc58327547ec651777ca02141d294cb9d8ce9a3f166e0dfa70ea477fccda

memory/1632-470-0x0000000001230000-0x0000000001713000-memory.dmp

C:\Users\Admin\Documents\GuardFox\vK0PPAPmUAE0hE8jS7enXAKZ.exe

MD5 6ef9dd6bf5754d705a1354e585562083
SHA1 8c00f491cd4501dff68a3ad8ce130f3a86d62f70
SHA256 054401eaaa275001109a614dd93d1e3a5fb265ddf0d14f5c2f479eba902ccb99
SHA512 0254170bb8a680daff80e8ec7309f200167100f9601b014f28d5ba6125c2200c45c03d5158a343e2d9055e657d5ea5cc2f5d0d5f65b85c1a4cbef93c357988f9

C:\Users\Admin\Documents\GuardFox\iEkV5AkWBmFGq5fXIdHbqzU4.exe

MD5 e818911f2f4c5dcec996bd45d112abdc
SHA1 6488de55e9a4dc0878301f8d7884d569c4cf29be
SHA256 8f7ec80f776b4d15e960ec94960d922ecc42c5a3f67ca9a0c869a4fdbfd9af1c
SHA512 a3bcb2f4798a8ef4ca6d3c43d59df63ec259d883d4c9ebc98f82ac7efe852879ea170dff076972b746916ec19cfc653b52c57f97382f1d62d66fb6e77e66cbd5

memory/1964-466-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\Documents\GuardFox\CEbkUTW8hyrrDT6Rf1t8zVr1.exe

MD5 4efbd7dc1a916f5b4b8d333b678084f2
SHA1 eb6baf3de9171a72eca2056c567ce3677f422b07
SHA256 0413126f8560c07a9aa2653512baea4284f5879cc2592e80b08d6ba4fd21ea45
SHA512 7bfdaa3d505144030f555c847b25d45ea9a424d12cf76a2d6354d5b537816591e0c8381406520eda10accfeaaf9a92c4f7060912da819d5d5e66bdff688c7306

C:\Users\Admin\Documents\GuardFox\vK0PPAPmUAE0hE8jS7enXAKZ.exe

MD5 660fd6c484537af5c24819b081f8c29e
SHA1 9bd6a5446af7d9070770c2660279935ddbf7a991
SHA256 be6e7d067a54d216f42a2bca2245ba24e5441e4c258eefb0b1dd3f9315a2da2e
SHA512 c81f014aaf611b02c684c03f3ccc9c2d12705f03dbb4f8359fa69724ff8b48c4549a2682796a8c1f453ac430586ab7d4cf8fe8037fb2dc4a1c590c5f0e831a48

memory/2352-448-0x0000000000080000-0x0000000000081000-memory.dmp

C:\Users\Admin\Documents\GuardFox\rP3VVvbHIAJXsDRWtvhHL16n.exe

MD5 480e0f4949b8a263d7cfa7053dc1cd75
SHA1 368a4ef1942d423d5a7c47b994b0ecb7113dc29b
SHA256 094c50d7d6bdf0ced2a67949dadd9361b259696d6721e71fb4fa69b2905525a7
SHA512 23583ccdaf5894b3bfa4130de4ea37a53478ecc64802fbb9ae37ccf80c6c39f8c797dac0e49ec6da7311c76f82d7c9e98bded5017f99dc4663df91c9eadb8002

C:\Users\Admin\Documents\GuardFox\vK0PPAPmUAE0hE8jS7enXAKZ.exe

MD5 b7090b42b049bebd4263be2ef8146743
SHA1 971900cd0fc32f991874bcaf30fe2356db4feb44
SHA256 69979b126b7eee985d461ad190f8bcc3ff94b106641b4a75dc6211bca58a4402
SHA512 0e5db583afee9fc1230017a62aa9c9c025e8de45ed0b4aa41ced48f185a37696fbb5c709b9314f54db078f1444dc4b20d0db085f3e51b645dce0c8e090c1246e

memory/1732-698-0x0000000000400000-0x0000000000D40000-memory.dmp

memory/3032-701-0x00000000769A0000-0x00000000769E7000-memory.dmp

memory/1592-671-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\Documents\GuardFox\MM1LQ88qGHPZpfYJCxA7SbKJ.exe

MD5 f45d3baaa2791787d60e01674d51b6f6
SHA1 45198af0f45668acbaa6c725f18560bc5466ae63
SHA256 b74a1106ccba8c3da76e0e4a4a65f8ce52913b2e8eab9e8b98558db3700d537d
SHA512 7682710885e59f26891aeee1a4795e01eeaf75a74cedd63821d3262514a3ee1fa9f6dd82f08c21a3dc276b6d93067ada14fb73d02f0bb54995008e68b9b6174a

C:\Users\Admin\Documents\GuardFox\zx0aWQ_xz45fidj5kGmRSAlJ.exe

MD5 1c54648e1004a95b99710010006cc041
SHA1 c7de6c2670628713b72dc6ecb830958131dde8b2
SHA256 34eabb5bb6d2763bcf0dfe4a82c3ab38100f729886bb5a8bcc2b7153962cd960
SHA512 8664bf20eceb9e465518ebc1920bc0152953f635f440b1f906ec192bb6754d259407a8898138334c744f137508a85ac6795015654ebd109c77f6066b6e5a8c2e

C:\Users\Admin\Documents\GuardFox\iEkV5AkWBmFGq5fXIdHbqzU4.exe

MD5 61130501ff2a40cd8856945b04f39c26
SHA1 67c1d30cdbed6f0a973ae300288450abc3e56508
SHA256 82471e8691af3e8bee563e70705c8336752df749fd86ab847ad7d19e43321c71
SHA512 75dd513e86eb1606af2b90622215c62f21014d950188f1c668943093193b7bfdb2b9b318761dc58e66c509b75abd75e8bd20f2f3f2cba3236d2cba3eaf340636

C:\Users\Admin\Documents\GuardFox\fA4fWqni3Fk1dH2hcuGg5kVv.exe

MD5 accfb15c204558f43321664dc978e9de
SHA1 1865f689d93d52da28bceac7c91892cd5a5ad47d
SHA256 da397cdb9ad4e487a5caa93a644213784049175283cc5af98846d8c9588b0a27
SHA512 6a0744d364d721d883b812ed0b3d0ddaa7f4bd46b3f79b6d5a64fbc4782af35641ae0c6ed024ae820b79300a84d53108f774d4e798109e09b029d349f68bbdbf

C:\Users\Admin\Documents\GuardFox\CEbkUTW8hyrrDT6Rf1t8zVr1.exe

MD5 5a55ca850a83e85f0c353e43cc559d09
SHA1 7c14c5e63813cb81a36754059c9946870730ff32
SHA256 f6265ca55f4bb2ca73265b3be8ef741393775ed3f3d4f54f3a1127c5899ce59e
SHA512 737a60aed77e65271a6a99419fcc6ee3724c9ad6a75219240d17b49a14825a12d9222931d7f635a58a7232e818a95594732f88fffa6fe248350d580c2c6ba4ec

C:\Users\Admin\Documents\GuardFox\uJ96kzoVFq4ADEaCTcabRPLJ.exe

MD5 1067a2133245c0825cdb291c8b66ff5f
SHA1 ef9d22b8890723e3e58cc71125fb06199597723c
SHA256 c8f9a85b42dbf953f8a438c85ce0f821ce7f09757ae5db0bd7cd18cbe1f94dd9
SHA512 458f0f88a4ebd168471540303b3c0fd5d3dd7096b3bb22616dce2a66e1287ab12db781f1e2cc2d962dcf273a0c2cd23aa64513d9a30697ad6de0d31a09f3ffc5

C:\Users\Admin\Documents\GuardFox\Dlt1iZAcoIqBH7K_dVKde64Q.exe

MD5 a98439ba177d1d3f371663743b6afcf5
SHA1 f3eb6b31134fe62530f3e472e96570c4d214004d
SHA256 48f150a7f567fbc1bd4745f21a995f5c208c3467a89ce4a04731035cfb8b21a9
SHA512 e86765d47f63cb3ed2b2b2b3c383dda3a2da4d0e9035c9ef41da224e4a18e90f859596022e348eb26cca418f7a5c7f65da88efc9afc6e6321748dc406a9fbfe6

C:\Users\Admin\Documents\GuardFox\rP3VVvbHIAJXsDRWtvhHL16n.exe

MD5 8d1af7fd74ef8f48d5451aa5e0f1aeb2
SHA1 f863b2416a0fc3d0be2aa63ebcdad36d505464ee
SHA256 7222e7d6b67b876008ed763e77905fb1edb6cbd24e65617b777a5e7f70520cf0
SHA512 830d63a3354eb184bd4ac9e2f93c77613a0a1875525f782c2936870658d4958bd564305f22411f65ec344f544a19f8257fdf841b364809d94b6d18710b48c9aa

C:\Users\Admin\Documents\GuardFox\4EC9IqjKczl0bbmOaciB5eaC.exe

MD5 fd542770caa785b5ac67cc5515b7e98a
SHA1 64d9fb05ec4bbbb8f8fc22f378a4cd9c5fcc0b63
SHA256 7f9f5ce9757b6d7dbd1b853dafd7066ac9497a93fe5aa047e95f196d4eff8768
SHA512 e6a06a17d7b5dbb771bbed1a2500f8ff0c7625d16b1e13b0805146869141f0ddd34baf1fcdaff4cd71e2d327dd788c3bed4f7bb4cbb4805822eacc4436864975

C:\Users\Admin\AppData\Local\Temp\Y8wSG2.CPL

MD5 3c06ce67cae8baa081c8b55ff9b9905e
SHA1 9cabf1250bb795fbe7a595febe6bb38ec25e511f
SHA256 1b72e08391178e7b6daa2a298bb940d2ddba5d11c0ba14487fd8fa63980f9752
SHA512 58c6b1207b5cf506a0b95533a34e8076cea22485b2be959e416f6cdec319af258a1e564a6f80ea4a82c8729a8c257efe60162bcb1ef449fbc128cf198a5d72b4

\Users\Admin\AppData\Local\Temp\Y8wSg2.cpl

MD5 5b18147e15cc2e65a95e965fef1d1fc8
SHA1 c704ace88ba674f31c302b405a7f66132ffd4ec2
SHA256 513c2336d643129a32c699e34f075586237f39d98f3b09c627bc336fb5fc0dc8
SHA512 5074ee967e222d4ba7b6a1a7c5b18575d23236e6c8daa793bf6b597139f3cb28b26c6512866cf3746cb54af73f129b1a40cb8396c4fbc37aa155f6613e4ce07a

\Users\Admin\AppData\Local\Temp\Y8wSg2.cpl

MD5 aa43b4141349558ef1024343c73c33af
SHA1 fcc50975889515f12415d2ebb46bbdc017597e2e
SHA256 6aa19ddbb6628d1ef61d7691478413b0b51bcaf6685a6794d22acb7ff2e5132b
SHA512 bfbc81513f2d5eac566da2607c99e875f9e8c31f4e58b2af8ac69290dc48def994151f255de1d4478b90630e5801c9c918b4fe822559f8e6f2e763b6be494bfb

\Users\Admin\AppData\Local\Temp\Y8wSg2.cpl

MD5 712990cad9aada58c2f8ac76805984ee
SHA1 d136f75ada0cd285e2fc072788cc0980c2d5770a
SHA256 2b7b5cff5b465748e0a8b69246cb40a90e561db7a54cb5dde4220b983b41fbfe
SHA512 4818e1f022c98c075a8b288f64c843582e026ddf3a3002ef580952a4f9da7cc10d9870290b701c04dc80854b7a7ea3c42d7f790fccca8b3600d0af7e533affe8

\Users\Admin\AppData\Local\Temp\Y8wSg2.cpl

MD5 8b4a0ca04935272552f3ed07be1cc56a
SHA1 63efa9aaaa7da14452237d639402369898e8ecd5
SHA256 38410d267c741c6aea1a5a1e1695d2e5870eb1bf4234dee9d944d1c8c45b7280
SHA512 2b13b8015161584858e0bc4ab9192d0896052367b93d5db17abf336499f03867a999de2b4b9a3af8511cffce8b27b076feb138be350e5fd4f74e33cf51e7b240

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c17c8a8335b7a92858b6ed5e04980a22
SHA1 7a0b17b558b2c5a3a23fecd3ddcefc4b1b4ac514
SHA256 4bc9b677ce7154d0ba6c654962bfe9037f61ed77d84bcb214be9be5151cd69da
SHA512 5033a96221cc8b6d09de87dc542e1276e0f05f541b2936097f4c1fec9fd6aebcaf6b2ed9e33cd1556d347f2f61966fd8daf3960124c3ab1421a23ffebe38f66b

memory/2004-733-0x0000000003000000-0x000000000300F000-memory.dmp

memory/2352-745-0x000007FEFDCD0000-0x000007FEFDD3C000-memory.dmp

memory/1028-748-0x0000000005950000-0x0000000005B6C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 55fa6d692b0c1faed5ed05739a5bb278
SHA1 c93d060a09615f31554035c369e2a0c6c841f3a9
SHA256 c9d9860f3b766b4445db3647bee2e792c578d76e1447f12abee6c100ebcc1e5c
SHA512 bd51d894d59027f9698144bd0566eabe96b760297ab187537a64f7e05c591d481c0625fe3457d8f1c09c194fe3ebecb785556ab457f27e1161ef6048bada9d69

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

memory/2352-751-0x000000013F7C0000-0x00000001401B1000-memory.dmp

memory/1028-755-0x0000000006CA0000-0x0000000006E32000-memory.dmp

memory/1256-753-0x0000000005810000-0x0000000005A18000-memory.dmp

memory/2352-756-0x0000000077C20000-0x0000000077DC9000-memory.dmp

memory/1028-761-0x0000000000400000-0x0000000000410000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DE6D.exe

MD5 ae4f5ce1ad9e5c3ab6d68dd71454a6e0
SHA1 fd286c24292d9b0b16daad5434d805ea8da07454
SHA256 49a5f5ba13441e7ec1c7da639aa7c01da4054a46eb408d0f0aa85128b22e470f
SHA512 285848061e8901eec19ce2b21bbbfc41f8a646779ec517476730cb96159b68f09ddf9a72bd13e19b91f491cf0ac3dbfa5608dea2cf8062c5d953854b4962c18d

\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 544cd51a596619b78e9b54b70088307d
SHA1 4769ddd2dbc1dc44b758964ed0bd231b85880b65
SHA256 dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd
SHA512 f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

C:\Users\Admin\AppData\Local\Temp\916.exe

MD5 b27c3d053e7c1fd220ee8cb46467b19b
SHA1 65c17b4976651991a6449b7d3efccff8fe27c38a
SHA256 f081e07c6ca98bf4eceefe5168e3e3fedbf92631faa7d138a87f663571e9e128
SHA512 db9becbaf9c6d7f267071fc77369096f8fa6fc61558418ae04e13feb06e8284d844f816620c8c50f39452c8079ab6dcddd9a8c6877d4ad692ffc1fc8b53dc80d

C:\Users\Admin\Documents\GuardFox\gqGHRUK4EKmIkZQQtGKxKg0h.exe

MD5 b13aee5c46f8d950374cd79e13017840
SHA1 3c5044dfcd0d60a4ed432d8807760b595812f16a
SHA256 eff45717fe8b9dda514c52e34af5a3f155fd38006d64573f2fe9712f10db1f7a
SHA512 11acb0379e5102df0ce19ce90f43f78b78882e6a2e53a5d3c224f4f2f444acad9c1127bcfa43b3e77e12e9fa9ae18018a7e0bb19bd6ff3b7f186827b1b370ead

C:\Users\Admin\Documents\GuardFox\RUyFRVJRB6VNLF8TthnG27Vv.exe

MD5 1f195b584b23d49494a6cfde05d07a6b
SHA1 fa6b46d8940634e05418f63e264ae4b64875121e
SHA256 3b122da6dac3218165926190fe6880ca3a4965d734a5b464b4672f649c5f1b53
SHA512 30a1e7c1bf9c4e41204a8f8a870f57f076f99d92c676747972f1467a4fc0d6ab97f78b56b5d1cda197ba98baca6e9bafa8c26879f30edbd9e927c9711f4d813a

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-23 12:11

Reported

2024-01-23 12:18

Platform

win7-20231129-en

Max time kernel

121s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\1.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2988 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2988 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2988 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2988 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2988 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2988 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2988 wrote to memory of 2908 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\1.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\1.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-01-23 12:11

Reported

2024-01-23 12:18

Platform

win7-20231215-en

Max time kernel

121s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\chrome_elf.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 1880 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1972 wrote to memory of 1880 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1972 wrote to memory of 1880 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\chrome_elf.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1972 -s 84

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-01-23 12:11

Reported

2024-01-23 12:18

Platform

win7-20231215-en

Max time kernel

121s

Max time network

130s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\dbghelp.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2648 wrote to memory of 2872 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2648 wrote to memory of 2872 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2648 wrote to memory of 2872 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2648 wrote to memory of 2872 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2648 wrote to memory of 2872 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2648 wrote to memory of 2872 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2648 wrote to memory of 2872 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\dbghelp.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\dbghelp.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-01-23 12:11

Reported

2024-01-23 12:18

Platform

win7-20231215-en

Max time kernel

117s

Max time network

120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\lgc_api.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1192 wrote to memory of 2228 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1192 wrote to memory of 2228 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe
PID 1192 wrote to memory of 2228 N/A C:\Windows\system32\rundll32.exe C:\Windows\system32\WerFault.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\prom\lgc_api.dll,#1

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 1192 -s 152

Network

N/A

Files

N/A