Malware Analysis Report

2024-12-08 00:42

Sample ID 240123-t1hh5acdcr
Target SecuriteInfo.com.Win64.Evo-gen.16085.20859
SHA256 07fc70e17fc81a62cce3afd89755eb174e090bb3c0f170ea23a55ac7cdda1820
Tags
themida redline risepro smokeloader zgrat pub3 backdoor evasion infostealer rat stealer trojan amadey djvu stealc 24k logsdiller cloud (telegram: @logsdillabot) discovery persistence ransomware spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

07fc70e17fc81a62cce3afd89755eb174e090bb3c0f170ea23a55ac7cdda1820

Threat Level: Known bad

The file SecuriteInfo.com.Win64.Evo-gen.16085.20859 was found to be: Known bad.

Malicious Activity Summary


SmokeLoader

Stealc

Djvu Ransomware

Amadey

RedLine payload

Detect ZGRat V1

Detected Djvu ransomware

RedLine

ZGRat

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Creates new service(s)

Downloads MZ/PE file

Stops running service(s)

Modifies Windows Firewall

Modifies file permissions

Reads user/profile data of web browsers

Checks BIOS information in registry

.NET Reactor protector

Themida packer

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks whether UAC is enabled

Looks up external IP address via web service

Checks installed software on the system

Legitimate hosting services abused for malware hosting/C2

Suspicious use of SetThreadContext

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Launches sc.exe

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of FindShellTrayWindow

Modifies registry class

Suspicious use of SetWindowsHookEx

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Enumerates processes with tasklist

Creates scheduled task(s)

Checks SCSI registry key(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-23 16:31

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-23 16:31

Reported

2024-01-23 16:33

Platform

win7-20231129-en

Max time kernel

2s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A

Downloads MZ/PE file

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe"

C:\Users\Admin\Documents\GuardFox\5MlvVudCqNrrtq9_lBlRWeAM.exe

"C:\Users\Admin\Documents\GuardFox\5MlvVudCqNrrtq9_lBlRWeAM.exe"

C:\Users\Admin\Documents\GuardFox\Mc9tVzF6IkkHASMBailK8TBz.exe

"C:\Users\Admin\Documents\GuardFox\Mc9tVzF6IkkHASMBailK8TBz.exe"

C:\Users\Admin\Documents\GuardFox\gRfOp2VODxVQ1Ra8buliycgB.exe

"C:\Users\Admin\Documents\GuardFox\gRfOp2VODxVQ1Ra8buliycgB.exe"

C:\Users\Admin\Documents\GuardFox\Ry560CQesuA0VRPoNaLZeuUf.exe

"C:\Users\Admin\Documents\GuardFox\Ry560CQesuA0VRPoNaLZeuUf.exe"

C:\Users\Admin\Documents\GuardFox\SGuv35g7kNHTsHxPR5QGrGHQ.exe

"C:\Users\Admin\Documents\GuardFox\SGuv35g7kNHTsHxPR5QGrGHQ.exe"

C:\Users\Admin\Documents\GuardFox\dLst4LLS3y0KPsF_Zrqew6hL.exe

"C:\Users\Admin\Documents\GuardFox\dLst4LLS3y0KPsF_Zrqew6hL.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7eDL.CPL",

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\is-V9L5D.tmp\QT6kRHTOlSZnVIstIr7gKrvg.tmp

"C:\Users\Admin\AppData\Local\Temp\is-V9L5D.tmp\QT6kRHTOlSZnVIstIr7gKrvg.tmp" /SL5="$90142,3515248,54272,C:\Users\Admin\Documents\GuardFox\QT6kRHTOlSZnVIstIr7gKrvg.exe"

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

"C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe" -i

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7eDL.CPL",

C:\Users\Admin\Documents\GuardFox\k1kI5wggSG37w69OU4wZuaJX.exe

"C:\Users\Admin\Documents\GuardFox\k1kI5wggSG37w69OU4wZuaJX.exe"

C:\Users\Admin\Documents\GuardFox\uHwhDsNFs_uGIMs6F59vqpG0.exe

"C:\Users\Admin\Documents\GuardFox\uHwhDsNFs_uGIMs6F59vqpG0.exe"

C:\Users\Admin\Documents\GuardFox\e5Bd6wsLjXnztjdrdizZDslm.exe

"C:\Users\Admin\Documents\GuardFox\e5Bd6wsLjXnztjdrdizZDslm.exe"

C:\Users\Admin\Documents\GuardFox\k1kI5wggSG37w69OU4wZuaJX.exe

"C:\Users\Admin\Documents\GuardFox\k1kI5wggSG37w69OU4wZuaJX.exe"

C:\Users\Admin\Documents\GuardFox\THZlFKHWyHhQ3PnSm1WV6COo.exe

"C:\Users\Admin\Documents\GuardFox\THZlFKHWyHhQ3PnSm1WV6COo.exe"

C:\Users\Admin\Documents\GuardFox\K09rhbtbGrLuLpGU5YfvkldM.exe

"C:\Users\Admin\Documents\GuardFox\K09rhbtbGrLuLpGU5YfvkldM.exe"

C:\Users\Admin\Documents\GuardFox\nv2rwNUJBhCnCdF2vk8KOPS5.exe

"C:\Users\Admin\Documents\GuardFox\nv2rwNUJBhCnCdF2vk8KOPS5.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST

C:\Users\Admin\Documents\GuardFox\yPjaS7wR7iTJKevxHiHrOPVV.exe

"C:\Users\Admin\Documents\GuardFox\yPjaS7wR7iTJKevxHiHrOPVV.exe"

C:\Users\Admin\Documents\GuardFox\aPnwp2xAhAjL8RYsu5HT29v8.exe

"C:\Users\Admin\Documents\GuardFox\aPnwp2xAhAjL8RYsu5HT29v8.exe"

C:\Users\Admin\Documents\GuardFox\BVFd1OtMFGKept1621C47Y4b.exe

"C:\Users\Admin\Documents\GuardFox\BVFd1OtMFGKept1621C47Y4b.exe"

C:\Users\Admin\Documents\GuardFox\zGSMKJ3gVV1X6YpG4gBi2Dx_.exe

"C:\Users\Admin\Documents\GuardFox\zGSMKJ3gVV1X6YpG4gBi2Dx_.exe"

C:\Users\Admin\Documents\GuardFox\QT6kRHTOlSZnVIstIr7gKrvg.exe

"C:\Users\Admin\Documents\GuardFox\QT6kRHTOlSZnVIstIr7gKrvg.exe"

C:\Users\Admin\Documents\GuardFox\lrBYQ9ApVOtdrHYt0x5LB2Ew.exe

"C:\Users\Admin\Documents\GuardFox\lrBYQ9ApVOtdrHYt0x5LB2Ew.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2200 -s 592

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6b79758,0x7fef6b79768,0x7fef6b79778

C:\Users\Admin\AppData\Local\Temp\533E.exe

C:\Users\Admin\AppData\Local\Temp\533E.exe

C:\Users\Admin\AppData\Local\Temp\76C6.exe

C:\Users\Admin\AppData\Local\Temp\76C6.exe

C:\Users\Admin\Documents\GuardFox\Hp9viQc7L56anzcJX9MtnffW.exe

"C:\Users\Admin\Documents\GuardFox\Hp9viQc7L56anzcJX9MtnffW.exe"

C:\Users\Admin\AppData\Local\Temp\84CB.exe

C:\Users\Admin\AppData\Local\Temp\84CB.exe

C:\Users\Admin\AppData\Local\Temp\is-DI7MS.tmp\84CB.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DI7MS.tmp\84CB.tmp" /SL5="$701F6,3501695,54272,C:\Users\Admin\AppData\Local\Temp\84CB.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN Hp9viQc7L56anzcJX9MtnffW.exe /TR "C:\Users\Admin\Documents\GuardFox\Hp9viQc7L56anzcJX9MtnffW.exe" /F

C:\Users\Admin\AppData\Local\Temp\BA4D.exe

C:\Users\Admin\AppData\Local\Temp\BA4D.exe

C:\Users\Admin\AppData\Local\Temp\CD32.exe

C:\Users\Admin\AppData\Local\Temp\CD32.exe

C:\Windows\SysWOW64\cmd.exe

cmd /k cmd < Dot & exit

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\E323.dll

C:\Users\Admin\AppData\Local\Temp\EBCC.exe

C:\Users\Admin\AppData\Local\Temp\EBCC.exe

C:\Users\Admin\AppData\Local\Temp\FBA5.exe

C:\Users\Admin\AppData\Local\Temp\FBA5.exe

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\E323.dll

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\23DE.exe

C:\Users\Admin\AppData\Local\Temp\23DE.exe

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

Network

Country Destination Domain Proto
DE 77.105.147.130:80 77.105.147.130 tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.8.59:443 api.myip.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 ji.alie3ksggg.com udp
US 8.8.8.8:53 vk.com udp
US 8.8.8.8:53 medfioytrkdkcodlskeej.net udp
US 8.8.8.8:53 joxy.ayazprak.com udp
US 8.8.8.8:53 cczhk.com udp
US 8.8.8.8:53 294self-limited.sbs udp
NL 77.246.104.70:80 77.246.104.70 tcp
AT 5.42.64.33:80 5.42.64.33 tcp
FI 109.107.182.40:80 109.107.182.40 tcp
HK 154.92.15.189:80 ji.alie3ksggg.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
US 172.67.173.86:80 joxy.ayazprak.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
US 172.67.189.229:80 294self-limited.sbs tcp
KR 175.119.10.231:80 cczhk.com tcp
KR 175.119.10.231:80 cczhk.com tcp
US 172.67.189.229:80 294self-limited.sbs tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
US 172.67.189.229:80 294self-limited.sbs tcp
US 172.67.189.229:80 294self-limited.sbs tcp
US 172.67.189.229:443 294self-limited.sbs tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 173.222.13.40:80 tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
GB 173.222.13.40:80 tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 91.215.85.209:443 medfioytrkdkcodlskeej.net tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
NL 95.142.206.0:443 tcp
NL 95.142.206.1:443 tcp
RU 87.240.137.164:443 vk.com tcp
NL 95.142.206.1:443 tcp
NL 95.142.206.3:443 tcp
RU 87.240.137.164:443 vk.com tcp
NL 95.142.206.3:443 tcp
RU 87.240.137.164:443 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
US 8.8.8.8:53 sun6-22.userapi.com udp
NL 95.142.206.2:443 sun6-22.userapi.com tcp
US 34.117.186.192:443 ipinfo.io tcp
NL 45.15.156.229:80 45.15.156.229 tcp
DE 185.172.128.24:80 185.172.128.24 tcp
NL 195.20.16.45:80 tcp
NL 195.20.16.45:80 tcp
NL 91.92.245.15:80 tcp
US 8.8.8.8:53 vk.com udp
DE 185.172.128.19:80 185.172.128.19 tcp
RU 87.240.129.133:80 vk.com tcp
RU 87.240.129.133:80 vk.com tcp
RU 87.240.129.133:80 vk.com tcp
US 172.67.132.113:443 tcp
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
HK 154.92.15.189:443 ji.alie3ksggg.com tcp
RU 87.240.129.133:443 vk.com tcp
US 104.26.8.59:443 api.myip.com tcp
NL 195.20.16.45:80 tcp
US 104.21.63.150:443 tcp
US 8.8.8.8:53 tiny.ayazprak.com udp
US 104.26.12.31:443 tcp
US 104.21.80.24:80 tiny.ayazprak.com tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 app.alie3ksgaa.com udp
HK 154.92.15.189:80 app.alie3ksgaa.com tcp
NL 45.15.156.229:80 tcp
US 8.8.8.8:53 trmpc.com udp
KR 211.40.39.251:80 trmpc.com tcp
US 104.26.8.59:443 api.myip.com tcp
DE 185.172.128.19:80 185.172.128.19 tcp
RU 193.233.132.67:50505 tcp

Files

memory/1872-0-0x000000013FB50000-0x0000000140594000-memory.dmp

memory/1872-1-0x000000013FB50000-0x0000000140594000-memory.dmp

memory/1872-6-0x000007FEFDA70000-0x000007FEFDADC000-memory.dmp

memory/1872-7-0x000007FEFDA70000-0x000007FEFDADC000-memory.dmp

memory/1872-9-0x000000013FB50000-0x0000000140594000-memory.dmp

memory/1872-11-0x000000013FB50000-0x0000000140594000-memory.dmp

memory/1872-12-0x000000013FB50000-0x0000000140594000-memory.dmp

memory/1872-13-0x00000000002F0000-0x00000000002F1000-memory.dmp

memory/1872-10-0x000007FE80010000-0x000007FE80011000-memory.dmp

memory/1872-14-0x000000013FB50000-0x0000000140594000-memory.dmp

memory/1872-8-0x0000000077970000-0x0000000077B19000-memory.dmp

memory/1872-15-0x000000013FB50000-0x0000000140594000-memory.dmp

memory/1872-16-0x000000013FB50000-0x0000000140594000-memory.dmp

memory/1872-18-0x000000013FB50000-0x0000000140594000-memory.dmp

memory/1872-19-0x000000013FB50000-0x0000000140594000-memory.dmp

memory/1872-17-0x000000013FB50000-0x0000000140594000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\TarF61.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\Documents\GuardFox\zGSMKJ3gVV1X6YpG4gBi2Dx_.exe

MD5 76536960f5a580eed758d395e41f3f7a
SHA1 54f57e4a3c4380206374f9e848094637122e8a8f
SHA256 9305ed7a91452a8e4d7302640a24262917988d1d5b94696a06b9ea929a8ade8a
SHA512 b9733370b241273a604d52ac83b99ad147873f30a071add87240661c17aa7586f3b9ac7addeef82a71dccdfd2b3b62819cc1f526a44d80fa950e50fe4e761144

C:\Users\Admin\Documents\GuardFox\Mc9tVzF6IkkHASMBailK8TBz.exe

MD5 976d8e116833a3378620eb6dc6191766
SHA1 6fc3c456ae59cdee80ff4d7fd1877fc83e984c1f
SHA256 b6ed3874da4408da9449d63696c7f9f5c276ed3c80a137ad75f6d5e8fdc8b8ed
SHA512 40833677a52269133ec3b648302b4d92ed9401324b07315df08e1438eecd5bff550897a9d1677d58248de09daf30aabb66a1f7da540f937968cb90effc1f1a52

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d44e723293704bc9ac5719cc135ac4c2
SHA1 01b8a1cf58ad40ffff4b20a5aca6c94f61a22691
SHA256 b9ed95e4f0b4752ae7eb7630de096b01d49bd609df5a77d5d040f28ee215f261
SHA512 2ba09de74c37c1d7666acdfee70b24de766906c94ebe09a240fb55fcb0f6873d9a1e8d3f7e43a1279ed018a5f1f49dd2fa2d598280bf38c4e9bb3cf99c2c77ab

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 f6cbcb1bb92e2933343b5db249cf8f23
SHA1 468797cb70efa8ce09f671dcfea601325eda1fda
SHA256 6a15fe81a4dae9cdb03d7d16dad5a402b113120a716825efe5192c677b9bbcd9
SHA512 17b61dbe1361eb3964a955085e1c7611bf7295dc8c309d452bff8d5481dcf18b9ebabf9e6b2891df6489db1ce074a889f207c8787dc3698f67788f825d3afef4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 6ef5826153e69fc197e31cc0b936b4bc
SHA1 7b6ea1fd8816d3c1a5cecc67aa726be2ca75d683
SHA256 402e4475666b63ae2c6673a0afdb25587fa9275fc419150738cbe7611f95789c
SHA512 7895bfe2cf454d83b722b324ec3dd39753331e0d45103e1390777ce543a934a8d1fecd84293b87ddf653e1d8c366c0fd50cc276f1700b298182c185d7e9cc568

C:\Users\Admin\Documents\GuardFox\QT6kRHTOlSZnVIstIr7gKrvg.exe

MD5 e83185e896bb98af1f06752b366f86c9
SHA1 54e32d539513a8d0adf158a59415409e71f39ce4
SHA256 b7204e07564c32e4bb3c764a01039183bf97485885b97fd21b3887b10281c498
SHA512 05086d74a31d5cb7fffb3094b07ae4f799c86af087a0d5f31e135e356825f2ad003e49f345023ba819683d7ba914f2d37b98f535aa801195aa049ee349916f4c

C:\Users\Admin\Documents\GuardFox\Ry560CQesuA0VRPoNaLZeuUf.exe

MD5 5e3082f7bfd0ccebbb408436e224d2f0
SHA1 0ef10f3b6be643d5f70b9d58cdb939bd012a8a27
SHA256 8f3ce634a515c95c69be639e4ded14bb7ec8810db33f81ef64eb706b59d52311
SHA512 22f0bb24ed942d146a6502912f695d1ef95147019fd96afb901919597b7e9ce0c9724df498caf9dce23d866ab4d40afd4664f535731566b7d29265535bd18be3

C:\Users\Admin\Documents\GuardFox\gRfOp2VODxVQ1Ra8buliycgB.exe

MD5 ba7aea4c0b1817d3f74310600ca8ef2f
SHA1 18c377a0a82186427f0411e90b325b125ad4a33d
SHA256 b40810b8d93ce3fdb40cd1bc11690a3ec2bdaf69795e68a282a923634bcafe35
SHA512 2a24cdd9c6b44fa158f30922cf80ed1515ce0344aeff2d5ba607d1f05ff316b77f2a28df336539589c8be2a955a7ae710733e5e46f956354078dbf9d11fe1958

C:\Users\Admin\Documents\GuardFox\aPnwp2xAhAjL8RYsu5HT29v8.exe

MD5 42a421e3c2ac04fcbbb47f62a4ced01d
SHA1 6e15d7aa6f7e9a802b1355f64de1fb31da1e69b6
SHA256 79be2ae251ec24a9cb2528e438958dc60eb7de958b03111c026c0c4083117b47
SHA512 ebf07b6f30eaee76355e20fc9530eebb1fd302074cb7bcabc34801e389c2d50909bb823563a0c94a2a543c9ab928c66aa9efeaad9d4383254589b418845daa4e

memory/1872-222-0x000000013FB50000-0x0000000140594000-memory.dmp

C:\Users\Admin\Documents\GuardFox\5MlvVudCqNrrtq9_lBlRWeAM.exe

MD5 026b54bd791198d7aa545eb5092fb0c4
SHA1 2e9a7a83409cb60f33d52a61d4c2f3d99309f8ec
SHA256 2ff793e576e492b7222f63ba277a60378f532e6ce89e05d9183856e3374210e2
SHA512 731388658450966999931219f0ea5b3b2740696b2059faa4ded7a17460cf7a0f98b8409abd471f5886fe5437ee3ec4a378f481b64e33054bbed75cbdac4832c7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e6823f08d3496de8636341d9d3e2b265
SHA1 bed7ded9e8037b49dcf7851ea64d552526c790f0
SHA256 51f110c809d2b75cd1a7e6f97aa0b05ebd844ff86cb90eca862e62e80b9acd85
SHA512 3687c5f9c016ea4fe03d9759f529102e99168c1c768b2f6530a48964051528246c9385d799e5b6aed8a112d01bc5ca777f5de7d067c657328808f2e438080f0b

C:\Users\Admin\Documents\GuardFox\k1kI5wggSG37w69OU4wZuaJX.exe

MD5 7f90654f05490b63d4660f5a02331e2f
SHA1 82879d7d9e4010bf6e27742a88a5daf0430cfc09
SHA256 93cd41f13b802da5d3d06eba69c27b4d065809890b81025a6679277492ddf417
SHA512 f19991dabf6bc5710f2bf36e20f704d0cf67c6aa09585e6aaea4d98f4c55cd248d2a2e4bf46b2c160bffc7fd87458c401c1ba1e6b43d7a8209e4333238d9371b

C:\Users\Admin\Documents\GuardFox\uHwhDsNFs_uGIMs6F59vqpG0.exe

MD5 d2d32e1bd9fb0c80785caf523a4208a8
SHA1 f642d6f7fea0cc766dc46df42093fdc552ee3776
SHA256 c8788e5c2b8d333ad69f1f4a6db59edf430ea7827d70cf16f1530c71decc555f
SHA512 86cb9b271396d5d22b12b41fa63bcf4aa243c8ff0b02ae9d5076e1c1409aad2a82fdb9d8d720628c229bff63e98ab6b0e98e6817192e4685ce5140fbc950e767

C:\Users\Admin\Documents\GuardFox\c4ici3bsNgIIKKfG3tAO6NKJ.exe

MD5 35e24eea9a7079816fc2d02be011456f
SHA1 5bf869bc25d79a6318bfd3b9df7bd39f10381fc9
SHA256 32abb10c78bbc85556fcb5114a3ebd5ede37fa7a2ca267b582ff48c661f7c86a
SHA512 9af249925647917767dcfd8adb1c46bd3c513d49399462ecc491a9ec68ab50cd8ea1a2813496bb04e2c644a5af81b9784b863a8fcbe469cbf7c39906452634aa

C:\Users\Admin\Documents\GuardFox\BVFd1OtMFGKept1621C47Y4b.exe

MD5 9a19d296dcae5af72bcdcd0287b52dea
SHA1 c50e8f2205b1b87403d52f3d94613b4c56ca5407
SHA256 4d7946c16ab2396f76dd730628dfb66469defcc19bd65502d2785c474832a97a
SHA512 6292f24f055da98bea37e9b0cf265c6086f2717b4e82b3d7eee383751ce691376323ffec2eb1e12009c7874fe0e8482675946fe44eb696d6181c364a9a221dbe

C:\Users\Admin\Documents\GuardFox\yPjaS7wR7iTJKevxHiHrOPVV.exe

MD5 c1a9891d5e97b9cc5bde08862c94c18c
SHA1 2706d02e789d2700b7a9d488f947fbffd1e35b53
SHA256 12f485676d36fe2de2f5b40f02c452672376e850151b60e812e221b97f631020
SHA512 b4f98e2e1489791889f40a04bcb2e87deaca1e4569396141ca660d7cc04c8414241e97c6e525d1849aed84181da2c9f3acc050fbabed193f8c1d758427ad4680

C:\Users\Admin\Documents\GuardFox\SGuv35g7kNHTsHxPR5QGrGHQ.exe

MD5 b54ff385df7de4b4e3fda62e20a23241
SHA1 afdc1cd3636d17b71fa145df44413c56cf70b01a
SHA256 989783c2a91c9c8a24b1b1705fa21e7f8112f2162488e30250d09136726f73dc
SHA512 b81834f7078d7ebc2e24f198a2b1a52bf529510db2107c05b0c78f22e59d705f7544461a45d171ad7399619419d2edf0a2e8e50454302d59832ab7684e83756f

C:\Users\Admin\Documents\GuardFox\dLst4LLS3y0KPsF_Zrqew6hL.exe

MD5 4255014417777fa008db5661696188fa
SHA1 962d35498cde4e5f1fd44294c1ba61e302b61604
SHA256 ea2d1c60010358d48d8d4f64cd42e01e7ddb94c91de785961ad46492fda21b2c
SHA512 8cb6bc24e848be18896f3a3955052f323930f0dd7ae6b9fda332c0e2c9d0787ab19d1308b0777f8d2b29848c67eebc30a836fe408652363013cbededb1a02ab3

C:\Users\Admin\Documents\GuardFox\e5Bd6wsLjXnztjdrdizZDslm.exe

MD5 72504f6fc7f6f493c6fc96e0fe86cb58
SHA1 671c4b8f2f04900c071baf00882b92cd885034de
SHA256 bd46838fc60faa15f3578a972106d251be913619e76da18e135458bc764a7872
SHA512 701fcdcdcaa6eb7036d209920a39408a5a58c6d9d4cf19b3c6012f45a7d0e4f834b1ff4ae4122ac77c03832840792f2d3b7e0bf321abcfe227006a3f7c1740fa

C:\Users\Admin\Documents\GuardFox\K09rhbtbGrLuLpGU5YfvkldM.exe

MD5 582feccd13ccc4b729f8604a5307fd76
SHA1 e646921a2dcf2bb7b69b688ab64a991e72c45df3
SHA256 c8a2b5e0b95026f992fac7299b8161fac1766eb398947aae87adf1ef4563e4c1
SHA512 098d40d88e426b96583cecc2dc1c3e696d6a0c2b24da27563c31fbe102a63c37c9be1f93337469eb165c79c70c21d2fb7240ba0bd184bfd382bb00e623cfb457

C:\Users\Admin\Documents\GuardFox\nv2rwNUJBhCnCdF2vk8KOPS5.exe

MD5 f112d0d135fa1570bf7a34e384e0743b
SHA1 2052a72ac52b98e76b4e76d5290434d517dfd03e
SHA256 2742cd38e1e1c40dc900d993f92ae8cff0b6cb0a781855816428e83d26e976c6
SHA512 c34b5f04b286d564b8327edb284b41041248e1183cac81bd9d43d1b1036b0e88211c14c945d898282ca44e7a9a8ba93d25a8ffdccbb6af3e424fd3d2a1e2326f

C:\Users\Admin\Documents\GuardFox\FQXNnh5JAH5lWw_yK891ynAb.exe

MD5 6d0288805145773e1acb980eb3211f76
SHA1 e562336c90c2e8385db8a0e736337e1c3f8ce10e
SHA256 4e311523ced1537da8eb6c66366be8632cc82c2429413974a86c8dfd43d8f9b8
SHA512 d336faf93a4ba2b6e1dc76c61c262254595130f167b406c78f6eda504e0f773c19143a2d7097bf80c051ddcbe745750ebf138b4c63073cdd201cb21565c29b02

C:\Users\Admin\Documents\GuardFox\lrBYQ9ApVOtdrHYt0x5LB2Ew.exe

MD5 8bd45d098c4b0fe155ab178a1e35f4fe
SHA1 551af806c33ea580c66f7c07b10e122290966941
SHA256 b9573e267323caf7ec30b92d51c1a0cbbef263a69d50dbfbf0942d2d5a9f9d6d
SHA512 1d952b691eab6a9e4fb3bd2947a42e5b56e8e97db145cdf3314c5401a940908b40689bbe8d7c4fa8b3acf366951d0e8344be7e024946b7f77c56fc0745029d4d

C:\Users\Admin\Documents\GuardFox\THZlFKHWyHhQ3PnSm1WV6COo.exe

MD5 7e4d05cb0157c1658b71ac6f29bf479c
SHA1 20933c24e962e91c87a0e8480a48d6f137818296
SHA256 544f218f1a6875b97a18726d263eba5b71fcbab11791cebfea4b4a7da1fd194d
SHA512 9ef407da44e7d1807d9426bd5f021dd1bd5c3a6fc84cb072f13b28f9bb2b274c99778b410b99a4b10d524ca80809c42bbad9f1d7b75ad599b422f1a60acdd8ec

C:\Users\Admin\Documents\GuardFox\5MlvVudCqNrrtq9_lBlRWeAM.exe

MD5 5373721eba16b7c52d1f53b02ca95302
SHA1 8b945293d135a1afd888babf4738971dbd607475
SHA256 8dcc8b0423941480f2dc4fcaca1811ea61164b8f8f213396b18ad32a20833b88
SHA512 c5d0c13f0d6036a54de22eb2996333bd7d908664879509699fa03a234b4b4e9fa62c8396b07cda534edf2102f3df5fa633b1e70265d536d9dfcefa28256ea4e4

C:\Users\Admin\Documents\GuardFox\yPjaS7wR7iTJKevxHiHrOPVV.exe

MD5 e7963ab29bb42794b0fa03e3f1ff95fe
SHA1 21c73d1a55a791b54f057df9b46bda2b1d9d502e
SHA256 20ce88d868cd3defed20a12ad18e4779a31fd9a3141f36fe074c9e8b69f1a9c8
SHA512 ddd77982d48373816b20adfeccb594be1bb247300e8bba677db14a312d3d69097446f47d36702e2ee315002a71d9a0c6fbefb08dec16a8a7066cdda204ee88b1

C:\Users\Admin\Documents\GuardFox\nv2rwNUJBhCnCdF2vk8KOPS5.exe

MD5 0b6bea10fda71291b8896cbddf4f845f
SHA1 4c69b2d240952e1fcb7cdf76753b279e5fb76dad
SHA256 6fc2c127db0d65242758efdc38213d2cf558e3c57ec1dbefa5ce33db6df55d0d
SHA512 f4713c736ea677174b1edb202346ec20c7d3fe2a45de96e339fc8365cb88059441d8d9157be1f85b405f010caa497fb9679663f3018d356aec27357bda20fee0

C:\Users\Admin\Documents\GuardFox\Ry560CQesuA0VRPoNaLZeuUf.exe

MD5 3707e1a56cb1fe0b8620a75dd2576709
SHA1 b452b04425cdc06144f1c3bf4c99849491ba3fd0
SHA256 01ce45349d7e234e212bf13dbb16d608592634dd12ed15f214434ffec18d76bb
SHA512 1168a1265b9bc010049a95e2420176eba971845c8f95d7a63d50b386cb9c5116c87739a46b9f621796ffa8f8ee992f61aecad24d64aa076fbbc483ffc37344dc

C:\Users\Admin\Documents\GuardFox\SGuv35g7kNHTsHxPR5QGrGHQ.exe

MD5 02b91da694cb7e36bd54f250687b1680
SHA1 fcae643793caf318f864e03bf7c533b6686c6c48
SHA256 78f6f3f8e79e52d8d7bc1049c7e5e88f7081b722f7ae0890a142cab6e242a939
SHA512 f492fe96c39487949dff63187306e99fd3b7e25afd17afac9ea7faf5c37ce51c05da112fc9becb9e9a43be20c2bf1acf455a035f061625344db593af81b16e2b

memory/1872-501-0x000007FEFBA60000-0x000007FEFBA95000-memory.dmp

C:\Users\Admin\Documents\GuardFox\SGuv35g7kNHTsHxPR5QGrGHQ.exe

MD5 419545759145221eaa9fceb28e67fa3c
SHA1 09bf72aef9b610d32ba9af4a5da14379b67e8feb
SHA256 e5a79aeeee826bd611474a5a0fefc640393fb984ebd3a295d2a4b08496907591
SHA512 7b3437b03178359df2bc459e9e6fe2b09e93ac307bbf5f51d4315d123de3fa7f61ecd73b5af1159b605eed8b10e64e599c83b124f78db339ac6705cfe3038095

C:\Users\Admin\Documents\GuardFox\QT6kRHTOlSZnVIstIr7gKrvg.exe

MD5 260601331d9fc53c49bc5c39ced14988
SHA1 ee868a07c3609731fe96767e8064ddabdf102f49
SHA256 a581d7a33239792c0e5815f7adff34a1115329bed44efe80236e007ed5eb2e37
SHA512 d43750d974a3b6fd5d7b6afedcfc65f765bfcaa3bbb0d51da52a13a5b5569b42d214db974026428a10bb522f1d5c004ae797b58520fd9caf52240a9b682ca7e4

C:\Users\Admin\Documents\GuardFox\nv2rwNUJBhCnCdF2vk8KOPS5.exe

MD5 94e79a5f75724d0f7ff2e78a6c0f9a29
SHA1 4fb26d895b43aca7dd94f92bc3fff7e110391743
SHA256 d6e9c537d80c7e4f485368797f3ac42ad19736965eaaec5bd7e5be94e5409a3f
SHA512 bab69e4a94320cd45cb61a0d95e3b1e65f86cf697308bd61fe95c9fe57f071c881e0980512e397778dc4c3329e0797605a8c23f35fff1cb8b9a71d601d19484c

C:\Users\Admin\Documents\GuardFox\Ry560CQesuA0VRPoNaLZeuUf.exe

MD5 bb308afc478c723c3eb71cf2fc5e6445
SHA1 ecdf8e9c0693f0e011df3a2c835f82ba822ccc75
SHA256 77dd8ef8f218d9d6043785bb85b6f378d930c631c55979f26872368bf1ebfc37
SHA512 92c606e6a3e898c0706f49a2d9fd3396396cdd65f39b4e0fb6c843a35a29dfbdaa73404e964f048a6cb8d7b323060dc7abb279fb1083fd0bcac90dda109c3243

C:\Users\Admin\Documents\GuardFox\nv2rwNUJBhCnCdF2vk8KOPS5.exe

MD5 9e2345d46af917853eb2722b116ebd1d
SHA1 f4707e1626427229e1be53ae062985512442ab2f
SHA256 35476e9aea1ee178e2d33781918a82a0b6163886f566747b268c0df20db7ec3c
SHA512 ed7b8bfbc12de43c3b1abecc724881c27bcd3a9e94a92ec390c5bf7a58430db6b25bf6417d086b4cf0889f3ddc9c1fc3a53ce2deb4e26b4f3980d4489c7eb468

memory/1304-507-0x0000000077B20000-0x0000000077B22000-memory.dmp

C:\Users\Admin\Documents\GuardFox\k1kI5wggSG37w69OU4wZuaJX.exe

MD5 fc5c91ac3698dd7591cd3b19278830cf
SHA1 72dbeb647c54e16f7432782d39bd1360c957de41
SHA256 ec865cee2525fe556d6d2ed1c96599a069ccb28a2cc05a7195cce9593e7e813c
SHA512 734b29f0d0cde789556473dba1e50b802838d574e8930814d618f3f500c341b07333f7566ca7de976e70b34b381e2a08771a16795d95b57814d544bf0764e6c3

C:\Users\Admin\Documents\GuardFox\dLst4LLS3y0KPsF_Zrqew6hL.exe

MD5 310f953b85f34f62d31465a552b8ef6f
SHA1 372c3a234c2f89b762003d2b3217763ac3d8b652
SHA256 f673ba91650bdecebcb80a42307447c05c59bae51f19e60a43173e4d230426a1
SHA512 e49b043607e738c1a1d67f541a93c700de7cb3b3036c382d8592091252a4cc438804ed8dbfbce8de5e4b5ed31f3413946bee386cc6ddc8abfc8037da5eceddc7

C:\Users\Admin\Documents\GuardFox\dLst4LLS3y0KPsF_Zrqew6hL.exe

MD5 c4b2aaf81d161c3cf06f79faa4ee3c88
SHA1 8b3e22d1bd1c4cc24d5b5133760183558bbb65df
SHA256 fe9a978a32efb873079816909aad97f8a1662d023093a4c6c986afed6c50ba6b
SHA512 2e1d1ab370ce4992852fd27cc123351b5f9a7d5bd3ac9dc56dc5193219a328263a7f8d3a04d11498d5e8a94e22182ff9640464be588196ab38b0750ab5d4aeb0

memory/1072-545-0x0000000000220000-0x00000000002B2000-memory.dmp

memory/2244-551-0x0000000000050000-0x00000000005BC000-memory.dmp

memory/2352-560-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-V9L5D.tmp\QT6kRHTOlSZnVIstIr7gKrvg.tmp

MD5 082c089b0e376db7691ef83d76ea36d9
SHA1 44b511858514747fb77c18265c2505ec23db1aaf
SHA256 7c47990aa00b7203196a46d1d95ab43d26a9fc8a7f7fbdf57add211c888d1553
SHA512 4700310f8bfe0ed1e89a83fb3f1ad30daee19a97d780fa542f4b4c42802ac197601eff7cfdb66d426a20c29dba4239e77754f1ff7ba65d9c54041bd6ef20097f

memory/604-563-0x0000000000330000-0x00000000003BB000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-DOK9E.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/1452-586-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1452-596-0x0000000000640000-0x000000000064E000-memory.dmp

memory/1452-597-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2620-598-0x0000000000240000-0x0000000000B54000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-V9L5D.tmp\QT6kRHTOlSZnVIstIr7gKrvg.tmp

MD5 dc00ef336750d2c7bdab03a98b11a838
SHA1 c65b1ab33589a61170ea65fb5c826c6c2a8cea88
SHA256 9c8ced213ee42497b9d8cd33104dcae19c029aaa1a25c1a27e63f5dac80c6a14
SHA512 4b8e0267d88c6b14a334b609fe8c2173811eac0a01bd4533b27d99941bea1463e15a3f9e207512aa714b0afa86c94743bf1f1dd8ab9efdd6f415655c7db83705

memory/1036-601-0x0000000000130000-0x0000000000131000-memory.dmp

memory/1036-604-0x0000000000FA0000-0x00000000018E7000-memory.dmp

\Users\Admin\AppData\Local\Temp\7eDl.cpl

MD5 aa44ade483d1d6df61271fdb70af868f
SHA1 1ed7f151a55b399c197512d0a91d408d5a79fed2
SHA256 b5096550f2dabc2a89b0db8098841a89d9c059e1799455a65ff6896bc73d6876
SHA512 d319ade8ad0d7233e62e200ee9d95d2811e0202f4b9bfa039d673df0475126f5632db42710ba7c8a564f207870feed23b6ae6e3731019dfefedc2cb2ad5ff511

memory/1448-642-0x0000000001120000-0x0000000001E1F000-memory.dmp

\Users\Admin\AppData\Local\Temp\7eDl.cpl

MD5 4651f5aac63d7d9096115afd4b39c78c
SHA1 14fe7fa0d0e761842e7b2dd21a89a85dfcc9bf33
SHA256 c04a95ab4b9e9fed16a1ef6aa319a5e24ac23ced660e669f594d6e3f9b64f5ee
SHA512 bf636c0bf6aff4d3625fca523fdbceb93d420db002b7185e1e32d2e3a68c46d08d64ec7b11011ee9bdc90d6e0e0576d5c3789f92baf02018b244367fa269477f

memory/2400-665-0x0000000000220000-0x0000000000221000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 7cc972a3480ca0a4792dc3379a763572
SHA1 f72eb4124d24f06678052706c542340422307317
SHA256 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5
SHA512 ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

MD5 cdfd60e717a44c2349b553e011958b85
SHA1 431136102a6fb52a00e416964d4c27089155f73b
SHA256 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512 dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

memory/2912-702-0x0000000010000000-0x0000000010242000-memory.dmp

memory/2400-703-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2376-683-0x0000000000AF0000-0x0000000001AA3000-memory.dmp

memory/2400-736-0x0000000000400000-0x0000000000D40000-memory.dmp

memory/2400-743-0x0000000000400000-0x0000000000D40000-memory.dmp

\Users\Admin\AppData\Local\Temp\7eDl.cpl

MD5 1ab43459e2375ad2a5ab3a3bbbe3a2b8
SHA1 608bf4b4a1a3c6d7a47f1ec1e2be06995c02cebf
SHA256 dafd71f61fcc5cf84adac195232255bbed7c9b4cb05899bc7f10a47ea318abcd
SHA512 b33136d9bc9e56502c9b98aa96ba4f5880eddc865a227462dade589b66ba136ff99c9ecc2b22b39e666fb8430ab915fda300e8dfe9949f64e7693c7f47bc1002

\Users\Admin\AppData\Local\Temp\7eDl.cpl

MD5 0e254386817ed3b10fbab1a0b146952c
SHA1 3bd871d81bd7e0be22f4f0d5db8ce4c54314956b
SHA256 458c723594cbecca0dec8f958688044353a69d1adc7a6cfe71eed198034fe563
SHA512 c71f0209f92d11cab26b499f362b6d8a31247e659d1bee1e76ff31eb8c109574cac354134763989f2ce7f5016a59d6d58330ce95f2e929c82b98aeca742890fc

C:\Users\Admin\AppData\Local\Temp\7eDL.CPL

MD5 f186a83c75d11800e6411ee4779f2bb6
SHA1 99024f480caab933d5b491aa4d061d75a60acb9d
SHA256 459b2f7e074688a0209c5268b1c0c9bc87758efc205afa234f29d75619b04a67
SHA512 62c7a584fd73e6ae5bc0ae8fe515ea22c4cce1d83f8cf41d3711e18f16641e6bf64fd97e86dbb6d3fb0c3fc401e19c3782095b861023123d150639ccddc5f8a4

\Users\Admin\AppData\Local\Temp\is-DOK9E.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

memory/1036-569-0x0000000000130000-0x0000000000131000-memory.dmp

memory/1036-555-0x0000000000130000-0x0000000000131000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-V9L5D.tmp\QT6kRHTOlSZnVIstIr7gKrvg.tmp

MD5 9e04607a47e4ba20b4a378e4613c5433
SHA1 48ab5d640e8ebe5b1943aedb3c64d31382fdd03e
SHA256 23d8ffe080ecb5f9d5675753a24cd4a4153b6c9ff46526a551573fbc2cad5499
SHA512 2a339e508d899cbdb6a4fb19ae263ec4863d730ec8e3b93e2d010922f3bad7bd26821cc7efc95a8e5810815e5c41a4830cf7d84057458a091f700ed7af40753e

memory/2200-554-0x0000000002070000-0x00000000020D4000-memory.dmp

memory/1304-553-0x0000000140000000-0x0000000140876000-memory.dmp

C:\Users\Admin\Documents\GuardFox\k1kI5wggSG37w69OU4wZuaJX.exe

MD5 113a928ae3f60140850ce7684e195f10
SHA1 ec473ab396aba28e7adefbda6f7aad6b5c9ecd47
SHA256 19c8cbfe0080352927396c8b1877542824e6ae54bef79911bcaca31f7e92424d
SHA512 6fb31a311cbb20d00697c5023789d74d73fa4fc795e57595707161250c70d1fed75f22c6c1903c59707b4e81a6e6e4a3e412b7e260e476904e629ec7d49aa195

\Users\Admin\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe

MD5 d8d3c854edcc0fd25fbb5ff5ac766912
SHA1 f9a54db883ac292d1972da3175ab21d1a5fb8f51
SHA256 87ca94d4a773c540bc60b0fae48115e4baf78127543d1e30282d547f9d62ee42
SHA512 560704a5c70f1c5223badd86e5f3e4fac322a332439d1c708c181b46d7ca9e33aec6e17416b95a33bbcda9b11e2da8b9b159303d091c6c8cdfb9763c1beb10a6

memory/1304-550-0x0000000077B20000-0x0000000077B22000-memory.dmp

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

MD5 81dd8e86fe0cf52bfaf39ae45f3877eb
SHA1 f18efe4f6855ad43893f923cecde0e2ead2cc96e
SHA256 3fbcfc6b631892274d9d1665c62835fa9e2a1bc642b83566eadcad65008ef4eb
SHA512 b2f5927e9dcbab075c644240b29c603dcd0cbbf4a55787b09181b9bb50f0a61994a409d954d0d1db327a50622aa7f3fc9ac28b76827d3dae8e71ab351e30b81c

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

MD5 c15184b6ab944092f8a6259dba4ae797
SHA1 bc5b0892762d170543a8782bb9691e7395d7d47c
SHA256 3d915a89e01fbdaf32b1fc9d740715b850e04ea875a9e7a699d847abd93cb40a
SHA512 ba6e2fa1bf120eb92925a790f19cd27c279bd893a4ca1a57bed5a35002392743e768ffe53acf7d242e9b6fc25449eeada78e525a4ffbdf6f9617af440a02c20b

\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

MD5 ffb2a440d94960ebd085823ce9160c5a
SHA1 d5961b9e9444a3be812fbfeb130c5b6ad4f12aa9
SHA256 2df1b98b13864b340924cd94c9b397c2db9cbbc1c549c589a99d85f4f880f1c4
SHA512 961b871e18ce0bd4ea32032896c3372034eaf6ec0b1716302779a4d666fba758914f82add996e093b97ccbad420fe8e8e9b54d1266a8dacee23655013d98a387

C:\Users\Admin\Documents\GuardFox\K09rhbtbGrLuLpGU5YfvkldM.exe

MD5 959217bee9872cd0a4b81355e474bc83
SHA1 580e93a519b24463ff23d5294387b8b3138493dd
SHA256 e6f6a390ccdb070e742ed83d1abd4572f62b5bf36be845b9b6a8b24ecfaab4d9
SHA512 edf8f0a5cd3ab1454cb73a8b995d8634903c0c5a049831358d3487918bb696e81f6ee88b9b1d4962cea57d4c59637ff00c8d00f7cab027d67f461a46e16a50ed

memory/2680-769-0x0000000000530000-0x000000000053E000-memory.dmp

C:\Users\Admin\Documents\GuardFox\dLst4LLS3y0KPsF_Zrqew6hL.exe

MD5 1b1c1f229b0c53e361c1561044ad6de1
SHA1 d0ece1e1d45ed0a0430c94b24a116b874f8a0dba
SHA256 39c81ec1ec0679c1e81c62138c68ba51aeba5049791f35f19c7902dab31b3e1f
SHA512 1c03811e4be888bc1025c984eead1b6b18834e9b6e4a05199e2a94f96e748e27e8f66bfa106dcbf7385a6e493e4d602f1714e2fa92c05acc28abacacf8105ea2

memory/2680-772-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2680-775-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\Documents\GuardFox\e5Bd6wsLjXnztjdrdizZDslm.exe

MD5 e02f67f2ae2f25816b37a6aed1b382b4
SHA1 2026bfc843f5c6cc8a6d822455053472b8a83971
SHA256 99e272abbcebc929642212509283dcaf8768a28452cf641af4b58bb03183c850
SHA512 588932b70bb3c57adb0d29cde81e4b97675dbb09dd66bf90be715229b2cfb42daf6d2c2e1f797a8b7e21d69f66c8b7024af0a1503c6f7bde69ad45f17d28fcea

C:\Users\Admin\Documents\GuardFox\uHwhDsNFs_uGIMs6F59vqpG0.exe

MD5 f69b9c43fa8798fb09ccf9800901f845
SHA1 d01f37fdd0d34c34060091fdd20635baf3f79918
SHA256 da0bc5457f495c50efa1a5523ca3fd77061ca7d8571c7c177d52cb0368764483
SHA512 22bb6be4c0f6626fbcb0ff39d5b0ec7cbf2aede4faf64c5e9ce71f8d9b1e393c5f98e0aae701f7c575cff2a5b1e29feacef80187a51566d6ea1813dbda39e3f4

C:\Users\Admin\Documents\GuardFox\k1kI5wggSG37w69OU4wZuaJX.exe

MD5 89adadf0793070e75068a86d5fbf08a0
SHA1 eb18574b7da1bb5b5d4d4640c1a6b51b82a62549
SHA256 9e7f1ae2a0118fb5875c7596c51adb637f2f11d7616d3005beda28c18d7b5a9e
SHA512 5fdc83fe557ebba8c6ced1173ea0f5154643ebf076cb6275b97fbf5e816f951e4b837408b0d4bad3dbef4d86dca034bfe87db77eb5f049b412e304478ad66899

C:\Users\Admin\Documents\GuardFox\K09rhbtbGrLuLpGU5YfvkldM.exe

MD5 33b6176088aa8676e7dd04fddbb4f832
SHA1 9f67feb9dd42f51aee33ea9bb047cc62b8d135b1
SHA256 d910285b11347ab6c6c27feed3226e3c8a3d0e3036185f622cb5f0bea4ec44e5
SHA512 c569ffb96cd5583afbc7e07ac706939cf29dfbb5419b7eb54dcec7e5954b43312e01db79a03c07a9afd965cd47164c721d14494b46501e753bf3ce1b82093069

C:\Users\Admin\Documents\GuardFox\THZlFKHWyHhQ3PnSm1WV6COo.exe

MD5 f3e4804ab0ba308bb4325ba3a34d6f65
SHA1 c323f5516f0c88393057510b2c7c2b5957d6751d
SHA256 ace17058a1706aea6d6d2036fb6bd5b01025a7c9cbb28c4c47e9ffbefe276f1d
SHA512 81475f52bf23b985106cfd47752c408b2a2ab875517668320a0d38a5193ec6fb3216e12e4ed237cbb623aa38d99ebdbee3f69aebe159a2da7e5de3ff864b6b30

memory/1304-531-0x0000000077B20000-0x0000000077B22000-memory.dmp

C:\Users\Admin\Documents\GuardFox\uHwhDsNFs_uGIMs6F59vqpG0.exe

MD5 78816926d26a0a3aec43cdc3c4956ab8
SHA1 809e335d6002b6f32b162a00a51fd2332e8f8a79
SHA256 accf49b74c6162e418771f5820d677a54d4e9a3ba46d2c39c1053193afb6c035
SHA512 b0a57ffbf8316fadbdfb8569fcea3e0992cc96463cfe1d59419c65677c2920835da18beef8427e7a31b0350266978de80a2b880a3cfb458ce8ac2fec23b2b22f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8c8f2577bd7b73df1c3c804c896c8f56
SHA1 fe384d1b7f9d4ab48afbf2210851c3d72936400e
SHA256 8c7a6eeb096d601747efb5b37d20800fff19ccbb53361581b8e237b071533dae
SHA512 017ff552836d227df32926f54235a9c352e1e2d0af3670821383d4e28ffd2801af25398acd41c7dbc1fba10ddbb628435f23ec18759265f1a5f95a8bc28812b0

C:\Users\Admin\Documents\GuardFox\e5Bd6wsLjXnztjdrdizZDslm.exe

MD5 8953614f4470b5cfe549e69f30b2c896
SHA1 fd27cf492ea218646eb2242f29a008e2ddc556ec
SHA256 04b7cd51fb43a366c13b47c22823cc4bf66e34aba8cd9e4e64553200b8a17c92
SHA512 109d69bdb9389c696ba9eec9c837023fd3ef8876346caa8b7d5431d7d2357859f34943fbc4b210c639e632562f100c49ab70e2c6f27186f9ee42df481ca6fd18

C:\Users\Admin\Documents\GuardFox\THZlFKHWyHhQ3PnSm1WV6COo.exe

MD5 31fca95f00faa6d8906c08fcedcd3157
SHA1 4b135b768a6ad5360bdc89f70eb6e63564cb0019
SHA256 62befb6fca9d7a3ee18d5f78b3a7c631c0ec9c809a796b8d30c333d917715ab7
SHA512 222a5ccb631be40362ce28dbf0bdbe7b30151c6962dcc0aed3ba58da50e842cb5b9658073daf9d77b4eb95ee27ba33bb23c6622af64f559774cdd7016d54ac4f

memory/2200-791-0x0000000002130000-0x0000000002194000-memory.dmp

C:\Windows\System32\GroupPolicy\GPT.INI

MD5 93b3886bce89b59632cb37c0590af8a6
SHA1 04d3201fe6f36dc29947c0ca13cd3d8d2d6f5137
SHA256 851dd2bb0f555afaef368f1f761154da17360aeea4c01b72e43bf83264762c9f
SHA512 fc7baef346b827c3a1338819baa01af63d2d4c31f3f7e17b6f6b72adab70de81872a67e8f3c1a28453abb595dbac01819a9bcff0710e9651a45deaf2f89e65fb

C:\Users\Admin\Documents\GuardFox\K09rhbtbGrLuLpGU5YfvkldM.exe

MD5 9b5f6b947895e56f6d89d8dfef9184fd
SHA1 7be614db9d2de8c9fee67be8b5cbd3626aa1cca2
SHA256 22a6b64de8636eaf707d15bb607e26dc5d5c4c1a9a96c8b3ee38bf09eb6d56dd
SHA512 e02ce935abfcdc92e993c6c93909d451361bc84d0298a7cb307280ba5af3c6dab6be7a4d1c2e07a64796e72ca91c1c134961667918f6bf168beff3e768c5ca1e

C:\Users\Admin\Documents\GuardFox\uHwhDsNFs_uGIMs6F59vqpG0.exe

MD5 2d76f991f7bcb1e4f2e990673db4be07
SHA1 67bffff35e3be98501c2d5c6766670bcbcc4afc7
SHA256 0a5ee78e708f8435f77528f0f6e806f1cb0b5c618617c6039b3e40b5c6763f40
SHA512 76cfb92e2172bbeab8344f18ba6988ff38f6ecef90e88d9768c0d3878fbf2b42fa2e43c4ae5d62f82f2569c4b62564bf4dfae28b12dfe8d5d8f70966e2a5aa61

C:\Users\Admin\Documents\GuardFox\e5Bd6wsLjXnztjdrdizZDslm.exe

MD5 5e2144c5c83c1fee76aa38ff002a66f4
SHA1 0a8bc2588fd0250b4dd7d24bfb310a5fe42009a2
SHA256 3d2f19ccdd21f307c10b37208f940a8804632ed7c4aad5e5e9b1b2d875decdf7
SHA512 4093abd39a27771aef89a645499d49a60a43683a71b5e6eb1cd12e718adbf789317689ee4007c69dcfe87674a47c2b41a9fa288b02d61c629d4e8f4cf09f49c8

C:\Users\Admin\Documents\GuardFox\THZlFKHWyHhQ3PnSm1WV6COo.exe

MD5 e46cccaf3a4d5392e968ab989a1844d0
SHA1 14b07397170e569ee79fc9064655b5ff8c59bbd3
SHA256 7abec92af879b98f1fb9999857b9a14a9769f6f188df3f478cc7632a6736b423
SHA512 c7b883adf05ed2a739762e48e8c13fdac7628b080b6d70b2429977ba509750466fab15a0a6e7380adebe305da73164b2c906cf09dc466d8b03e6f64a54824e09

C:\Users\Admin\Documents\GuardFox\SGuv35g7kNHTsHxPR5QGrGHQ.exe

MD5 4cb8ce39787f0f2c5bde032d9e12c783
SHA1 3345368b48f39195fd8ff227b053022ea042aecd
SHA256 565a0ac9a1b19bd285e112a3805f8e4802ddc24221e4df16ee8ecafae08a8799
SHA512 e3d85867cf057bbd30f98e92a600b97ad1bc3911f8dd9c902b58f6efee4e986cb2f75696a2608da2dc90d53bf8be3157800a78138fbee9f15d1bafa94f4cdd26

C:\Users\Admin\Documents\GuardFox\aPnwp2xAhAjL8RYsu5HT29v8.exe

MD5 01ab980285a04949fc80c7d1cb3a539e
SHA1 679eae3d0c8e75cff3e62e423263b0fc9a992a4b
SHA256 e87ec7fff8033d85fee373f8dc74f7d5f35e0a967ec25f5c9c6d51efba3841c0
SHA512 4c34b2c042538e6f4af9efebd0861640dd696d69ccaa1a4e9d006b306e3b463250ca50b92e72d6b387ac25edaed3a22095bc2a73dec236c4a8e984aeb8ea38b3

C:\Users\Admin\Documents\GuardFox\Mc9tVzF6IkkHASMBailK8TBz.exe

MD5 5df9cb8728f384fe52743cca46cdf898
SHA1 f9066df504346a39a2c27137aa977cde506dcbd6
SHA256 7b7c716c50042f12072f56b82570fe820baf615e08d001f1d8b183d2617857a3
SHA512 220f8bca4e0e391d02ffcd7f528c529c1e88dcecbc7b90cb760681191cce7708c9dcd34a8f2eb205b97e2a44c786ef49ee43b8d10ae8c14b03c06dce36170e07

C:\Users\Admin\Documents\GuardFox\gRfOp2VODxVQ1Ra8buliycgB.exe

MD5 b246d07fce22a734de8cb21b3df21ad3
SHA1 ec0a8d012aee9e19be8f67eac9bdef8ea639e6de
SHA256 c68ea274a8d834b48dc8800964a86b431c0c1295e75f17be0fd78b7afd122898
SHA512 7e3d8fa0f884da1d2a366f6cd597bec196de20458d00c0546901a22de4f4ed73d0f2c33aeafe04f7538384caf1dc90b9eab9da9a1d9e82c77ef251ec430b6d50

C:\Users\Admin\Documents\GuardFox\zGSMKJ3gVV1X6YpG4gBi2Dx_.exe

MD5 6fe0b735a03d35402ef73e0a570e92e1
SHA1 d8061d01e359b0c6a02f430a4c6b31e78a65992d
SHA256 379db0893887974455ccbefcd42a8b3574401a5ded156680da41045828d447bb
SHA512 ea90e854fde0802445b1c3e7cc44f1353b7b51d9f22bfbdd4f43d0969d7dcf793b69100731d41dc3df49abb3f2b6aa63e01c1232453422067be9d9bd66d130e6

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

MD5 b8f44e5a55d7d24dffa78bd73e03232e
SHA1 e57145e90f2ebd9cd302a00a046af312c965748e
SHA256 db2da7faf7028280956ac3fdd34e21c7df935d44d4af502979e0ec55c9c97825
SHA512 1d62baec661bb528d35c9072e969d86feef2e1a0d181afd96cc121242bc37b26440292cb4c7232647cea998a848babbb20dfbee09b615f9948f2c0202346da46

C:\Users\Admin\Documents\GuardFox\yPjaS7wR7iTJKevxHiHrOPVV.exe

MD5 e8e8e4a6d20a567d7850865b8435b10f
SHA1 946a6c3062975e2afccc95f6739b0c554297691a
SHA256 b5a537d949d4ab67b0147a63030d26aaea631e78dfb7fea72ff29bf571b27b53
SHA512 8ad2a20857736b1655b41fa17cdd153e8e4360ef0958ffa04945d3c9634e9dbc3d97cb3c32513bf33fdbde854eb9d2fb6b4bc96d7f1844e082e1cd8295b840f1

C:\Users\Admin\Documents\GuardFox\aPnwp2xAhAjL8RYsu5HT29v8.exe

MD5 d87d79c83eb85e22cfa829b8e095b516
SHA1 62788dca02f2115392de04794edd1cc034c448c3
SHA256 dce45932eff3ca3a3aa3f871531abae09b098033fa692884c7abf089c5a5c97d
SHA512 63d7ea9593ce282e9fbbe81110cf600d7ce7cb03afeef43c1a1828507437785db7b784ccf0719eeee945ed7ee3deac264cf2cdb80fea6be9d3030465d3529bbe

C:\Users\Admin\Documents\GuardFox\Mc9tVzF6IkkHASMBailK8TBz.exe

MD5 ebd6f7a6cb7aa2c1f16389618828dd18
SHA1 6f0ab3eae5a5c4ed3383ac48a4ac067294c87728
SHA256 80b7f795cac71ff494d915f171bca9feca53cf6d9c6d5b87b2c773ea8266403e
SHA512 b0ab45f303c0c7051da0248713d0b672d262bafde69112e3fe021426bfce869089329b324e3355a94cea76cec4feb6a024ab74499e1f025f82eebc3da11521be

C:\Users\Admin\Documents\GuardFox\zGSMKJ3gVV1X6YpG4gBi2Dx_.exe

MD5 abdd44ee49644dd47d86cf9ee321d2d1
SHA1 6414ddfab7d91d4be56e654219e56fb66cd1bf4f
SHA256 38cb8c23fa6a0aa7d2d8c3b58285b075adef643640838cb0e406f86a238eb607
SHA512 8f25c9285ecfbb3d54f0ce21161eabf34dae40ff82bdea80773c7702b9f9b25b5852c6e6b5ffc5e5ed71e1808f872f34894f39a783689d1feadee6c796f216ff

\Users\Admin\Documents\GuardFox\yPjaS7wR7iTJKevxHiHrOPVV.exe

MD5 aa4d9dec958548bb7045f82e30e1487e
SHA1 adbcb71a8b8a4b1af5b77298cbf2ecbcd1276935
SHA256 fa48c84668675167c64f5e1f3d58c589bdb2a497ffe440b0b5a550615b341cd8
SHA512 064dcfd0feae39213db675e1a8a8336b680bd369d4db653816e11071b0a305e505411825a0c48b30a8dac41a4d35e95dbb92d0347bf37fa059fd9040053ba0e2

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 08e3f5d4edd74c03f03fd120e7bb4565
SHA1 cc2ce926449c8e759adc3e05e9f5e39c49ee2707
SHA256 b8c9062de08bc7f364fc080922ba210bac65308b59588223144b1ffb7a9fb742
SHA512 defdc595d83ccf5a2a90240f01a0a1b0e10dffcc29203bf20e46bcfe521b1646d25461dd2fb513928f45376839ea34a0d0e9782d023e5c7abf3f2926e2cbdfcd

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f3f3a5613a8bd24f558018752316070
SHA1 7962c473e97157f4fe5421435394cefeb9fc943b
SHA256 a1d69f0ce2e5ad3198c6f3a23ee0975fe5654a21bbcf11cf34f76014b3f24ffe
SHA512 735b6a0bc556f4c128524ce54a74feff4fbe37a538284a841e63c6134e81cea597ab630655fc6714ba953182b6faad718150d9daaf5b9ae92ec6e5a4edf03bc5

memory/2080-468-0x0000000001240000-0x0000000001298000-memory.dmp

memory/2304-467-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\Documents\GuardFox\gRfOp2VODxVQ1Ra8buliycgB.exe

MD5 f740608b4fc3a10a4526f0c2db5fc67d
SHA1 91a6a17d5a90be772997021532d6d0615d550fed
SHA256 35e87fae499edf23f25bfc5be34be901c0dcef34851db88b7d96eeeb6733860d
SHA512 2d45013aa54d29977eb173ef873ee2464081ee650c3df04fd381f9e8aaaca4bbc58de61228cbf365439ad05a81de4bed8cdafbf4a3762eb489da23d65010fe3c

C:\Users\Admin\Documents\GuardFox\QT6kRHTOlSZnVIstIr7gKrvg.exe

MD5 ffb0383d564e75cd8eecf8fafc513e49
SHA1 c7da6de4130cab9bdca1eaf0213bd9e3ce1206e9
SHA256 f825baede5ee31b7c858ffa84097574f07025c5ce002aa96d8cb2fc61e51eae3
SHA512 160b7da61a017237a15d8ef73c75582f1265c3e0e4f23295aedde04b1bb96c691fdad05cb850717f9f89c30133a414239da008b58fa81c6ad97db254c30a239e

C:\Users\Admin\Documents\GuardFox\lrBYQ9ApVOtdrHYt0x5LB2Ew.exe

MD5 5fa878455587d484dba37e41a46b9343
SHA1 82f4dd3a18554bda4425a897433b31f2d783587a
SHA256 e63841c08999245e9c424161cca81afbecb2c9e20b53aa2eb988a923cddbe6a4
SHA512 60e23805e4a72ed423a65d2a3b19c2f6f4c16587f74499f78478180e0964dc9a80a584fb3a607c7a61ddf8085cd3ae23a5bf6a0d25aff78b96b808007d7e1654

memory/1872-446-0x000000013FB50000-0x0000000140594000-memory.dmp

\Users\Admin\Documents\GuardFox\uHwhDsNFs_uGIMs6F59vqpG0.exe

MD5 2730df5b5242ebc512d8170073c7e671
SHA1 65a7118e3b3c5053d1480f06392766cfe19e7f9b
SHA256 b3d176f2d510f745006d884835ac8aef6e5eb9b41dcaab08cf2cb0f3bfc40422
SHA512 b9e947994fd81a99a6a87b9933c9eef15eb71ea2a2c22483ec86c0a8ce29feacd690dfa948276c40f3b1bd542b4d58710b2d768df3cc005681ad7b83ae5b00b9

\Users\Admin\Documents\GuardFox\uHwhDsNFs_uGIMs6F59vqpG0.exe

MD5 8218f42931e88b87e2dfa0cf0f454bff
SHA1 35e9f98445f3d8ce4a355528a51571965e06c224
SHA256 8211ce1354e9206290ecf846581f2f8ea49ce5bde2589dad581f0919636b0e35
SHA512 b5387e3e25f4179d71a5b975680d4fe7fc975bcf8415393aaf690a65068682605401a2c5c9f6ea9361e75e53ab2ac3977f74af90a50f3cdb75d3c8836f6d3f35

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 1c64238596725ca86caa236d21969eb0
SHA1 ede0a36a101cd34629691a754e292a0810de8bca
SHA256 2b7ddb30646c350592f27c1cd45c009b98032ad8c04a0777594dc4eab80cfd42
SHA512 23735d9f67258cc52375f964e4d89aa0201f7d7eadc694b888131e937cf3b947ead44fb0853faa9b945300502946cc4ae0c5ac3f239802ca16059b16e140aead

\Users\Admin\Documents\GuardFox\uHwhDsNFs_uGIMs6F59vqpG0.exe

MD5 e05993043849abdb0e45df515a5ea46d
SHA1 e5445faf830a754e632629e2a08e5b8883bec8dd
SHA256 da8af6a23dbe3c47f7bbcd3deb6578dafdcdf3fc318f0f33e71b470e52e08566
SHA512 7175890714e9aff7f764549efc90a80c6f0529318ef5f278ed7dc640591ab41f354a98eca0e4a988294b001fc69a3b17c87ba087aa5b8a0be91a4122d5dfc350

\Users\Admin\Documents\GuardFox\uHwhDsNFs_uGIMs6F59vqpG0.exe

MD5 dc9ea24a91eba3cc1b5c31a6f988bb15
SHA1 fbd764f8106448c2eabbf14423178722e8e52713
SHA256 4042b569ab3afa84569cf3726f2f3c88144178132bfc92a792c081a89891671e
SHA512 bf50cc6c2168ddf2f29eb9db1da22c9fc8eb24435b357060ec396828985fc7d849a4dc1af665359c487cb6a51620c79e50e64f4d1e60d6c92d0236f1ab4c821e

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CQVX0JB0\buildcosta[1].exe

MD5 f6db09a010c187dcf9e462d85de5dce3
SHA1 846856c8264da881633ee8d1a48c965fabcd1c7c
SHA256 fda84d697f560685ffc8fd22392477c0b91e3f2e440264cdb4db92f6d82ce50c
SHA512 1adca5a6813ee537558a83163d64b831bb90b5c228ee0f17dbb84fcaf46698d53c914cdf1d19c21752f8594eef4e7686da83cc1b875980c34cfab27398027b0f

C:\Users\Admin\AppData\Local\Temp\533E.exe

MD5 b6a5467c7c805cfa277ce46f5ee33357
SHA1 4a22b6597904b888e3c9b99eeadce2880e0f0039
SHA256 659df3449b0810e0193c1548767cf28b5380c30c8cfc93ea00f5b7737981d733
SHA512 19a5906ace0d515717a1c49604b6a7b34e6e7b27588239c8fe5f997501ff5cf80606d896e7de4c6310a6fc17efda9122b6d7c4b2ed875fba92505e28ae7ae049

memory/2244-940-0x0000000005810000-0x0000000005A18000-memory.dmp

memory/2376-941-0x0000000000AF0000-0x0000000001AA3000-memory.dmp

memory/2376-955-0x0000000077640000-0x0000000077750000-memory.dmp

memory/2376-957-0x00000000770F0000-0x0000000077137000-memory.dmp

C:\Users\Admin\Documents\GuardFox\v72b8H4q_hHKWVVIwqLtukiw.exe

MD5 3ef3679b8cd4a62d1ea38f193f66cf0f
SHA1 c3755f2ec8940e9948bf6c181547d3a0fbeb2cea
SHA256 c1b13a43cef22432c5325e81ebd4a0e9f7b681107f5cf788312fff6d7e38c4d6
SHA512 5e80032fd4674131700ee4cc9079ca3cce46bea2a9ff7b63cefb43c17cd964ece92ead001696e6d86ee7bcfe4fe169a36158fe66ab2fa309897e185c98d3520a

memory/1304-979-0x0000000140000000-0x0000000140876000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-DI7MS.tmp\84CB.tmp

MD5 f7a1e7ca916b5665f68f9d8559aabacf
SHA1 d35baf1d886e338beac6ec1cd77d2b1e9386cedf
SHA256 4860cc12e693259f41fc361dade9c473e3af6f2a3665b8e150b30fbc4db155d7
SHA512 341ad526bf17d6ce141cf97cf8af0342c2a8646086cb767efe806ba2ef571c6768162270e65830582399fbcaf8619f74a66fb823b5a0a224270cb7f36239bab8

memory/2420-1001-0x0000000000A30000-0x0000000001018000-memory.dmp

memory/1304-997-0x0000000077970000-0x0000000077B19000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 af57f187d1a74b0053d5e779cb9c1a2a
SHA1 76933223b7f6b12c0bd7ca223cd1dabfbaf52b56
SHA256 ba501609e0676034d65dd4275665fc3899018e111046b950770db1b952b8eb8a
SHA512 88cc9e78c247959eed5b0e4741f65ebd01a523ac2982e7eb45f1d68dcefc5939294dc757c134d3e65dd629cb805393243b49e293baf705f06d50785228791bad

C:\Users\Admin\AppData\Local\Temp\CD32.exe

MD5 22e9c6cadd6ebccec93480dc06edbf6d
SHA1 3eae76e366fddc50d1106dafae1680e9d2eebb93
SHA256 ca817b0a262c566609c3425d5ecbcd15fd87899db730894076e3468bcd5190cb
SHA512 47ab8a4d9799eab27e24931e7e905de9ec6cd3cebbc4e1b1dbb2b134edf280a54e81c2d6d1d2ae5269835d24f270b5fbe33e7c43990a2fd3c19147d9416c21fa

memory/2716-1033-0x00000000001B0000-0x0000000000704000-memory.dmp

memory/2996-1044-0x00000000012C0000-0x00000000017F4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-23 16:31

Reported

2024-01-23 16:33

Platform

win10v2004-20231215-en

Max time kernel

20s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Documents\GuardFox\bd8oqd2X_KNvUIchBGw_sNLU.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Documents\GuardFox\bd8oqd2X_KNvUIchBGw_sNLU.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Documents\GuardFox\bd8oqd2X_KNvUIchBGw_sNLU.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Documents\GuardFox\nhi1SK0Vvbcyim7lPa1I5Q8w.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\tZ3sF5t6fvcIb4OapKTmlR3J.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\ZVsDYq3Ch4_MMg9aTQKTVxSw.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\nhi1SK0Vvbcyim7lPa1I5Q8w.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\2_PhPUvgZ0vJTIk2ohYmPx6i.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\871sk2dTwl9pwQmcSy9_xceI.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\ZxEIsayTB1ELKzR7mAA_z6yQ.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\o9cQpsoPKZEcwzdpOEEfjKS0.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4FE62.tmp\ZxEIsayTB1ELKzR7mAA_z6yQ.tmp N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\Rr3Jv0BhakXDhheSTJsxXuTs.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\c3AoZYpYAN5y_5E0jn2Xw5Yh.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\bd8oqd2X_KNvUIchBGw_sNLU.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\ULeuvS6KQfIm0_cpAv6oSGUC.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\rrWr6EtlIuK_vq7EqTglUb8N.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\gXZVCk1BZlo0mniV8eftEhbm.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\C3x1e4ZsTyHsRoZe2nRoREFS.exe N/A
N/A N/A C:\Windows\system32\powercfg.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\_q2vD9rmquvw9BRa8wd995tb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4FE62.tmp\ZxEIsayTB1ELKzR7mAA_z6yQ.tmp N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Documents\GuardFox\bd8oqd2X_KNvUIchBGw_sNLU.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Documents\GuardFox\Rr3Jv0BhakXDhheSTJsxXuTs.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\Documents\GuardFox\Rr3Jv0BhakXDhheSTJsxXuTs.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Documents\GuardFox\Rr3Jv0BhakXDhheSTJsxXuTs.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Documents\GuardFox\Rr3Jv0BhakXDhheSTJsxXuTs.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\bd8oqd2X_KNvUIchBGw_sNLU.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4668 set thread context of 5436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Documents\GuardFox\JHwdRTPiVjZdu1uvZ4wHzsJi.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000115001\toolspub1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Documents\GuardFox\2_PhPUvgZ0vJTIk2ohYmPx6i.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\nsj1D39.tmp
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\rss\csrss.exe

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Documents\GuardFox\871sk2dTwl9pwQmcSy9_xceI.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Documents\GuardFox\871sk2dTwl9pwQmcSy9_xceI.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Documents\GuardFox\871sk2dTwl9pwQmcSy9_xceI.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\GuardFox\871sk2dTwl9pwQmcSy9_xceI.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4FE62.tmp\ZxEIsayTB1ELKzR7mAA_z6yQ.tmp N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\GuardFox\ZVsDYq3Ch4_MMg9aTQKTVxSw.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2780 wrote to memory of 5244 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Windows\System32\Conhost.exe
PID 2780 wrote to memory of 5244 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Windows\System32\Conhost.exe
PID 2780 wrote to memory of 5244 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Windows\System32\Conhost.exe
PID 2780 wrote to memory of 5464 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\tZ3sF5t6fvcIb4OapKTmlR3J.exe
PID 2780 wrote to memory of 5464 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\tZ3sF5t6fvcIb4OapKTmlR3J.exe
PID 2780 wrote to memory of 5464 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\tZ3sF5t6fvcIb4OapKTmlR3J.exe
PID 2780 wrote to memory of 5564 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\ZVsDYq3Ch4_MMg9aTQKTVxSw.exe
PID 2780 wrote to memory of 5564 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\ZVsDYq3Ch4_MMg9aTQKTVxSw.exe
PID 2780 wrote to memory of 5564 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\ZVsDYq3Ch4_MMg9aTQKTVxSw.exe
PID 2780 wrote to memory of 5696 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\nhi1SK0Vvbcyim7lPa1I5Q8w.exe
PID 2780 wrote to memory of 5696 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\nhi1SK0Vvbcyim7lPa1I5Q8w.exe
PID 2780 wrote to memory of 5696 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\nhi1SK0Vvbcyim7lPa1I5Q8w.exe
PID 2780 wrote to memory of 5720 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\2_PhPUvgZ0vJTIk2ohYmPx6i.exe
PID 2780 wrote to memory of 5720 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\2_PhPUvgZ0vJTIk2ohYmPx6i.exe
PID 2780 wrote to memory of 5720 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\2_PhPUvgZ0vJTIk2ohYmPx6i.exe
PID 2780 wrote to memory of 5732 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\871sk2dTwl9pwQmcSy9_xceI.exe
PID 2780 wrote to memory of 5732 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\871sk2dTwl9pwQmcSy9_xceI.exe
PID 2780 wrote to memory of 5732 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\871sk2dTwl9pwQmcSy9_xceI.exe
PID 2780 wrote to memory of 6040 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\ZxEIsayTB1ELKzR7mAA_z6yQ.exe
PID 2780 wrote to memory of 6040 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\ZxEIsayTB1ELKzR7mAA_z6yQ.exe
PID 2780 wrote to memory of 6040 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\ZxEIsayTB1ELKzR7mAA_z6yQ.exe
PID 2780 wrote to memory of 6096 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\o9cQpsoPKZEcwzdpOEEfjKS0.exe
PID 2780 wrote to memory of 6096 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\o9cQpsoPKZEcwzdpOEEfjKS0.exe
PID 6040 wrote to memory of 5660 N/A C:\Users\Admin\Documents\GuardFox\ZxEIsayTB1ELKzR7mAA_z6yQ.exe C:\Users\Admin\AppData\Local\Temp\is-4FE62.tmp\ZxEIsayTB1ELKzR7mAA_z6yQ.tmp
PID 6040 wrote to memory of 5660 N/A C:\Users\Admin\Documents\GuardFox\ZxEIsayTB1ELKzR7mAA_z6yQ.exe C:\Users\Admin\AppData\Local\Temp\is-4FE62.tmp\ZxEIsayTB1ELKzR7mAA_z6yQ.tmp
PID 6040 wrote to memory of 5660 N/A C:\Users\Admin\Documents\GuardFox\ZxEIsayTB1ELKzR7mAA_z6yQ.exe C:\Users\Admin\AppData\Local\Temp\is-4FE62.tmp\ZxEIsayTB1ELKzR7mAA_z6yQ.tmp
PID 2780 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Windows\SysWOW64\rundll32.exe
PID 2780 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Windows\SysWOW64\rundll32.exe
PID 2780 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Windows\SysWOW64\rundll32.exe
PID 2780 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\bd8oqd2X_KNvUIchBGw_sNLU.exe
PID 2780 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\bd8oqd2X_KNvUIchBGw_sNLU.exe
PID 2780 wrote to memory of 2312 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\bd8oqd2X_KNvUIchBGw_sNLU.exe
PID 2780 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\Rr3Jv0BhakXDhheSTJsxXuTs.exe
PID 2780 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\Rr3Jv0BhakXDhheSTJsxXuTs.exe
PID 2780 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\c3AoZYpYAN5y_5E0jn2Xw5Yh.exe
PID 2780 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\c3AoZYpYAN5y_5E0jn2Xw5Yh.exe
PID 2780 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\c3AoZYpYAN5y_5E0jn2Xw5Yh.exe
PID 2780 wrote to memory of 5384 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Windows\SysWOW64\WerFault.exe
PID 2780 wrote to memory of 5384 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Windows\SysWOW64\WerFault.exe
PID 2780 wrote to memory of 5384 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Windows\SysWOW64\WerFault.exe
PID 2780 wrote to memory of 5328 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\ULeuvS6KQfIm0_cpAv6oSGUC.exe
PID 2780 wrote to memory of 5328 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\ULeuvS6KQfIm0_cpAv6oSGUC.exe
PID 2780 wrote to memory of 5328 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\ULeuvS6KQfIm0_cpAv6oSGUC.exe
PID 2780 wrote to memory of 5316 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\rrWr6EtlIuK_vq7EqTglUb8N.exe
PID 2780 wrote to memory of 5316 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\rrWr6EtlIuK_vq7EqTglUb8N.exe
PID 2780 wrote to memory of 5316 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\rrWr6EtlIuK_vq7EqTglUb8N.exe
PID 4668 wrote to memory of 5436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe
PID 4668 wrote to memory of 5436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe
PID 4668 wrote to memory of 5436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe
PID 2780 wrote to memory of 5752 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\gXZVCk1BZlo0mniV8eftEhbm.exe
PID 2780 wrote to memory of 5752 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\gXZVCk1BZlo0mniV8eftEhbm.exe
PID 2780 wrote to memory of 5752 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\gXZVCk1BZlo0mniV8eftEhbm.exe
PID 2780 wrote to memory of 5884 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\C3x1e4ZsTyHsRoZe2nRoREFS.exe
PID 2780 wrote to memory of 5884 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\C3x1e4ZsTyHsRoZe2nRoREFS.exe
PID 2780 wrote to memory of 5884 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Users\Admin\Documents\GuardFox\C3x1e4ZsTyHsRoZe2nRoREFS.exe
PID 5660 wrote to memory of 5904 N/A C:\Users\Admin\AppData\Local\Temp\is-4FE62.tmp\ZxEIsayTB1ELKzR7mAA_z6yQ.tmp C:\Windows\system32\powercfg.exe
PID 5660 wrote to memory of 5904 N/A C:\Users\Admin\AppData\Local\Temp\is-4FE62.tmp\ZxEIsayTB1ELKzR7mAA_z6yQ.tmp C:\Windows\system32\powercfg.exe
PID 5660 wrote to memory of 5904 N/A C:\Users\Admin\AppData\Local\Temp\is-4FE62.tmp\ZxEIsayTB1ELKzR7mAA_z6yQ.tmp C:\Windows\system32\powercfg.exe
PID 4668 wrote to memory of 5436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe
PID 4668 wrote to memory of 5436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe
PID 4668 wrote to memory of 5436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe
PID 4668 wrote to memory of 5436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe
PID 4668 wrote to memory of 5436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe
PID 4668 wrote to memory of 5436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe
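
Added example (Python, not part of this sandbox report): the WriteProcessMemory and SetThreadContext tables above carry enough to separate routine process creation from injection. The script parses rows in the tables' own format, counts writes per (writer, target) pair, records which process wrote into which, and flags a pair as likely hollowing only when the writer also set the target's thread context, as rundll32.exe (PID 4668) does to hwvf9I3YuZpp59caz_02tkYa.exe (PID 5436) above. The sample rows are a constructed subset copied from the tables; the rule of thumb that a parent's few writes into a process it has just created are CreateProcess's own setup is the editor's caveat, not a finding of the sandbox.

```python
import re
from collections import Counter, defaultdict

# Row shape of the "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" tables in this report:
#   PID <src> wrote to memory of <dst> N/A <src image> <dst image>
#   PID <src> set thread context of <dst> N/A <src image> <dst image>
# Assumption: image paths carry no spaces, which holds for every row above.
ROW = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Constructed sample: a subset of the rows above, copied verbatim.
WRITE_ROWS = r"""
PID 2780 wrote to memory of 5244 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Windows\System32\Conhost.exe
PID 2780 wrote to memory of 5244 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Windows\System32\Conhost.exe
PID 2780 wrote to memory of 5244 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Windows\System32\Conhost.exe
PID 2780 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Windows\SysWOW64\rundll32.exe
PID 2780 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Windows\SysWOW64\rundll32.exe
PID 2780 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe C:\Windows\SysWOW64\rundll32.exe
PID 4668 wrote to memory of 5436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe
PID 4668 wrote to memory of 5436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe
PID 4668 wrote to memory of 5436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe
PID 4668 wrote to memory of 5436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe
PID 4668 wrote to memory of 5436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe
PID 4668 wrote to memory of 5436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe
PID 4668 wrote to memory of 5436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe
PID 4668 wrote to memory of 5436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe
PID 4668 wrote to memory of 5436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe
"""

CONTEXT_ROWS = r"""
PID 4668 set thread context of 5436 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe
"""


def parse_rows(text):
    """Yield one dict per table row; lines that do not fit the row shape are skipped."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["src"], row["dst"] = int(row["src"]), int(row["dst"])
            yield row


def analyze(write_rows, context_rows):
    """Count writes per (writer, target) pair and flag pairs that also got SetThreadContext."""
    writes = Counter()            # (src, dst) -> number of WriteProcessMemory rows
    children = defaultdict(set)   # src -> every pid it wrote into
    images = {}                   # pid -> image path
    for row in parse_rows(write_rows):
        writes[(row["src"], row["dst"])] += 1
        children[row["src"]].add(row["dst"])
        images[row["src"]], images[row["dst"]] = row["src_img"], row["dst_img"]
    contexts = set()
    for row in parse_rows(context_rows):
        contexts.add((row["src"], row["dst"]))
        images[row["src"]], images[row["dst"]] = row["src_img"], row["dst_img"]
    # Editor's caveat: a parent writing a few times into a process it has just
    # created is CreateProcess doing its own setup, so writes alone are noise.
    # A target whose thread context the writer then replaces is the
    # hollowing / injection pattern (T1055.012) worth escalating.
    hollowing = sorted(pair for pair in contexts if pair in writes)
    return {"writes": writes, "children": children, "images": images, "hollowing": hollowing}


def report(result):
    """One line per suspected hollowing pair, with image names and write count."""
    return [
        f"likely hollowing: {src} ({result['images'][src]}) -> {dst} ({result['images'][dst]}), "
        f"{result['writes'][(src, dst)]} writes then SetThreadContext"
        for src, dst in result["hollowing"]
    ]


if __name__ == "__main__":
    res = analyze(WRITE_ROWS, CONTEXT_ROWS)
    for pid, kids in sorted(res["children"].items()):
        print(f"{pid} wrote into {sorted(kids)}")
    print("\n".join(report(res)))
```

Run it over a full export of both tables: pairs with writes but no SetThreadContext row are the ordinary parent-to-child launches (2780 into every dropped GuardFox executable and its WerFault/Conhost children), and the single write-plus-context pair is the process whose memory is worth dumping, since the image on disk will not be what is running in PID 5436.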

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5464 -ip 5464

C:\Users\Admin\Documents\GuardFox\Rr3Jv0BhakXDhheSTJsxXuTs.exe

"C:\Users\Admin\Documents\GuardFox\Rr3Jv0BhakXDhheSTJsxXuTs.exe"

C:\Users\Admin\Documents\GuardFox\bd8oqd2X_KNvUIchBGw_sNLU.exe

"C:\Users\Admin\Documents\GuardFox\bd8oqd2X_KNvUIchBGw_sNLU.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5464 -s 340

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7eDL.CPL",

C:\Users\Admin\Documents\GuardFox\_q2vD9rmquvw9BRa8wd995tb.exe

"C:\Users\Admin\Documents\GuardFox\_q2vD9rmquvw9BRa8wd995tb.exe"

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

"C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe" -i

C:\Users\Admin\Documents\GuardFox\C3x1e4ZsTyHsRoZe2nRoREFS.exe

"C:\Users\Admin\Documents\GuardFox\C3x1e4ZsTyHsRoZe2nRoREFS.exe"

C:\Users\Admin\Documents\GuardFox\gXZVCk1BZlo0mniV8eftEhbm.exe

"C:\Users\Admin\Documents\GuardFox\gXZVCk1BZlo0mniV8eftEhbm.exe"

C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe

"C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe"

C:\Users\Admin\Documents\GuardFox\rrWr6EtlIuK_vq7EqTglUb8N.exe

"C:\Users\Admin\Documents\GuardFox\rrWr6EtlIuK_vq7EqTglUb8N.exe"

C:\Users\Admin\Documents\GuardFox\ULeuvS6KQfIm0_cpAv6oSGUC.exe

"C:\Users\Admin\Documents\GuardFox\ULeuvS6KQfIm0_cpAv6oSGUC.exe"

C:\Users\Admin\Documents\GuardFox\GrOwuxn9g3h_LenoAnfzARTT.exe

"C:\Users\Admin\Documents\GuardFox\GrOwuxn9g3h_LenoAnfzARTT.exe"

C:\Users\Admin\Documents\GuardFox\c3AoZYpYAN5y_5E0jn2Xw5Yh.exe

"C:\Users\Admin\Documents\GuardFox\c3AoZYpYAN5y_5E0jn2Xw5Yh.exe"

C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe

"C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe"

C:\Users\Admin\AppData\Local\Temp\is-4FE62.tmp\ZxEIsayTB1ELKzR7mAA_z6yQ.tmp

"C:\Users\Admin\AppData\Local\Temp\is-4FE62.tmp\ZxEIsayTB1ELKzR7mAA_z6yQ.tmp" /SL5="$5011E,3515248,54272,C:\Users\Admin\Documents\GuardFox\ZxEIsayTB1ELKzR7mAA_z6yQ.exe"

C:\Users\Admin\Documents\GuardFox\o9cQpsoPKZEcwzdpOEEfjKS0.exe

"C:\Users\Admin\Documents\GuardFox\o9cQpsoPKZEcwzdpOEEfjKS0.exe"

C:\Users\Admin\Documents\GuardFox\ZxEIsayTB1ELKzR7mAA_z6yQ.exe

"C:\Users\Admin\Documents\GuardFox\ZxEIsayTB1ELKzR7mAA_z6yQ.exe"

C:\Users\Admin\Documents\GuardFox\871sk2dTwl9pwQmcSy9_xceI.exe

"C:\Users\Admin\Documents\GuardFox\871sk2dTwl9pwQmcSy9_xceI.exe"

C:\Users\Admin\Documents\GuardFox\2_PhPUvgZ0vJTIk2ohYmPx6i.exe

"C:\Users\Admin\Documents\GuardFox\2_PhPUvgZ0vJTIk2ohYmPx6i.exe"

C:\Users\Admin\Documents\GuardFox\nhi1SK0Vvbcyim7lPa1I5Q8w.exe

"C:\Users\Admin\Documents\GuardFox\nhi1SK0Vvbcyim7lPa1I5Q8w.exe"

C:\Users\Admin\Documents\GuardFox\ZVsDYq3Ch4_MMg9aTQKTVxSw.exe

"C:\Users\Admin\Documents\GuardFox\ZVsDYq3Ch4_MMg9aTQKTVxSw.exe"

C:\Users\Admin\Documents\GuardFox\tZ3sF5t6fvcIb4OapKTmlR3J.exe

"C:\Users\Admin\Documents\GuardFox\tZ3sF5t6fvcIb4OapKTmlR3J.exe"

C:\Users\Admin\Documents\GuardFox\JHwdRTPiVjZdu1uvZ4wHzsJi.exe

"C:\Users\Admin\Documents\GuardFox\JHwdRTPiVjZdu1uvZ4wHzsJi.exe"

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

"C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe" -s

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7eDL.CPL",

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5244 -ip 5244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5244 -s 512

C:\Users\Admin\Documents\GuardFox\kilIGnE7Ee7xlISTtwnuNAyU.exe

"C:\Users\Admin\Documents\GuardFox\kilIGnE7Ee7xlISTtwnuNAyU.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN kilIGnE7Ee7xlISTtwnuNAyU.exe /TR "C:\Users\Admin\Documents\GuardFox\kilIGnE7Ee7xlISTtwnuNAyU.exe" /F

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\69ede988-cabe-4c3a-bd33-3c9b20ac4279" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Users\Admin\Documents\GuardFox\qemu-ga.exe

"C:\Users\Admin\Documents\GuardFox\qemu-ga.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd91c59758,0x7ffd91c59768,0x7ffd91c59778

C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe

"C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 372

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 4440 -ip 4440

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2184 --field-trial-handle=1928,i,15234740933686316559,4096264762207578264,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 --field-trial-handle=1928,i,15234740933686316559,4096264762207578264,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1676 --field-trial-handle=1928,i,15234740933686316559,4096264762207578264,131072 /prefetch:2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 396

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3120 --field-trial-handle=1928,i,15234740933686316559,4096264762207578264,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3092 --field-trial-handle=1928,i,15234740933686316559,4096264762207578264,131072 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4440 -ip 4440

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 412

C:\Users\Admin\AppData\Local\Temp\1000114001\InstallSetup8.exe

"C:\Users\Admin\AppData\Local\Temp\1000114001\InstallSetup8.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4440 -ip 4440

C:\Users\Admin\AppData\Local\Temp\1000115001\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\1000115001\toolspub1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 680

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 208 -ip 208

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4828 --field-trial-handle=1928,i,15234740933686316559,4096264762207578264,131072 /prefetch:8

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 360

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 692

C:\Users\Admin\AppData\Local\Temp\nsj1D39.tmp

C:\Users\Admin\AppData\Local\Temp\nsj1D39.tmp

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 744

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 776

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Users\Admin\AppData\Local\Temp\1000117001\rty27.exe

"C:\Users\Admin\AppData\Local\Temp\1000117001\rty27.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\1000119001\FirstZ.exe

"C:\Users\Admin\AppData\Local\Temp\1000119001\FirstZ.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 740

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 708

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 852

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 5720 -ip 5720

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Documents\GuardFox\2_PhPUvgZ0vJTIk2ohYmPx6i.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 2488

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 860

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 828

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 860

C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe

"C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe

"C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 436 -ip 436

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 436 -s 568

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 4440 -ip 4440

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4440 -s 732

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsj1D39.tmp" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3020 -s 2392

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 3020 -ip 3020

C:\Users\Admin\Documents\GuardFox\kilIGnE7Ee7xlISTtwnuNAyU.exe

C:\Users\Admin\Documents\GuardFox\kilIGnE7Ee7xlISTtwnuNAyU.exe

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe

"C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 192 -p 1276 -ip 1276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1276 -ip 1276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 356

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1276 -ip 1276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 1276 -ip 1276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1276 -ip 1276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 1276 -ip 1276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 652

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 1276 -ip 1276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 724

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 396 -p 1276 -ip 1276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 732

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1276 -ip 1276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 736

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "WSNKISKT"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "WSNKISKT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7eDL.CPL",

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7eDL.CPL",

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1276 -ip 1276

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1276 -s 776

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1588 -ip 1588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 380

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1588 -ip 1588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 396

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 1588 -ip 1588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 428

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 372 -p 1588 -ip 1588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 684

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1588 -ip 1588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 196 -p 1588 -ip 1588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 752

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 1588 -ip 1588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 780

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1588 -ip 1588

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1588 -s 788

Network

Files


MD5 b7d3df5eb168e2cdc90ebcc13023bffc
SHA1 76785f0b0721fc275c16090c68667f4c173d0ddd
SHA256 cdd29bbdc03e71aa5d94455500be9c476673bedb3834585bcd5266d787d1136f
SHA512 7cb112cab9443b5c3ed5d55636d35e01e5287acc9e92b2c84c4381433c0c6213162360eb77145f0af693cb64d1a747fe4bfc73c9c9ba54e702195bd8204aebe9

memory/5464-932-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4668-939-0x0000000000A40000-0x0000000000AD8000-memory.dmp

C:\ProgramData\TVTunerClassic66\TVTunerClassic66.exe

MD5 251b11a6c24c2f8fecabf5a4c163155d
SHA1 389a0cb8858027d1f3c54caecf0b6d5965aad024
SHA256 715bd088ca6c620e18950fe81923a19da40a309314c5d17520bbf0aa5e0b0e9a
SHA512 564267be62d0a8da1a2f472f4b63d35b57403644a93cbeb7ad9e302f18076ea5049dfdcf00729cec2dc2e519e7fbefdcc403c50030f3e78888e05118319dc2d4

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

MD5 554b36a7abbe93a2ecb3a77ae96b9d59
SHA1 0611e94e30c62a9896c99ce797cdc6f42bf3e5f2
SHA256 f2520ec27a6f37406f5d1099cd3a8bce4f1b4dbd3cdda9282544f7a357761e6b
SHA512 bb32fcc946febffcc0854d9bf3a6a3bf5721bff5912711dd91b86ee621744629d83f1f55fe675eac497862b8ca28ddbb7a1738cae98d46d9adc2c5c55c8555a3

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

MD5 42b8c03d670d61d236561472423750da
SHA1 a130343847afb7d4d0d4c057d6b03e5309e8db12
SHA256 7b12b73eefd32038acacaeee17d75fdc6034ce0468becb4351342ca533248d38
SHA512 414791032486d8d81beea6f0b099401f71793ae21dceb5002718c81f134553ca78dec75869526f9e40de28dfbe875cdcbeffdb2bd38e24f5f36bbef7d224f725

C:\Users\Admin\Documents\GuardFox\C3x1e4ZsTyHsRoZe2nRoREFS.exe

MD5 6759e4f91dcd8e8656a4868754846b97
SHA1 281544552910ceff25ba041d7a1aaa9124aa2093
SHA256 18c0d6409af840417ae73dd9d0c69d7169c70333634a17f5e25833e95f3c8bdc
SHA512 f952a4a12fb4affd69ac1b7393308874f09e3251bb43654e49848df67ac41d807f825eeafd4e8b1f411195fd442882c9422e1f2535da7eb6d21593e693231c43

C:\Users\Admin\Documents\GuardFox\rrWr6EtlIuK_vq7EqTglUb8N.exe

MD5 e361fa252e7e2d8bc29a1280590342c1
SHA1 dcfd6288b43e6f9225e531a9d566fbab9618016d
SHA256 85b0731684ec2e86c688306f7fa10e224fec622808c552f9b8d1f22d74e8f949
SHA512 d69ccf9bb7f6a1828d8af900afaf04049c573de567418c89721fce3b8e69d108c1ae9115f1a5974ce06cb3a52ca6be6fd7d503c0512ca957253fee798cbe51f2

C:\Users\Admin\Documents\GuardFox\ULeuvS6KQfIm0_cpAv6oSGUC.exe

MD5 0b419d8c66e1c947b9c916093e82ecaa
SHA1 c0cb84f3fd88be7e169deabbf4b0a52e41cdc8fa
SHA256 37d76c9a38c35b80ac296681fb9e53e4fe4054e6035aa18f45aac1c39f215ae8
SHA512 5e00d525cc3a2186aed534edee808f9c73bbdf1c1a60e7b234319fe04d2c22e4ea4a16f88aade6120c4c2bc2ecac64ac00e5cf945724e7d10edb498ffe24fe27

memory/5904-931-0x0000000000400000-0x0000000000889000-memory.dmp

C:\Users\Admin\Documents\GuardFox\C3x1e4ZsTyHsRoZe2nRoREFS.exe

MD5 d8d2b6f55511b9180d63162b7072a396
SHA1 adccaa8591fca5e84675675ec21ca01ce3f40a5b
SHA256 cbee44b5036a7bc3d8d2149c6086a692d56bea4ebf4e1e7404e53b7ec7558477
SHA512 0851a13fdfb5414c4a00187b0de07c49ca6130a2540afb3cf2e998bd06ed6fa5617d94594b6fd89594760f4c7193f669e35662645544a989b0b814015733ccc6

C:\Users\Admin\Documents\GuardFox\GrOwuxn9g3h_LenoAnfzARTT.exe

MD5 df35b910d8c563e1ad279a6199cf780f
SHA1 f512d2cdf572b9a73c4ebcff5eaca72b2a0586e6
SHA256 869ab0dd6fc81406a7be048c207aefef220f845789e126375d80a544612f1b55
SHA512 34c33fe242050d5f58b3e8a7982ad41f276fa08107a103f36b36a5a186d3d23e73707786395c4eb1f452f67ef314830be2887f65e46e32913f48b1083cdc7595

C:\Users\Admin\Documents\GuardFox\GrOwuxn9g3h_LenoAnfzARTT.exe

MD5 c70194ceb1a3240170e24ef632239fec
SHA1 b0136561464699f40f0413972756ed449e85b2de
SHA256 a3d858ec64d351600a315bfa97c295894183682258eac1a0f901f73a8ad3a18f
SHA512 e03a63dd5deb6c054e45222ab4332d8030301356544baba3c521e34c49495175f6855dbbc22b992174a334ab7525c32d0abaa6d63083145365150778a0afa3c2

C:\Users\Admin\Documents\GuardFox\gXZVCk1BZlo0mniV8eftEhbm.exe

MD5 460783ccd36efc4f94cf015f71a58c7f
SHA1 83f44aa67a06c9fe07c8c8f1a5f9452a2cd13f66
SHA256 f9ef49e76b6fcd9af763966550d97c3bff669d423ce065cbded3ad73ce069e73
SHA512 274d38711ab114d4f7d4f313b752e3a8f3afbbe0c0196fb1fbe3211ff32d15ec708fc01b0cfc5e16cbcba3ed2625b22b187c4b948484e4b4dc742432b3ba74d2

memory/5436-923-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\Documents\GuardFox\gXZVCk1BZlo0mniV8eftEhbm.exe

MD5 4ff99fc91298dbc0a1404c30bb6be02a
SHA1 ced54e0bf51efaf95f774ed1f92e780ba77c6f89
SHA256 5402c5e2fe9bc3380c0cb22aa120019c1f8d2a7343fdc250d23af48105030adf
SHA512 ec6a8946fd5fd5a53a60c47a194a59b2c526422ecbf3dbccbaa0628ee489ccd4bb5b37138abe451e8e25057ecebb9e1c9e3190d44e956539c5dff01328877608

C:\Users\Admin\Documents\GuardFox\ULeuvS6KQfIm0_cpAv6oSGUC.exe

MD5 361eaaa18a4f87e160d828126caac489
SHA1 75d1d1388adf608b809b5f14024bd7f50295f8d7
SHA256 e4a402ebae1a5060624fe928b52b95b2b6b41b54f00539be350ad69ea324bf47
SHA512 0e5d9f58cb677a0040b7695c58a58bad6a74b771b393610cc3237df5ede3971b37fe34a86b24659578e0be40f4985fdef5bfec14d3129f3137a9332ee2d30d2d

memory/5384-917-0x0000000000390000-0x00000000003E8000-memory.dmp

memory/2552-943-0x00007FFDAF6D0000-0x00007FFDAF6D2000-memory.dmp

memory/5752-948-0x00000000049E0000-0x0000000004F84000-memory.dmp

memory/5316-947-0x00000000005F0000-0x0000000000B5C000-memory.dmp

memory/5904-945-0x0000000000400000-0x0000000000889000-memory.dmp

memory/5752-942-0x0000000004980000-0x00000000049E4000-memory.dmp

memory/5436-941-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\Documents\GuardFox\_q2vD9rmquvw9BRa8wd995tb.exe

MD5 b61ab96e0f38f53f3d5f1e0727bb7f53
SHA1 dd74ecd50226c8d88c980867ef6e582871c50292
SHA256 9db90f8cf4686711fb45c5844868e36c8b0c7c98c89da1d9b7c735b318626154
SHA512 967868d2aaef0d3bb3e47235df8d3bb7206d9c8a50c4f9c9b4c7fc674e3bce962c54d24dd1e99424d1721765ab37cb8858f722e939bff3f5286cbaab4bb2aab6

C:\Users\Admin\Documents\GuardFox\_q2vD9rmquvw9BRa8wd995tb.exe

MD5 d8d24cf4f1d82663b2087770375af1a2
SHA1 3c74c701ce33d71d941fedb1adeb1c87839354ab
SHA256 c0eee28a20afe4f81e4c339939f2f3d7e96827ea90e4d1679eb7fc7f57935b17
SHA512 9ff00388cebb392376e28e8da5abdf5bd4622090b54f18c8d544aa58249a79739a0c3bd30ebad1930ab08a89e20ca63637d0d9c15f39b33687a65a75bf260401

memory/5436-935-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\Documents\GuardFox\hwvf9I3YuZpp59caz_02tkYa.exe

MD5 1b88e892c24124b6dc71c4d87d5cf23a
SHA1 8d0f7c04c788ca71ef934329b78138dbc92f4d06
SHA256 9b41e2e6554ebae6ad35617de1be833c0112b7d9999b38bcc07b0ddb228fcc4d
SHA512 5ce58e18673a2685a7dfd4cfd42a026fd6ad0eb12ff73833cec8d13529661a99ea8c9794a1a77978952aa9bc195efc15573aa6a6183a643ec4f8778123d33b0c

memory/4668-940-0x0000000002530000-0x000000000264B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 fff0e59694b17cbb3a3671c432d3beb5
SHA1 50786b924bc9e570601da3a294b706d91ebe4f54
SHA256 1138dca6df667a4888122e21e827bec1efc5e1ad4184837a4a36dbd82a95bbf5
SHA512 bd1f0ead5d03772c725a6f6b793cb9cab68989967c33e4e1e8e9b5236498c9fdecf37c6c562411c969b604fb88826a699a3777a13ba61c0848aef546229bf123

memory/5316-955-0x00000000054E0000-0x000000000557C000-memory.dmp

memory/5752-954-0x0000000004FD0000-0x0000000005034000-memory.dmp

memory/5384-951-0x00000000053C0000-0x00000000059D8000-memory.dmp

memory/2552-950-0x0000000140000000-0x0000000140876000-memory.dmp

memory/2312-961-0x0000000000780000-0x0000000001094000-memory.dmp

memory/5384-959-0x0000000004C70000-0x0000000004C82000-memory.dmp

memory/756-952-0x0000000000C40000-0x000000000193F000-memory.dmp

memory/2312-967-0x0000000076F40000-0x0000000077030000-memory.dmp

memory/2312-972-0x0000000076F40000-0x0000000077030000-memory.dmp

memory/2312-971-0x0000000000780000-0x0000000001094000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 7cc972a3480ca0a4792dc3379a763572
SHA1 f72eb4124d24f06678052706c542340422307317
SHA256 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5
SHA512 ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

MD5 cdfd60e717a44c2349b553e011958b85
SHA1 431136102a6fb52a00e416964d4c27089155f73b
SHA256 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512 dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

memory/5956-975-0x0000000000400000-0x0000000000D40000-memory.dmp

memory/2780-976-0x00007FF633EC0000-0x00007FF634904000-memory.dmp

memory/3556-974-0x0000000001570000-0x0000000001586000-memory.dmp

memory/5384-969-0x0000000004CD0000-0x0000000004D0C000-memory.dmp

memory/5956-970-0x0000000000DD0000-0x0000000000DD1000-memory.dmp

memory/5384-963-0x0000000004EB0000-0x0000000004FBA000-memory.dmp

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

MD5 7fbc23967ef0aa49602fe512801f4f11
SHA1 9914bbe0978ba4f95b6d4e6dcc9d425b0a79c187
SHA256 151c8e68d7f6e83dc94c89d6933100461c55ca42d8d4bf2d996afdcd15e4e86d
SHA512 978b2b6989e473fc1cca5ac34ca4744aadaddb558cd1f317af0daa9da5b8221dc30dd74155b9400a0f6947a315773443a67801b827783c28fb9920d65ec08811

memory/5384-979-0x0000000004D30000-0x0000000004D7C000-memory.dmp

memory/5884-981-0x0000000000D70000-0x0000000001D23000-memory.dmp

memory/5328-995-0x0000000000580000-0x0000000000EC7000-memory.dmp

memory/5732-994-0x0000000000400000-0x000000000043C000-memory.dmp

memory/5328-992-0x0000000000FF0000-0x0000000000FF1000-memory.dmp

memory/2312-990-0x0000000076F40000-0x0000000077030000-memory.dmp

memory/5600-1002-0x0000000000400000-0x0000000000454000-memory.dmp

memory/2312-1001-0x0000000005970000-0x0000000005A02000-memory.dmp

memory/5384-998-0x0000000071C10000-0x00000000723C0000-memory.dmp

memory/2312-1008-0x00000000058A0000-0x00000000058AA000-memory.dmp

memory/2780-1007-0x00007FF633EC0000-0x00007FF634904000-memory.dmp

memory/5384-1017-0x0000000004FC0000-0x0000000005026000-memory.dmp

C:\Users\Admin\Documents\GuardFox\bd8oqd2X_KNvUIchBGw_sNLU.exe

MD5 b392ea4d10fcd77886c779352a1f851f
SHA1 37f9e6368f3434ff4c390c2c58008601ef624c7e
SHA256 0dbc6f1f90320e508ae26d02375f206f4c322228f2dd45878a75cbd144e47e58
SHA512 64eba332d6ef3e21a9f4e3a8548df3245635850e79250fba20a26aab15e0b85fb7540f63cfb14810deae28aea61bb071114d3c95adf866f6dddcd3a4f6e1d99b

memory/2780-1015-0x00007FFDAF4D0000-0x00007FFDAF6C5000-memory.dmp

memory/2780-1012-0x00007FFDAD1F0000-0x00007FFDAD4B9000-memory.dmp

memory/2312-1014-0x0000000076F40000-0x0000000077030000-memory.dmp

memory/2312-1011-0x0000000076F40000-0x0000000077030000-memory.dmp

memory/2780-1020-0x00007FFDAD5E0000-0x00007FFDAD69E000-memory.dmp

memory/5752-1023-0x0000000071C10000-0x00000000723C0000-memory.dmp

memory/5720-1031-0x0000000000400000-0x000000000062E000-memory.dmp

memory/756-1024-0x0000000000C40000-0x000000000193F000-memory.dmp

memory/5564-1025-0x0000000000820000-0x0000000000D03000-memory.dmp

memory/2312-1022-0x00000000771C4000-0x00000000771C6000-memory.dmp

memory/756-1018-0x0000000076F40000-0x0000000077030000-memory.dmp

memory/756-1036-0x0000000076F40000-0x0000000077030000-memory.dmp

memory/2552-1040-0x0000000140000000-0x0000000140876000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7eDl.cpl

MD5 9a3cb14f023a8a7547e2e2084edcbce2
SHA1 f7f7078801197583448d4dacb25dc4b1cd5b5344
SHA256 a03166b7a115e7f3bcb93a4c58c1da9734f72a0f501c770a09a240cf7756487c
SHA512 cde2d211982033eaab647d3596f05b8e0c0c3a1d145733b2886dd5d614dadd71e1b3f467f00729a61a0ca603977e1d7d554881833089ef04db5195bc488494f5

memory/5956-1056-0x0000000002950000-0x0000000002951000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7eDL.CPL

MD5 19afd54c3121aa3e9a22c63d7c667ddb
SHA1 e1978af1acb0efe334a30c19594cf7faaa971c07
SHA256 1f81d15b2afda7db3b384eb26c2b57b1b5801fff7e54aba4190c8d2c153c5d29
SHA512 a91d8230499c2030767a1a60d582b604b3e3710e5c700ec440a5eb8c6f16b05049c44d7881483a6834d3070f79689156fca5fe8efb7129f38a9c73123a0bbb83

memory/5884-1075-0x0000000076F40000-0x0000000077030000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

MD5 01a26d70a8375fa48741354f52933b72
SHA1 323c28ce5befe42454e32edb11721f9aea0bb83e
SHA256 016755c96d70ea69f68572a7d35a96dfee144adfcf8ad77eed046ff2a997f0c7
SHA512 034e27ede1ee995adca9e9d83e4d01420222676ca6ef3870826b57a6f2b97daf0d23cd5200e83856f3264791a369ba06349d68e24ff84956ccca9671ed8346fe

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

MD5 def82cd58d89e1d081e077913b61e7ef
SHA1 150f7cb3192c953a7f45f2348ce18a13ce78fa8f
SHA256 e2c63cb615d98419ce6d49d7a9aa8de8c4912503c8794fd4d34a9708e09fa2aa
SHA512 ccbce358f6f1bd5b9ceb5e44704c2744d6b870dfe27267d6169410e6e5aaf960dbd0eb2b556f560fa8f15a4d7057f6067eaf7762238803cf04504a73468c4fde

memory/5884-1084-0x0000000076F40000-0x0000000077030000-memory.dmp

memory/5884-1077-0x0000000076F40000-0x0000000077030000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A65DBECD82A40019E873CE4ED0A79570

MD5 c754d28984555c8d5a27818fdb99ba99
SHA1 f746b66b7e2f86c09b001efb2dcfa8e8cdfee281
SHA256 1f0b58cd2d64cb28b553834b73b15d4664025a9a0bb88f6e17bbe9e6cff46d98
SHA512 f9c643dd1239e4f0e5c4edcb735d7e4ff19322621b5fe0d704e9e7073738aa0b87ff330fe97ad26d513731b72825ec6904338082d30210cbf44c4638ecdc607d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A65DBECD82A40019E873CE4ED0A79570

MD5 99f25cb837f8445649fafe4f50116edb
SHA1 7cd37819950b95758a84a68949e28e07fe0daccc
SHA256 6adb0f49740bf40758019147f0f951ede4db34834f45ff8be143616e8f4394fe
SHA512 a35862543ef682f3b251d557f208f52a6664f642881f6749b99670cf904dabc1a1682051ce12c97b822aacb82b57a3970d236b6a6afe5af08e93668a87711bf1

C:\Users\Admin\Documents\GuardFox\kilIGnE7Ee7xlISTtwnuNAyU.exe

MD5 23f06600a549ac1131597b849021e8ce
SHA1 7ad52e00c0218a1f6efcd11e99b99641b1e776f0
SHA256 ea0d0aee76356fb52168ed7f00ec164b43112c6391d21fd5c32f88a6d11c6c7a
SHA512 163613f6c5afa2c87a825545231f1e3c24944b416694d4dd248a3362ce015ca5c069d2d16b61aa4b1c03792ee2ba7bd1184dc12a248b10b5c4eeb0c6443623fa

memory/5720-1067-0x0000000000400000-0x000000000062E000-memory.dmp

memory/756-1065-0x0000000076F40000-0x0000000077030000-memory.dmp

memory/6096-1062-0x00007FF776570000-0x00007FF7765C6000-memory.dmp

C:\Users\Admin\Documents\GuardFox\Jg4tvtWsk3avtNIkam4gAPUG.exe

MD5 b19bf21759183cc16df70c53e8d257eb
SHA1 e575c5d4d34e4d3a341c1b99bdd6504618064c91
SHA256 56b1d42e905b9b77d02e965296384ca8b562aa4ce71e4cfb07c04a1b26de501a
SHA512 2e3c653c4a4802301d181f6b702cc8718a1e4d84f109e699ca77258060d57c978ace344e3b52b7a83c85a9a3e3fdbbcbac14b052ed31400fdc0dcc96f062343a

memory/756-1061-0x0000000076F40000-0x0000000077030000-memory.dmp

memory/756-1058-0x0000000076F40000-0x0000000077030000-memory.dmp

C:\Windows\System32\GroupPolicy\GPT.INI

MD5 93b3886bce89b59632cb37c0590af8a6
SHA1 04d3201fe6f36dc29947c0ca13cd3d8d2d6f5137
SHA256 851dd2bb0f555afaef368f1f761154da17360aeea4c01b72e43bf83264762c9f
SHA512 fc7baef346b827c3a1338819baa01af63d2d4c31f3f7e17b6f6b72adab70de81872a67e8f3c1a28453abb595dbac01819a9bcff0710e9651a45deaf2f89e65fb

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

MD5 a9a57ff96c0a4540dc89382a4f5a0a35
SHA1 69bec1d35708491a5d165f500b35f1ff1334dabb
SHA256 72da779541479bec888f402ca03c87f4ea3df96f380665b04c01f7bb08bdf32d
SHA512 5cd6c25e665f988ed9ae6a9a3da3a31f8b8549a0aa52a733568514c04dffb37fd55f70641278df3b6fc792606bded68e0c7c176558768c36f40e8defa75b3d0f

C:\Users\Admin\Documents\GuardFox\kilIGnE7Ee7xlISTtwnuNAyU.exe

MD5 773f0fe5c9f89d9914c61721885cc9b3
SHA1 2bfc6a9e8995c99da68a98718b2ddde9aa262048
SHA256 460f361e5c82bf12d1042ac08cc941d4e24967df53fef2d43980abf3e00823dc
SHA512 2046f77438c05c39edc1e7634bac3f1842b62a3291043b182979aba0244dad6df9695da1ea6d6d6bb3760e37c04b00da0a79ebc898f7b8446ba4698e208ca517

C:\Users\Admin\Documents\GuardFox\kilIGnE7Ee7xlISTtwnuNAyU.exe

MD5 ee91a677bce1906e77f3d3b09c3d89a4
SHA1 f2a9b02d328bcccaf03f94e4e8c2af706bb3e2d9
SHA256 baafe12d9d5efb3ef2cc4256a7f74530cd7e34563d9a72deae19a9efb9568b0e
SHA512 5e7e6495167b802da4d0dabe3e0a329448d10ce57ebc9e25b407d743ddb98b8c17456473051b2ae165d00a805657bed8ac0157bc5d0df2ca43ef91158d57becc

memory/5956-1043-0x0000000000400000-0x0000000000D40000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 dc6a437a305af2e1184e105f557768ff
SHA1 2183a0e126eb949103d188b24462da41ab649e0c
SHA256 588b3b802f29cebc9131d0ad232eb21d455d977ebd4fb6765601c9a179097dee
SHA512 2da6f5a15418991e05fa1da4e745298252f4268ae408a186bdbf819b8b822714c9ac04b7d61e8698a5c9035a881a8100008256f22c4541ea0f2e16399d615ea0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b0e04da50e22c31e5a1bcd823b31bc0a
SHA1 834ed42ea8cc071f41030231dfd38dbdd3a92c33
SHA256 b97307b15450163273d276f2918012e7afbcb2dfe9359886402fc7acbc198031
SHA512 37f70063bf02ed58b18dba6b1986fae9d57a6b54cded5d929098dab98fe450e81a8461c59e3f19a7e45c2b59295494264322747427cd1a30cdb3cbdd12238df5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 42adab366981eab55ca177e6ed21f07d
SHA1 38ce535c4da07c662421b11a77e5ad19d4b4afbd
SHA256 164b369e79315a67f27d120eacd616b4bda85b8cda1b19490803efadbcc0878b
SHA512 803769a28118283b397fdab6e355a626b0f9234dcaf1067b4db1a0a322474e2dff801667d505f7007d67be15e82a8b5fee5295364abc987634b6d2babf16345a

C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll

MD5 c023f94afff0b31b7619120d70f0ce62
SHA1 7dd6e4246854dd14f5fb379fc95ba3bd4af11930
SHA256 f85606b7397430677a13fa2664032ddb1c72b81658e7db2c731a34bc892b3c18
SHA512 856c3105a857520058936333c6a038d5e7ab84ca33a6b86e617996b964532204bbfabf03f558cc30b86efa69aefc0520a50b932b9eece8f54e9bf5bbd2242483

C:\Users\Admin\Documents\GuardFox\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe

MD5 664fe7a5e29a751577c1acd73e141159
SHA1 f43f1bf32742874e83994c0a4560d9110e314816
SHA256 3971160c4a58e8d8d5c8e2588d6c99a809470846a88ea7078a836cdd0ccaf38b
SHA512 28cb4fbce0e884838e4c2d18f5f49f582626ac41ae99b18b269d3e5761c6928e52cf4034000654109f4bcb4b5bdb33221bf3a4e2e7af7e5de83066a9898e2a8f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 9685a2ff5479b0dc1cc4da404fcb3a76
SHA1 370849bfdb3b928ece2a0d1423f9b43cf411c3f7
SHA256 c76b3afcaf3fdb6bb8e7e0647a6e179820c7ad0f9353e8750f213454ebfd4fe2
SHA512 85942c292a94628800d6ed70a6707f6dc326d07d1792d3b9cd8ed29b622fab3bfc9417f91475515075591d423fa6069e4d20fd0bb2103d6556f6c168c522de70

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ceoajhiemdnnjfbilpkblfjghmmbhbda\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Temp\1000114001\InstallSetup8.exe

MD5 5d92497f882dee9307c5600303aa3aba
SHA1 6c1324ecbc8418cf00e558a685249459690c5295
SHA256 5cb256e6f43761c8e49ddc2f3a52962ee18cf80367d2a1314e54e679bb0dd531
SHA512 6a31d65060e8c4ff51f2f1b712d722b66c2b944d5a8e9cae754ec4e7a6eb8c72f36bc6c5aec3754d643f1f2029e65e84858a86f0ffb2b6733e9824c937ed0442

C:\Users\Admin\AppData\Local\Temp\1000115001\toolspub1.exe

MD5 07115ec04357e7144798a4b67cc98614
SHA1 b31172f3180dc608fbc916acff2d536bf15a1a0d
SHA256 3908c781ea862125800cddaa48192036008dcaab24a20ebed9af29ba167c63ec
SHA512 50a92726469941c96349b22af215d7d80bb552feb09fae891903fb590bb8feec8f8f005a789a322363c77aef3f12c3f9c9470d4aefa389e7c294a948e28846da

C:\Users\Admin\AppData\Local\Temp\nsc179B.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\ProgramData\mozglue.dll

MD5 821ea2f9a59e591fefc9afc0c9438002
SHA1 35de88ad95afb11443b260374ada983a78242fce
SHA256 48a27d09f083c45b124861cf72b294b32681df12cd79a0bab05991792af838a2
SHA512 04042986db210006b8c836b7b7a191c4a52a1d8efa0edc5865ad25561b09495ec31c1bfeb88d95f33e387eb4726e21f775c14855c88d9583107b1edb8b4dc9fa

C:\Users\Admin\AppData\Local\Temp\1000119001\FirstZ.exe

MD5 4a334b4f4216e5a370ed4e214e64ce21
SHA1 19e2327701cad6daba5da73422fc53c620c47d66
SHA256 083ad5013523b62eaa8217d3f8570d0d6ea1c087409d3e17739b0687ad892599
SHA512 fc6fe74115c38ec0c5a27aa84d45b74359012ece39ccb59ad6c44f0a9eae44b4605e0ced8e19aeca5585824ac0a1d7577e9e9ddc95cb05cf8fd453e58eaddff1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 b7a94b3de2bb727fa32cf0cd29d2092c
SHA1 ebf5f304646c6af7e9a369100c151d91d71f2184
SHA256 49bc04f5dc00bfe748a268485560e46ea917a5cbc8d12f3325184455af8379fc
SHA512 1bc6c58af1dc241ab62d9421d44dbe2bfcb8575717524296d2a7c9ce61046df779f229827e06061dda3d237ea534de9b246f0011188e0aae166cd85787d8833a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 79dc9cbfafe952f1b3c31017876a7955
SHA1 889358200ce4075e76c3e469b6db63a8b4b50a4a
SHA256 6325d207bcbbdeaec6b3b73153a59549e3f6a0fcc478af2c22fac057d460a24c
SHA512 51b178ec14d663172602c4ca6c5e27547a0234f76133560713c65262341ee01adf2edaefe592f94579e078075f81dd3ae473d4e6ce1deb4b5ea022f30b59d016

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 7d174d09a29f1bf6f7a2c7e3e5b549bc
SHA1 a2e7b9f5a9c6e28cd5d45867918c75ed89157ab7
SHA256 a46c9dd7ece8aecff62cf2d75fb4734f20c556e890979cffba75ab9e0318f324
SHA512 2c4001a55de3cacdcf0236d27deaa9f7aa549ae974855870faea4af9e07c5e86c65729184849d8f5eb943d998db173998d8b03ede559e78686ecfc6fcdce0a7d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\a689780c793a34ad21406f00ea026895

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\ProgramData\KJEHDHIE

MD5 26767c12271852a16a294f25c961fe85
SHA1 b384a61493e4945c3657770796fd4da0b9daa31b
SHA256 4d98bc1361aa2d7897eba94f90637d9504f3a1ee27b2245f51d838af42a2d9b1
SHA512 3f7c7b2d9a1c9056b961a90e47fd0aded1f0a5cd3018b465ec00e5f53cb63d202678e85cc0a6b2c6b5fc4c204bbb4abb9d07535274f7670d9978e89471809903

C:\ProgramData\HIIIEGDB

MD5 78f7973c570de55b3c9eb47af004999c
SHA1 bf05dba68bedd2b19eee7784aa5d70f8167936b9
SHA256 e911b3b7a3061f5239da2dfe1385f46b922aabc8bc42fa23418afc6a9ee4e34a
SHA512 7e40929fb85f2f6896a0877846551cdfa73a8693e032da140b2ee2b89e26855508b9a0784e3254b20354531bda0f3b7d910bb43a61db9e609dc965f5062e1a6d

C:\ProgramData\nss3.dll

MD5 534a57629b543cc4c630e8855baf173f
SHA1 8490fc2c32ffe18eb1a9baa0a16a43bfc51d1d74
SHA256 7a7c6de88f8322ffd05a66aa7a928447a6c798f81681b9609306ebbb2d7b292d
SHA512 c4fd088ad624c694f0e55a9ac89f1ca77a30abd0456b548284deacbb4c7dc577efeac49d282d633afa8c1129bb17de90cb9ba3fb6ec4ee4b98eb2270cafde72e

C:\ProgramData\CopySearch.txt

MD5 e293805ade5021089e9902d7e90566f1
SHA1 058fccbae4a68bac8e06a265b1b0ffa2c21989e2
SHA256 e8829c989bd67cc4a9a9b62cee217bb50eeebe1bf759c8b3069527bbca704bcb
SHA512 9b8114281fce9ad5406c179a2d36d48b3efae0812ec478fde4432edac32ae608b54b96a3f00d099a7ecc52e3e511b1fef57d634a776335a2907ca8aa4951e63a

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_s2oehbs3.3a4.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\ProgramData\ConvertFromPing.xlsx

MD5 ec30c5386e026ce1f0b564accb8fcde4
SHA1 b506e736a1a15eee7838eb5ed62f2f2505c98577
SHA256 7b44893fec3d788a940bebccbbc71cf03ae3c37826b22dc798bd9184835eb181
SHA512 3a87e9e5b8896acb475482a40f72990dc175b06eb0308cfb7df4a0c4c489a4564558cd55bf0515cf5f19c2e8f313f8f00d660461deb5d2bd80033f4c7182d805