Malware Analysis Report

2024-12-08 00:42

Sample ID 240123-tx5t9accbl
Target SecuriteInfo.com.Win64.Evo-gen.16085.20859
SHA256 07fc70e17fc81a62cce3afd89755eb174e090bb3c0f170ea23a55ac7cdda1820
Tags
themida djvu redline smokeloader stealc zgrat pub1 pub3 backdoor discovery evasion infostealer ransomware rat stealer trojan upx amadey logsdiller cloud (telegram: @logsdillabot) persistence spyware
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

07fc70e17fc81a62cce3afd89755eb174e090bb3c0f170ea23a55ac7cdda1820

Threat Level: Known bad

The file SecuriteInfo.com.Win64.Evo-gen.16085.20859 was found to be: Known bad.

Malicious Activity Summary


Stealc

Detect ZGRat V1

SmokeLoader

Djvu Ransomware

ZGRat

Detected Djvu ransomware

RedLine

Amadey

RedLine payload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Creates new service(s)

Stops running service(s)

Downloads MZ/PE file

Modifies Windows Firewall

.NET Reactor protector

Checks BIOS information in registry

Modifies file permissions

Checks computer location settings

Themida packer

Reads user/profile data of web browsers

UPX packed file

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Program crash

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Enumerates processes with tasklist

Creates scheduled task(s)

Delays execution with timeout.exe

Runs ping.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-23 16:27

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-23 16:27

Reported

2024-01-23 16:29

Platform

win7-20231215-en

Max time kernel

4s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A

Downloads MZ/PE file

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe"

C:\Users\Admin\Documents\GuardFox\zJ3jMj0GzYgdwDzzw9qRdQOd.exe

"C:\Users\Admin\Documents\GuardFox\zJ3jMj0GzYgdwDzzw9qRdQOd.exe"

C:\Users\Admin\Documents\GuardFox\KZH0_ViJLjDh1uYJKXnz_kpG.exe

"C:\Users\Admin\Documents\GuardFox\KZH0_ViJLjDh1uYJKXnz_kpG.exe"

C:\Users\Admin\Documents\GuardFox\0X5ArJglY2ONQo5sIbFdVoVP.exe

"C:\Users\Admin\Documents\GuardFox\0X5ArJglY2ONQo5sIbFdVoVP.exe"

C:\Users\Admin\Documents\GuardFox\cOJ7wsghBeakoo5SG56pGvIV.exe

"C:\Users\Admin\Documents\GuardFox\cOJ7wsghBeakoo5SG56pGvIV.exe"

C:\Users\Admin\Documents\GuardFox\YKK0vMV080jyVNM0bgr2l5L5.exe

"C:\Users\Admin\Documents\GuardFox\YKK0vMV080jyVNM0bgr2l5L5.exe"

C:\Users\Admin\Documents\GuardFox\DoewBw18fNbRUt9tzl2z14d9.exe

"C:\Users\Admin\Documents\GuardFox\DoewBw18fNbRUt9tzl2z14d9.exe"

C:\Users\Admin\Documents\GuardFox\qizZt7Bur6z1txTH4YXbihzk.exe

"C:\Users\Admin\Documents\GuardFox\qizZt7Bur6z1txTH4YXbihzk.exe"

C:\Users\Admin\Documents\GuardFox\2vg8st5gxt7xVyaMTMyPHcEB.exe

"C:\Users\Admin\Documents\GuardFox\2vg8st5gxt7xVyaMTMyPHcEB.exe"

C:\Users\Admin\AppData\Local\Temp\is-M0B92.tmp\0X5ArJglY2ONQo5sIbFdVoVP.tmp

"C:\Users\Admin\AppData\Local\Temp\is-M0B92.tmp\0X5ArJglY2ONQo5sIbFdVoVP.tmp" /SL5="$2019C,3515248,54272,C:\Users\Admin\Documents\GuardFox\0X5ArJglY2ONQo5sIbFdVoVP.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7eDL.CPL",

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7eDL.CPL",

C:\Users\Admin\Documents\GuardFox\1h5oX6AfKdjA7QKitchLMY7C.exe

"C:\Users\Admin\Documents\GuardFox\1h5oX6AfKdjA7QKitchLMY7C.exe"

C:\Users\Admin\Documents\GuardFox\xMUVVLpKRVMcQQBdGWoU2g9b.exe

"C:\Users\Admin\Documents\GuardFox\xMUVVLpKRVMcQQBdGWoU2g9b.exe"

C:\Users\Admin\Documents\GuardFox\3WEhPygXtgmAE0ixSLD2QBPg.exe

"C:\Users\Admin\Documents\GuardFox\3WEhPygXtgmAE0ixSLD2QBPg.exe"

C:\Users\Admin\Documents\GuardFox\p2ALwcMAIBBRoJauOyM6tY_I.exe

"C:\Users\Admin\Documents\GuardFox\p2ALwcMAIBBRoJauOyM6tY_I.exe"

C:\Users\Admin\Documents\GuardFox\K9064dCxqH0SR5hUFk6wIdGs.exe

"C:\Users\Admin\Documents\GuardFox\K9064dCxqH0SR5hUFk6wIdGs.exe"

C:\Users\Admin\Documents\GuardFox\u1nAJohI9NiVQVIhO_u_9qRV.exe

"C:\Users\Admin\Documents\GuardFox\u1nAJohI9NiVQVIhO_u_9qRV.exe"

C:\Users\Admin\Documents\GuardFox\p2ALwcMAIBBRoJauOyM6tY_I.exe

"C:\Users\Admin\Documents\GuardFox\p2ALwcMAIBBRoJauOyM6tY_I.exe"

C:\Users\Admin\Documents\GuardFox\S4yNXJTJDxFHKlOXMvXdgu88.exe

"C:\Users\Admin\Documents\GuardFox\S4yNXJTJDxFHKlOXMvXdgu88.exe"

C:\Users\Admin\Documents\GuardFox\ilGyp4NneBqw4pbxzA7S7WGw.exe

"C:\Users\Admin\Documents\GuardFox\ilGyp4NneBqw4pbxzA7S7WGw.exe"

C:\Users\Admin\Documents\GuardFox\hQgtvqK8VmQ1LY7m1AXNSeZx.exe

"C:\Users\Admin\Documents\GuardFox\hQgtvqK8VmQ1LY7m1AXNSeZx.exe"

C:\Users\Admin\Documents\GuardFox\_d_6oqBrYO9oDROynM5zoWeZ.exe

"C:\Users\Admin\Documents\GuardFox\_d_6oqBrYO9oDROynM5zoWeZ.exe"

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

"C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe" -i

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1328 -s 592

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

"C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe" -s

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\54f46832-0836-4997-843f-8dc0861ac106" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Users\Admin\AppData\Local\Temp\4BDF.exe

C:\Users\Admin\AppData\Local\Temp\4BDF.exe

C:\Users\Admin\AppData\Local\Temp\4BDF.exe

C:\Users\Admin\AppData\Local\Temp\4BDF.exe

C:\Users\Admin\AppData\Local\Temp\5DDA.exe

C:\Users\Admin\AppData\Local\Temp\5DDA.exe

C:\Windows\SysWOW64\cmd.exe

cmd /k cmd < Dot & exit

C:\Users\Admin\AppData\Local\Temp\is-IAPO0.tmp\731F.tmp

"C:\Users\Admin\AppData\Local\Temp\is-IAPO0.tmp\731F.tmp" /SL5="$1020E,3501695,54272,C:\Users\Admin\AppData\Local\Temp\731F.exe"

C:\Users\Admin\Documents\GuardFox\p2ALwcMAIBBRoJauOyM6tY_I.exe

"C:\Users\Admin\Documents\GuardFox\p2ALwcMAIBBRoJauOyM6tY_I.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\731F.exe

C:\Users\Admin\AppData\Local\Temp\731F.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Documents\GuardFox\2vg8st5gxt7xVyaMTMyPHcEB.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Users\Admin\AppData\Local\Temp\9032.exe

C:\Users\Admin\AppData\Local\Temp\9032.exe

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\AC3B.exe

C:\Users\Admin\AppData\Local\Temp\AC3B.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 872 -s 692

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\CB21.dll

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe"

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\D1F5.exe

C:\Users\Admin\AppData\Local\Temp\D1F5.exe

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\CB21.dll

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7eDL.CPL",

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7eDL.CPL",

C:\Users\Admin\AppData\Local\Temp\2563.exe

C:\Users\Admin\AppData\Local\Temp\2563.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c mkdir 17595

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Produce + Vegetation + Workshops 17595\d

C:\Windows\SysWOW64\PING.EXE

ping -n 5 localhost

C:\Users\Admin\AppData\Local\Temp\30998\17595\Protest.pif

17595\Protest.pif 17595\d

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Thumbnail + Hugh + Generic + Obj + Ve 17595\Protest.pif

C:\Users\Admin\AppData\Local\Temp\55E5.exe

C:\Users\Admin\AppData\Local\Temp\55E5.exe

C:\Users\Admin\AppData\Local\Temp\nstD00E.tmp

C:\Users\Admin\AppData\Local\Temp\nstD00E.tmp

Network

Country Destination Domain Proto
NL 195.20.16.45:80 195.20.16.45 tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.8.59:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 vk.com udp
US 8.8.8.8:53 joxy.ayazprak.com udp
US 8.8.8.8:53 ji.alie3ksggg.com udp
US 8.8.8.8:53 medfioytrkdkcodlskeej.net udp
US 8.8.8.8:53 cczhk.com udp
US 8.8.8.8:53 294self-limited.sbs udp
NL 77.246.104.70:80 77.246.104.70 tcp
FI 109.107.182.40:80 109.107.182.40 tcp
AT 5.42.64.33:80 5.42.64.33 tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
US 188.114.96.2:80 294self-limited.sbs tcp
US 104.21.80.24:80 joxy.ayazprak.com tcp
HK 154.92.15.189:80 ji.alie3ksggg.com tcp
MX 187.204.28.170:80 cczhk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
US 188.114.96.2:80 294self-limited.sbs tcp
RU 87.240.132.67:80 vk.com tcp
US 188.114.96.2:80 294self-limited.sbs tcp
RU 87.240.132.67:80 vk.com tcp
MX 187.204.28.170:80 cczhk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
US 188.114.96.2:80 294self-limited.sbs tcp
US 188.114.96.2:443 294self-limited.sbs tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 91.215.85.209:443 medfioytrkdkcodlskeej.net tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:80 vk.com tcp
RU 87.240.132.67:443 vk.com tcp
RU 87.240.132.67:443 vk.com tcp
RU 87.240.132.67:443 vk.com tcp
US 8.8.8.8:53 sun6-21.userapi.com udp
NL 95.142.206.1:443 sun6-21.userapi.com tcp
RU 87.240.132.67:443 vk.com tcp
US 8.8.8.8:53 sun6-23.userapi.com udp
NL 95.142.206.3:443 sun6-23.userapi.com tcp
RU 87.240.132.67:443 vk.com tcp
NL 95.142.206.3:443 sun6-23.userapi.com tcp
NL 95.142.206.2:443 tcp
NL 95.142.206.1:443 sun6-21.userapi.com tcp
RU 87.240.132.67:443 vk.com tcp
RU 87.240.132.67:443 vk.com tcp
RU 87.240.132.67:443 vk.com tcp
NL 195.20.16.45:80 195.20.16.45 tcp
US 8.8.8.8:53 iplis.ru udp
US 104.21.63.150:443 iplis.ru tcp
DE 185.172.128.24:80 185.172.128.24 tcp
HK 154.92.15.189:443 ji.alie3ksggg.com tcp
US 104.21.65.24:443 tcp
US 104.21.4.208:443 tcp
NL 95.142.206.0:443 tcp
RU 87.240.132.67:443 vk.com tcp
GB 96.17.179.205:80 tcp
RU 193.233.132.67:50505 tcp
NL 91.92.245.15:80 tcp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 app.alie3ksgaa.com udp
HK 154.92.15.189:80 app.alie3ksgaa.com tcp
US 104.26.12.31:443 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 trmpc.com udp
PA 190.218.35.224:80 trmpc.com tcp
DE 185.172.128.90:80 tcp
DE 185.172.128.53:80 tcp
US 8.8.8.8:53 gxutc2c.com udp
KR 211.119.84.112:80 gxutc2c.com tcp
KR 211.119.84.112:80 gxutc2c.com tcp
KR 211.119.84.112:80 gxutc2c.com tcp
DE 185.172.128.53:80 tcp
KR 211.119.84.112:80 gxutc2c.com tcp
US 8.8.8.8:53 EvaxeIyBnCRISyqZrpFErpEgmoP.EvaxeIyBnCRISyqZrpFErpEgmoP udp
KR 211.119.84.112:80 gxutc2c.com tcp
GB 96.17.179.201:80 tcp
KR 211.119.84.112:80 gxutc2c.com tcp
KR 211.119.84.112:80 gxutc2c.com tcp
DE 185.172.128.109:80 185.172.128.109 tcp
KR 211.119.84.112:80 gxutc2c.com tcp

Files

memory/1944-0-0x000000013FAE0000-0x0000000140524000-memory.dmp

memory/1944-1-0x000000013FAE0000-0x0000000140524000-memory.dmp

memory/1944-6-0x000007FEFDA20000-0x000007FEFDA8C000-memory.dmp

memory/1944-7-0x000007FEFDA20000-0x000007FEFDA8C000-memory.dmp

memory/1944-8-0x000007FEFDA20000-0x000007FEFDA8C000-memory.dmp

memory/1944-10-0x000007FE80010000-0x000007FE80011000-memory.dmp

memory/1944-9-0x0000000000170000-0x0000000000171000-memory.dmp

memory/1944-13-0x0000000077970000-0x0000000077B19000-memory.dmp

memory/1944-12-0x000000013FAE0000-0x0000000140524000-memory.dmp

memory/1944-11-0x000007FEFDA20000-0x000007FEFDA8C000-memory.dmp

memory/1944-14-0x000000013FAE0000-0x0000000140524000-memory.dmp

memory/1944-15-0x000000013FAE0000-0x0000000140524000-memory.dmp

memory/1944-16-0x000000013FAE0000-0x0000000140524000-memory.dmp

memory/1944-17-0x000000013FAE0000-0x0000000140524000-memory.dmp

memory/1944-18-0x000000013FAE0000-0x0000000140524000-memory.dmp

memory/1944-19-0x000000013FAE0000-0x0000000140524000-memory.dmp

memory/1944-20-0x000000013FAE0000-0x0000000140524000-memory.dmp

memory/1944-21-0x000000013FAE0000-0x0000000140524000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar5D13.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\Local\Temp\Cab5CD2.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 42b26397e6a70a04b6a9e329abab5bb7
SHA1 3891e4fd608b2a3555abcfe29419d3c3a84b97a5
SHA256 823d04d6bb411cdb200d87ebed65b91cb407617e55d19022ca180513213ba8b9
SHA512 3da0de130964805e9bf4ac91e5b2165e98b9af9db0afb60bc993619894da0907f822730fd856476e7229fed6e1165c412c2c9b34d807b5810c0c21abf61ba9b7

C:\Users\Admin\Documents\GuardFox\2vg8st5gxt7xVyaMTMyPHcEB.exe

MD5 65b7eb148d5827a5f22d4c0b68354ce9
SHA1 82731f9f58300b45a26acab23fefcdd2d63017b2
SHA256 644ade98f0be05d2e575d727dad84042abc43c52c7bb7f40a97df7df1afb9dea
SHA512 eea0b37f9a362b54dab288b4b3b64dfcccc39c30bcb4f44ee483d0e22ea8d5b298e440c77fc7f810b47d7c4eeb9242133d9d23bf93b22e620ca850c57237f7bb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 34d4d31e279bec61cb3b922cfa1106c6
SHA1 9bc4e658006a79e0c3cabe2a6d1cff262ac78fc0
SHA256 9334c5191f6e9c4030ddc24f29f26bc046f08d46b1709af2aad06aa25dbd8d47
SHA512 a11173d2c46ff4ce60b36cd58194a6eab1b437076d10e457dbdccfd312edde2eac05e51ed03fb110db9734b0506740bcd9ef1cf9c8b2a3d9942b5296ea72680f

memory/1944-134-0x000000013FAE0000-0x0000000140524000-memory.dmp

C:\Users\Admin\Documents\GuardFox\0X5ArJglY2ONQo5sIbFdVoVP.exe

MD5 f66d6f5645ea4a5e4286ac266966e37f
SHA1 5fecf361e6f146355daa02d3678f45162deb8a71
SHA256 e7fc17e49e7a2025711c5aba292c5ed4d387383ad01017e87c9a1518e58ce2f2
SHA512 78578eb1d77b068e2ffecd11866efd558ef8bdf79ede1abf9133556f0191d541100d39a9531b469beaa89703e3f23c6aaafacfded5b2353b5216dd22cc00eadc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7393d266688e9ecc002165f34b231a45
SHA1 6bf8fd2ba7dcaa21d504c216965d81250bf8bdc5
SHA256 e88e2b54a5d750f5e263faa38287fc234620fddbe71dda49b945bbfab3a8d5ed
SHA512 7ba27739cd035508ea5e9face9a617442fcf77fb309d472c4b97c11f49ebcc44c294aa307b56f4351e87d1f54c8a3c91bed03a63374f566190ec950d2da1cbc7

C:\Users\Admin\Documents\GuardFox\qizZt7Bur6z1txTH4YXbihzk.exe

MD5 f740608b4fc3a10a4526f0c2db5fc67d
SHA1 91a6a17d5a90be772997021532d6d0615d550fed
SHA256 35e87fae499edf23f25bfc5be34be901c0dcef34851db88b7d96eeeb6733860d
SHA512 2d45013aa54d29977eb173ef873ee2464081ee650c3df04fd381f9e8aaaca4bbc58de61228cbf365439ad05a81de4bed8cdafbf4a3762eb489da23d65010fe3c

C:\Users\Admin\Documents\GuardFox\DoewBw18fNbRUt9tzl2z14d9.exe

MD5 ebd6f7a6cb7aa2c1f16389618828dd18
SHA1 6f0ab3eae5a5c4ed3383ac48a4ac067294c87728
SHA256 80b7f795cac71ff494d915f171bca9feca53cf6d9c6d5b87b2c773ea8266403e
SHA512 b0ab45f303c0c7051da0248713d0b672d262bafde69112e3fe021426bfce869089329b324e3355a94cea76cec4feb6a024ab74499e1f025f82eebc3da11521be

C:\Users\Admin\Documents\GuardFox\YKK0vMV080jyVNM0bgr2l5L5.exe

MD5 5373721eba16b7c52d1f53b02ca95302
SHA1 8b945293d135a1afd888babf4738971dbd607475
SHA256 8dcc8b0423941480f2dc4fcaca1811ea61164b8f8f213396b18ad32a20833b88
SHA512 c5d0c13f0d6036a54de22eb2996333bd7d908664879509699fa03a234b4b4e9fa62c8396b07cda534edf2102f3df5fa633b1e70265d536d9dfcefa28256ea4e4

C:\Users\Admin\Documents\GuardFox\cOJ7wsghBeakoo5SG56pGvIV.exe

MD5 e2a1976a1de9ce8f22ab1c9e8405cef1
SHA1 7a8782a0b383d49b918093a39ea68e11191f039d
SHA256 eac9ff6fb58b8b1f49a61dc3a976fd4c30e4c515bbc100ebde721ca9e4949db9
SHA512 2b6f700ec66783548ada441ad2d6cac53900d84c17e386a58f4385f6f826bcfb0529e7773256c5bbc4c5a85ebfb30f1e8dce4267224d29810ef8640f0ded4c99

C:\Users\Admin\Documents\GuardFox\KZH0_ViJLjDh1uYJKXnz_kpG.exe

MD5 2c6c31fbb52dcc0675921ee9bc9a18e0
SHA1 db6d0678f4a895ef817eee0dc15b8f09964d125e
SHA256 fe079ab15f1ec887e1c50987c5a33410b27aa8a5509f2812f404d56dae1ed6a2
SHA512 2d0ff27542d9ee58655a8f5eeec3a1ea8ee8bc146c7035ed8b3daf6f4ea79160089f4c296bf76adcb86c9da72ebc58e1f6b355b1ff237d373d2ed97b00e4faaa

C:\Users\Admin\Documents\GuardFox\zJ3jMj0GzYgdwDzzw9qRdQOd.exe

MD5 fa31fbfe7e5d4f1d48d2e36a246cb4d0
SHA1 d2fd080418c47aa2e662b63943236dffb3e08ce5
SHA256 71cabe5d7d93c8cd2e4c0ff042383547181ddf0fc6d346c315e1ac670e3d0869
SHA512 8e8f19e920a0c387f6927860cd466657462e1f88783065d8d1354e48120b4b631c46d9fe542d883723abc43c1d83147b9624d4bf3e492bc82a5627b6a6378300

memory/1944-229-0x000000013FAE0000-0x0000000140524000-memory.dmp

memory/1944-246-0x000007FEFDA20000-0x000007FEFDA8C000-memory.dmp

C:\Users\Admin\Documents\GuardFox\hQgtvqK8VmQ1LY7m1AXNSeZx.exe

MD5 19a16b92859c68276d2c7a40cd97aa1e
SHA1 e663afffb471ed6c61d2d43fa4476bafe527fb19
SHA256 ee3d3ba1ed746cdb5d465f1a33e1cab4081d11cffb92a29b7f0ade2abe3565de
SHA512 c0ca6ef5660059b46483d4ac245018fea59eed9ed7426944cac0e04be8695877dbf4613a04a5494211274a393faaf1276a58627d62b525fe14ccb0ded41f1493

C:\Users\Admin\Documents\GuardFox\S4yNXJTJDxFHKlOXMvXdgu88.exe

MD5 e55c4ff4955b3cb33399030bb0ab4c28
SHA1 7ac45a3b0e4b0576f2f4ebe174a2c8bc775e1ea6
SHA256 46026c1ca2d3f1489c5e697de12d6c5c4c11dd8261ad903bc684c9a22edc9151
SHA512 9ffc6460ed692919ee0303f8cebee266b8f9d4f09dcc5c41389777f4a79fee9b144c3986b5ebc8458cdf81116234629bf06080f9a7788de7503cf30b0a830dc2

C:\Users\Admin\Documents\GuardFox\tpt8Z_Rgp4UVHKBj0WPdCHra.exe

MD5 95f80dc65819376a452f65b299fae7fd
SHA1 31dd3a984c71978432c4a8f20c988fb27e24e70a
SHA256 f2f15ad6be3cf33486b91f012d817190470cd340d6a34725bc0873d0ed53fb18
SHA512 58115691c0cfafc59573d03923a4cd4f24232d0f394cd7f549a57d15a6358027489e5b475c7cb1321a6a2d9bb2bfe4ae86fc0ae7612ae1ad8dc3d297ea4e6b73

C:\Users\Admin\Documents\GuardFox\_d_6oqBrYO9oDROynM5zoWeZ.exe

MD5 4dd06db5030f5f443ca8d74c940e8f71
SHA1 2ede388bbd7fed2d49006d083989a4c89d2f1854
SHA256 8872490263809f28f160683ff1f0b90ba30b425b35f34a8054ebf7f7e8531086
SHA512 3d36f25817317a744f329e50abdf0a4731201ce94f64713b884453fce9a1b3da3c7ff1f5cfdade71bec81cc20b572cc821b1eee4db26136e72378a1e6077322f

C:\Users\Admin\Documents\GuardFox\u1nAJohI9NiVQVIhO_u_9qRV.exe

MD5 b4bcb96996f07b78d7adaca8e303522a
SHA1 9b66721c244827b56a0b04fd7d59b945e7f4ce08
SHA256 7655b19873caae125f013b1acf74b9ceda60fb7380b81f4dc8363adb8947f1fc
SHA512 620b69b2a75bc6c0819fd59fa9fb6da89f771e067fff5914f72413139103a1a09685f9f17b054458c26acc45691bc9f0b35fcacf5121024d61bf5e4a6861e286

C:\Users\Admin\Documents\GuardFox\1h5oX6AfKdjA7QKitchLMY7C.exe

MD5 4f2586a0f7e0d4017d86d9b74b22390c
SHA1 122dd0f7c461e1b19772378580f01862a7ac9926
SHA256 70b08304ec499a6bb13f55c22e74b7fc13ff578bffdecfecb4f8a0aeb3b88d9a
SHA512 8cc8bb3e9e0fc6b7ccb9c5d25358347dc904164b2151d632706aff1aaefdd4c6d7a99c5718d721443aa8d6927dbb048dafbd35ae46b723573caabedbbe2cd193

C:\Users\Admin\Documents\GuardFox\ZILA72kaOM5pYZfXMY03cnKT.exe

MD5 f5be32f456e268df40170f71cd023b61
SHA1 2e49703d449838799ba8365fac58b052c87866ee
SHA256 66bf7e7eda0645921f7ce179ef6945d213b8852366a2881ea407052abbf06f2a
SHA512 41739f065c1868c6eb79d202737adecf817cfde8afedbdbc5d7bb2a544df40f922c77fe7ab1dbc8bd849cf7804357ffd1bbb27310e7d175ca5ac88ba40c3e726

C:\Users\Admin\Documents\GuardFox\K9064dCxqH0SR5hUFk6wIdGs.exe

MD5 29ec7ecc8b9ec550042d0f0843b51627
SHA1 abb1f34f29274b63d17d9e0fbff03f9dcd64b96c
SHA256 cafdaec53b96ac156ef00ea10f0eb503e8773a6d73d8985964ff7e091405bf7f
SHA512 a2444e57690019725b5b6f5fd8af2443e99c319d40e968b3c00da642c3ec40c8105aafdc68063dfc07e6f1e844d9ff6ddbbaac0803aacc29a200208e385cf962

C:\Users\Admin\Documents\GuardFox\ilGyp4NneBqw4pbxzA7S7WGw.exe

MD5 d8b55bc6b954e09256b65f02ef7dd687
SHA1 558a0277d25673e410f7d6758eca32c27d5ec7c2
SHA256 67f9a06ebb02beaaf2d28328962906a073fcdcfc66b377dbcd6ad1d0e74de577
SHA512 eff671c78e7a39aa4e3e2ddbf9cae9aadb25bce77532b4b573b6659d7a59be37f353dc806cbc8b92f3c761cfd02b566228b5f75a68de529b3b75dd38783a38c8

C:\Users\Admin\Documents\GuardFox\3WEhPygXtgmAE0ixSLD2QBPg.exe

MD5 21a57e123048b409f24493e4ff240fb6
SHA1 a341cb1930b81f36a5b48f52bb1fcd180f589757
SHA256 1bdc8ed047e57eb2183c34e5f7b8049cfece73c4cdfcbb48ed24eff1c7edadaa
SHA512 46f78cf22513562a23d44c0057459f48c4850659485338936aca8ebe1934245855b2d15ba8d3b473c64d1a3e021b7c4892fa4b6d03e9f0bbba5fa10587c2f492

C:\Users\Admin\Documents\GuardFox\p2ALwcMAIBBRoJauOyM6tY_I.exe

MD5 e9216525ee09510c8c1b5cfd68eb74d8
SHA1 58f8982d4ebbde62ebd11b82e0ac68ab1f97f6cd
SHA256 325ae4ed4ebaa092882647da4fbbe2d588e50ce76dac163e4d8b0be2f3911985
SHA512 7593a3c907ae8bea96d32924632f566bbcfe2d636d5f97248cf0738d64924ae6a7727625ef7dca5ffeaed256761ca3c807563c27166aefe01711ec6f7abdb768

C:\Users\Admin\Documents\GuardFox\xMUVVLpKRVMcQQBdGWoU2g9b.exe

MD5 499b89da4e0de844ba62e9d51f6dad88
SHA1 ebe293a851442b2b4e36796813428f6495e14862
SHA256 8c458db2b5142f926c99e3581b8487a36283ede88356cc2849c0120cd98329aa
SHA512 da91fc200eaeb30fc67f44ca0457fcc4462a2fdc4fa1b44a2a0e1e629877047fbea6683be4448a1375f8e3581114d251bb0c20b6b5930ff555f525ba67134060

memory/1944-352-0x0000000077970000-0x0000000077B19000-memory.dmp

C:\Users\Admin\Documents\GuardFox\0Cx81LmgTTDIL79OjufUMdUs.exe

MD5 3d8d237b751486ab1340c6c6d4a79bef
SHA1 960b32b30e6d8fc8eb097ae1190a9a164f453208
SHA256 77dbd5a3584f5cc70d3044349521e67f927727f1b13a08cc1c7ee516b6883c3e
SHA512 dc9e5880b14bfa7e836b55eaa13002438c82b536370725ab2a2047c534fece751bb5983ec1d12cdf1810c1c5138d379b88ae79fe63182addb24de9394ab24e29

\Users\Admin\Documents\GuardFox\qizZt7Bur6z1txTH4YXbihzk.exe

MD5 2676652e28d41a1da75a042da53ac749
SHA1 f2c03b266efd7f85e862812a85bfa8c3324e59cd
SHA256 3e24b512ab655fe087b58dffb20f330077c47cf4958aa69f8d02482399696b66
SHA512 787127acd1abd9ff420f5d0d6bd1be035b3d569df9f31b4c95fcc767216278a6b05b1934326a0bf001196092ead5a9f2bc8806a890b09a6f5324910fd78729e7

memory/1704-401-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\Documents\GuardFox\cOJ7wsghBeakoo5SG56pGvIV.exe

MD5 95016d5592c590e2e1d999ab7ef3aa51
SHA1 3d813ebca5d937eeb935172c4687c46ae4fbfafd
SHA256 93a698786a021035b167ae7f736b4443a691e203232117fa11b6ad606aaf77ea
SHA512 f9fc18c7a637f10d76cdd654d5343489378892fc30af5cfd4885e5418901a35cb6058048ac4476511cfd69b6f341c6048f1f4d2d731e93a7c7c73192244c52e5

memory/2584-408-0x000000013F810000-0x000000013F866000-memory.dmp

memory/2744-434-0x00000000008E0000-0x0000000000972000-memory.dmp

C:\Users\Admin\Documents\GuardFox\K9064dCxqH0SR5hUFk6wIdGs.exe

MD5 575612e2a6d358ee6833231312abcab2
SHA1 bb65fb8f730eb23d5e88312d88ed6b77b3159994
SHA256 4c16492d1df7c1d8bc6d7634473857014cf8b16bf58b2ac39a46f8084f6f6cb6
SHA512 08c374b43a07ddb019b25423b26c85b8cfa0ec0d9b42b1d43453311e1fbef21482334579bc74983e7a66c8dc4625bca299d874dcddf50e75d97500bc1ec3b345

memory/2216-444-0x0000000000F00000-0x0000000000F58000-memory.dmp

memory/388-450-0x0000000000D70000-0x0000000001684000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-M0B92.tmp\0X5ArJglY2ONQo5sIbFdVoVP.tmp

MD5 a5116e30c644284c4aef3cf81b7d38eb
SHA1 08c7f475cf70af878c2cf655b6dfc0ee3196e4c6
SHA256 2d755dd3c20d53c77246f0cb0a3caa3d59e68785c5c43544dd0babbc661630d5
SHA512 dc8c5157d0b11d97bf4c05bd8815cd58e747925bc7881489a38b21d0ade1e49fb1e0b8e0398699273ff979a867ce7e04e21ed65ef23e761cf53ff0200ff80229

memory/1328-447-0x00000000046D0000-0x0000000004734000-memory.dmp

memory/2744-452-0x0000000000B30000-0x0000000000C4B000-memory.dmp

memory/2244-453-0x0000000000A70000-0x000000000176F000-memory.dmp

memory/388-456-0x0000000076EB0000-0x0000000076FC0000-memory.dmp

memory/1020-462-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1020-494-0x0000000000220000-0x000000000022B000-memory.dmp

C:\Users\Admin\Documents\GuardFox\u1nAJohI9NiVQVIhO_u_9qRV.exe

MD5 c7384afb068f12cb2a2736d9094cd820
SHA1 9d440f795c87a57bf5badd9d7283e11edd618dee
SHA256 2cab68df059efa6f7994fdd280a9584166c7ff058ffe291c98b512bdfec9c049
SHA512 d6af9640633b628d5a0e00969e83d51ecdaa118ed01c08fe73531ddc4993e4050df0d5bf7d4ee9968c224dc57501079fd0936ec7f4b2c3b9f63f362ca0c0d141

C:\Users\Admin\AppData\Local\Temp\is-M0B92.tmp\0X5ArJglY2ONQo5sIbFdVoVP.tmp

MD5 9e0d14e7cbaaf12a2e76819ed5ab1c4d
SHA1 589a186c63b9de5b6852cea444c4eb407242aee3
SHA256 10a4c06e78159722c3a94df6ead602de066ed57222dfbb2df5e10c16a4a63f64
SHA512 7ac3ed82990fc5c5c16e9b96e01aa6a96188b1f310a92f73ef521659b49380ec31eb4d5e486f00e558f676e81ada435f04585659b189d3913e7d3e0c685af255

memory/1856-504-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\Documents\GuardFox\p2ALwcMAIBBRoJauOyM6tY_I.exe

MD5 e92df1f4e0b6cbc7634d9bc8b3410eef
SHA1 1f3f056d7b14d21eacc9cbd401555263d424d6d6
SHA256 2ded7159ee7b23e51ccc243517510ba0ed586af6f3c6aebfb7f6af98965557f5
SHA512 84b83ee1abe59ff38926f999a7f6d09e2bb6ab25ee034c7e5b78fc1e481056b2bd86e72942af740ce4f47c16eb57f494ff3a1e2fb65f3854e13cf933e93330ab

memory/1856-501-0x0000000000400000-0x0000000000537000-memory.dmp

memory/928-518-0x0000000000220000-0x0000000000221000-memory.dmp

memory/928-524-0x0000000000220000-0x0000000000221000-memory.dmp

memory/928-537-0x0000000000400000-0x0000000000D40000-memory.dmp

memory/2208-535-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2208-543-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/2208-544-0x00000000010E0000-0x0000000001A27000-memory.dmp

memory/3040-542-0x0000000000340000-0x00000000012F3000-memory.dmp

memory/388-556-0x0000000000D70000-0x0000000001684000-memory.dmp

memory/2756-534-0x0000000077B20000-0x0000000077B22000-memory.dmp

memory/928-529-0x0000000000400000-0x0000000000D40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7eDL.CPL

MD5 85d7ca9383a1b5187bba14f80703e8e4
SHA1 e4fc9ff1acdb403178c2d54524db414396f442aa
SHA256 dfa5b97e17d9a9f9173e0f59f84d88511505430ed8d1f2e4adf73ad25239daf0
SHA512 88d94a3615ff9aad81c6ee91a5e423813c1c585a74916c7a0ed974ac04a5c3adf011c297e9d39e2c9b0a68de0e66b3d7776b6465ac2b42b7e25da0a92bbe96f1

memory/1524-600-0x0000000000600000-0x000000000060E000-memory.dmp

memory/1524-602-0x0000000000230000-0x000000000023B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PowerExpertNT.lnk

MD5 b18ca7ff547c776699ba7d986aff752b
SHA1 871eca7d4ee8bf5c90363a3f8809b734bd680f18
SHA256 1df93c99e3fa7e2584332f822db9777f5feaf4e44b8800946956a27e1ecc82cf
SHA512 2d3a9fef07f69719ae1dbb7eaa84a627f7afb545bc6687733d3ac6d9ee5076de61b11c1125c245094b18dd3ed21f8cac356188e082b80c8261fadce384e6ba91

\Users\Admin\AppData\Local\Temp\PowerExpertNT\PowerExpertNT.exe

MD5 9f6b9d07e0e1041150acaa97a368bcef
SHA1 02f52fd00786c4fb9a2b115fdb0ba040e6b49ef8
SHA256 dfa0ace04bab84553210479ff5a8b95ee87fbc9fa661037f1a7a5c9081117597
SHA512 c38f8ece7a0742b1f1d53a7a8e3ecf8ec00b465bca63620ecac7b441f84d1ad77413f9e0055eeecc9ca5a118e0477dde1993f7ab28312b9ad0c48d9d3cf4670e

memory/1524-599-0x0000000000400000-0x000000000043D000-memory.dmp

\Users\Admin\AppData\Local\Temp\7eDl.cpl

MD5 f5a98ff46e05011aee19f1032c0ca3bb
SHA1 63e3a30a8765b4ca213359564ea012c9812f0e06
SHA256 a9374e19434373738556eaf32ec64045b85a57337e347d7c8444cb16d4635aba
SHA512 c317a45b6983a5e1432b027a1f7188401b17824e5d281fba42366839a39e25a025bc4f84fe655640dd0bf21529fb576c89f3b3e0bad479fa25f6b820aeae29cc

memory/1328-612-0x0000000004730000-0x0000000004794000-memory.dmp

\Users\Admin\AppData\Local\Temp\7eDl.cpl

MD5 852b7a7d1eaf27a2528a74ca92f099b7
SHA1 f1c9b4d4849d2d92f718a9ebd1a0308a3a7d4255
SHA256 301d9a5f7d4fdd33888590c3f9bbde32b21b6429d59a6d8db21d0dccb4b2a675
SHA512 ab048d56121daf451dc34dd76400db22972f3f0f90338df79d600b5763848250b432c15aafd5f6ab298e2ef5e547ec90afb37fe37ccf78a50a7893291aa753cd

\Users\Admin\AppData\Local\Temp\7eDl.cpl

MD5 73476bf4a8731d3dc134ed25b46db59b
SHA1 bbe65a4f764f184c361d71d9fa5c855931e2ab3a
SHA256 91b8413906ed52b1a58056d549c174af197274b6d38904485c12032db45ba78c
SHA512 e268f5bc9d0f2c35d2f7bcaca4d54e2c1473da546495286f635566d22f5795f3ae16953f1db45c05e62d5fd16dae4955e628318d557bac3dde76b6ad5d9cf18b

\Users\Admin\AppData\Local\Temp\7eDl.cpl

MD5 c70b30525754f6b4e2a1eabe08de3b6a
SHA1 907c5cef27575704adba8db7b4e8ababc767cb54
SHA256 770abdb99927d2b8bd7b9c418e0eef62a0337dd93b58f591de9df1e12d5f678e
SHA512 b5be99a1ac632a0c6d1248d1b9ebe36dec38fb5a23c6bb68dbf93d4ac618e04c5084882e34d5aefed1774c64df3f5d44bd9afd4e1a22e5683fb6e0279394898c

memory/1220-566-0x0000000002AD0000-0x0000000002AE6000-memory.dmp

memory/2528-617-0x0000000010000000-0x0000000010242000-memory.dmp

memory/1752-530-0x00000000002B0000-0x000000000033B000-memory.dmp

memory/928-528-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2756-517-0x0000000077B20000-0x0000000077B22000-memory.dmp

C:\Users\Admin\Documents\GuardFox\3WEhPygXtgmAE0ixSLD2QBPg.exe

MD5 5e9d3fcd8b7a49e4ed03b7a4e0ffdf1d
SHA1 405d71e66c54fe04b0d903b539d6ec552f64b538
SHA256 afa16200750a440b3c55256d3aa4a082332b753ef6911738d5525b783529927f
SHA512 3d3dbf4c8f10c6708b07990905d8458b705555075134cffb216cdc17b309f356116954657ad2bbc31656bdb3ffaee86b3d1d245241cf22f3d7398474940cb796

memory/1856-493-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

C:\Users\Admin\Documents\GuardFox\1h5oX6AfKdjA7QKitchLMY7C.exe

MD5 d325656ed73576aed21ecdb533e4b469
SHA1 c824f407a05c22b4a07636d6e53d0f1c9afe9358
SHA256 074b0b0f9c47f2afe5792cc0254f324fed0e4a5ad75dcf43c48426571fd40453
SHA512 6e4fb7af7a5a4cf1c7aa282f396bc47c78c59ccb1782ebf09e26498a050d1050fc52bef3f67f0e157384171f7de7284fcb7288b25cf61a9c23f9255162039231

C:\Users\Admin\Documents\GuardFox\1h5oX6AfKdjA7QKitchLMY7C.exe

MD5 67572e0aa806645fe136bdda362c1352
SHA1 ae41e47921a42b80e0c330357cd2bf3d0b65eede
SHA256 591be8061d304141946f792ecc579fa437dcae50fd76eff204d55ef41e317f8d
SHA512 52c96d96e0fbaa9d805be4773d8ab14c5884cd15a89cf036e2e861df9135d4b6bfc2e9118022a97aeb71169ef071473edbdc8dd06e6cd3a5cc0e28024931dcf2

C:\Users\Admin\Documents\GuardFox\xMUVVLpKRVMcQQBdGWoU2g9b.exe

MD5 7fb0f780d3ef29af2da679cf034829c3
SHA1 68ab6db1545475f41ff4b6fb471cd322b810dcab
SHA256 38a4608c0b9bac48f44dd8affdc79f01d90e627556f9342f2c21e44da4b9f6c8
SHA512 ff41818e432b33412f5dfd8dd440d87edf981b018b52565275d6096e713a3c09156297749579bd36924be53b5d348631ba8deca9aa9e841b778366aa7f78419e

\Users\Admin\AppData\Local\Temp\is-JK1GO.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

\Users\Admin\AppData\Local\Temp\is-JK1GO.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\Documents\GuardFox\xMUVVLpKRVMcQQBdGWoU2g9b.exe

MD5 9271806ac71a07442ae166584e26f42c
SHA1 72c50cfc4c4806c86e7380bbb42628663bf9c157
SHA256 e62fba6b9430224d1f39f6837242dfa487530762e4eac010a1b1792659de9330
SHA512 75ee68f4fbff50810848db0fee24dc545c2d5b8cb72cbc1c91eb6e418fc7b6f6584d30dff0fce3bffd512c96f72a937c5da1f4386979967824e607b5c8d5959b

C:\Users\Admin\Documents\GuardFox\3WEhPygXtgmAE0ixSLD2QBPg.exe

MD5 601b46c1f24b87b694163a3a2d758608
SHA1 e551bbc867877be83256148acf76261ee60ebea1
SHA256 79be6eafee90e738399ff5f6828570013f6ae2fb75cea32232dec28bca690108
SHA512 19b553e060680ed2d8df8bcce494eb22669b302c18d9a38830c8d23f7e790cce0c40728f1042fe2f73fe2ec6c1ee4cb1aa79add75d40aec3e95b7a222b9a93d4

C:\Users\Admin\Documents\GuardFox\xMUVVLpKRVMcQQBdGWoU2g9b.exe

MD5 51baa11bfbfb52c2f9f99394c31ed82f
SHA1 2d9499bb470ae0b7ce868bb425594d250c3021ae
SHA256 b980339bb3eccd6c5a16eca1fb423fa12f9d6109fbbb53e26acc21eef099d8e3
SHA512 f40a1be3f9a47363f712febdbab3a43ee10d7d584422c38ee0e4da558f70f610c3f1707b4d9abb2a0730ec1932b739c3d91a695e5e3407cc6314fccc7cc60b2a

\Users\Admin\Documents\GuardFox\1h5oX6AfKdjA7QKitchLMY7C.exe

MD5 495d40c2bf1e8bc819f7537f2b8cd35e
SHA1 231df1bf1ece08daac6e00d175a3db76d4b1516d
SHA256 b153b5d97a38cde2ff81663272a48094101d634cdb1e80eb6641a6cdf155a93a
SHA512 36dd8c34080455ad1caf6b8c47c93096715bc8a3cb50c9ee2a8d9522a73352138ee2c2ae0401aabbd44dc0a368118d9179b1444f48f823d7c34a9a5e55f3c590

memory/1020-465-0x0000000000620000-0x000000000062E000-memory.dmp

memory/872-464-0x00000000013B0000-0x000000000191C000-memory.dmp

C:\Users\Admin\Documents\GuardFox\p2ALwcMAIBBRoJauOyM6tY_I.exe

MD5 1dd8d18051328439b2ec873cbba003f4
SHA1 e02cfa185076a81c03fd7ec361cc9af274346be4
SHA256 4e408148b0710f358733268837e82bd147d5daafe5ae700b03e48636f8aba8ce
SHA512 33ba7e83b252ed6a80c5e55bb4ea6dfc848d951cca2dd553cf2a76b947c6aec5af72de702987985ecaed28e9a21a8390c9ec111ba735f67cdc5313fae1e49b9c

memory/3040-631-0x0000000000340000-0x00000000012F3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-M0B92.tmp\0X5ArJglY2ONQo5sIbFdVoVP.tmp

MD5 f7a1e7ca916b5665f68f9d8559aabacf
SHA1 d35baf1d886e338beac6ec1cd77d2b1e9386cedf
SHA256 4860cc12e693259f41fc361dade9c473e3af6f2a3665b8e150b30fbc4db155d7
SHA512 341ad526bf17d6ce141cf97cf8af0342c2a8646086cb767efe806ba2ef571c6768162270e65830582399fbcaf8619f74a66fb823b5a0a224270cb7f36239bab8

memory/388-460-0x0000000076EB0000-0x0000000076FC0000-memory.dmp

memory/388-454-0x0000000076EB0000-0x0000000076FC0000-memory.dmp

memory/2744-451-0x00000000008E0000-0x0000000000972000-memory.dmp

C:\Users\Admin\Documents\GuardFox\u1nAJohI9NiVQVIhO_u_9qRV.exe

MD5 01dc26008f4485b64820aa3b6ca4035a
SHA1 046f4034eaa513618889d967627f162c40584b38
SHA256 f3323eac403e1c112528bdb40c136416bfea8f3e5067dbeac1230e56729cbef5
SHA512 3966da82f57295d219e1360a35e000a334b9f0038ecd1cc43b8993b4bf1b6239e32397159a1ea0ff9c66fabacedd17b1ee3784b7403dc16217a44860b4b818a7

C:\Users\Admin\Documents\GuardFox\S4yNXJTJDxFHKlOXMvXdgu88.exe

MD5 5fa878455587d484dba37e41a46b9343
SHA1 82f4dd3a18554bda4425a897433b31f2d783587a
SHA256 e63841c08999245e9c424161cca81afbecb2c9e20b53aa2eb988a923cddbe6a4
SHA512 60e23805e4a72ed423a65d2a3b19c2f6f4c16587f74499f78478180e0964dc9a80a584fb3a607c7a61ddf8085cd3ae23a5bf6a0d25aff78b96b808007d7e1654

C:\Users\Admin\Documents\GuardFox\u1nAJohI9NiVQVIhO_u_9qRV.exe

MD5 db6b6b3b8b0acf249e87e090f5fe0ccf
SHA1 44f171a46cab9aa8dad2d6db064b693d4e02c5b5
SHA256 750df7aedb9ea7e14b5389fd6e4071f7ddbbc1c5e494dd05398d4598a9cb1723
SHA512 b154afb37ed994747e550c746b95872ef045685e7dceb83f526634fa1503cddece58e0eb39eaabef3033715ecc0266561055fce2090de70ec12320e51b7a596b

C:\Users\Admin\Documents\GuardFox\_d_6oqBrYO9oDROynM5zoWeZ.exe

MD5 916f9c69347044d2b139f701678d3d87
SHA1 6ffe5b42ffbf4a783c9904938bc157cd462c8400
SHA256 b5e190e82761cdeb42ee2d6e2139cc3a969aaf532cf8d6993dab441e4aa2f621
SHA512 65d03a5b5a6223efb7fd997704454dc43c364553f965ed173cf2cce4342cb70e01565e9d8dd470612f6dfe03f0448fe0d119f7ee9f4b968ddc39fbf3da4e6e42

C:\Users\Admin\Documents\GuardFox\p2ALwcMAIBBRoJauOyM6tY_I.exe

MD5 6f0e5ad311936054a33eb7287c594521
SHA1 c973d47705660081bcbce5a99832c5f035168776
SHA256 54ee98582d3733d200040666a41685a51467de8ed0f6e06bd076fb94ee7ec1a9
SHA512 a00a696feee34b30eaa3dc88878d649ea824d82abf67fbcfd058a2942d52a0092f750e3a41abc303b8b04a33b05a34b528be4e9827a272a40067e66ba8fa367d

memory/952-431-0x00000000008C0000-0x0000000000DA3000-memory.dmp

C:\Users\Admin\Documents\GuardFox\ilGyp4NneBqw4pbxzA7S7WGw.exe

MD5 752f7918a746b52d7ad0ebbf398b3fe0
SHA1 20f9b3c105fe0fd0f76363e3ee14890844d6fc55
SHA256 6c501edf4e43ec6eb06b61b29970570ade5961a63232e4a49c25c5ffe814843b
SHA512 53d2fb1c731a349e40356a8e865fe376ac7ccb1f5f4f61a38f6121d3fca9e1226774cee072cba565c42b76ef1d538c6f9d560c2ae3eeb72a92b1bd654ee2b81e

C:\Users\Admin\Documents\GuardFox\0X5ArJglY2ONQo5sIbFdVoVP.exe

MD5 9dafb97588be0e104cb9c8b6be62f373
SHA1 65e97d3146059df75d46e25f08f873325f50d576
SHA256 874ce7bfed886ccf5aa0397172270de1e14a5adf3e5d2a0112e359f7aa2cdad8
SHA512 642230fdc66153b980a37050119561e4a3f2f8265d7cb353fd08243a65f0fa61ac9152425cdf2acaef3e36f921ba2f1a3f4b30cc17946df2a1fb38807da5fef5

C:\Users\Admin\Documents\GuardFox\_d_6oqBrYO9oDROynM5zoWeZ.exe

MD5 918e3c0afcbb04797beb3a0d0a0e9431
SHA1 2deabf3e815d57d7acf416858db8a210f4b21915
SHA256 6af930fca4b0fe132f348b0f8eae0b21ab3410f44bddd567064f12cd4e37977d
SHA512 653d09d95db5a885fcbe0b60c5b8efa1677f03059a362e2939e277edd6ffb06bbe816eab9759ed07728c1ac9cd74082c45f7664abc3abf5595bb7e0bcf58a6f7

C:\Users\Admin\Documents\GuardFox\ilGyp4NneBqw4pbxzA7S7WGw.exe

MD5 0f2ece55e7d9c911ace08e907815fbda
SHA1 c6d34826da6a21ee313e08172909fe6b57fca968
SHA256 604bb0e5165d9caf7e1c92936aea5f1b2f8180c828d0bf82154c9db14164d35b
SHA512 60c774db214226f7f6c13f6a2a05decc62b572b0ee71a6454a6094289bdabf65e3d2ef4dd2d53a0c05f56e4f2a1c4700617b2a191cad2f67b4a23f0a1fa8dbae

C:\Users\Admin\Documents\GuardFox\ilGyp4NneBqw4pbxzA7S7WGw.exe

MD5 a0874ada9e27a6bd6fff8909e495768b
SHA1 2ebc052c567dd9a5ed8d3eace9e615b98a4384da
SHA256 86a620d514db5f45019d1e0a7232680faee59687f54948d7ff12be857b4454a8
SHA512 0423537b90d1e37f1e3c5b0d65f401bf00fec3f5e1d993da21f196e1721cf60132d14e260dd8ef46242fec02199f0fc87f081308df2e93d05e91786663f04878

C:\Users\Admin\Documents\GuardFox\hQgtvqK8VmQ1LY7m1AXNSeZx.exe

MD5 78816926d26a0a3aec43cdc3c4956ab8
SHA1 809e335d6002b6f32b162a00a51fd2332e8f8a79
SHA256 accf49b74c6162e418771f5820d677a54d4e9a3ba46d2c39c1053193afb6c035
SHA512 b0a57ffbf8316fadbdfb8569fcea3e0992cc96463cfe1d59419c65677c2920835da18beef8427e7a31b0350266978de80a2b880a3cfb458ce8ac2fec23b2b22f

memory/1944-414-0x0000000000180000-0x0000000000181000-memory.dmp

C:\Users\Admin\Documents\GuardFox\zJ3jMj0GzYgdwDzzw9qRdQOd.exe

MD5 647aa5195d5e0b79d5ac67c9c9065c4b
SHA1 c3de06765555ee4758e77f8495b0eb6f89f86aa4
SHA256 646d7f95a05e617db68a99e2b55bf5fe457af405b48eade8138330703bb21e55
SHA512 78c91deaef517cc3c110e3363d2669e8c40fab6b69d88fea3471ee1985f6ba27198343ad421dc08228c719c5fb0a58197ddc29c2e13deb3168ab47d5400537cc

C:\Users\Admin\Documents\GuardFox\KZH0_ViJLjDh1uYJKXnz_kpG.exe

MD5 9a19d296dcae5af72bcdcd0287b52dea
SHA1 c50e8f2205b1b87403d52f3d94613b4c56ca5407
SHA256 4d7946c16ab2396f76dd730628dfb66469defcc19bd65502d2785c474832a97a
SHA512 6292f24f055da98bea37e9b0cf265c6086f2717b4e82b3d7eee383751ce691376323ffec2eb1e12009c7874fe0e8482675946fe44eb696d6181c364a9a221dbe

memory/1944-378-0x000000013FAE0000-0x0000000140524000-memory.dmp

C:\Users\Admin\Documents\GuardFox\cOJ7wsghBeakoo5SG56pGvIV.exe

MD5 77a6e18faf24c43482753c10d8991c1c
SHA1 1cdbf4930a913753dd521c99f96dac04ef9c31b5
SHA256 dcf970cb259e1c7c2687ffcdeac3e14b2d3c9879795b7666141566f8d7b7f41b
SHA512 9e6bcedee96bc3b4486c79fce28dccd5c3f10584e72074491b14b4ab698aa324dfedbf700faa4e08e959904ec53c70ff30f2e86e382632c54aec0e3ae08ea42b

C:\Users\Admin\Documents\GuardFox\0X5ArJglY2ONQo5sIbFdVoVP.exe

MD5 4a124a78187a3c675e8433a01fcdc3b4
SHA1 8af979dc93904333112e7c0f161b369e0dbdaf49
SHA256 03d7cbb6bde96fd93a30d6d600318fe2e8286a49911ed9322762fd518ad22545
SHA512 6ec28db4cfbaa9609e6370dd2a2a71c4e4b1341d77c1cd199302974b76083e75cec407724edf42c32c0b689290cf7c5c93812a4232a3e510a44fb15567c9493d

C:\Users\Admin\Documents\GuardFox\2vg8st5gxt7xVyaMTMyPHcEB.exe

MD5 abdd44ee49644dd47d86cf9ee321d2d1
SHA1 6414ddfab7d91d4be56e654219e56fb66cd1bf4f
SHA256 38cb8c23fa6a0aa7d2d8c3b58285b075adef643640838cb0e406f86a238eb607
SHA512 8f25c9285ecfbb3d54f0ce21161eabf34dae40ff82bdea80773c7702b9f9b25b5852c6e6b5ffc5e5ed71e1808f872f34894f39a783689d1feadee6c796f216ff

\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

MD5 5fbcdeb1d1286b952997ef9ece24c462
SHA1 af0aaab89a40b489cce80357068bbd384621acfc
SHA256 a14ddacdefd71556cad5f421556bbb7b9f5b820dcc39a73ec519b078486830a0
SHA512 562f9b1a68ef360f1aec22709646a00668c8f4310835d8b7598d27b8086040cb6b2b9fe700710956fa57146b4813d5c37bdae2e751b12e5260319ba27b02b79f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c4eb09fb1754972832db9cb92df89323
SHA1 458f4e4935523b1862645b3f24e30ac29635b50b
SHA256 266d92a0402c1ee853ddbe77980e9e1a1c42a07bc954a6adea0477a30d77c73c
SHA512 c3ba2557d5dff99c8688aa3457bd3254b5c69a783108d02f966f7c3cf480db3e6f397c0bb52119dfae6a75422e437ee24bc5e5f8dd9137cc7f7196dc758e9705

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

MD5 9040620f7f6be970e5ca4be4ac5c825a
SHA1 db164e269c2bdae18ae77edf7892e48175497a17
SHA256 48adcd872e40b48282beca827de2094580e45e1476ca862ec786fdc23e769f5f
SHA512 b5d6239ca752ca2aa97626cdd586d0b46fc5018f308fbf920da061788067e244719db59ca26b878ab2eb0a959087c3582a98a4450301d328baf26d66db7bdb12

\Users\Admin\Documents\GuardFox\hQgtvqK8VmQ1LY7m1AXNSeZx.exe

MD5 c00675b7122fc0fee4c9799bea17ff7b
SHA1 6ff612747d3206b3ddfb024a9dbf50d5ba60f5d6
SHA256 b7b67b2c68534909a8d9bd09e15aed3efc703f4c83e088f4e149754aef950f07
SHA512 8cc54227d3af50b2adf173c89116b83a0148ecc15807613fb377b064e15f3532490c527e9ab9adf24f38524606fb3d4d3ec5cddafb7770771f5f74132d78fa20

\Users\Admin\Documents\GuardFox\hQgtvqK8VmQ1LY7m1AXNSeZx.exe

MD5 f3ccbd82b763466ed17fbcaee6712afb
SHA1 1e2d31385324282b41147e32afead3c68edb7935
SHA256 81b9b50183ccb48b49f2ca6ca70346ddb9d720c00019d522aa81e49da3cda3d4
SHA512 b7f22d459d42488d08281db1ee0218ab2a23423f9abfdc4daa67837d2725eeeed0dfd57daecbbd20e736d3e5013adeef0db17c9f4ba8c429660c72eadc4c2a7a

\Users\Admin\Documents\GuardFox\hQgtvqK8VmQ1LY7m1AXNSeZx.exe

MD5 933aafb9fee54e28ab7caa3725856b6e
SHA1 d528d563606d9508cd5295aedc60e9b23af08f14
SHA256 df04c05c352c7730700004caada9a405c180432d28591b2400fd2da1ce5c2983
SHA512 76c3e280d8344eb4e4008a2eebfd9539e3be6d627f101b36b61ad0a9bc3f177b6facf4da7df0dbd1cb6aa0380fad8841c838a846e4dcbeb046a012558185819d

\Users\Admin\Documents\GuardFox\hQgtvqK8VmQ1LY7m1AXNSeZx.exe

MD5 461783c465969d627ce54cf34ce54a69
SHA1 9459cd9be9f1783c163035a066a5436744243bd0
SHA256 78c7eb7c4cb9a9ac4262a7c96044c6003f63203941a5cbdd46839ef0631d77da
SHA512 534058a078253a88ac3b8f2f86e27bc86bfd0ccd357557254f0c1571e755d0650712352fb6552c6a2f16c574611d19fd5218b9905ae0c953c961daf597749481

memory/1944-738-0x0000000077970000-0x0000000077B19000-memory.dmp

memory/1944-737-0x000007FEFDA20000-0x000007FEFDA8C000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\Documents\GuardFox\YKK0vMV080jyVNM0bgr2l5L5.exe

MD5 ed5dfe2f5985c130889ffeaabeeeaf02
SHA1 ce41a96cac1bc27f71ec57746ab242d0c0f66746
SHA256 73ef1a13af91b0b3e5c3b884d24579d08643f9ebd84cb0106f9735c851443113
SHA512 30b678f8fc9fe6debb79747ab1f88d69adf0bf9d1446c2b6ed56d52deb0a24ea93c1c9044f3556ed039af493ade4abc136f1b9c857a59a13c5d305b8737c82d8

memory/2560-750-0x0000000000400000-0x0000000000889000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 d67821adb9675cdb6aea3cc96c2ebb85
SHA1 d67f91d98358624148fe6afd69ce96a83df0154a
SHA256 05999c164df8711a100dadf843c1719a66af07e93162a6325351898c0dc83e2f
SHA512 3e311dbd6433eee427fc0531f344a8ce23fd2565ed20e90ca7a32dcaef05e2cd76a0e41490c6f3deb31bf40dff17b76bab17a09241fa158b8a76d68bb85a5364

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2c6295e4d566606499a7d3d8d47a9ec5
SHA1 92d841bd02c2f1c19431312bfa8d86e94c40c9e5
SHA256 4bed452eaf0f7d0382950d337494fa12eaa6a2479704dcce6acc29baee20d222
SHA512 6758ccf330c4b58b872c2f80a2eeb3ff746c8e0e499cf8c2e31450c032da253e7488272c0b4fd15450cc762a05b56f2771bbea7243588fa0359e30384cefc757

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

MD5 c02c30c4827505ed5994715115f5abab
SHA1 c510b6a19e50ca58ed4ff69b85e18108c7921ff8
SHA256 986d3e40371e4383936f6e6e93d619ab19340db24732dce4d8fc4201956dfca0
SHA512 2b38dfd787837ed9a698e0e305e3bcb4079b3a3adc98c43b6bd0444dd95202303e1f53793ee1caa3ead69dc07e8329d1a0a19feb285d85c560e621c351ca631d

memory/1944-736-0x000000013FAE0000-0x0000000140524000-memory.dmp

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

MD5 dc8c848493dc249db02cb9edc0c8e39e
SHA1 dc11e851fcbea4c13998f31295b1d36ded323af1
SHA256 3495de09b5aa093637dfe2e40e12a872c5f031193064bb291fcb0755f584ff1c
SHA512 d20403e9484043a64f87e358048c8598056a6d6359c73064a109196289207c18883a192d55639118a4e72f148e7a792fdf097d4dc2379a49aece39ebdb9fb44d

\Users\Admin\Documents\GuardFox\hQgtvqK8VmQ1LY7m1AXNSeZx.exe

MD5 4ff1d9fcfebf18efc26ac8460dbd16e8
SHA1 2b3f6147bdd4eaba08bd9a1272ca2cf2e631a323
SHA256 3935c9d8034916ba6ac712ac3569e20c893a24e7577f8cfee6f7bf25e7fcee4d
SHA512 2560f88b29d2f03f0096d6985ba00f452592387d0b7bbe728c581df07cbc8f938c75712ecf8871e386924505af72e5797d5a158c55a606f85b3cb7ef8fe952d6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 75c71fd794a9c8e9bdf61b4affad614f
SHA1 a3496e4f89c993e46e24f3b3fffd26644ee95744
SHA256 49dea7e1ed13b52808c7e480b95810e72af3d42578cdc246f2713dab31d571e0
SHA512 ed07477feb3763f6324afb2dc674f24d2aa905e39c84502611c423bcdd36573a6b9d7d52637d828e6508a6d6185e934a5e79104080b40e7b3a1a621ee219611e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 58fa57480ae8206394e935752a581182
SHA1 952691e8f332f3afccd8a82e4d6760d35563854c
SHA256 55028a662584a58d57b7608196efdeda9ba2ab484f6e5ccb5cd35a92a0d74aaf
SHA512 3ccc1db054d27796efc051b1da89c1500a72b3ad56fe8c523a1c292c67583f5c4e1016cc8db487ad6bd06033a79ccfb91350c8d6a06634c2b5903b873bfbb2f7

memory/2216-826-0x0000000074510000-0x0000000074BFE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4BDF.exe

MD5 c37d97b7a4fbd0bcce3080d9dfff254d
SHA1 999136d0a9c82fcd8a345c3bf710b34ce13f7947
SHA256 426e8fa653f12c897ca71cfd608913aae188e0c3dfa09694cee79341463a5335
SHA512 e88417125b36c057ccf352025fcc51ca2a7c76bc53713a224e95a12442672bfcd5108f9a9093289a36941eaaebe4f60cfc8599616b0416d1498d63db1ff1b89b

C:\Users\Admin\AppData\Local\Temp\4BDF.exe

MD5 8d9838200994599f67783d670d7d981f
SHA1 138550bbfbfa619bbe88016c64ab3842f5a6877c
SHA256 f0ba9a0191e61b1371835c464f9d9b3f4e7a8b3c1da1db3cf50683c9b1d2360a
SHA512 89d2167de1c029eeb08859df420bdf6163516f2b401f7d327a223e7f28d1a93c93da059a72bf6fe10aa1964af23a86364915b01d03b2ff00021bb7ad30bcff44

C:\Users\Admin\AppData\Local\Temp\4BDF.exe

MD5 78a136a01d7556ab30014ed0bad5c71b
SHA1 ef3de91cf1a59565a0a4b414112e31ceb9aa3d8b
SHA256 75826efc3ef7d7f8d9973755803e706088b12a55bbc4262d513dafc6a85388d0
SHA512 a1eec140a220ca000077aa81b94bd717c922293987d3ad91014624a49f00a0bd4e566754a0aceeb68587aefbb69fe8c22f4b739dda103ea9220957e6bb36ea31

\Users\Admin\AppData\Local\Temp\4BDF.exe

MD5 b8442811034a8a99ace222e561def11a
SHA1 43ce5fcf88fc840a3b8a10e25d704d84f3f08673
SHA256 57dccdd72d2c583893819aa9407dbf3af1eaabd94c45183071ecc57514ef7a68
SHA512 bba058add02830132f0f8b8c84504456554ef9ae6f43bf64ca875082731ee46225d24a27716cd086426559a36a15095bceffdd90d5e31f459ae966b3945d6733

memory/872-863-0x0000000005880000-0x0000000005A88000-memory.dmp

memory/872-869-0x0000000006BC0000-0x0000000006D52000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-IAPO0.tmp\731F.tmp

MD5 43534325bcaa2e866b9bfb404b1e77e9
SHA1 e3d88ed969308070d9d5995dc83cc7e8bf422f04
SHA256 dfde8a7e7da4aefaaa54b398efdeb2c496f14cc416a007ade3014f29135633e2
SHA512 14f429cb9a20857a7c1c886caa53620d08d1cbc9e4284e10332d4c7ca518f6d6bb12d9261b51e5918111bee37d54c4a699aec18b96e3c40ef0c7556ada5f422c

memory/1856-881-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\AppData\Local\Web Resource Viewer\lang\is-DJ327.tmp

MD5 54ffd881611a92540e4c85e2759278c9
SHA1 ef0c1ec4f6efe6abdf9a23f1adcd88c4ec5b4348
SHA256 d075cbfb1b43dadcdac8cf572c18689134e59319fbe425e82c7bb7c4e7d5948c
SHA512 d9f77cacb264d080e12e765cba3e1cc69a19c186526bbcb25d093e0a83b4b4b8beef37a4acf2e803a08eb76c77d4a97a21fea74475d6d9d16a63f2137ab6253b

C:\Users\Admin\AppData\Local\Web Resource Viewer\lang\is-Q6VVF.tmp

MD5 8f920115a9ac5904787bc4578f161a52
SHA1 941332d718cf5161881ca903b2fb125124cac68b
SHA256 f8b63fa29af4c7cff131bf14fbdaac8e6b6945444e0f13e57417fea4a3de1a6b
SHA512 b8521748d276de667e2013c697005adc45e405fee9a9970b80427cb47ba829e2f9e31fdae2bafc54cca5aeaa4c371f4d25e1ea34989eea19e732fd129abfa1c2

C:\Users\Admin\AppData\Local\Web Resource Viewer\lang\is-9AT55.tmp

MD5 613ccb3ab7bc5304da08120a11bb34f2
SHA1 9e1231dc2ddc6deb2a66d494c45f0dfcf04b1d97
SHA256 565efa1b0407d221b1e6bc44811f529f98fe4d9ffb6e756b56b9525acb87ce28
SHA512 d27efae6748105c343abcdc8777d2c5065bc342569af2fd3bee92544a01ad4caefe359adf69fa56bae1fbc87f86575b797c20d821a42869d0b34ab1004b0138a

memory/872-1011-0x0000000000400000-0x0000000000410000-memory.dmp

memory/1996-1013-0x0000000000AD0000-0x0000000000ADF000-memory.dmp

memory/1996-1014-0x0000000000230000-0x000000000024C000-memory.dmp

memory/1996-1015-0x0000000000400000-0x000000000062E000-memory.dmp

memory/2880-1021-0x00000000003A0000-0x0000000000988000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 4a36a1278bc41e7202724299afed08b4
SHA1 36446a59c7d237f198c8b8394a7b3abd971126a4
SHA256 1d94a01259d5f5bc8acfad4cb70fcb17f750722ab9d4d128142c9a7a4c7c0389
SHA512 13732eca432d21706d1e31129d2c91429d62a208c49edfe8f00b778a4090b84e90d25f034d093d21e3e437ead5956040e490a2a80d9863c587042d162509b3b9

memory/2880-1035-0x0000000074510000-0x0000000074BFE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\AC3B.exe

MD5 6119b15b8c6cc97435ec6f77f0ab8f3a
SHA1 a1813821b8091c9930ac5684c4e7558ff04dbfc1
SHA256 7efb2cf4637599f5a8688c276c199e96ea316ef2836ceb1336382fb1cc091ef2
SHA512 bb6ab136b7972f49c5c65ce98d3e95260e86c4812d9845191054a40e4f92ac4d856d24b249b84820898333370a78a133f08b861fab82542bf042d2428b58324a

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

memory/2228-1077-0x0000000000220000-0x000000000022B000-memory.dmp

memory/2228-1082-0x0000000000400000-0x000000000043C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nseADDE.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

memory/2228-1076-0x0000000000520000-0x000000000052E000-memory.dmp

memory/2268-1101-0x0000000000C10000-0x0000000001164000-memory.dmp

memory/2600-1110-0x0000000000010000-0x0000000000544000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\nstD00E.tmp

MD5 379fbc100c50379dae4dd1a7ea5782af
SHA1 a2079a19b40e117dbc115936fb37eeb0759a0074
SHA256 c8e870c9649b4dcd70e73cd9ecadce2f5f247b37f240a3eca9564048c56d2b36
SHA512 ded939694aee266fe260d185fb113ef581cda6d7a8e28bd8575a80c48028a5a226ce0f71b99bc20bef8da284dfae47acc5d43c8f2d50b826fdc1d1b91c196a7b

memory/2024-1130-0x0000000000280000-0x0000000000286000-memory.dmp

memory/3044-1129-0x0000000077B60000-0x0000000077C36000-memory.dmp

memory/3044-1123-0x0000000000400000-0x0000000000502000-memory.dmp

memory/2528-1131-0x0000000000130000-0x0000000000136000-memory.dmp
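The listing above is the sandbox's flat dump of dropped files and memory regions, and the same path shows up repeatedly with different digests: \Users\Admin\AppData\Local\Temp\7eDl.cpl carries five distinct SHA256 values once case is ignored, and hQgtvqK8VmQ1LY7m1AXNSeZx.exe carries six, some entries with the drive letter and some without. That means the path was written several times with different content during the run, which is the kind of thing a responder wants enumerated rather than eyeballed across hundreds of entries. The parser below is an added example, not code from the report or from the sandbox vendor; it turns the listing into records, folds path case and the missing drive letter (an assumption: the report is from a Windows guest, so paths are case-insensitive and the bare \Users paths live on C:), and reports every path that was rewritten with more than one SHA256. The embedded sample is a short excerpt copied from the listing above with the SHA1 and SHA512 lines dropped for brevity; the parser accepts any subset of the four digest lines.

```python
"""Parse a sandbox 'Files' listing (path line, blank, MD5/SHA1/SHA256/SHA512
lines, blank, or a memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp line)
and flag paths that were written more than once with different content."""
import re
from collections import defaultdict

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-f]+)$", re.I)
MEM_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def norm_path(p):
    # Windows paths are case-insensitive, and this report sometimes drops
    # the drive letter, so "\Users\..." and "C:\Users\..." are the same file.
    p = p.strip()
    if p.startswith("\\"):
        p = "C:" + p  # assumption: the guest's system drive is C:
    return p.lower()


def parse_listing(text):
    """Return (files, dumps): file records with whatever digests were
    present, and memory-dump records with integer pid/start/end."""
    files, dumps, cur = [], [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = MEM_RE.match(line)
        if m:
            dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                          "start": int(m["start"], 16),
                          "end": int(m["end"], 16)})
            cur = None  # a dump line ends the current file record
            continue
        m = HASH_RE.match(line)
        if m and cur is not None:
            algo, digest = m[1].upper(), m[2].lower()
            if len(digest) != HEX_LEN[algo]:  # catch truncated copy/paste
                raise ValueError(f"bad {algo} length for {cur['path']}")
            cur[algo] = digest
            continue
        # Anything else is a path line that opens a new file record.
        cur = {"path": line, "norm": norm_path(line)}
        files.append(cur)
    return files, dumps


def rewritten_paths(files):
    """Map normalised path -> sorted SHA256 list, for paths seen with more
    than one distinct SHA256 (i.e. overwritten during the run)."""
    by_path = defaultdict(set)
    for f in files:
        if "SHA256" in f:
            by_path[f["norm"]].add(f["SHA256"])
    return {p: sorted(h) for p, h in by_path.items() if len(h) > 1}


def regions_by_pid(dumps):
    """Map pid -> [(start, size), ...] in listing order."""
    out = defaultdict(list)
    for d in dumps:
        out[d["pid"]].append((d["start"], d["end"] - d["start"]))
    return dict(out)


# Excerpt copied from the report's listing (SHA1/SHA512 lines omitted).
SAMPLE = r"""
C:\Users\Admin\Documents\GuardFox\K9064dCxqH0SR5hUFk6wIdGs.exe

MD5 575612e2a6d358ee6833231312abcab2
SHA256 4c16492d1df7c1d8bc6d7634473857014cf8b16bf58b2ac39a46f8084f6f6cb6

memory/2744-434-0x00000000008E0000-0x0000000000972000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7eDL.CPL

MD5 85d7ca9383a1b5187bba14f80703e8e4
SHA256 dfa5b97e17d9a9f9173e0f59f84d88511505430ed8d1f2e4adf73ad25239daf0

\Users\Admin\AppData\Local\Temp\7eDl.cpl

MD5 f5a98ff46e05011aee19f1032c0ca3bb
SHA256 a9374e19434373738556eaf32ec64045b85a57337e347d7c8444cb16d4635aba

memory/2744-452-0x0000000000B30000-0x0000000000C4B000-memory.dmp
"""

if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE)
    for path, hashes in rewritten_paths(files).items():
        print(f"{path}: {len(hashes)} distinct SHA256")
    for pid, regions in regions_by_pid(dumps).items():
        print(pid, [(hex(s), hex(n)) for s, n in regions])
```

Feed the whole Files section of the report to parse_listing instead of SAMPLE to get the full picture; the rewritten-path set is also the right place to start when deciding which of the many per-path hashes to push to blocklists, since a path with several digests means several distinct payloads, not one.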

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-23 16:27

Reported

2024-01-23 16:29

Platform

win10v2004-20231215-en

Max time kernel

17s

Max time network

160s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Detected Djvu ransomware

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Stops running service(s)

evasion

.NET Reactor protector

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.myip.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A
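The rows above show the sample creating C:\Windows\System32\GroupPolicy\Machine\Registry.pol and touching gpt.ini, which is how a process with admin rights can set machine-wide local policy without going through the Group Policy editor; the policy takes effect at the next policy refresh, which is why gpt.ini (whose version counter triggers the refresh) is modified alongside it. The report does not record what was written, so the follow-up a responder wants is to pull Registry.pol from the sandbox and read it. The parser below is an added example, not code from the report or from the sandbox tooling; it implements the documented PReg file layout (ASCII signature "PReg", 32-bit version 1, then UTF-16LE records of the form [key;value;type;size;data]). The policy entries it decodes here are constructed for illustration and are not recovered from this sample; the Windows Defender keys used are real policy locations, but the assumption that this dropper touched them is mine.

```python
"""Parse a Group Policy Registry.pol (PReg) file so the policy values a
dropper wrote under C:\\Windows\\System32\\GroupPolicy can be read."""
import struct

PREG_SIGNATURE = b"PReg"
PREG_VERSION = 1
REG_SZ, REG_DWORD = 1, 4


def _read_wstr(buf, pos):
    """Read a NUL-terminated UTF-16LE string starting at pos."""
    end = pos
    while True:
        if end + 2 > len(buf):
            raise ValueError("unterminated UTF-16 string")
        if buf[end:end + 2] == b"\x00\x00":
            return buf[pos:end].decode("utf-16-le"), end + 2
        end += 2


def _expect(buf, pos, ch):
    """Consume one UTF-16LE delimiter character ('[', ';' or ']')."""
    if buf[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError(f"expected {ch!r} at offset {pos}")
    return pos + 2


def decode_value(vtype, data):
    if vtype == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if vtype == REG_SZ:
        return data.decode("utf-16-le").rstrip("\x00")
    return data  # other types are returned raw


def parse_registry_pol(buf):
    """Return a list of (key, value_name, type, decoded_value) tuples."""
    if buf[:4] != PREG_SIGNATURE:
        raise ValueError("not a Registry.pol file")
    version = struct.unpack_from("<I", buf, 4)[0]
    if version != PREG_VERSION:
        raise ValueError(f"unsupported PReg version {version}")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, "[")
        key, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        name, pos = _read_wstr(buf, pos)
        pos = _expect(buf, pos, ";")
        vtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, ";")
        if pos + size > len(buf):
            raise ValueError("record data runs past end of file")
        data, pos = buf[pos:pos + size], pos + size
        pos = _expect(buf, pos, "]")
        entries.append((key, name, vtype, decode_value(vtype, data)))
    return entries


def build_registry_pol(entries):
    """Inverse of parse_registry_pol; used here only to build the sample."""
    out = bytearray(PREG_SIGNATURE + struct.pack("<I", PREG_VERSION))
    for key, name, vtype, value in entries:
        if vtype == REG_DWORD:
            data = struct.pack("<I", value)
        elif vtype == REG_SZ:
            data = (value + "\x00").encode("utf-16-le")
        else:
            data = value
        out += "[".encode("utf-16-le")
        out += (key + "\x00").encode("utf-16-le") + ";".encode("utf-16-le")
        out += (name + "\x00").encode("utf-16-le") + ";".encode("utf-16-le")
        out += struct.pack("<I", vtype) + ";".encode("utf-16-le")
        out += struct.pack("<I", len(data)) + ";".encode("utf-16-le")
        out += data + "]".encode("utf-16-le")
    return bytes(out)


def defender_policy_entries(entries):
    """Entries under the Windows Defender policy tree, the first thing to
    look for when a dropper writes Registry.pol (assumption: that is what
    you are hunting; adjust the prefix for other policy areas)."""
    prefix = r"software\policies\microsoft\windows defender"
    return [e for e in entries if e[0].lower().startswith(prefix)]


# Constructed sample policy; not the contents of this sample's Registry.pol.
SAMPLE_ENTRIES = [
    (r"Software\Policies\Microsoft\Windows Defender",
     "DisableAntiSpyware", REG_DWORD, 1),
    (r"Software\Policies\Microsoft\Windows Defender\Real-Time Protection",
     "DisableRealtimeMonitoring", REG_DWORD, 1),
    (r"Software\Policies\Constructed", "Marker", REG_SZ, "sample"),
]
SAMPLE_POL = build_registry_pol(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for key, name, vtype, value in parse_registry_pol(SAMPLE_POL):
        print(f"{key}\\{name} (type {vtype}) = {value!r}")
```

Run it against the real file with parse_registry_pol(open(path, "rb").read()); because PReg has no checksum or length field, a truncated or hand-patched file fails at the first malformed delimiter, which is itself worth noting in a report.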

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A

Enumerates physical storage devices

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Documents\GuardFox\GEMP3wBL4EHtx1DKvSUjrltk.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000115001\toolspub1.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Documents\GuardFox\Fhiu40oo3t1NFSHs6Nih2CPH.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\Documents\GuardFox\ztf35Sy2IebzEPWHO3U10kcF.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\nsm5580.tmp
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\1AC6.exe

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Users\Admin\Documents\GuardFox\HUVHjonu_Hje6G6JU7VaoIjt.exe

"C:\Users\Admin\Documents\GuardFox\HUVHjonu_Hje6G6JU7VaoIjt.exe"

C:\Users\Admin\Documents\GuardFox\Fhiu40oo3t1NFSHs6Nih2CPH.exe

"C:\Users\Admin\Documents\GuardFox\Fhiu40oo3t1NFSHs6Nih2CPH.exe"

C:\Users\Admin\Documents\GuardFox\V30CDH8Dluq42uED6_5d_908.exe

"C:\Users\Admin\Documents\GuardFox\V30CDH8Dluq42uED6_5d_908.exe"

C:\Users\Admin\Documents\GuardFox\JTb0PxmZFALhKcqoAtyuiktg.exe

"C:\Users\Admin\Documents\GuardFox\JTb0PxmZFALhKcqoAtyuiktg.exe"

C:\Users\Admin\Documents\GuardFox\EwpduaZj10LbAfghmKbC0XEl.exe

"C:\Users\Admin\Documents\GuardFox\EwpduaZj10LbAfghmKbC0XEl.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4468 -ip 4468

C:\Users\Admin\Documents\GuardFox\sbuycKPFZHgRBaJKN1N1aCEz.exe

"C:\Users\Admin\Documents\GuardFox\sbuycKPFZHgRBaJKN1N1aCEz.exe"

C:\Users\Admin\Documents\GuardFox\TBM9dwaxRE1IJerNiSbnNqaC.exe

"C:\Users\Admin\Documents\GuardFox\TBM9dwaxRE1IJerNiSbnNqaC.exe"

C:\Users\Admin\Documents\GuardFox\Iz2F_E2SsHuStXA_nVq69RNt.exe

"C:\Users\Admin\Documents\GuardFox\Iz2F_E2SsHuStXA_nVq69RNt.exe"

C:\Users\Admin\Documents\GuardFox\V4pYAb0MjziI6mmnQmBlqBlp.exe

"C:\Users\Admin\Documents\GuardFox\V4pYAb0MjziI6mmnQmBlqBlp.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 340

C:\Windows\SysWOW64\control.exe

"C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\7eDL.CPL",

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

"C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe" -i

C:\Users\Admin\Documents\GuardFox\qKYZynyy_NBhtwhTUfWTQeXE.exe

"C:\Users\Admin\Documents\GuardFox\qKYZynyy_NBhtwhTUfWTQeXE.exe"

C:\Users\Admin\Documents\GuardFox\ztf35Sy2IebzEPWHO3U10kcF.exe

"C:\Users\Admin\Documents\GuardFox\ztf35Sy2IebzEPWHO3U10kcF.exe"

C:\Users\Admin\Documents\GuardFox\zZoOSmhBGpbqhOnj9hrXXQ2h.exe

"C:\Users\Admin\Documents\GuardFox\zZoOSmhBGpbqhOnj9hrXXQ2h.exe"

C:\Users\Admin\Documents\GuardFox\ztf35Sy2IebzEPWHO3U10kcF.exe

"C:\Users\Admin\Documents\GuardFox\ztf35Sy2IebzEPWHO3U10kcF.exe"

C:\Users\Admin\AppData\Local\Temp\is-Q4J0B.tmp\HUVHjonu_Hje6G6JU7VaoIjt.tmp

"C:\Users\Admin\AppData\Local\Temp\is-Q4J0B.tmp\HUVHjonu_Hje6G6JU7VaoIjt.tmp" /SL5="$60208,3515248,54272,C:\Users\Admin\Documents\GuardFox\HUVHjonu_Hje6G6JU7VaoIjt.exe"

C:\Users\Admin\Documents\GuardFox\GEMP3wBL4EHtx1DKvSUjrltk.exe

"C:\Users\Admin\Documents\GuardFox\GEMP3wBL4EHtx1DKvSUjrltk.exe"

C:\Users\Admin\Documents\GuardFox\DlobcuKPjhqxD04VLJeAxs1Y.exe

"C:\Users\Admin\Documents\GuardFox\DlobcuKPjhqxD04VLJeAxs1Y.exe"

C:\Users\Admin\Documents\GuardFox\7LsW1tgu4RRNjIZfO6UkF0OD.exe

"C:\Users\Admin\Documents\GuardFox\7LsW1tgu4RRNjIZfO6UkF0OD.exe"

C:\Users\Admin\Documents\GuardFox\Kziy09yGH2ihEicFLDPHF7al.exe

"C:\Users\Admin\Documents\GuardFox\Kziy09yGH2ihEicFLDPHF7al.exe"

C:\Users\Admin\Documents\GuardFox\Ib3nHb7tep7rCpzrk68gEeCy.exe

"C:\Users\Admin\Documents\GuardFox\Ib3nHb7tep7rCpzrk68gEeCy.exe"

C:\Users\Admin\Documents\GuardFox\pNDGpTJMyJXYIj9W4rvJQwL8.exe

"C:\Users\Admin\Documents\GuardFox\pNDGpTJMyJXYIj9W4rvJQwL8.exe"

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

"C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe" -s

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7eDL.CPL",

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\544cfb45-d499-4a8f-8c9c-7cb7a2319129" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\dialer.exe

"C:\Windows\system32\dialer.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4800 -ip 4800

C:\Users\Admin\Documents\GuardFox\JW2xld96xf8kgJdQEwqnGgrz.exe

"C:\Users\Admin\Documents\GuardFox\JW2xld96xf8kgJdQEwqnGgrz.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4800 -s 548

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN JW2xld96xf8kgJdQEwqnGgrz.exe /TR "C:\Users\Admin\Documents\GuardFox\JW2xld96xf8kgJdQEwqnGgrz.exe" /F

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Users\Admin\Documents\GuardFox\qemu-ga.exe

"C:\Users\Admin\Documents\GuardFox\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe

"C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 372

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 228 -ip 228

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc82539758,0x7ffc82539768,0x7ffc82539778

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 388

C:\Users\Admin\AppData\Local\Temp\1000114001\InstallSetup8.exe

"C:\Users\Admin\AppData\Local\Temp\1000114001\InstallSetup8.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 228 -ip 228

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 392

C:\Users\Admin\AppData\Local\Temp\1000115001\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\1000115001\toolspub1.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 5720 -ip 5720

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5720 -s 352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 228 -ip 228

C:\Users\Admin\AppData\Local\Temp\nsm5580.tmp

C:\Users\Admin\AppData\Local\Temp\nsm5580.tmp

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 680

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 228 -ip 228

C:\Users\Admin\AppData\Local\Temp\1000117001\rty27.exe

"C:\Users\Admin\AppData\Local\Temp\1000117001\rty27.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 720

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2112 --field-trial-handle=1888,i,3709614183489646200,12497876995794323442,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1888,i,3709614183489646200,12497876995794323442,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=1888,i,3709614183489646200,12497876995794323442,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3104 --field-trial-handle=1888,i,3709614183489646200,12497876995794323442,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3096 --field-trial-handle=1888,i,3709614183489646200,12497876995794323442,131072 /prefetch:1

C:\Windows\system32\RunDll32.exe

C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7eDL.CPL",

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 228 -ip 228

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Documents\GuardFox\Fhiu40oo3t1NFSHs6Nih2CPH.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 1812 -ip 1812

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\7eDL.CPL",

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1812 -s 2124

C:\Users\Admin\AppData\Local\Temp\1000119001\FirstZ.exe

"C:\Users\Admin\AppData\Local\Temp\1000119001\FirstZ.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 720

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 228 -ip 228

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 748

C:\Users\Admin\Documents\GuardFox\ztf35Sy2IebzEPWHO3U10kcF.exe

"C:\Users\Admin\Documents\GuardFox\ztf35Sy2IebzEPWHO3U10kcF.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\Documents\GuardFox\ztf35Sy2IebzEPWHO3U10kcF.exe

"C:\Users\Admin\Documents\GuardFox\ztf35Sy2IebzEPWHO3U10kcF.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 5236 -ip 5236

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4100 --field-trial-handle=1888,i,3709614183489646200,12497876995794323442,131072 /prefetch:2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5236 -s 568

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 588 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 916

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 932

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 896

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 820

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 384 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 644

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 776

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 624

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 744

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsm5580.tmp" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 6124 -ip 6124

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6124 -s 2364

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe

"C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 5340 -ip 5340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 336

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 5340 -ip 5340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 352

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 5340 -ip 5340

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5340 -ip 5340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 5340 -ip 5340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 616 -p 5340 -ip 5340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 700

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 5340 -ip 5340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 5340 -ip 5340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 5340 -ip 5340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5340 -s 752

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Users\Admin\AppData\Local\Temp\EEDF.exe

C:\Users\Admin\AppData\Local\Temp\EEDF.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Users\Admin\AppData\Local\Temp\EEDF.exe

C:\Users\Admin\AppData\Local\Temp\EEDF.exe

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "WSNKISKT"

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "WSNKISKT"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\ProgramData\wikombernizc\reakuqnanrkn.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\F420.exe

C:\Users\Admin\AppData\Local\Temp\F420.exe

C:\Users\Admin\Documents\GuardFox\JW2xld96xf8kgJdQEwqnGgrz.exe

C:\Users\Admin\Documents\GuardFox\JW2xld96xf8kgJdQEwqnGgrz.exe

C:\Users\Admin\AppData\Local\Temp\F970.exe

C:\Users\Admin\AppData\Local\Temp\F970.exe

C:\Users\Admin\AppData\Local\Temp\is-FKK43.tmp\F970.tmp

"C:\Users\Admin\AppData\Local\Temp\is-FKK43.tmp\F970.tmp" /SL5="$20300,3501695,54272,C:\Users\Admin\AppData\Local\Temp\F970.exe"

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop UsoSvc

C:\Windows\system32\wusa.exe

wusa /uninstall /kb:890830 /quiet /norestart

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop WaaSMedicSvc

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop wuauserv

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop bits

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop dosvc

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0

C:\Windows\system32\powercfg.exe

C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\902.exe

C:\Users\Admin\AppData\Local\Temp\902.exe

C:\Windows\SysWOW64\cmd.exe

cmd /k cmd < Dot & exit

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\SysWOW64\cmd.exe

cmd

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\1AC6.exe

C:\Users\Admin\AppData\Local\Temp\1AC6.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 5240 -ip 5240

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5240 -s 348

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\243D.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\243D.dll

C:\Users\Admin\AppData\Local\Temp\27F7.exe

C:\Users\Admin\AppData\Local\Temp\27F7.exe

C:\Users\Admin\AppData\Local\Temp\48BE.exe

C:\Users\Admin\AppData\Local\Temp\48BE.exe
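
The process list above is the sandbox's raw output; what a responder wants from it is which command lines carry the persistence and defense-evasion behaviour the signature tables summarise. The Python below is an added example (not part of the sandbox report, and not code from any of the malware families it names) that runs a small rule set over command lines copied verbatim from this section. The rule labels and regular expressions are this example's own choices, not sandbox signature names, and each rule keys on an argument pattern that actually appears on this page: the `schtasks /create ... /rl HIGHEST` tasks, the `Add-MpPreference` exclusion covering the whole user profile and ProgramData plus every `.exe`, the `sc stop` of the update services and of the event log, the `wusa /uninstall /kb:890830` removal of the Malicious Software Removal Tool, the `icacls /deny *S-1-1-0` (Everyone) on the GUID-named folder under AppData\Local, the firewall allow rule for `C:\Windows\rss\csrss.exe`, the `.CPL` launched through `rundll32` (the report shows it invoked both as `Control_RunDLL` and as ordinal `#44`), and the `timeout ... & del` self-delete.

```python
"""Added example: tag sandbox command lines with the behaviours they carry.
Rule labels and regexes are this example's own, not sandbox signature names."""
from __future__ import annotations
import re

# Constructed input: command lines copied verbatim from the Processes section above.
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win64.Evo-gen.16085.exe"',
    r'schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST',
    r'"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN JW2xld96xf8kgJdQEwqnGgrz.exe /TR "C:\Users\Admin\Documents\GuardFox\JW2xld96xf8kgJdQEwqnGgrz.exe" /F',
    r'icacls "C:\Users\Admin\AppData\Local\544cfb45-d499-4a8f-8c9c-7cb7a2319129" /deny *S-1-1-0:(OI)(CI)(DE,DC)',
    r"C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    r"C:\Windows\system32\sc.exe stop WaaSMedicSvc",
    r"wusa /uninstall /kb:890830 /quiet /norestart",
    r'C:\Windows\system32\sc.exe create "WSNKISKT" binpath= "C:\ProgramData\wikombernizc\reakuqnanrkn.exe" start= "auto"',
    r'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes',
    r'"C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\7eDL.CPL",',
    r"regsvr32 /s C:\Users\Admin\AppData\Local\Temp\243D.dll",
    r'"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Documents\GuardFox\Fhiu40oo3t1NFSHs6Nih2CPH.exe" & del "C:\ProgramData\*.dll"" & exit',
    r"C:\Windows\system32\sc.exe stop eventlog",
    r"C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0",
]

# (label, pattern). Labels are this example's naming, loosely ATT&CK-flavoured.
RULES = [
    ("persistence/scheduled-task",
     re.compile(r"\bschtasks(\.exe)?\b.*?/create\b", re.I)),
    ("persistence/service-create",
     re.compile(r"\bsc(\.exe)?\s+create\s+", re.I)),
    ("defense-evasion/defender-exclusion",
     re.compile(r"\bAdd-MpPreference\b.*-Exclusion(Path|Extension|Process)", re.I)),
    ("defense-evasion/firewall-allow",
     re.compile(r"\bnetsh\b.*\badvfirewall\b.*\badd rule\b.*\baction=allow\b", re.I)),
    ("defense-evasion/acl-deny-everyone",          # S-1-1-0 is the Everyone SID
     re.compile(r"\bicacls\b.*\s/deny\s+\*?S-1-1-0", re.I)),
    ("defense-evasion/stop-eventlog",
     re.compile(r"\bsc(\.exe)?\s+stop\s+eventlog\b", re.I)),
    ("impair-updates/stop-service",                 # Windows Update / delivery services
     re.compile(r"\bsc(\.exe)?\s+stop\s+(UsoSvc|WaaSMedicSvc|wuauserv|bits|dosvc)\b", re.I)),
    ("impair-updates/remove-msrt",                  # KB890830 = Malicious Software Removal Tool
     re.compile(r"\bwusa\b.*?/uninstall\b.*?/kb:890830\b", re.I)),
    ("impair-power-saving",                         # keeps the host awake for a miner/C2 loop
     re.compile(r"\bpowercfg(\.exe)?\b.*-(standby|hibernate)-timeout-(ac|dc)\s+0\b", re.I)),
    ("execution/cpl-via-rundll32",                  # by export name or by ordinal, as on this page
     re.compile(r"\brundll32(\.exe)?\b.*(Control_RunDLL|shell32\.dll\",#44).*\.cpl\b", re.I)),
    ("execution/regsvr32-silent",
     re.compile(r"\bregsvr32(\.exe)?\s+/s\s", re.I)),
    ("anti-forensics/self-delete",
     re.compile(r"\btimeout\s+/t\s+\d+\s*&\s*del\b", re.I)),
]


def classify(cmdline: str) -> list[str]:
    """Labels of every rule that matches; order follows RULES."""
    return [label for label, pattern in RULES if pattern.search(cmdline)]


def triage(cmdlines: list[str]) -> dict[str, list[str]]:
    """Command line -> labels, keeping only lines that matched at least one rule."""
    hits: dict[str, list[str]] = {}
    for cmdline in cmdlines:
        labels = classify(cmdline)
        if labels:
            hits[cmdline] = labels
    return hits


if __name__ == "__main__":
    for cmdline, labels in triage(SAMPLE_CMDLINES).items():
        print(", ".join(labels), "<-", cmdline[:90])
```

Every sample line except the bare launch of the original dropper matches exactly one rule. The same patterns transfer directly to process-creation telemetry (Sysmon Event ID 1, or Security 4688 with command-line auditing enabled); `sc stop eventlog` and a Defender exclusion spanning `$env:UserProfile` and `$env:ProgramData` are each worth an alert on their own. On a suspected host, `Get-MpPreference` shows whether those `ExclusionPath`/`ExclusionExtension` entries actually took effect.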

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 182.178.17.96.in-addr.arpa udp
DE 77.105.147.130:80 77.105.147.130 tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.8.59:443 api.myip.com tcp
US 8.8.8.8:53 130.147.105.77.in-addr.arpa udp
US 8.8.8.8:53 59.8.26.104.in-addr.arpa udp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 vk.com udp
US 8.8.8.8:53 medfioytrkdkcodlskeej.net udp
US 8.8.8.8:53 294self-limited.sbs udp
FI 109.107.182.40:80 109.107.182.40 tcp
AT 5.42.64.33:80 5.42.64.33 tcp
US 8.8.8.8:53 ji.alie3ksggg.com udp
NL 77.246.104.70:80 77.246.104.70 tcp
US 8.8.8.8:53 cczhk.com udp
US 8.8.8.8:53 joxy.ayazprak.com udp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
US 104.21.10.36:80 294self-limited.sbs tcp
US 104.21.80.24:80 joxy.ayazprak.com tcp
HK 154.92.15.189:80 ji.alie3ksggg.com tcp
BG 95.158.162.200:80 cczhk.com tcp
US 104.21.10.36:80 294self-limited.sbs tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
RU 91.215.85.209:443 medfioytrkdkcodlskeej.net tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
BG 95.158.162.200:80 cczhk.com tcp
RU 87.240.137.164:80 vk.com tcp
US 104.21.10.36:80 294self-limited.sbs tcp
US 104.21.10.36:443 294self-limited.sbs tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
US 8.8.8.8:53 189.15.92.154.in-addr.arpa udp
US 8.8.8.8:53 200.162.158.95.in-addr.arpa udp
US 8.8.8.8:53 209.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 164.137.240.87.in-addr.arpa udp
US 8.8.8.8:53 40.182.107.109.in-addr.arpa udp
US 8.8.8.8:53 24.80.21.104.in-addr.arpa udp
US 8.8.8.8:53 36.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 33.64.42.5.in-addr.arpa udp
US 8.8.8.8:53 70.104.246.77.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 4.181.190.20.in-addr.arpa udp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
US 8.8.8.8:53 sun6-21.userapi.com udp
NL 95.142.206.1:443 sun6-21.userapi.com tcp
RU 87.240.137.164:443 vk.com tcp
US 8.8.8.8:53 sun6-23.userapi.com udp
NL 95.142.206.3:443 sun6-23.userapi.com tcp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
US 8.8.8.8:53 1.206.142.95.in-addr.arpa udp
US 8.8.8.8:53 3.206.142.95.in-addr.arpa udp
NL 95.142.206.3:443 sun6-23.userapi.com tcp
RU 87.240.137.164:443 vk.com tcp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
NL 95.142.206.2:443 N/A tcp
RU 87.240.137.164:443 vk.com tcp
US 8.8.8.8:53 sun6-20.userapi.com udp
NL 95.142.206.0:443 sun6-20.userapi.com tcp
US 20.72.205.209:443 N/A tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 i.alie3ksgaa.com udp
HK 154.92.15.189:443 i.alie3ksgaa.com tcp
DE 77.105.147.130:80 77.105.147.130 tcp
DE 185.172.128.24:80 185.172.128.24 tcp
US 8.8.8.8:53 24.128.172.185.in-addr.arpa udp
US 172.67.147.32:443 N/A tcp
US 8.8.8.8:53 iplogger.org udp
US 172.67.132.113:443 iplogger.org tcp
US 8.8.8.8:53 32.147.67.172.in-addr.arpa udp
US 8.8.8.8:53 113.132.67.172.in-addr.arpa udp
RU 87.240.137.164:443 vk.com tcp
US 8.8.8.8:53 api.2ip.ua udp
US 104.21.65.24:443 api.2ip.ua tcp
US 8.8.8.8:53 201.179.17.96.in-addr.arpa udp
FR 194.33.191.60:44675 N/A tcp
US 8.8.8.8:53 24.65.21.104.in-addr.arpa udp
RU 193.233.132.67:50505 N/A tcp
US 8.8.8.8:53 60.191.33.194.in-addr.arpa udp
NL 45.15.156.229:80 45.15.156.229 tcp
US 8.8.8.8:53 api.myip.com udp
US 172.67.75.163:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 67.132.233.193.in-addr.arpa udp
US 8.8.8.8:53 229.156.15.45.in-addr.arpa udp
US 8.8.8.8:53 163.75.67.172.in-addr.arpa udp
NL 45.15.156.60:12050 N/A tcp
NL 91.92.245.15:80 N/A tcp
US 8.8.8.8:53 60.156.15.45.in-addr.arpa udp
US 8.8.8.8:53 67.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 combinethemepiggerygoj.site udp
US 104.21.38.174:443 combinethemepiggerygoj.site tcp
DE 185.172.128.19:80 185.172.128.19 tcp
RU 87.240.137.164:80 vk.com tcp
US 8.8.8.8:53 174.38.21.104.in-addr.arpa udp
RU 87.240.137.164:80 vk.com tcp
RU 87.240.137.164:443 vk.com tcp
HK 154.92.15.189:80 i.alie3ksgaa.com tcp
US 8.8.8.8:53 qualifiedbehaviorrykej.site udp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 172.67.175.187:443 qualifiedbehaviorrykej.site tcp
US 8.8.8.8:53 weedpairfolkloredheryw.site udp
US 188.114.97.2:443 weedpairfolkloredheryw.site tcp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
DE 185.172.128.19:80 185.172.128.19 tcp
NL 195.20.16.45:80 195.20.16.45 tcp
US 172.67.75.163:443 api.myip.com tcp
US 8.8.8.8:53 api.ip.sb udp
US 188.114.96.2:443 weedpairfolkloredheryw.site tcp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 45.16.20.195.in-addr.arpa udp
US 8.8.8.8:53 2.96.114.188.in-addr.arpa udp
US 8.8.8.8:53 31.13.26.104.in-addr.arpa udp
US 8.8.8.8:53 blackvlastelin.com udp
US 188.114.97.2:443 blackvlastelin.com tcp
NL 195.20.16.45:80 195.20.16.45 tcp
DE 185.172.128.109:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 galandskiyher5.com udp
RU 158.160.118.17:80 galandskiyher5.com tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 150.63.21.104.in-addr.arpa udp
US 8.8.8.8:53 ji.alie3ksgff.com udp
US 104.21.63.150:443 tcp
US 172.67.132.113:443 iplogger.org tcp
HK 154.92.15.189:80 ji.alie3ksgff.com tcp
AT 5.42.64.33:80 5.42.64.33 tcp
RU 5.42.65.31:48396 tcp
US 8.8.8.8:53 31.65.42.5.in-addr.arpa udp
HK 154.92.15.189:443 ji.alie3ksgff.com tcp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 234.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 43.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 app.alie3ksgaa.com udp
HK 154.92.15.189:80 app.alie3ksgaa.com tcp
DE 185.172.128.79:80 185.172.128.79 tcp
US 8.8.8.8:53 79.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 expenditureddisumilarwo.site udp
US 172.67.133.222:443 expenditureddisumilarwo.site tcp
US 8.8.8.8:53 222.133.67.172.in-addr.arpa udp
RU 87.240.137.164:80 tcp
RU 87.240.137.164:80 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
DE 185.172.128.90:80 tcp
RU 87.240.137.164:443 tcp
RU 87.240.137.164:443 tcp
US 8.8.8.8:53 udp
RU 87.240.137.164:443 tcp
RU 87.240.137.164:443 tcp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 udp
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 120.85.215.91.in-addr.arpa udp
US 8.8.8.8:53 tiny.ayazprak.com udp
US 172.67.173.86:80 tiny.ayazprak.com tcp
FR 163.172.29.34:443 tcp
US 8.8.8.8:53 86.173.67.172.in-addr.arpa udp
US 50.7.8.141:443 tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 141.8.7.50.in-addr.arpa udp
DE 136.243.92.194:9001 tcp
DE 45.136.30.7:443 tcp
US 8.8.8.8:53 194.92.243.136.in-addr.arpa udp
US 8.8.8.8:53 7.30.136.45.in-addr.arpa udp
US 8.8.8.8:53 zeph-eu2.nanopool.org udp
FR 163.172.171.111:10943 zeph-eu2.nanopool.org tcp
US 8.8.8.8:53 trmpc.com udp
US 8.8.8.8:53 pastebin.com udp
US 104.20.68.143:443 pastebin.com tcp
NL 51.15.89.13:10943 zeph-eu2.nanopool.org tcp
US 8.8.8.8:53 udp
AR 190.224.203.37:80 trmpc.com tcp
US 8.8.8.8:53 13.89.15.51.in-addr.arpa udp
US 8.8.8.8:53 37.203.224.190.in-addr.arpa udp
US 8.8.8.8:53 paperambiguonusphoterew.site udp
US 172.67.177.31:443 paperambiguonusphoterew.site tcp
US 8.8.8.8:53 31.177.67.172.in-addr.arpa udp
DE 45.136.30.7:443 tcp
DE 136.243.92.194:9001 tcp
FI 95.216.22.22:8443 tcp
US 8.8.8.8:53 22.22.216.95.in-addr.arpa udp
US 8.8.8.8:53 staff.sportzentrum.net udp
US 8.8.8.8:53 staff.sportzentrum.net udp
US 8.8.8.8:53 gta5grand.com udp
US 8.8.8.8:53 gta5grand.com udp
US 8.8.8.8:53 karriere.volkswagen.de udp
US 72.52.179.174:22 staff.sportzentrum.net tcp
US 8.8.8.8:53 karriere.volkswagen.de udp
US 8.8.8.8:53 accounts.google.com udp
US 72.52.179.174:21 staff.sportzentrum.net tcp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 dgtic.minedu.gob.bo udp
US 72.52.179.174:443 staff.sportzentrum.net tcp
DE 143.164.100.109:22 karriere.volkswagen.de tcp
US 104.26.3.213:22 gta5grand.com tcp
US 104.26.3.213:21 gta5grand.com tcp
US 8.8.8.8:53 mail.hope-mail.com udp
US 8.8.8.8:53 dgtic.minedu.gob.bo udp
US 8.8.8.8:53 sicoes.gob.bo udp
US 104.26.3.213:443 gta5grand.com tcp
DE 143.164.100.109:21 karriere.volkswagen.de tcp
US 8.8.8.8:53 aspmx.l.google.com udp
US 8.8.8.8:53 aulavirtual.unefco.edu.bo udp
US 8.8.8.8:53 mailin14.audi.de udp
DE 143.164.100.109:443 karriere.volkswagen.de tcp
IE 209.85.203.84:22 accounts.google.com tcp
IE 209.85.203.84:21 accounts.google.com tcp
US 8.8.8.8:53 sicoes.gob.bo udp
US 8.8.8.8:53 aulavirtual.unefco.edu.bo udp
US 8.8.8.8:53 campus.chamilo.org udp
NL 159.65.192.215:143 mail.hope-mail.com tcp
US 104.26.3.213:80 gta5grand.com tcp
BO 177.222.57.17:22 dgtic.minedu.gob.bo tcp
BO 177.222.57.17:21 dgtic.minedu.gob.bo tcp
IE 209.85.203.84:443 accounts.google.com tcp
US 8.8.8.8:53 alt3.gmr-smtp-in.l.google.com udp
US 8.8.8.8:53 campus.chamilo.org udp
NL 159.65.192.215:465 mail.hope-mail.com tcp
US 8.8.8.8:53 us05web.zoom.us udp
US 8.8.8.8:53 213.3.26.104.in-addr.arpa udp
US 72.52.179.174:80 staff.sportzentrum.net tcp
BO 177.222.57.17:443 dgtic.minedu.gob.bo tcp
US 8.8.8.8:53 us05web.zoom.us udp
US 8.8.8.8:53 creately.com udp
IE 209.85.202.27:143 aspmx.l.google.com tcp
IE 209.85.202.27:465 aspmx.l.google.com tcp
BO 200.87.143.221:22 sicoes.gob.bo tcp
BO 200.87.143.221:21 sicoes.gob.bo tcp
IE 209.85.202.27:995 aspmx.l.google.com tcp
DE 143.164.102.55:143 mailin14.audi.de tcp
US 104.26.3.213:80 gta5grand.com tcp
US 8.8.8.8:53 109.100.164.143.in-addr.arpa udp
NL 159.65.192.215:995 mail.hope-mail.com tcp
BO 200.87.143.221:443 sicoes.gob.bo tcp
US 198.98.53.183:22 aulavirtual.unefco.edu.bo tcp
US 198.98.53.183:21 aulavirtual.unefco.edu.bo tcp
US 104.26.2.213:22 gta5grand.com tcp
US 104.26.2.213:21 gta5grand.com tcp
ES 195.78.229.20:22 campus.chamilo.org tcp
US 8.8.8.8:53 creately.com udp
US 72.52.179.174:21 staff.sportzentrum.net tcp
US 8.8.8.8:53 84.203.85.209.in-addr.arpa udp
US 8.8.8.8:53 mail.sicoes.gob.bo udp
US 8.8.8.8:53 mail.aulavirtual.unefco.edu.bo udp
DE 143.164.102.55:465 mailin14.audi.de tcp
DE 143.164.100.109:80 karriere.volkswagen.de tcp
US 198.98.53.183:443 mail.aulavirtual.unefco.edu.bo tcp
NL 142.251.9.14:143 alt3.gmr-smtp-in.l.google.com tcp
NL 142.251.9.14:465 alt3.gmr-smtp-in.l.google.com tcp
IE 209.85.203.84:80 accounts.google.com tcp
DE 143.164.100.109:80 karriere.volkswagen.de tcp
ES 195.78.229.20:21 campus.chamilo.org tcp
BO 177.222.57.17:143 dgtic.minedu.gob.bo tcp
US 8.8.8.8:53 academicoaltiplano.sie.gob.bo udp
US 8.8.8.8:53 174.179.52.72.in-addr.arpa udp
US 8.8.8.8:53 17.57.222.177.in-addr.arpa udp
US 8.8.8.8:53 183.53.98.198.in-addr.arpa udp
US 8.8.8.8:53 221.143.87.200.in-addr.arpa udp
US 104.26.3.213:443 gta5grand.com tcp
DE 143.164.102.55:995 mailin14.audi.de tcp
US 5.161.182.241:143 mail.hope-mail.com tcp
US 172.67.71.138:22 gta5grand.com tcp
US 172.67.71.138:21 gta5grand.com tcp
NL 142.251.9.14:995 alt3.gmr-smtp-in.l.google.com tcp
US 170.114.52.5:22 us05web.zoom.us tcp
US 170.114.52.5:21 us05web.zoom.us tcp
ES 195.78.229.20:443 campus.chamilo.org tcp
US 104.26.3.213:443 gta5grand.com tcp
US 8.8.8.8:53 ww1.sportzentrum.net udp
US 72.52.179.174:80 staff.sportzentrum.net tcp
IE 209.85.203.84:80 accounts.google.com tcp
US 8.8.8.8:53 academicoaltiplano.sie.gob.bo udp
US 8.8.8.8:53 campus.chamilo.org udp
BO 200.87.143.221:80 sicoes.gob.bo tcp
BO 190.181.50.197:21 sicoes.gob.bo tcp
BO 190.181.50.197:22 sicoes.gob.bo tcp
BO 177.222.57.17:465 dgtic.minedu.gob.bo tcp
BO 177.222.57.17:80 dgtic.minedu.gob.bo tcp
US 5.161.182.241:465 mail.hope-mail.com tcp
US 170.114.52.5:443 us05web.zoom.us tcp
US 198.98.53.183:143 mail.aulavirtual.unefco.edu.bo tcp
DE 18.173.154.81:22 creately.com tcp
BO 200.87.143.221:22 sicoes.gob.bo tcp
DE 18.173.154.81:21 creately.com tcp
US 8.8.8.8:53 es-la.facebook.com udp
US 8.8.8.8:53 20.229.78.195.in-addr.arpa udp
US 8.8.8.8:53 5.52.114.170.in-addr.arpa udp
US 5.161.182.241:995 mail.hope-mail.com tcp
US 104.26.3.213:443 gta5grand.com tcp
US 198.98.53.183:465 mail.aulavirtual.unefco.edu.bo tcp
US 198.98.53.183:80 mail.aulavirtual.unefco.edu.bo tcp
BO 200.87.143.93:143 mail.sicoes.gob.bo tcp
DE 18.173.154.81:443 creately.com tcp
BO 200.87.143.221:21 sicoes.gob.bo tcp
DE 64.190.63.136:80 ww1.sportzentrum.net tcp
BO 177.222.57.17:995 dgtic.minedu.gob.bo tcp
US 198.98.53.183:21 mail.aulavirtual.unefco.edu.bo tcp
BO 200.87.143.93:995 mail.sicoes.gob.bo tcp
BO 200.87.143.93:465 mail.sicoes.gob.bo tcp
US 8.8.8.8:53 us05web.zoom.us udp
US 8.8.8.8:53 es-la.facebook.com udp
ES 195.78.229.20:143 campus.chamilo.org tcp
US 198.98.53.183:995 mail.aulavirtual.unefco.edu.bo tcp
IE 209.85.203.84:443 accounts.google.com tcp
DE 143.164.100.109:443 karriere.volkswagen.de tcp
DE 143.164.100.109:443 karriere.volkswagen.de tcp
DE 143.164.100.109:443 karriere.volkswagen.de tcp
BO 200.87.143.221:443 sicoes.gob.bo tcp
ES 195.78.229.20:22 campus.chamilo.org tcp
DE 18.173.154.87:22 creately.com tcp
US 8.8.8.8:53 sib.org.bo udp
DE 18.173.154.87:21 creately.com tcp
BO 190.181.50.197:22 sicoes.gob.bo tcp
ES 195.78.229.20:80 campus.chamilo.org tcp
US 170.114.52.5:143 us05web.zoom.us tcp
ES 195.78.229.20:465 campus.chamilo.org tcp
US 170.114.52.5:21 us05web.zoom.us tcp
US 170.114.52.5:22 us05web.zoom.us tcp
US 104.26.3.213:80 gta5grand.com tcp
BO 177.222.57.17:80 dgtic.minedu.gob.bo tcp
ES 195.78.229.20:80 campus.chamilo.org tcp
IE 209.85.202.27:143 aspmx.l.google.com tcp
IE 209.85.203.84:443 accounts.google.com tcp
ES 195.78.229.20:21 campus.chamilo.org tcp
BO 200.87.143.221:80 sicoes.gob.bo tcp
US 198.98.53.183:443 mail.aulavirtual.unefco.edu.bo tcp
US 170.114.52.5:80 us05web.zoom.us tcp
US 8.8.8.8:53 sib.org.bo udp
US 8.8.8.8:53 academico.sie.gob.bo udp
US 8.8.8.8:53 academicoaltiplano.sie.gob.bo udp
US 8.8.8.8:53 81.154.173.18.in-addr.arpa udp
US 8.8.8.8:53 136.63.190.64.in-addr.arpa udp
US 170.114.52.5:465 us05web.zoom.us tcp
US 8.8.8.8:53 ww7.sportzentrum.net udp
BO 200.87.143.93:143 mail.sicoes.gob.bo tcp
BO 190.181.50.197:21 sicoes.gob.bo tcp
ES 195.78.229.20:995 campus.chamilo.org tcp
IE 209.85.202.27:465 aspmx.l.google.com tcp
US 72.52.179.174:80 staff.sportzentrum.net tcp
DE 18.173.154.81:80 creately.com tcp
US 170.114.52.5:22 us05web.zoom.us tcp
US 104.26.3.213:22 gta5grand.com tcp
ES 195.78.229.20:443 campus.chamilo.org tcp
US 170.114.52.5:80 us05web.zoom.us tcp
GB 163.70.147.22:22 es-la.facebook.com tcp
US 104.26.3.213:21 gta5grand.com tcp
GB 163.70.147.22:21 es-la.facebook.com tcp
NL 159.65.192.215:143 mail.hope-mail.com tcp
US 72.52.179.174:22 staff.sportzentrum.net tcp
DE 143.164.100.109:22 karriere.volkswagen.de tcp
IE 209.85.203.84:22 accounts.google.com tcp
US 8.8.8.8:53 academico.sie.gob.bo udp
US 8.8.8.8:53 accounts.majorleaguegaming.com udp
BO 200.87.143.93:465 mail.sicoes.gob.bo tcp
US 170.114.52.5:995 us05web.zoom.us tcp
BO 200.87.143.221:80 sicoes.gob.bo tcp
US 104.26.3.213:80 gta5grand.com tcp
IE 209.85.202.27:995 aspmx.l.google.com tcp
US 8.8.8.8:53 smtpin.vvv.facebook.com udp
US 170.114.52.5:443 us05web.zoom.us tcp
US 170.114.52.5:21 us05web.zoom.us tcp
DE 143.164.100.109:21 karriere.volkswagen.de tcp
US 209.59.190.46:21 sib.org.bo tcp
US 8.8.8.8:53 accounts.majorleaguegaming.com udp
GB 163.70.147.22:443 es-la.facebook.com tcp
DE 18.173.154.81:80 creately.com tcp
BO 200.87.143.221:22 sicoes.gob.bo tcp
US 72.52.179.174:990 staff.sportzentrum.net tcp
IE 209.85.202.27:465 aspmx.l.google.com tcp
BO 200.87.143.221:21 sicoes.gob.bo tcp
US 209.59.190.46:22 sib.org.bo tcp
US 104.26.2.213:22 gta5grand.com tcp
IE 209.85.202.27:143 aspmx.l.google.com tcp
US 104.26.2.213:21 gta5grand.com tcp
US 5.161.182.241:143 mail.hope-mail.com tcp
ES 195.78.229.20:143 campus.chamilo.org tcp
DE 143.164.102.55:143 mailin14.audi.de tcp
BO 177.222.57.17:21 dgtic.minedu.gob.bo tcp
NL 159.65.192.215:465 mail.hope-mail.com tcp
BO 177.222.57.17:22 dgtic.minedu.gob.bo tcp
US 198.98.53.183:22 mail.aulavirtual.unefco.edu.bo tcp
US 8.8.8.8:53 signup.na.leagueoflegends.com udp
BO 200.87.143.93:995 mail.sicoes.gob.bo tcp
IE 209.85.203.84:21 accounts.google.com tcp
US 198.98.53.183:21 mail.aulavirtual.unefco.edu.bo tcp
US 199.59.243.225:80 ww7.sportzentrum.net tcp
US 198.98.53.183:443 mail.aulavirtual.unefco.edu.bo tcp
BO 200.87.143.221:443 sicoes.gob.bo tcp
BO 177.222.57.17:443 dgtic.minedu.gob.bo tcp
DE 143.164.100.109:80 karriere.volkswagen.de tcp
IE 209.85.203.84:80 accounts.google.com tcp
DE 143.164.100.109:80 karriere.volkswagen.de tcp
US 8.8.8.8:53 signup.na.leagueoflegends.com udp
DE 143.164.102.55:465 mailin14.audi.de tcp
BO 190.181.50.197:22 sicoes.gob.bo tcp
BO 190.181.50.197:21 sicoes.gob.bo tcp
US 5.161.182.241:465 mail.hope-mail.com tcp
NL 142.251.9.14:143 alt3.gmr-smtp-in.l.google.com tcp
ES 195.78.229.20:465 campus.chamilo.org tcp
NL 159.65.192.215:995 mail.hope-mail.com tcp
ES 195.78.229.20:21 campus.chamilo.org tcp
ES 195.78.229.20:80 campus.chamilo.org tcp
US 8.8.8.8:53 elephantbet.co.mz udp
US 198.98.53.183:443 mail.aulavirtual.unefco.edu.bo tcp
ES 195.78.229.20:143 campus.chamilo.org tcp
IE 209.85.202.27:995 aspmx.l.google.com tcp
US 170.114.52.5:143 us05web.zoom.us tcp
US 173.252.87.251:143 smtpin.vvv.facebook.com tcp
ES 195.78.229.20:443 campus.chamilo.org tcp
US 170.114.52.5:990 us05web.zoom.us tcp
US 170.114.52.5:222 us05web.zoom.us tcp
US 104.26.3.213:443 gta5grand.com tcp
IE 209.85.203.84:80 accounts.google.com tcp
US 104.26.3.213:443 gta5grand.com tcp
ES 195.78.229.20:22 campus.chamilo.org tcp
US 8.8.8.8:53 sibnet.sib.org.bo udp
US 8.8.8.8:53 46.190.59.209.in-addr.arpa udp
DE 143.164.102.55:995 mailin14.audi.de tcp
US 8.8.8.8:53 copyrightspareddcitwew.site udp
US 8.8.8.8:53 elephantbet.co.mz udp
US 104.21.55.202:443 copyrightspareddcitwew.site tcp
NL 142.251.9.14:995 alt3.gmr-smtp-in.l.google.com tcp
BO 177.222.57.30:21 academico.sie.gob.bo tcp
NL 142.251.9.14:465 alt3.gmr-smtp-in.l.google.com tcp
US 198.98.53.183:995 mail.aulavirtual.unefco.edu.bo tcp
ES 195.78.229.20:995 campus.chamilo.org tcp
BO 200.87.143.93:143 mail.sicoes.gob.bo tcp
BO 177.222.57.17:143 dgtic.minedu.gob.bo tcp
US 8.8.8.8:53 m.facebook.com udp
US 198.98.53.183:143 mail.aulavirtual.unefco.edu.bo tcp
US 170.114.52.5:443 us05web.zoom.us tcp
US 170.114.52.5:465 us05web.zoom.us tcp
US 173.252.87.251:465 smtpin.vvv.facebook.com tcp
DE 18.173.154.81:22 creately.com tcp
GB 163.70.147.22:80 es-la.facebook.com tcp
BO 177.222.57.17:465 dgtic.minedu.gob.bo tcp
ES 195.78.229.20:80 campus.chamilo.org tcp
BO 200.87.143.93:465 mail.sicoes.gob.bo tcp
US 8.8.8.8:53 22.147.70.163.in-addr.arpa udp
US 8.8.8.8:53 225.243.59.199.in-addr.arpa udp
DE 18.173.154.81:21 creately.com tcp
BO 200.87.143.221:22 sicoes.gob.bo tcp
DE 18.173.187.81:21 accounts.majorleaguegaming.com tcp
BO 177.222.57.30:443 academico.sie.gob.bo tcp
US 170.114.52.5:143 us05web.zoom.us tcp
US 170.114.52.5:22 us05web.zoom.us tcp
BO 200.87.143.221:80 sicoes.gob.bo tcp
ES 195.78.229.20:80 campus.chamilo.org tcp
US 8.8.8.8:53 web.facebook.com udp
US 8.8.8.8:53 droidvpn.com udp
BO 200.87.130.51:465 sibnet.sib.org.bo tcp
US 8.8.8.8:53 academicoaltiplano.sie.gob.bo udp
US 173.252.87.251:995 smtpin.vvv.facebook.com tcp
US 198.98.53.183:465 mail.aulavirtual.unefco.edu.bo tcp
BO 200.87.143.221:21 sicoes.gob.bo tcp
US 170.114.52.5:995 us05web.zoom.us tcp
ES 195.78.229.20:22 campus.chamilo.org tcp
US 72.52.179.174:80 staff.sportzentrum.net tcp
DE 18.173.154.81:443 creately.com tcp
US 8.8.8.8:53 202.55.21.104.in-addr.arpa udp
BO 200.87.130.51:143 sibnet.sib.org.bo tcp
US 170.114.52.5:21 us05web.zoom.us tcp
DE 18.173.187.81:443 accounts.majorleaguegaming.com tcp
BO 200.87.143.93:995 mail.sicoes.gob.bo tcp
GB 3.10.126.228:21 signup.na.leagueoflegends.com tcp
US 8.8.8.8:53 web.facebook.com udp
US 170.114.52.5:465 us05web.zoom.us tcp
US 170.114.52.5:80 us05web.zoom.us tcp
ES 195.78.229.20:465 campus.chamilo.org tcp
US 170.114.52.5:80 us05web.zoom.us tcp
GB 163.70.147.22:22 web.facebook.com tcp
IE 209.85.202.27:143 aspmx.l.google.com tcp
ES 195.78.229.20:21 campus.chamilo.org tcp
US 209.59.190.46:80 sib.org.bo tcp
BO 200.87.130.51:995 sibnet.sib.org.bo tcp
US 8.8.8.8:53 droidvpn.com udp
US 8.8.8.8:53 academico.apolitecnica.ac.mz udp
US 72.52.179.174:80 staff.sportzentrum.net tcp
IE 209.85.203.84:443 accounts.google.com tcp
DE 143.164.100.109:443 karriere.volkswagen.de tcp
US 8.8.8.8:53 30.57.222.177.in-addr.arpa udp
US 198.98.53.183:80 mail.aulavirtual.unefco.edu.bo tcp
ES 195.78.229.20:443 campus.chamilo.org tcp
US 8.8.8.8:53 academico.apolitecnica.ac.mz udp
US 8.8.8.8:53 account.live.com udp
ES 195.78.229.20:80 campus.chamilo.org tcp
US 8.8.8.8:53 spool.mail.gandi.net udp
BO 200.87.143.221:443 sicoes.gob.bo tcp
US 72.52.179.174:80 staff.sportzentrum.net tcp
US 8.8.8.8:53 81.187.173.18.in-addr.arpa udp
US 104.26.3.213:80 gta5grand.com tcp
US 8.8.8.8:53 account.live.com udp
US 8.8.8.8:53 es.surveymonkey.com udp

Files

memory/840-0-0x00007FF6398B0000-0x00007FF63A2F4000-memory.dmp

memory/840-1-0x00007FF6398B0000-0x00007FF63A2F4000-memory.dmp

memory/840-6-0x00007FFCA0FD0000-0x00007FFCA1299000-memory.dmp

memory/840-7-0x00007FFCA1BD0000-0x00007FFCA1C8E000-memory.dmp

memory/840-8-0x00007FFCA0FD0000-0x00007FFCA1299000-memory.dmp

memory/840-9-0x00007FFCA33F0000-0x00007FFCA35E5000-memory.dmp

memory/840-10-0x00007FFC80030000-0x00007FFC80031000-memory.dmp

memory/840-12-0x00007FFCA0FD0000-0x00007FFCA1299000-memory.dmp

memory/840-11-0x00007FF6398B0000-0x00007FF63A2F4000-memory.dmp

memory/840-13-0x00007FFC80000000-0x00007FFC80002000-memory.dmp

memory/840-14-0x00007FF6398B0000-0x00007FF63A2F4000-memory.dmp

memory/840-15-0x00007FF6398B0000-0x00007FF63A2F4000-memory.dmp

memory/840-16-0x00007FF6398B0000-0x00007FF63A2F4000-memory.dmp

memory/840-17-0x00007FF6398B0000-0x00007FF63A2F4000-memory.dmp

memory/840-18-0x00007FF6398B0000-0x00007FF63A2F4000-memory.dmp

memory/840-19-0x00007FF6398B0000-0x00007FF63A2F4000-memory.dmp

memory/840-20-0x00007FF6398B0000-0x00007FF63A2F4000-memory.dmp

memory/840-21-0x00007FF6398B0000-0x00007FF63A2F4000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

C:\Users\Admin\Documents\GuardFox\Fhiu40oo3t1NFSHs6Nih2CPH.exe

MD5 abdd44ee49644dd47d86cf9ee321d2d1
SHA1 6414ddfab7d91d4be56e654219e56fb66cd1bf4f
SHA256 38cb8c23fa6a0aa7d2d8c3b58285b075adef643640838cb0e406f86a238eb607
SHA512 8f25c9285ecfbb3d54f0ce21161eabf34dae40ff82bdea80773c7702b9f9b25b5852c6e6b5ffc5e5ed71e1808f872f34894f39a783689d1feadee6c796f216ff

C:\Users\Admin\Documents\GuardFox\HUVHjonu_Hje6G6JU7VaoIjt.exe

MD5 3fdc03bf751bd82fe71fd7aa097ba266
SHA1 d3eff184804b1d32560bab9764fd090a35aada20
SHA256 3b1737e6ac3ca0bf6b2146e6336054bd83f9d03c808f7d631ab08e6bee988882
SHA512 416ea4bfa76b4dab68b11fdf828e5c2348f5f78ad96fb844f2b9ca0533e1ab16c10b03a061fb34c0fdd029cd05c711dc2ac5855a631965c42840fe9ec57a91e5

C:\Users\Admin\Documents\GuardFox\GEMP3wBL4EHtx1DKvSUjrltk.exe

MD5 ebd6f7a6cb7aa2c1f16389618828dd18
SHA1 6f0ab3eae5a5c4ed3383ac48a4ac067294c87728
SHA256 80b7f795cac71ff494d915f171bca9feca53cf6d9c6d5b87b2c773ea8266403e
SHA512 b0ab45f303c0c7051da0248713d0b672d262bafde69112e3fe021426bfce869089329b324e3355a94cea76cec4feb6a024ab74499e1f025f82eebc3da11521be

C:\Users\Admin\Documents\GuardFox\DlobcuKPjhqxD04VLJeAxs1Y.exe

MD5 0300df90c7be2e5f7124509c7d3ef042
SHA1 e2b17e87f16280d5597cddaa1db7b4c93bd53cc6
SHA256 eefaf8133d167973725e6b43f93fe13bcdc491d9570dd0034ac6e726704e0b95
SHA512 bc29a934e777b15ec150898912d3f5accb392f834cb158b030c90fd5c9c2c36c78b016cbe69bbfbdee53bb68e67b9bd0ad00a79ec9b1782a8eb7c2ef5c24203b

C:\Users\Admin\Documents\GuardFox\Ib3nHb7tep7rCpzrk68gEeCy.exe

MD5 5373721eba16b7c52d1f53b02ca95302
SHA1 8b945293d135a1afd888babf4738971dbd607475
SHA256 8dcc8b0423941480f2dc4fcaca1811ea61164b8f8f213396b18ad32a20833b88
SHA512 c5d0c13f0d6036a54de22eb2996333bd7d908664879509699fa03a234b4b4e9fa62c8396b07cda534edf2102f3df5fa633b1e70265d536d9dfcefa28256ea4e4

C:\Users\Admin\Documents\GuardFox\7LsW1tgu4RRNjIZfO6UkF0OD.exe

MD5 f740608b4fc3a10a4526f0c2db5fc67d
SHA1 91a6a17d5a90be772997021532d6d0615d550fed
SHA256 35e87fae499edf23f25bfc5be34be901c0dcef34851db88b7d96eeeb6733860d
SHA512 2d45013aa54d29977eb173ef873ee2464081ee650c3df04fd381f9e8aaaca4bbc58de61228cbf365439ad05a81de4bed8cdafbf4a3762eb489da23d65010fe3c

C:\Users\Admin\Documents\GuardFox\Kziy09yGH2ihEicFLDPHF7al.exe

MD5 3587237650454077f0091c4b785cc0a4
SHA1 3382a89b5ad5437c5d398e1a823c1f30abcad5a1
SHA256 38835336488e14f393512cc51ab575686cdc8193ac53a9efa1e5daa5881a92d8
SHA512 a0b2b6af85e42b125970feb1101017b5af671f1b2d68a9b04d4cec742125fea68180e4d4622b14a6e2f52343498bef4f037e799acbd745442935799f79702e8d

C:\Users\Admin\Documents\GuardFox\zZoOSmhBGpbqhOnj9hrXXQ2h.exe

MD5 bbf6e342443d542bc441c19218d1938c
SHA1 531eb607991320a4a82453e853ddead10e87fd10
SHA256 c9946ebd3b46a85c3e6d4b657994150928ceb1030d3c4f4594e80a130c230698
SHA512 4ea5f07803633c0fbbe3d1d5ee61b778ffce067e29a4825d43d36244a4c6c590706d58a175079e2ebef0d0e157f7135d7ae3a2619cdbf8d90b91fab3f1e5af55

C:\Users\Admin\Documents\GuardFox\9UdKiMABHzlnZ75ggE48MsEl.exe

MD5 0338d812ee80b867ee55aeca639aea4b
SHA1 c8000bdd98b4e25d7f7d58575a88cae4423fc329
SHA256 8a04644aead7ae70566f1affc9f53507d5ea89fff0e2add36fca584a3ac08eec
SHA512 611f72f5d8fc065afbe829365a0b9f5acf861eed37335a3b0a8e0009903dc4a25f4b20e4e5c2c9ab66091f2b1f128e0d4dc9f34cea14463472cc9506c14f9a4a

C:\Users\Admin\Documents\GuardFox\qKYZynyy_NBhtwhTUfWTQeXE.exe

MD5 b7bc9e112100ed482631a02cff4c533d
SHA1 66e8d225495d097bc4f570c176b67f52964349f9
SHA256 110b2111d924c6c26437b633ad933d08003742723725ad22037e5a337cc16069
SHA512 e6d6b43ec74c72ff61f016d6faf2e390b5e908ca6a5a3f307c70e48562f82b7b32d6a8a2773d106dd0ce52f655b15d5aa30c22489dae40b6ac266acd0746bdd6

memory/840-114-0x00007FF6398B0000-0x00007FF63A2F4000-memory.dmp

C:\Users\Admin\Documents\GuardFox\TBM9dwaxRE1IJerNiSbnNqaC.exe

MD5 5fa878455587d484dba37e41a46b9343
SHA1 82f4dd3a18554bda4425a897433b31f2d783587a
SHA256 e63841c08999245e9c424161cca81afbecb2c9e20b53aa2eb988a923cddbe6a4
SHA512 60e23805e4a72ed423a65d2a3b19c2f6f4c16587f74499f78478180e0964dc9a80a584fb3a607c7a61ddf8085cd3ae23a5bf6a0d25aff78b96b808007d7e1654

C:\Users\Admin\Documents\GuardFox\EwpduaZj10LbAfghmKbC0XEl.exe

MD5 7b8e8862202f2c42bd909e44a20ce7ac
SHA1 5174b3130f9da872e70c705a6eecf378b9981365
SHA256 bb168eb325b35d5bdd98a628a5832952c35bb6e18a5bd9031d9f50fad9ac61da
SHA512 26398dea94a1a7d9dc3a744ee1f210071361241ef5658259e1af5c1de4728036a4e93c975d80aaf134b6c57001e135925f4204241282d73537f85356d11b7285

C:\Users\Admin\Documents\GuardFox\sbuycKPFZHgRBaJKN1N1aCEz.exe

MD5 2dce99f902dafc3c53f20db467b8655f
SHA1 fa206f040a42536170553c205fa0dbe95df9c337
SHA256 891f2a710fd359c92435537a4fd83776ad188304d3b3b8ee81e5d62b2114f0a1
SHA512 12d282164ffc8fd5900c935ec7b6d2827c7a6c44f2df33ff2016c85bd7199a5b4ed15dca8c4bea655658e5362f5e4cf0c0201079ed4392984b29d23da5879bc6

C:\Users\Admin\Documents\GuardFox\JdZPq1P5EKDFC4HyZ_OuQvq9.exe

MD5 cbf8063075619138caa08fb1afb1cfa2
SHA1 bdd94089d791985baf2f459a0c518710887b5471
SHA256 5030e4e9b296805fe67e5224c49be0c834f9fe3ce1028bd36f2d7ab9ec88caa1
SHA512 5230127832c1518fdec8a7ce4e264148f1fa0a30068f5a0aca9d85348a4a412f05233a7951c08fddbd104e7f1ab41cc9b405f6413ce5b7db356478a24fc43853

C:\Users\Admin\Documents\GuardFox\Iz2F_E2SsHuStXA_nVq69RNt.exe

MD5 bf21be3446b558a2864093d287090247
SHA1 cf6435fec0562f30badd13ad4305c75ac58a3d99
SHA256 6e03ecd231d9b04fb6eb31331d478aa33ee08b64fd487a4b1c58c4ddf20ba195
SHA512 8551b54e70e3933ac125acf83f52fab927369097acd12885724523552b2559a26e79c33e0016b703915060be5d728757db7e4c8c192967c6de021295927060f1

C:\Users\Admin\Documents\GuardFox\KdVPYGEBaFAKLdQMMkqc0P9O.exe

MD5 3f750d3e7f23601110827271f4af175a
SHA1 357a39dd4c271870e2036c8c85ec5b58ed55984e
SHA256 3c3f0b4ff1e617138d09f5a1bec8e28f8517d63735978bc1646da6cb3967ce49
SHA512 7fbbed3b7f0750b5389f5ce341cb7dbff1980f2a729e20abf2f60888de3959d11ad4303562c527c143932426cb5bbf4533d70f0a1fd272d665dbdc92e70e396f

C:\Users\Admin\Documents\GuardFox\V30CDH8Dluq42uED6_5d_908.exe

MD5 82e178bd7bfcdb6eb59874636a000a30
SHA1 077bf3ba8147b8df18c98d450e2f1b197e9859e6
SHA256 ae8118215495ebe87042849318bcfc4e122d69775effbc375aae3e76ea120059
SHA512 9f8fdb14410bb61d58f2f0790ebbef0a75d7dcb70d786aea9138b3e903fa63fbb018d76163e10a06bbc078ff98fec9bdd62a5cdbb7cdbe979d31b6fd35a98f65

C:\Users\Admin\Documents\GuardFox\pNDGpTJMyJXYIj9W4rvJQwL8.exe

MD5 90487cf41bc9545f0aac8c6bf0a6b855
SHA1 32d444978a1e90f449393c095e451ddc920c9122
SHA256 339c65b2fa9c57e5455181829df42a83ce220844e2dbba006a5f24b6e1012b2f
SHA512 bda05055737444a1d514845a693a99c75682a328242cec1b163aac22b441208002032b245b7825a51d0e15326cb5b6ce7a14a05179e9605e0f4a75229a8e1ad8

C:\Users\Admin\Documents\GuardFox\V4pYAb0MjziI6mmnQmBlqBlp.exe

MD5 5b7b15e57bf07b1cf432b370f2c367ca
SHA1 7679de14d2950fd85983b68331515e668ad25de9
SHA256 e9ef42e373a505c4a24b3f31b349775a420c92353a6fe64cccee3986455ad062
SHA512 50d11642c97e3442b31a5fe3f3a1cf9b6c1a608fea25e0e4557f20b25d9217986679a7cf683d5344d8deb47b8ae8733e079d944b2001ea9836a586d269713cf9

C:\Users\Admin\Documents\GuardFox\JTb0PxmZFALhKcqoAtyuiktg.exe

MD5 026733d178143f6742ae5c9f308abb57
SHA1 eb077b40272cc399d25376053531d4b7c0bac7cf
SHA256 e7790b04a89009e8c77eec9e6e64a4bc85d91c730003a83da47b58da91dab060
SHA512 1a1d12f1edb82b3171a860552b5a9e7115a8f1de8a9d1c0a88efd0096080c24699294f3b2ea00158dddcfcd949a8d9a2748a68bfb374959f7c6e78f0ac5eda6d

C:\Users\Admin\Documents\GuardFox\ztf35Sy2IebzEPWHO3U10kcF.exe

MD5 55f4a05bd965b92e765bae679cfa54fa
SHA1 e6bb39eb3f182cb73e1d998f8875a33e9cf1d6c6
SHA256 6e9e3854a7d5ed2c4b486f7a3cbc6525e51e9895ce804308a5cfa35a7c88bdc6
SHA512 00f0bace053a11e32fd387bfb04a6ac5a87158b981db99bcaa201d53d9b3453acf022d6d88be7ef82c255377228c720409265d2bc037bfb4a28aca9ce17f4b79

C:\Users\Admin\Documents\GuardFox\V30CDH8Dluq42uED6_5d_908.exe

MD5 32230b2cf5811f0a184e2702a59190e0
SHA1 db772145066b84cf040b9b2b88c822c85997d914
SHA256 6df670800034fe8fc0b8d05c9f3ea89f143ddc8c5122dcf381477a4f2e48da0b
SHA512 9710c1ddb04b561f300ce336ec2c1c263f5b51e526dc7a91de1fde3be4297dacec51eb797022a4a5753766d4cc13fd8bb64762b6ee69f051e23daed9b382229e

C:\Users\Admin\Documents\GuardFox\ztf35Sy2IebzEPWHO3U10kcF.exe

MD5 90d8dd3b634c60d0c7129ade169c139d
SHA1 91c4695e3d4a4043aa2600905d41eae5831fb97a
SHA256 63a0b432d31b1fdba074142f65ea3ac360fbe6cbbaeeee02f69845d459a24e95
SHA512 29ed005f8c8f0dc07bd6622cf9ce4604cb1313bb30581186c4d1cf1f9f91f0cbde96b116f416f65df4fde38b4e48293c761b0f2bf4444147d27fc268c887e782

C:\Users\Admin\Documents\GuardFox\JTb0PxmZFALhKcqoAtyuiktg.exe

MD5 8106372827f3792f9b79a8ce0b32d275
SHA1 cfff571cf58eff5268342ddabd395dd938442bdc
SHA256 9d8782d492f3a1cc06c25fd4415927ee0274c024465b2db58393b7c6c46d9ca2
SHA512 3ac870e2aaddde91da93eb4fcf5d4dfe887de863417ab09c8a92a7082445f622734daff9060ecf88d175c7fead0c131e4635d0458b6786e977a19be7929caf2f

C:\Users\Admin\Documents\GuardFox\Kziy09yGH2ihEicFLDPHF7al.exe

MD5 fbc8c9fe49f30e78b2f3ba323ebfa70f
SHA1 21c15004f75c098737cce3bf9818b833eea7404a
SHA256 660185be0f587322a3daa203803eecf49d42a686ceffa06315491ecf37d73701
SHA512 fda14ebb8f3b6d8fd9501e57c686640fded4c7e581ea938ec7016ea999410bde9b98042b035c8d0d9da3a70af17ec6731b446656fbc9b9a06aa5c87f8c2cf85b

C:\Users\Admin\Documents\GuardFox\HUVHjonu_Hje6G6JU7VaoIjt.exe

MD5 f913fe9d70042c53b254827acc6b499f
SHA1 b250b7e729c4ef048003a355744e73fd53c116ba
SHA256 8cb8cc58c6944b015ad8afd1759486b0441240fec99e54a37e06b8f75089ff00
SHA512 5376c6a286d740a4f0faa65bf65adf3892928bc874a7d4c1cf3ea736fdd6bc66b0e230a3cae4ffeaa494fcf5cecc97d3078f9fc4773d1b006833983181a323bf

C:\Users\Admin\Documents\GuardFox\HUVHjonu_Hje6G6JU7VaoIjt.exe

MD5 fa0b656d3d278e9336c15448ef7c2d15
SHA1 4cd51fcf01b7f6e685f79778ecb56e9045d0e30f
SHA256 5122af5f90ae5fa4445cbb52cc7352e1e529586dc7f7188ae3d1d9415b484445
SHA512 b54d6f836c1df07ed5b870b7229fb304cc0df9477cee86efb6cf091a1b06204bb8f01ff7bbe0560c57c6c2505a704cff66e9ea5811d54b0176aff4dd44f6df32

C:\Users\Admin\Documents\GuardFox\sbuycKPFZHgRBaJKN1N1aCEz.exe

MD5 502868901be03efb85000e67c64601b3
SHA1 d4ac62ca27427002331abb0cbb8e247ce6c5193c
SHA256 8ae07f45777add8b7af1e0b112165d7800350f9091448da55b7caf06a228a750
SHA512 97a0bab350923fb6712c0805f8dc4d2ef4ef4ad7a5e66c2b29057f4a76e561ac4ab8d982f015f885cc9fe608ed2e9dd15e5edf99bad6ab6e3a2b2d63386ece78

C:\Users\Admin\Documents\GuardFox\pNDGpTJMyJXYIj9W4rvJQwL8.exe

MD5 2a25d202bade6cc79ff0d61effb4e1ef
SHA1 8ec2ac45283a15ac0560844e1c46bc7f0c2c5774
SHA256 7b55a1c6d0f72455bccd6a93db9d6b11030b050b691d4c90697935a3d6ffaecc
SHA512 983b120a8d229d37ee0d62cac303e97b1086de9bbca9f9ab0e1607332cf87611aaca4fe2e17db584ac19d1cb74302486a5851202f6161d9bbc55cb593a65d40b

memory/840-603-0x00007FFC80010000-0x00007FFC80011000-memory.dmp

C:\Users\Admin\Documents\GuardFox\GEMP3wBL4EHtx1DKvSUjrltk.exe

MD5 e1cb766dc575cc1bf368143497e4734e
SHA1 5d73dfa40b600bd0b03893d9d519bec8321c68f0
SHA256 3e5dbc59f5e21ac6512581b1268295f48b863a8a5b1609072b84dfceb609b784
SHA512 f7e3563c7c7360aeacdcd02c4e6e0eee914f06944a20f4db3cd77f332f60095ef7868a5d9653fb191c487730cf3e3e58ff7c148c1f1862b60faa79335a30fa0a

C:\Users\Admin\Documents\GuardFox\DlobcuKPjhqxD04VLJeAxs1Y.exe

MD5 04a0ff98b24970358be912742b1b12e9
SHA1 7662063af43a5a00e747517c9f6d86eb2b40b33e
SHA256 f6552d836ffc1cd88e7b952efdc0388570734d652cb9356be169fe3981b15ca1
SHA512 1c51c64fc2438f13ed6d1cf814de34a0d24b2ad952c74d1ee61a2b49bbae210893a7f64d781c024da69737bedc4b91eb59a322ae4f855b6a9cfb7119572d5230

C:\Users\Admin\Documents\GuardFox\7LsW1tgu4RRNjIZfO6UkF0OD.exe

MD5 d0901b92749db4d796381d541e977f04
SHA1 b3ceb02addc1add99e9c099228a09ad3a0e04d79
SHA256 67c2e03ac2744fe2e87983c42cfa7c86cf8069a6b3dac91ff4b214218eb78b01
SHA512 73d02fde1190c89c7977890cde69e0f71efdc5f10cb811eadeeeb657ec31d06d1a2d5fb04ec5a2556aaa329d89481a7b879c4bcba577babc1f451bc1b12eb516

C:\Users\Admin\Documents\GuardFox\Ib3nHb7tep7rCpzrk68gEeCy.exe

MD5 80ce593e055e11b63b129103d490bbaa
SHA1 0057cff329b9b1d8cb7d0d946d938c12cc5471f6
SHA256 c5766284acf2a88d735a6401e7b2b12c2ff0b5ddc7744779242c90db06225dd3
SHA512 636ae91b58fc872e063c5425f935e9ad05554c659706b2367b17584d5d16fc1acebd09062688e3be90dc6db9e0377f88523a653f729de97a476ea1068d2005ee

C:\Users\Admin\Documents\GuardFox\pNDGpTJMyJXYIj9W4rvJQwL8.exe

MD5 34d0dc32f8fab919a969f7d8a6185057
SHA1 d8c01aefc6381ed0e81a528a66e82e4819a0b063
SHA256 95247ce385d65ee38a0d020cfbd46fe70e88a779e2501d83841761d562f93880
SHA512 9b35304fe5301b15882bddbe23f9e82d69e5b7726761076de66fb51b8e36f09f7a35e63f139f227b9b778b1815c24e8881ab014b55de77bae667a7ad3d4629c0

C:\Users\Admin\Documents\GuardFox\Ib3nHb7tep7rCpzrk68gEeCy.exe

MD5 5f3cc6eb7d7e17292a0276d27af98bf3
SHA1 d401b9ecd245b73bfd29de7eda5b99e40eff4d91
SHA256 22f4d6222a7ad203bb98a80e8179b337920e109d7540be3427585193d632e627
SHA512 6d9dd083fe2684929e0e77a677ad9c5cae82ec2165e2cde94ac8e5000d8d7ffc9bda47fcd65aa56dc74c84472c729b87ec267d5bde3304c099fe239e554b2209

C:\Users\Admin\Documents\GuardFox\DlobcuKPjhqxD04VLJeAxs1Y.exe

MD5 47ccf763cfee28a4769e61ea0999deec
SHA1 0c013af2165a7df3878808411a780bafd08fa4cd
SHA256 858da9cc7e55da3937dbb0c12e3c44505a0808b676ed98bf6c0b2d556539e866
SHA512 eff34d00122c8f4432516c1a7d2ebf360591b9bf199c2b57d678a008f193c706b3c41185115abc3124d6297f6f22502ab28ee14dfebd53160c45aadc9c57d1d8

C:\Users\Admin\Documents\GuardFox\7LsW1tgu4RRNjIZfO6UkF0OD.exe

MD5 7daea3a8269ca531bec3b57f351c5f11
SHA1 96d1bdb08a1e83ce573e11651320ca276017c8ec
SHA256 17c2a327606ca410fc6e6a393d4a4b242e8c0903a9e8fa0ae8e99cbbb562b0f3
SHA512 4b4a956212a7e9ea004435642583c7438db679273cc638a60bc04546d569d03cfa336e04c5f7beb79b57e55984e9db1607b1229566cbdab76ffba3012d6fbb74

memory/5900-678-0x0000000000D20000-0x0000000001203000-memory.dmp

C:\Users\Admin\Documents\GuardFox\Kziy09yGH2ihEicFLDPHF7al.exe

MD5 0537da2ea91d9c0204fb0a6ba01ed11f
SHA1 69c83b99c015b372c6c2a10b5ec8b5999d51c906
SHA256 327c8262f490d93c9d0d633d868623041b9649372953047aafadaa1effc67e41
SHA512 03097895449ae0e7be27e9a343c29e8536e93c90ed1f4940cc9597684e20e67c11026ec00f7cb8ee08911864d771c9db5f3d3c97c03ee104f25addf4a9e9b1bb

memory/5964-682-0x00000000005B0000-0x00000000005BB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-Q4J0B.tmp\HUVHjonu_Hje6G6JU7VaoIjt.tmp

MD5 178a36772a6533aa2b6cfc730e0ece5b
SHA1 2077eabf003d62430d003e4b6cc0b89870534c65
SHA256 39d54851669305265953dbf7a1bc7f9370ac13c9e5a99e0990a41b68a5375eb2
SHA512 cf740e40da39bd795f2fc639bfe3bde038280e0f53068f34c26bc77b9b475d65260baadd9f4c1b951546988b7345d4fae52b7fbd42096d9ad46f98983a5f7a4f

C:\Users\Admin\AppData\Local\Temp\is-Q4J0B.tmp\HUVHjonu_Hje6G6JU7VaoIjt.tmp

MD5 dc54d0d10aaba59bc309cfe34e2fb44b
SHA1 acd39e1d610e90102bffcefb59ac594b2c66f114
SHA256 260260b6fe49d8682566d5749d4b2438416d0ad2fadadac2b73fc9f623ef4478
SHA512 643500a5c20f3a4ab3f9169c1e4ee4c22f3b5cc81ff7cae7422da7ae66fd65965a8206cd9229ca63c11329bad95effafc5bb7a1b0881cb562b166cc6d90083ee

memory/1812-688-0x0000000000790000-0x00000000007AC000-memory.dmp

memory/1812-689-0x0000000000400000-0x000000000062E000-memory.dmp

memory/4468-691-0x0000000000480000-0x000000000048B000-memory.dmp

memory/5964-715-0x0000000000600000-0x0000000000700000-memory.dmp

C:\Users\Admin\Documents\GuardFox\GEMP3wBL4EHtx1DKvSUjrltk.exe

MD5 fc46234d4c69d58e648d72302a1406ac
SHA1 34f70aaf3ee9c3f09e5f1c9c3708dde984ce38e3
SHA256 d2afea6d72413f5235b512d740d8283bcbcfecd2a7e97e3deee5b0b283a1394d
SHA512 072180a272dd3d9fe3d026ad37da48710918bc2562fd4310264534951886c5682393eacd03fcaeef73cb5e6b41deb25d52d8ad7699d36ebff33b368a03b8fd80

C:\Users\Admin\AppData\Local\Temp\is-EPDDO.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\Documents\GuardFox\sbuycKPFZHgRBaJKN1N1aCEz.exe

MD5 df9cbd5114a0a995233d6b4a2ea30d66
SHA1 b8ecce509463887d837ef7ccedfe57b34c109ed3
SHA256 c9e1861cec48f0cc3a7528dde67f8e08b3c5dd249405d9efb43986c1a4b01758
SHA512 be0b8522320f6ac4bf8b17e2a93f73a38e8081365636df11fc11074e9b9c189b028f80e15af08598e605950a53eabcac2378b811399e577ef8e8d6ded6512b12

C:\Users\Admin\Documents\GuardFox\sbuycKPFZHgRBaJKN1N1aCEz.exe

MD5 a9f5eec6112e3828eb18a32aff5f0440
SHA1 da5da36fc081ad8d7379336d685857fa695bde07
SHA256 e4d1bf47757116e75e7cd321265d914cdc0bd5861d4a1ba82e3ce0217c538499
SHA512 8f563e942744f834b3a849dcd0c0b24429345c2618aa7246180e570a9c06ba2ede210984b23d5a2c014a6af601c545570d5dddb60645c9f60743a8f8885b40c4

C:\Users\Admin\Documents\GuardFox\zZoOSmhBGpbqhOnj9hrXXQ2h.exe

MD5 3d4fd70475c366b991ba3e5befbe862f
SHA1 4aea50b28029abd602ced03396d332417b61df1d
SHA256 99bfe586f2b4e64610a29ad2f9a23bd7ed4edec011172f7c0a47b5f74c541b78
SHA512 9ee28f77d260c3981f0cbb1e7b470eeef5f6faec15376a8f1f0c3b92c1fd5374641f7098fbade713174ad588814c6809c764d71b3fe61fe154bdd88d4257f66f

C:\Users\Admin\Documents\GuardFox\zZoOSmhBGpbqhOnj9hrXXQ2h.exe

MD5 bee2b57866965861f9380a95f8195c9a
SHA1 1ea9c5fd00d1523cca7003d49c5724ec509da5a8
SHA256 a5954eace2cccca1fec38e1de5b8fe859ebc3e7166dcb901176521a6ebf0f0c9
SHA512 c8addc047354f93e059d45c9e6ea8bb309ec895daf822e24021f11e6a598edda69a512b80927964f0e287f4b4317e6cfbf9c612a8fc29b3d0c21a840fc5b709f

C:\Users\Admin\Documents\GuardFox\ztf35Sy2IebzEPWHO3U10kcF.exe

MD5 b23afa9df6df17f979f65d92af77942d
SHA1 b13b206f088dda385566f7e90211b5e3b7cb0383
SHA256 fe9e9241baf4d59de23503e543981a28b3571ef5c33f80328543eeb403afb5f9
SHA512 a86ad0889f7016620356f87179d3c6d36c02921c2834ceebf3bac1edf98a8fadc8f03b7ea5255c743f6cf3fa7bed0c089477e1e7bb2e13c0c27ede2b36461659

C:\Users\Admin\Documents\GuardFox\ztf35Sy2IebzEPWHO3U10kcF.exe

MD5 3ea5a9fc917c894462ee6761728266b8
SHA1 e5128ff26f9d96e3c47021c51d3aafd9386114a7
SHA256 67ae0780b9cfab6ec27b28a9a767f019c429e803b0ecc27bf7ab36d608085ab6
SHA512 6b685957c8903ead75ed8fff77ba69219946ca249eba0545866683b81f5005a1fc205b8baaa24eb74634b188a0e5a61f37b9421cd69d02dd82f637f911c2d5e0

C:\Users\Admin\Documents\GuardFox\V30CDH8Dluq42uED6_5d_908.exe

MD5 5c007e2c288c3af201853c7b5fe6ce79
SHA1 7aef41708ef2d4b3a47d6e84793d458d218ebbba
SHA256 747434f993aa3afc5436f81da1efb8431517e980ba57b6fd203a2091bd61f4bc
SHA512 f4843971cec2d821786f1652126832cfda62bff35934abbf9a576e2047259285f93573a62458c93d8e6205e78b3f1b01f2352dca5ac42386687439e002e44d5e

C:\Users\Admin\Documents\GuardFox\V30CDH8Dluq42uED6_5d_908.exe

MD5 18375b1b7895eb996a528352c2b34bc1
SHA1 1010b53f3007f6c8a4731b37058eba868acad694
SHA256 82fd3555f1d75cc1e57efc3d7bce382b544d06e896343a35c1d3f9bd6d9cad85
SHA512 26f5bc251e214fca4d2f352c06ff90a334320849dbed9bd02211808139c19a75293d133ac096160620e53f2148fc96b6c2d7d3728159a7fd510ccb94c5136860

C:\Users\Admin\Documents\GuardFox\JTb0PxmZFALhKcqoAtyuiktg.exe

MD5 39f6788e7f8353ecc003a99ce45d3355
SHA1 d1d98bfcdf41108ea1e3dbcaf9ec425265c86861
SHA256 64c147bed56a52fc41afcc96e983f9312f5ad68103c4142cd161ef304ef69a3c
SHA512 2f4c73198e15c3da035127112d3854878e9de4662a31eae3cd2d8506f4c7e02cbfd5ffb32a2a834295c26fee03b62e83c6923cc35712ecd3dfe85a19ef31243c

C:\Users\Admin\Documents\GuardFox\EwpduaZj10LbAfghmKbC0XEl.exe

MD5 50ebac3b8916f5c03d6fc1573fbec583
SHA1 ca5be7aeabd053f330588d1fd04f8a84c4f0dcb3
SHA256 a50847fd89fd4a18b7415661d19bb016ad668c49dd260baa07e0376bc8d90d61
SHA512 6665335e912d350808f1fe01a647213060b2eb19337e27481696acee0b909f2f044e2c3a3b862fb57532f349820e949b6b98f5e2e29105b2b9f80932dd98bf99

C:\Users\Admin\Documents\GuardFox\EwpduaZj10LbAfghmKbC0XEl.exe

MD5 f04f1a44c5847c2745701adee09ca0c0
SHA1 ed5f46c66b0a2663ca8d9ec41a5c60ce33343f7c
SHA256 35a0138d5f1dadf0026ab2fc9e02208245102f199fa541bf99e1420355e22dd5
SHA512 649c621470b1db83d5b5bb0f8ff2e38436817f3a588e0e3a87c7886640854c256f82a2e4ab6858e578441e3885740140a3578385a810f4c62bdd8b72967fb764

memory/4468-723-0x0000000000670000-0x0000000000770000-memory.dmp

memory/840-863-0x00007FF6398B0000-0x00007FF63A2F4000-memory.dmp

memory/840-906-0x00007FFCA0FD0000-0x00007FFCA1299000-memory.dmp

memory/4536-913-0x0000000000610000-0x0000000000611000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

memory/5588-923-0x0000000000400000-0x0000000000537000-memory.dmp

memory/5588-930-0x0000000000400000-0x0000000000537000-memory.dmp

memory/1436-943-0x0000000002540000-0x000000000265B000-memory.dmp

C:\Users\Admin\Documents\GuardFox\qKYZynyy_NBhtwhTUfWTQeXE.exe

MD5 b90cdb4a2042bd0a6167bb1bc9e8ad94
SHA1 122c52c8291252bc2577ebddcc7113accd23d929
SHA256 54990ee80391578fda5d8680dbd0e1a2d521dabffa3f094a4465a70181b1e5e4
SHA512 aa33bbd310d6c54aeb8ca1031e9b3969f38a06e7df915cd9e099942409d8936b9e035b9a9b378cbc0fc1e537ab82befcb708769befbfef90d2dc323127d10b5a

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

MD5 76ee1b57425fa824014e58cf489f9928
SHA1 4dc015c1701f7fc8e70c4629313ed5a781b83099
SHA256 b1b1abb9ccb838ff324eeb1bf1a9b30ecfe3520aba28f61a15685995b90bba4f
SHA512 dae41969a07a7f9abe632a649e097ac7d1c6edb0d89b7fb0da0e52cf17db920e1fc8be2e805cfade6c1e32f186863286b07731665f769e911b158392a8145760

memory/2804-960-0x00007FFCA35F0000-0x00007FFCA35F2000-memory.dmp

memory/4300-959-0x0000000005000000-0x0000000005064000-memory.dmp

memory/5428-958-0x0000000005180000-0x0000000005192000-memory.dmp

memory/840-952-0x00007FF6398B0000-0x00007FF63A2F4000-memory.dmp

memory/5428-950-0x00000000058B0000-0x0000000005EC8000-memory.dmp

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

MD5 6f33ccbfb65037bb8f15d956fa0375be
SHA1 85c760fe15369194767ae6620df57bdf7b5b24d7
SHA256 32d2ebff858569c4268b6383aca9fda89311450a766899c63d334c605b7d0df0
SHA512 8997855c1499b12ca79a8af6f4d4d85fac0a09332bd2dc858a0ab0248e69fc4fc7557717758901e50b41b849438a9f3364a33cc6a818cefdcadbd838d5e542a4

memory/4300-947-0x0000000004A10000-0x0000000004FB4000-memory.dmp

memory/2896-951-0x0000000005290000-0x000000000532C000-memory.dmp

memory/5588-949-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3956-946-0x0000000000BC0000-0x0000000001B73000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7eDl.cpl

MD5 1daf9bcd2766a3f4812f4c37cf8b9d7f
SHA1 16598effdd2c3541e60227ef7279e89d50f144b7
SHA256 a3492e4248df533189fda02f6b7dc8e1bbbe5ccbdf8823f4f24faa5144df46b4
SHA512 37cda8d8bb9a4a4b24bbda2ff16ae5d36d86ad32c1f13c6453e8aaebc7f9442e51c34efc1cc96bddbc60e157b07a818bb9adfd7032d52bc093cdeaf03eedf106

C:\Users\Admin\Documents\GuardFox\ztf35Sy2IebzEPWHO3U10kcF.exe

MD5 0a7ba92de129324b108148efed139677
SHA1 634ef23a81d864b183cf2ea1f0bb8bf9a1fc47e6
SHA256 f04e92f6ab432dc857dab3251c2c0ce3a880a408d810d8f9e430fe62f8f9e3cc
SHA512 14e96363150ad53fedba14c60459528e22c3fadb5e7a2f6ec62bf5788794e354cd35caf5e9c7af8e19ec27e42db0274fc3396dcb6c0204aad996658b988fe4ec

memory/1436-938-0x0000000000B77000-0x0000000000C09000-memory.dmp

memory/2896-927-0x0000000000470000-0x00000000009DC000-memory.dmp

C:\Users\Admin\Documents\GuardFox\qKYZynyy_NBhtwhTUfWTQeXE.exe

MD5 cae19937bf01eabc6618b719d001053a
SHA1 3ccfebbc7a00776a81e498347e54c664736a301a
SHA256 da450c89b880b1d154127d2fe9bf53cc8d48b985decb881f7c4a17e376612249
SHA512 449a18b2a1aa1df62be4dc28eeceea020d1a89e38e1210adad84f64791233da2ef6834eaf1af99b71721aeee3c324e055040a872f388ca7f4ae8fe43b227e161

memory/4300-922-0x0000000002350000-0x00000000023B4000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 fb7dd465e7d9417401670d2db856595e
SHA1 13a3ed34099ce82b16ab397315de7a7a5caff766
SHA256 9810c5ab62e08de4520867619015aa235a54ba1284de454c22b9014061215815
SHA512 935ca765b10c92b66af06fdb83ffeeb460db1f928560fe858c1d8560fe8a7f2ff14c4eca4891363d426bcadc87ab9a9e8feecbdcc505726d6b5be79c765a0141

C:\Users\Admin\Documents\GuardFox\Iz2F_E2SsHuStXA_nVq69RNt.exe

MD5 95eda1020636a6a9923eb7a40c5b6f5c
SHA1 04f14970f5333e099c874c6ec5038b14e41d54fa
SHA256 2bb95a44a8033f2c637b91ec2766dffef101630a1c009cbeef0905a633c0dfeb
SHA512 4a9fea6871fb980abcb902aa8aba3e5a0152a81683773f6f492e334334a625645c0b47fe49858bdac1edf048fd30f9e1b088c9e03c41a9f691dd6e307245cb46

C:\Users\Admin\Documents\GuardFox\V4pYAb0MjziI6mmnQmBlqBlp.exe

MD5 da9bdad0df080b7c330fbe5b47c9fd60
SHA1 9a8188f6ced264127c6b2fff5c8d6d68e25ef6c1
SHA256 00fd22574fdc52c4af573c2f4298b13c7c5ecafbaf8de6ecbdba221762f99386
SHA512 48ce10683a47a22f3054245f7f6e2d37d707bc9bac6bb5bbbcffe58fd3edef2af821909d563ee0d8c67c5b06a75e523326090ae74b090345ea07908d13121621

C:\Users\Admin\Documents\GuardFox\Iz2F_E2SsHuStXA_nVq69RNt.exe

MD5 ad9cf5a83e9c211f2099d573b6961584
SHA1 0c7e1c935697490092e12eb402162f8e5377b7a4
SHA256 1e5b67b934f63417bd1632859d85afda9be1eb03eb09c75e06b36a500f632c0d
SHA512 b8e6a1f05aa3e742162b95ee784ecac91980b83b22ee78c50b50d79781918e5a70da49f468b9d48921bb37871ab372a7330d4860bbae1f81e7a02d123512d839

C:\Users\Admin\Documents\GuardFox\V4pYAb0MjziI6mmnQmBlqBlp.exe

MD5 6f464ac85fb41827bccb4a21023378c2
SHA1 a962137656a8164b9652edc195b745e3c4910646
SHA256 d0c01aea107bdc2fa716cbf58c1974ca21815681adcdab080f5abb4ef009fddc
SHA512 6414ac437f111ae177a48a60d9eb54ea56dd5841004ec3e0c62928dbd482a24154fa40b226ff363dae8f5d5e567c370c0cf35b683e901e137782b67c63d92889

memory/5428-909-0x00000000008A0000-0x00000000008F8000-memory.dmp

memory/5428-965-0x00000000053A0000-0x00000000054AA000-memory.dmp

memory/2804-964-0x0000000140000000-0x0000000140876000-memory.dmp

memory/2896-967-0x0000000072E00000-0x00000000735B0000-memory.dmp

memory/5780-961-0x0000000000400000-0x0000000000889000-memory.dmp

memory/3420-963-0x0000000001060000-0x0000000001076000-memory.dmp

memory/4800-911-0x0000000002250000-0x00000000022DB000-memory.dmp

memory/4468-692-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1812-685-0x0000000000900000-0x0000000000A00000-memory.dmp

memory/5964-684-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1728-680-0x00007FF6B34F0000-0x00007FF6B3546000-memory.dmp

memory/4956-667-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\Documents\GuardFox\zZoOSmhBGpbqhOnj9hrXXQ2h.exe

MD5 4965e480459003ac3f00a47d255bd844
SHA1 1206bea3e29f6d16dcf08a31227e0fb8c1240f9a
SHA256 1a9126e74e5c23ed553fa7ebd75f2ffb8c14af809415b9d3937c02fa6c4c9dde
SHA512 ae66d9f1f5062e7fa1996427f1af84fdec23a7d18a45cc1a5b10479ca91a68318202daa3d95838d35b4026ea35ed9780c54e64db8f61a942ffe7898b74be9a1f

C:\Users\Admin\Documents\GuardFox\qKYZynyy_NBhtwhTUfWTQeXE.exe

MD5 cc049fd8ea33fca2d865424d5f56b96e
SHA1 42e6c806f9ed72b14b1889b2484ee13fe73fc8d7
SHA256 247fafbea6f2bfea5dea54df8f85e6830c1c6970bcbec31bdf2971f5b1441b2d
SHA512 dbe84dfde6b5981d38160593df33d559dde22130f262fe5d18aa4f8b6a023c07d537354747b0aa8040eb7980bc1de2fe8106469156343e20bf6569ac3e918dfa

C:\Users\Admin\Documents\GuardFox\EwpduaZj10LbAfghmKbC0XEl.exe

MD5 78816926d26a0a3aec43cdc3c4956ab8
SHA1 809e335d6002b6f32b162a00a51fd2332e8f8a79
SHA256 accf49b74c6162e418771f5820d677a54d4e9a3ba46d2c39c1053193afb6c035
SHA512 b0a57ffbf8316fadbdfb8569fcea3e0992cc96463cfe1d59419c65677c2920835da18beef8427e7a31b0350266978de80a2b880a3cfb458ce8ac2fec23b2b22f

C:\Users\Admin\Documents\GuardFox\Iz2F_E2SsHuStXA_nVq69RNt.exe

MD5 d4ac3c5d291d72aa20980676f9b75790
SHA1 d489a1c49a672ee13d938c3858af040d169e42cb
SHA256 2bbdd13429adf2d4aa15fa035c29390e44b17e3742804d1b6426c090e015ea63
SHA512 62f7e9eff0cff5daf10e3588ff43bc2ca0bde757ebab8f5a16fa31c15c14d0f38dfc6dd2b1e7ce4ab385c103178fdf5d3931460c1f021cc10484db86b0511442

memory/5428-973-0x00000000051E0000-0x000000000521C000-memory.dmp

memory/5508-968-0x0000000000460000-0x000000000115F000-memory.dmp

memory/1312-975-0x0000000077DE4000-0x0000000077DE6000-memory.dmp

memory/5964-971-0x0000000000400000-0x000000000043D000-memory.dmp

memory/5780-969-0x0000000000400000-0x0000000000889000-memory.dmp

memory/5428-978-0x0000000005290000-0x00000000052DC000-memory.dmp

memory/1312-976-0x0000000000450000-0x0000000000D64000-memory.dmp

memory/5428-982-0x0000000072E00000-0x00000000735B0000-memory.dmp

memory/840-987-0x00007FFCA0FD0000-0x00007FFCA1299000-memory.dmp

memory/1812-986-0x0000000000400000-0x000000000062E000-memory.dmp

C:\Users\Admin\AppData\Local\Web Resource Viewer\webresourceviewer.exe

MD5 8543d9894171710075152f44d9aafd57
SHA1 789e45acfa7cac7f2b7c8aa465e100c740d44635
SHA256 bd3d9c4de0f609c6f9618a036bfab5d01cdc19cf0c783132732f9a90747c7967
SHA512 43553a779efb09c1e52b56ea43d90dd0329c32b5667cd58a78d579c9944191488b2a9e357dfb0e8a3f734bc02048d98988ecd2d2b32e22282639c302766995c0

memory/840-981-0x00007FF6398B0000-0x00007FF63A2F4000-memory.dmp

memory/840-991-0x00007FFCA1BD0000-0x00007FFCA1C8E000-memory.dmp

memory/1312-990-0x0000000005530000-0x00000000055C2000-memory.dmp

memory/4956-989-0x0000000000400000-0x0000000000414000-memory.dmp

memory/840-993-0x00007FFCA33F0000-0x00007FFCA35E5000-memory.dmp

memory/5916-992-0x0000000000400000-0x0000000000454000-memory.dmp

memory/1312-995-0x00000000054B0000-0x00000000054BA000-memory.dmp

memory/5628-1003-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

memory/3956-998-0x0000000000BC0000-0x0000000001B73000-memory.dmp

memory/5532-1005-0x0000000000980000-0x00000000012C7000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 7cc972a3480ca0a4792dc3379a763572
SHA1 f72eb4124d24f06678052706c542340422307317
SHA256 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5
SHA512 ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

memory/4300-1020-0x0000000072E00000-0x00000000735B0000-memory.dmp

memory/5428-1019-0x0000000005620000-0x0000000005686000-memory.dmp

memory/5628-1006-0x0000000000400000-0x0000000000D40000-memory.dmp

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

MD5 cdfd60e717a44c2349b553e011958b85
SHA1 431136102a6fb52a00e416964d4c27089155f73b
SHA256 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512 dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

memory/5532-1002-0x00000000034E0000-0x00000000034E1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7eDL.CPL

MD5 e5e00238ad2cf184e54237951df4daa0
SHA1 30b44c9ef00259704f4f51b472a66ad153f85ca9
SHA256 f41b440c1222e5a5edcce6af4ce8953df7e0e452718966cc3e4e79cd1397623b
SHA512 c47bc03a3c96bbd9081562602d5238caebf0a5bee1506ae233dd672fecb12ee66b14871e251ef319a76b8ed8d2630c176c2c6befde52993734988fd9bb2ca3f9

memory/1812-1033-0x0000000061E00000-0x0000000061EF3000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7eDl.cpl

MD5 af90b0d4141e3024662bac83e4f48206
SHA1 882f8c053cac13ac0dc7927f757b6df1e9d7471b
SHA256 09e76675aa5b993f36384bfa97b94869178c8e75eb731e1f51f507573aa40310
SHA512 5bbd966ee76c77eece767e6f824a8982d3ee68ae74b4caa7bbfcde65febf6a41a02763724fe9665940e928afbf159cc712fc540cfba1439561974b4d84cab4be

C:\Users\Admin\Documents\GuardFox\JTb0PxmZFALhKcqoAtyuiktg.exe

MD5 ba8c91e4dc237de34a9a91004d04eb50
SHA1 506d20662fefda05993536b66b1c44f607fba7cd
SHA256 11f45adf6d94e5bb036cb104e476b5cd57abe6fa7915ea01475b8ac606c02e00
SHA512 ccf2691b1c62f9794451dcbbe0e22b979d33f76082b171cb2ab4d70ced64868450237db3ec105c8032f30b80340ee6cbbdbe5d3ce62a6aa2e8f26bdbbbae3dc3

memory/1312-1054-0x0000000076AD0000-0x0000000076BC0000-memory.dmp

memory/3956-1056-0x0000000076AD0000-0x0000000076BC0000-memory.dmp

memory/1312-1058-0x0000000076AD0000-0x0000000076BC0000-memory.dmp

memory/1312-1063-0x0000000076AD0000-0x0000000076BC0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A65DBECD82A40019E873CE4ED0A79570

MD5 45f01cde87b673a91026d282f79c395b
SHA1 0120b973caa006b996dcfc96ec6df937699b33de
SHA256 60f1e0c875ffe512dd10b4cdd854b298813219ee8e3a54827cfaa5e8d709feb6
SHA512 94d187f61ee070092370ea56a3072854b1eaba02d479216855c5ae7079cbd2024620eaef4bb7c81ad28f76094cbcf64f400b3e3faf1d8001fbd55be004b70848

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A65DBECD82A40019E873CE4ED0A79570

MD5 e901cfece1b8674aaed4ac5a9e1ff7f8
SHA1 21767f76932d1e1fb587ba437fd50affc1d97d8c
SHA256 45699fef9dfc5acd462e20ee732df1948ffc19750cac02284e8120015cb41ae8
SHA512 eadc1382204877bb2b6d4ec496412f2e043ea3bf0e8ee5bbed5e3dad92a3fd68fa7ff2c24de91dce5bd7cde3d9896cea686c3cf95d7de10ce0db2ea0000e4c80

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

MD5 589fde611353f6b2fa8c8afe88af1a0a
SHA1 57c87e13a64ce89bd6a6caf50e4926351675a5ee
SHA256 15c8ba6bd7d3bbec3363f20b6b32429a89ae276096ff587565da98d29529fc6e
SHA512 2ba829042e83bbbbc2be7239c31d322a6b7267b1afe7df6a2887d65ae0fb88de05f713dc038703ebebd10aad96d2ac75d4e55841dd6774263c3e319b8343923d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

MD5 d2cf38c2dbb1209bc8987b5ee6ccfedf
SHA1 64e373568d144b634f8468c97f8b8ea4bde3e4a4
SHA256 156dd420cfccc9472d5dc14afe3e715de5d47e537ccda59316a9be8e581e4d7b
SHA512 0509266293adc85819e6accb72337af6ed9a72e974b866ae5854dfd2a5055525380eb9f3dc39548de896e61b65b28f390c94ef579368a941af4bcc8fff9b7f2a

C:\Users\Admin\Documents\GuardFox\JW2xld96xf8kgJdQEwqnGgrz.exe

MD5 46f510b451021ce27537693e8dbf7420
SHA1 c294aaf7f325f1ace8f40920ce89d564fee9c9f9
SHA256 1dabb6e2edabd4167a3a570bd70c7f47ae96f32fc74348b8bf22319be4de4b7d
SHA512 53f25eb50c4fe7124ba64842fb419639d0c3abe1f8ed8b311e43a5ff8efc2d33cd97e65012bcf3ed8fabd0a193fa5d0660b53da56636e3a455bd04af2229abec

memory/5428-1075-0x0000000006090000-0x0000000006106000-memory.dmp

C:\Users\Admin\Documents\GuardFox\k9Keflj4cumGOB0nHrIBIism.exe

MD5 eab12c1dabdc764b86cf9afa8cbdacef
SHA1 b235a5f11926483c63a08d7223fbc54fff6d2953
SHA256 51d89b14cb52fd26a3995958fae9124ab774f00994ac9e3aa64ea52955fde8f0
SHA512 3547550905ec8aef76a816c81e3d9c5a59d9e0ffe9c060b835ea5c545c20ef56c14ed4accfd9d76e951baff4f894c0f5ffee7f5b0db2716aa710178d075a7abe

memory/5428-1107-0x0000000006270000-0x000000000628E000-memory.dmp

C:\Users\Admin\Documents\GuardFox\JW2xld96xf8kgJdQEwqnGgrz.exe

MD5 b55217b178b74e29da3a7ca7a714ab54
SHA1 f1d3bfe7b83fd50408cd678e48587e7a6f5618d1
SHA256 33b7a904b67bce952eff98b55e33c9d39fbd29f6cc3c2677fc0cc1a5b3f4d3b2
SHA512 ef1418c5c8a3607d681e8ebbfabfbd2f9268bbd954e5a05b7c0d4d6abf60aa3bc533e2ade24bfc9ef02202f7421a853739c596176ef85dadf16e3041805a6a65

C:\Users\Admin\Documents\GuardFox\JW2xld96xf8kgJdQEwqnGgrz.exe

MD5 0099a99f5ffb3c3ae78af0084136fab3
SHA1 0205a065728a9ec1133e8a372b1e3864df776e8c
SHA256 919ae827ff59fcbe3dbaea9e62855a4d27690818189f696cfb5916a88c823226
SHA512 5ac4f3265c7dd7d172284fb28c94f8fc6428c27853e70989f4ec4208f9897be91720e8eee1906d8e843ab05798f3279a12492a32e8a118f5621ac5e1be2031b6

memory/2804-1140-0x0000000140000000-0x0000000140876000-memory.dmp

memory/5428-1144-0x0000000008350000-0x00000000083A0000-memory.dmp

memory/5428-1143-0x0000000007D30000-0x0000000007EF2000-memory.dmp

memory/5428-1147-0x00000000088D0000-0x0000000008DFC000-memory.dmp

memory/4800-1148-0x000000000345F000-0x0000000003850000-memory.dmp

memory/4800-1146-0x0000000003450000-0x000000000345F000-memory.dmp

C:\Windows\System32\GroupPolicy\GPT.INI

MD5 93b3886bce89b59632cb37c0590af8a6
SHA1 04d3201fe6f36dc29947c0ca13cd3d8d2d6f5137
SHA256 851dd2bb0f555afaef368f1f761154da17360aeea4c01b72e43bf83264762c9f
SHA512 fc7baef346b827c3a1338819baa01af63d2d4c31f3f7e17b6f6b72adab70de81872a67e8f3c1a28453abb595dbac01819a9bcff0710e9651a45deaf2f89e65fb

memory/5800-1161-0x00000000022F0000-0x00000000022FF000-memory.dmp

memory/5800-1162-0x00000000022FF000-0x00000000026F0000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 f924638b5f0f0fbd9c84107135c0f158
SHA1 7091b773861c8ca03263769f4ab0b605a2da374d
SHA256 1c9edc08c17683bc6af3f79a4929e07844b2d8db08edd9d93f044ae69190f0b3
SHA512 f4f4af48b1dbd2842e8d34e51fb8907309d10252f311fecfdc69eb67171d4893fe3e70d89b47bc00268c9728b83bc10daf4e5badd382e380130d479a3160fc13

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 9cb5fed1df4d67fc4dbf77eb46d75f80
SHA1 cd045c2bc1753c4bd55e09cd7f6822ed81ab6f7a
SHA256 886ddf853ace08da35f7e95b04676b7b30d861e349cbc1a706d8fe74ffd83bfd
SHA512 4bd7801fcf0636cebb1736930944cfbbadb8ebe5086a90621a88bb4987a42f9840f40d1524511111080cdaeb400933e139335561859521a63c8eaa4cc5b3c717

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 b0e04da50e22c31e5a1bcd823b31bc0a
SHA1 834ed42ea8cc071f41030231dfd38dbdd3a92c33
SHA256 b97307b15450163273d276f2918012e7afbcb2dfe9359886402fc7acbc198031
SHA512 37f70063bf02ed58b18dba6b1986fae9d57a6b54cded5d929098dab98fe450e81a8461c59e3f19a7e45c2b59295494264322747427cd1a30cdb3cbdd12238df5

C:\Users\Admin\Documents\GuardFox\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

memory/2088-1183-0x0000000000930000-0x0000000000938000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe

MD5 2c87a61333897fbcf530ba0365d2e700
SHA1 e1f24cb583d0c8c8a95e14557d0b01150d3071b6
SHA256 59d86aaa9d414ed5f0f812ea097166c707c78577589237047fde983b0ff62c2c
SHA512 52ce5c37d34134edece4c399739e13000b7947a218a6c66effec847a7eb0ab995705f4eec1caabf95d496a54c8deecf5ecb118acf5121c9ec6cffe5debd4de7b

C:\Users\Admin\AppData\Local\Temp\1000113001\e0cbefcb1af40c7d4aff4aca26621a98.exe

MD5 5a92aeb22e361ebcfbd975c5e18b614b
SHA1 a746eaf6e2ec4bb5caa1130cd5f74221f0711bc3
SHA256 9c59160407afc133e707bceee91d12b492a5e77982893d9bad73219b39085579
SHA512 e4341bf9744ea055df9b8a23b3760711c755192a9f7976538a57d30cfeb67fa51240271651bc2bb8587492cd6812de3e533bdd51a89c77b2291538adccd72b42

C:\ProgramData\mozglue.dll

MD5 d8eac53987b5005a3ebae4be5e3649d3
SHA1 baa011a3884297b14fe1de242b9dd2728681a67d
SHA256 9c6f457c53026bb88aac7925859900c1a4de5ffdf65aaf41d5dcc9d56eb1bfde
SHA512 8cb624fa3c8d0b2478b3e08e32551688418a277af5931004b07759b653a0204b0d578c382120e0abe4472eba7512408e68b7ff7cb30c9a70c1616c8407fb5bd4

C:\Users\Admin\AppData\Local\Temp\1000114001\InstallSetup8.exe

MD5 bb4b21aa7671e0baec96eba7864aa8e2
SHA1 d8353c2ae3748cf70a88651b5b66c3a71502a01b
SHA256 2593a7f5a9dc149268edb4879fbbc5df773b08deebfcdc391f66ad07597b2016
SHA512 c07f0eb40d4aabd3051d57e226e0789b5c419a6368a636fdcafd1189d70c4b06fcdeb89d43fdbd7e95e8e1828e6f2e4c8ee75a233a0d6a111cc6307f02bea09f

C:\Users\Admin\AppData\Local\Temp\1000115001\toolspub1.exe

MD5 7425a083398b17d64cfb52a00d48db50
SHA1 ef24f4394fe0ccfe21c5e0c025c2b04884c3d295
SHA256 ea73f95c11dc2dee2df70f6cdf91f2283ed93f02e7d374e1ced51adb1e8aa2c2
SHA512 3e38161eb5c845b287374c095246b96ae885140b9696d39a59ddbccd761f7f4e1e460e8a4a2931e070bacfa93aa8117a70334d5f237a51b94ebabf0f616c684b

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Temp\nsj4E7A.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\1000119001\FirstZ.exe

MD5 162f0dde22d09397c77318df6da77f87
SHA1 d4215189ee53cb5a00aa52eef962c20d6cdc2b63
SHA256 ea4d490e028ab7abca09e3b981596808b333bfece1667f2c6d65f8f5ef5da481
SHA512 6e187adfd4dc94932b39c1ac19416bb88f93a7f27af86a2c827f382017e21ca82b5f2aff827b25991a25cf3fa2b5cd8c903ee221382d751ef03a836d582ca21a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ceoajhiemdnnjfbilpkblfjghmmbhbda\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 898ce1b4e9ccc82fc5f85614d29597a8
SHA1 4f7dfec452a53a133165f1959abefbcb922135fe
SHA256 9677aecea5733abe1ff96ed44c7433801b66aafe8f709dd5c6996394cc67d950
SHA512 21ca32c276993ddd8da1d2c5eb8335f75dbf87050f3533d75392ae07ba646dbb10d9b72fc9846b630ccb6c00e08c80a1f6c61d9b4032475322160c4b35af0fdd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 41b14389b4aa198ff0ad6288da442f89
SHA1 2fca0116c34bc7a00552e79dc9da4800581925af
SHA256 f47ecfa9118bcc33545be89741e528e86d169bbc9a1fddcc2eb73e0820342731
SHA512 470a8520387fbfd2641b9c45fa1a1c34af616b0ec63ac87840419991470b65cad4b14ee424e68764655fae45773377d5ac5284bffe77557f737c96913a519ed8

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 48d74d3db0f339870d96eab2a28219e0
SHA1 4e98b32e1304128e859167423b78b3af71416d8b
SHA256 0d192a45029e7d63f36f772b45754945e6aafc9a3a61681755b9ec4f4ca1a681
SHA512 a68b16debc525212ce745ffe495f56f94349e437360d9bb006da87e554ca7d98ac8b9561ddd5b548d668f1e45676b40c7408fadfa4bc8e188b728388096e935e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

MD5 43006352d0e7ee8cf655edea38e0425e
SHA1 1aa2a1ef78075e67cdb42dd2340f9f0912dcfee1
SHA256 05a8c478ce70187867e574a4cd156b06a861c2b8ec326ebbc323b0686d5d6cb8
SHA512 8655c2752445d5b3accd1064ade37b0c527881c8cc4b9f0ebfb25bde39afc43babf547be75a749dc13ee0a6d5044d2418501e61b328ba615d5b51eaea2474a52

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5882b8.TMP

MD5 ad53bb075d09d1d0687136c4d6c85e55
SHA1 09efebe4bf539f48255795b4fdeb63d0627343a9
SHA256 bc909f379285232117a53e307c2c370ac1537f449ee0afbd9b1581aa02ee0ff6
SHA512 930c86a3b449cd2519bd4af5da68e2ccab03c092f4fd466d69ebe65111197c69b67b28ffa6a0592a36f46697373243ac9614ada61640f7c701dfba0027866dc7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 509ec7fac37ab5d2f3d7f296f7491071
SHA1 472e6ee776262147b90e3713b2413cc1152f5f33
SHA256 f3a11da2f92fad3498bade15472b602799c9d78a7bb3af7085d44d9fedd51791
SHA512 26482ed59217fefa962feaec138591ccee7f874f19426247a78a89ab8286ac597a7e98a26fc10c0d8b0d6cd609d706c6761544ea2199f6707a408eb45945b041

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5173333756c00117e23a58e41c5f2b2f
SHA1 e311444b48ccbd0da556a7126f8b35aa77f95bc4
SHA256 a67f17e4cbb4b7ec70e7961315d6ca1292630fedcdb545d6dc18c3834c7d345a
SHA512 fbc14d393cb72f79803cf282d9ad2097e4c7a4e7c01fcd8b9bbaac6bb16d7e4cf591ace208ba900a023db66460627341ef6bb9af3b987a0f33d9ce80d2d0b923

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\22916dda388fdd5c24ab9c90241be0b2

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9