Malware Analysis Report

2024-12-08 00:43

Sample ID 240125-p3s1esghbp
Target setup.exe
SHA256 b729041a35d234ebe4f05e2d8cd5c0e591a4a114ee3f8f5375b4a5e2eade869b
Tags
themida amadey djvu redline risepro smokeloader stealc zgrat pub3 backdoor discovery evasion infostealer persistence ransomware rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b729041a35d234ebe4f05e2d8cd5c0e591a4a114ee3f8f5375b4a5e2eade869b

Threat Level: Known bad

The file setup.exe was found to be: Known bad.

Malicious Activity Summary

ZGRat

Djvu Ransomware

RedLine

SmokeLoader

RisePro

Stealc

Detect ZGRat V1

RedLine payload

Amadey

Detected Djvu ransomware

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Creates new service(s)

Stops running service(s)

Downloads MZ/PE file

.NET Reactor protector

Modifies file permissions

Checks computer location settings

Reads user/profile data of web browsers

Checks BIOS information in registry

Themida packer

Looks up external IP address via web service

Checks whether UAC is enabled

NSIS Integrity Check function

AutoIT Executable

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Launches sc.exe

Program crash

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Kills process with taskkill

Delays execution with timeout.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 12:51

Signatures

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 12:51

Reported

2024-01-25 12:54

Platform

win10v2004-20231215-en

Max time kernel

5s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Amadey

trojan amadey

Detect ZGRat V1

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Detected Djvu ransomware

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Djvu Ransomware

ransomware djvu

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A

Creates new service(s)

persistence

Downloads MZ/PE file

Stops running service(s)

evasion

.NET Reactor protector

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ipinfo.io | N/A | N/A
N/A | api.myip.com | N/A | N/A
N/A | api.myip.com | N/A | N/A
N/A | api.2ip.ua | N/A | N/A
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A
N/A | ipinfo.io | N/A | N/A
N/A | api.2ip.ua | N/A | N/A
N/A | api.myip.com | N/A | N/A

NSIS Integrity Check function

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

AutoIT Executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A

Launches sc.exe

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A
N/A | N/A | C:\Windows\system32\sc.exe | N/A

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Documents\GuardFox\ebAxaGaWrmPTFikPMf2BNIV0.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\41DB.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Documents\GuardFox\9BJtdwBE6uYtiYT3Askmjm_H.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Documents\GuardFox\H2MKshX0QMUqIM1mTeXAcHVI.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\2AB.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\toolspub1.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\1000583001\store.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\nsh55B0.tmp
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\nsbC735.tmp

Delays execution with timeout.exe

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A

Kills process with taskkill

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Users\Admin\Documents\GuardFox\V1aQ4WgGmYDw4WTokypwxW0O.exe

"C:\Users\Admin\Documents\GuardFox\V1aQ4WgGmYDw4WTokypwxW0O.exe"

C:\Users\Admin\Documents\GuardFox\ebAxaGaWrmPTFikPMf2BNIV0.exe

"C:\Users\Admin\Documents\GuardFox\ebAxaGaWrmPTFikPMf2BNIV0.exe"

C:\Users\Admin\Documents\GuardFox\X_EnyONBjNVniUxjdzzaCDJx.exe

"C:\Users\Admin\Documents\GuardFox\X_EnyONBjNVniUxjdzzaCDJx.exe"

C:\Users\Admin\Documents\GuardFox\XXOA9F19qkaFn8XhoZKAzo0p.exe

"C:\Users\Admin\Documents\GuardFox\XXOA9F19qkaFn8XhoZKAzo0p.exe"

C:\Users\Admin\Documents\GuardFox\5il1F6kCyub7JoMkSaPcMygv.exe

"C:\Users\Admin\Documents\GuardFox\5il1F6kCyub7JoMkSaPcMygv.exe"

C:\Users\Admin\Documents\GuardFox\9BJtdwBE6uYtiYT3Askmjm_H.exe

"C:\Users\Admin\Documents\GuardFox\9BJtdwBE6uYtiYT3Askmjm_H.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6168 -ip 6168

C:\Users\Admin\Documents\GuardFox\EAjZobOuZpxn1lFyXQAYd0GT.exe

"C:\Users\Admin\Documents\GuardFox\EAjZobOuZpxn1lFyXQAYd0GT.exe"

C:\Users\Admin\Documents\GuardFox\JFnaejzd3kJTyTcM3MBHgFai.exe

"C:\Users\Admin\Documents\GuardFox\JFnaejzd3kJTyTcM3MBHgFai.exe"

C:\Users\Admin\Documents\GuardFox\9nAjk7ElylJ34eBZk5HqODkt.exe

"C:\Users\Admin\Documents\GuardFox\9nAjk7ElylJ34eBZk5HqODkt.exe"

C:\Users\Admin\Documents\GuardFox\9BJtdwBE6uYtiYT3Askmjm_H.exe

"C:\Users\Admin\Documents\GuardFox\9BJtdwBE6uYtiYT3Askmjm_H.exe"

C:\Windows\SysWOW64\regsvr32.exe

"C:\Windows\System32\regsvr32.exe" -s zi5OPV~J.ZcZ

C:\Users\Admin\AppData\Local\XDR Encode LIB\xdrencodelib.exe

"C:\Users\Admin\AppData\Local\XDR Encode LIB\xdrencodelib.exe" -i

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

C:\Users\Admin\AppData\Local\XDR Encode LIB\xdrencodelib.exe

"C:\Users\Admin\AppData\Local\XDR Encode LIB\xdrencodelib.exe" -s

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\814f385a-7c19-4988-9be9-fb7378e2b858" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH1\MPGPH1.exe" /tn "MPGPH1 HR" /sc HOURLY /rl HIGHEST

C:\Users\Admin\Documents\GuardFox\Ql5uOaERvm01yozk4imVjg8y.exe

"C:\Users\Admin\Documents\GuardFox\Ql5uOaERvm01yozk4imVjg8y.exe"

C:\Users\Admin\Documents\GuardFox\01H6aVrK5ITjQyGqEYss8eSC.exe

"C:\Users\Admin\Documents\GuardFox\01H6aVrK5ITjQyGqEYss8eSC.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\msvcp_win\UniversalInstaller.exe

C:\Users\Admin\AppData\Local\Temp\msvcp_win\UniversalInstaller.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN 01H6aVrK5ITjQyGqEYss8eSC.exe /TR "C:\Users\Admin\Documents\GuardFox\01H6aVrK5ITjQyGqEYss8eSC.exe" /F

C:\Users\Admin\AppData\Roaming\msvcp_win\UniversalInstaller.exe

"C:\Users\Admin\AppData\Roaming\msvcp_win\UniversalInstaller.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH1\MPGPH1.exe" /tn "MPGPH1 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd040d9758,0x7ffd040d9768,0x7ffd040d9778

C:\Users\Admin\AppData\Local\Temp\jobA4W48N2PKjE7S0l\BG_HewEom_yo4_0Ymqx5.exe

"C:\Users\Admin\AppData\Local\Temp\jobA4W48N2PKjE7S0l\BG_HewEom_yo4_0Ymqx5.exe"

C:\Users\Admin\Documents\GuardFox\tOwu157Mq2IKHvu7Kopa_Klj.exe

"C:\Users\Admin\Documents\GuardFox\tOwu157Mq2IKHvu7Kopa_Klj.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6168 -s 340

C:\Users\Admin\Documents\GuardFox\09KCWMn5NJWpwl11JomKZL6W.exe

"C:\Users\Admin\Documents\GuardFox\09KCWMn5NJWpwl11JomKZL6W.exe"

C:\Users\Admin\Documents\GuardFox\grSxAgZJX8EppGTk0v0tdRzD.exe

"C:\Users\Admin\Documents\GuardFox\grSxAgZJX8EppGTk0v0tdRzD.exe"

C:\Users\Admin\Documents\GuardFox\Dimu1yCf_rncQH2Q9EK34rw7.exe

"C:\Users\Admin\Documents\GuardFox\Dimu1yCf_rncQH2Q9EK34rw7.exe"

C:\Users\Admin\AppData\Local\Temp\is-3NCJE.tmp\V1aQ4WgGmYDw4WTokypwxW0O.tmp

"C:\Users\Admin\AppData\Local\Temp\is-3NCJE.tmp\V1aQ4WgGmYDw4WTokypwxW0O.tmp" /SL5="$601C6,3267177,54272,C:\Users\Admin\Documents\GuardFox\V1aQ4WgGmYDw4WTokypwxW0O.exe"

C:\Users\Admin\Documents\GuardFox\VOuudOuU1Ykz6N8RTAbw4HLv.exe

"C:\Users\Admin\Documents\GuardFox\VOuudOuU1Ykz6N8RTAbw4HLv.exe"

C:\Users\Admin\Documents\GuardFox\m5OlHZeBRqi1Mg7BuzgzMLJO.exe

"C:\Users\Admin\Documents\GuardFox\m5OlHZeBRqi1Mg7BuzgzMLJO.exe"

C:\Users\Admin\Documents\GuardFox\rhita_ubUD9ElUjVw637Qqfd.exe

"C:\Users\Admin\Documents\GuardFox\rhita_ubUD9ElUjVw637Qqfd.exe"

C:\Users\Admin\Documents\GuardFox\H2MKshX0QMUqIM1mTeXAcHVI.exe

"C:\Users\Admin\Documents\GuardFox\H2MKshX0QMUqIM1mTeXAcHVI.exe"

C:\Users\Admin\Documents\GuardFox\aec295eMcA06P4qpEdbSbnh9.exe

"C:\Users\Admin\Documents\GuardFox\aec295eMcA06P4qpEdbSbnh9.exe"

C:\Users\Admin\AppData\Local\Temp\jobA4W48N2PKjE7S0l\pwIrSZJhdSPQHIU9wnJt.exe

"C:\Users\Admin\AppData\Local\Temp\jobA4W48N2PKjE7S0l\pwIrSZJhdSPQHIU9wnJt.exe"

C:\Users\Admin\AppData\Local\Temp\jobA4W48N2PKjE7S0l\vvJw4rG2zAyTBq1J8RPQ.exe

"C:\Users\Admin\AppData\Local\Temp\jobA4W48N2PKjE7S0l\vvJw4rG2zAyTBq1J8RPQ.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2240 --field-trial-handle=1884,i,16710954634878438524,2363845882023732773,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2928 --field-trial-handle=1884,i,16710954634878438524,2363845882023732773,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2936 --field-trial-handle=1884,i,16710954634878438524,2363845882023732773,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2008 --field-trial-handle=1884,i,16710954634878438524,2363845882023732773,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe"

C:\Users\Admin\AppData\Local\Temp\jobA4W48N2PKjE7S0l\t7SzBAV_odeIrXbYDGZk.exe

"C:\Users\Admin\AppData\Local\Temp\jobA4W48N2PKjE7S0l\t7SzBAV_odeIrXbYDGZk.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1884,i,16710954634878438524,2363845882023732773,131072 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2AB.exe

C:\Users\Admin\AppData\Local\Temp\2AB.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffcefae46f8,0x7ffcefae4708,0x7ffcefae4718

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Users\Admin\AppData\Local\Temp\jobA4W48N2PKjE7S0l\nE5wqfSnm8O9dB7Rjmv3.exe

"C:\Users\Admin\AppData\Local\Temp\jobA4W48N2PKjE7S0l\nE5wqfSnm8O9dB7Rjmv3.exe"

C:\Users\Admin\AppData\Local\Temp\2AB.exe

C:\Users\Admin\AppData\Local\Temp\2AB.exe

C:\Users\Admin\AppData\Local\Temp\991.exe

C:\Users\Admin\AppData\Local\Temp\991.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explorhe.exe /TR "C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe" /F

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcefae46f8,0x7ffcefae4708,0x7ffcefae4718

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcefae46f8,0x7ffcefae4708,0x7ffcefae4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcefae46f8,0x7ffcefae4708,0x7ffcefae4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcefae46f8,0x7ffcefae4708,0x7ffcefae4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffcefae46f8,0x7ffcefae4708,0x7ffcefae4718

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,17620963079219856816,16826920636930651884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3628 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5252 --field-trial-handle=1884,i,16710954634878438524,2363845882023732773,131072 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1496,17736807919263485849,6676997977547285210,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2076 /prefetch:3

C:\Users\Admin\AppData\Local\Temp\1BF2.exe

C:\Users\Admin\AppData\Local\Temp\1BF2.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,17620963079219856816,16826920636930651884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,17620963079219856816,16826920636930651884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3904 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5400 --field-trial-handle=1884,i,16710954634878438524,2363845882023732773,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd040d9758,0x7ffd040d9768,0x7ffd040d9778

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,17620963079219856816,16826920636930651884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4396 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=5108 --field-trial-handle=1884,i,16710954634878438524,2363845882023732773,131072 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\is-V951F.tmp\1BF2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-V951F.tmp\1BF2.tmp" /SL5="$20336,3419525,54272,C:\Users\Admin\AppData\Local\Temp\1BF2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,17620963079219856816,16826920636930651884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5900.0.687596558\545617948" -parentBuildID 20221007134813 -prefsHandle 1792 -prefMapHandle 1660 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ddd7f146-1cce-49b5-82a6-9d963341d515} 5900 "\\.\pipe\gecko-crash-server-pipe.5900" 1880 255c85d8658 gpu

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,17620963079219856816,16826920636930651884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,17620963079219856816,16826920636930651884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4904 --field-trial-handle=1884,i,16710954634878438524,2363845882023732773,131072 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5900.1.1172115614\1443460469" -parentBuildID 20221007134813 -prefsHandle 2308 -prefMapHandle 2304 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cddda39b-f425-45c2-82a2-4eb8591f6617} 5900 "\\.\pipe\gecko-crash-server-pipe.5900" 2320 255bc3d9658 socket

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd040d9758,0x7ffd040d9768,0x7ffd040d9778

C:\Users\Admin\AppData\Local\Temp\1579.exe

C:\Users\Admin\AppData\Local\Temp\1579.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 5516 -ip 5516

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,17620963079219856816,16826920636930651884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5660 --field-trial-handle=1884,i,16710954634878438524,2363845882023732773,131072 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5900.2.1015180887\381696221" -childID 1 -isForBrowser -prefsHandle 3504 -prefMapHandle 3500 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7435fecc-5d08-4a76-a635-5bf2d85d0014} 5900 "\\.\pipe\gecko-crash-server-pipe.5900" 3516 255c8562b58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5900.3.2114858732\702287191" -childID 2 -isForBrowser -prefsHandle 3688 -prefMapHandle 3684 -prefsLen 21709 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c5e958f1-f38d-4fa4-894b-5804c1fefbb8} 5900 "\\.\pipe\gecko-crash-server-pipe.5900" 3700 255cc266858 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5900.5.944872052\647793367" -childID 4 -isForBrowser -prefsHandle 4832 -prefMapHandle 4828 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23568df7-6b98-41ad-91f0-6fd961a4e7a8} 5900 "\\.\pipe\gecko-crash-server-pipe.5900" 3828 255cec94858 tab

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Documents\GuardFox\H2MKshX0QMUqIM1mTeXAcHVI.exe" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2008 -ip 2008

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5516 -s 1308

C:\Users\Admin\AppData\Local\Temp\41DB.exe

C:\Users\Admin\AppData\Local\Temp\41DB.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5900.6.1396627127\760816873" -childID 5 -isForBrowser -prefsHandle 5256 -prefMapHandle 5252 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {676b9269-45ea-4e82-8010-e544fcc18c36} 5900 "\\.\pipe\gecko-crash-server-pipe.5900" 5272 255cbc8bb58 tab

C:\Users\Admin\Documents\GuardFox\9BJtdwBE6uYtiYT3Askmjm_H.exe

"C:\Users\Admin\Documents\GuardFox\9BJtdwBE6uYtiYT3Askmjm_H.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 9188 -ip 9188

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe"

C:\Users\Admin\AppData\Local\Temp\49FB.exe

C:\Users\Admin\AppData\Local\Temp\49FB.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 9188 -s 340

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 6236 -ip 6236

C:\Users\Admin\AppData\Local\Temp\1000605001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000605001\leg221.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6236 -s 568

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\explorhe.exe

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe

"C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe"

C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe

"C:\Users\Admin\AppData\Local\Temp\d887ceb89d\qemu-ga.exe"

C:\Users\Admin\AppData\Local\Temp\1000583001\store.exe

"C:\Users\Admin\AppData\Local\Temp\1000583001\store.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 2452

C:\Users\Admin\Documents\GuardFox\9BJtdwBE6uYtiYT3Askmjm_H.exe

"C:\Users\Admin\Documents\GuardFox\9BJtdwBE6uYtiYT3Askmjm_H.exe" --Admin IsNotAutoStart IsNotTask

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="5900.4.64406858\1430840451" -childID 3 -isForBrowser -prefsHandle 2976 -prefMapHandle 2960 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 964 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {869c6749-5f77-4ee5-a3be-6a8ed3c59be1} 5900 "\\.\pipe\gecko-crash-server-pipe.5900" 2996 255cd283558 tab

C:\Users\Admin\AppData\Local\Temp\3586.exe

C:\Users\Admin\AppData\Local\Temp\3586.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,17620963079219856816,16826920636930651884,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd040d9758,0x7ffd040d9768,0x7ffd040d9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4748 --field-trial-handle=1884,i,16710954634878438524,2363845882023732773,131072 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,17620963079219856816,16826920636930651884,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2476 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,17620963079219856816,16826920636930651884,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,17620963079219856816,16826920636930651884,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\1000611001\installs.exe

"C:\Users\Admin\AppData\Local\Temp\1000611001\installs.exe"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 5728 -ip 5728

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5728 -s 1292

C:\Users\Admin\AppData\Local\Temp\nsh55B0.tmp

C:\Users\Admin\AppData\Local\Temp\nsh55B0.tmp

C:\Users\Admin\AppData\Local\Temp\1000616001\latestrocki.exe

"C:\Users\Admin\AppData\Local\Temp\1000616001\latestrocki.exe"

C:\Users\Admin\AppData\Local\Temp\1000615001\2024.exe

"C:\Users\Admin\AppData\Local\Temp\1000615001\2024.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd040d9758,0x7ffd040d9768,0x7ffd040d9778

C:\Users\Admin\AppData\Local\Temp\1000614001\gold1201001.exe

"C:\Users\Admin\AppData\Local\Temp\1000614001\gold1201001.exe"

C:\Users\Admin\AppData\Local\Temp\1000613001\alex.exe

"C:\Users\Admin\AppData\Local\Temp\1000613001\alex.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Users\Admin\AppData\Local\Temp\1000612001\TrueCrypt_NyNIUi.exe

"C:\Users\Admin\AppData\Local\Temp\1000612001\TrueCrypt_NyNIUi.exe"

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe"

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

"C:\Users\Admin\AppData\Local\Temp\toolspub1.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

"C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 6428 -ip 6428

C:\Users\Admin\AppData\Local\Temp\rty25.exe

"C:\Users\Admin\AppData\Local\Temp\rty25.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6428 -s 348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1664 -ip 1664

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

"C:\Users\Admin\AppData\Local\Temp\FirstZ.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3108 -ip 3108

C:\Users\Admin\AppData\Local\Temp\nsbC735.tmp

C:\Users\Admin\AppData\Local\Temp\nsbC735.tmp

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2008 --field-trial-handle=2384,i,9421816938431777257,7135572331217421270,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1944 --field-trial-handle=2384,i,9421816938431777257,7135572331217421270,131072 /prefetch:8

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1836 --field-trial-handle=2384,i,9421816938431777257,7135572331217421270,131072 /prefetch:2

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 388

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\taskkill.exe

"taskkill.exe" /im chrome.exe /f

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3140 --field-trial-handle=2384,i,9421816938431777257,7135572331217421270,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=2384,i,9421816938431777257,7135572331217421270,131072 /prefetch:1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3108 -s 948

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 7040 -ip 7040

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7040 -s 552

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 400

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe"

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

"C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe"

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 624 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 688

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1664 -ip 1664

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 716

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 1664 -ip 1664

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1664 -ip 1664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 772

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\1000618001\crypted.exe

"C:\Users\Admin\AppData\Local\Temp\1000618001\crypted.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Users\Admin\AppData\Local\Temp\1000619001\rdx1122.exe

"C:\Users\Admin\AppData\Local\Temp\1000619001\rdx1122.exe"

C:\Users\Admin\AppData\Local\Temp\1000617001\moto.exe

"C:\Users\Admin\AppData\Local\Temp\1000617001\moto.exe"

C:\Users\Admin\AppData\Local\Temp\1000620001\leg221.exe

"C:\Users\Admin\AppData\Local\Temp\1000620001\leg221.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 1664 -ip 1664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1664 -s 752

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe delete "FLWCUERA"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe

"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c choice /C Y /N /D Y /T 3 & Del "C:\Users\Admin\AppData\Local\Temp\1000617001\moto.exe"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start "FLWCUERA"

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

C:\Windows\system32\conhost.exe

conhost.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsh55B0.tmp" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 636 -p 8184 -ip 8184

C:\Windows\system32\choice.exe

choice /C Y /N /D Y /T 3

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 8184 -s 2504

C:\Users\Admin\Documents\GuardFox\01H6aVrK5ITjQyGqEYss8eSC.exe

C:\Users\Admin\Documents\GuardFox\01H6aVrK5ITjQyGqEYss8eSC.exe

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\timeout.exe

timeout /t 5

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 608 -p 7688 -ip 7688

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 7688 -s 1016

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Windows\SysWOW64\choice.exe

choice /C Y /N /D Y /T 3
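The process list above is raw sandbox output, and most of its behavioral signal sits in a handful of lines: MSBuild.exe and RegAsm.exe launched with no arguments (the usual sign of a payload injected into a signed .NET host; the report does not say which family landed in which host, so confirm that against the memory dumps), the two cmd.exe chains that wait with timeout or choice and then del their parent, rundll32.exe loading clip64.dll from AppData\Roaming, the MalayamaraUpdate scheduled task firing every 30 minutes, the FLWCUERA service whose binary lives under ProgramData together with an sc stop eventlog between its create and start, the Add-MpPreference exclusion covering the whole user profile and ProgramData, and the taskkill of chrome.exe. The script below is an added example, not part of the sandbox report: it parses entries in the report's own layout (image path, blank line, command line, blank line) and applies one rule per pattern. The excerpt is a constructed subset copied from the list above; the rule names, the USER_WRITABLE directory list and the short set of .NET hosts are my own choices.

```python
"""Rule-based triage of a sandbox process list laid out as image path / command line pairs."""
import re
from dataclasses import dataclass

# Constructed excerpt: entries copied from the process list above, same layout.
PROCESS_EXCERPT = r"""
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\AppData\Local\Temp\nsh55B0.tmp" & del "C:\ProgramData\*.dll"" & exit

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe create "FLWCUERA" binpath= "C:\ProgramData\eyfisgalqlbk\iojmibhyhiws.exe" start= "auto"

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe stop eventlog

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Windows\SysWOW64\taskkill.exe

"taskkill.exe" /im chrome.exe /f

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "RegAsm.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com
"""

# Assumed lists: signed .NET hosts commonly abused as injection targets, and browsers stealers kill.
DOTNET_HOSTS = {"msbuild.exe", "regasm.exe", "regsvcs.exe", "installutil.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Directories an unprivileged user can write to; a service binary or rundll32 DLL there is a red flag.
USER_WRITABLE = re.compile(r"\\(appdata|programdata|users\\[^\\]+\\documents|temp)\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    detail: str
    cmdline: str


def parse_processes(text):
    """Return (image, cmdline) pairs: non-empty lines alternate image path / command line."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("process list must be image/command-line pairs")
    return list(zip(lines[0::2], lines[1::2]))


def split_cmdline(cmdline):
    """Split a Windows command line on whitespace outside double quotes; the quotes are dropped."""
    tokens, cur, quoted = [], [], False
    for ch in cmdline:
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def after(tokens, flag):
    """Value following a /flag or name= switch (case-insensitive), or None."""
    low = [t.lower() for t in tokens]
    if flag in low and low.index(flag) + 1 < len(tokens):
        return tokens[low.index(flag) + 1]
    return None


def triage(image, cmdline):
    name = image.rsplit("\\", 1)[-1].lower()
    tokens = split_cmdline(cmdline)
    low = cmdline.lower()
    hits = []
    if name in DOTNET_HOSTS and len(tokens) == 1:
        hits.append(Finding("dotnet_host_no_args", name, cmdline))
    if name == "cmd.exe" and re.search(r"\b(timeout|choice)\b", low) and re.search(r"\bdel\b", low):
        hits.append(Finding("self_delete_chain", "delay then del", cmdline))
    if name == "schtasks.exe" and "/create" in low:
        hits.append(Finding("scheduled_task", f"{after(tokens, '/tn')} -> {after(tokens, '/tr')}", cmdline))
    if name == "sc.exe" and len(tokens) > 1:
        verb = tokens[1].lower()
        binpath = after(tokens, "binpath=")
        if verb == "create" and binpath and USER_WRITABLE.search(binpath):
            hits.append(Finding("service_persistence", f"{tokens[2]} -> {binpath}", cmdline))
        if verb == "stop" and len(tokens) > 2 and tokens[2].lower() == "eventlog":
            hits.append(Finding("eventlog_stopped", "sc stop eventlog", cmdline))
    if name == "powershell.exe" and "add-mppreference" in low and "-exclusion" in low:
        hits.append(Finding("defender_exclusion", "Add-MpPreference -Exclusion*", cmdline))
    if name == "rundll32.exe" and any(USER_WRITABLE.search(t) for t in tokens[1:]):
        hits.append(Finding("rundll32_user_writable_dll", tokens[1].rstrip(","), cmdline))
    if name == "taskkill.exe" and (after(tokens, "/im") or "").lower() in BROWSERS:
        hits.append(Finding("browser_killed", after(tokens, "/im"), cmdline))
    return hits


def triage_report(text):
    return [f for image, cmdline in parse_processes(text) for f in triage(image, cmdline)]


if __name__ == "__main__":
    for f in triage_report(PROCESS_EXCERPT):
        print(f"{f.rule:28} {f.detail}")
```

Two practical notes. The rules key on the image name, not on the command-line text, because the command lines here are written by the malware (note the unbalanced quotes in the del chains) and the image path is what the sandbox actually observed. And the eventlog_stopped hit should send you back to the host's Security and System logs to look for the gap between the stop and the next service start.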

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
DE 77.105.147.130:80 77.105.147.130 tcp
US 8.8.8.8:53 api.myip.com udp
US 172.67.75.163:443 api.myip.com tcp
N/A 224.0.0.251:5353 N/A udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 130.147.105.77.in-addr.arpa udp
US 8.8.8.8:53 163.75.67.172.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 294self-limited.sbs udp
US 8.8.8.8:53 vk.com udp
US 8.8.8.8:53 medfioytrkdkcodlskeej.net udp
US 8.8.8.8:53 ok.spartabig.com udp
AT 5.42.64.33:80 5.42.64.33 tcp
FI 109.107.182.40:80 109.107.182.40 tcp
US 8.8.8.8:53 cczhk.com udp
US 8.8.8.8:53 ji.alie3ksggg.com udp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
US 104.21.15.216:80 ok.spartabig.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
US 172.67.189.229:80 294self-limited.sbs tcp
US 172.67.189.229:80 294self-limited.sbs tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
US 172.67.189.229:80 294self-limited.sbs tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
US 172.67.189.229:443 294self-limited.sbs tcp
HK 154.92.15.189:80 ji.alie3ksggg.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
KR 211.119.84.112:80 cczhk.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
RU 91.215.85.209:443 medfioytrkdkcodlskeej.net tcp
US 8.8.8.8:53 x2.c.lencr.org udp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
US 8.8.8.8:53 189.15.92.154.in-addr.arpa udp
US 8.8.8.8:53 112.84.119.211.in-addr.arpa udp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
KR 211.119.84.112:80 cczhk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
NL 95.142.206.1:443 N/A tcp
RU 93.186.225.194:443 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
RU 93.186.225.194:443 vk.com tcp
US 8.8.8.8:53 sun6-20.userapi.com udp
RU 93.186.225.194:443 vk.com tcp
US 8.8.8.8:53 sun6-23.userapi.com udp
NL 95.142.206.0:443 sun6-20.userapi.com tcp
NL 95.142.206.3:443 sun6-23.userapi.com tcp
NL 95.142.206.1:443 N/A tcp
NL 95.142.206.2:443 N/A tcp
NL 95.142.206.2:443 N/A tcp
RU 93.186.225.194:443 vk.com tcp
NL 95.142.206.3:443 sun6-23.userapi.com tcp
RU 93.186.225.194:443 vk.com tcp
US 8.8.8.8:53 i.alie3ksgaa.com udp
HK 154.92.15.189:443 i.alie3ksgaa.com tcp
DE 185.172.128.24:80 N/A tcp
DE 77.105.147.130:80 77.105.147.130 tcp
US 8.8.8.8:53 24.128.172.185.in-addr.arpa udp
GB 96.16.110.114:80 N/A tcp
US 8.8.8.8:53 api.2ip.ua udp
RU 93.186.225.194:443 vk.com tcp
US 104.21.4.208:443 N/A tcp
US 188.114.96.2:443 api.2ip.ua tcp
RU 93.186.225.194:443 vk.com tcp
CA 54.39.19.153:443 N/A tcp
US 34.117.186.192:443 ipinfo.io tcp
US 104.26.8.59:443 api.myip.com tcp
US 8.8.8.8:53 weedpairfolkloredheryw.site udp
US 8.8.8.8:53 153.19.39.54.in-addr.arpa udp
RU 193.233.132.62:50500 N/A tcp
US 8.8.8.8:53 ipinfo.io udp
US 188.114.97.2:443 weedpairfolkloredheryw.site tcp
US 34.117.186.192:443 ipinfo.io tcp
NL 91.92.245.15:80 N/A tcp
NL 195.20.16.46:80 N/A tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 3.182.107.109.in-addr.arpa udp
NL 195.20.16.46:80 N/A tcp
FI 109.107.182.3:80 N/A tcp
DE 77.105.147.130:80 77.105.147.130 tcp
RU 91.215.85.120:80 selebration17io.io tcp
RU 185.215.113.68:80 185.215.113.68 tcp
RU 193.233.132.67:50500 N/A tcp
DE 146.70.169.164:2227 N/A tcp
US 198.98.51.189:9001 N/A tcp
FI 109.107.182.3:80 N/A tcp
FR 157.240.195.35:443 N/A udp
IE 209.85.203.84:443 N/A udp
IE 209.85.203.84:443 N/A tcp
GB 142.250.187.227:443 N/A udp
FR 51.158.67.69:443 N/A tcp
DE 144.76.43.199:9001 N/A tcp
GB 216.58.201.110:443 N/A udp
US 8.8.8.8:53 i.ytimg.com udp
RU 5.42.65.31:48396 N/A tcp
US 172.67.173.89:443 N/A tcp
IE 209.85.203.84:443 N/A udp
US 172.67.160.12:443 N/A tcp
DE 185.172.128.53:80 N/A tcp
US 8.8.8.8:53 expenditureddisumilarwo.site udp
US 172.67.133.222:443 expenditureddisumilarwo.site tcp
US 172.67.129.233:443 N/A tcp
DE 185.172.128.90:80 N/A tcp
US 172.67.206.188:443 N/A tcp
US 188.114.96.2:443 weedpairfolkloredheryw.site tcp
RU 193.233.132.62:50500 N/A tcp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 172.67.129.233:443 N/A tcp
HK 154.92.15.189:80 i.alie3ksgaa.com tcp
US 172.67.206.188:443 N/A tcp
RU 185.215.113.68:80 185.215.113.68 tcp
US 172.67.160.12:443 N/A tcp
US 188.114.96.2:443 weedpairfolkloredheryw.site tcp
US 172.67.213.180:443 N/A tcp
DE 185.172.128.19:80 185.172.128.19 tcp
US 188.114.97.2:443 weedpairfolkloredheryw.site tcp
US 172.67.129.86:443 N/A tcp
US 104.21.17.48:443 N/A tcp
US 172.67.216.203:443 N/A tcp
NL 45.15.156.60:12050 N/A tcp
NL 195.20.16.103:20440 N/A tcp
DE 185.172.128.79:80 185.172.128.79 tcp
AT 5.42.64.33:80 5.42.64.33 tcp
HK 154.92.15.189:443 i.alie3ksgaa.com tcp
RU 5.42.65.31:48396 N/A tcp
HK 154.92.15.189:80 i.alie3ksgaa.com tcp
DE 185.172.128.33:8924 N/A tcp
GB 142.250.187.195:443 N/A tcp
GB 142.250.200.35:443 N/A tcp
DE 144.76.1.85:25894 N/A tcp
US 8.8.8.8:53 85.1.76.144.in-addr.arpa udp
NL 80.79.4.61:18236 N/A tcp
DE 141.95.211.148:46011 N/A tcp
US 8.8.8.8:53 61.4.79.80.in-addr.arpa udp
US 8.8.8.8:53 148.211.95.141.in-addr.arpa udp
DE 138.201.125.92:15647 N/A tcp
DE 185.172.128.109:80 N/A tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
US 8.8.8.8:53 70.89.76.45.in-addr.arpa udp
GB 96.17.178.187:80 N/A tcp
GB 96.17.178.187:80 N/A tcp
US 172.67.177.31:443 N/A tcp
US 8.8.8.8:53 qualifiedbehaviorrykej.site udp
US 172.67.175.187:443 qualifiedbehaviorrykej.site tcp
US 172.67.177.31:443 N/A tcp
US 8.8.8.8:53 copyrightspareddcitwew.site udp
US 172.67.172.166:443 copyrightspareddcitwew.site tcp
US 8.8.8.8:53 combinethemepiggerygoj.site udp
US 172.67.137.14:443 combinethemepiggerygoj.site tcp
US 8.8.8.8:53 166.172.67.172.in-addr.arpa udp
US 8.8.8.8:53 14.137.67.172.in-addr.arpa udp
US 8.8.8.8:53 weedpairfolkloredheryw.site udp
US 188.114.96.2:443 weedpairfolkloredheryw.site tcp
DE 185.172.128.79:80 185.172.128.79 tcp
RU 185.215.113.68:80 N/A tcp
DE 185.172.128.90:80 N/A tcp
GB 96.17.179.201:80 N/A tcp
US 172.67.175.187:443 qualifiedbehaviorrykej.site tcp
US 188.114.96.2:443 weedpairfolkloredheryw.site tcp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
US 8.8.8.8:53 N/A udp
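Reading the table above by eye is hard because the same endpoint recurs dozens of times and many rows carry no hostname at all (only an IP:port), so any pivot has to work on the IP:port pair. Three things stand out once the rows are aggregated: the external IP lookups against api.myip.com, ipinfo.io and api.2ip.ua (the report's "Looks up external IP address via web service" signature), the HTTP flows whose Domain column is just the destination IP again (direct-to-IP C2 style traffic, for example 77.105.147.130, 185.172.128.19 and 185.215.113.68), and TCP connections to high, non-web ports (50500, 2227, 9001, 48396, 12050, 20440, 8924, 25894, 18236, 46011, 15647) that were never resolved from a name. The Country column is the sandbox's geolocation of the destination address, not of whoever operates it. The DNS lookup and HTTP connection to pool.hashvault.pro are also worth flagging: that host is a public Monero mining pool, and the report's tag list does not include a miner, so the memory dumps deserve a look for that too. The script below is an added example, not part of the sandbox report: it parses rows in the table's own layout, tolerating both a Domain cell written as N/A and one dropped entirely, tags each flow and aggregates per endpoint. The excerpt is a constructed subset of the rows above; the tag names, the IP_LOOKUP_SERVICES set (only the three services the report shows) and the notion of "noise" are my own choices.

```python
"""Pivot sandbox network rows (Country Destination Domain Proto) into a per-endpoint IOC view."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Constructed excerpt copied from the table above. One row deliberately omits the Domain cell
# and the others write it as N/A, which is how extraction and rendering of this report differ.
NETWORK_EXCERPT = """\
Country Destination Domain Proto
US 8.8.8.8:53 api.myip.com udp
US 172.67.75.163:443 api.myip.com tcp
N/A 224.0.0.251:5353 N/A udp
DE 77.105.147.130:80 77.105.147.130 tcp
US 8.8.8.8:53 130.147.105.77.in-addr.arpa udp
RU 93.186.225.194:80 vk.com tcp
RU 93.186.225.194:80 vk.com tcp
RU 193.233.132.62:50500 tcp
RU 193.233.132.62:50500 N/A tcp
DE 146.70.169.164:2227 N/A tcp
US 8.8.8.8:53 pool.hashvault.pro udp
DE 45.76.89.70:80 pool.hashvault.pro tcp
NL 95.142.206.1:443 N/A tcp
US 8.8.8.8:53 N/A udp
"""

IP_LOOKUP_SERVICES = {"api.myip.com", "ipinfo.io", "api.2ip.ua"}  # assumed list: the three seen here
WEB_PORTS = {80, 443}
NOISE = {"dns", "dns_ptr", "mdns_noise"}  # resolver traffic and mDNS carry no pivot value by themselves


@dataclass(frozen=True)
class Flow:
    country: str
    ip: str
    port: int
    domain: Optional[str]
    proto: str


def parse_rows(text):
    """Parse table rows; a missing or N/A Domain cell becomes None."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":
            continue
        if len(parts) == 3:                      # Domain cell dropped entirely
            country, dest, proto = parts
            domain = None
        elif len(parts) == 4:
            country, dest, domain, proto = parts
            domain = None if domain == "N/A" else domain
        else:
            raise ValueError(f"unexpected row: {line!r}")
        ip, _, port = dest.rpartition(":")
        ipaddress.ip_address(ip)                 # raises on a malformed address
        flows.append(Flow(country, ip, int(port), domain, proto.lower()))
    return flows


def classify(flow):
    """Tag one flow; resolver and multicast rows are returned as a single noise tag."""
    if flow.port == 53:
        return ["dns_ptr"] if flow.domain and flow.domain.endswith(".in-addr.arpa") else ["dns"]
    if flow.port == 5353 and ipaddress.ip_address(flow.ip).is_multicast:
        return ["mdns_noise"]
    tags = []
    if flow.domain in IP_LOOKUP_SERVICES:
        tags.append("external_ip_lookup")
    if flow.domain == flow.ip:                   # sandbox recorded the bare IP as the "host"
        tags.append("direct_to_ip_http")
    if flow.port not in WEB_PORTS:
        tags.append("nonstandard_port")
    if flow.domain is None:
        tags.append("no_hostname_recorded")
    return tags or ["web"]


def pivot(flows):
    """Aggregate non-noise flows per (ip, port): hit count, hostnames seen, union of tags."""
    table = defaultdict(lambda: {"count": 0, "domains": set(), "tags": set()})
    for f in flows:
        tags = classify(f)
        if NOISE.intersection(tags):
            continue
        entry = table[(f.ip, f.port)]
        entry["count"] += 1
        if f.domain:
            entry["domains"].add(f.domain)
        entry["tags"].update(tags)
    return dict(table)


if __name__ == "__main__":
    rows = sorted(pivot(parse_rows(NETWORK_EXCERPT)).items(), key=lambda kv: -kv[1]["count"])
    for (ip, port), e in rows:
        hosts = ",".join(sorted(e["domains"])) or "-"
        print(f"{ip}:{port:<6} x{e['count']:<3} {hosts:30} {' '.join(sorted(e['tags']))}")
```

Run against the full table, the endpoints tagged both nonstandard_port and no_hostname_recorded are the ones to block first, because nothing in the capture ties them to a name that a DNS-based control would catch.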

Files

memory/5040-0-0x00007FF66B850000-0x00007FF66C29D000-memory.dmp

memory/5040-1-0x00007FF66B850000-0x00007FF66C29D000-memory.dmp

memory/5040-6-0x00007FFD109D0000-0x00007FFD10C99000-memory.dmp

memory/5040-7-0x00007FFD109D0000-0x00007FFD10C99000-memory.dmp

memory/5040-8-0x00007FFD109D0000-0x00007FFD10C99000-memory.dmp

memory/5040-10-0x00007FF66B850000-0x00007FF66C29D000-memory.dmp

memory/5040-11-0x00007FF66B850000-0x00007FF66C29D000-memory.dmp

memory/5040-9-0x00007FFD109D0000-0x00007FFD10C99000-memory.dmp

memory/5040-14-0x00007FFD00030000-0x00007FFD00031000-memory.dmp

memory/5040-12-0x00007FFD11F60000-0x00007FFD1201E000-memory.dmp

memory/5040-16-0x00007FFD00000000-0x00007FFD00002000-memory.dmp

memory/5040-13-0x00007FF66B850000-0x00007FF66C29D000-memory.dmp

memory/5040-17-0x00007FF66B850000-0x00007FF66C29D000-memory.dmp

memory/5040-15-0x00007FF66B850000-0x00007FF66C29D000-memory.dmp

memory/5040-18-0x00007FF66B850000-0x00007FF66C29D000-memory.dmp

memory/5040-19-0x00007FF66B850000-0x00007FF66C29D000-memory.dmp

memory/5040-20-0x00007FF66B850000-0x00007FF66C29D000-memory.dmp

memory/5040-29-0x00007FFD12DB0000-0x00007FFD12FA5000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

memory/5040-21-0x00007FF66B850000-0x00007FF66C29D000-memory.dmp

C:\Users\Admin\Documents\GuardFox\H2MKshX0QMUqIM1mTeXAcHVI.exe

MD5 c515b257a1b382acd46bb93b1226c38b
SHA1 b9731cc318ac3583d5a01862bb94aebde87c8e45
SHA256 b83bbfe4d20ba2d97bf686b4fa838b5128042e134dee89e1704028608e656c0e
SHA512 d5678037c006bf9c67b0b3794d9466356779a971ca3221f301451578306ed90d64061ab53dfc478ad8879bc7adef0146a73a10d4674985ffed3d735dd9bacd47

C:\Users\Admin\Documents\GuardFox\V1aQ4WgGmYDw4WTokypwxW0O.exe

MD5 c6819be4745fa4008aec1a63c6c24b8a
SHA1 d9213d44c99ffdbe5786a3495b4bad5c053abc29
SHA256 1f70751f56b00036e7dbf8e329ddb379b17646fb6ea47e9e84d496a422bc33af
SHA512 f93301fb161a60a2eab81cb7c992528109dcad610e932139f8847bcc642454a6a98689bcee2109445b6a34408eeabb60a14253108844aa957255b43770e6b522

C:\Users\Admin\Documents\GuardFox\m5OlHZeBRqi1Mg7BuzgzMLJO.exe

MD5 ce32c3ae6472e077dfeb226fd9305f65
SHA1 52c0a92718aa4cdafbe888420e02109326a7a82b
SHA256 7f47b9b7b57b23615c64cbfa3da90331447e08d64ab62892a8d478fbe96a5f4a
SHA512 fba7c2ce1695a460da971f383fcea6982ff403891f6e419f3b393bc5e19657ce31ea54781cf6e89d45d1f211a811e6b59ed9f75a34f6852470da76e1d15a1827

C:\Users\Admin\Documents\GuardFox\aec295eMcA06P4qpEdbSbnh9.exe

MD5 333538d31f6ce081cf1d63a1f591bd20
SHA1 8f87d52c6727d258a69d73ee95d0262d1ad94dce
SHA256 7560537d2da216da37d931fcbcb6ca05cbaa57e2e21c34456fc8577209208369
SHA512 e4242ca78d7395dd0922de9745252c2b5aa4dbf16c8366bd6c38af65f3001045dd643f37b6eebe0fa1f4d1d79cedd34dbd1c33f40406631dac32ea802186fd98

C:\Users\Admin\Documents\GuardFox\rhita_ubUD9ElUjVw637Qqfd.exe

MD5 18794dc5cd9c72a299b1b3a489892444
SHA1 4f9b3e49f1441685b37ca35f2f8cf60470484996
SHA256 23782da6305681a0540af2f9652521f40984b015ba3da51fc4ef69d4f00c4158
SHA512 85f9a6e9ed768f8a9666807d72b9163dae9437a93e3e433b674c0e2b70ef47523281e64084c013d1ae56948a74bd20247c774fdeebaa71321d0328982a045a68

C:\Users\Admin\Documents\GuardFox\dHd5mez3fSUI5LIwBzCzmnxy.exe

MD5 b85fd23b01f15c5d39828815ac86af41
SHA1 f1763a05c95615ab8d28fee28fb37fb1f2044708
SHA256 45497df9e199612fa1aecfa09b4039a9e8545cac881a6a8a5411c99930c900ff
SHA512 559cd7b0f36f2e5865f301d3fbde0cdfe58f7b2ff6f2b478a60261175876420df0729054248a93b020cfa5897ee43c5fc6e11c16dd9e946188fddae82f2c9a67

C:\Users\Admin\Documents\GuardFox\EAjZobOuZpxn1lFyXQAYd0GT.exe

MD5 17316f2fc5d81a6f0f7bfd63e398e314
SHA1 743c01a4c7a1479574a1ae8a83c278c14973c668
SHA256 d4df196d04f3b429a5c35abcfa9f4d8b3d505d69868a4cd61fa7a2d8904b5ac7
SHA512 be21874b110a17396f0223fd040f8663c4f5f83e55b45a7b4dfa097fc4e1aa282a3c09bbfee59ad05ea6e8d7941af8205ffe84e7c33f007ae49fbb48e539bfd8

C:\Users\Admin\Documents\GuardFox\5il1F6kCyub7JoMkSaPcMygv.exe

MD5 83a18f1f6a2c524aad9d4c9a1dfba465
SHA1 f80dca5317ab65ef2b99cb547eaa75e756b417de
SHA256 360a1ee851561a0db2b6a2c294db52c6316d79f0394576871c32a3cb62341f61
SHA512 b84cc96e2453238fd060922b815712b4bc43f2ab4b456e445248496cb4e65180dd1bba30f07584caa95a83c616e4769ffd7cf9ee4d8fa610c43b81a758d9041f

C:\Users\Admin\Documents\GuardFox\9BJtdwBE6uYtiYT3Askmjm_H.exe

MD5 e7727ff441cb3d78086ffa1ef0e3ddd2
SHA1 41b2d7bbc4de92060d735b521db7365c67ba1ed3
SHA256 efa4ef948ce3c0597661a9dbcd167f751d0d7432ce26f8dfc5f033cbb48752a7
SHA512 2057f7be01e0bebb6b6569cfbedf1533ebe1a5f663a1b2d74913d4205372e4584b8ef0dea82df6d70e6804911a23df7b911ca7157948d8c77355f2ef8c1982e0

C:\Users\Admin\Documents\GuardFox\grSxAgZJX8EppGTk0v0tdRzD.exe

MD5 3576558e6c5b98c1ac6d1cef391a7ffe
SHA1 1eed3e51ad45256f7afaa502282b8c1962faa936
SHA256 eefb0abb8fc4f94c52638aee5903850114815da709847d2e17fa51e056c4ad12
SHA512 8cfa6520aeb35e7baeb1a806772d748d321b24c028d3180068ae3e4754d63f19954cf3017f2041b6d4c59b32eaa06df97403a44bf530b441d282097427fb121e

C:\Users\Admin\Documents\GuardFox\X_EnyONBjNVniUxjdzzaCDJx.exe

MD5 772bccd006de8277ae9b8c64f356ad90
SHA1 feeb0aa603edbaebcedb99eb0aa19363340e06bc
SHA256 c2aef92efdf5b86832e3636a8bc072a9965eccadc94e587ec42e60842ef1ca42
SHA512 e5d08d32efe1be0c9ad6e42ae5cba14d753939535446383c3b381db06584a0f56ed6b76e3f03f83cff768f53e942374272f29b2968eea640f620f784182b1e3a

C:\Users\Admin\Documents\GuardFox\09KCWMn5NJWpwl11JomKZL6W.exe

MD5 8c70462cd4fd591ac4c386cbc91685e2
SHA1 8511ab46ddd029973413704d3433f76d67039166
SHA256 82efd7ba1760db6656ddba547bd16c3f92236c8b97c07d85ce10af7f69402217
SHA512 889232a22f57d31aeca7c41eb6dc33bfe1ae5963d59facaeba213d5d569af134dead49d7b2ecad6719fcc69a44bff290d3730386e9bc6d47acc95cf5f2c7960e

memory/5040-122-0x00007FF66B850000-0x00007FF66C29D000-memory.dmp

C:\Users\Admin\Documents\GuardFox\9nAjk7ElylJ34eBZk5HqODkt.exe

MD5 5918d7cd1e1da27f03b8749bf731f845
SHA1 070a65d39733bca373c12938fecbeaa85baf1e65
SHA256 b1a771b16327455bcaf36e5e503e53fe5420a86612e69210a8739aea5a673e59
SHA512 7685aa6d09e2cfd2c4e30422c406acbc9cb371df12fdf1725bf3784c9b4ee61159e1f9d895c8682306cea85dcce76f049af68f9080439f7bdd4bff981a949f71

C:\Users\Admin\Documents\GuardFox\jEJVgKSWIZRhch5k_nl5JGx8.exe

MD5 9aa8cee67e2078d5e7c624e4c1811c0f
SHA1 6ddb0b210b681c8ccee31569c17a36f3c023dac6
SHA256 3eb5a9b520e2b620200616703e0b39305f28530ca6ed291f50594797fc9ed841
SHA512 e3211adaa470a37c67b812b90a256eb8b5662139a4ea4659a16ecd1505563996ee0fe3ca152b6a58498af8675f3abb3d4a38060c789332e8ac3b1e8a32334bdb

C:\Users\Admin\Documents\GuardFox\QZFI9F0g0r9_BEIKd4z0mN5b.exe

MD5 e60c139eab767bb05c2c6ea9b0547af4
SHA1 161c2e911ea9643f4bb1f55028b66c797c3ba82b
SHA256 0f706c4691e5cfb0879ef343529473c6c55e06ed78799760bee1e07ebabc3c33
SHA512 6f639e1cec1f8091df181cff4b8990cdbe8a758c9aea18243676cbafcadf98430b006caff5b40491012968501e1742f4f4afe69612012d6401d80deb47f254ad

C:\Users\Admin\Documents\GuardFox\ebAxaGaWrmPTFikPMf2BNIV0.exe

MD5 998499d3f20b446cbede7b57512c8928
SHA1 7d6bfd198309871b758cea866338e26b9e657441
SHA256 4b3f261ba72943c09ab868fc2610948bbace61d5a1fc9131a2a45d58bead4dfd
SHA512 ef309a06f7662c2751a2c5b5619a20a0f2a82ee54d2b617cc5cda9995591c9466e20b589ae32aa2f322580767563dc9855ebd411ef371816edf159401649ab06

C:\Users\Admin\Documents\GuardFox\JFnaejzd3kJTyTcM3MBHgFai.exe

MD5 106eaef9810cb18f0e18362f078a33c0
SHA1 5b997aae8187f9e172e2eb469014ef90b86d2bd2
SHA256 79dce3e8d44dbdde540df0cc8453b10caf692149ff0c3ff4858c0c947310d236
SHA512 767ccc10627ad07b220cd65d5ce216df55038857d6a6a16d0ff6d366db2dc2c2f37f8ae36602918b7aa3e716c4f18c84a9e6ef8560bb805fae88f4f4d67e1deb

C:\Users\Admin\Documents\GuardFox\tOwu157Mq2IKHvu7Kopa_Klj.exe

MD5 a2b7d126ddf8f95e2e360b1469a3fc23
SHA1 8404d4c078fd979d78712173367ad39b462251f1
SHA256 af6c0c82f9e84ccd91fd32db29923a8bb3fd76aa8539e69b8fb7bebd6044879e
SHA512 44a0155e4488951c1418ea6cfe41113544ae293f15e2ff343cc6bbb0e043df5dfad0fdbc5802d0a8f20aa4046dbbed905c222e0da35cd1b52bd1afbab2f9b053

C:\Users\Admin\Documents\GuardFox\Dimu1yCf_rncQH2Q9EK34rw7.exe

MD5 842937bed196f1660587aa793428282f
SHA1 4c2e15f9cb4cd7e66738ccf5647434ec08bbc6d1
SHA256 76d636a18c9db8a1016e7b75b5c8ced5e3987eb01ff6a02f992051af7d404fba
SHA512 8b5d6da8ae0ef6e40ff592db21c74f1e8037bd3864d5255dd34e1753d9fd3b2901a0eae8fe6e47c15b80bf69986fe46aed45478df4efb075ef29bf6e72b48426

C:\Users\Admin\Documents\GuardFox\XXOA9F19qkaFn8XhoZKAzo0p.exe

MD5 d2bcc0663e833438eb95580f1d0833ab
SHA1 797fe4be6741a48edaa05775b67066e1012883ca
SHA256 2f9520501fdb02eedaebe96bbb99332715df42f85d2d1cce8eb4eb0ac1eaee86
SHA512 a3af0246c9dbe96486619ed3defd3b97648289d8dc9d4d63fcd03504a93345801ef1ba277955bd202f8b735100723f88b6df15093596d91cda6c500cb3a9f43d

memory/5040-174-0x00007FFD109D0000-0x00007FFD10C99000-memory.dmp

C:\Users\Admin\Documents\GuardFox\VOuudOuU1Ykz6N8RTAbw4HLv.exe

MD5 ff5cdd929999acc0741de426b150472e
SHA1 ca07d4c239e1a40d254c9b2a4d1ceecc13a7e56e
SHA256 bc25050eb45cbc43a8f7795aec051fd566525533c521bdc7cbd930fab3fa8b51
SHA512 563a61c26624df56d95579c9b1b8ec36f21375ae1081d26499b51ebab2d6189f2e9a807d230026e3a7302e730b4f62344bbe54194d14ca5b46f495122669dd3e

C:\Users\Admin\Documents\GuardFox\XXOA9F19qkaFn8XhoZKAzo0p.exe

MD5 f5f441e6091d332bbd1de28cfb2944cf
SHA1 31160ca91a4c31e60becf405e3aafe8fcf8539f5
SHA256 126756ec81ccc54470874ed683892d6ff25e6894ec63b8f49efa78b3bfdcef22
SHA512 6de7be032623ff8ae16aa73f738add80f84d1f038022c1f8dd277042040156838ed552c1f2ba8e381106c24584f6dc7e68db652243ac0f7a23b24f8b32f331da

memory/5040-557-0x00007FFD00010000-0x00007FFD00011000-memory.dmp

C:\Users\Admin\Documents\GuardFox\aec295eMcA06P4qpEdbSbnh9.exe

MD5 320095239d68a77d2dbe8b96f75c1803
SHA1 d66f46976874c6aaf3c05c32ba1afecb67f21407
SHA256 a049b87742cc3e515cd579f3f4d49c0a60ccde31853e1bf653e73afb33017602
SHA512 3c66296c738fec64f12f9565f20fc9b593ebcb36514665431f25a10f7af567b8f179654b544e5903ff8f1e0ef4fe0dacfd49735000bc790f3fe9789d5257a77d

C:\Users\Admin\Documents\GuardFox\H2MKshX0QMUqIM1mTeXAcHVI.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\Documents\GuardFox\ebAxaGaWrmPTFikPMf2BNIV0.exe

MD5 3d59f5a8f390f216b8cc139d724f6d35
SHA1 e3af0945c436e46f5890ef80b18b1add57dcc2bd
SHA256 a38a438b8239a65444d8319fa6f8b16883be0f77ed492925f66bb4d2e5c80279
SHA512 aee0d56fd5669cfbd1c221c39aee385b107e2fe93dd80a17d1565a7d92ecb2a91f1dfd1c50ff87c0a5bb593ed7ac62a1709557747516da9c1a47111a32fed3a0

C:\Users\Admin\Documents\GuardFox\X_EnyONBjNVniUxjdzzaCDJx.exe

MD5 b90a5ceac5be8bf5f4dac59ae4a0a6c5
SHA1 fc906ce708d1e89db485fec50e9897dfcab3956d
SHA256 f025426bd515f06c4e31e298a0694a305c633e0ec6ba0a2addfcfd60b15ff680
SHA512 739562a946c07b9ccf4aa0d3cff9fb074a211a11d7d4206166906e1cb4d6dc72c68f3c6ca3310ee442de1cf9a97e7d32889f82b8ed46191765b2c87f89d172d2

C:\Users\Admin\Documents\GuardFox\grSxAgZJX8EppGTk0v0tdRzD.exe

MD5 3a3e1d7ca4217498663721855b4a3a2c
SHA1 804f07c26e067322f41dd1a94d5d20de81e7fcb6
SHA256 a63f4ef3d7584a485363c3e018a1febed0821240619d36250a7b9a4b2fae4315
SHA512 b29f648024f11b3d7dd64368ae1caec45e0c79e250a5ca0691b01e67dc179ee518598eb645d583cfa04cbc4bf56bbcbb116dd7799aa89548b2c2dc1ae547c72f

C:\Users\Admin\Documents\GuardFox\VOuudOuU1Ykz6N8RTAbw4HLv.exe

MD5 aebe66c88f66f7b77e746584aca4c831
SHA1 3ad8f4a261a765b4c435e297a05264b68f9eea87
SHA256 b554ff6d288661d5294dcc4a3d0273ef04f100abd80fe3ba47568dda9320594f
SHA512 842db44dca1efcb74f04487ab9f39a8ae7814aa5a911a1b2d2f0c4c9beef95a8589903bbf938dc2a547ae472d5eb1ee059ba229021f495dd2ab29372f017e9a6

C:\Users\Admin\Documents\GuardFox\H2MKshX0QMUqIM1mTeXAcHVI.exe

MD5 7043290092eae5c46395ca909ae83d49
SHA1 c5f55e5de8865adf754a7024dcf6e0d30f87b60b
SHA256 7f811fb2f5580b0f4499831bcd988cc8b430cc99e8069e8f392a99a5d38b72bc
SHA512 56fb9914836169e1b7fa5e56e99d1d4161f3a728da3fa82d1e20e49817339ce9bce7dd8436ded4e2266a6249064d95d47c254d1f233cd218870ba3489db6df3a

memory/4156-712-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5040-718-0x00007FFD11F60000-0x00007FFD1201E000-memory.dmp

C:\Users\Admin\Documents\GuardFox\ebAxaGaWrmPTFikPMf2BNIV0.exe

MD5 82a4981dc81da2ed656bfe009c99fc02
SHA1 c01ab9b8a86959f8dae9879053305564ca62c0b5
SHA256 f77c782ee58209a2a78ca1dbca1ceb16fbda1581e7e422f71519058aecc735ba
SHA512 3c124450378d399ec1d03759afa8941f91cf5e330a0d9c69f07be32e910b21765339c308f32c5188c688d0bad0c7e85b098f07179578a18537f39ff05a770eb7

C:\Users\Admin\Documents\GuardFox\V1aQ4WgGmYDw4WTokypwxW0O.exe

MD5 3a329891088a7c44ae41b86ac86ed175
SHA1 ed3cdd83e5fdc24453c1e9e8143316360ab32784
SHA256 412670434b87245ae0ef077c9571a376f8d15ec8e2cfd59427cf6c52d2ec0fd6
SHA512 495d42e347ba1249b36646585f27141886edb816989c80910ab70f505b42cb412c8b3d419d568ecc2d911c9987da28fc8e408a4c4248b9b7a0eab72ed2fea8d1

memory/5040-714-0x00007FFD109D0000-0x00007FFD10C99000-memory.dmp

memory/6156-722-0x0000000000C20000-0x0000000001103000-memory.dmp

memory/4156-723-0x0000000000400000-0x0000000000414000-memory.dmp

memory/6148-726-0x0000000000560000-0x000000000056B000-memory.dmp

memory/6148-730-0x0000000000400000-0x0000000000448000-memory.dmp

memory/2008-731-0x0000000000680000-0x000000000069C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-B0E5B.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

C:\Users\Admin\AppData\Local\Temp\is-B0E5B.tmp\_isetup\_isdecmp.dll

MD5 b6f11a0ab7715f570f45900a1fe84732
SHA1 77b1201e535445af5ea94c1b03c0a1c34d67a77b
SHA256 e47dd306a9854599f02bc1b07ca6dfbd5220f8a1352faa9616d1a327de0bbf67
SHA512 78a757e67d21eb7cc95954df15e3eeff56113d6b40fb73f0c5f53304265cc52c79125d6f1b3655b64f9a411711b5b70f746080d708d7c222f4e65bad64b1b771

C:\Users\Admin\Documents\GuardFox\9BJtdwBE6uYtiYT3Askmjm_H.exe

MD5 b9caddfba2938a10e9b17b29322aa953
SHA1 846f6bf6960872d93267d798e215adaf3a692606
SHA256 f0ab25a7306dc19a65fff8a384c445cd7a2842feb3c89cfd9357ee2919c8a70e
SHA512 ae46ab8a671f35d072b2aece1a6c11993e866765b90daca884ea3b018a85f0fea059e508eb3e1c77baad399ba60eb1c944a72d1c99cc584682cb5cfd4521869b

C:\Users\Admin\Documents\GuardFox\JFnaejzd3kJTyTcM3MBHgFai.exe

MD5 4ddbf05ddc7819a6dbd9c1fbc569c7b8
SHA1 72b742012260334397f11553966cdd8b980d9a45
SHA256 f846175ed1cf3b93022ac7bd5dd02996b77558706fe29582a685baae7a3436ff
SHA512 24c623a0a3a445d8f5dca8ec68bf17af8c5e15fde933735a0378d299069e2298c48f83e386e0d7b5f034fede31b7fab75ce2f3c2b3db6a437d689c15fef6b52a

C:\Users\Admin\Documents\GuardFox\09KCWMn5NJWpwl11JomKZL6W.exe

MD5 f7d2f4428f94dc57965fb7f67e164f61
SHA1 987794996f2e18dcc6e17ee9387e1a73300839a7
SHA256 a95450f9498d3247475f2e70b3d2aca20f32520aeeb1a7d71e66a508d07ff88a
SHA512 07a51619815b9ca59b5b642d39d154ef292fbdcf3019f317f6658d739e8327945ddeb2c7663acc3fe0618f6a213526518d09dd4b50e8bd7b45e6ea6d63ee28eb

memory/6168-845-0x00000000004A0000-0x00000000004AB000-memory.dmp

C:\Users\Admin\Documents\GuardFox\9nAjk7ElylJ34eBZk5HqODkt.exe

MD5 a496f9c5d278450d0badce1e42abac86
SHA1 8c221dac46108a0a75c24e938480d9b8723b5f5f
SHA256 0e1eb8cc8eedd917f293e0264636224c44e2f4db47843bc56f6af5b10b67b4f2
SHA512 db12fd16015d10af0659b19098cf24115e0e31c59b3715a913868b51c8ca7a0cdea2d8e3e80f3429aa2715f2b40b27d45770e15087ef9a1e33a9912fd1a83595

C:\Users\Admin\Documents\GuardFox\9nAjk7ElylJ34eBZk5HqODkt.exe

MD5 9a463dd800a86aaf4e7656cc32d1b12d
SHA1 4ee361f93305bae2aedc1449b61d9ec738361a2c
SHA256 fbf52b2200a27c04cc91c0301c418a6aa6b31ed738e3251f8cf4132a340806a1
SHA512 3b897496b0f510e890713a9de285b8eb0a1b62fd9a6a4f9a9e263060a49b5b5fa00f2b2dc4febd7d210e8c54146ff95cf6aa044c7c9470061444faf4d541d360

memory/6960-886-0x0000000004D70000-0x0000000005314000-memory.dmp

memory/6960-895-0x0000000004C70000-0x0000000004CDC000-memory.dmp

memory/7152-906-0x0000000000BC0000-0x0000000001B73000-memory.dmp

memory/2364-901-0x0000000005050000-0x00000000050EC000-memory.dmp

memory/5504-911-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2364-918-0x0000000072030000-0x00000000727E0000-memory.dmp

memory/6960-928-0x0000000004D60000-0x0000000004D70000-memory.dmp

memory/3712-938-0x0000000000400000-0x00000000008B0000-memory.dmp

memory/6960-937-0x0000000004D60000-0x0000000004D70000-memory.dmp

memory/6960-939-0x0000000004C70000-0x0000000004CD7000-memory.dmp

C:\ProgramData\IPTV Channel Browser 6.6\IPTV Channel Browser 6.6.exe

MD5 d732f07b15951ca19e4bf87361ce05ba
SHA1 883c73317c095a2ed0f509e02e5e7fdea009720f
SHA256 d91b145def4dfee0baa0f6f1aa66832359e1c55cb220a2b6ebcacb9befac4ab4
SHA512 bead6c5ce8408bc16c3f764dff15bd833fa6649e9660c3af8b2259d2d51f8918db9da831255f88f6e20845e970747e750ba165064f09517fe5e0645a42b0308d

memory/6960-951-0x0000000004C70000-0x0000000004CD7000-memory.dmp

memory/2624-955-0x0000000075E50000-0x0000000075F40000-memory.dmp

memory/6924-953-0x0000000005D10000-0x0000000005D76000-memory.dmp

memory/2624-959-0x0000000075E50000-0x0000000075F40000-memory.dmp

memory/5040-958-0x00007FFD109D0000-0x00007FFD10C99000-memory.dmp

memory/5040-963-0x00007FFD12DB0000-0x00007FFD12FA5000-memory.dmp

memory/4156-973-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 7cc972a3480ca0a4792dc3379a763572
SHA1 f72eb4124d24f06678052706c542340422307317
SHA256 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5
SHA512 ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

MD5 cdfd60e717a44c2349b553e011958b85
SHA1 431136102a6fb52a00e416964d4c27089155f73b
SHA256 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512 dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

memory/2624-997-0x0000000005280000-0x0000000005312000-memory.dmp

memory/2624-1007-0x0000000005250000-0x000000000525A000-memory.dmp

memory/2808-1015-0x0000000072030000-0x00000000727E0000-memory.dmp

memory/2624-1017-0x0000000075E50000-0x0000000075F40000-memory.dmp

memory/1968-1029-0x0000000140000000-0x0000000140876000-memory.dmp

memory/2624-1037-0x0000000076F94000-0x0000000076F96000-memory.dmp

memory/556-1049-0x0000000001170000-0x0000000001176000-memory.dmp

memory/6948-1052-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

memory/6948-1044-0x0000000000400000-0x0000000000D40000-memory.dmp

C:\Users\Admin\Documents\GuardFox\tOwu157Mq2IKHvu7Kopa_Klj.exe

MD5 d422e54f79b3ac2abbc55c422b9ae90f
SHA1 409323657376ac891324e8e2722ccde7a986d60a
SHA256 7cadcc8e3382a904a096708b8a90cde39b43ff60eb2a29cbb412b010371a7394
SHA512 d103cdddac8119479b435e3ed651c8f8a3f9ce38f4696f240c3c886489d1ea250ddce49898b8daa8ca8fc9e71a501a9abb9cebe794f8e0c984789fc9293f7c55

memory/5504-1034-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2624-1025-0x0000000075E50000-0x0000000075F40000-memory.dmp

memory/2624-1022-0x0000000075E50000-0x0000000075F40000-memory.dmp

memory/6960-981-0x0000000004C70000-0x0000000004CD7000-memory.dmp

C:\Users\Admin\AppData\Local\XDR Encode LIB\xdrencodelib.exe

MD5 05b4cc9b095cc851fcf724e862070ddf
SHA1 8ae5a67102b7445e29b787b658bc0089e716c676
SHA256 bcb29a36920b7631ae1e8db66ef86be4ee70c6b5c89c31f9d3bd7dc9514b5734
SHA512 8d597a2d68f83785748de495a0e223ec7316b908a113d500eba968f2107dfa95cc15603e64252391ecc7ce91c6314597dc2f6900fe30dd3cf626a3765070e526

memory/6156-980-0x0000000000C20000-0x0000000001103000-memory.dmp

memory/5516-990-0x0000000000400000-0x0000000000830000-memory.dmp

memory/2008-977-0x0000000000400000-0x000000000062E000-memory.dmp

memory/5108-979-0x0000000000D80000-0x00000000016C7000-memory.dmp

memory/5108-975-0x00000000034D0000-0x00000000034D1000-memory.dmp

memory/6960-974-0x0000000004C70000-0x0000000004CD7000-memory.dmp

C:\Windows\System32\GroupPolicy\GPT.INI

MD5 93b3886bce89b59632cb37c0590af8a6
SHA1 04d3201fe6f36dc29947c0ca13cd3d8d2d6f5137
SHA256 851dd2bb0f555afaef368f1f761154da17360aeea4c01b72e43bf83264762c9f
SHA512 fc7baef346b827c3a1338819baa01af63d2d4c31f3f7e17b6f6b72adab70de81872a67e8f3c1a28453abb595dbac01819a9bcff0710e9651a45deaf2f89e65fb

C:\Users\Admin\Documents\GuardFox\01H6aVrK5ITjQyGqEYss8eSC.exe

MD5 7367594121aa591d4da7e7ee8559b688
SHA1 2b72b15d2f62a3ca99ce69f7129d967fa6ac8f41
SHA256 126994dd77fe38424ef1ddec0d0e8c0ca3291a2187d1a8a65788c45547de8cb5
SHA512 5fa8d082ffad6260119f2abb5dbd6699dca952bf0952eda569f37a17f6a3a8780877f4fc7e2f4625b345ddb08348e58e8f7563bcc1f0b50962406dee269fc110

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A65DBECD82A40019E873CE4ED0A79570

MD5 a562f4cd301f2b2dbb9e2ea6b4cf3626
SHA1 53ae0b9afddabd1451aab4079dd5155fb7637029
SHA256 5bbfb660ebe736a3f09bc2559d1560af8b46e95eb2ab5a3d77de510eb3515f94
SHA512 29b84c883ab671b810f3507eff6dc0c9dcdc1cfcb09f234d6b74453e29c6d9746519036fccab355834633b9162319c01ee173eebc97d5eeb97f42749d4e4683c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A65DBECD82A40019E873CE4ED0A79570

MD5 6543791e52074c33097d50ccb1753002
SHA1 721e5d49d6222b74902b6c1df40155309df66e61
SHA256 344fabfdeebc02cfb1b0b4f3e89f7308aa22651c029ec58b8bba1b59388cd4da
SHA512 e074c3ce82fbe73bdba5ace16ce4f9ba512510905b0e857c82351c84091d5ee071ad9c72bd57777e4685b095913dc8a3cd10755a0e799b47dcffca4e3adfaa75

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

MD5 0b38551b1d56621ec4c4591e3cca378b
SHA1 467d862cfa9d954c591d5d7ec040c2b4f3d25bbe
SHA256 1592f1d97f92d6c613ddbd8b65b9f1fe999e2d4ac060ea6fa8251f2e9b90760e
SHA512 caa28c6858d4efaf1cd8046a3f7cda7369c7c685a58d27393abc645b3b7cc6a7b7369d0fa5373b7913532d40ab1b6f0e3f72ecd7e1d93e0b193507144ea447f8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\ACF244F1A10D4DBED0D88EBA0C43A9B5_16756CC7371BB76A269719AA1471E96C

MD5 1c9d92933742f6c36966c4583f46bd08
SHA1 ec4b491f184e0dbc3dceb3c0437f9273b5bc2f84
SHA256 5e233f71e9de6a7091923f21537b0e13470130eabc594173cf52e879f7849c66
SHA512 db29601b2ac260d45446820d52d2c692e129db619eba9135d6ec7fa9f61f8abb98c319bb1f67aac8f2929d96189961766adaa70f116948d11f7dae3a6391c467

memory/2624-971-0x0000000000B10000-0x00000000012E6000-memory.dmp

memory/5040-970-0x00007FFD11F60000-0x00007FFD1201E000-memory.dmp

C:\Users\Admin\Documents\GuardFox\FVlbmekZudhON4gzIqOnpuqU.exe

MD5 ac48f5ba13e20795eb303e258834028a
SHA1 9c3e13989244a593bf35fdd720e122d0c2ac711f
SHA256 f98404d91213253125de7edfc57034e7d9a2cea39a7bf8851062cffc856af3d9
SHA512 50433c5d7eb54b5b40d0978ac162b84fd46922e76519d4b8c39e01a35e996e1bea650efad7eafde7e94d936a5196f5b3ff7d6a22a873dbe719931006d8ff8f53

memory/6148-969-0x0000000000703000-0x0000000000711000-memory.dmp

memory/6148-962-0x0000000000400000-0x0000000000448000-memory.dmp

memory/6960-960-0x0000000004C70000-0x0000000004CD7000-memory.dmp

memory/5040-947-0x00007FF66B850000-0x00007FF66C29D000-memory.dmp

memory/3480-952-0x0000000002D70000-0x0000000002D86000-memory.dmp

memory/2624-950-0x0000000000B10000-0x00000000012E6000-memory.dmp

memory/3712-949-0x0000000000400000-0x00000000008B0000-memory.dmp

memory/7152-942-0x0000000000BC0000-0x0000000001B73000-memory.dmp

memory/6960-943-0x0000000004D60000-0x0000000004D70000-memory.dmp

memory/2808-931-0x00000000051D0000-0x000000000541E000-memory.dmp

C:\Users\Admin\Documents\GuardFox\Ql5uOaERvm01yozk4imVjg8y.exe

MD5 2bbde77b165fc88f467357e3012b7fb6
SHA1 f06fdc361f1804a938c957db6aab253c7497f765
SHA256 a35fd21aebc58bf9f6e969d39b3dd013f29deba4bfbd6700da6b779d96a8131d
SHA512 7587fa82cbb2dde1d95f0a6052fed7902beb34dd85319c4330b7d1868a36d5b14a80458e7473beaeaeb95990f5d74947909d611cb1526c920060f9b9595df8ef

memory/6948-930-0x0000000000400000-0x0000000000D40000-memory.dmp

C:\Users\Admin\Documents\GuardFox\01H6aVrK5ITjQyGqEYss8eSC.exe

MD5 7e92175703a8105c2ea0b8e5642e3e18
SHA1 571d40361144b3bfe19a51db18c5c51df55add83
SHA256 99843ab7c6b0b8f8537be6cffa32103649d37234d850e0d6ead7095a6b09275e
SHA512 6b47301f5d4d7062bd6b787681d95ebd0f06ca620e2b88c279a1b51024f30fdd5ceb30fa78cff7c5fbe7bada1940c02283cbfc46bf3849d80b188b0484ff1c3d

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

MD5 a5ce3aba68bdb438e98b1d0c70a3d95c
SHA1 013f5aa9057bf0b3c0c24824de9d075434501354
SHA256 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a
SHA512 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79

C:\Users\Admin\Documents\GuardFox\Ql5uOaERvm01yozk4imVjg8y.exe

MD5 58ceb593c521e59fb870175411c5f266
SHA1 cd1dbf7a21798372572e476df49bd862a8fec273
SHA256 c99e20696e257cb20b21c57f7645360c16058fcb11059fd43ecfedcc6bd9039e
SHA512 c4d1debfc0ba4e5385fa6dd850010f6d37bfd5923eb7c676befaf7c88b3fa66202bed9d907ab3f86ea27f1c8272ae187880eee311236e05ead478a3f8c7e3376

C:\Users\Admin\AppData\Local\XDR Encode LIB\xdrencodelib.exe

MD5 35145d387402c18ce56cbc2a4a926022
SHA1 fcbd86369605c792050a92744c51c7be34dc6c96
SHA256 1d3bec54cea78afc770661284803829a50785389b1e28108efcc26d26782d0a0
SHA512 880b05b56021cdf76b6b015d7c873442247a46d0a78cb16062bedeebd4b670728623b6cf1bdfe00812bb39565b7f69b6ed740f9859cf5f6129ec423300be163f

C:\Users\Admin\AppData\Local\XDR Encode LIB\xdrencodelib.exe

MD5 6c3c7e3766ef2b8718c4b5202aa4d45e
SHA1 3a1a221c564f8e18735750039ea2e2e9837aa212
SHA256 f5b0a9b15848cb7d950eb6e95dcbc7bc9507d86dd2999eaa9124ab05fca05f38
SHA512 9d8f93532d8fbd7d88a603fd9014e84ffd737ac45f90f7d01e9b654a5d91fbede03c726463c250e434cb89937f060c6c10451e6a9bef40e091d4f8202371acd7

memory/556-924-0x0000000010000000-0x0000000010298000-memory.dmp

C:\Users\Admin\Documents\GuardFox\01H6aVrK5ITjQyGqEYss8eSC.exe

MD5 9fc22dfb91a5a3e9a924ec23de9705c4
SHA1 8ab4c1dcffe85fc13eda7a35f4889f6054f039ba
SHA256 e4dc9db7d0d24a3e79cb2c3c5a727f779697ee2fe660e5f290c56177cc648735
SHA512 f444d75be47992485c93f6f5d08c7a4ed9b73dda74124266dfcdacf22bb7cbd7e2c9228f6a6add380d486edf948df1217f3df28de02490c57e078ba7b2994b16

C:\Users\Admin\AppData\Local\Temp\zi5OPV~J.ZcZ

MD5 61886ed498beb2f750bc244d2ef2e477
SHA1 80166a4d8ac2159e81d06f0e888c6486f1bac961
SHA256 9f9ca4d6184f5ff33ab72452b3b37706bda1f6c1b546c8b9d5296387b3248902
SHA512 9404fe541ba09ba9c7d6ad7c1d2d12ecb3ac105fd16ff3244ff095a521ecb6c9a6a01fb1fca44c3a986efe400647ab800193246f3ace82d07a61b6d37b2dfb3b

C:\Users\Admin\AppData\Local\Temp\msvcp_win\UniversalInstaller.exe

MD5 b1a0a073cc8f01006b056009b302e397
SHA1 dd47dbb928cdd3608c7106a659844cc7d63c9f03
SHA256 30c7ae7ab62f3794418548111c59f2fb6dd146607a4db846fd370a0a13c17aa6
SHA512 42ed0f2430b98817e9b75c1caec71332854ab7a102110c799ba812550713d8c9c299bbf3ec976b9517eff8abd6a48e81e3688300879223c71ab9b03b69dbe9da

C:\Users\Admin\AppData\Local\Temp\zi5OPV~J.ZcZ

MD5 4f281476f30536b81b7877d3f16dfb09
SHA1 c3ee095f61704379a4bc575e818db996e592e4ad
SHA256 74068b9e413d0f7da17314906cb5f34f84e6ac6cb1f80ec92bb547e0e16bc506
SHA512 278acfe0ac048248419d2e9d384d88008be0d864c402a9bb31d976f1625a69e0d133c034f268e61b2b805ea475897939d3835c2177d1ed73f138e71cc6809bcd

C:\Users\Admin\AppData\Local\Temp\msvcp_win\UniversalInstaller.exe

MD5 f258cbb66954ea02c6d0e758a9065b2c
SHA1 94196422416127b3f0a7e539ff899a17c0ad5dd5
SHA256 dec8dc1bbcefaf05d30c2e9f41e4f8ab2460361d348401fdb9cba6891626e39f
SHA512 ae1acc629a86adc96c87c8c4d29997a2689ff165d9c2c4db888ea53cf6f83a63bcf7fc0a157a0314b772e6e10b3ac3e6c781154ec79fd0c7a64465666c1d44d8

memory/1968-921-0x0000000140000000-0x0000000140876000-memory.dmp

memory/6948-920-0x0000000000E50000-0x0000000000E51000-memory.dmp

memory/6960-919-0x0000000004C70000-0x0000000004CD7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jobA4W48N2PKjE7S0l\8ghN89CsjOW1Login Data For Account

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\jobA4W48N2PKjE7S0l\UPG2LoPXwc7OWeb Data

MD5 ebd88e1094ec35b2f00b96a8e95ef4d4
SHA1 6d7d8b7b1b66a43894c3ccaa15091e894df42f88
SHA256 c510896327fd95ac5c63064095b0e826675d8eb2fee1acb45c390e2acdb98354
SHA512 f95470c8d1176134883119576fef988bab33a1e758d6b253fd9ff18e1ecd6d2e749d14a742911199b7933ca8a20046be2d623241c8f9e22a838b3403707be3f7

C:\Users\Admin\AppData\Local\Temp\jobA4W48N2PKjE7S0l\D87fZN3R3jFeWeb Data

MD5 02687bdd724237480b7a9065aa27a3ce
SHA1 585f0b1772fdab19ff1c669ff71cb33ed4e5589c
SHA256 9a535a05e405b789e9fdaf7eaf38e8673e4d0a8bd83768e72992282a69327d89
SHA512 f8ce4f6ad7211cbd17ba0cb574ac8f292727709479e059f4429a818d3b74dbe75d6e6f8cb5576b6bc7e3c1bd0b471127f0ddb38e816fad8aa44a77c15de7e6df

memory/1968-913-0x00007FFD12FB0000-0x00007FFD12FB2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jobA3W48N2PKjE7S0l\information.txt

MD5 6945491153c681ccac99097c77eef818
SHA1 d13f8db94e5c8b48fcb0237a2dca3e3e7b47718e
SHA256 ffe3801014bc82b0104c83f9401ea497d9a386133e661d7a8cb3df9ce0feda50
SHA512 b0ca1ac48e0794b27774155d160a4800c43c660a5e87216f4ac80e34600ef207db646dadd5f62f669a8e5326a88cb11baec9431d70bf8f243db13b5031ea6c22

memory/6924-910-0x0000000005990000-0x00000000059DC000-memory.dmp

memory/2808-905-0x0000000005430000-0x0000000005680000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751

MD5 60fe01df86be2e5331b0cdbe86165686
SHA1 2a79f9713c3f192862ff80508062e64e8e0b29bd
SHA256 c08ccbc876cd5a7cdfa9670f9637da57f6a1282198a9bc71fc7d7247a6e5b7a8
SHA512 ef9f9a4dedcbfe339f4f3d07fb614645596c6f2b15608bdccdad492578b735f7cb075bdaa07178c764582ee345857ec4665f90342694e6a60786bb3d9b3a3d23

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751

MD5 45dac7ae1b02ef06e60ee280eefe8256
SHA1 118dbc7dacb5ee83ed6643829fc6bd5c45851296
SHA256 20c480b38fd4cdebbd5684a37bd5716f44b891e7ff35ae8c66b350cc69f7924c
SHA512 f9889a371e1d29e13f54318ad41e0abb1752fcf9510d11648aeca1fc5702c151456d8f2fd052d758214519fa6f64582fa238ede3ae555fc27e33c24e8a668f85

memory/6960-907-0x0000000004C70000-0x0000000004CD7000-memory.dmp

memory/6960-903-0x0000000004C70000-0x0000000004CD7000-memory.dmp

memory/6924-902-0x0000000005930000-0x000000000596C000-memory.dmp

memory/5504-899-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\Documents\GuardFox\9BJtdwBE6uYtiYT3Askmjm_H.exe

MD5 6f0e5ad311936054a33eb7287c594521
SHA1 c973d47705660081bcbce5a99832c5f035168776
SHA256 54ee98582d3733d200040666a41685a51467de8ed0f6e06bd076fb94ee7ec1a9
SHA512 a00a696feee34b30eaa3dc88878d649ea824d82abf67fbcfd058a2942d52a0092f750e3a41abc303b8b04a33b05a34b528be4e9827a272a40067e66ba8fa367d

memory/6872-904-0x0000000000A2A000-0x0000000000ABC000-memory.dmp

memory/6924-897-0x0000000005B00000-0x0000000005C0A000-memory.dmp

memory/6924-891-0x00000000058D0000-0x00000000058E2000-memory.dmp

C:\Users\Admin\Documents\GuardFox\grSxAgZJX8EppGTk0v0tdRzD.exe

MD5 c717e4a1d52e8ed9eeea03163ff09c12
SHA1 8d83f50ea02ded7830c6a7cce70fc9ef23b19ee4
SHA256 fcfb528221e2578b93e6759ed3aa2060a82681388179c6da677f37437362d9a0
SHA512 7ba151de4018698e7d8b09da0f2d69c03ccc6c10bce7434b6862b7824918700ee46d6a7598e98c36255984de05f708962342e6e210d8d1c0f6438f2d525a9653

memory/6872-894-0x0000000002550000-0x000000000266B000-memory.dmp

C:\Users\Admin\Documents\GuardFox\tOwu157Mq2IKHvu7Kopa_Klj.exe

MD5 70c282ef5f1a6bc58df6a4c95826908b
SHA1 8e52c3c34513738c5a9b65cb49364cd1fd66d7b4
SHA256 2b9a434b5c54aef76e461091d65144605c7f5128c926e448053b89c465236376
SHA512 97b81874b9d5197d25593e3f35d7b236b017163cca30e5716cd0485ae925c86f1f6a4ea21feef7295a7b0a0d6e2c1f466cc1f77c94fb57408b4e7b59032c5f95

memory/5504-892-0x0000000000400000-0x0000000000537000-memory.dmp

memory/3768-867-0x00007FF75E010000-0x00007FF75E2F1000-memory.dmp

C:\Users\Admin\Documents\GuardFox\JFnaejzd3kJTyTcM3MBHgFai.exe

MD5 f0d7132d79d27534a67442b43650c56d
SHA1 e837f7a6984787388bc33eb15a096dfb48c28fe5
SHA256 ce81b0c4b36063f2997f529b969053dd914ffae890b433e71d2241c2246e499f
SHA512 8474c798cee44e6eea1e47cbcb0f058b27ed708839af2686c6dfe7b47ddcca71ea92f7dcf070850c5bc370900305afdab83bcfd30280eb6db27def88d7b8beb1

memory/6960-862-0x0000000004B80000-0x0000000004BEE000-memory.dmp

memory/2364-873-0x00000000001A0000-0x0000000000672000-memory.dmp

memory/5040-872-0x00007FF66B850000-0x00007FF66C29D000-memory.dmp

memory/6924-871-0x0000000006010000-0x0000000006628000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\jobA4W48N2PKjE7S0l\BG_HewEom_yo4_0Ymqx5.exe

MD5 798e2dd53a29056c42d58314be41c526
SHA1 89de34aec5d3e9a0c8ee09c86b2be01a465a1f40
SHA256 f092a3aa44c33843a579f6b18792bb4689bc8526b9da13094185efa16a4977e0
SHA512 c582f6fbca6e4afdb5315a91ba1fb3c83fee15fc6d9d6faa424db51f880a1e91a610feec212029db89c0679d8c3c0d975fd7bf63056e28726524e20a124c8674

memory/6168-861-0x0000000000400000-0x0000000000448000-memory.dmp

C:\Users\Admin\Documents\GuardFox\EAjZobOuZpxn1lFyXQAYd0GT.exe

MD5 cec2a426d01ff297fdae3761d08d74a0
SHA1 69f152d1b7ec68261ba77e0aa961d965dfb9aeaf
SHA256 0894974e5e13e47114411055550983d25c80aeddcf603ea9b933c9e15ca81615
SHA512 9c4b723fa6c9b335d32c78653aa78e4e3864d9b92e90e58b14616cdd53243433950b552d69f60be1ab284a6dd19296b18ee8c5f5cb48e42086653eafef0a9bb4

C:\Users\Admin\Documents\GuardFox\EAjZobOuZpxn1lFyXQAYd0GT.exe

MD5 8d0e343b7859e2e8b01ba27b785fb6d9
SHA1 07db9988e7a46d240d240bf68ac2214915fc7a29
SHA256 b630d2258805d7a9fdc68938776ff3dc0b82b18b1e05c6c766ac65d35b813eea
SHA512 29d559384c821e69f4bb4351cbb110b1d721d6628682133a1c12120e5ac645248484914ed38449666e80a8a36f13a8653b517c5d0d9a3aab5698828fdf569509

C:\Users\Admin\Documents\GuardFox\Dimu1yCf_rncQH2Q9EK34rw7.exe

MD5 2af82d48438b92042e69e9f781086c16
SHA1 4f90d3f52f4a301a0c2ac12377adbdfff7be438e
SHA256 7c9214806eeb5059b9611d6fe0cd6055742749caba6f1f8f8011aa67e3961da7
SHA512 cb8318e52dd50decbb8ac3cd6c1fd7faa6e33c726c08947658637115fb796ebfb2834171ba15e93d7eba736de0e20c5b07cb5f25262285ef46df6365fbcc1a1a

C:\Users\Admin\Documents\GuardFox\Dimu1yCf_rncQH2Q9EK34rw7.exe

MD5 3d8499bba63c053408c3b3c367c03e81
SHA1 1000d6acaac36293590d62be2d1a4f53e3a716f2
SHA256 f37c11a91f57c17b8ef6f256c855e9103eb493e344986bad9ad177e1a07f0782
SHA512 2b9161d6e19c4822be8f103c2fe2c385582850fd55492e8b0e3a65b811d01107bc053a312bb121cc6ba2cdd99a351a3c131d3ebaf1eeb1e845e0909acf673623

C:\Users\Admin\Documents\GuardFox\09KCWMn5NJWpwl11JomKZL6W.exe

MD5 99f3ce9562711629364aad75e991001f
SHA1 19e48dd85a5bcedc0d092d73bf631ac2cb598041
SHA256 813eb2c76ffb2b37f71e0f7be077590c628bc4ff3b02953eb41754f71ac820f9
SHA512 10ab001f7480ffaa62ae48daa25eb881b0555ffcb68880ac4582ac463ca7bbf984688ea16c14ce90e5477875755889e3c54f79ea7e3a70484defc28ca7155f9f

C:\Users\Admin\Documents\GuardFox\XXOA9F19qkaFn8XhoZKAzo0p.exe

MD5 288548c4ca6af432e08311454ca4ac35
SHA1 69602d7b2c45e6df5e373d3adf0944dfc754a725
SHA256 a524bf30609a9cecee703ed46171fedb7d950942934af5562a9e3d39a7cea637
SHA512 4053d34122e9f922c8957bf8dc871c9e9e03061f5e4ecdb78b6f2fbc0a6a6cae4d1838992460bebb7936022b6ac7ba33a95537cb9f7b6377f4db366cadb3111a

memory/6924-813-0x0000000000FC0000-0x0000000001042000-memory.dmp

memory/6168-812-0x00000000004C0000-0x00000000005C0000-memory.dmp

C:\Users\Admin\Documents\GuardFox\XXOA9F19qkaFn8XhoZKAzo0p.exe

MD5 b44f2bada8770838c324db7c8ffe08cb
SHA1 16e19d6e55e35764798887e8f5d0f37fdc6e8c9d
SHA256 a72793f83e7be0e9ef4a4df600f259e78cde7c99895d2f9134bbd01501fb6e13
SHA512 b348c0474d90548947d22a3886cf8fbc2ac3a800e3dea4b60a17f8b3cd019aa6a541fe619e69d77b9780a809092614284f70da1d16ecfc3dc375d94ab52e1b9b

C:\Users\Admin\Documents\GuardFox\X_EnyONBjNVniUxjdzzaCDJx.exe

MD5 b6f2813d8654c0c5ef146c58151d74bb
SHA1 d61806d8e255ffcebc725d39f8079f56e267ebd6
SHA256 7d20a76e07daa79d6d09daefea54498b976da8c6a120395668656abbca8e8976
SHA512 38894204b0618c3abb4ce11bbca871e0d0134b55ce64c77afd3e50c2cd54b942b5873daaffe4e1937bcbf4438ca85b6ec236f2305f33c44fe6af24f09f668a79

C:\Users\Admin\Documents\GuardFox\5il1F6kCyub7JoMkSaPcMygv.exe

MD5 1e08a53974fad84a8d48ff83df815497
SHA1 2848ba2b873b38a3eadd71bc7718906ae63e84a8
SHA256 acb180f3e117197da1a3d6efff32d5399bdb3b23f5131b28b734338f739fc9cc
SHA512 f79d4da043166b3df2d1be52dfb2842381064bf6e8bb63bc653c288d606e648ec85d569a60526c7ac87e959f581cfb7dfe38d6b9495af16299aaf3108c7f89af

memory/2008-776-0x0000000000400000-0x000000000062E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-3NCJE.tmp\V1aQ4WgGmYDw4WTokypwxW0O.tmp

MD5 30bb4d9a28c346356dd7f14df10bacec
SHA1 6e0834108e2774cddae9ee05cec92c25438040a0
SHA256 7011b4bb6d09d13ac1a951d304f7ca9938392b3d3fe0d7216c2a902eb4fded06
SHA512 6d5311a05c30e7132df12fbd4f482a20bc57122c6a65f977ddfbddc2383e0427e6a8499f3fae812eb7a9f34beb90f31869b5edaacd4050f19db146dde3a226fd

C:\Users\Admin\Documents\GuardFox\aec295eMcA06P4qpEdbSbnh9.exe

MD5 a5cd8dce77318005a1bbe1aaebbd3e78
SHA1 f70e225c4998a039aff85fe1643f23b4a7ad4e51
SHA256 8deccc5a421a583368d3e9c30974b9d0b5729e100f95d3b7dc4692d3f04cb6f8
SHA512 936a4dc25ccc18f16dfb3c14402b1b343ee1a03772b359b7d178954d0bc5072e42a8d152421e4005ea9e78ea09c1ad570155644221b03bacc4d84a973e1c8488

memory/6200-721-0x00007FF772EE0000-0x00007FF772F32000-memory.dmp

C:\Users\Admin\Documents\GuardFox\m5OlHZeBRqi1Mg7BuzgzMLJO.exe

MD5 4525fb814a65a198592d4ec7825aefe4
SHA1 029f14d83152e03a47d5414949aa2ee71b38ac92
SHA256 fee8ca8362543b4f6c986b3ece121ec08778799fe9b705657e486559b4c345d1
SHA512 44f491f65763e631dde9e274aa2380f97eb7275925ed490fe5cddbe44c9713799588c257010c3b48b4c3d66b7b8e8a7ceea8724631229e84bb12ca0050b95060

C:\Users\Admin\Documents\GuardFox\JFnaejzd3kJTyTcM3MBHgFai.exe

MD5 f9d09437c62f41b74daef7d84826092a
SHA1 1b57c3275727de14a3b812fcba3c919de84e6f80
SHA256 40b83d0d043d496ddbaf0b53df117cf7598d9f66253be53bd9bfda3955f5d824
SHA512 f065ab4275c2c7d05563131fd25e97e38b1f32e77b2811a7ac29d20ee4e5a1532383042f104633f8a2df8dfc55a526827d84cc5fa50e103d36d165015f7f8d82

C:\Users\Admin\Documents\GuardFox\rhita_ubUD9ElUjVw637Qqfd.exe

MD5 4f0e1e80aaf8e1d79511750816de3b52
SHA1 f3d4823d4d4c9b5f6a2a4a5e25032be27b62bd90
SHA256 9dcd3c77f1a8e1d4b9f7dd9391d9fa78ee13440e66bcf528e99bb7f9efdf0fa4
SHA512 9559127d866911d0cccb6ed84e806b16550c4164fc8e090c480029344d6180f306776950f0eeb1bc2d05ab06aaf8776d0588307c0a740ca44c688b3e1972301c

C:\Users\Admin\Documents\GuardFox\VOuudOuU1Ykz6N8RTAbw4HLv.exe

MD5 986ccd4c8b2686a84219b37eb940807c
SHA1 7782d7ba1f8b7e98fdb625fd9143b9df7b6c0bb9
SHA256 3c384c46b050af0d75ac6c85ea0d038075b27900dd5bc8da737286f131224a80
SHA512 b61330247587443a8a690caeca66d7109a621e09fafcd622ce1f20b41a903b9ea1cf69c9f8dc50206f91b49386d60f77f63ed0c416df7df6b1970fe8dcab028b

C:\Users\Admin\Documents\GuardFox\Dimu1yCf_rncQH2Q9EK34rw7.exe

MD5 d85d296a35f61087ffd5452cc866d91b
SHA1 d62b4ae093812736879c736dfaed9d3c3c8c42b8
SHA256 6129bf1d9abc23a3cb0439b905e782e6ea7a8522527e265cd127fa8ac5a46473
SHA512 4339b7f8fe57e80b35b8bb67eb9fc92c5393af16346e38fd1d16157cfe46a9a438d1c9c337226157aed6bb499a492f899acdbe89a7d3b1241eee8db197ef77ac

C:\Users\Admin\Documents\GuardFox\EAjZobOuZpxn1lFyXQAYd0GT.exe

MD5 b2e470a4632d30d5cd78f3ed09b12715
SHA1 da31bd46ed968a323dc9623e1dbb0d841be93c91
SHA256 6427f355242f671cf4f786f1105cdfbb2fc349b144fc3c9df227cb0d88a1eae0
SHA512 4eba91fbe5663d89fe2ca63a549185da685724d0ea2a44418294c1facdeba69f97b571902ab92afc49176eda820efdeb99d8cc75f7570443adad5a6897f38fae

C:\Users\Admin\Documents\GuardFox\09KCWMn5NJWpwl11JomKZL6W.exe

MD5 6d0f35858c7300ce2f711f88d2c2339e
SHA1 008da13bfb29a43ee01a21cf2dac5a0341551746
SHA256 7b532959f8ea1e2181131f5a00bc2fc0bdc6a4b22a2d8ee70fb7bb6e114a4362
SHA512 25a20ca0d65b8e2e20bf4482ab8b051c9978c37f0022ce76d6f11747ad677ea40545f8096a46e429f9abb065f9d616807eedc8e7d01a74e7f93a2eba2ca283b3

C:\Users\Admin\Documents\GuardFox\9nAjk7ElylJ34eBZk5HqODkt.exe

MD5 f26c4ac2165a66f34a2f8c76d676db7f
SHA1 cd004f10f8cafdf3d76916f65b5e5b47864c46a8
SHA256 799f896e509edf7affe1f685cbbb68d6569e5b42c4036697d344453ad94638db
SHA512 9f5a970b479f414ef16acfa18ecc3dc9dc86329baad5f83e33f734c6c8d5578e5192776ea32f90723e51013c17874b6c9ae03e71437d687a1c08c6415a269df0

C:\Users\Admin\AppData\Local\Temp\jobA4W48N2PKjE7S0l\pwIrSZJhdSPQHIU9wnJt.exe

MD5 00e8a3b970a27f797a04f0aab4db32f3
SHA1 8f46fa7862cfac57f8ccc0b5d0983e07ef69c409
SHA256 d29b41e58acb132fa88aae87c469560978f0d4038e38154739d472551ee2863a
SHA512 7f0f86ef90fb368ae82f3510991335c4cbd267a1a82fb36efcec9373719047d3c17372d71c67af662ce3a14597427819db7ffda2ed91d55b7750edfa728a8d35

C:\Users\Admin\AppData\Local\Temp\jobA4W48N2PKjE7S0l\vvJw4rG2zAyTBq1J8RPQ.exe

MD5 06d154795459a867e247efd197c4890e
SHA1 41cf822fd9084bcdaaf09fc19a890847df1fc09b
SHA256 645b701858c7548cb3d83ca438775d59ad0adb63ec7935d60b23fbc2e78f07b3
SHA512 dc783e8de71c6992e904e7757ddc407091a8d62a2ec557a7482672eac8621437d509f3483ac0089a1890759564dc3596fd8d28582c2ceb3019b75fe7dd4ade57

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 041500a075f2e1eb9c7501ba41d5217c
SHA1 dd929c601aca095c94346e6f05148c02c00f084f
SHA256 953987573e7057415c5fbd430abef648f2dc8124de01773a457f0365e46e648e
SHA512 be8776a46c07a659f1e28e039b880a37101a4bba5ed513a799767450ce09babb4e9740f2ada56383287e337e13e73d4b936be6f4b23d5ca16ef41c21e134946b

C:\Users\Admin\AppData\Local\Temp\jobA4W48N2PKjE7S0l\t7SzBAV_odeIrXbYDGZk.exe

MD5 5d37d8a89cde483d2445091f4eb1053c
SHA1 771861a55d3e312861d0397befaa9cf3e9f44d59
SHA256 92faa095cfbc7abd655a37c425f57e9f265873874de2707f34ccee5854d41ce5
SHA512 8d27870ac9b6c699895a9e6a92616ec442227c21dcd9669a64edae3d587025c61846e8c22797c1c1984ae9e15db8b2b8713da760c3ef4ee0a4a9983c4e6667a2

C:\ProgramData\mozglue.dll

MD5 d2131cc1ca85b9e42c855af646462414
SHA1 7f67df852fe5fba5ad64d3d43d2a86ce03fafc8f
SHA256 ec1b54ef526d602111bec7e8c41c3d7298b32f508100dd42ac9b1f220fbecea1
SHA512 2a4705b444c76e529ec1c105777a968fbfa09ba3f9b6f8aa9dbb81dbdc22830c997cd8627ec755aba2bfebfd84a1f674076cc5c533d4163db0bd61bade7b9a26

C:\ProgramData\CGDHDHJEBGHJKFIECBGCBGCAFI

MD5 6160fe47f9358bd1024bc07097901f38
SHA1 82d0696f752cab7a8070a4837c65ade2d873127c
SHA256 bea1f6bef3cf1b55e23c2a3e8802d58de4789521a860b8c4f090aeb7ba0b8ff7
SHA512 7f21defb2448d7b063332afa17761015aaff6b406a07a08035aa52c573ae49d1197405d10f9d0ac6bd3c0fdb09a0f627ca061d50d4ab1f4727b7cbe865b37ea7

C:\Users\Admin\AppData\Local\Temp\jobA4W48N2PKjE7S0l\nE5wqfSnm8O9dB7Rjmv3.exe

MD5 ef613b032f91dd8b50d31a60073b1ddb
SHA1 cc34f0801c5dd5a38eea4702871aedb6c3ca47f0
SHA256 ef7be84b685fd97cf3f4257a64d3b2c65f7f382d3a7ac59b6f13175b6e11bf4c
SHA512 d2c0ec938974f20a5357250238b854c54bee0e9f0707751bdd0fda88b6fafa3a0ca986b5290f82f602928e970ff1e24cbd4bcf7cbb8d7d598d1c6d0e938d871a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 5e77545b7e1c504b2f5ce7c5cc2ce1fe
SHA1 d81a6af13cf31fa410b85471e4509124ebeaff7e
SHA256 cbb617cd6cde793f367df016b200d35ce3c521ab901bbcb52928576bb180bc11
SHA512 cbc65c61334a8b18ece79acdb30a4af80aa9448c3edc3902b00eb48fd5038bf6013d1f3f6436c1bcb637e78c485ae8e352839ca3c9ddf7e45b3b82d23b0e6e37

C:\Users\Admin\AppData\Local\Temp\jobA4ZMtckb_gkjUzK\oOPEmFmu_xsJCookies

MD5 c9ff7748d8fcef4cf84a5501e996a641
SHA1 02867e5010f62f97ebb0cfb32cb3ede9449fe0c9
SHA256 4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988
SHA512 d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

C:\Users\Admin\AppData\Local\Temp\jobA4ZMtckb_gkjUzK\l6w3NVXsgpmDCookies

MD5 55f6abc8955b59465b3010241d2bca1c
SHA1 2cf5eb8a98b782b86695b2044aee53612e4c2ddc
SHA256 b666d00bfab1ab963ca5aca59afb9a9c2dbb983cacc64272b846209a2d407236
SHA512 2fa6ee9a974bde52cc022418acacd84317cb29c833ae4bea00cbf82cae24a1b3765b87f1633510f3b5592ef700790d071ff0fdcdd8c8f752b638b26e0c93baac

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 8c53701df5fc303c664235399e077a07
SHA1 1b8fc6c68de8f34338762f45451b72a515726295
SHA256 7edd95b8dd11f8d94d46818076e3cc2d52acad1e65000b55ab01f83eba2a1eac
SHA512 ea282314e17d1c5dc5aee787a83eac31e865bba760a40e9f8530e30c7354de85b4bf394e86238081ac3812eeb559e64466b1e882b99dfd9e6ac820f619c1cea9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

MD5 da720017583df8212fd69f8fcd7b6b6e
SHA1 0ea9e35cd6c6dd27a9601b0ec3a30cc8283dd738
SHA256 7ae143ff4808674a468026efd4944dc2007b3f6424ad789d88c0a3d31a625e1a
SHA512 4f526d979a5e772bc7cc8692fec922332ab8aa932573f93225dcb7908b55f42daeddf3f9d4b54ee47b042843d82483caee91a0273bdded58dc2a41b60b4ce0d4

C:\Users\Admin\AppData\Local\Temp\jobA3ZMtckb_gkjUzK\passwords.txt

MD5 cb415a199ac4c0a1c769510adcbade19
SHA1 6820fbc138ddae7291e529ab29d7050eaa9a91d9
SHA256 bae990e500fc3bbc98eddec0d4dd0b55c648cc74affc57f0ed06efa4bde79fee
SHA512 a4c967e7ba5293970450fc873bf203bf12763b9915a2f4acd9e6fa287f8e5f74887f24320ddac4769f591d7ef206f34ce041e7f7aaca615757801eb3664ba9a4

C:\Users\Admin\AppData\Local\Temp\jobA3ZMtckb_gkjUzK\information.txt

MD5 373e2f00fb837a2c725b59261fc2b73c
SHA1 86218ed004bbdc71f92d6d52701c343437cd0ece
SHA256 fe45e2780a7ef6264d4de41b0a7f233e601b63fd8008e4e29345fb003aeecc68
SHA512 2ab87d76db65c26436428be388ab74f2c23e753da8068aede0a74bf5343f1e65826a8d6bcc773940c4dbfe96974184a8b40e3e1d52ea920c55cae895a7f7c95d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 32724c5abc2815317926a9488a750e80
SHA1 f6c53ca13770c224beeedac6e79aa7ca843ef3f0
SHA256 5b1d47f452f04f840801fb7af435d4dded3354a7f2396125f0473b5150a35e78
SHA512 0b5deb7acc41111f90654df3b76792c1557d534a94302bfdb999c8f48d686a25e665d95ce8f7e88f73b32d1bbd7de581cb49d7e73e62f4edd04270569642e38e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 244373298f2eb3a12370ff941bdbc50b
SHA1 bde8745fd0d563cc40e9777664fd760e388341f3
SHA256 3c960c446b249794b5d1a951084471c866bf2a56073f80e0deb4aa3f449b02b1
SHA512 1f71ff3f708f88cbbe0ae29024fb4e9e0b579f7d12d4b50e58afe6858012f82d4065b6c61f5e1134ccfd88c0fe4e83ff23165e77072faee533631cf206c037d9

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 41f05c6a84473bfa5481cbd545a85a28
SHA1 b4f478bb726be08d76355e9ba289a93f0e701619
SHA256 973f402b740b9a3293c59b9a772c1bc39825c05692c98960cd9deb0e969daa76
SHA512 83963c2eeaa2126800184b6ba071ec354e5512a1e65b6ee55b09524754a1d40ba1f1b177497d1a23995bfa5778f47fd7d532a9a677cb752876d64c5d96300cbb

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 7021719e6539bcbf44236519c39d295f
SHA1 81accd8363787ae6bef34c5f4435faf012649075
SHA256 82e9f19826a49ed72be1e0f916e28b15e87b0939070b6d626f1f72fcf791d49d
SHA512 28ba34bd90e14541eda5fb9a53e8eca6fdba01b4dadfbffa2f87eb285a06fd86045b08fa760e14ed349a7c2531eb26952c1033a6c24bde2d92d10940b2ab6e61

C:\Users\Admin\AppData\Local\Temp\is-1CFI9.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

C:\Users\Admin\AppData\Local\Temp\jobA4ZMtckb_gkjUzK\o0qT3dWYBP7ZHistory

MD5 9618e15b04a4ddb39ed6c496575f6f95
SHA1 1c28f8750e5555776b3c80b187c5d15a443a7412
SHA256 a4cd72e529e60b5f74c50e4e5b159efaf80625f23534dd15a28203760b8b28ab
SHA512 f802582aa7510f6b950e3343b0560ffa9037c6d22373a6a33513637ab0f8e60ed23294a13ad8890935b02c64830b5232ba9f60d0c0fe90df02b5da30ecd7fa26

C:\Users\Admin\AppData\Local\Temp\jobA4ZMtckb_gkjUzK\KvHrxJ77cmUgLogin Data

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 289175ba8b879b9fbe54d29657bd33a2
SHA1 43fdc1bedbd95244bc9a24edf0d3c5f176415cab
SHA256 41a756a6187660b5c012a039113cd284324760f46bf02b7ae9cea4b91efd58cf
SHA512 2a27a5c2daa81adf81d68321f260dd5c367f26ebc855b8458da73ece8e5175720fc25dcc4fec2affbac97d99c179dfab8e10be08a248ac7d87851693e8e160cf

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 d62dd40b78db230e8b0d7ebcfdccb36f
SHA1 1b75a75fe9a3f8d43399b980ce468fe928b10ea5
SHA256 c4ae9cdc5cee8b5ca8c127c10f16d0c3d8a9c8738dc05cc1f65bfb56b803beda
SHA512 339016a894bcc842cf5bbedd0b90f76bc74be029a660a394c28ad0a8bd17d439aacc35e8a6b77065ad6401310bb7afe63e320abe9fb7247dceb22ffc4c19196f

C:\Users\Admin\AppData\Local\Temp\jobA4ZMtckb_gkjUzK\02zdBXl47cvzcookies.sqlite

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

C:\Users\Admin\AppData\Local\Temp\jobA4ZMtckb_gkjUzK\02zdBXl47cvzHistory

MD5 90a1d4b55edf36fa8b4cc6974ed7d4c4
SHA1 aba1b8d0e05421e7df5982899f626211c3c4b5c1
SHA256 7cf3e9e8619904e72ea6608cc43e9b6c9f8aa2af02476f60c2b3daf33075981c
SHA512 ea0838be754e1258c230111900c5937d2b0788f90bbf7c5f82b2ceda7868e50afb86c301f313267eaa912778da45755560b5434885521bf915967a7863922ae2

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\datareporting\glean\pending_pings\34c5ba35-bb53-403d-92a0-cc455c6b9f6b

MD5 d61ba49f4505ddd582f7d6d183ad5a53
SHA1 16f7063d05e1537e08967e11968a323d36bd689f
SHA256 e4675476a90063ea42dde6089264abe2e70754e7ad6d19a74a7c3569ea8b994f
SHA512 8b8d76de187dd38b5a58792875a8b0b47a2e058f932ae3b5fcadd1524ecc4686957b172f141c5f1e5cc8ab3efd3bcbf72df2795bc46a028b8c6b6bd1cff1418f

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\datareporting\glean\pending_pings\df050895-2c89-413b-9e16-55f0a67df017

MD5 b1459caf9ee07dab906a74a593b9791e
SHA1 42ba1fe4ea7877173c5e17607560317c5322b1e8
SHA256 18f5e6dfe267913213a73360efb0d2c0e534fa44b2212cfc1e248b7f1c45afce
SHA512 9e491f3879500c60d7f5d1098986b053b3c320bb42bb1031c3c63c265cc831cc7ec83df7602a240e9026f90080562ef6606dd05667673737ed52d7126efb1a18

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\datareporting\glean\db\data.safe.bin

MD5 c299b9da09be17bd0eb324f789c5e2fc
SHA1 f78aff8d92ef4050f540785ff9adc2f573464592
SHA256 f75cda32b53b9480712a2f07768497112952a93d05d175d290f886a6489ef463
SHA512 2c6b55024c039e97030395463a52cd134e28f7392b036ee152eba1d5b3879ecbd3075b116384c16eacb9ee7724c21ddb497a6bde68fb1f983ba7221c4aa2c72f

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 1b7c22a214949975556626d7217e9a39
SHA1 d01c97e2944166ed23e47e4a62ff471ab8fa031f
SHA256 340c8464c2007ce3f80682e15dfafa4180b641d53c14201b929906b7b0284d87
SHA512 ba64847cf1d4157d50abe4f4a1e5c1996fe387c5808e2f758c7fb3213bfefe1f3712d343f0c30a16819749840954654a70611d2250fd0f7b032429db7afd2cc5

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\prefs.js

MD5 280d7c4b0e810c74332a17f35aa14e8a
SHA1 6014290ff5b688ad9e43baed358fd6b87406507e
SHA256 f9ce22678ad23fcad2257366f465821b7f87e396aa3121c16534a62fadc9fe80
SHA512 2e8071923db39782251fa6a57069b3a07510a411eb11fd16a8f0d971257c951402a561b74f839e533925c6c55c94b2212a3e0f5c87d75db33621b55412d44156

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 62a58e22600e058ae31f710f6605a311
SHA1 7050a69cd04a8c0e4ef5a49c3ef4a5b099704863
SHA256 c4ce716bb251f5fada008a682b2b19ffd578692911f1d6a897596ffc2706da60
SHA512 614736d1df77da0124ed223ef186832fa26fe642715f86df448e456d57e2c96b71888001278c86f4bd572789541d9dccca0caba064eeb6d0a90799a5ff913957

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\prefs-1.js

MD5 10c0cbf852a31cf19e36b13f1010e064
SHA1 6a73f54bd2f978aa39097b1aad248942b0d4b1c1
SHA256 4d9146245890bc81ba89235f13c2c8d7b1fea49817f942abc08154cf2ad237a7
SHA512 571fa6c43784b75cd9a66831b003e7c4da462b09011d193b84bc24741c3d837dce7f7f80df29e96a28e2495931a5ceef996dbb3d4d86e7a7ac1bcface85e5f17

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 ef6cff71f52e8cc172113e372afe9fbb
SHA1 6536e8b06f9159c87ef42b93af53dcb0dc8549d8
SHA256 4645f34899326b6722ef11636ba8fe5bbca59967b4b79da092415afb3050f0ab
SHA512 37e17d93979829065685d7f27cda74bdbea5561af21d6f7199e6f428551ee2d95a2795548c28f9f76b3911e9adecc99d9c0a6659ada1892a0155934a7bb915da

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

MD5 e3ad2391fac4ac375867668cf4ec7103
SHA1 1014b18f448e3bdf266b29658e610285f68cbf30
SHA256 22ee542377ff8cfc9b42efd165ef328e3d1f06aa7dd12e19229c73d210474b56
SHA512 d43f9b0c7081f43745772bdfbca19442fbc24a21cc80ccca610326818838d0d14a3d9d51f41e3081c75ce6ce206e1017d29ca06ef369e0e437818a53a28c706e

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 5bfc5bbd1f282adfd4977dc2ffdfb09e
SHA1 c5c145a4b1119b381a813d3e5548638f89b8bda0
SHA256 95f5a0d092dd63cfc59b8fade3a4986ca56c5b2b4aec4e961f01706dbf48208e
SHA512 8a474b8c7901f109308614b3fbab9a216d27e5c86cdcf751ae35eac3e0d0203256c92ee7a4ca3fb236334ca6fc1046e4632253d3b57e61ee27a758c1e4dc47af

C:\Users\Admin\AppData\Local\Temp\InstallSetup9.exe

MD5 4160a49a7ab6b3bf145933fe2434f489
SHA1 e792d7539215f0b052e5b898649983f0f2bc3ebd
SHA256 cc12bfcdddf67932cffc8563a3ea2c2d642d47284cc7d316b851cf5f6249e9fb
SHA512 7bf57937f5b13ca948d8963e28ae2cc37e70c26f7f2f5ecf13c3e2250257a65cb7a8fd701dbc4313a780b81bae8574c77db75d25eb22da71e4dabfdd773515fe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 e14ec86cfb3b1ecb4793ce6759aeb10d
SHA1 babdaf38f1eceaaa4694ff50529be9923fd8e2e1
SHA256 b18da522d05772f5efc5f23cc5da5c5f3e357fbae2b4142abc408043a6541c7e
SHA512 b3bc0331ed75d84ec2e5567ff8fa8a8df12bce268563cef17abb2b385d51bb3634539c06aff510d60e713756c66213caf4dcc23ca69a3a162dfd5e196b9d9e77

C:\Users\Admin\AppData\Local\Temp\1000605001\leg221.exe

MD5 bd8b2a79e58adac2ff18365dcb6e223e
SHA1 bfac6c417a93aec8f288096ae54ac988026aff4d
SHA256 b544658b575af359582e55d05560dcd334583801514dacc685a81e957cb708f8
SHA512 0aec33b681839e67bdee29d8b12977401e9467c6e51e171f4cd582f80f01b5eec2783e66a3f0208f13f70a3c3462f80c14c4551f230a66e6a8e71186308eb74a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 81bf3234d5964b4698c0747b22e9ddd0
SHA1 4fbf6b8ade4a65dcd16e88827d84b206f6c02956
SHA256 d70f8b3df244757252407523e26b8e39b04dca7055f33211368b2747740ebc02
SHA512 7e49f26d7a6820cb0ea5f3946c053aea45b61cd5741cc0dc42cdd43404b64ff0b6f8a594c9ffa671effd7c5dbdff85297a1579ed0b66bd13712d29f02765a4fb

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\sessionstore-backups\recovery.jsonlz4

MD5 d6aa0a1407ab174c4e1878b5d1478fd6
SHA1 4d5a7c0ed70e991a090961d061d9033b7b3c20a7
SHA256 f11a703fb402f087570e21845493dd366bfac0dd962b5b6cd044e9681d5a3fad
SHA512 ceb3a4136cfb9727496ba8b19d0de51f3867c32a1db264b5957be45f04d0f5126396a4c4fd881abc1c28a4f62cbd2ef7ec04a7ca0db746f54dfb6852e0cdb857

C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\sqqfzpo5.default-release\prefs-1.js

MD5 39a545731a8fe44a1b3495a48d77ac7d
SHA1 7210a41df1026de1075cd6cf01fb52325802b1ea
SHA256 943a03cf2fdbbecda9ef3367184a47ce13403257460dadbb349d9e001fcb84a1
SHA512 dabb7dffec0b8fad07d567ec14458ec0e74d275889e59d91a52f6a26bb83cd23b59f6372fe504744b1fda08658554967d4d185b6bec35483e8a59d649c8c6bb8

C:\Users\Admin\AppData\Local\Temp\1000609001\stan.exe

MD5 d5647c22cb48b35ae458dc03ed36d0b6
SHA1 766c7b5013fab8d189083e8309dfaaf3279e8d62
SHA256 3aa28c20b8cd664287334c5a69bd064914b7042020199aaac261933fb61f96d9
SHA512 463ea920ecbd631bed4ec8d16de5048270d00e06bf1a167865c038e901d64f2713260f9d9b9c8cee7279f957fb61880af418f11ef1b2515cc69da90f5d143613

C:\Users\Admin\AppData\Local\Temp\F59E91F8

MD5 f69c58fccf7f1ef9513990da11b43d74
SHA1 e1ae0390fe3fcb46f59115a58ba6a66a1bbdfdfd
SHA256 37f223546cc6632dd8a42b6e9f74468bc188fa6735e14bf802257430b9ab9ee2
SHA512 aab8b3a4bcb73ec304b54e7ec9412513d28045a98e4714403345eada50876fa0d7005a222271c5d91eecb2e2c63c1b5c9c7ef7efb41e0d642ff5bb46100863c1

C:\Users\Admin\AppData\Local\Temp\nsy4E3C.tmp\INetC.dll

MD5 443333a0de1d2d36b3cdff2e8908df72
SHA1 bf0eec09e7f3819e50261e5cef5671623fe66510
SHA256 d1465b58942d3b85c5b6bdd891ba050d1d39aa60be254da5d81606559dc68df3
SHA512 3531b0bb41094aaa16d4a56eb9a94e13ab1c951321878d4d84aec72c1d687be7bfa21c4ffa5e410fc193adfba63e91f7c62fc341efd4b87ed79c03a097b48c28

C:\Users\Admin\AppData\Local\Temp\1000583001\store.exe

MD5 9ab6171ca736c845d7cc8cae0601d078
SHA1 8623cc29eecaafdd6d3c565e684d0c8d57344098
SHA256 96ad2b0a54a7bdd4a4611434f51acafe0a3ec4b2ba4b0bddf2a36a130986ad5a
SHA512 4b9890458c82cc3f137b32cae4b148c252af4f975810c6b7e693e2b235ba68f13fbf5878e9b4730134db09d6c781be01a11101cb24cb42d653ea48997f136291

C:\Users\Admin\AppData\Local\Temp\1000611001\installs.exe

MD5 ed55d2191f2a1490ebf9166fe37c8d9e
SHA1 812db3e1942b2a040016a542f6e473a715e03c64
SHA256 b9597fb32c6b653ea2287adcfcc0849177e728c486dc11904d11a5a63525c5d0
SHA512 5c69f35af1a45b858cdfc315c0de4869c2a18e7723735bfcaf51af960b7f8dbbc9cfddd8bb17f4fb771cbdbf09306acea8bff366e5a5b1dd069fc52778c6b69f

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 7b480e9fd54f1ce74bf8d2dc065f9837
SHA1 7d497bad7e3f4b56171e5b26bd0d1f295c280606
SHA256 b930a5a94eb83d923d6a671e1833b08807c0b2aaa673d562574abbac61628c78
SHA512 c04a1f1df7ece5b0ff46ed108bed35adae71330d298974931fa8517488bc5cd8d70d53b607ea5e72fe521096cef8ac35db07472022e02b54a5864329b4cf8cb1

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 807419ca9a4734feaf8d8563a003b048
SHA1 a723c7d60a65886ffa068711f1e900ccc85922a6
SHA256 aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631
SHA512 f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

C:\Users\Admin\AppData\Local\Temp\1000612001\TrueCrypt_NyNIUi.exe

MD5 4ba39749b947ce951185fe7eadf493fa
SHA1 c0d839899d8ed8fbc5ccd6ff2f8ee84339cb49a8
SHA256 d160adb2c74f38d78080dd09b59b324935bfde35f3240c0d02cd0887c74997c2
SHA512 87a20e83bd76e3b9be4ac1dbae7212db9c18b4a87b3f2882705b6bd9b1155fc417f50ff0fb5ca0392d207e929caf21da8b7f657df0a09afb0331851152419c72

C:\Users\Admin\AppData\Local\Temp\1000613001\alex.exe

MD5 e7fee76a5bd24ac1bbbb6ba4a4af05e4
SHA1 63cef7c302f80da21dbc67a1733bd288a7088d25
SHA256 0d59e022a4477d86c657b11dac473a4c8a6fd2ca0bcf7ee5630ff040f8a4baa9
SHA512 c15c65b8640e14a4427e56c717c0a388213205db28454de7fe41fa0e573a53e2d9dbdfbbd4dba75a6d0906d7d1f8ac8273f15de4b0c9fa2646be40a28b44456c

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u2uqzahe.ys5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\1000614001\gold1201001.exe

MD5 f1e2fcd6d8997986f81eb3f7a5613965
SHA1 4a2e241e8f92aa80a1a30c640efe4493eb51088a
SHA256 ffd50796127441417b293e456f8e76a306c06c7d7311574a52b4de5f499ccc47
SHA512 ec6968e93bf2d7254d66add44a335583a6db027f7bf49ca1a512e9fda987acbfcda85a9e659816259fdac54269844559760a98d1feaa7e70c494d7c3c1b184da

C:\Users\Admin\AppData\Local\Temp\1000615001\2024.exe

MD5 879cc2cd2b436324c8a55234800c8b20
SHA1 eb7f9cc63698f7213c26522f8286a8c61b101ae2
SHA256 46b09453ee7649e19d432c2eff91cd8b1440ba3bf4ed491504a74b8895bfd84a
SHA512 e9354df95b92e093808569232bb660ec09ee2a924c604a832c828f52f03b156ae3174f0108bbbb8cd272546b1d973090c707e4b5df8f57fe35dff582e7d1c212

C:\Users\Admin\AppData\Local\Temp\1000616001\latestrocki.exe

MD5 cefd5fed3b74614e8eced81f78aa3729
SHA1 dd8124e6cd91e67bb99ce10074ff783339948dfb
SHA256 09dc5a4896944d40d2081e7aa2c52403d6270de0c766e44ab42cef84352ac84c
SHA512 54e5d5018a1baf57d0f4a7f9d2401652babb9a7991aef5086e6df6b4382dc3749575d71824d5bec707173dbf512809700fb09dcd6d122d82091f08e9c65a5084

C:\Users\Admin\AppData\Local\Temp\InstallSetup7.exe

MD5 5b20b4a882892a03e82f8e30c40ddd6b
SHA1 681538478f034c820a5842b3c6ee8498b57e005d
SHA256 ede128e2f2a1d020c5c13f97971710748b771ad6a0681b37c17454d540583331
SHA512 9b73254be0a1b212f2f3c67f6bf93f9eb413f883b8147ebf8708f5909bd1d1a57702cfcccd0340407d71c0598fa0f851395df15aea1ffe3c7c8a116c62d914b4

C:\Users\Admin\AppData\Local\Temp\toolspub1.exe

MD5 a717be4ba7d1ebc200810ab156ab6069
SHA1 3e3c705a0d4d0a660c9d2eb0b7b5f9a61c62ef18
SHA256 73e15acfde92b8a282aecc0b949e4770c65fedb029a0421c22bd47576527169c
SHA512 0320fd08e8516fb4cf1caf51a65b1edd763d6877770ac61d487db2d9ba782363adde0e601516c4fa9531269933eba91963748b0c1b01c1e5710e9fb93b86eb6b

C:\Users\Admin\AppData\Local\Temp\31839b57a4f11171d6abc8bbc4451ee4.exe

MD5 3692613ae5185a66fa683aa579056e03
SHA1 106d5140604ca24ac0d61c556c7ec6a676f2125b
SHA256 58a5322d50116cf99f3265181a4056d493ea7da90f5d4bf1b23ac23b988c28d6
SHA512 600b25a4d9b858fd5f4328d5866a0a4dfd8c47b7ca76e367bfadbcf1fecb756e278c1c55ff60d38a839d090734061e0fb9f813ea0a5e31cdf57e5541fe8e75d4

C:\Users\Admin\AppData\Local\Temp\rty25.exe

MD5 23c054fdec0f8672b9dfc8fec37c3ead
SHA1 1f6050135e5a5c2966eb38212397efec1d6e9142
SHA256 64b092015581148f650a0c13826d06c33146147eaff7aaf7058f48c632003b96
SHA512 962e63bb3d503fea505957095886a7e2075731c7bf089fb4e476be6c6b537d909807e9eb188d824434638172ab32832e0b2bd5a7450dbafce4690c1e79c6f6f9

C:\Users\Admin\AppData\Local\Temp\FirstZ.exe

MD5 27fd92a15da2d6b9bb6f93a6dbc9a3dd
SHA1 7dfb9880c2720571e859ca2295607a27cfebccaa
SHA256 c72dae3390bb342058e0b25077bd061cd36cba92120fc43d6e5205e5b114f3cf
SHA512 d0ba823b6644a599e2c3e1ef1f36f8d1427ab421570318d5ded0499b93f8397af3766209ecdfe4c43cca00f71752eaa92b554f515c07cd4497c4e1bde9985aa3

C:\Users\Admin\AppData\Local\Temp\nsbC735.tmp

MD5 2ea29f5d078a945f06929eaa1cce736f
SHA1 ad4af50677dcd9488b06426a3217644113e296bc
SHA256 c73c3b818446743a18b0d6d86431768e36879f1b83a0ba7e4db59ddfea473903
SHA512 78c74c2919b5575314c4c174847ba9da7bdd8871dbb2de93b7a0caa753a6de15fd92e36b6b830cde61d8633f5e472703fa45e7b451ec6b583048ed250c128b27

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\7cc2c25c-aaef-441b-87d5-f72dbbbdabb3.tmp

MD5 5058f1af8388633f609cadb75a75dc9d
SHA1 3a52ce780950d4d969792a2559cd519d7ee8c727
SHA256 cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8
SHA512 0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

C:\Users\Admin\AppData\Roaming\configurationValue\olehps.exe

MD5 cb9e8a97a88adb6e0d35e33a559f56cd
SHA1 1771237602a1a5ddd4b110198c3ff0d5b15368e1
SHA256 2cd6c97d28acdc797aacaa0dc67e23defd630509b3fc02e3d1740e4b372ebbca
SHA512 70a8d61eabd952efa07e529a56c3a7e579b3d32d0768dea50b78cfbb14d7afb5c1c262a77b83920242e4617dee328382f7387ab40a2ef2f27307ab389d72b03d

C:\Users\Admin\AppData\Roaming\configurationValue\Logs.exe

MD5 6d9577d251fb56eeabf4631d197d6da4
SHA1 388499f42f52a67f3f58a1e01d032da9378aa210
SHA256 0fd26f0697d08336965eacbf858f759363e4c2dede99d180ecfe1cdc1ab8ed08
SHA512 a825fa6fadc06b3e4ff31e168221b400b869cac6eb6637a7543e17affa6759066dda373f063f5c619409d6c6b1173e85cb98d6c2365023a75a098e3a5d545afc

C:\ProgramData\nss3.dll

MD5 17672d1e38a3cafc74481567f8d68cf3
SHA1 e71e39d320c6354773654afa9c281dc0de2a145d
SHA256 0b427437a0d902f05a685b35186f351ef2d1ba0d0005309df1d05fe9b1d32a6d
SHA512 27766e3d976fafad7b18543dec7024b48d3f18e8e7a10284e3e79aecd3dccfd9d92826eedcd931151525949cf3a30a515654e74fbf9dab4b35f16c279c677eb3

C:\Users\Admin\AppData\Local\Temp\1000617001\moto.exe

MD5 561d8814597693f8c3186acfadbe36c3
SHA1 b6a599a3dfa17fb715a6e8b3e521fcebb05bb12a
SHA256 a0bf2012f828a8fc4f8e389e5c28e9ae01cc8bfe1a399a663b2f712de0f0d829
SHA512 c0531143ce0e3695d74358d55287de6c7025ef7d8c32ad8f846c8744ef0f801803f816f2ab1207a5c50fba580740adf64504a9f68cd2352e1d14fe4d36ede8bf

C:\Users\Admin\AppData\Local\Temp\1000618001\crypted.exe

MD5 05ce0544fbe1ed4d5cbf002d88a9e351
SHA1 ef5b4afe56af7ddb8fc8718dedcf20eca6865825
SHA256 8109acb44e7b3e2bb59955c1fb0ce116cd276f2cf80bdc86e1ebcb9b11600e9c
SHA512 92773d27a1fca3ac99db03f6c64434cf9368d8a12a0e05bfcab3ae599797159412385693fb5fe9d1e873258e7e3e3b0e70b5f67dbaa45a134da09570b59d10b9

C:\ProgramData\MountWatch.txt

MD5 26ea18f69a59e70f0900a1e86a3877ad
SHA1 120f4e74ea9dff60937edf35613ba526b648a1da
SHA256 dfea5c095e0afbce553364bb710263530c853dd69f5f2407093f89f4e8986fa2
SHA512 724db78931c1a49602f61f66105509f02f748d05c8d7ce5071103023507d4ff59a8fb28de85542e7571534a815dc511b82a322f18b84820b1f0269298b7d3b60

C:\Users\Admin\AppData\Local\Temp\1000619001\rdx1122.exe

MD5 927fa2810d057f5b7740f9fd3d0af3c9
SHA1 b75d4c86d3b4fd9d6ecf4be05d9ebcf4d7fd7ec8
SHA256 9285f56d3f84131e78d09d2b85dad48a871eec4702cb6494e9c46a24f70e50f9
SHA512 54af68949da4520c87e24d613817003705e8e50d3006e81dcf5d924003c1a1b8185ba89f6878c0abac61f34efbe7a9233f28ba3e678a35983c1e74216a5ac1a8

C:\ProgramData\UndoOut.xlsx

MD5 4895904438fcaba5b287a498d584feec
SHA1 d5d71634ce953397e21f16522bfb1ba8d9028172
SHA256 5169dbff7cc51d32fc76e61331447fa79920f6ad775c456e4db017e1569ceb98
SHA512 6a8982d9a9878a59297c7a7f192679aaaa3de07cc45650e6c093b4f8c74a76780acd5868c36ed49258338e46bd52d2eb0b4fce61ca69aace7e25ba69a86ed46f

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\UA6WZR2N\microsoft.windows[1].xml

MD5 b97f6e2cc1520a2e8426851cb68f3b0f
SHA1 33a930fe90facb202ec3cd87ca0275af9dd20155
SHA256 a3546f0c8e475abc90346821be3c3d67f522161ea876c3d14247ba6d79a2b5aa
SHA512 9b3771942ffce17a52d4c0598bd0d4bb8f196c8731e5b129524b3d9507d411895e4c43d84479f06e5fb28c3403d6b0ec63b97f3a3cdb598873d17fd637abd06a
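The file listing above is only useful once it is turned into records, and not every hash in it is a detection indicator: the Chrome, Edge and Firefox profile files and the `passwords.txt`, `*Cookies`, `*History` and `*Login Data` files under `Temp\jobA...` are what the stealers read or staged, so their hashes only match this sandbox VM. The following is an added example, not part of the sandbox report, that parses the report's layout (a path line followed by MD5/SHA1/SHA256/SHA512 lines, with `memory/...-memory.dmp` entries carrying no hashes), flags paths that were written more than once with different content (as `EAjZobOuZpxn1lFyXQAYd0GT.exe` and `Dimu1yCf_rncQH2Q9EK34rw7.exe` are here), and keeps only dropped-binary hashes for hunting. The classification rules are assumptions made for this example; the embedded excerpt is copied from entries on this page.

```python
"""Turn a sandbox 'Files' listing (path, then MD5/SHA1/SHA256/SHA512) into IOC records."""
import re
from collections import defaultdict

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}

# Assumed rule for this example: files under these browser profile paths were read by
# the stealers, so their digests are victim-specific and must not become detection IOCs.
BROWSER_PROFILE_MARKERS = (r"\google\chrome\user data",
                           r"\microsoft\edge\user data",
                           r"\mozilla\firefox\profiles")

# Constructed excerpt: five entries copied verbatim from the listing on this page.
SAMPLE = r"""
memory/5504-892-0x0000000000400000-0x0000000000537000-memory.dmp

C:\Users\Admin\Documents\GuardFox\EAjZobOuZpxn1lFyXQAYd0GT.exe

MD5 cec2a426d01ff297fdae3761d08d74a0
SHA1 69f152d1b7ec68261ba77e0aa961d965dfb9aeaf
SHA256 0894974e5e13e47114411055550983d25c80aeddcf603ea9b933c9e15ca81615
SHA512 9c4b723fa6c9b335d32c78653aa78e4e3864d9b92e90e58b14616cdd53243433950b552d69f60be1ab284a6dd19296b18ee8c5f5cb48e42086653eafef0a9bb4

C:\Users\Admin\Documents\GuardFox\EAjZobOuZpxn1lFyXQAYd0GT.exe

MD5 8d0e343b7859e2e8b01ba27b785fb6d9
SHA1 07db9988e7a46d240d240bf68ac2214915fc7a29
SHA256 b630d2258805d7a9fdc68938776ff3dc0b82b18b1e05c6c766ac65d35b813eea
SHA512 29d559384c821e69f4bb4351cbb110b1d721d6628682133a1c12120e5ac645248484914ed38449666e80a8a36f13a8653b517c5d0d9a3aab5698828fdf569509

C:\Users\Admin\AppData\Local\Temp\jobA3ZMtckb_gkjUzK\passwords.txt

MD5 cb415a199ac4c0a1c769510adcbade19
SHA1 6820fbc138ddae7291e529ab29d7050eaa9a91d9
SHA256 bae990e500fc3bbc98eddec0d4dd0b55c648cc74affc57f0ed06efa4bde79fee
SHA512 a4c967e7ba5293970450fc873bf203bf12763b9915a2f4acd9e6fa287f8e5f74887f24320ddac4769f591d7ef206f34ce041e7f7aaca615757801eb3664ba9a4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 289175ba8b879b9fbe54d29657bd33a2
SHA1 43fdc1bedbd95244bc9a24edf0d3c5f176415cab
SHA256 41a756a6187660b5c012a039113cd284324760f46bf02b7ae9cea4b91efd58cf
SHA512 2a27a5c2daa81adf81d68321f260dd5c367f26ebc855b8458da73ece8e5175720fc25dcc4fec2affbac97d99c179dfab8e10be08a248ac7d87851693e8e160cf
"""


def parse_listing(text):
    """Return a list of {'path': str, 'hashes': {algo: digest}} in report order.

    A line that is not a hash line starts a new record; hash lines attach to the
    most recent record. Digest lengths are checked so a truncated copy is caught.
    """
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m is None:
            current = {"path": line, "hashes": {}}
            records.append(current)
            continue
        if current is None:
            raise ValueError(f"hash line before any path: {line}")
        algo, digest = m.group(1), m.group(2).lower()
        if len(digest) != HASH_LEN[algo]:
            raise ValueError(f"{algo} digest has wrong length for {current['path']}")
        current["hashes"][algo] = digest
    return records


def classify(record):
    """Bucket a record by what it tells the analyst (rules assumed for this example)."""
    low = record["path"].lower()
    if low.startswith("memory/") and low.endswith("-memory.dmp"):
        return "memory-dump"
    if any(marker in low for marker in BROWSER_PROFILE_MARKERS):
        return "browser-profile-read"
    if low.endswith((".exe", ".dll")):
        return "dropped-binary"
    if r"\appdata\local\temp\job" in low:
        return "staged-loot"
    return "other"


def summarize(records):
    """Counts per category plus paths written more than once with different content."""
    counts, sha_by_path = defaultdict(int), defaultdict(set)
    for r in records:
        counts[classify(r)] += 1
        if "SHA256" in r["hashes"]:
            sha_by_path[r["path"]].add(r["hashes"]["SHA256"])
    rewritten = sorted(p for p, shas in sha_by_path.items() if len(shas) > 1)
    return {"counts": dict(counts), "rewritten_paths": rewritten}


def huntable_hashes(records, algo="SHA256"):
    """Digests suitable for a blocklist or retro-hunt: dropped binaries only."""
    return {r["hashes"][algo] for r in records
            if classify(r) == "dropped-binary" and algo in r["hashes"]}


if __name__ == "__main__":
    recs = parse_listing(SAMPLE)
    print(summarize(recs))
    print(sorted(huntable_hashes(recs)))
```

Keep every digest of a path that appears more than once: the successive writes are stages of the same payload (a packed stub, then its unpacked or updated body), and a hunt that only carries the last one misses the first.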