Malware Analysis Report

2024-11-13 18:57

Sample ID 240219-c3g7psgh61
Target 2024-02-19_cd52eee363f347b388150800c63e1611_ryuk
SHA256 5e630ec0b4b2a9e5127a888d72c5b20e121a46a26026c29d8d314f77bf243a25
Tags
djvu glupteba risepro smokeloader stealc pub3 backdoor discovery dropper evasion loader persistence ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5e630ec0b4b2a9e5127a888d72c5b20e121a46a26026c29d8d314f77bf243a25

Threat Level: Known bad

The file 2024-02-19_cd52eee363f347b388150800c63e1611_ryuk was found to be: Known bad.

Malicious Activity Summary

djvu glupteba risepro smokeloader stealc pub3 backdoor discovery dropper evasion loader persistence ransomware spyware stealer trojan

Djvu Ransomware

Glupteba

RisePro

Detected Djvu ransomware

SmokeLoader

Glupteba payload

Stealc

Detects executables containing URLs to raw contents of a Github gist

Detects executables referencing many varying, potentially fake Windows User-Agents

Detect binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

Detects executables packed with VMProtect.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables packed with unregistered version of .NET Reactor

Detects executables containing a Discord URL observed in first stage droppers

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Detects Windows executables referencing non-Windows User-Agents

Detect binaries embedding a considerable number of MFA browser extension IDs.

Detects executables containing artifacts associated with disabling Windows Defender

Detects executables built or packed with MPress PE compressor

Downloads MZ/PE file

Checks BIOS information in registry

Executes dropped EXE

Reads data files stored by FTP clients

Checks computer location settings

Reads user/profile data of web browsers

Modifies file permissions

Loads dropped DLL

Accesses cryptocurrency files/wallets, possible credential harvesting

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Checks installed software on the system

Adds Run key to start application

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Enumerates physical storage devices

Program crash

Unsigned PE

Modifies registry class

Suspicious use of UnmapMainImage

Suspicious behavior: MapViewOfSection

Checks processor information in registry

Checks SCSI registry key(s)

Uses Task Scheduler COM API

Suspicious use of AdjustPrivilegeToken

Kills process with taskkill

Suspicious use of FindShellTrayWindow

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-19 02:35

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-19 02:35

Reported

2024-02-19 02:38

Platform

win7-20231215-en

Max time kernel

120s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_2352_133527837583468000\WW13_64.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\onefile_2352_133527837583468000\WW13_64.exe

MD5 fa11e891181f71292e874762e54c309e
SHA1 6222e37af40fa08c4418d2170df3cb327e1821cc
SHA256 f68ea8983c06306b36e0407d02e0df667edf628bf390f334b44a61b4ec5321d7
SHA512 7e84a2773e29500a39db9fff5950b244bdde51a16574d24f61696c6877371765eb78a8d23e5a937b671861b3a84e1602d3da8d98554f5ab60c3f4db3eae2611e

C:\Users\Admin\AppData\Local\Temp\onefile_2352_133527837583468000\python311.dll

MD5 1fe47c83669491bf38a949253d7d960f
SHA1 de5cc181c0e26cbcb31309fe00d9f2f5264d2b25
SHA256 0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae
SHA512 05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-19 02:35

Reported

2024-02-19 02:38

Platform

win10v2004-20231222-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe"

Signatures

Detected Djvu ransomware

Djvu Ransomware

ransomware djvu

Glupteba

loader dropper glupteba

Glupteba payload

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Detect binaries embedding a considerable number of MFA browser extension IDs.

Detect binaries embedding a considerable number of cryptocurrency wallet browser extension IDs.

Detects Windows executables referencing non-Windows User-Agents

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Detects executables containing a Discord URL observed in first stage droppers

Detects executables built or packed with MPress PE compressor

Detects executables containing URLs to raw contents of a Github gist

Detects executables containing artifacts associated with disabling Windows Defender

Detects executables packed with VMProtect.

Detects executables packed with unregistered version of .NET Reactor

Detects executables referencing many varying, potentially fake Windows User-Agents

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Documents\GuardFox\7hPwKXVGbLuBuxEP1ly0pylG.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Documents\GuardFox\7hPwKXVGbLuBuxEP1ly0pylG.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Documents\GuardFox\7hPwKXVGbLuBuxEP1ly0pylG.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe N/A
N/A N/A C:\Windows\System32\Conhost.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\geklkyJb1RJIjxIFhgOAcuBY.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\vkhatfzAKrlpju9d6VodrldT.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\d1vjVpWAF46uWXeME984fb8K.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\Y44BOUYkt1YKhQyTCmbAD40W.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\xef0OvFS46pt2atJmqhryMoc.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\8fdor5jGvAmVs43v58m3HWpJ.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\7hPwKXVGbLuBuxEP1ly0pylG.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\HXrcVT_ajDIPXBrmbd5wnksw.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\WuaqRhk7_2kPdYrA5k4wAYDz.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\7B0i9UF8dygAiGVKSt7YpXau.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\YpU6qj2eThxCVR1PQE568Mbn.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\SCx_AK26VfAhti6vdVI1640v.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\4D0OGlAF0yCanDA3Ml3POQKo.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\57cc9ce3-611b-4997-9b81-c5e8cb3be2c9\\Pk7JI9CaeC_pHZ0_62slrid9.exe\" --AutoStart" C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe N/A

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Documents\GuardFox\YpU6qj2eThxCVR1PQE568Mbn.exe N/A
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\Documents\GuardFox\7hPwKXVGbLuBuxEP1ly0pylG.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org N/A N/A
N/A iplogger.org N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.2ip.ua N/A N/A
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\GuardFox\d1vjVpWAF46uWXeME984fb8K.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\7hPwKXVGbLuBuxEP1ly0pylG.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe N/A
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\taskkill.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ N/A N/A
Key created \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\d1vjVpWAF46uWXeME984fb8K.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\d1vjVpWAF46uWXeME984fb8K.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\taskkill.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeCreatePagefilePrivilege N/A N/A N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp N/A

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1096 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe
PID 1096 wrote to memory of 3156 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe
PID 3156 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 4572 wrote to memory of 824 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 4572 wrote to memory of 824 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 4572 wrote to memory of 824 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Conhost.exe
PID 1020 wrote to memory of 4692 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe
PID 1020 wrote to memory of 4692 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe
PID 1020 wrote to memory of 4692 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe
PID 3156 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 2672 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 1552 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe
PID 1552 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe
PID 1552 wrote to memory of 2448 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe
PID 2448 wrote to memory of 4516 N/A C:\Users\Admin\Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp
PID 2448 wrote to memory of 4516 N/A C:\Users\Admin\Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp
PID 2448 wrote to memory of 4516 N/A C:\Users\Admin\Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp
PID 3156 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 2828 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 856 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 2828 wrote to memory of 3684 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\geklkyJb1RJIjxIFhgOAcuBY.exe
PID 2828 wrote to memory of 3684 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\geklkyJb1RJIjxIFhgOAcuBY.exe
PID 2828 wrote to memory of 3684 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\geklkyJb1RJIjxIFhgOAcuBY.exe
PID 3156 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 1624 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 4516 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe
PID 4516 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe
PID 4516 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe
PID 3156 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 4516 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe
PID 4516 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe
PID 4516 wrote to memory of 3480 N/A C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe
PID 3156 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 4476 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 856 wrote to memory of 3972 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe
PID 856 wrote to memory of 3972 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe
PID 856 wrote to memory of 3972 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe
PID 2628 wrote to memory of 4152 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\vkhatfzAKrlpju9d6VodrldT.exe
PID 2628 wrote to memory of 4152 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\vkhatfzAKrlpju9d6VodrldT.exe
PID 2628 wrote to memory of 4152 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\vkhatfzAKrlpju9d6VodrldT.exe
PID 1624 wrote to memory of 4236 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\d1vjVpWAF46uWXeME984fb8K.exe
PID 1624 wrote to memory of 4236 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\d1vjVpWAF46uWXeME984fb8K.exe
PID 1624 wrote to memory of 4236 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\d1vjVpWAF46uWXeME984fb8K.exe
PID 3156 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 3156 wrote to memory of 3168 N/A C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe C:\Windows\system32\cmd.exe
PID 4900 wrote to memory of 400 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\Y44BOUYkt1YKhQyTCmbAD40W.exe
PID 4900 wrote to memory of 400 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\Y44BOUYkt1YKhQyTCmbAD40W.exe
PID 4900 wrote to memory of 400 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\Y44BOUYkt1YKhQyTCmbAD40W.exe
PID 4476 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\xef0OvFS46pt2atJmqhryMoc.exe
PID 4476 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\xef0OvFS46pt2atJmqhryMoc.exe
PID 4476 wrote to memory of 3028 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\xef0OvFS46pt2atJmqhryMoc.exe
PID 3168 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe
PID 3168 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe
PID 3168 wrote to memory of 2464 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe
PID 2464 wrote to memory of 2084 N/A C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe"

C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\yIg2NIrbMKONezGt8Zis12rj.exe """

C:\Users\Admin\Documents\GuardFox\yIg2NIrbMKONezGt8Zis12rj.exe

C:\Users\Admin/Documents\GuardFox\yIg2NIrbMKONezGt8Zis12rj.exe ""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe """

C:\Users\Admin\Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe

C:\Users\Admin/Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe ""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe """

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\DLGTS9hVeQ3fDVtpD6KZc1BJ.exe """

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 824 -ip 824

C:\Users\Admin\Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe

C:\Users\Admin/Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe ""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 736

C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp

"C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp" /SL5="$5006C,3944858,54272,C:\Users\Admin\Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe" ""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\geklkyJb1RJIjxIFhgOAcuBY.exe """

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe """

C:\Users\Admin\Documents\GuardFox\geklkyJb1RJIjxIFhgOAcuBY.exe

C:\Users\Admin/Documents\GuardFox\geklkyJb1RJIjxIFhgOAcuBY.exe ""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 824 -ip 824

C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe

"C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe" -i

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\d1vjVpWAF46uWXeME984fb8K.exe """

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 744

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\Y44BOUYkt1YKhQyTCmbAD40W.exe """

C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe

"C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe" -s

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\xef0OvFS46pt2atJmqhryMoc.exe """

C:\Users\Admin\Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe

C:\Users\Admin/Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe ""

C:\Users\Admin\Documents\GuardFox\vkhatfzAKrlpju9d6VodrldT.exe

C:\Users\Admin/Documents\GuardFox\vkhatfzAKrlpju9d6VodrldT.exe ""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe """

C:\Users\Admin\Documents\GuardFox\d1vjVpWAF46uWXeME984fb8K.exe

C:\Users\Admin/Documents\GuardFox\d1vjVpWAF46uWXeME984fb8K.exe ""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 824 -ip 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 744

C:\Users\Admin\Documents\GuardFox\xef0OvFS46pt2atJmqhryMoc.exe

C:\Users\Admin/Documents\GuardFox\xef0OvFS46pt2atJmqhryMoc.exe ""

C:\Users\Admin\Documents\GuardFox\Y44BOUYkt1YKhQyTCmbAD40W.exe

C:\Users\Admin/Documents\GuardFox\Y44BOUYkt1YKhQyTCmbAD40W.exe ""

C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe

C:\Users\Admin/Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe ""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\vkhatfzAKrlpju9d6VodrldT.exe """

C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe

C:\Users\Admin/Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe ""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 824 -ip 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 768

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\8fdor5jGvAmVs43v58m3HWpJ.exe """

C:\Users\Admin\Documents\GuardFox\8fdor5jGvAmVs43v58m3HWpJ.exe

C:\Users\Admin/Documents\GuardFox\8fdor5jGvAmVs43v58m3HWpJ.exe ""

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 824 -ip 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 956

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 824 -ip 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 976

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\57cc9ce3-611b-4997-9b81-c5e8cb3be2c9" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe

"C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 824 -ip 824

C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe

"C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 1356

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\7hPwKXVGbLuBuxEP1ly0pylG.exe """

C:\Users\Admin\Documents\GuardFox\7hPwKXVGbLuBuxEP1ly0pylG.exe

C:\Users\Admin/Documents\GuardFox\7hPwKXVGbLuBuxEP1ly0pylG.exe ""

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /c taskkill /im "yIg2NIrbMKONezGt8Zis12rj.exe" /f & erase "C:\Users\Admin\Documents\GuardFox\yIg2NIrbMKONezGt8Zis12rj.exe" & exit

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 824 -ip 824

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 1404

C:\Windows\SysWOW64\taskkill.exe

taskkill /im "yIg2NIrbMKONezGt8Zis12rj.exe" /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\7B0i9UF8dygAiGVKSt7YpXau.exe """

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\WuaqRhk7_2kPdYrA5k4wAYDz.exe """

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\HXrcVT_ajDIPXBrmbd5wnksw.exe """

C:\Users\Admin\Documents\GuardFox\HXrcVT_ajDIPXBrmbd5wnksw.exe

C:\Users\Admin/Documents\GuardFox\HXrcVT_ajDIPXBrmbd5wnksw.exe ""

C:\Users\Admin\Documents\GuardFox\WuaqRhk7_2kPdYrA5k4wAYDz.exe

C:\Users\Admin/Documents\GuardFox\WuaqRhk7_2kPdYrA5k4wAYDz.exe ""

C:\Users\Admin\Documents\GuardFox\7B0i9UF8dygAiGVKSt7YpXau.exe

C:\Users\Admin/Documents\GuardFox\7B0i9UF8dygAiGVKSt7YpXau.exe ""

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\YpU6qj2eThxCVR1PQE568Mbn.exe """

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\SCx_AK26VfAhti6vdVI1640v.exe """

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\4D0OGlAF0yCanDA3Ml3POQKo.exe """

C:\Users\Admin\Documents\GuardFox\YpU6qj2eThxCVR1PQE568Mbn.exe

C:\Users\Admin/Documents\GuardFox\YpU6qj2eThxCVR1PQE568Mbn.exe ""

C:\Users\Admin\Documents\GuardFox\SCx_AK26VfAhti6vdVI1640v.exe

C:\Users\Admin/Documents\GuardFox\SCx_AK26VfAhti6vdVI1640v.exe ""

C:\Users\Admin\Documents\GuardFox\4D0OGlAF0yCanDA3Ml3POQKo.exe

C:\Users\Admin/Documents\GuardFox\4D0OGlAF0yCanDA3Ml3POQKo.exe ""

Network


Files


memory/2400-484-0x0000000000400000-0x0000000000537000-memory.dmp

memory/2400-467-0x0000000000400000-0x0000000000537000-memory.dmp

memory/824-486-0x0000000000400000-0x0000000000451000-memory.dmp

memory/3960-485-0x0000000000770000-0x0000000001239000-memory.dmp

memory/3960-488-0x0000000000770000-0x0000000001239000-memory.dmp

memory/4692-487-0x0000000000400000-0x0000000000647000-memory.dmp

memory/3960-490-0x0000000000770000-0x0000000001239000-memory.dmp

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
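The listing above mixes two kinds of artifact: memory dumps named by PID and address range, and dropped files with their hash set. The following Python is an added example, not part of this report or of the sandbox's own tooling. It parses such a listing into structured records, groups the dumps per PID (a region dumped repeatedly at the same address, such as PID 2084's 0x400000 image region, is typically a process whose image was rewritten in place during unpacking), and checks that every dropped file carries a complete, correctly sized hash set before the values are pushed into a blocklist. Reading the dump name as `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp` is an assumption drawn from the shape of the names on this page, not a documented format; the sample listing is constructed from entries on this page plus one deliberately malformed entry (`C:\constructed\bad.bin`) to exercise the check.

```python
import re
from collections import defaultdict

# ASSUMPTION: dump names follow memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp.
# That reading is inferred from the names on this page, not from a spec.
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
PATH_RE = re.compile(r"^[A-Za-z]:\\")  # dropped files are listed as Windows paths

# Constructed sample: entries copied from this page, plus one malformed
# entry (bad.bin, truncated MD5, no other hashes) to show the validation path.
SAMPLE_LISTING = r"""
memory/2084-325-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1756-394-0x0000000002AB0000-0x0000000004AB0000-memory.dmp
memory/1756-341-0x0000000072380000-0x0000000072B30000-memory.dmp
C:\Users\Admin\Documents\GuardFox\4D0OGlAF0yCanDA3Ml3POQKo.exe
MD5 2a4592c9cb8724ad2635a3ce0a279b00
SHA1 e890072667c76c0e08aaf7249c42ba5cfb37b750
SHA256 5b0a20cabb3ce8cbb2219b05feef12f85ac86e4d0336f4e3dfbfc0a5af5b67a6
SHA512 923c474f1516783befc5cb5559017c7497ca69dd412ead986997fa6eff9dedac897eeba111d9fb816c55e4429eebb0bbc84f8cf733ebaceebd3b9edb43c57793
memory/2084-434-0x0000000000400000-0x0000000000537000-memory.dmp
C:\ProgramData\mozglue.dll
MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040
C:\constructed\bad.bin
MD5 deadbeef
"""


def parse_listing(text):
    """Split a report listing into dump records and per-file hash dictionaries."""
    dumps, files = [], {}
    current = None  # path of the dropped file whose hashes we are collecting
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_RE.match(line)
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            dumps.append({"pid": int(m["pid"]), "seq": int(m["seq"]),
                          "start": start, "end": end, "size": end - start})
            current = None
            continue
        if PATH_RE.match(line):
            current = line
            files.setdefault(current, {})
            continue
        h = HASH_RE.match(line)
        if h and current is not None:
            files[current][h.group(1)] = h.group(2).lower()
    return dumps, files


def summarize_dumps(dumps):
    """Per PID: dump count, distinct regions, largest region, dumps at the usual image base."""
    by_pid = defaultdict(lambda: {"dump_count": 0, "regions": set(),
                                  "largest": 0, "at_image_base": 0})
    for d in dumps:
        s = by_pid[d["pid"]]
        s["dump_count"] += 1
        s["regions"].add((d["start"], d["end"]))
        s["largest"] = max(s["largest"], d["size"])
        if d["start"] == 0x400000:  # default 32-bit PE image base
            s["at_image_base"] += 1
    return dict(by_pid)


def validate_hashes(files):
    """Return (path, algorithm, problem) for every missing or wrongly sized hash."""
    problems = []
    for path, hashes in files.items():
        for algo, length in HASH_LENGTHS.items():
            value = hashes.get(algo)
            if value is None:
                problems.append((path, algo, "missing"))
            elif len(value) != length:
                problems.append((path, algo, f"bad length {len(value)}"))
    return problems


if __name__ == "__main__":
    dumps, files = parse_listing(SAMPLE_LISTING)
    for pid, s in sorted(summarize_dumps(dumps).items()):
        print(f"pid {pid}: {s['dump_count']} dumps, {len(s['regions'])} regions, "
              f"largest 0x{s['largest']:X}, {s['at_image_base']} at image base")
    for problem in validate_hashes(files):
        print("hash problem:", problem)
```

Dumps whose distinct-region count is much lower than their dump count are the ones worth opening first: the sandbox re-dumped the same range because its contents changed, which is where an unpacked stage usually lands. Only files that pass `validate_hashes` should feed a blocklist; a truncated or missing hash silently matches nothing.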