Analysis Overview
SHA256
5e630ec0b4b2a9e5127a888d72c5b20e121a46a26026c29d8d314f77bf243a25
Threat Level: Known bad
The file 2024-02-19_cd52eee363f347b388150800c63e1611_ryuk was found to be: Known bad.
Malicious Activity Summary
Djvu Ransomware
Glupteba
RisePro
Detected Djvu ransomware
SmokeLoader
Glupteba payload
Stealc
Detects executables containing URLs to raw contents of a Github gist
Detects executables referencing many varying, potentially fake Windows User-Agents
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
Detects executables packed with VMProtect.
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
Detects executables packed with unregistered version of .NET Reactor
Detects executables Discord URL observed in first stage droppers
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Detects Windows executables referencing non-Windows User-Agents
Detect binaries embedding considerable number of MFA browser extension IDs.
Detects executables containing artifacts associated with disabling Windows Defender
Detects executables built or packed with MPress PE compressor
Downloads MZ/PE file
Checks BIOS information in registry
Executes dropped EXE
Reads data files stored by FTP clients
Checks computer location settings
Reads user/profile data of web browsers
Modifies file permissions
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Checks installed software on the system
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Unsigned PE
Modifies registry class
Suspicious use of UnmapMainImage
Suspicious behavior: MapViewOfSection
Checks processor information in registry
Checks SCSI registry key(s)
Uses Task Scheduler COM API
Suspicious use of AdjustPrivilegeToken
Kills process with taskkill
Suspicious use of FindShellTrayWindow
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-19 02:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-19 02:35
Reported
2024-02-19 02:38
Platform
win7-20231215-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_2352_133527837583468000\WW13_64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\onefile_2352_133527837583468000\WW13_64.exe | N/A |
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2352 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\onefile_2352_133527837583468000\WW13_64.exe |
| PID 2352 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\onefile_2352_133527837583468000\WW13_64.exe |
| PID 2352 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe | C:\Users\Admin\AppData\Local\Temp\onefile_2352_133527837583468000\WW13_64.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_2352_133527837583468000\WW13_64.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe"
Network
Files
\Users\Admin\AppData\Local\Temp\onefile_2352_133527837583468000\WW13_64.exe
| MD5 | fa11e891181f71292e874762e54c309e |
| SHA1 | 6222e37af40fa08c4418d2170df3cb327e1821cc |
| SHA256 | f68ea8983c06306b36e0407d02e0df667edf628bf390f334b44a61b4ec5321d7 |
| SHA512 | 7e84a2773e29500a39db9fff5950b244bdde51a16574d24f61696c6877371765eb78a8d23e5a937b671861b3a84e1602d3da8d98554f5ab60c3f4db3eae2611e |
C:\Users\Admin\AppData\Local\Temp\onefile_2352_133527837583468000\python311.dll
| MD5 | 1fe47c83669491bf38a949253d7d960f |
| SHA1 | de5cc181c0e26cbcb31309fe00d9f2f5264d2b25 |
| SHA256 | 0a9f2c98f36ba8974a944127b5b7e90e638010e472f2eb6598fc55b1bda9e7ae |
| SHA512 | 05cc6f00db128fbca02a14f60f86c049855f429013f65d91e14ea292d468bf9bfdeebc00ec2d54a9fb5715743a57ae3ab48a95037016240c02aabe4bfa1a2ff4 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-19 02:35
Reported
2024-02-19 02:38
Platform
win10v2004-20231222-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
SmokeLoader
Stealc
Detect binaries embedding considerable number of MFA browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects Windows executables referencing non-Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables Discord URL observed in first stage droppers
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables built or packed with MPress PE compressor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing URLs to raw contents of a Github gist
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables containing artifacts associated with disabling Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables packed with VMProtect.
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables packed with unregistered version of .NET Reactor
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detects executables referencing many varying, potentially fake Windows User-Agents
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\GuardFox\7hPwKXVGbLuBuxEP1ly0pylG.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\GuardFox\7hPwKXVGbLuBuxEP1ly0pylG.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\GuardFox\7hPwKXVGbLuBuxEP1ly0pylG.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\57cc9ce3-611b-4997-9b81-c5e8cb3be2c9\\Pk7JI9CaeC_pHZ0_62slrid9.exe\" --AutoStart" | C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\GuardFox\YpU6qj2eThxCVR1PQE568Mbn.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\GuardFox\7hPwKXVGbLuBuxEP1ly0pylG.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\d1vjVpWAF46uWXeME984fb8K.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\7hPwKXVGbLuBuxEP1ly0pylG.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2464 set thread context of 2084 | N/A | C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe | C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe |
| PID 1756 set thread context of 5064 | N/A | C:\Users\Admin\Documents\GuardFox\8fdor5jGvAmVs43v58m3HWpJ.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3944 set thread context of 2400 | N/A | C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe | C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | N/A | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\d1vjVpWAF46uWXeME984fb8K.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\d1vjVpWAF46uWXeME984fb8K.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp | N/A |
Suspicious use of UnmapMainImage
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe"
C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_cd52eee363f347b388150800c63e1611_ryuk.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\yIg2NIrbMKONezGt8Zis12rj.exe """
C:\Users\Admin\Documents\GuardFox\yIg2NIrbMKONezGt8Zis12rj.exe
C:\Users\Admin/Documents\GuardFox\yIg2NIrbMKONezGt8Zis12rj.exe ""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe """
C:\Users\Admin\Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe
C:\Users\Admin/Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe ""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe """
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\DLGTS9hVeQ3fDVtpD6KZc1BJ.exe """
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 824 -ip 824
C:\Users\Admin\Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe
C:\Users\Admin/Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe ""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 736
C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp" /SL5="$5006C,3944858,54272,C:\Users\Admin\Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe" ""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\geklkyJb1RJIjxIFhgOAcuBY.exe """
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe """
C:\Users\Admin\Documents\GuardFox\geklkyJb1RJIjxIFhgOAcuBY.exe
C:\Users\Admin/Documents\GuardFox\geklkyJb1RJIjxIFhgOAcuBY.exe ""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 824 -ip 824
C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe
"C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe" -i
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\d1vjVpWAF46uWXeME984fb8K.exe """
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 744
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\Y44BOUYkt1YKhQyTCmbAD40W.exe """
C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe
"C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe" -s
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\xef0OvFS46pt2atJmqhryMoc.exe """
C:\Users\Admin\Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe
C:\Users\Admin/Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe ""
C:\Users\Admin\Documents\GuardFox\vkhatfzAKrlpju9d6VodrldT.exe
C:\Users\Admin/Documents\GuardFox\vkhatfzAKrlpju9d6VodrldT.exe ""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe """
C:\Users\Admin\Documents\GuardFox\d1vjVpWAF46uWXeME984fb8K.exe
C:\Users\Admin/Documents\GuardFox\d1vjVpWAF46uWXeME984fb8K.exe ""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 824 -ip 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 744
C:\Users\Admin\Documents\GuardFox\xef0OvFS46pt2atJmqhryMoc.exe
C:\Users\Admin/Documents\GuardFox\xef0OvFS46pt2atJmqhryMoc.exe ""
C:\Users\Admin\Documents\GuardFox\Y44BOUYkt1YKhQyTCmbAD40W.exe
C:\Users\Admin/Documents\GuardFox\Y44BOUYkt1YKhQyTCmbAD40W.exe ""
C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe
C:\Users\Admin/Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe ""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\vkhatfzAKrlpju9d6VodrldT.exe """
C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe
C:\Users\Admin/Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe ""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 824 -ip 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 768
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\8fdor5jGvAmVs43v58m3HWpJ.exe """
C:\Users\Admin\Documents\GuardFox\8fdor5jGvAmVs43v58m3HWpJ.exe
C:\Users\Admin/Documents\GuardFox\8fdor5jGvAmVs43v58m3HWpJ.exe ""
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 824 -ip 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 956
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 824 -ip 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 976
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\57cc9ce3-611b-4997-9b81-c5e8cb3be2c9" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe
"C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 824 -ip 824
C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe
"C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 1356
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\7hPwKXVGbLuBuxEP1ly0pylG.exe """
C:\Users\Admin\Documents\GuardFox\7hPwKXVGbLuBuxEP1ly0pylG.exe
C:\Users\Admin/Documents\GuardFox\7hPwKXVGbLuBuxEP1ly0pylG.exe ""
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "yIg2NIrbMKONezGt8Zis12rj.exe" /f & erase "C:\Users\Admin\Documents\GuardFox\yIg2NIrbMKONezGt8Zis12rj.exe" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 824 -ip 824
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 824 -s 1404
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "yIg2NIrbMKONezGt8Zis12rj.exe" /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\7B0i9UF8dygAiGVKSt7YpXau.exe """
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\WuaqRhk7_2kPdYrA5k4wAYDz.exe """
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\HXrcVT_ajDIPXBrmbd5wnksw.exe """
C:\Users\Admin\Documents\GuardFox\HXrcVT_ajDIPXBrmbd5wnksw.exe
C:\Users\Admin/Documents\GuardFox\HXrcVT_ajDIPXBrmbd5wnksw.exe ""
C:\Users\Admin\Documents\GuardFox\WuaqRhk7_2kPdYrA5k4wAYDz.exe
C:\Users\Admin/Documents\GuardFox\WuaqRhk7_2kPdYrA5k4wAYDz.exe ""
C:\Users\Admin\Documents\GuardFox\7B0i9UF8dygAiGVKSt7YpXau.exe
C:\Users\Admin/Documents\GuardFox\7B0i9UF8dygAiGVKSt7YpXau.exe ""
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\YpU6qj2eThxCVR1PQE568Mbn.exe """
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\SCx_AK26VfAhti6vdVI1640v.exe """
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin/Documents\GuardFox\4D0OGlAF0yCanDA3Ml3POQKo.exe """
C:\Users\Admin\Documents\GuardFox\YpU6qj2eThxCVR1PQE568Mbn.exe
C:\Users\Admin/Documents\GuardFox\YpU6qj2eThxCVR1PQE568Mbn.exe ""
C:\Users\Admin\Documents\GuardFox\SCx_AK26VfAhti6vdVI1640v.exe
C:\Users\Admin/Documents\GuardFox\SCx_AK26VfAhti6vdVI1640v.exe ""
C:\Users\Admin\Documents\GuardFox\4D0OGlAF0yCanDA3Ml3POQKo.exe
C:\Users\Admin/Documents\GuardFox\4D0OGlAF0yCanDA3Ml3POQKo.exe ""
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| DE | 77.105.147.130:80 | 77.105.147.130 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.147.105.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| DE | 77.105.147.130:80 | 77.105.147.130 | tcp |
| DE | 77.105.147.130:80 | 77.105.147.130 | tcp |
| US | 8.8.8.8:53 | 163.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| DE | 77.105.147.130:80 | 77.105.147.130 | tcp |
| US | 8.8.8.8:53 | vk.com | udp |
| US | 8.8.8.8:53 | 294down-river.sbs | udp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| US | 8.8.8.8:53 | gugle.fun | udp |
| US | 8.8.8.8:53 | flex.sunaviat.com | udp |
| US | 8.8.8.8:53 | acenitive.shop | udp |
| US | 8.8.8.8:53 | cczhk.com | udp |
| RU | 5.42.65.115:80 | 5.42.65.115 | tcp |
| RU | 193.233.132.216:38324 | | tcp |
| US | 8.8.8.8:53 | cleued.com | udp |
| US | 8.8.8.8:53 | monoblocked.com | udp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| RU | 93.186.225.194:443 | vk.com | tcp |
| US | 104.21.45.242:80 | flex.sunaviat.com | tcp |
| US | 172.67.215.205:443 | acenitive.shop | tcp |
| US | 104.21.17.209:443 | gugle.fun | tcp |
| US | 104.21.17.209:443 | gugle.fun | tcp |
| US | 104.21.17.209:443 | gugle.fun | tcp |
| US | 104.21.67.206:80 | 294down-river.sbs | tcp |
| US | 172.67.154.10:443 | cleued.com | tcp |
| RU | 45.130.41.108:443 | monoblocked.com | tcp |
| KR | 211.181.24.133:80 | cczhk.com | tcp |
| US | 104.21.67.206:443 | 294down-river.sbs | tcp |
| US | 8.8.8.8:53 | pergor.com | udp |
| US | 8.8.8.8:53 | sun6-21.userapi.com | udp |
| NL | 95.142.206.2:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | sun6-20.userapi.com | udp |
| NL | 95.142.206.1:443 | | tcp |
| NL | 95.142.206.1:443 | | tcp |
| NL | 95.142.206.1:443 | | tcp |
| NL | 95.142.206.1:443 | | tcp |
| US | 172.67.156.81:443 | | tcp |
| NL | 95.142.206.0:443 | sun6-20.userapi.com | tcp |
| NL | 95.142.206.2:443 | | tcp |
| US | 8.8.8.8:53 | 632432.site | udp |
| NL | 194.104.136.64:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | | udp |
| DE | 185.172.128.24:80 | 185.172.128.24 | tcp |
| US | 8.8.8.8:53 | 64.136.104.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 24.65.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | greenbowelsustainny.fun | udp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | snuggleapplicationswo.fun | udp |
| US | 8.8.8.8:53 | smallrabbitcrossing.site | udp |
| US | 8.8.8.8:53 | punchtelephoneverdi.store | udp |
| US | 8.8.8.8:53 | telephoneverdictyow.site | udp |
| US | 8.8.8.8:53 | strainriskpropos.store | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | habrafa.com | udp |
| IR | 151.233.51.166:80 | habrafa.com | tcp |
| US | 8.8.8.8:53 | 166.51.233.151.in-addr.arpa | udp |
| DE | 77.105.147.130:80 | 77.105.147.130 | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.132.113:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.132.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sjyey.com | udp |
| AR | 190.224.203.37:80 | sjyey.com | tcp |
| AR | 190.224.203.37:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 37.203.224.190.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| AR | 190.224.203.37:80 | sjyey.com | tcp |
| AR | 190.224.203.37:80 | sjyey.com | tcp |
| AR | 190.224.203.37:80 | sjyey.com | tcp |
| AR | 190.224.203.37:80 | sjyey.com | tcp |
| AR | 190.224.203.37:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\python311.dll
| MD5 | 236f0f8f9e66863d1f2ab8bfe68a084e |
| SHA1 | d907c7cbb18df84b5b38c76a0704edf6d6c3ceef |
| SHA256 | 6f4da2b5620fed6bf81c1cefcd213f5d585e9a660111e414efb28e7fc376f964 |
| SHA512 | fe081e0f2257084d634890403bb96aa5df60de8d5c6d777e16abb64b31d6fc3d86def37aa86e4e848011ea25f48f9ce892f74563b0aaa0fcb9aa3f8fe428549e |
C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe
| MD5 | b196713f13177e41d7ac4ca4ebd64e62 |
| SHA1 | fc7acf5c9aba46eb87fc5c82a1c76d35b468e8f7 |
| SHA256 | 18fd9c1dba7d03ee76445aa57789373daba010272339c98f2715a3a9d6cf6d03 |
| SHA512 | be7b421b848b96128abf32209bd456f2025726bb25553366a3bbd495ad21300f86959035057a39254a4d56e388553efa3d0f09b715a1e4e3c5e1d0da1f080454 |
C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\python311.dll
| MD5 | d48c701f2e8c722dc7d4324a48c8182a |
| SHA1 | 056d6b10f631806a5e1094b1a2c0320ecd2cdd0a |
| SHA256 | 4b2de451a3daa163bfac8af69954547263c6197900ec74a0deebc45762ac8dc9 |
| SHA512 | bd17512bba106244bd9fb967d616f8fcb42883f262b889cb55a3692669c8d0440b478cc07941d7cdb3c239bb6ef5ba9165fba38ac81abd9d69bb1813ba297f46 |
C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\WW13_64.exe
| MD5 | 3ba8271395be382507883d87afa41cc6 |
| SHA1 | dc3c24ecd4503ebc68f2838f7d8abe19e38a8f00 |
| SHA256 | f2e582eee882d0272b1d788f958d2acc1e9385d8947e489b800ff1470a3e5705 |
| SHA512 | 5ad577dce50a8e7762714cd72dda3c9276bdb3ac70a54a8cc343a338c27f83ea0eaa7d72dd3e77e01c5f86e3c9dfa574aed563b297682382d6fdc240fcb7f6f0 |
C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\vcruntime140.dll
| MD5 | 870fea4e961e2fbd00110d3783e529be |
| SHA1 | a948e65c6f73d7da4ffde4e8533c098a00cc7311 |
| SHA256 | 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644 |
| SHA512 | 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_socket.pyd
| MD5 | 290dbf92268aebde8b9507b157bef602 |
| SHA1 | bea7221d7abbbc48840b46a19049217b27d3d13a |
| SHA256 | e05c5342d55cb452e88e041061faba492d6dd9268a7f67614a8143540aca2bfe |
| SHA512 | 9ae02b75e722a736b2d76cec9c456d20f341327f55245fa6c5f78200be47cc5885cb73dc3e42e302c6f251922ba7b997c6d032b12a4a988f39bc03719f21d1a5 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ssl.pyd
| MD5 | 0a7eb5d67b14b983a38f82909472f380 |
| SHA1 | 596f94c4659a055d8c629bc21a719ce441d8b924 |
| SHA256 | 3bac94d8713a143095ef8e2f5d2b4a3765ebc530c8ca051080d415198cecf380 |
| SHA512 | 3b78fd4c03ee1b670e46822a7646e668fbaf1ef0f2d4cd53ccfcc4abc2399fcc74822f94e60af13b3cdcb522783c008096b0b265dc9588000b7a46c0ed5973e1 |
C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\libcrypto-1_1.dll
| MD5 | 80b72c24c74d59ae32ba2b0ea5e7dad2 |
| SHA1 | 75f892e361619e51578b312605201571bfb67ff8 |
| SHA256 | eb975c94e5f4292edd9a8207e356fe4ea0c66e802c1e9305323d37185f85ad6d |
| SHA512 | 08014ee480b5646362c433b82393160edf9602e4654e12cd9b6d3c24e98c56b46add9bf447c2301a2b2e782f49c444cb8e37ee544f38330c944c87397bdd152a |
C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\libssl-1_1.dll
| MD5 | 86f2d9cc8cc54bbb005b15cabf715e5d |
| SHA1 | 396833cba6802cb83367f6313c6e3c67521c51ad |
| SHA256 | d98dd943517963fd0e790fde00965822aa4e4a48e8a479afad74abf14a300771 |
| SHA512 | 0013d487173b42e669a13752dc8a85b838c93524f976864d16ec0d9d7070d981d129577eda497d4fcf66fc6087366bd320cff92ead92ab79cfcaa946489ac6cb |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_hashlib.pyd
| MD5 | 1c88b53c50b5f2bb687b554a2fc7685d |
| SHA1 | bfe6fdb8377498bbefcaad1e6b8805473a4ccbf3 |
| SHA256 | 19dd3b5ebb840885543974a4cb6c8ea4539d76e3672be0f390a3a82443391778 |
| SHA512 | a312b11c85aaa325ab801c728397d5c7049b55fa00f24d30f32bf5cc0ad160678b40f354d9d5ec34384634950b5d6eda601e21934c929b4bc7f6ef50f16e3f59 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\unicodedata.pyd
| MD5 | 2ab7e66dff1893fea6f124971221a2a9 |
| SHA1 | 3be5864bc4176c552282f9da5fbd70cc1593eb02 |
| SHA256 | a5db7900ecd5ea5ab1c06a8f94b2885f00dd2e1adf34bcb50c8a71691a97804f |
| SHA512 | 985480fffcc7e1a25c0070f44492744c3820334a35b9a72b9147898395ab60c7a73ea8bbc761de5cc3b6f8799d07a96c2880a7b56953249230b05dd59a1390ad |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_lzma.pyd
| MD5 | bc07d7ac5fdc92db1e23395fde3420f2 |
| SHA1 | e89479381beeba40992d8eb306850977d3b95806 |
| SHA256 | ab822f7e846d4388b6f435d788a028942096ba1344297e0b7005c9d50814981b |
| SHA512 | b6105333bb15e65afea3cf976b3c2a8a4c0ebb09ce9a7898a94c41669e666ccfa7dc14106992502abf62f1deb057e926e1fd3368f2a2817bbf6845eada80803d |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\_ctypes.pyd
| MD5 | 496dcf8821ffc12f476878775999a8f3 |
| SHA1 | 6b89b8fdd7cd610c08e28c3a14b34f751580cffd |
| SHA256 | b59e103f8ec6c1190ded21eef27bea01579220909c3968eeec37d46d2ed39e80 |
| SHA512 | 07118f44b83d58f333bc4b853e9be66dffb3f7db8e65e0226975297bf5794ebdaa2c7a51ef84971faf4d4233a68a6b5e9ac02e737d16c0ac19a6cf65fad9443f |
C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\pywintypes311.dll
| MD5 | 90b786dc6795d8ad0870e290349b5b52 |
| SHA1 | 592c54e67cf5d2d884339e7a8d7a21e003e6482f |
| SHA256 | 89f2a5c6be1e70b3d895318fdd618506b8c0e9a63b6a1a4055dff4abdc89f18a |
| SHA512 | c6e1dbf25d260c723a26c88ec027d40d47f5e28fc9eb2dbc72a88813a1d05c7f75616b31836b68b87df45c65eef6f3eaed2a9f9767f9e2f12c45f672c2116e72 |
C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\vcruntime140_1.dll
| MD5 | bba9680bc310d8d25e97b12463196c92 |
| SHA1 | 9a480c0cf9d377a4caedd4ea60e90fa79001f03a |
| SHA256 | e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab |
| SHA512 | 1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739 |
C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\win32security.pyd
| MD5 | 0007e4004ee357b3242e446aad090d27 |
| SHA1 | 4a26e091ca095699e6d7ecc6a6bfbb52e8135059 |
| SHA256 | 10882e7945becf3e8f574b61d0209dd7442efd18ab33e95dceececc34148ab32 |
| SHA512 | 170fa5971f201a18183437fc9e97dcd5b11546909d2e47860a62c10bff513e2509cb4082b728e762f1357145df84dcee1797133225536bd15fc87b2345659858 |
C:\Users\Admin\AppData\Local\Temp\ONEFIL~1\certifi\cacert.pem
| MD5 | 78d9dd608305a97773574d1c0fb10b61 |
| SHA1 | 9e177f31a3622ad71c3d403422c9a980e563fe32 |
| SHA256 | 794d039ffdf277c047e26f2c7d58f81a5865d8a0eb7024a0fac1164fea4d27cf |
| SHA512 | 0c2d08747712ed227b4992f6f8f3cc21168627a79e81c6e860ee2b5f711af7f4387d3b71b390aa70a13661fc82806cc77af8ab1e8a8df82ad15e29e05fa911bf |
C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\libffi-8.dll
| MD5 | d86a9d75380fab7640bb950aeb05e50e |
| SHA1 | 1c61aaf9022cd1f09a959f7b2a65fb1372d187d7 |
| SHA256 | 68fba9dd89bfad35f8fd657b9af22a8aebda31bffda35058a7f5ae376136e89b |
| SHA512 | 18437e64061221be411a1587f634b4b8efa60e661dbc35fd96a6d0e7eff812752de0ada755c01f286efefc47fb5f2daf07953b4cfc4119121b6bee7756c88d0f |
C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\_bz2.pyd
| MD5 | a8a37ba5e81d967433809bf14d34e81d |
| SHA1 | e4d9265449950b5c5a665e8163f7dda2badd5c41 |
| SHA256 | 50e21ce62f8d9bab92f6a7e9b39a86406c32d2df18408bb52ffb3d245c644c7b |
| SHA512 | b50f4334acb54a6fba776fc77ca07de4940810da4378468b3ca6f35d69c45121ff17e1f9c236752686d2e269bd0b7bce31d16506d3896b9328671049857ed979 |
C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\charset_normalizer\md__mypyc.pyd
| MD5 | f4192b63f194d4b4e420e319f08fd398 |
| SHA1 | 03e2f59492e05f899cb5399a4971b3ee700f00c1 |
| SHA256 | 0be6ce456259ec228b1e42b8406d6eecf4c9fc4c96b9c3dc6255695f539bfdca |
| SHA512 | 447f4909a742e3f2abbe37c2f02d1e9106ded7be5c1d3c1bcbe3985d61791c2eac85bfc9870518fb6d99c7bd32a73c99e9961b797aeee95756f59bf0d2038009 |
C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\charset_normalizer\md.pyd
| MD5 | 25e5dd43a30808f30857c6e46e6bc8df |
| SHA1 | 679cb7169813a9a0224f03624984645ea18aabe6 |
| SHA256 | 62639a735008dd068142c0efca7f3d0f96f4959a52278fcf70012946e8552974 |
| SHA512 | 904855da98f610a6ebe18ba76f7130a7f9a0ba5da0364fbc9ce79127728597c473aa85f8c0ccaf9f0af81da8f4e6ad7b722890839ee03f381e50177301661cc3 |
C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\_queue.pyd
| MD5 | e0cc8c12f0b289ea87c436403bc357c1 |
| SHA1 | e342a4a600ef9358b3072041e66f66096fae4da4 |
| SHA256 | 9517689d7d97816dee9e6c01ffd35844a3af6cde3ff98f3a709d52157b1abe03 |
| SHA512 | 4d93f23db10e8640cd33e860241e7ea6a533daf64c36c4184844e6cca7b9f4bd41db007164a549e30f5aa9f983345318ff02d72815d51271f38c2e8750df4d77 |
C:\Users\Admin\AppData\Local\Temp\onefile_1096_133527837602965451\select.pyd
| MD5 | 4ac28414a1d101e94198ae0ac3bd1eb8 |
| SHA1 | 718fbf58ab92a2be2efdb84d26e4d37eb50ef825 |
| SHA256 | b5d4d5b6da675376bd3b2824d9cda957b55fe3d8596d5675381922ef0e64a0f5 |
| SHA512 | 2ac15e6a178c69115065be9d52c60f8ad63c2a8749af0b43634fc56c20220afb9d2e71ebed76305d7b0dcf86895ed5cdfb7d744c3be49122286b63b5ebce20c2 |
C:\Users\Admin\Documents\GuardFox\yIg2NIrbMKONezGt8Zis12rj.exe
| MD5 | 9562c5e354c4d0d1d207ee38a1cf3785 |
| SHA1 | 6267e562bc02a8fcf56a092113155e5cfb19abef |
| SHA256 | c2054e2d06bf0fd32c33e5a3ff8eb16f194648b7ae109c7db945afb332053c11 |
| SHA512 | fec9866fad198af04818470d14076399e6c26be35025072b6fbcff5c72613fb3aab8c4cffe40fc3a6a604e785535e270a2c818efa1becfea77c95461d95f9505 |
C:\Users\Admin\Documents\GuardFox\o4na_YhO7_2ub2zSjt0ITnhg.exe
| MD5 | b745bfd18f6232f090419de152ebebf0 |
| SHA1 | a45beb47818aa3d5388ecbd55069a43601153973 |
| SHA256 | 0f5c2a1369d97d2a6cfdcf5186cb62818c41efec976fe9930a4f070f06c6dbff |
| SHA512 | d12d160448810ed54bcda7c38fdcaf6ca4f1c31ccc0732153f87c4999364fdd4376ae9ad5e11453fd2294c5540f3ca1b1256a3d8d0d5ed7e731b6b85f418e018 |
C:\Users\Admin\Documents\GuardFox\Pk7JI9CaeC_pHZ0_62slrid9.exe
| MD5 | 8fd7f46e85795769df7e746b3869c7e3 |
| SHA1 | acbe34e48fd2e7d580bfe5fb913473bfab41edd8 |
| SHA256 | 09ffa44302fb7674b294d26a01d11a0510251f66d23fd3626cba5a98e5453ba3 |
| SHA512 | 5acdba0b24b8bf068cc1c1b080fecce9d3f8dffe13f3605a2f46a6cd28fef4630ea2ee575af0d230a89ca3f137da5051655cd4a2138920c76bfe9d1027d0380f |
C:\Users\Admin\Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe
| MD5 | 029139679a1e6fbf22f0617286ecd356 |
| SHA1 | 8cdd3591493e84b6b130af03a91065535ceb1890 |
| SHA256 | 6cd498c82768416078c6552229813120cfa11edbf06c123de39a9def8a019d4c |
| SHA512 | e33c2cb3876d69038d71e7fed457e5dd285e095137c13e842182242e042ec13e4df6939a8451d959be9f5f8794984faa219feec4106b17d8e7f5bdcd759941c4 |
memory/824-112-0x0000000000820000-0x0000000000920000-memory.dmp
memory/824-113-0x00000000021C0000-0x00000000021ED000-memory.dmp
C:\Users\Admin\Documents\GuardFox\7B0i9UF8dygAiGVKSt7YpXau.exe
| MD5 | 79f16592b6d173ed466c925f0f993c80 |
| SHA1 | b3ccee0b9c94fa77cd557580a5f1423a88edf90b |
| SHA256 | 0030a8277ec24f633189f2e9f037b529141044c141d3337ad50fcb2452bf8f53 |
| SHA512 | 77a6c66a496d566cab657809f23ca33943bc8f3f9c8b2674eea0e5963704926f178386a3f15219cd08001a89c03dbdb130f18d6a3b7d494da0cc0343f40b730f |
memory/4692-114-0x00000000023C0000-0x00000000023F4000-memory.dmp
C:\Users\Admin\Documents\GuardFox\DLGTS9hVeQ3fDVtpD6KZc1BJ.exe
| MD5 | d4512d526ce5b4c0b06c8806b128931e |
| SHA1 | 49f7d704819052ac2f2d7dd1b025e9ecf1dfa1d0 |
| SHA256 | 951a4295ca6bcfbb4b96c898fdf2d1597422c77c18be02a85c298ee816d1e45d |
| SHA512 | daa0819ef49f825e7a717a1fedf190451ee68ff74666480302e5dced6c9776f365d9efe4563560c8a2e1a866e046bd575a1218c4da4768966866542355c81626 |
memory/4692-123-0x0000000000750000-0x0000000000850000-memory.dmp
memory/824-116-0x0000000000400000-0x0000000000451000-memory.dmp
memory/4692-115-0x0000000000400000-0x0000000000647000-memory.dmp
C:\Users\Admin\Documents\GuardFox\WuaqRhk7_2kPdYrA5k4wAYDz.exe
| MD5 | 51c28761ace7ec8ac460c8dd43df85fd |
| SHA1 | bc175bced43b10474e450c21d6aa7c085e1ad975 |
| SHA256 | 0414dd8e438db4fc4ade1967a14911376ba0a6460747ab6379ac7f288f70f4ce |
| SHA512 | 4ed95565879b2260107ac6e3fbd68acb13eacae9c8e2a2208f055ef1857ef5f1ee0439fcca6995e650e3c492cb78d3ca30f9931f1c31a96cd5dbe7f016119ed2 |
C:\Users\Admin\Documents\GuardFox\HXrcVT_ajDIPXBrmbd5wnksw.exe
| MD5 | 5784afb380c6bf72e8cf58f245528883 |
| SHA1 | b5c3f926de2ab331dac1a5d7adca9a9c7215b1a4 |
| SHA256 | 9d965eda03984ab27d4d9d438860a80666c6e324e2232a153bcc5bc5cbec02df |
| SHA512 | c6a61deb5bfd01043b3af35ff4d2567e5c40f7e674b7a67f8203662078e0e56fd1fb54adf6c9af78a6ece5a99f1c08e4fb186fa5046b362727e3c86f1b2adcc3 |
C:\Users\Admin\Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe
| MD5 | 0c719aa00726d1875fee80e9034a150e |
| SHA1 | 5ff6e28f0e279260d0d14eaa873ebd768435301c |
| SHA256 | b79bb046c3bd503822a11dc1ec20ccdfc327e6895ec32ac2acc402cf561a24f9 |
| SHA512 | 24e55814bbec33430ab7b90c07be57ca361357906a614735f8c210193234e42587ca453ef3d273285aa4b986a6f5358294d3b4ac7edace3e47be1d066c72f562 |
memory/2448-138-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\Documents\GuardFox\8Ikaj6vUn6V3OZd_3u53unU2.exe
| MD5 | 3e0eb2c034444b2dbe7ec7e53821dd49 |
| SHA1 | f21740db8e5a2af19781566e0052910e54c128d4 |
| SHA256 | 5500d254228890f7823ee77eb1112f4224cade3460997e8c04b7a1a6fe1c872c |
| SHA512 | b4b862d475e9af063f1e3198f724738a3d4b5192d5b5acefe0d4e1b4376b55ee75e1d8b4f58fff78542a49aa6f6e1c979c9632259010fff9ae2814ee08494f53 |
C:\Users\Admin\Documents\GuardFox\xef0OvFS46pt2atJmqhryMoc.exe
| MD5 | a7373bba2722eef27389f5d94fe4e783 |
| SHA1 | 23972e45424c696943f2ddf2d66e672c87e5be67 |
| SHA256 | f426eef11c5054c02486f2280e8e97db372f9315eb6373d1bdbac64be4629ab3 |
| SHA512 | 7b9ad2b26a88bcaf4e3735b3c7ca928faf7b8852359853a2d792ea850965a2cb1703dabda09740a8be21420a44f467894655549bb9a5280d37d30d23cf4b232a |
C:\Users\Admin\AppData\Local\Temp\is-0800V.tmp\8Ikaj6vUn6V3OZd_3u53unU2.tmp
| MD5 | 956fd09810c6edb78fa81f98b7c7ae0d |
| SHA1 | 94170850cacdcb1c46348bf28aa84e135b2abbab |
| SHA256 | b0f8ef03f6da9ade9149c1fde5233c5e0b6a29f2ff64e7506e96c79bbbf180be |
| SHA512 | de28d055c13aa0fbe2d514d26515f635b37b24f58496864cdd2e17d088fe7397a73577a6e82e540fa9058d971b7573c1f99eb4bcbd1977624a75fea85b299e4a |
memory/4516-163-0x0000000002200000-0x0000000002201000-memory.dmp
C:\Users\Admin\Documents\GuardFox\8fdor5jGvAmVs43v58m3HWpJ.exe
| MD5 | ce42b3f356ec80a646a93353a5e5e9e6 |
| SHA1 | 9382fbb91ef69a8396162e2dab25331d5cb86250 |
| SHA256 | e179056e60c24f596f4badcb11473af4fc811ccefab89841c2b69297b7891440 |
| SHA512 | 53e2fa1ff1778c408968d7f52386770101196d0fdc253c331fd95735c8be7b99c4e6dfb1a1bf6845f2de30dd6264839cc067275a899e5ad4c2f88f47fd14c516 |
C:\Users\Admin\AppData\Local\Temp\is-QS2VN.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe
| MD5 | 98db1ccf5cf82b7917039e6c796c59a7 |
| SHA1 | 340b1194ebe6b18c2034430283bbbc3647afdf77 |
| SHA256 | 8b6fc239666d45099322783b2c2540cac961e0b7fd7992f41323ccdc40d5b681 |
| SHA512 | 7bf622f1c412e11e81f5602c30ba706a24b08eb490282ea6806d1babe708a66afa0ab5ba8a5d6e02f5432d24f721cb769dc73342f01694d269d24effb42ee1ea |
C:\Users\Admin\Documents\GuardFox\geklkyJb1RJIjxIFhgOAcuBY.exe
| MD5 | 20a686fada79f8ef9e92e80febfb42a0 |
| SHA1 | a9129265902ad4248f25891c59c7945715998771 |
| SHA256 | 72922eb704c0e300a20a943c2d28f4b51f11934c91487dc064c7b1f56e341489 |
| SHA512 | fcb9663ad1fd175268e2d64c9ebcb38bd60a365d305143136bca4e0cfbd6436f10988827a2d68b8f675d4f23cde81f43a5fba4d6052714d6f9294fb1b9c90ca7 |
C:\Users\Admin\Documents\GuardFox\geklkyJb1RJIjxIFhgOAcuBY.exe
| MD5 | 09badb8acf8fe1c8d35791aa2593c118 |
| SHA1 | 9c22f98c4d578b3f593b160362b10beb1a1ca901 |
| SHA256 | 8af7c3f82ad26852a76b872771b62edb87eaf52d3f38332daa06f577a2122850 |
| SHA512 | 9ace0b41912cc8b848fc619157423eb7ff118121202357c0831dbd7513a372e1c71ccb1ff8751ecb55709ed45fcec1c54583924d2555467c99823f2cbeffe955 |
C:\Users\Admin\Documents\GuardFox\SCx_AK26VfAhti6vdVI1640v.exe
| MD5 | a7c95606c6047218d78ea1ce15d342c8 |
| SHA1 | 680532e567ee20ff61c92ac696a1feebf5e22658 |
| SHA256 | adfba1915986c71a7276a8d5aead9cb9f9b66cbcd5d1d630f9e09ccfd7163d1c |
| SHA512 | 681dc330efdbe42ffd6cc4ca2771287ad9ea4d1598c4d1bd003e18de6bf7d21e9677d692ce92dda4113df012b41382de84b24804373b54cd95f3384681831315 |
C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe
| MD5 | 8fb2e718ed032a70e9f61075ee93b51d |
| SHA1 | adb8d88e1e42be01bd37279de91ad08ad96c4ff7 |
| SHA256 | 9427ae84f26283cf00820d1ccc89f3a34c6427ce19fc4476f0eaddabc7c4779e |
| SHA512 | d0c23df2a577277789e2296f15408aecfc90ea8e6a35803ef2fe43eaba78c8de9cb25e3c2fd6e963ba24748240b7a36a3a328102bfdd26d219157b57f133d344 |
C:\Users\Admin\Documents\GuardFox\d1vjVpWAF46uWXeME984fb8K.exe
| MD5 | 7497fdeba4aec1b75c8ceb591a4466c1 |
| SHA1 | 26a060abf1b3713fe6f02066853ae5d75bd89702 |
| SHA256 | 48786fd905f84291bb549b52a20868a09e8b9df993d5bab8d723fe5ff890a10b |
| SHA512 | 68b365e0d588f792474dd0af8f6df07add601ba88d9ff236fe2f275bd996c34c76218a8019ec949f36176846a2f41da206ca84ae80ba270305e326e788236329 |
memory/3684-242-0x0000000005720000-0x0000000005CC4000-memory.dmp
memory/3684-240-0x0000000072380000-0x0000000072B30000-memory.dmp
memory/1884-241-0x0000000000400000-0x00000000007E9000-memory.dmp
C:\Users\Admin\Documents\GuardFox\Y44BOUYkt1YKhQyTCmbAD40W.exe
| MD5 | a7b1bf94d1cc0d4d7cc9a8adc0fd23b3 |
| SHA1 | b0c18bbb0803d3c4bd433660cbe49c0613f764db |
| SHA256 | c7702dd40864d2760d5245998dcd35408e6cb6a4beef18c6b63f68965991673e |
| SHA512 | 9170fdfea3e852f38be09c7a455b11fc0f174ee81ff59fa0002ff6b482ca9febd27e9ee7bddcb98e8024d25948d3e4f9d211ba88910059a66cf3c6e770570aac |
memory/3684-260-0x00000000053D0000-0x00000000053E0000-memory.dmp
C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe
| MD5 | ae1f9db87efd251c5b1aa2befb9c412f |
| SHA1 | c441902902c1ada6b552cecaeb6a062a96d5c642 |
| SHA256 | 18f0f3eb03ab85cf5b74ca51e666473e8ece4a75935f80053eaa8871909678de |
| SHA512 | 6f6884b731c5d9de05fc65a14c409bac05530e4e26336ee391d9d9e34aa5bb7b5e3deb5cc7f09f6fad8c5caa6f6da3a3bd035283ea59733dec61a9a375de6abf |
memory/3480-264-0x0000000000400000-0x00000000007E9000-memory.dmp
memory/3684-261-0x00000000052F0000-0x00000000052FA000-memory.dmp
memory/3480-265-0x0000000000400000-0x00000000007E9000-memory.dmp
memory/1884-253-0x0000000000400000-0x00000000007E9000-memory.dmp
memory/3684-251-0x0000000005250000-0x00000000052E2000-memory.dmp
C:\ProgramData\E_MountLite_66\E_MountLite_66.exe
| MD5 | 579a0fb769d745fffebe0785261f9386 |
| SHA1 | 6f4d1cd9cb9115324fc3353b2395fe01d33889c8 |
| SHA256 | 2f09d5b1bb25d55ceecd97222994d40ca5825502106e08f7bafbc9088bd1251f |
| SHA512 | e3947c147107b789cac855e560fe11c9c956781ee8ecbde7d8ceb9ccf3363ec1d2d246d040761cd0baed66615fc8239266961ae17f3e59265a22251a4470d187 |
C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe
| MD5 | 0871f2113db791bc05e503e95f284a50 |
| SHA1 | 65dce56912350cbabe26251abdadc7a3184616ab |
| SHA256 | 89c0f787c4fa1e4573f367227eb6e16613b3a91aee3bf21ee2b70a41124d1f37 |
| SHA512 | f0ce340d3e4bfb6cae4330eef0a0dbcb1da290ab24b57327a2e1d8db1c98d67b27cd01e149bb5a57eab3ad7b0ca9e9d3150369b13456b043b21086a2c0bfa206 |
C:\Users\Admin\Documents\GuardFox\7hPwKXVGbLuBuxEP1ly0pylG.exe
| MD5 | 71369ca5f9f41bf02e2fa138a6f459bd |
| SHA1 | caf54a41e6baf79239889eb9fddd6a9ddf8864cb |
| SHA256 | df47533cfffa37dd58da9bf666ea9cecf2f7ecb03d4fb179e64e6a54576d4bc0 |
| SHA512 | a1681cd1f3c4cb4d4ece24c4601688b428d6a2362aa3ee0d5387476d6655f33d5388c35a4291d5ef7133617bdf4fed35ce641edfc359c616974afa3683516363 |
memory/3684-239-0x0000000000950000-0x0000000000988000-memory.dmp
C:\Users\Admin\Documents\GuardFox\FlPaJanW_MDDpcdoUt4mW4My.exe
| MD5 | 91279277b9cc7d43752c76dcaea5fce6 |
| SHA1 | 5411e516c578887602f29e56294e841b854b8b7e |
| SHA256 | 18d4c4325fa3930646e04f03a812ccc0c3b8907297db98317bde5a77fed7ea08 |
| SHA512 | 3f4fbd59734f694ce2079ac10769d34366ec3d376f166c406acda9dc71bfa203e1a958e96bd218c6b6c1f47c12600c4bfc137675b6b2d297eed2107c80064696 |
C:\Users\Admin\Documents\GuardFox\vkhatfzAKrlpju9d6VodrldT.exe
| MD5 | 1c32647a706fbef6faeac45a75201489 |
| SHA1 | 9055c809cc813d8358bc465603165be70f9216b7 |
| SHA256 | f60e23e0d5cbd44794977c641d07228f8c7a9255f469a1fe9b2ae4c4cc009edc |
| SHA512 | c8acb58b5686b5daf16de893a9a09c61429892b61195442c456982b14be16baef714b4cf1ad61705480afb880c48d82ace5f65a055ad3bad204a8e776971a3d0 |
memory/3972-272-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/3972-273-0x00000000004D0000-0x00000000004DB000-memory.dmp
memory/3972-278-0x0000000000400000-0x000000000044B000-memory.dmp
memory/824-279-0x0000000000820000-0x0000000000920000-memory.dmp
memory/4236-281-0x0000000000400000-0x0000000000574000-memory.dmp
memory/4236-284-0x0000000002150000-0x000000000219B000-memory.dmp
memory/4692-285-0x0000000000400000-0x0000000000647000-memory.dmp
memory/4236-286-0x00000000021A0000-0x00000000021A2000-memory.dmp
C:\Users\Admin\Documents\GuardFox\Y44BOUYkt1YKhQyTCmbAD40W.exe
| MD5 | eb58950924c6ac0cb91a8360fcb445fe |
| SHA1 | c04b6db5555ee5ddb660279c6b045779888bb80d |
| SHA256 | 14e0ec49dc3a135fdd01aec1c64c8ed51496f2d8e288eb8bfd5719e1ae8390b2 |
| SHA512 | 1803ffc4b1c7ef72245f2762d2261b1b001baa52741f754bd3d3a4f86ff3ac41234a9920a3260602a9361068b83a1a2dd4eeab1c953811efe98c9cd307c5f42e |
C:\Users\Admin\Documents\GuardFox\Y44BOUYkt1YKhQyTCmbAD40W.exe
| MD5 | a682c9962fa92d449eb49fda4272f571 |
| SHA1 | ac243bbb7a37ecb111509fbc7cd85f46695ffbf3 |
| SHA256 | f52f2ab5e9f0c169ba1cf8860dc2b03acc64eb274510a910cc79257b4f50c553 |
| SHA512 | db4c852d53661dbe4589ca4319c689b87186329cc42ee49811629de17813d92c262c228f2eb7335cf7c13d79c28a37e5100a0b23195f0dcd7b506ceae5034789 |
memory/4236-294-0x0000000002200000-0x0000000002202000-memory.dmp
memory/4236-293-0x0000000000400000-0x0000000000574000-memory.dmp
memory/4236-292-0x0000000000400000-0x0000000000574000-memory.dmp
memory/4692-295-0x0000000000750000-0x0000000000850000-memory.dmp
memory/4236-296-0x0000000000400000-0x0000000000574000-memory.dmp
memory/4236-287-0x0000000000400000-0x0000000000574000-memory.dmp
memory/400-298-0x0000000002EC0000-0x00000000037AB000-memory.dmp
memory/400-299-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/4236-283-0x0000000002150000-0x000000000219B000-memory.dmp
memory/2448-300-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4236-282-0x0000000000400000-0x0000000000574000-memory.dmp
memory/400-303-0x0000000002AC0000-0x0000000002EBC000-memory.dmp
memory/4692-304-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/3684-306-0x0000000072380000-0x0000000072B30000-memory.dmp
memory/3028-308-0x0000000072380000-0x0000000072B30000-memory.dmp
memory/3028-310-0x0000000005290000-0x00000000052A0000-memory.dmp
memory/4516-315-0x0000000002200000-0x0000000002201000-memory.dmp
memory/2084-318-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2084-323-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2084-325-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2464-317-0x0000000001FC0000-0x000000000205D000-memory.dmp
memory/2464-312-0x0000000002270000-0x000000000238B000-memory.dmp
memory/2084-313-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3480-340-0x0000000000400000-0x00000000007E9000-memory.dmp
memory/1756-339-0x0000000005150000-0x0000000005328000-memory.dmp
memory/3684-338-0x00000000053D0000-0x00000000053E0000-memory.dmp
memory/1756-341-0x0000000072380000-0x0000000072B30000-memory.dmp
memory/1756-343-0x0000000004F70000-0x0000000005146000-memory.dmp
memory/1756-342-0x0000000004F60000-0x0000000004F70000-memory.dmp
memory/1756-352-0x0000000004F60000-0x0000000004F70000-memory.dmp
C:\Users\Admin\Documents\GuardFox\4D0OGlAF0yCanDA3Ml3POQKo.exe
| MD5 | 2a4592c9cb8724ad2635a3ce0a279b00 |
| SHA1 | e890072667c76c0e08aaf7249c42ba5cfb37b750 |
| SHA256 | 5b0a20cabb3ce8cbb2219b05feef12f85ac86e4d0336f4e3dfbfc0a5af5b67a6 |
| SHA512 | 923c474f1516783befc5cb5559017c7497ca69dd412ead986997fa6eff9dedac897eeba111d9fb816c55e4429eebb0bbc84f8cf733ebaceebd3b9edb43c57793 |
memory/3480-346-0x0000000000400000-0x00000000007E9000-memory.dmp
C:\Users\Admin\Documents\GuardFox\YpU6qj2eThxCVR1PQE568Mbn.exe
| MD5 | 230e63c2deab217c08ade65aaf12aec8 |
| SHA1 | 7897686c66d989833882879d3cd9c3ad2b464dff |
| SHA256 | 2148c3be3402e459e221cf6c4242190233530a3687c3bb959a4c81118654cdcb |
| SHA512 | d6b069d71258019ee2bfe4ad524ffddc82422e590db06543847643ea4828dd136553ba76446bb0dd9d1e49d29c4c922120957cc1d5ac98bff56ff1443b8db140 |
memory/5064-374-0x0000000000400000-0x00000000006B0000-memory.dmp
memory/3972-373-0x00000000006A0000-0x00000000007A0000-memory.dmp
memory/4236-382-0x0000000000400000-0x0000000000574000-memory.dmp
memory/4236-385-0x0000000002150000-0x000000000219B000-memory.dmp
memory/5064-386-0x0000000000400000-0x00000000006B0000-memory.dmp
memory/1756-394-0x0000000002AB0000-0x0000000004AB0000-memory.dmp
memory/5064-396-0x0000000000400000-0x00000000006B0000-memory.dmp
memory/5064-397-0x0000000000400000-0x00000000006B0000-memory.dmp
memory/3972-393-0x0000000000400000-0x000000000044B000-memory.dmp
memory/1756-390-0x0000000072380000-0x0000000072B30000-memory.dmp
memory/3436-387-0x0000000002060000-0x0000000002076000-memory.dmp
memory/4692-407-0x0000000000400000-0x0000000000647000-memory.dmp
memory/400-408-0x0000000002EC0000-0x00000000037AB000-memory.dmp
memory/5064-411-0x0000000000FE0000-0x0000000000FE1000-memory.dmp
memory/400-410-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/5064-412-0x0000000000FE0000-0x0000000000FE1000-memory.dmp
memory/5064-413-0x0000000000FE0000-0x0000000000FE1000-memory.dmp
memory/5064-414-0x0000000000FE0000-0x0000000000FE1000-memory.dmp
memory/5064-418-0x0000000000400000-0x00000000006B0000-memory.dmp
memory/1372-420-0x0000000002440000-0x0000000002476000-memory.dmp
memory/1372-425-0x0000000072380000-0x0000000072B30000-memory.dmp
memory/1372-426-0x0000000002980000-0x0000000002990000-memory.dmp
memory/4516-429-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2084-434-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2400-441-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2400-442-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u3pezzc0.vnp.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3480-470-0x0000000000400000-0x00000000007E9000-memory.dmp
memory/2400-468-0x0000000000400000-0x0000000000537000-memory.dmp
memory/4236-481-0x0000000000400000-0x0000000000574000-memory.dmp
memory/400-483-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
memory/2400-484-0x0000000000400000-0x0000000000537000-memory.dmp
memory/2400-467-0x0000000000400000-0x0000000000537000-memory.dmp
memory/824-486-0x0000000000400000-0x0000000000451000-memory.dmp
memory/3960-485-0x0000000000770000-0x0000000001239000-memory.dmp
memory/3960-488-0x0000000000770000-0x0000000001239000-memory.dmp
memory/4692-487-0x0000000000400000-0x0000000000647000-memory.dmp
memory/3960-490-0x0000000000770000-0x0000000001239000-memory.dmp
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |