gcleaner | 6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421

Analysis

max time kernel
50s
max time network
150s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
11/03/2024, 04:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
Size

4.5MB
MD5

20ed8b8eb556fa3cbc88b83882a6f1b0
SHA1

cd7ce6fc0068b6ef9c37d5dafec1319a39b88709
SHA256

6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421
SHA512

868b859bdff27e41f63b527590214ad22dcaf332bb3d5c7daafd295ea648d71d5bd6d01fee29587eee8b7d4ef01384089eb0b2408f3d2e048021701c357e3b9b
SSDEEP

98304:in1GhDYSAEbWAtdt7Eea0+JJHOBMT6yCltq5CFvxWof8e45D4UO38cYd5:0gYfux7EF0CHqI6Xg5CFvxW2Pe

Malware Config

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

vidar

Version

8.1

Botnet

f074a4059ba1ecaca146518ebcd17bd0

https://steamcommunity.com/profiles/76561199649267298

https://t.me/uprizin

Attributes

profile_id_v2
f074a4059ba1ecaca146518ebcd17bd0
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 OPR/96.0.0.0

Extracted

Family

gcleaner

185.172.128.90

5.42.65.115

Extracted

Family

tofsee

vanaheim.cn

jotunheim.name

Extracted

Family

risepro

193.233.132.62

Extracted

Family

vidar

Version

8.1

Botnet

1ea8aee42f0abfcd960a0b72af3ab3d7

https://steamcommunity.com/profiles/76561199649267298

https://t.me/uprizin

Attributes

profile_id_v2
1ea8aee42f0abfcd960a0b72af3ab3d7
user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36 OPR/96.0.0.0

Signatures

Detect Vidar Stealer 14 IoCs

stealer

resource	yara_rule
behavioral1/memory/2948-1553-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/2948-1565-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/2948-1593-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/2948-1590-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/2904-1588-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/2948-1596-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/2948-1581-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/2904-1579-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/2904-1566-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/2948-1557-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/2904-1554-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/2904-1551-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/2904-1548-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7
behavioral1/memory/2948-1847-0x0000000000400000-0x0000000000644000-memory.dmp	family_vidar_v7

Detect ZGRat V1 5 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016cfd-849.dat	family_zgrat_v1
behavioral1/files/0x0007000000016d06-855.dat	family_zgrat_v1
behavioral1/files/0x0007000000016d06-1435.dat	family_zgrat_v1
behavioral1/memory/2612-1454-0x0000000000220000-0x0000000000290000-memory.dmp	family_zgrat_v1
behavioral1/memory/2468-1436-0x0000000000E50000-0x0000000000EC0000-memory.dmp	family_zgrat_v1

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 7 IoCs

resource	yara_rule
behavioral1/memory/488-1544-0x00000000029A0000-0x000000000328B000-memory.dmp	family_glupteba
behavioral1/memory/1736-1578-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/488-1580-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/488-1667-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1736-1666-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/1796-1684-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba
behavioral1/memory/2464-1753-0x0000000000400000-0x0000000000D1C000-memory.dmp	family_glupteba

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Tofsee
Backdoor/botnet which carries out malicious activities based on commands from a C2 server.
trojan tofsee
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Detect binaries embedding considerable number of MFA browser extension IDs. 4 IoCs

resource	yara_rule
behavioral1/memory/2284-1577-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral1/memory/2284-1582-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral1/memory/2284-1778-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs
behavioral1/memory/2284-1787-0x0000000000770000-0x0000000000870000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_MFA_Browser_Extension_IDs

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 4 IoCs

resource	yara_rule
behavioral1/memory/2284-1577-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/2284-1582-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/2284-1778-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
behavioral1/memory/2284-1787-0x0000000000770000-0x0000000000870000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects Windows executables referencing non-Windows User-Agents 20 IoCs

resource	yara_rule
behavioral1/memory/2948-1553-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2948-1565-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1736-1578-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2948-1593-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2948-1590-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2904-1588-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2948-1596-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2948-1581-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/488-1580-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2904-1579-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2904-1566-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2948-1557-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2904-1554-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2904-1551-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2904-1548-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/488-1667-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1736-1666-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1796-1684-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2464-1753-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/2948-1847-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 3 IoCs

resource	yara_rule
behavioral1/memory/2284-1577-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2284-1582-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2284-1778-0x0000000000400000-0x000000000063B000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion 14 IoCs

resource	yara_rule
behavioral1/memory/2948-1553-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/2948-1565-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/2948-1593-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/2948-1590-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/2904-1588-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/2948-1596-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/2948-1581-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/2904-1579-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/2904-1566-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/2948-1557-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/2904-1554-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/2904-1551-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/2904-1548-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL
behavioral1/memory/2948-1847-0x0000000000400000-0x0000000000644000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SandboxHookingDLL

Detects executables Discord URL observed in first stage droppers 6 IoCs

resource	yara_rule
behavioral1/memory/1736-1578-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/488-1580-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/488-1667-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1736-1666-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/1796-1684-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL
behavioral1/memory/2464-1753-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_DiscordURL

Detects executables containing URLs to raw contents of a Github gist 6 IoCs

resource	yara_rule
behavioral1/memory/1736-1578-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/488-1580-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/488-1667-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1736-1666-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/1796-1684-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL
behavioral1/memory/2464-1753-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_RawGitHub_URL

Detects executables containing artifacts associated with disabling Widnows Defender 6 IoCs

resource	yara_rule
behavioral1/memory/1736-1578-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/488-1580-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/488-1667-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/1736-1666-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/1796-1684-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender
behavioral1/memory/2464-1753-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_DisableWinDefender

Detects executables referencing many varying, potentially fake Windows User-Agents 6 IoCs

resource	yara_rule
behavioral1/memory/1736-1578-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/488-1580-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/488-1667-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/1736-1666-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/1796-1684-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA
behavioral1/memory/2464-1753-0x0000000000400000-0x0000000000D1C000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_TooManyWindowsUA

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	GxjGkvtYhwN3nJQsyCtat_RT.exe

Modifies boot configuration data using bcdedit 14 IoCs

pid	Process
1640	bcdedit.exe
2144	bcdedit.exe
2848	bcdedit.exe
2076	bcdedit.exe
2816	bcdedit.exe
2472	bcdedit.exe
412	bcdedit.exe
1872	bcdedit.exe
2304	bcdedit.exe
2884	bcdedit.exe
2976	bcdedit.exe
2084	bcdedit.exe
1888	bcdedit.exe
2380	bcdedit.exe

UPX dump on OEP (original entry point) 1 IoCs

resource	yara_rule
behavioral1/files/0x000600000001a48f-2087.dat	UPX

Blocklisted process makes network request 1 IoCs

flow	pid	Process
165	1600	ckoeJj6elDTfuRxHXDebBLo5.exe

Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file

Modifies Windows Firewall 2 TTPs 3 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
112	netsh.exe
324	netsh.exe
2816	netsh.exe

Possible attempt to disable PatchGuard 2 TTPs
Rootkits can use kernel patching to embed themselves in an operating system.
evasion

Impair Defenses
T1562

Command and Scripting Interpreter
T1059
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks BIOS information in registry 2 TTPs 3 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	GxjGkvtYhwN3nJQsyCtat_RT.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	GxjGkvtYhwN3nJQsyCtat_RT.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe

Executes dropped EXE 16 IoCs

pid	Process
1436	PDZfU58Kf9RSLOo3OlUFq_L0.exe
2468	M7CJfjOJnswOfsGOITpWfHBq.exe
1600	ckoeJj6elDTfuRxHXDebBLo5.exe
2628	g9naRJPwNQcy1nT7QWq1Boov.exe
2612	Xj_OtfRj9sOgU_AcIrQtTqf6.exe
2512	XdCcXx9rYaWS_8GVdD9nZ7ux.exe
1556	UAvM4CkuavIVH4xf5k40wV9m.exe
1360	gU_cMVt_5rERgDwNK6jm08MD.exe
1304	GxjGkvtYhwN3nJQsyCtat_RT.exe
2284	2EyAHqQbDk7PcZrTK8aU6xBq.exe
1944	NZ6oKoiKbrO7K7_ror4q00_D.exe
1736	u_6KeaEVc3DO9L4N7hASEl_g.exe
488	yc6El0Zpx_v76znxh8f534y2.exe
2340	gU_cMVt_5rERgDwNK6jm08MD.tmp
564	Install.exe
288	Install.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine	GxjGkvtYhwN3nJQsyCtat_RT.exe

Loads dropped DLL 17 IoCs

pid	Process
2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
1556	UAvM4CkuavIVH4xf5k40wV9m.exe
1556	UAvM4CkuavIVH4xf5k40wV9m.exe
1556	UAvM4CkuavIVH4xf5k40wV9m.exe
1360	gU_cMVt_5rERgDwNK6jm08MD.exe
2340	gU_cMVt_5rERgDwNK6jm08MD.tmp
2340	gU_cMVt_5rERgDwNK6jm08MD.tmp
2340	gU_cMVt_5rERgDwNK6jm08MD.tmp
1556	UAvM4CkuavIVH4xf5k40wV9m.exe
564	Install.exe
564	Install.exe
564	Install.exe
564	Install.exe
288	Install.exe
288	Install.exe
288	Install.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001a48f-2087.dat	upx

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
161	iplogger.org
46	bitbucket.org
67	bitbucket.org
77	bitbucket.org
45	bitbucket.org
160	iplogger.org
18	bitbucket.org
30	bitbucket.org
31	bitbucket.org

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
5	api.myip.com
8	ipinfo.io
9	ipinfo.io
4	api.myip.com

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
File opened for modification	C:\Windows\System32\GroupPolicy	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2612 set thread context of 2904	2612	Xj_OtfRj9sOgU_AcIrQtTqf6.exe	49
PID 2468 set thread context of 2948	2468	M7CJfjOJnswOfsGOITpWfHBq.exe	50

Launches sc.exe 7 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2616	sc.exe
700	sc.exe
2868	sc.exe
1600	sc.exe
1592	sc.exe
2584	sc.exe
2176	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2024	2948	WerFault.exe	50

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	PDZfU58Kf9RSLOo3OlUFq_L0.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	PDZfU58Kf9RSLOo3OlUFq_L0.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	PDZfU58Kf9RSLOo3OlUFq_L0.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2EyAHqQbDk7PcZrTK8aU6xBq.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2EyAHqQbDk7PcZrTK8aU6xBq.exe

Creates scheduled task(s) 1 TTPs 5 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1344	schtasks.exe
3020	schtasks.exe
2976	schtasks.exe
2784	schtasks.exe
2780	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2180	timeout.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	Install.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	Install.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
904	taskkill.exe

Modifies system certificate store 2 TTPs 17 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
2340	gU_cMVt_5rERgDwNK6jm08MD.tmp
2340	gU_cMVt_5rERgDwNK6jm08MD.tmp
2628	g9naRJPwNQcy1nT7QWq1Boov.exe
1436	PDZfU58Kf9RSLOo3OlUFq_L0.exe
1436	PDZfU58Kf9RSLOo3OlUFq_L0.exe
2284	2EyAHqQbDk7PcZrTK8aU6xBq.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1436	PDZfU58Kf9RSLOo3OlUFq_L0.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	904	taskkill.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2340	gU_cMVt_5rERgDwNK6jm08MD.tmp

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 1436	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	29
PID 2364 wrote to memory of 1436	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	29
PID 2364 wrote to memory of 1436	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	29
PID 2364 wrote to memory of 1436	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	29
PID 2364 wrote to memory of 2628	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	31
PID 2364 wrote to memory of 2628	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	31
PID 2364 wrote to memory of 2628	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	31
PID 2364 wrote to memory of 2468	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	30
PID 2364 wrote to memory of 2468	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	30
PID 2364 wrote to memory of 2468	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	30
PID 2364 wrote to memory of 2468	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	30
PID 2364 wrote to memory of 2612	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	108
PID 2364 wrote to memory of 2612	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	108
PID 2364 wrote to memory of 2612	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	108
PID 2364 wrote to memory of 2612	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	108
PID 2364 wrote to memory of 1600	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	126
PID 2364 wrote to memory of 1600	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	126
PID 2364 wrote to memory of 1600	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	126
PID 2364 wrote to memory of 1600	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	126
PID 2364 wrote to memory of 1556	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	35
PID 2364 wrote to memory of 1556	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	35
PID 2364 wrote to memory of 1556	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	35
PID 2364 wrote to memory of 1556	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	35
PID 2364 wrote to memory of 1556	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	35
PID 2364 wrote to memory of 1556	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	35
PID 2364 wrote to memory of 1556	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	35
PID 2364 wrote to memory of 2512	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	36
PID 2364 wrote to memory of 2512	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	36
PID 2364 wrote to memory of 2512	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	36
PID 2364 wrote to memory of 2512	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	36
PID 2364 wrote to memory of 1360	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	37
PID 2364 wrote to memory of 1360	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	37
PID 2364 wrote to memory of 1360	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	37
PID 2364 wrote to memory of 1360	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	37
PID 2364 wrote to memory of 1360	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	37
PID 2364 wrote to memory of 1360	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	37
PID 2364 wrote to memory of 1360	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	37
PID 2364 wrote to memory of 1944	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	38
PID 2364 wrote to memory of 1944	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	38
PID 2364 wrote to memory of 1944	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	38
PID 2364 wrote to memory of 1944	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	38
PID 2364 wrote to memory of 1304	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	39
PID 2364 wrote to memory of 1304	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	39
PID 2364 wrote to memory of 1304	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	39
PID 2364 wrote to memory of 1304	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	39
PID 2364 wrote to memory of 2284	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	41
PID 2364 wrote to memory of 2284	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	41
PID 2364 wrote to memory of 2284	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	41
PID 2364 wrote to memory of 2284	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	41
PID 2364 wrote to memory of 1736	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	42
PID 2364 wrote to memory of 1736	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	42
PID 2364 wrote to memory of 1736	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	42
PID 2364 wrote to memory of 1736	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	42
PID 2364 wrote to memory of 488	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	111
PID 2364 wrote to memory of 488	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	111
PID 2364 wrote to memory of 488	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	111
PID 2364 wrote to memory of 488	2364	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe	111
PID 1360 wrote to memory of 2340	1360	gU_cMVt_5rERgDwNK6jm08MD.exe	44
PID 1360 wrote to memory of 2340	1360	gU_cMVt_5rERgDwNK6jm08MD.exe	44
PID 1360 wrote to memory of 2340	1360	gU_cMVt_5rERgDwNK6jm08MD.exe	44
PID 1360 wrote to memory of 2340	1360	gU_cMVt_5rERgDwNK6jm08MD.exe	44
PID 1360 wrote to memory of 2340	1360	gU_cMVt_5rERgDwNK6jm08MD.exe	44
PID 1360 wrote to memory of 2340	1360	gU_cMVt_5rERgDwNK6jm08MD.exe	44
PID 1360 wrote to memory of 2340	1360	gU_cMVt_5rERgDwNK6jm08MD.exe	44

C:\Users\Admin\AppData\Local\Temp\6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
"C:\Users\Admin\AppData\Local\Temp\6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Drops file in System32 directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Users\Admin\Documents\GuardFox\PDZfU58Kf9RSLOo3OlUFq_L0.exe
  "C:\Users\Admin\Documents\GuardFox\PDZfU58Kf9RSLOo3OlUFq_L0.exe"
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1436
- C:\Users\Admin\Documents\GuardFox\M7CJfjOJnswOfsGOITpWfHBq.exe
  "C:\Users\Admin\Documents\GuardFox\M7CJfjOJnswOfsGOITpWfHBq.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2468
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2948
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2948 -s 1428
      4⤵
      Program crash
      PID:2024
- C:\Users\Admin\Documents\GuardFox\g9naRJPwNQcy1nT7QWq1Boov.exe
  "C:\Users\Admin\Documents\GuardFox\g9naRJPwNQcy1nT7QWq1Boov.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  PID:2628
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
    3⤵
    PID:1688
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
    3⤵
    PID:2076
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
    3⤵
    PID:2620
- - C:\Windows\system32\powercfg.exe
    C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
    3⤵
    PID:2388
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe delete "PHSWJLZY"
    3⤵
    - Launches sc.exe
    PID:1592
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe create "PHSWJLZY" binpath= "C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe" start= "auto"
    3⤵
    - Launches sc.exe
    PID:1600
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe stop eventlog
    3⤵
    - Launches sc.exe
    PID:2176
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start "PHSWJLZY"
    3⤵
    - Launches sc.exe
    PID:2584
- C:\Users\Admin\Documents\GuardFox\Xj_OtfRj9sOgU_AcIrQtTqf6.exe
  "C:\Users\Admin\Documents\GuardFox\Xj_OtfRj9sOgU_AcIrQtTqf6.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:2612
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:2904
- C:\Users\Admin\Documents\GuardFox\ckoeJj6elDTfuRxHXDebBLo5.exe
  "C:\Users\Admin\Documents\GuardFox\ckoeJj6elDTfuRxHXDebBLo5.exe"
  2⤵
  - Blocklisted process makes network request
  - Executes dropped EXE
  PID:1600
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /c taskkill /im "ckoeJj6elDTfuRxHXDebBLo5.exe" /f & erase "C:\Users\Admin\Documents\GuardFox\ckoeJj6elDTfuRxHXDebBLo5.exe" & exit
    3⤵
    PID:2864
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im "ckoeJj6elDTfuRxHXDebBLo5.exe" /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:904
- C:\Users\Admin\Documents\GuardFox\UAvM4CkuavIVH4xf5k40wV9m.exe
  "C:\Users\Admin\Documents\GuardFox\UAvM4CkuavIVH4xf5k40wV9m.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1556
- - C:\Users\Admin\AppData\Local\Temp\7zS9E52.tmp\Install.exe
    .\Install.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:564
  - - C:\Users\Admin\AppData\Local\Temp\7zSBAE6.tmp\Install.exe
      .\Install.exe /yeYdidN "525403" /S
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Loads dropped DLL
      Enumerates system info in registry
      PID:288
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
        5⤵
        
        PID:2796
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
        5⤵
        
        PID:1968
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
        6⤵
        
        PID:2612
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
        7⤵
        
        PID:628
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
        7⤵
        
        PID:684
    - - C:\Windows\SysWOW64\forfiles.exe
        
        "C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
        5⤵
        
        PID:2052
      - C:\Windows\SysWOW64\cmd.exe
        
        /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
        6⤵
        
        PID:788
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
        7⤵
        
        PID:2360
        
        \??\c:\windows\SysWOW64\reg.exe
        
        REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
        7⤵
        
        PID:2500
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "gTCcpBEvb" /SC once /ST 02:33:05 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
        5⤵
        Creates scheduled task(s)
        
        PID:1344
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /run /I /tn "gTCcpBEvb"
        5⤵
        
        PID:912
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /DELETE /F /TN "gTCcpBEvb"
        5⤵
        
        PID:2524
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /CREATE /TN "byGghvRStpVIiJkbMC" /SC once /ST 04:10:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\wDuQceUSuxrwPBUzz\WGDDUCEGaylPoGy\cbZNYIk.exe\" nw /FJsite_idVzQ 525403 /S" /V1 /F
        5⤵
        Creates scheduled task(s)
        
        PID:2976
- C:\Users\Admin\Documents\GuardFox\XdCcXx9rYaWS_8GVdD9nZ7ux.exe
  "C:\Users\Admin\Documents\GuardFox\XdCcXx9rYaWS_8GVdD9nZ7ux.exe"
  2⤵
  - Executes dropped EXE
  PID:2512
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C mkdir C:\Windows\SysWOW64\aydhxaqp\
    3⤵
    PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /C move /Y "C:\Users\Admin\AppData\Local\Temp\zgfsaaim.exe" C:\Windows\SysWOW64\aydhxaqp\
    3⤵
    PID:2932
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" create aydhxaqp binPath= "C:\Windows\SysWOW64\aydhxaqp\zgfsaaim.exe /d\"C:\Users\Admin\Documents\GuardFox\XdCcXx9rYaWS_8GVdD9nZ7ux.exe\"" type= own start= auto DisplayName= "wifi support"
    3⤵
    - Launches sc.exe
    PID:2616
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" description aydhxaqp "wifi internet conection"
    3⤵
    - Launches sc.exe
    PID:700
- - C:\Windows\SysWOW64\sc.exe
    "C:\Windows\System32\sc.exe" start aydhxaqp
    3⤵
    - Launches sc.exe
    PID:2868
- - C:\Windows\SysWOW64\netsh.exe
    "C:\Windows\System32\netsh.exe" advfirewall firewall add rule name="Host-process for services of Windows" dir=in action=allow program="C:\Windows\SysWOW64\svchost.exe" enable=yes>nul
    3⤵
    - Modifies Windows Firewall
    PID:112
- C:\Users\Admin\Documents\GuardFox\gU_cMVt_5rERgDwNK6jm08MD.exe
  "C:\Users\Admin\Documents\GuardFox\gU_cMVt_5rERgDwNK6jm08MD.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Users\Admin\AppData\Local\Temp\is-PT965.tmp\gU_cMVt_5rERgDwNK6jm08MD.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-PT965.tmp\gU_cMVt_5rERgDwNK6jm08MD.tmp" /SL5="$60120,1555821,56832,C:\Users\Admin\Documents\GuardFox\gU_cMVt_5rERgDwNK6jm08MD.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:2340
- C:\Users\Admin\Documents\GuardFox\NZ6oKoiKbrO7K7_ror4q00_D.exe
  "C:\Users\Admin\Documents\GuardFox\NZ6oKoiKbrO7K7_ror4q00_D.exe"
  2⤵
  - Executes dropped EXE
  PID:1944
- C:\Users\Admin\Documents\GuardFox\GxjGkvtYhwN3nJQsyCtat_RT.exe
  "C:\Users\Admin\Documents\GuardFox\GxjGkvtYhwN3nJQsyCtat_RT.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Identifies Wine through registry keys
  PID:1304
- C:\Users\Admin\Documents\GuardFox\2EyAHqQbDk7PcZrTK8aU6xBq.exe
  "C:\Users\Admin\Documents\GuardFox\2EyAHqQbDk7PcZrTK8aU6xBq.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c timeout /t 5 & del /f /q "C:\Users\Admin\Documents\GuardFox\2EyAHqQbDk7PcZrTK8aU6xBq.exe" & del "C:\ProgramData\*.dll"" & exit
    3⤵
    PID:488
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:2180
- C:\Users\Admin\Documents\GuardFox\u_6KeaEVc3DO9L4N7hASEl_g.exe
  "C:\Users\Admin\Documents\GuardFox\u_6KeaEVc3DO9L4N7hASEl_g.exe"
  2⤵
  - Executes dropped EXE
  PID:1736
- - C:\Users\Admin\Documents\GuardFox\u_6KeaEVc3DO9L4N7hASEl_g.exe
    "C:\Users\Admin\Documents\GuardFox\u_6KeaEVc3DO9L4N7hASEl_g.exe"
    3⤵
    PID:2464
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:1600
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:324
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:896
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
        5⤵
        Creates scheduled task(s)
        
        PID:3020
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /delete /tn ScheduledUpdate /f
        5⤵
        
        PID:1140
    - - C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
        
        "C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
        5⤵
        
        PID:284
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1640
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2144
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2848
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2076
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2816
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2472
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:412
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1872
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2304
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2884
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2976
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -timeout 0
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:2084
      - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
        6⤵
        Modifies boot configuration data using bcdedit
        
        PID:1888
    - - C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
        5⤵
        
        PID:3056
    - - C:\Windows\system32\bcdedit.exe
        
        C:\Windows\Sysnative\bcdedit.exe /v
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:2380
    - - C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        
        C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
        5⤵
        
        PID:2132
- C:\Users\Admin\Documents\GuardFox\yc6El0Zpx_v76znxh8f534y2.exe
  "C:\Users\Admin\Documents\GuardFox\yc6El0Zpx_v76znxh8f534y2.exe"
  2⤵
  - Executes dropped EXE
  PID:488
- - C:\Users\Admin\Documents\GuardFox\yc6El0Zpx_v76znxh8f534y2.exe
    "C:\Users\Admin\Documents\GuardFox\yc6El0Zpx_v76znxh8f534y2.exe"
    3⤵
    PID:1796
  - - C:\Windows\system32\cmd.exe
      C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
      4⤵
      PID:384
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
        5⤵
        Modifies Windows Firewall
        
        PID:2816
  - - C:\Windows\rss\csrss.exe
      C:\Windows\rss\csrss.exe
      4⤵
      PID:2664

C:\Windows\SysWOW64\aydhxaqp\zgfsaaim.exe
C:\Windows\SysWOW64\aydhxaqp\zgfsaaim.exe /d"C:\Users\Admin\Documents\GuardFox\XdCcXx9rYaWS_8GVdD9nZ7ux.exe"
1⤵
PID:2516
- C:\Windows\SysWOW64\svchost.exe
  svchost.exe
  2⤵
  PID:2160

C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240311040856.log C:\Windows\Logs\CBS\CbsPersist_20240311040856.cab
1⤵
PID:1652

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-189751769370746233540220721-59762273220527140765124321251325086380888118918"
1⤵
PID:2932

C:\Windows\system32\taskeng.exe
taskeng.exe {7E139DE6-0D42-4333-8FB3-06A3F15C2EAD} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
1⤵
PID:2752
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
  2⤵
  PID:2564
- - C:\Windows\system32\gpupdate.exe
    "C:\Windows\system32\gpupdate.exe" /force
    3⤵
    PID:2716
- C:\Users\Admin\AppData\Roaming\sciwavw
  C:\Users\Admin\AppData\Roaming\sciwavw
  2⤵
  PID:784

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe
1⤵
PID:2612
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
  2⤵
  PID:2088
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
  2⤵
  PID:1532
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
  2⤵
  PID:648
- C:\Windows\system32\powercfg.exe
  C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
  2⤵
  PID:2596
- C:\Windows\system32\conhost.exe
  C:\Windows\system32\conhost.exe
  2⤵
  PID:2408
- C:\Windows\system32\svchost.exe
  svchost.exe
  2⤵
  PID:2152

C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:1820

C:\Users\Admin\AppData\Local\Temp\6078.exe
C:\Users\Admin\AppData\Local\Temp\6078.exe
1⤵
PID:1284

C:\Users\Admin\AppData\Local\Temp\6588.exe
C:\Users\Admin\AppData\Local\Temp\6588.exe
1⤵
PID:2640

C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\7207.dll
1⤵
PID:2756
- C:\Windows\SysWOW64\regsvr32.exe
  /s C:\Users\Admin\AppData\Local\Temp\7207.dll
  2⤵
  PID:2896

C:\Users\Admin\AppData\Local\Temp\823D.exe
C:\Users\Admin\AppData\Local\Temp\823D.exe
1⤵
PID:2516
- C:\Users\Admin\AppData\Local\Temp\823D.exe
  C:\Users\Admin\AppData\Local\Temp\823D.exe
  2⤵
  PID:2476

C:\Users\Admin\AppData\Local\Temp\98BB.exe
C:\Users\Admin\AppData\Local\Temp\98BB.exe
1⤵
PID:2768
- C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe
  "C:\Users\Admin\AppData\Local\Temp\InstallSetup_four.exe"
  2⤵
  PID:2608
- - C:\Users\Admin\AppData\Local\Temp\u20g.0.exe
    "C:\Users\Admin\AppData\Local\Temp\u20g.0.exe"
    3⤵
    PID:2500
- - C:\Users\Admin\AppData\Local\Temp\u20g.1.exe
    "C:\Users\Admin\AppData\Local\Temp\u20g.1.exe"
    3⤵
    PID:2336
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
      4⤵
      PID:2716
    - - C:\Windows\SysWOW64\chcp.com
        
        chcp 1251
        5⤵
        
        PID:1584
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
        5⤵
        Creates scheduled task(s)
        
        PID:2784
- C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
  "C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
  2⤵
  PID:2844

C:\Users\Admin\AppData\Local\Temp\A8C2.exe
C:\Users\Admin\AppData\Local\Temp\A8C2.exe
1⤵
PID:3052
- C:\Users\Admin\AppData\Local\Temp\is-IBKGO.tmp\A8C2.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-IBKGO.tmp\A8C2.tmp" /SL5="$801C2,1714247,56832,C:\Users\Admin\AppData\Local\Temp\A8C2.exe"
  2⤵
  PID:2308

C:\Windows\system32\taskeng.exe
taskeng.exe {C94E03DA-B34B-464A-91CD-153AB3EE6112} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2504
- C:\Users\Admin\AppData\Local\Temp\wDuQceUSuxrwPBUzz\WGDDUCEGaylPoGy\cbZNYIk.exe
  C:\Users\Admin\AppData\Local\Temp\wDuQceUSuxrwPBUzz\WGDDUCEGaylPoGy\cbZNYIk.exe nw /FJsite_idVzQ 525403 /S
  2⤵
  PID:2628
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /CREATE /TN "gMiCWuIDH" /SC once /ST 03:46:07 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
    3⤵
    - Creates scheduled task(s)
    PID:2780

C:\Users\Admin\AppData\Local\Temp\DC32.exe
C:\Users\Admin\AppData\Local\Temp\DC32.exe
1⤵
PID:2040
- C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe
  "C:\Users\Admin\AppData\Local\Temp\00c07260dc\explorgu.exe"
  2⤵
  PID:888
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
    3⤵
    PID:2144
  - - C:\Windows\system32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll, Main
      4⤵
      PID:2672
    - - C:\Windows\system32\netsh.exe
        
        netsh wlan show profiles
        5⤵
        
        PID:2876

C:\Users\Admin\AppData\Local\Temp\FD0B.exe
C:\Users\Admin\AppData\Local\Temp\FD0B.exe
1⤵
PID:1820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe

Filesize
8.5MB

MD5
d3a55785f4947601cd6da5ddb562c879

SHA1
c48fbb6af10caeaf79c5ee29cc75f21838bd2f14

SHA256
cdaf68fcd08acff8909486a8ac75bf5d05d2bf67c57ae1fb29a7bdfbc253c959

SHA512
cdc966c0e4a89a44b8325de559cf9a48e4a26525ac7b34c28373ce820e1a29865624ba7a4600f001e1e3934a451758901707dfab5aafd8ddf9cfd2a5c9b99167

Download Submit
C:\ProgramData\jndraacsywhc\todymdgvwmgb.exe

Filesize
6.4MB

MD5
3f62723feabb6f4a5cc7fd5d072b5abc

SHA1
a4b8fe35c7e8914baf68c46103288515a687da5b

SHA256
e1169f276d3048605e4fe97900a965f2cade9d9e59c0f11a6041f8417309f40e

SHA512
ea99dada466249c525722ea8a16264495a9ebbb951703c85f9689d5f9740af9be128727bd31d14772e3a90ea9800e9e6daee86c0582d01f72ea997b445e82469

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
67KB

MD5
753df6889fd7410a2e9fe333da83a429

SHA1
3c425f16e8267186061dd48ac1c77c122962456e

SHA256
b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78

SHA512
9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
e8def7ca67a1b7f3c306c94b780f825e

SHA1
ca06d92b77eec4aa682430fbb29802137dd7afde

SHA256
e04235daa9baef2c715812dc822b9e68cda06d5e3c8dae6e01e76a5e6d2d204e

SHA512
df5498868b3e1ad0edcec755aeb8a7a68619d7770a7eac7726fba6358e926541c4a6fda290e4f93bda90ebccd4fe2243ed85574d4e19ab3d0a62c3fdc9fbf568

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5fd0f2b65d67c5ea33c76b8882b17b19

SHA1
fb6b8e44dd87bdc754542a0a6d59cf97d8c2a73e

SHA256
e09d52188ca8a7a19d524b92e78a7045dcf598d489d44a6ec89c6834d2cb1658

SHA512
94ae8ca69cfb307e29461ed25e9e7ad8e59908650bcaa43cc12f5162e2e790175c26650976e3b9e1323e00b0b38809d6658f67c36d456922718ecfb59d30fc1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
190c5b86b1266c4f32051915f3b4484a

SHA1
84e0aa0df57edb41a59705c6c91b4d7b02f338dc

SHA256
1fb44c6cec72bf01dd4a42da8c026cf73bc9649b16d639d31c17f00c9ec88573

SHA512
1298b4b526b31e90a5e806a126949f99300f7de3aaad618f57ed9c4c564d7fb4610ee1d043596f3f80a08792293d0860ee54a98d48fb1c2a9c10da3530d2805a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bdc81800c0ad9d4e112d0be083585a90

SHA1
04041d3141bbe18fd75103e65c2d151bdc6c526f

SHA256
4655135a68e634a965adf40461649e757a9d57d8d777c2a537aea72442655cda

SHA512
c1580701ac366edc0fc1aefeec08b71b4592b561b5a8b4cab752e606672f565dba34523c4ab3a9b29c7fd4e56884641c68ddddfd57d85d646d13968503b1a11d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
af46c4eaa665cfa8595b044863ed9dd2

SHA1
b2fd761d7a39fa74e9320eca61bd241eeb3fc7b9

SHA256
f33cd7dc759dc53593b400d432ed32d00dd66663124a99b979f4cc32e6ca5500

SHA512
158c8e9065b0ba98257ff60c09631e8a4f0f2e2bee282ddca760ee3b18f40b0a3ff2228d5a516e301e9424a659491027e77e367988bc5d65dc723bc25e6bef7b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dcbfbb71f28d4031c6a67f579cb66979

SHA1
dc6d84eec3c906360f09d794d057e9d3069698a1

SHA256
2dcac506275d734a41d22ef2725a8ec44b421c2d6443a76ec2f469641e0e39b7

SHA512
cd570644e8a509ba35d526243ecbf6b5fc2a8b7f83402cc8e69ac1a5b7a3d49503e91e145facb676b8621caaac5fc7318433fe3c613a23812e0f95e057f93978

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1514c059f6879d319a9cd3478e8e923e

SHA1
cadaf39249c2cfed5531b4c5914cfe7cf23d63ec

SHA256
db19494484bc3466df8de0b4ef972978d23ad84663cb1885146a981f8958187f

SHA512
2b7bf7bbc7707de83b579b9533a4ef77cd91acce029398a84f2f5624fc7736619d9c11956cf0224e7fb9fde9d696392e3c326240b0d0a79df0a6ade3c0c9ebfc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0ebd431ac57f20f2a5f29248688d5819

SHA1
cb4e5ec027663d605e3667236bb0a6599e3bc844

SHA256
d82f39174cdfbf26aa7cff996f9bf5004bdda4f186813888008bd90f505f63e3

SHA512
00c9d83948676630ccfe5426bc17bb67014680cd7ae43264cf47391ba1060d4d19de87040bbcce730376059ad893420a9de677a7e60b9eb4713a3c20f744cc4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
620479650f1c8c74da8b7cbb4048fc48

SHA1
4aef5162903a4e162a220dc6ee424e32a9ded345

SHA256
49a8f5bf42cdb3a13c6a568283ff9d11fbfc76b68137ef4fa0798c1616215054

SHA512
6dd35cbb8748c009e85406d74fddecf394ba6cde3636f8c54cdbd54506057427d9d3a799803d2050d816cd3d9df8e96b341d4ca13a803d0b824f86e4237d7fdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1efb42830e2cd0f1e496df1a36bca06b

SHA1
d43761bab79bb285f2608caf85142868464b1110

SHA256
ea05ca8678a7f2bfc04c397afd43f410c674569735ce099b9cc40ebdf3db3822

SHA512
cd72f81bd930619f094307867f95621c15db69262051d64e5201043fdfde77d7a24ab698a1a30da7c2fbe72814a4e156a7f04f61bcfb58ad2add2d2e6e2dc0d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
11c3292ae13d7caceca51720c373379e

SHA1
35c2b5cad4869840292a405f7c059360572cac02

SHA256
900e4d10767b1712e763920302aa22e58b057968761af74e7df44898e57e69fe

SHA512
3897137588f510cfe610b85c8c0ed3d9b2ddb3bd3a0ed2e4ddbe6b77d1597f8f0ba64755b81a009aa70469326057da9fc06c0d526f99cb607cc83b63d2716c7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7c66207265301639c6ca0c87aee9e4c4

SHA1
d37122d392cddbfbf198fdfc0899ce1f247c461d

SHA256
4a56dba26f033f03856f4aaee09c438e196dc7c8c3a5b545d25cb8f8f78f1c69

SHA512
cb321ee1645e060e55ffb8ec218f0443ccd13bd506d35518a42064c9e47f9491ba3b65cfdd2cc519afc911559d0ea1d44a4424e3b50150f12c28ac7a84a05d9c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
506fe8af25c4e59eb4dfc05d0b3683c1

SHA1
ac3d08afaf1a557b18eefd82a760446bec35f4d7

SHA256
6af6814b40eb69ee2b26e154eabe74287cff27825740b999f7c0b779c5ae53cc

SHA512
dbe06bf001109ed2bb6aaa77e6e79ac069840444f0f900b53c90786fa4ad55d5e6eb4b95ba3a6b47407d498000e41ea31f42e3797ce179f7ed7cc1d5e4f19f67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5d5048ceebcf2197e1cd7931ba4a7b8a

SHA1
9ee27eb3d7f0388fd79eff295a28367397d0eb23

SHA256
92bc4fe8bb17a6548d046911f06dbcf416bce060b4f628c66cae9a4c5abf0654

SHA512
b48b637989ef09d2add644e96a4ce41f0c820eff3dde399f9babfb8d533f2aadeb26e7a74eac9edac4ea8d7e8f4eface299a3f4d3c529363765314c2b47b2c98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
05ffe0db5293abeb4e7244cf1e28ac98

SHA1
9aaf334c90689b5e38c972566acdfe2bd5b8833f

SHA256
ff1ed046e2518142a72f6955c69d25d78008dec4286085f7215a2f8fda25ff1e

SHA512
cddf2ca08ca5fcc59e6741024aa3c2e0da0f2ddcc512cbfa3a02a86a0bfbf60fde199211b4236426a71a57f0d21e78ffb0566ac221d102c3e509f862f8f1a5de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
140e8c741219a63fbb00e46a38f4599c

SHA1
94089112f11527684baff1b24ca0fa1011e34b16

SHA256
9b7e5ca1fd62aa8e82b1eb2f95ed8ba0221b70056ae954a69409d17519a4f8cf

SHA512
6c839ea23e30036eee6dd1526415e4ae664cd2f20ee9df33950f3fd52824c93c29906fc5418ac08b4083fd68f7f4d5d84dda74097d63b06dadbb92136f474849

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
570791d12c0de38a7ddd3e6365b4cab1

SHA1
6b3711113a438b1414b86182c9935d69085f2d61

SHA256
2a2794a192b038d498d052791879618cb758a1825e26682520832ec7d42bb624

SHA512
0e6cd2dfcf74cea8c075e5791f1efa98604fa486ee32870aa660cdda88cf5dcd28e94b3ae9d972939baeb4046a718774ec0ba26658f4b62a4e096b44e54b2d05

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f077e55d130627e9c34153333f29005a

SHA1
e0dd631f075e0f633eb9d19d980bb1e319a93663

SHA256
b858cec956744a392bfde47beedf4483b6fc094166ee18a6b0faf9c8407ab420

SHA512
056fbdee271256f11211b11b1781d0c63043e88c411072c13412c1ca5e5c2eaba68080b75e5a4838bfb84c739da3547cbf6980359d71f8e3ae2595e804d859ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
10070a17b0c6d417fa144a017451dc3a

SHA1
1cc9b4dc7ce3c8e98609c78264ac65579831c945

SHA256
08467d7928d76de4c02ea15c72f5c85e2661810fea3fe4dc7d012d7e79793b1f

SHA512
6a105054dcd9e876449d47661cb81a62ee01a9ce1c8a308bfc78716a4870b5067e5e6792da9f1dcd081f0ca445c6d0162c6bbc616b90462919f22baf82ff3491

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
15f1d6fa40bb07b596ad519ec6203168

SHA1
19325a6524fbced22c4fb56c34bf716fec6010e8

SHA256
5e3da3336ec1f2206a71f1ba82729b609b6a102aecb0177de57b48acd1e56d43

SHA512
72f38dc88e15656a6d91ed3d51fdcd17862cc782dd35c5c5f83b28ca7daa5dc4b2d943356626dea2591c780ac375e8bef04ce33ac207345a22e79ec756d5bb9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
296bbdd695ca893d16741260ba5cc7bd

SHA1
0ad3c0f3ba7e36ebf139c9a6a2e8212461dd165a

SHA256
9346e59d804503e4df6bda2af4504a76194807caacdb2bbc2e6e6833ae98b8a0

SHA512
d7b33ed994e59b662e54bf8c64ea73cf5aa3dc62297251825458de336501cf26349f7fbc4fe015c6443d1542108186d89e7f0f602c149a3968054fbf476feed5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ad0757aff8101c89abcacdd553f40c2b

SHA1
abd362aefddd609869bed9fe52a083865c2161e6

SHA256
e5f121c4b6a750637a8ca4cda2934220fcf17e620d426137f6c599f709135af1

SHA512
95864ac80a178d1b71678fd4f2eca1461353285bc98b168f22ec5219d3bc98f6045d975faa191eebdf1f7ad9184e11049b8750da9255325b48a0d5c77f0cd6ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e7a329bfaec80a6b55ec4325c03d3b24

SHA1
d373a2ce0a181d2728b3f11e4f8f587d2fe15073

SHA256
b8c90542678d4df8d31d17220c007a1399d377231427cc0aa574a11ae4acb61c

SHA512
da312f7c3da455ce43af6d9551bad0a22f003f38b0dc759257a828035c604b7fc11baada33b4e102d7e68a196fb25076fc88976d6752ca85252d41087f245057

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b2b34511107413411d70dbd2d7dee7e7

SHA1
350775bae9240e3f1549f5d72a32f56989fe3c62

SHA256
e63387d103195b20452b11432636f33a3f4b588e1b635a87f6ac659b8a152c08

SHA512
d8aced9023f526459bf9ed3abaccc13dbe67f729e601c2c7adaa7284d5110ef44763960e774dd75a1fdb3baacd3a477322f7caeb1e16c09d3fb04af94d8aeb5c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6c0c512b0d7826acd24fc90e5a7324fc

SHA1
1a3fb1f91db165dd5fd26c37e973e1939f54e1ce

SHA256
1cd0bd600d572205d36290efb363e4a4fac343425eaf24af6bbe8d2e2e9bd310

SHA512
0a47ccd4f38eb095cf2a46b8b9326a7ddaa1be755a3c3ae756f117e826b1d26f9b2d05cc1d3402289b71c6a6d2bc2ac21bfeb5371e4218e6eed422fd96562d9a

Download Submit
C:\Users\Admin\AppData\Local\Email Box Organizer\is-P3L4H.tmp

Filesize
122KB

MD5
6231b452e676ade27ca0ceb3a3cf874a

SHA1
f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1

SHA256
9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf

SHA512
f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

Filesize
3.5MB

MD5
753e3c3158b57595c33bdca6df6eb9b9

SHA1
fbad6a69a1b91ff227fa154b1e3ed8432cdd2644

SHA256
da8d3e7ba79f8bda81c2d9df2fb72404cf74e8414c8a1838b8c08982d8b67aa7

SHA512
2070d41c0ab3594af70158c811658cbe207205b8f00071bf06abcb1df2264c1db363902dff1843ab9bdbd0052a815ab23a62c6ec10070e7a2b8d6d9c9f750e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\6078.exe

Filesize
1.8MB

MD5
3bf261c0a00e880ee85c3e5d53f46e1e

SHA1
0e22830cd59a76ba4e7da643d1a4054deea4c7e5

SHA256
d0f4716356c11256ce372336dee85883a2696134f28b7b123e6fb76a6bf7fa3a

SHA512
538243d1b37f2b74c3fa5ab2d04ca379f743b758c268f11b5b16e2797427b3029ecf54896b9b5c0e67a7ae0c0de0c29cdb1f7f6ebb54aa059a4b1f3fbcab0d55

Download Submit
C:\Users\Admin\AppData\Local\Temp\6588.exe

Filesize
554KB

MD5
a1b5ee1b9649ab629a7ac257e2392f8d

SHA1
dc1b14b6d57589440fb3021c9e06a3e3191968dc

SHA256
2bfd95260a4c52d4474cd51e74469fc3de94caed28937ff0ce99ded66af97e65

SHA512
50ccbb9fd4ea2da847c6be5988e1e82e28d551b06cc9122b921dbd40eff4b657a81a010cea76f29e88fda06f8c053090b38d04eb89a6d63ec4f42ef68b1cf82b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9E52.tmp\Install.exe

Filesize
715KB

MD5
ca313fbf982f4666b5c3cb989b132afd

SHA1
c48fe5b2608388257336d3e2b4319b431f4da373

SHA256
abb2f76ba10c52f82eb0ae12c3c40e0b8164ba5dcccaf6e63a26bc7bfcb5a1b8

SHA512
7eb1d0f51a622f94c44bb630e86a426eff908eb2b1d1839edbdbbe1b049e9dd21c3aed3016558bdbdaaf95583eded64d6885af9ba8fceab62c7df909b98a19f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS9E52.tmp\Install.exe

Filesize
849KB

MD5
7ced8cbbc436e62268867034eed28d07

SHA1
bf006cac060809e916a105e848473ad20a39bd67

SHA256
8ecf5896f5eb4b8742affec274e411825eb4037eee96b67546f2d08aa5848c86

SHA512
463496ea70be639f92ff986b25a1cd034562d08e9f82fccd6e7beda62f1c185616cf2540b641f9d4b170811c7cedcc94f151fbd3241262d71366c77e79654001

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSBAE6.tmp\Install.exe

Filesize
2.1MB

MD5
c81a961ada5ccbb9f4144d07df19f6dc

SHA1
002ee88cc0cf340d67fe82c100e494d868c79f07

SHA256
21bdefe330c83b34e8b1f3bece8cbe0bdf14a022b8dba15e87a2871aed2b07b5

SHA512
c6a5c7e8465f86a124abaa0667b28d44c721f05171b693483d03d64c916d003aec12aeba3d17d0f57f365abc827f5d76183fa29d2272091d03298d9200c2c3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\823D.exe

Filesize
1.8MB

MD5
996c2b1fb60f980ea6618aeefbe4cebf

SHA1
a8553f7f723132a1d35f7a57cae1a2e267cbc2ac

SHA256
f91c0a4753cdb98cce0ade020917fdefe7a8daf88d23b4c07595de741402ca50

SHA512
4af8fb921a332c5ac3d43b85bc23c859e431702e00852537bf1831c7af8b990d880808d044a1317873c77fbdecb1af7c97bed9edd9e2185bcbfa390c463f9056

Download Submit
C:\Users\Admin\AppData\Local\Temp\FD0B.exe

Filesize
169KB

MD5
d13cd682374380b3a29076ba54e138f3

SHA1
61b56e0380a93e7bb347d4b954b7a4170bff0ff3

SHA256
b28db9f53e35e032f947ea02ab2b1f44c8504c5a9b1058b226aaebce82e60ea1

SHA512
2f853aaca0c44aec53df333e324c861b35d741e4395599f5f69c34ac517cbe737e5fbf29dff20950d930a7d65dbd1324ce4cd5cab01fb6c79380d8f931f8da24

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

Filesize
8.3MB

MD5
fd2727132edd0b59fa33733daa11d9ef

SHA1
63e36198d90c4c2b9b09dd6786b82aba5f03d29a

SHA256
3a72dbedc490773f90e241c8b3b839383a63ce36426a4f330a0f754b14b4d23e

SHA512
3e251be7d0e8db92d50092a4c4be3c74f42f3d564c72981f43a8e0fe06427513bfa0f67821a61a503a4f85741f0b150280389f8f4b4f01cdfd98edce5af29e6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

Filesize
492KB

MD5
fafbf2197151d5ce947872a4b0bcbe16

SHA1
a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020

SHA256
feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71

SHA512
acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFD0.tmp

Filesize
175KB

MD5
dd73cead4b93366cf3465c8cd32e2796

SHA1
74546226dfe9ceb8184651e920d1dbfb432b314e

SHA256
a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22

SHA512
ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-IBKGO.tmp\A8C2.tmp

Filesize
576KB

MD5
4bd1a40273ac3d7ccc171e4804c55af5

SHA1
c3f4e5b4a61c59a1329fdc21b486518cc4027c65

SHA256
5be769886aadc6b0d83cb1d5adceacac2b69851063ffe7cedcc0dc4851b9b2c4

SHA512
0453c74cb3a8a0f2ed677331f6ef5b1aa89ade81d71e48ed3f9661c8f5d88cb837e7fef5b285904d3535d8cc2adf1a122a62e6a8c50f939188f439f19fe5cea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

Filesize
5.3MB

MD5
1afff8d5352aecef2ecd47ffa02d7f7d

SHA1
8b115b84efdb3a1b87f750d35822b2609e665bef

SHA256
c41acc53cde89b94d55d6932ddd55a212ba910e1fade3da138670bb5b18ae4e1

SHA512
e5dc54c60be702e11772dc729eec5ec7140f293545aa3d57282adacddf686483393b0c940bbd397a9d50a6cda093865b143ae00c51ce3bf5d6b00241f97b3cdb

Download Submit
C:\Users\Admin\AppData\Local\Temp\osloader.exe

Filesize
591KB

MD5
e2f68dc7fbd6e0bf031ca3809a739346

SHA1
9c35494898e65c8a62887f28e04c0359ab6f63f5

SHA256
b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4

SHA512
26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

Download Submit
C:\Users\Admin\AppData\Local\Temp\u20g.0.exe

Filesize
199KB

MD5
61a90bfc0ac2f1bcf686df0bb9b551a2

SHA1
319f78b33887e20b266220571e685a99a23c4b3a

SHA256
f51f44e64bd7d8ff0774df5dff4382f898fd510166fca640976d71372939cf65

SHA512
4c843d5de8d8def4004b8d69101a641844a8a865ef180434e38306e248bd2694701a07d84aa6a692d8a34cbf2e33860b49a30f603d6f24696debd199391f0c45

Download Submit
C:\Users\Admin\AppData\Local\Temp\u20g.1.exe

Filesize
512KB

MD5
be1ac00f167db10466dd478c5fc84236

SHA1
88fdd87741500809227220714ebcdf6640ee12a5

SHA256
b2327156069cffc46a71de7796fa849247cb1be9e984baf38d3198aba6f0df84

SHA512
cf59ba95daaf312b504d5b86e222c9ff93f1b8b09dd0648bb3c712e61b83921bf3c00371c4aae0a9cbc81543a84d225dbc5e4803bd3486bbea2a0d537869a6bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\wDuQceUSuxrwPBUzz\WGDDUCEGaylPoGy\cbZNYIk.exe

Filesize
6.9MB

MD5
3ea4bd17505b077cca2b39ca4f91c60e

SHA1
ae0f344e6c8af2a160e9ea89ef6007d08f443d54

SHA256
fb5dacc89b0cc468d6906ba79753ec36cc074a0a2c1f6d908eb44433cf1b0f4a

SHA512
c3551c6689f3dca87347da04fcbccc4910db49070f1553da9035e89dc11a06dc24dcf538c73a161a08ae4d5a00f0a5000a8bf52891d8ac5b20b92a3e4db8a7d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zgfsaaim.exe

Filesize
1.2MB

MD5
7b0c8233d60fd5130ae6451f70c8513a

SHA1
91af08a203fdac0af50b6ad231b3ee0a147154eb

SHA256
97e221949c2115bdd09a99b7bcbc0902e953ec033d06c068e08ac45b2a8f6081

SHA512
7bdab527970696af2ae1177e526c5f0adc8a6b8f78cfd1bedc278f48178a3569309b281ce7b0f612c53b9b035d5a6650902d6d4bfa51c9ce79bb05712531512b

Download Submit
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

Filesize
1.2MB

MD5
92fbdfccf6a63acef2743631d16652a7

SHA1
971968b1378dd89d59d7f84bf92f16fc68664506

SHA256
b4588feacc183cd5a089f9bb950827b75df04bd5a6e67c95ff258e4a34aa0d72

SHA512
b8ea216d4a59d8858fd4128abb555f8dcf3acca9138e663b488f09dc5200db6dc11ecc235a355e801145bbbb44d7beac6147949d75d78b32fe9cfd2fa200d117

Download Submit
C:\Users\Admin\AppData\Roaming\Temp\Task.bat

Filesize
128B

MD5
11bb3db51f701d4e42d3287f71a6a43e

SHA1
63a4ee82223be6a62d04bdfe40ef8ba91ae49a86

SHA256
6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331

SHA512
907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

Download Submit
C:\Users\Admin\Documents\GuardFox\2EyAHqQbDk7PcZrTK8aU6xBq.exe

Filesize
199KB

MD5
ddccd52c133ba0b39be99d28d459bfe1

SHA1
c948793ffeee04b0012c3b16a01dd2133a6e9adf

SHA256
d56b93388319e4139dcd139b4276fb390aabd749d24535b6a3181fb628777988

SHA512
5cecfbc548128f7704b7ad164f39aac4556b2eb1b3d9ecf8d5ac74d92252d6c0a257e23b34a8bc7954579fe022b72062c41d972b436718b5bd426d3073201b3f

Download Submit
C:\Users\Admin\Documents\GuardFox\GxjGkvtYhwN3nJQsyCtat_RT.exe

Filesize
320KB

MD5
f426192d5347dedf2c14ef119e9f5ee1

SHA1
05b010404c0def6ec94df4c5f33e3b1d701e2bd5

SHA256
c6369fa0ebf3137431666ca2c30b4b2c7b1be8aad9ea97b15da79b22761aa9e5

SHA512
36eea7fdc56f5ab49363680c2c6a60673a20ef5ebea7c582d859e02c24bf9197924b402ca4b11e03240bab357e8d2a2742d14c7824af0fe56370e3f501f457c0

Download Submit
C:\Users\Admin\Documents\GuardFox\GxjGkvtYhwN3nJQsyCtat_RT.exe

Filesize
3.0MB

MD5
a52e6a83c5770c4790a775be0b3c49e9

SHA1
3d3dfb6b69a1977002ec8e9f3a508dd8a9ed1e37

SHA256
682801ba03f285dc2e97378ca30161e1c91e7ca1b939ec837c75d0e9606c9133

SHA512
6fb4c5867d8b278880dc6c15c0abf0d4a98bf3e0814d4a0fea3dbd3f73ca11c1ea6de0717055a532a25ffaddab8fd415fe3f732542443b8c5f80ef46e34db744

Download Submit
C:\Users\Admin\Documents\GuardFox\M7CJfjOJnswOfsGOITpWfHBq.exe

Filesize
128KB

MD5
c5714d0f1243d90c3bddfe6fe54701b2

SHA1
feb23eefc4f4c1c02ad675688cc2a4a1f3480a29

SHA256
fb9471c2079319a9dd1871ffe2f94bb00dbe197117a8c6fac58cd72dcc8d9b56

SHA512
43c701d89830f360c850a28c8f43888889633dbfb1f834768196dbd28a9c40fe1cb936fe2391b0db0576572fe9e7834622dd82bc0188dce57569823af0df0089

Download Submit
C:\Users\Admin\Documents\GuardFox\M7CJfjOJnswOfsGOITpWfHBq.exe

Filesize
440KB

MD5
6c3d7b00613458168c798ef8b4fb97f1

SHA1
4995e3bbbb8813de1652a02d236eab4d7a8e26be

SHA256
9e43e2e317a3399c9605decb6dcab5f4c727eb2309ba802d30e4e78c5481a45a

SHA512
bac50f22392db19142b9253e4d721312b2828d344cd82310a2f611b89f8b1d27850b250ec1515e2c37822c462cc3a0ee29c9f9efb2ac5aca09a8df6af6b36b44

Download Submit
C:\Users\Admin\Documents\GuardFox\NZ6oKoiKbrO7K7_ror4q00_D.exe

Filesize
169KB

MD5
2ffbe508f8b2cdfaac5e6bac9b1844d4

SHA1
207d9717061262311553964d68eb4ed360e32211

SHA256
bee13e4142e8d49032354dd4d1129f45ea11e4a994ab1eb5edb582c1c15319bd

SHA512
68558f5dad5595b78b3beac00b964eef9b9e4316be9e20d3715d3b3415a05d8607daf1d88622511af9d0836d23b0c00b9913269ec3266331dd96e133008c48de

Download Submit
C:\Users\Admin\Documents\GuardFox\PDZfU58Kf9RSLOo3OlUFq_L0.exe

Filesize
169KB

MD5
d7876ea17cd7db5202935127c4d955aa

SHA1
5f6317e8fdf31a0cad322a9febd8d10255231980

SHA256
bec442ea6db20ffc73c69220ae12fcfca036bda5667c0aedec4560998d89c7f7

SHA512
3881a1dfacfe47a47559bac8b1add9679def1bd0ddcb5783855b6c883d220ca9cf143967b1dfcee0219017e8c7ea0f6fb88486069f91ae49428985909ba71be4

Download Submit
C:\Users\Admin\Documents\GuardFox\UAvM4CkuavIVH4xf5k40wV9m.exe

Filesize
7.3MB

MD5
0659aea6890cb01607314d8b0acaafcb

SHA1
14cbcbcd6f68731707ba5ec6ebf446edc1c7f379

SHA256
89bc19e496aa3d95060ad6d1c2d47021da1cedfb65100293c715909395eeec7a

SHA512
bdce088c08d8e867048e0d1a9182d149e2c7d2827bd5acbbcf2019e7145fdc981383c0bc19c3423cd50872dfe767a2785e827fef8f4db3ef23e4386a9642aa6e

Download Submit
C:\Users\Admin\Documents\GuardFox\UAvM4CkuavIVH4xf5k40wV9m.exe

Filesize
2.0MB

MD5
bb580921875e7765f249f7c54133e739

SHA1
d2dcb41d51e03b55573f5e0e506866bc361a840b

SHA256
b908f4f0180972ecdf9c210d7be014b81eb679d74e83c88487d936d4ccab3fb6

SHA512
e601a97adc875b0e51bda48744e9d42cb41b52ced38a5ec3e0e1e8e1c841356409dda30a34c5e6f02717931a5d16ffeb9a78d3437e3a34099d986c9d549bbc59

Download Submit
C:\Users\Admin\Documents\GuardFox\UAvM4CkuavIVH4xf5k40wV9m.exe

Filesize
1.9MB

MD5
c1c1ab1330208dca532fe71723d5b067

SHA1
272d0f2852486987f932dd1246ba946c5921aa1e

SHA256
3265dc9bfa380d13d03554fba57b54256ec08b9dfadb19113d0b0d15c5512837

SHA512
67536d96bc0640822b8b1ba0b20f396eab258415743b59202e6d3332e24d896b74c8e45b6101bc1aaecd3c06b9aeda0a3ace32c7856f9d5873ef87e1a16add22

Download Submit
C:\Users\Admin\Documents\GuardFox\XdCcXx9rYaWS_8GVdD9nZ7ux.exe

Filesize
33KB

MD5
35571768530d81a27997d21800c5a465

SHA1
f515cea3531244450ab1d66e76645782901e83ef

SHA256
953a49480e3bd4f5a84d6d44fa83fcecae83e88a557470dc349ff7b89e2d7bee

SHA512
30249d9c8110bb27750437abad27f781cc92e0e3c7b6af6dda174d6280d60baa3852e7de7f7ada1084941cc15e6a5bcadb3518d870bc3e0a020a06e98ab1d564

Download Submit
C:\Users\Admin\Documents\GuardFox\XdCcXx9rYaWS_8GVdD9nZ7ux.exe

Filesize
169KB

MD5
b76816941f3cd0aa204e1308b917fd70

SHA1
31dae3b255fb018bd46758d168bcc1ac143d850d

SHA256
70e95a0a0110bdc8a6a3971f41386c5be5a6343de633d0965d03c35ff0d7ed1a

SHA512
b7b58a7e712013c0c20147cda406fe9d4b839a9c87b935da17ebf13b7798397a5c560942e692916674a27e7b974807344a1c89b78acd0b63e9b1a8ad05280bd6

Download Submit
C:\Users\Admin\Documents\GuardFox\Xj_OtfRj9sOgU_AcIrQtTqf6.exe

Filesize
440KB

MD5
61ecf62f4293b2b3e8858cbde1c4c684

SHA1
2ae56351179fdf3121b7561b6b00d3175e3fd0db

SHA256
39225535be216314df165d0c50a60717ac5563abb046c5f2e02d3d7ef98fcc74

SHA512
4e23e8f8fccd68e1349f437f6b9b503d3ffb53bed1f743073506aba1eb322cc7533a4da657b356e66a3b540bed8b967171705c6cea76bd8c73715e928141da6b

Download Submit
C:\Users\Admin\Documents\GuardFox\ckoeJj6elDTfuRxHXDebBLo5.exe

Filesize
222KB

MD5
6410d5a54714bbee2d34c32082e6ecd2

SHA1
e98ee40e25c1a52adaea2147bab0051bd510177a

SHA256
3a810c8e25c4e2bee013eff6ff95fc378456abb435299da1faffe6ac12d0934a

SHA512
2a139bf11167569722060fdf0cfe38628fafb09d4353f9801025bfcd454366588c9d9b11712a32d17938fb5dff73196704aa42a43257d0dc3ed903881e814c77

Download Submit
C:\Users\Admin\Documents\GuardFox\g9naRJPwNQcy1nT7QWq1Boov.exe

Filesize
1.7MB

MD5
a06f96090e8f8a9502e78725873e8474

SHA1
05467d23c2bb33d07cbefc52b4708b8a2ed49815

SHA256
f2ca8ce6d27d65cc65e6e9811e5ac05f36fa1ef121b2d1db84e786bdbd49a3a2

SHA512
76fa2028a30a0f99cef3c86f9ee0b8f0fce3d8bd08d22c618d3354b4a5e5248d9d3cef951a00f01a8f736b910d132c137b8c6aadf3b2c1e1d0d08026c7573d76

Download Submit
C:\Users\Admin\Documents\GuardFox\g9naRJPwNQcy1nT7QWq1Boov.exe

Filesize
2.1MB

MD5
9c35b47bd5ad6776410765ead8d37e5b

SHA1
1493c4bca668d5c13a40ce085ed41de94fd4282e

SHA256
c79beab895adcc3791936aff665da0385ded8e8308dac66911236e40b5254d1c

SHA512
1f86e21a52e10b1af968b1da385a47c9e5714af37be587dd1873379ba89fe31a9446fad99d879300d6c21c7f77d43d7a9a8774d1978515bb6ca936cc951ef354

Download Submit
C:\Users\Admin\Documents\GuardFox\g9naRJPwNQcy1nT7QWq1Boov.exe

Filesize
384KB

MD5
556d88a01192927d062a1c12f232b437

SHA1
e2281d17927c4116bfbb4a5b0954f59d59a1b30c

SHA256
0ea8923b4a880f6c8b69994a8dffa2712062a5060b4307b73fb24c962b23a4b2

SHA512
b2863a0edb553c16f8addc79afed8c22661b9afe174c1e43d00b9c7ecddc5a89c7de843e0e347eca217dbefa8ae54a1d66505d5f678844bf19fc633b36c2d8fb

Download Submit
C:\Users\Admin\Documents\GuardFox\gU_cMVt_5rERgDwNK6jm08MD.exe

Filesize
192KB

MD5
c4688ab9ebea4bc288a43db6af9e1a80

SHA1
9f92498ba1bfeb5b85adb5152593d464b3891a91

SHA256
ef075884beb41e23324303c7b7313ed27ee1514d3eee044643a97a466cc209ec

SHA512
efcd01c8a7d2d4eeb059e11753587f7921696f2ac6979469d2b78cea643e93438c4ecd58031341a961ae98d1138a58a47dac731456b2d464ef0932617c2f6dad

Download Submit
C:\Users\Admin\Documents\GuardFox\gU_cMVt_5rERgDwNK6jm08MD.exe

Filesize
1.8MB

MD5
72e7b94f3b840bb79df8246225bc825e

SHA1
6958315b06d3f81e6e5dc4a313493d8aa088ca77

SHA256
73525de87a9b967b3a23569fb67437ff9ffa3152d7497565fff927413ef7fb1d

SHA512
5e809de49a9f833a205fb83e2b1c6257ce454ac10c636c52b76a559a15ba3304ec9cbcf7d7ec31e2a3c172fd3f9bfe08b873e023ea74ca1f07b2ca115188123a

Download Submit
C:\Users\Admin\Documents\GuardFox\u_6KeaEVc3DO9L4N7hASEl_g.exe

Filesize
448KB

MD5
04a703d1de5324d1205acb8904b58158

SHA1
195bab3094f8dd6eba61e89024f1f13770960c34

SHA256
43bb2f8baccddd75e902188a0ac7d37039551caabe15d0482783fc466ed1b540

SHA512
7c6b7cf3d5e73a217ae0604d5920d133dbac7b8f21540dc2888569bc12ab4f322ad6cd10feb42e8ef418a4b49832a4f8ba288d2b47f64b58c094f30faf9035c9

Download Submit
C:\Users\Admin\Documents\GuardFox\u_6KeaEVc3DO9L4N7hASEl_g.exe

Filesize
545KB

MD5
0ed489b71f5c4a190291fc08bb259577

SHA1
bcd3ef69fe7f3b348d3726d30f5be70f509f093f

SHA256
7f59b71956dfa3071abd682a5a60d2316d161fabc89620f50bf18ebb7db19333

SHA512
221e1887b977fbaa23e2a7c1a8f16e210db8b5dcccb8454b770760e0a58d1534c1712e360bb3a097a115c300c5466ed084007c889511c2efdd137f974f699d51

Download Submit
C:\Users\Admin\Documents\GuardFox\u_6KeaEVc3DO9L4N7hASEl_g.exe

Filesize
1.4MB

MD5
311ac92e4a819edc4f775a5b3ed8d224

SHA1
007859ef7d745d196f211160b1b2d013c2162228

SHA256
a030ff882b552c2e3f5e07c58a566f8db9a088bc9cb1591a07d83ed5f235a9d5

SHA512
16f83680e9d0c57867ff199d53e4d2075367b4bebdc60c2d703dd331ac0816a66570cb39bcbaaf89a232f086c5cf36360395c3845d786594c53bd74dc1d8f941

Download Submit
C:\Users\Admin\Documents\GuardFox\u_6KeaEVc3DO9L4N7hASEl_g.exe

Filesize
4.1MB

MD5
46bbc10b554f1b6cba35defc237a1bac

SHA1
e575ea4266b5772d4b2e39d99748b1e6b17a9c1a

SHA256
5f1a6c83aced09c805c4a8391a4a5888a532ad47807ef7ab318cad87795ddf0f

SHA512
0818420904a7e23e6939fac0ec17053623b30520eff690efd595fdb603ee99c3cdfc6d175454dd34379c60663ae9507d7ae8a20100dba1edea3ff4634acf7f69

Download Submit
C:\Users\Admin\Documents\GuardFox\yc6El0Zpx_v76znxh8f534y2.exe

Filesize
256KB

MD5
dac885f2beb66783571d3f40f6cf8e5f

SHA1
bca7633cc1382b5b9e5ba174133e1613c562a220

SHA256
be0405c2f6c7900ee0a34f9c24466bb6a2509aa14e56b3f7a49a41115f0cb196

SHA512
1f5c202d8c9da11bb1972b21b0a510f3f283c5260ac3c68d24afc32402a8fe67c9141930bd20ea3805c8ab03e6dc807fe9ce5465caa58c28220c48f5bacc80da

Download Submit
C:\Users\Admin\Documents\GuardFox\yc6El0Zpx_v76znxh8f534y2.exe

Filesize
792KB

MD5
9aca3bcdf61ebb018489b12578dfac11

SHA1
355f778d072204111c9286da39352b10a38fe132

SHA256
10b5dc1d7ab202469a233d6b2884ceffc9a6eeb189d1eb4621d2579d373dbd31

SHA512
1ac01d98e297dd05e3158a8bfb3c19cbf3aa0cff0fdab42a1be62743600e26df5b3e145a3c455a6f263a54461e9bf304094e4f897fcdf92e55d4dde2751e3b26

Download Submit
C:\Users\Admin\Documents\GuardFox\yc6El0Zpx_v76znxh8f534y2.exe

Filesize
1.9MB

MD5
dd61d2d6b96ea7384f15f6371f156cd4

SHA1
a98fff518c5536ac69301e12c549b051b7c27fc7

SHA256
05df69b26b8a5f9374ff728ad7b82a2be8e91ceb1be5ad32e68870572db62f04

SHA512
dc1ffb00345315a360437893d0055b76e57d0fb2a464d4b7627346ae34f2d010efe4b29313a411490dbafa9b3a8ec6c8a8fb235264ea795f6719689ac22792f2

Download Submit
C:\Windows\SysWOW64\aydhxaqp\zgfsaaim.exe

Filesize
704KB

MD5
70f6ed4c8184764bc4a36476940eee91

SHA1
5c429e1cf28b55b3459ce2a5f2d4a5bbebee00f7

SHA256
e910e88cacb4b08c32218ed527a3dbd0d80d280e71750eda810e61c00b315373

SHA512
ad8ec32d1bc5065dd439c8822204152100805568b5f5904db85798e848058b86e124f1c2f428b569470f97bbb4471497399a624f75e503333439c707023e0a6f

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1.9MB

MD5
c7c99e5a999182db4fb1147dfd5e6599

SHA1
e3897dbf80f18e1b4aa31842143cc20449b4c884

SHA256
9c724770f61d34eb4f6ea9cbde35bcf44b88f261302d155bd9af20473295f24c

SHA512
d55939decae546f034c308b680d081935df563640ffc6bfcc187f9df696d7036da9e871354a007ff491ea995e4a7e6c29f0da227ac4d7f02a2cf7e7a4842a684

Download Submit
C:\Windows\rss\csrss.exe

Filesize
1.4MB

MD5
93acd8e4eee219e6f57e3ee5f33b0241

SHA1
cef8cdca5a500dd31956be37ce84702f25da5765

SHA256
18df4a80431bf210c6036e7852babe09880343a8f54156cbec26e571da3e571e

SHA512
e2b694a9b5aa0acbb26a01d56ed6758756219994f825d4aa94aa37fe42b4b42189bd29b52febaa0bf214446ae21e4dcc4446804cb25ce5b90cd3c08c06c5ac7a

Download Submit
C:\Windows\rss\csrss.exe

Filesize
640KB

MD5
259b5399cdaf9c7e444057623c19fad8

SHA1
f2b51ee57933ce854ab3c48aafbc19a5e34f9bac

SHA256
d19537c416be0da86f03255db96c4c7b3b16e2dea9e121fe95d4ba8483aa65e4

SHA512
8a6337c62d105a86753ee8becb4c4d24f8a97a93cd6933cd393263b96222302b9784f511be4b72aaf9c1f40c9060fecc511949f4664f638e5e3d14e60d2cc773

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini

Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
\ProgramData\jndraacsywhc\todymdgvwmgb.exe

Filesize
7.4MB

MD5
160c12d911460b8fe29e3ec05726fe78

SHA1
7217ae9d643cafd6f8d26afafcc3a9bcf248e636

SHA256
f4a65dc445b26ef87e759b5a7d3f2070eb14beddda2349c62c9a7fa755bbdd04

SHA512
c32316a330bd89997d597429479eb93be3d0661b3a08484c7d9c7ac58e2edad9c018703068ed26e78b961762083415e2f43885706bf492b1371d6bd21f5d9b86

Download Submit
\ProgramData\jndraacsywhc\todymdgvwmgb.exe

Filesize
8.6MB

MD5
11fbc1ae18779b25f84061f889d463bf

SHA1
18309b04b4a829f5e042662794d2da67395cccf7

SHA256
806c6a27cff9378f20ce8f6bf8c61593b9e63e945c3ceec48675c4a2d2b0ae0c

SHA512
1aa1d628965b5201b6d33e3cd352b0fa69f5a6618de9a190d44f01a3f72fc99683eb43f37f435ad8cbb11cf5e3fa1f551ea710d26690e9ae5eec116f4201d3fc

Download Submit
\ProgramData\mozglue.dll

Filesize
320KB

MD5
359529e3fd3d1ef484b67ce5f3483d56

SHA1
d27c94914883ec2b7f6feab7b0f77d264a578c96

SHA256
4310414b8cf4ed75a52c8147b07d9fe4b03c818560878aaf829eff16fc172b50

SHA512
594dffe2101d93f6f9d16a9923c554025846c7df707d73c3a7c12545a39f3bf11243514b1aa351b99fc2bd5b96b944a4644fb02386eb59e969ca7b2d47744f41

Download Submit
\ProgramData\nss3.dll

Filesize
365KB

MD5
ff8bac421dbc8f04f10c0ffa88db7dda

SHA1
edfebea1b08f8973d75111a23ca8e37ffe20b99e

SHA256
6d6555586c3898ed1c6342c7f69188439bcd09c5cacd7099c50917fdd8e3fbcb

SHA512
0db09645e01d986f45487e799739314794f886e5f62386499c8521be244e01bb8f79de808824abbe51331ceac14ec152ed07945a9a283a36d6bf4d47dda730e5

Download Submit
\Users\Admin\AppData\Local\Temp\7zS9E52.tmp\Install.exe

Filesize
640KB

MD5
11e50c6d2d6c3d5410809da99961057f

SHA1
b30645d018432794e594e2b2506385dbfce86905

SHA256
94d1a584cd5f366f6efe327605a8ac2a1c9dcc39d1a66b30050f5f91563246a6

SHA512
d2ecee28953ff486f672086bd531fc6f63f7f39a6af72763e82db6204d8357b42b03965ed56d3e06d53532718e8e4e09342d2279d73aae9c0ab6f5b9130226c6

Download Submit
\Users\Admin\AppData\Local\Temp\7zS9E52.tmp\Install.exe

Filesize
800KB

MD5
16945cfd473d2fb7e59013d61374a501

SHA1
86bbeaa6267fb1487464dcbd187d3a508dd41553

SHA256
705528edefe11d0afdd46249ada402dbe8db8bb9976f4763af9553a3fecb6d88

SHA512
c9d27155efa449339bff74ae5007f6719682ea87da9f99d676b53e03dc2e52f8b44a7500f7228bd6f687f4e52723a3ca9f8636b70b34f021bc27c3d066eea691

Download Submit
\Users\Admin\AppData\Local\Temp\7zS9E52.tmp\Install.exe

Filesize
949KB

MD5
cc806331d3d82aadec6d0250b3ce8704

SHA1
56a9db6b9ffefb67115272792eecced03895d3f7

SHA256
a571d26bc0f67609d157d4b5d2afc03891b73c83cb596b88941c3244dcedcd95

SHA512
2ca90467cb85db3497e2423f04c86106004ff7b6f0e4330b3fea3fd6d3bc50613b61aa6a3d96be3e6c2dfc17a460da312917fc2bd8749af1fc550bf14e2ed1a1

Download Submit
\Users\Admin\AppData\Local\Temp\7zS9E52.tmp\Install.exe

Filesize
836KB

MD5
308ec76b400f96345b127c97079fad50

SHA1
062b80fc2686538b01afc3247cb4f1bec2eb28c9

SHA256
142e8bb8b4b6a7bccb2981dffc0f0c20a95cde3c5c100c727341782b59f2c7e9

SHA512
e90537df72d13241fb67a0edc8d386b59216fb7be393e360c9f60e039e367980389e347382d0fa0e3baa5e1686412ff79dcd903d8796a97436f10bc049a97254

Download Submit
\Users\Admin\AppData\Local\Temp\7zSBAE6.tmp\Install.exe

Filesize
2.2MB

MD5
8dd6d4120289ee050278af657102dbbb

SHA1
740a161f359aea94a7e441de281a59b6565ce216

SHA256
d3dbfc239d1b895bedce995ac1c2c0c113cab83fabca8d9348b412f0e5637f7d

SHA512
ce6ebca82c07e46bd68e876d9e4a09d61e74b71b60beea3ea7c0993fb23add92213037700b21770c43656ee033f93d591cd3dc1b7878f61cf4a83c055554ab0a

Download Submit
\Users\Admin\AppData\Local\Temp\7zSBAE6.tmp\Install.exe

Filesize
1.8MB

MD5
c9e5775a2a563efb26faeeeb2097591d

SHA1
427af32e58c5d0eeab870f1e7ccf11a3bafdb30e

SHA256
7494b9ad5a26f3a48482eb13b806a01a63d72668be7ccc6c1c05de80457c01d8

SHA512
3ab9ee52be9186df27c72cc5601ba323fd0f6c6a08e88ac29d8eac5a1837a9347c3c5dee64016e5e9f510f07be2b27fceed5a812fbc405e6f06d93e314fe0913

Download Submit
\Users\Admin\AppData\Local\Temp\7zSBAE6.tmp\Install.exe

Filesize
1.8MB

MD5
f68af9bf00daa5f2d48f7d267076fe23

SHA1
7d142ea731eb72798e975a468da7f78b120baaf0

SHA256
4e2d1ba501fdb4462cf366fcb62b7670fc0f444eb27690e5caf16efb9902807e

SHA512
19246f5a98d2c3e6c40a15bebfebb9b3756ac4594f1fbf391410fa76c40e2801017032ae74d9ce1690e2fe3c93b34a2e11990bc1c33d4980ff99948f59e2647f

Download Submit
\Users\Admin\AppData\Local\Temp\7zSBAE6.tmp\Install.exe

Filesize
1.8MB

MD5
cf79eda5e7c71367f168fa05beaf868a

SHA1
2964266e7438f0fb8007b9baa8043d88d0563e81

SHA256
abfe032933db3e466b5e528a908a03b4677c1d359af40cb25d151276469fbe60

SHA512
0dd6843fb3e9f6bd28dad2cfbd35888a6caf681ca0fd18977602c0a09f96d364e5bb77280a4ee7c76d6354dbca8c5fb203d7dea032cd0b68208a16a144aafff6

Download Submit
\Users\Admin\AppData\Local\Temp\is-OCRE2.tmp\_isetup\_iscrypt.dll

Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
\Users\Admin\AppData\Local\Temp\is-OCRE2.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-PT965.tmp\gU_cMVt_5rERgDwNK6jm08MD.tmp

Filesize
690KB

MD5
4df57aaf92a50f25127408e03415e9ae

SHA1
8f7670cfae2f405be830c8ec5f06856358d301a1

SHA256
d247810adf596b210b373af971bfeeeebea4f574cf2175d87d4899dcfa6e405c

SHA512
a2bbb20f3d41b86f01455640c188b2c80d2bf8559ffd335e4cbeac7d70b8d88da3f75432e19a3597ffb79c183c32e1f071f0d259b277caf9173cf60479d312b5

Download Submit
\Users\Admin\Documents\GuardFox\UAvM4CkuavIVH4xf5k40wV9m.exe

Filesize
1.9MB

MD5
c14b26aa150e05f8b2b626b08cb433a3

SHA1
17a8edccd1ffa7c1b3b58f2f54fd6a2555b39292

SHA256
dd4c4070ecfe43617e90045a5a7ccbac00957a288fb87856b65fc861089ab4e9

SHA512
dfcfb2f731a5357afe1b3f075c8cddfc6410200108230f40c1db6031dc2ba035c63d430d1e43c4704d97faef77e1891046434858d580f508b623f6be89fd9c82

Download Submit
\Users\Admin\Documents\GuardFox\g9naRJPwNQcy1nT7QWq1Boov.exe

Filesize
2.4MB

MD5
e09942c61c9313382ec60e19998f31d3

SHA1
f457347131324cb07a6bbf4d4ad42515d169e1a5

SHA256
3ba15ce821405cae7c82629456268976dd3a54ecf5fff201cd0a8683e570919a

SHA512
c07f628c9ce4d3848dae9aab09819b4eb951d3177dfb184bafc0ae349f272da49570c71091a28ed9878884f5e0936dd7726f07cde66854ec6a922c2f3a9940ab

Download Submit
\Users\Admin\Documents\GuardFox\g9naRJPwNQcy1nT7QWq1Boov.exe

Filesize
448KB

MD5
e57ead22ae7fc08097f3e01861f4f8e4

SHA1
79d7c2937e7deaa4ed54f2cda10ef290e6eb575e

SHA256
3d00984c51dd211c844fe0e30c1f690e1101c4773cd150844386f19212d5b17f

SHA512
91084cdf669622062cdc71e073720c1f09cef91e962573e9b8eaa06c04390b48e3cf11a0056a0c0a77f68b873acb769fc303c4776a0a6a63f9857f78851356e5

Download Submit
\Windows\rss\csrss.exe

Filesize
1.8MB

MD5
dd1c9ccf34dc83f90bfcef800dccb0c9

SHA1
80243be20ed25de5aec6991bebeb54808f97afd1

SHA256
8334e8a3aeccab1bbf3c4b6ef7d33c16b480d0e6669e7f08c055f6aa7558d1dc

SHA512
27c79754957479c31124177cd76c12e1d0e721508bf2510fe9dac2c65f1ffc03cf72a7d7a095d8648957c9bfe1fe5a2ccdc160ea31622be1802bc46da65fd3ab

Download Submit
\Windows\rss\csrss.exe

Filesize
2.2MB

MD5
48fe2dda022aa09aa8733ae1cc190fcf

SHA1
8055c0ffb4b38e1bc22cd3fa65a7f3bbcedaabb2

SHA256
a557153c33a293ec290c1143657395d3f931a1f648c4246cd68db3ba03ec009e

SHA512
5070721d8dc9380f4e694bc3c364f992bcaca20a938e63cb36d2014a7fc13fd8ffedce8bf0ca6d569d71ce35fb516fcd4140255c254b9fff918d23d097dffac0

Download Submit
\Windows\rss\csrss.exe

Filesize
832KB

MD5
9410105add057fc9c88d793c307c4b85

SHA1
59834ebb903c97f3b0944f03ee0cf3c1bea9e96e

SHA256
b088e9a025d36e05943f13a09a21904171c5023158e648a613623a4e471dcb92

SHA512
982e1402519c9789fc496b1fdf89d44eb7c1b80ef1c35f2811b53aa2fb9fd3a7ac1ac3af57caf83e02fa0b57f3ce83550205bb4b2c4d826a9c3648343298b1b7

Download Submit
memory/288-1517-0x0000000010000000-0x00000000105EA000-memory.dmp

Filesize
5.9MB

Download
memory/488-1667-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/488-1481-0x0000000000E60000-0x0000000001258000-memory.dmp

Filesize
4.0MB

Download
memory/488-1544-0x00000000029A0000-0x000000000328B000-memory.dmp

Filesize
8.9MB

Download
memory/488-1580-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/488-1541-0x0000000000E60000-0x0000000001258000-memory.dmp

Filesize
4.0MB

Download
memory/1304-1757-0x0000000001250000-0x00000000015FD000-memory.dmp

Filesize
3.7MB

Download
memory/1304-1576-0x0000000001250000-0x00000000015FD000-memory.dmp

Filesize
3.7MB

Download
memory/1304-1595-0x0000000001250000-0x00000000015FD000-memory.dmp

Filesize
3.7MB

Download
memory/1304-1434-0x0000000001250000-0x00000000015FD000-memory.dmp

Filesize
3.7MB

Download
memory/1304-1846-0x0000000001250000-0x00000000015FD000-memory.dmp

Filesize
3.7MB

Download
memory/1360-1570-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1360-1427-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1436-1549-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/1436-1560-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1436-1601-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/1436-1546-0x00000000005D0000-0x00000000006D0000-memory.dmp

Filesize
1024KB

Download
memory/1600-1559-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/1600-1563-0x000000000065F000-0x000000000067B000-memory.dmp

Filesize
112KB

Download
memory/1600-1567-0x0000000000230000-0x000000000025D000-memory.dmp

Filesize
180KB

Download
memory/1736-1589-0x0000000001060000-0x0000000001458000-memory.dmp

Filesize
4.0MB

Download
memory/1736-1666-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1736-1578-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1736-1494-0x0000000001060000-0x0000000001458000-memory.dmp

Filesize
4.0MB

Download
memory/1796-1683-0x0000000000E10000-0x0000000001208000-memory.dmp

Filesize
4.0MB

Download
memory/1796-1684-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/1944-1529-0x0000000000220000-0x000000000022B000-memory.dmp

Filesize
44KB

Download
memory/1944-1528-0x000000000062F000-0x000000000063D000-memory.dmp

Filesize
56KB

Download
memory/1944-1527-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2160-1844-0x0000000000080000-0x0000000000095000-memory.dmp

Filesize
84KB

Download
memory/2284-1552-0x0000000000770000-0x0000000000870000-memory.dmp

Filesize
1024KB

Download
memory/2284-1577-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2284-1555-0x0000000000220000-0x0000000000247000-memory.dmp

Filesize
156KB

Download
memory/2284-1582-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2284-1787-0x0000000000770000-0x0000000000870000-memory.dmp

Filesize
1024KB

Download
memory/2284-1778-0x0000000000400000-0x000000000063B000-memory.dmp

Filesize
2.2MB

Download
memory/2340-1594-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2340-1531-0x00000000003C0000-0x00000000003C1000-memory.dmp

Filesize
4KB

Download
memory/2364-1523-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/2364-6-0x000000013FE60000-0x0000000140703000-memory.dmp

Filesize
8.6MB

Download
memory/2364-2-0x000000013FE60000-0x0000000140703000-memory.dmp

Filesize
8.6MB

Download
memory/2364-1340-0x000000013FE60000-0x0000000140703000-memory.dmp

Filesize
8.6MB

Download
memory/2364-1347-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/2364-3-0x0000000077D40000-0x0000000077D42000-memory.dmp

Filesize
8KB

Download
memory/2364-1522-0x000000013FE60000-0x0000000140703000-memory.dmp

Filesize
8.6MB

Download
memory/2364-0-0x0000000077D40000-0x0000000077D42000-memory.dmp

Filesize
8KB

Download
memory/2364-7-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/2364-5-0x0000000077D40000-0x0000000077D42000-memory.dmp

Filesize
8KB

Download
memory/2464-1753-0x0000000000400000-0x0000000000D1C000-memory.dmp

Filesize
9.1MB

Download
memory/2464-1752-0x0000000000FF0000-0x00000000013E8000-memory.dmp

Filesize
4.0MB

Download
memory/2468-1591-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2468-1436-0x0000000000E50000-0x0000000000EC0000-memory.dmp

Filesize
448KB

Download
memory/2468-1530-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2468-1535-0x0000000004E40000-0x0000000004E80000-memory.dmp

Filesize
256KB

Download
memory/2512-1584-0x0000000000220000-0x0000000000233000-memory.dmp

Filesize
76KB

Download
memory/2512-1602-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2512-1568-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2512-1583-0x00000000005A0000-0x00000000006A0000-memory.dmp

Filesize
1024KB

Download
memory/2516-1655-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2516-1649-0x0000000000400000-0x0000000000474000-memory.dmp

Filesize
464KB

Download
memory/2516-1646-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/2564-1849-0x0000000002860000-0x00000000028E0000-memory.dmp

Filesize
512KB

Download
memory/2564-1850-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2564-1848-0x000007FEF5830000-0x000007FEF61CD000-memory.dmp

Filesize
9.6MB

Download
memory/2612-1821-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/2612-1454-0x0000000000220000-0x0000000000290000-memory.dmp

Filesize
448KB

Download
memory/2612-1534-0x0000000004CC0000-0x0000000004D00000-memory.dmp

Filesize
256KB

Download
memory/2612-1573-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-1533-0x00000000747B0000-0x0000000074E9E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-1759-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2612-1774-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/2612-1820-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2628-1477-0x0000000077D40000-0x0000000077D42000-memory.dmp

Filesize
8KB

Download
memory/2628-1538-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/2628-1478-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2628-1739-0x0000000077B90000-0x0000000077D39000-memory.dmp

Filesize
1.7MB

Download
memory/2628-1733-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2628-1536-0x0000000140000000-0x000000014199B000-memory.dmp

Filesize
25.6MB

Download
memory/2796-1633-0x0000000001C30000-0x0000000001C70000-memory.dmp

Filesize
256KB

Download
memory/2796-1641-0x0000000073090000-0x000000007363B000-memory.dmp

Filesize
5.7MB

Download
memory/2796-1632-0x0000000073090000-0x000000007363B000-memory.dmp

Filesize
5.7MB

Download
memory/2904-1579-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2904-1588-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2904-1551-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2904-1548-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2904-1542-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2904-1554-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2904-1558-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2904-1566-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2904-1545-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2948-1550-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2948-1565-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2948-1596-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2948-1543-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2948-1581-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2948-1537-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2948-1590-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2948-1553-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2948-1847-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2948-1557-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download
memory/2948-1593-0x0000000000400000-0x0000000000644000-memory.dmp

Filesize
2.3MB

Download