gcleaner | 196d5b9c15745bc755fea17a32d6cbc9fc5221374966aca086872e8df44fe0e4

Analysis

max time kernel
103s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
02-04-2024 13:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
Size

4.5MB
MD5

20ed8b8eb556fa3cbc88b83882a6f1b0
SHA1

cd7ce6fc0068b6ef9c37d5dafec1319a39b88709
SHA256

6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421
SHA512

868b859bdff27e41f63b527590214ad22dcaf332bb3d5c7daafd295ea648d71d5bd6d01fee29587eee8b7d4ef01384089eb0b2408f3d2e048021701c357e3b9b
SSDEEP

98304:in1GhDYSAEbWAtdt7Eea0+JJHOBMT6yCltq5CFvxWof8e45D4UO38cYd5:0gYfux7EF0CHqI6Xg5CFvxW2Pe

Malware Config

Extracted

Family

redline

Botnet

LogsDiller Cloud (TG: @logsdillabot)

5.42.65.0:29587

Extracted

Family

vidar

https://steamcommunity.com/profiles/76561199658817715

https://t.me/sa9ok

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

Extracted

Family

smokeloader

Botnet

pub3

Extracted

Family

gcleaner

185.172.128.90

5.42.65.64

Attributes

url_path
/advdlc.php

Extracted

Family

stealc

http://185.172.128.26

Attributes

url_path
/f993692117a3fda2.php

Signatures

Detect Vidar Stealer 5 IoCs

stealer

Processes:

resource	yara_rule
behavioral2/memory/4528-672-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/4528-664-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/992-636-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/992-624-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7
behavioral2/memory/992-612-0x0000000000400000-0x0000000000648000-memory.dmp	family_vidar_v7

Detect ZGRat V1 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2372-597-0x0000000000600000-0x0000000000C90000-memory.dmp	family_zgrat_v1
C:\Users\Admin\Documents\GuardFox\9UuOvCJBbHO5rFf7r8ZtRqDX.exe	family_zgrat_v1

GCleaner
GCleaner is a Pay-Per-Install malware loader first discovered in early 2019.
loader gcleaner
Glupteba
Glupteba is a modular loader written in Golang with various components.
loader dropper glupteba

Glupteba payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4564-729-0x0000000000400000-0x0000000002F44000-memory.dmp	family_glupteba
behavioral2/memory/1076-737-0x0000000000400000-0x0000000002F44000-memory.dmp	family_glupteba
behavioral2/memory/4564-655-0x0000000004FA0000-0x000000000588B000-memory.dmp	family_glupteba

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4632-662-0x0000000000400000-0x0000000000450000-memory.dmp	family_redline

RisePro
RisePro stealer is an infostealer distributed by PrivateLoader.
stealer risepro
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Stealc
Stealc is an infostealer written in C++.
stealer stealc
Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat
Creates new service(s) 1 TTPs
persistence

Windows Service
T1543.003
Downloads MZ/PE file
Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-566096764-1992588923-1249862864-1000\Control Panel\International\Geo\Nation	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
C:\Users\Admin\Documents\GuardFox\KJQg1RyhxZ_tnRxbDRxyaWKs.exe	themida
C:\Users\Admin\Documents\GuardFox\p98sZFnW9t_hN5qtgBko6JxR.exe	themida
behavioral2/memory/3136-603-0x0000000000D20000-0x0000000001CF4000-memory.dmp	themida
behavioral2/memory/4936-670-0x0000000000C10000-0x0000000001BE9000-memory.dmp	themida
behavioral2/memory/4936-593-0x0000000000C10000-0x0000000001BE9000-memory.dmp	themida
behavioral2/memory/4936-518-0x0000000000C10000-0x0000000001BE9000-memory.dmp	themida
behavioral2/memory/3136-471-0x0000000000D20000-0x0000000001CF4000-memory.dmp	themida

VMProtect packed file 3 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
C:\Users\Admin\Documents\GuardFox\wLGv3wVncHUS2BhXvExbNoMh.exe	vmprotect
behavioral2/memory/2172-639-0x0000000000BC0000-0x00000000014B1000-memory.dmp	vmprotect
behavioral2/memory/2172-608-0x0000000000BC0000-0x00000000014B1000-memory.dmp	vmprotect

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

38 bitbucket.org
46 bitbucket.org
58 bitbucket.org
179 iplogger.org
180 iplogger.org
Looks up external IP address via web service 4 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

24 ipinfo.io
25 ipinfo.io
20 api.myip.com
21 api.myip.com

flow	ioc
38	bitbucket.org
46	bitbucket.org
58	bitbucket.org
179	iplogger.org
180	iplogger.org

flow	ioc
24	ipinfo.io
25	ipinfo.io
20	api.myip.com
21	api.myip.com

Drops file in System32 directory 4 IoCs

Processes:

6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe

description	ioc	process
File opened for modification	C:\Windows\System32\GroupPolicy	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
File opened for modification	C:\Windows\System32\GroupPolicy\GPT.INI	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

3720 sc.exe
2068 sc.exe
1704 sc.exe
3268 sc.exe

pid	process
3720	sc.exe
2068	sc.exe
1704	sc.exe
3268	sc.exe

Program crash 15 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
1984	2068	WerFault.exe	KnsG9hutnvYeYJSGyRRPqx8Z.exe
4328	3764	WerFault.exe
4296	64	WerFault.exe
4676	412	WerFault.exe
2376	412	WerFault.exe
2696	412	WerFault.exe
868	412	WerFault.exe
5040	412	WerFault.exe
2068	412	WerFault.exe
4324	412	WerFault.exe
4720	992	WerFault.exe
4772	412	WerFault.exe
2068	412	WerFault.exe
2644	4528	WerFault.exe	RegAsm.exe
1068	2372	WerFault.exe	9UuOvCJBbHO5rFf7r8ZtRqDX.exe

Creates scheduled task(s) 1 TTPs 4 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid process

1188 schtasks.exe
1560 schtasks.exe
1664 schtasks.exe
2024 schtasks.exe
Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

4540 taskkill.exe

pid	process
1188	schtasks.exe
1560	schtasks.exe
1664	schtasks.exe
2024	schtasks.exe

pid	process
4540	taskkill.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe

pid	process
2916	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
2916	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
2916	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
2916	6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe

C:\Users\Admin\AppData\Local\Temp\6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe
"C:\Users\Admin\AppData\Local\Temp\6be4950d9a919f5d0150d19552b340e9b5ef1959a18fd97b18778bf39e1a6421.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
PID:2916

C:\Users\Admin\Documents\GuardFox\jjjeJq40TDVXByUwXzZaQT9F.exe
"C:\Users\Admin\Documents\GuardFox\jjjeJq40TDVXByUwXzZaQT9F.exe"
2⤵
PID:636

C:\Users\Admin\Documents\GuardFox\p98sZFnW9t_hN5qtgBko6JxR.exe
"C:\Users\Admin\Documents\GuardFox\p98sZFnW9t_hN5qtgBko6JxR.exe"
2⤵
PID:3136

C:\Users\Admin\Documents\GuardFox\fY0r2SKq62D1oy3SChGfMbl4.exe
"C:\Users\Admin\Documents\GuardFox\fY0r2SKq62D1oy3SChGfMbl4.exe"
2⤵
PID:1760

C:\Users\Admin\AppData\Local\Temp\7zSCD6D.tmp\Install.exe
.\Install.exe
3⤵
PID:2000

C:\Users\Admin\AppData\Local\Temp\7zSD8C7.tmp\Install.exe
.\Install.exe /zqrIdidneCT "525403" /S
4⤵
PID:1564

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
5⤵
PID:4768

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
6⤵
PID:5060

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
7⤵
PID:3572

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
7⤵
PID:1716

C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
5⤵
PID:3160

C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
6⤵
PID:2212

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
7⤵
PID:3756

\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
7⤵
PID:2320

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gelrIZrgY" /SC once /ST 12:58:39 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
5⤵
- Creates scheduled task(s)
PID:1664

C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gelrIZrgY"
5⤵
PID:3004

C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gelrIZrgY"
5⤵
PID:3572

C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "btbwILgIDOMomJfKYB" /SC once /ST 13:40:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\dYCYYvmNvBRqgTGOH\lchhETiXYelTvPX\QgmYWpX.exe\" RD /tmsite_idHwD 525403 /S" /V1 /F
5⤵
- Creates scheduled task(s)
PID:2024

C:\Users\Admin\Documents\GuardFox\pDtomBi7PPinOnzdpXp7mqBo.exe
"C:\Users\Admin\Documents\GuardFox\pDtomBi7PPinOnzdpXp7mqBo.exe"
2⤵
PID:1108

C:\Users\Admin\Documents\GuardFox\KJQg1RyhxZ_tnRxbDRxyaWKs.exe
"C:\Users\Admin\Documents\GuardFox\KJQg1RyhxZ_tnRxbDRxyaWKs.exe"
2⤵
PID:4936

C:\Users\Admin\Documents\GuardFox\KnsG9hutnvYeYJSGyRRPqx8Z.exe
"C:\Users\Admin\Documents\GuardFox\KnsG9hutnvYeYJSGyRRPqx8Z.exe"
2⤵
PID:2068

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:3032

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 992 -s 2128
4⤵
- Program crash
PID:4720

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2068 -s 884
3⤵
- Program crash
PID:1984

C:\Users\Admin\Documents\GuardFox\mrz0SHRBX0i37pdwJy1nL3BT.exe
"C:\Users\Admin\Documents\GuardFox\mrz0SHRBX0i37pdwJy1nL3BT.exe"
2⤵
PID:4564

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:1864

C:\Users\Admin\Documents\GuardFox\mrz0SHRBX0i37pdwJy1nL3BT.exe
"C:\Users\Admin\Documents\GuardFox\mrz0SHRBX0i37pdwJy1nL3BT.exe"
3⤵
PID:1724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:596

C:\Users\Admin\Documents\GuardFox\oArGcz5nQWCtvAEjcoyCBx6u.exe
"C:\Users\Admin\Documents\GuardFox\oArGcz5nQWCtvAEjcoyCBx6u.exe"
2⤵
PID:2932

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
3⤵
PID:4876

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
3⤵
PID:1984

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
3⤵
PID:3448

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
3⤵
PID:5020

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe delete "OBGPQMHF"
3⤵
- Launches sc.exe
PID:3720

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe create "OBGPQMHF" binpath= "C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe" start= "auto"
3⤵
- Launches sc.exe
PID:2068

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe stop eventlog
3⤵
- Launches sc.exe
PID:3268

C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start "OBGPQMHF"
3⤵
- Launches sc.exe
PID:1704

C:\Users\Admin\Documents\GuardFox\u3wR8JHNIheCmuFPPakOYtdA.exe
"C:\Users\Admin\Documents\GuardFox\u3wR8JHNIheCmuFPPakOYtdA.exe"
2⤵
PID:412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 748
3⤵
- Program crash
PID:2696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 756
3⤵
- Program crash
PID:4676

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 772
3⤵
- Program crash
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 780
3⤵
- Program crash
PID:868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 960
3⤵
- Program crash
PID:5040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 980
3⤵
- Program crash
PID:2068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 1056
3⤵
- Program crash
PID:4324

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 1348
3⤵
- Program crash
PID:4772

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "u3wR8JHNIheCmuFPPakOYtdA.exe" /f & erase "C:\Users\Admin\Documents\GuardFox\u3wR8JHNIheCmuFPPakOYtdA.exe" & exit
3⤵
PID:4072

C:\Windows\SysWOW64\taskkill.exe
taskkill /im "u3wR8JHNIheCmuFPPakOYtdA.exe" /f
4⤵
- Kills process with taskkill
PID:4540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 412 -s 1368
3⤵
- Program crash
PID:2068

C:\Users\Admin\Documents\GuardFox\ZyVJhJm6AOmSdQFlmlN12fy1.exe
"C:\Users\Admin\Documents\GuardFox\ZyVJhJm6AOmSdQFlmlN12fy1.exe"
2⤵
PID:1076

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
3⤵
PID:5032

C:\Users\Admin\Documents\GuardFox\ZyVJhJm6AOmSdQFlmlN12fy1.exe
"C:\Users\Admin\Documents\GuardFox\ZyVJhJm6AOmSdQFlmlN12fy1.exe"
3⤵
PID:2276

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
4⤵
PID:2636

C:\Users\Admin\Documents\GuardFox\Ps6ehk391VWO5rVlo_Uzk84B.exe
"C:\Users\Admin\Documents\GuardFox\Ps6ehk391VWO5rVlo_Uzk84B.exe"
2⤵
PID:2552

C:\Users\Admin\AppData\Local\Temp\is-9UGLD.tmp\Ps6ehk391VWO5rVlo_Uzk84B.tmp
"C:\Users\Admin\AppData\Local\Temp\is-9UGLD.tmp\Ps6ehk391VWO5rVlo_Uzk84B.tmp" /SL5="$60226,1813257,54272,C:\Users\Admin\Documents\GuardFox\Ps6ehk391VWO5rVlo_Uzk84B.exe"
3⤵
PID:2204

C:\Users\Admin\AppData\Local\Website Screenshot Generator\wsgen.exe
"C:\Users\Admin\AppData\Local\Website Screenshot Generator\wsgen.exe" -i
4⤵
PID:4604

C:\Users\Admin\AppData\Local\Website Screenshot Generator\wsgen.exe
"C:\Users\Admin\AppData\Local\Website Screenshot Generator\wsgen.exe" -s
4⤵
PID:1392

C:\Users\Admin\Documents\GuardFox\BF_inL1DYVQ508_bdyfo9wHi.exe
"C:\Users\Admin\Documents\GuardFox\BF_inL1DYVQ508_bdyfo9wHi.exe"
2⤵
PID:4308

C:\Users\Admin\Documents\GuardFox\mg22CitY3m_9EhQH3cWVY3y7.exe
"C:\Users\Admin\Documents\GuardFox\mg22CitY3m_9EhQH3cWVY3y7.exe"
2⤵
PID:64

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4528 -s 2140
4⤵
- Program crash
PID:2644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 64 -s 792
3⤵
- Program crash
PID:4296

C:\Users\Admin\Documents\GuardFox\wLGv3wVncHUS2BhXvExbNoMh.exe
"C:\Users\Admin\Documents\GuardFox\wLGv3wVncHUS2BhXvExbNoMh.exe"
2⤵
PID:2172

C:\Users\Admin\Documents\GuardFox\jqiRdjb856_o5g884Vs3_Ky2.exe
"C:\Users\Admin\Documents\GuardFox\jqiRdjb856_o5g884Vs3_Ky2.exe"
2⤵
PID:964

C:\Users\Admin\Documents\GuardFox\pu1qXuL57jxrb3B7HtIXXdW_.exe
"C:\Users\Admin\Documents\GuardFox\pu1qXuL57jxrb3B7HtIXXdW_.exe"
2⤵
PID:3764

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
3⤵
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3764 -s 792
3⤵
- Program crash
PID:4328

C:\Users\Admin\Documents\GuardFox\4D7mB13iw0_ce5tbFmPyCDdB.exe
"C:\Users\Admin\Documents\GuardFox\4D7mB13iw0_ce5tbFmPyCDdB.exe"
2⤵
PID:1008

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP HR" /sc HOURLY /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:1188

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\WinTrackerSP\WinTrackerSP.exe" /tn "WinTrackerSP LG" /sc ONLOGON /rl HIGHEST
3⤵
- Creates scheduled task(s)
PID:1560

C:\Users\Admin\Documents\GuardFox\9UuOvCJBbHO5rFf7r8ZtRqDX.exe
"C:\Users\Admin\Documents\GuardFox\9UuOvCJBbHO5rFf7r8ZtRqDX.exe"
2⤵
PID:2372

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
3⤵
PID:1136

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2372 -s 1008
3⤵
- Program crash
PID:1068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
1⤵
PID:4980

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2068 -ip 2068
1⤵
PID:1668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 412 -ip 412
1⤵
PID:4876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3764 -ip 3764
1⤵
PID:3584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 64 -ip 64
1⤵
PID:1020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 412 -ip 412
1⤵
PID:3876

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 412 -ip 412
1⤵
PID:4740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 412 -ip 412
1⤵
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 412 -ip 412
1⤵
PID:2492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 412 -ip 412
1⤵
PID:3396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 500 -p 412 -ip 412
1⤵
PID:4328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 992 -ip 992
1⤵
PID:4524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 412 -ip 412
1⤵
PID:2072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 412 -ip 412
1⤵
PID:1256

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
1⤵
PID:5008

C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
1⤵
PID:2284

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 0
2⤵
PID:660

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 0
2⤵
PID:4708

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-ac 0
2⤵
PID:5080

C:\Windows\system32\powercfg.exe
C:\Windows\system32\powercfg.exe /x -standby-timeout-dc 0
2⤵
PID:4184

C:\Windows\system32\conhost.exe
C:\Windows\system32\conhost.exe
2⤵
PID:2696

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
PID:2176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 4528 -ip 4528
1⤵
PID:4644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2372 -ip 2372
1⤵
PID:4312

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Impair Defenses

T1562

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Web Service

T1102

Impact

Service Stop

T1489

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Are.docx
Filesize
11KB

MD5
a33e5b189842c5867f46566bdbf7a095

SHA1
e1c06359f6a76da90d19e8fd95e79c832edb3196

SHA256
5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454

SHA512
f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b

Download Submit
C:\ProgramData\mozglue.dll
Filesize
593KB

MD5
c8fd9be83bc728cc04beffafc2907fe9

SHA1
95ab9f701e0024cedfbd312bcfe4e726744c4f2e

SHA256
ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a

SHA512
fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

Download Submit
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
Filesize
4.8MB

MD5
27e2a47d4f0a7a7ab67aa79cb9512991

SHA1
45458b9be6eec7d56b8bfefa4926de549d87c52b

SHA256
e9c7cc177732fe093d5ebfb87572abaa8f01c1887d356734e9c9a7990de87a70

SHA512
21c541a005dcc3b06aa513b956f04129d15312ae02647f4bd343d1920b37848908e43b8d7bdad0da915ce39ed45a4f47a3e23e50293d3f992bd96ab21ed97db6

Download Submit
C:\ProgramData\ndfbaljqaqzm\dckuybanmlgp.exe
Filesize
4.4MB

MD5
a8a67857566fab937e8605309ce868fb

SHA1
da72e410f09f831f224575495ccaeee6b4a0016e

SHA256
1fb76d32f686e87a0d37d3fef1e0700a72b21fd6f2400846e35a6b33a64b5e53

SHA512
2c3f06ccf74c611b7ea8d3019bd3d59e2ca8cfe7133203074b9d7c06208db5f22b696182ba92410b04bb7aa2474bc93c3dddd782b237eb44035eabb3221a8f6f

Download Submit
C:\ProgramData\nss3.dll
Filesize
2.0MB

MD5
1cc453cdf74f31e4d913ff9c10acdde2

SHA1
6e85eae544d6e965f15fa5c39700fa7202f3aafe

SHA256
ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5

SHA512
dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K4KS10IH\76561199658817715[1].htm
Filesize
33KB

MD5
e366a9c3af7efb329df01029d497c6f4

SHA1
7042a7c91fb292d46775a0b63ef62690c246cd6a

SHA256
b638b6d45beb094a65220a83246e88606fb1218caca29c6eb66721c57c360cdf

SHA512
bcac7217f8952e272316e041d8b1a8601099a0ccf49813fb77371802e103c13133173b0ca2d06922089a399f378718acb74c301fc74a96161b056cd34bf3a34a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSCD6D.tmp\Install.exe
Filesize
6.4MB

MD5
0c094a05b7aa7cbbb58a396228794a0e

SHA1
687a6a3a810f573f8327765b48a24b390a3574cf

SHA256
ada3510b6dec2bd1abbbdca85511e90d7aee784ef77e5b4665c81f90b4c42650

SHA512
51542a27ad060e336a83cae8ffb530541f24db5fe6f7702354b7e708095a0d17e97f252db0708f3e0972d45e38e72b8138edc36aec4d38a8d7b862617250eff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD8C7.tmp\Install.exe
Filesize
1.1MB

MD5
1839d3086219294e4416827b0c6416ef

SHA1
75f044571b90a7716de226ea2a1b979fa0e1b9b8

SHA256
0a8efa3b92796d343a51e3a4fc60095bbc42fe6448ac2a4fab1e5089f0504be8

SHA512
6a4dd9de05a9555d9d377604fe7c3aa2519593802135abde478ef05a094a1f9ee7ce5255c8d00b1fe7fc56a2439f5b93e6e04c3b4bc9026d417ba51444fc5975

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zSD8C7.tmp\Install.exe
Filesize
6.5MB

MD5
4687316a4e2acfcfbec0a98a3d8cfcb0

SHA1
38b7cd8393936e22569750bf3a982ba57baf61fe

SHA256
079693ad7b2e2fb2cb2a3de1f99bf9ca1360a4b4d44f1e6fd3374622d39f37e1

SHA512
7dfdd3a609c633a21ad2507cd9badf27b24b3847540d48a8eac00e5c4112bebbd0f62667a4934769368ec647ddc1be767eecac035fbde262e0ac0f3ebed68e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
Filesize
742KB

MD5
544cd51a596619b78e9b54b70088307d

SHA1
4769ddd2dbc1dc44b758964ed0bd231b85880b65

SHA256
dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd

SHA512
f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tmp620C.tmp
Filesize
2KB

MD5
1420d30f964eac2c85b2ccfe968eebce

SHA1
bdf9a6876578a3e38079c4f8cf5d6c79687ad750

SHA256
f3327793e3fd1f3f9a93f58d033ed89ce832443e2695beca9f2b04adba049ed9

SHA512
6fcb6ce148e1e246d6805502d4914595957061946751656567a5013d96033dd1769a22a87c45821e7542cde533450e41182cee898cd2ccf911c91bc4822371a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2i4q21pd.524.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9UGLD.tmp\Ps6ehk391VWO5rVlo_Uzk84B.tmp
Filesize
680KB

MD5
64e7c305eb8a49523431d8e2e22075ef

SHA1
3dae34858bff591623afc780afae221949ffbc35

SHA256
51b4b1463a5416a9995e22bdeaf43253e2136a541ab6410440c839d76c294a11

SHA512
6c696a3acef9ed421713ce3c002be619c4079d7e2eb22277ee57354faee1880039a645c5a5b574896ee6cd1746bda995101895574b252dadf7e3a50209740102

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-P719M.tmp\_isetup\_iscrypt.dll
Filesize
2KB

MD5
a69559718ab506675e907fe49deb71e9

SHA1
bc8f404ffdb1960b50c12ff9413c893b56f2e36f

SHA256
2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc

SHA512
e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Download Submit
C:\Users\Admin\AppData\Local\Website Screenshot Generator\wsgen.exe
Filesize
1.9MB

MD5
df8008bee0e492671fa157c1a585db65

SHA1
ba83bb5364c41dafcd34a238dafe485645509a28

SHA256
c8234bb4a63aae87ab9589af098da2fd094998cc6bd0a710e98055f72a920120

SHA512
73ff81c18c8fc2620e7e3000711cf46668a6537f5c11a8596769c5ae2452d83d83604aaaaf6bc66a49446334d7f7457dbf68f2a0e5383634328750d185eae39c

Download Submit
C:\Users\Admin\Documents\GuardFox\4D7mB13iw0_ce5tbFmPyCDdB.exe
Filesize
6.3MB

MD5
50ec910a3831fc70fd3b70d14ba0ad50

SHA1
addd46bfdeb72116d124b40fd4d9f2f3e2e346c1

SHA256
c6dfdbcf044a0657b08cc4c87249186be20e13ea41ad937c589020eebef9178b

SHA512
a0df5bb9f18e6635ef044b000e52b79f6eb02990a87738fe10cfc6bd434a639ff3d57921c06fee5059e93ff2c1d3fd936615b77968d50b18c28c705671e27d9f

Download Submit
C:\Users\Admin\Documents\GuardFox\4D7mB13iw0_ce5tbFmPyCDdB.exe
Filesize
6.3MB

MD5
c4602c700a3796e72933abd123eac296

SHA1
7921c32fb0ab96cf615787e75078708e78e01b9d

SHA256
c1539ba94c7dbafa391aa83f94a2b9a536097c8c8d6f1c522a93156941ce4c86

SHA512
73f02cb9ed902e1e226e86bd57289674a2409eca548d1d3214ec1a41042a124a866c36aa388fe20363203b36ecbcc9854575c12786951f90a1511e9a57e02d26

Download Submit
C:\Users\Admin\Documents\GuardFox\9UuOvCJBbHO5rFf7r8ZtRqDX.exe
Filesize
6.5MB

MD5
110bfe0779774743e145c3e36a7d2bd2

SHA1
8dbbd992ff2d6bc2d414b86f65ea58883d6e5f7f

SHA256
0adea3cf3cf92094c9f1f4f5ca5e3f2cd2cce310a2894419ec922cc6420f41f5

SHA512
c1b60152b0f307495fe76edbf4dbfd4d744f24d0c816e03e52bbd6010f3e13ff37917d06b644e4041fcb017bcaf46a120c34b6710661f31abe91aadf47342da6

Download Submit
C:\Users\Admin\Documents\GuardFox\9UuOvCJBbHO5rFf7r8ZtRqDX.exe
Filesize
6.5MB

MD5
682e25cf5897e24f3a31f21741fb0f11

SHA1
d9b228b9b20f3397514d3f12b67ad42e166cab39

SHA256
9978122d8b90575e7bfeb09cba339e5c6336d852724a37dc2b4d4de6813696d1

SHA512
1313b05abe9c79863856eabdc60a228ad320d8e4928758c072b33b1735418b309489d05c70b9e86a08280efa4f9a0af8f9ebf307630392a3088fdb97c15efe98

Download Submit
C:\Users\Admin\Documents\GuardFox\BF_inL1DYVQ508_bdyfo9wHi.exe
Filesize
220KB

MD5
a2d4aaba12122327336e3b5a23855d27

SHA1
a868e2f7b6c7318a4338a3fae18e6877216115d8

SHA256
e757d92507147f6b109e27567e35e3b3273d38a5625f5df07663d4a7112fab5a

SHA512
26606e40db3f248acb639d271e47b999e2960b29b15aacd7cc2ffff1018cc4802a416a3e49ec5d9b639c35d1485d1a3e2a990b9fffde5fa68ea7909c6fcdc078

Download Submit
C:\Users\Admin\Documents\GuardFox\KJQg1RyhxZ_tnRxbDRxyaWKs.exe
Filesize
5.9MB

MD5
bf0137e15637ddd2eefc0922092ba059

SHA1
e267abe1428aa6906e7f78dd4e2ba27ba2c5094d

SHA256
007b625dbf26d9e0c83eabe4a77317bf7aacb1aebd26799b494308ef28a6fab8

SHA512
f5809b5b591024176076a15086929e0ffa56f74a7208b4a85a9c45ec5a4bc29e5acc0984d231a38562cac83c5a764eaa2f215aecdd3105d3ed2ca5400e9332b8

Download Submit
C:\Users\Admin\Documents\GuardFox\KnsG9hutnvYeYJSGyRRPqx8Z.exe
Filesize
234KB

MD5
a17efa3f07ace71dea8c084c1a502f36

SHA1
08c0d817dfef6c1ce36dc1c20390f5c8f7ebee07

SHA256
59d959aea023ad0840ab3694261ba36c4590f65f07ad5e500e791c64a3455142

SHA512
9e2e6d458fbb66af052635fde8a017cdb0a9bce5d839cb8b8deae79a63544ee3b2a5c87bb352c9a5c2079c63a9e450e712345629244c30e28d3d3625518c2681

Download Submit
C:\Users\Admin\Documents\GuardFox\Ps6ehk391VWO5rVlo_Uzk84B.exe
Filesize
2.1MB

MD5
6d3f16a2c065e31856d34a17955a7e70

SHA1
61e551ca329140d7bc95ddb2bca366e37fba8243

SHA256
5df8ed22a815496bd2013871e6188103d34365cedc9207fb42888ea5bda98d3b

SHA512
2e2ca5555eeafea789da6220121c818d1eed74525921910148dfb440c535b40439c95b69f5cb3eca1a0a16999ee35e4dd1dd7847de2c179eced15056dcf36d3c

Download Submit
C:\Users\Admin\Documents\GuardFox\ZyVJhJm6AOmSdQFlmlN12fy1.exe
Filesize
4.1MB

MD5
20ede07f69f48d9327cf32f0ec5fd61f

SHA1
1c28ed1f312d8ff3ce92bc96c5ee0968dabfbe4f

SHA256
83cfe3205749b1989c53bda7c6410cfeb9c8194eb9e9f3a0d5eb6e99973258f2

SHA512
6bd2863a8d55fff03313407007fcc6753279b66dea883035ba4909220377aacc0c34dfbd566b85ec73ff99e5b3efd724f4fa9182fa7078fa0577de370cb6adec

Download Submit
C:\Users\Admin\Documents\GuardFox\fY0r2SKq62D1oy3SChGfMbl4.exe
Filesize
7.5MB

MD5
300a72697a1c9bd5031024f62a793c6b

SHA1
958fdfd8d3c768e8078c9eaaa4646434c1681f39

SHA256
c0f0757cddb79a690691bf69bd79eab8e5e26de5a829c295f00ac599ebbd4f89

SHA512
759aa31ae6c2f5844610778a3bc7e7f745d49c7763619e8fa8022c1af55de0a7c32f342222fd390ed582483eaa4f10c060ea3f0d7b7ff396742f232335015eb4

Download Submit
C:\Users\Admin\Documents\GuardFox\jjjeJq40TDVXByUwXzZaQT9F.exe
Filesize
230KB

MD5
782b1e629bf1856518d1ab568516307d

SHA1
abdd5742b47c895922c9cb0f02948f236d04b3c6

SHA256
7f41c072abf407bb0cf67b467036a8fad9fce9c7efa0d49a72d7519bf7ee523e

SHA512
1e1c0b696a67d6fab314534b7d5798e2c66d790af7e4c6a7054f2871c728d0cb24f82ec55da1890d6f50b42f050f4042b480b9e51b9b247fbe37fd6a7b32dd8b

Download Submit
C:\Users\Admin\Documents\GuardFox\jqiRdjb856_o5g884Vs3_Ky2.exe
Filesize
1.0MB

MD5
a4702dad93dc851947aa6bd7b9652c46

SHA1
99f23b3077fa0f57c3c0cb95341adf38fdeb6142

SHA256
2cd378dd3e9c3ddb6196c7c8a9dc1c88ecf74b2371f1394bd01ff37857a8c7d5

SHA512
9a436fd6a9a9fd447dee0a61fc485a5369db0349faefac2e5071295a31941c39db3a39529672213178f79f391df0e6fb64e73cee70641e5ab8e8a6d322f8da80

Download Submit
C:\Users\Admin\Documents\GuardFox\jqiRdjb856_o5g884Vs3_Ky2.exe
Filesize
1.0MB

MD5
a86a4d0ccd7cb368cd15c30889ab88da

SHA1
d3eec60e00a7b13950e050bf6d2679a59229dd3b

SHA256
3b5c449f0c63c521f5509aa64be2f11eab2d08be5a17671acf3dae24d252273f

SHA512
7d3bae35ade11a167b04d0cdd001a95e6541a6e03a06a03ed1bee8ec1d80c4c2e5ffce35d31312806c70afb8ecd073b924f023fb1fcaa56e4c8c609fd61f133b

Download Submit
C:\Users\Admin\Documents\GuardFox\mg22CitY3m_9EhQH3cWVY3y7.exe
Filesize
244KB

MD5
2caa34244dd6726f37dbccc7fe9b59fd

SHA1
0ec728e4614ae0f3ae5db4ed255a1a344d654659

SHA256
5bde316bb02a4d1c0e5530093c04f48e6bb862a828f154b5ad2a19c3a032937d

SHA512
2a471bf75e21b6637839626f25668e03fd60c7bdd2f11b838c3842999e6b615a26c6bd1bcf3ecdcdae37a6ce11a046e7590194c8fdc40aef2ab44854238669b2

Download Submit
C:\Users\Admin\Documents\GuardFox\mrz0SHRBX0i37pdwJy1nL3BT.exe
Filesize
4.1MB

MD5
d67fef3f5f73e674cc45f03cc6ef6fe7

SHA1
bdfe108dc57311976217d435ede27e77d9a2b3c3

SHA256
a3b99681771a50eaa1a56a324ca149244c85b453e5742adf527a7eedcc1f6997

SHA512
63fc4bf2b7552dce21e19bbe548370f554337473d861a5ac290b8dcb5fe459e7316d26fde476510622f32a7193ee83c05b17b78ae4124e39da4608ba5f769c44

Download Submit
C:\Users\Admin\Documents\GuardFox\oArGcz5nQWCtvAEjcoyCBx6u.exe
Filesize
10.7MB

MD5
b091c4848287be6601d720997394d453

SHA1
9180e34175e1f4644d5fa63227d665b2be15c75b

SHA256
d0b06ca6ece3fef6671fa8acd3d560a9400891abcd10f5cedcfe7bd1e6050dfe

SHA512
a3b3663fd343389aee2cbf76f426401d436992b2b56cea3b60e9c2e385510fa874fa45b2ac75703074f0303934c4223eaee1983851374a2e753fd0302042cc5a

Download Submit
C:\Users\Admin\Documents\GuardFox\oArGcz5nQWCtvAEjcoyCBx6u.exe
Filesize
8.3MB

MD5
c100c2c6619559d995f4a9f0e7038be8

SHA1
5b4bd99cd2b46d7ce54316244c0a439f05b93b73

SHA256
920b628ce745128702b3830681835ce928a5fc0971eb76bec0fa60b371306c18

SHA512
c3c6e565643a4d7757ab4029765d5d8b2a09391e1b4718f40859ddbfc12c6bb429992e0f4e4d8f10f5c7dc4c4224b84025408a10d8f7985ae7cc1bf9006ed8db

Download Submit
C:\Users\Admin\Documents\GuardFox\oArGcz5nQWCtvAEjcoyCBx6u.exe
Filesize
7.1MB

MD5
5a160066bc99b7b8f22ba60f2725926c

SHA1
28b17c59ef53731a8727ec15e8312a69b31568dc

SHA256
f5f31a6ecd3744ac6373e4e8e8bd58ca9d1af0fb84924afab4a98de6108bcbaa

SHA512
613815a71851ce5ba51a104fc8ceac08c71d9edb87ce93e4c2a9561a419faadc139afdac46381355c57780f59dd100ccb78c73fdb8580dbb814085df9b8a742a

Download Submit
C:\Users\Admin\Documents\GuardFox\p98sZFnW9t_hN5qtgBko6JxR.exe
Filesize
5.9MB

MD5
1f3e864a338535e78391706a36779415

SHA1
611c1fdc38ff4032c7912b2cba74f8608b2e9082

SHA256
68e5335ef6066297ae018a6ed5071c38659d8edad80f79099a17f6fb7b2f07d4

SHA512
0501367c18c49a2cec82d7225be192f997f262192253eb6483f2a5a15f9f8dc083951afa6eb302abbcdc9b36efbebfcaaa353fe1d189420c8d20f7f70060cfc1

Download Submit
C:\Users\Admin\Documents\GuardFox\pDtomBi7PPinOnzdpXp7mqBo.exe
Filesize
871KB

MD5
324b6dc1d74d0fa83010c59562203b31

SHA1
21715af633e6f90984af3a8b6fd58bd86758840d

SHA256
a8cc7d8092e02077f21bf65badf8871748630912e3738a2410ff5cd18ead2fbb

SHA512
5ecb30f6f3312463b5d32ea5a8aa1f9426c265cc85616651ffcc22cdcd54eac66a97928f33a4602f191f9a03d294ce9f6289311d95bccccb5aeb7aafe9fb798c

Download Submit
C:\Users\Admin\Documents\GuardFox\pu1qXuL57jxrb3B7HtIXXdW_.exe
Filesize
342KB

MD5
c813ab1235cc9880b05c865da8f0ebae

SHA1
8cde3afb841711bb299066d8e8d1ff750de5de41

SHA256
f73a31c7e19e74128d45775a82f8df09150bcaef5bf3c98e2c29a2b90c275a67

SHA512
b3ab59bc5656580bc116905f69e34c8f2ad8424082074e5d69083f77521f2f6a44b1e8100a41e4b9cf1843a012911287b4a766f9de8d2d4ea12912af2babfcfc

Download Submit
C:\Users\Admin\Documents\GuardFox\u3wR8JHNIheCmuFPPakOYtdA.exe
Filesize
285KB

MD5
633dafb32efe66f46f40334bd0d3d754

SHA1
f371fdfd054929e950531de9d539ed5d4a775c03

SHA256
7745d456bd3d7ddabe2170d182acde6dd5d918dc14aeee9b27ab3c7ec008ad7b

SHA512
8209cba2b03f842f31c1dcd0a3a88c9cc7c65055531166fc39b51c76c5896a6f17f1aab02817309bf3ef47139cd5fa909d2adcd52b107734145fc99456f9f0a3

Download Submit
C:\Users\Admin\Documents\GuardFox\wLGv3wVncHUS2BhXvExbNoMh.exe
Filesize
5.5MB

MD5
6a3b7e59a93a69b0cd778bfa367fdd6a

SHA1
61452b8d0d1a89b879dc0df14d23e544a400f709

SHA256
035707071519591d3e0346ce245cdd9fc9cb324039ef40a22bd869c57ba87fa6

SHA512
25439948fa9a481de9a01c3b9b76e4e5c3cb5455302794c0b3183e0627663339486c69b9d7f9955c6629da76e0cbed815236ec03a9a6e392d796f9166530dd48

Download Submit
C:\Users\Admin\Documents\GuardFox\wLGv3wVncHUS2BhXvExbNoMh.exe
Filesize
5.5MB

MD5
416b9a727ad53c9a2194806a008a0b56

SHA1
a7aa54462d33c564d3a0c2b544b36360f7433143

SHA256
a497c7203a2819ee19f5e60af591ffaecd4c8e0d4b897f67fba9c3aa3df250fd

SHA512
63b93650bcc34d44957a07a72d39fba36ee74a5616aea0bdbc4456606276e1357fa224ef18f32289a51b892a7527d3e738c8f7985bf48ddb288cad2d96bcdb66

Download Submit
C:\Users\Public\Desktop\Google Chrome.lnk
Filesize
2KB

MD5
f73bded273c551901d94aabacad693f6

SHA1
ba45a4d8a79bbdedb38c2b3a47eaf42b6d03f2e6

SHA256
b8a998ea770aa4f66bd638e8378f7fbf31ba5e2a503bd23b279eeee8baf4ae63

SHA512
d8571aae96050e6df10f71ca2580627b7a7a548f41aa665bc0aca5c945440a0299a6ed23694eba9f17f1bf771851144afdb5d137c03ea3b59a61273d93976a3b

Download Submit
C:\Users\Public\Desktop\Microsoft Edge.lnk
Filesize
2KB

MD5
c75ff6972ad7aee1c2a12838f83a9b17

SHA1
61e1012e239c13efb82ede15f07657fec59563f9

SHA256
29b9b7b848aaea113183e1dbd9e06cf0542cea61c93260a4979fc62bfe27fa1e

SHA512
da88addcd943cf47a78f6edd970517380664eccda9a117a0d9d37e658d554770fab2482ad83bc620b92a51b80a2cc5637082e1a13e3435742db636d76b29bb38

Download Submit
C:\Windows\system32\GroupPolicy\gpt.ini
Filesize
268B

MD5
a62ce44a33f1c05fc2d340ea0ca118a4

SHA1
1f03eb4716015528f3de7f7674532c1345b2717d

SHA256
9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a

SHA512
9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

Download Submit
memory/64-629-0x00000000003B0000-0x00000000003EE000-memory.dmp

Filesize
248KB

Download
memory/64-720-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/412-724-0x0000000002CE0000-0x0000000002D0D000-memory.dmp

Filesize
180KB

Download
memory/412-725-0x0000000000400000-0x0000000002B71000-memory.dmp

Filesize
39.4MB

Download
memory/412-723-0x0000000002D40000-0x0000000002E40000-memory.dmp

Filesize
1024KB

Download
memory/636-713-0x0000000000400000-0x0000000002B62000-memory.dmp

Filesize
39.4MB

Download
memory/636-707-0x0000000002BA0000-0x0000000002BAB000-memory.dmp

Filesize
44KB

Download
memory/636-658-0x0000000000400000-0x0000000002B62000-memory.dmp

Filesize
39.4MB

Download
memory/636-704-0x0000000002BE9000-0x0000000002BF7000-memory.dmp

Filesize
56KB

Download
memory/964-532-0x0000000000810000-0x00000000008B1000-memory.dmp

Filesize
644KB

Download
memory/992-624-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/992-636-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/992-612-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/1008-661-0x0000000001150000-0x0000000001151000-memory.dmp

Filesize
4KB

Download
memory/1008-669-0x0000000001450000-0x0000000001451000-memory.dmp

Filesize
4KB

Download
memory/1008-656-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/1008-651-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/1008-663-0x0000000001440000-0x0000000001441000-memory.dmp

Filesize
4KB

Download
memory/1008-659-0x0000000001140000-0x0000000001141000-memory.dmp

Filesize
4KB

Download
memory/1008-738-0x00000000005C0000-0x0000000001119000-memory.dmp

Filesize
11.3MB

Download
memory/1008-671-0x00000000005C0000-0x0000000001119000-memory.dmp

Filesize
11.3MB

Download
memory/1008-647-0x0000000000590000-0x0000000000591000-memory.dmp

Filesize
4KB

Download
memory/1076-737-0x0000000000400000-0x0000000002F44000-memory.dmp

Filesize
43.3MB

Download
memory/1076-646-0x0000000004C60000-0x0000000005067000-memory.dmp

Filesize
4.0MB

Download
memory/1108-489-0x0000000002640000-0x000000000278F000-memory.dmp

Filesize
1.3MB

Download
memory/1108-487-0x0000000002580000-0x0000000002631000-memory.dmp

Filesize
708KB

Download
memory/1108-495-0x0000000000400000-0x00000000008F8000-memory.dmp

Filesize
5.0MB

Download
memory/1392-745-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/1564-635-0x0000000010000000-0x00000000105E0000-memory.dmp

Filesize
5.9MB

Download
memory/2068-631-0x0000000002BA0000-0x0000000004BA0000-memory.dmp

Filesize
32.0MB

Download
memory/2068-556-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/2068-520-0x0000000000930000-0x000000000096C000-memory.dmp

Filesize
240KB

Download
memory/2068-711-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/2172-608-0x0000000000BC0000-0x00000000014B1000-memory.dmp

Filesize
8.9MB

Download
memory/2172-744-0x0000000001850000-0x0000000001851000-memory.dmp

Filesize
4KB

Download
memory/2172-734-0x0000000001850000-0x0000000001851000-memory.dmp

Filesize
4KB

Download
memory/2172-733-0x0000000000BB0000-0x0000000000BB1000-memory.dmp

Filesize
4KB

Download
memory/2172-639-0x0000000000BC0000-0x00000000014B1000-memory.dmp

Filesize
8.9MB

Download
memory/2172-726-0x0000000000400000-0x0000000002B71000-memory.dmp

Filesize
39.4MB

Download
memory/2172-602-0x0000000000BA0000-0x0000000000BA1000-memory.dmp

Filesize
4KB

Download
memory/2204-596-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/2372-597-0x0000000000600000-0x0000000000C90000-memory.dmp

Filesize
6.6MB

Download
memory/2372-604-0x0000000005540000-0x00000000055DC000-memory.dmp

Filesize
624KB

Download
memory/2372-752-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/2552-486-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2552-536-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2916-605-0x00007FF640800000-0x00007FF6410A3000-memory.dmp

Filesize
8.6MB

Download
memory/2916-1-0x00007FF640800000-0x00007FF6410A3000-memory.dmp

Filesize
8.6MB

Download
memory/2916-139-0x00007FF640800000-0x00007FF6410A3000-memory.dmp

Filesize
8.6MB

Download
memory/2916-2-0x00007FF640800000-0x00007FF6410A3000-memory.dmp

Filesize
8.6MB

Download
memory/2916-0-0x00007FFD94AD0000-0x00007FFD94AD2000-memory.dmp

Filesize
8KB

Download
memory/2932-633-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2932-727-0x0000000140000000-0x0000000141A14000-memory.dmp

Filesize
26.1MB

Download
memory/2932-625-0x00007FFD94AD0000-0x00007FFD94AD2000-memory.dmp

Filesize
8KB

Download
memory/3136-595-0x0000000000A70000-0x0000000000A71000-memory.dmp

Filesize
4KB

Download
memory/3136-613-0x0000000000CD0000-0x0000000000CD1000-memory.dmp

Filesize
4KB

Download
memory/3136-748-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

Filesize
960KB

Download
memory/3136-601-0x0000000000CB0000-0x0000000000CB1000-memory.dmp

Filesize
4KB

Download
memory/3136-603-0x0000000000D20000-0x0000000001CF4000-memory.dmp

Filesize
15.8MB

Download
memory/3136-471-0x0000000000D20000-0x0000000001CF4000-memory.dmp

Filesize
15.8MB

Download
memory/3136-600-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download
memory/3136-607-0x0000000000CC0000-0x0000000000CC1000-memory.dmp

Filesize
4KB

Download
memory/3136-749-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

Filesize
960KB

Download
memory/3136-750-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

Filesize
960KB

Download
memory/3136-619-0x0000000000CE0000-0x0000000000CE1000-memory.dmp

Filesize
4KB

Download
memory/3764-718-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/3764-628-0x0000000000DC0000-0x0000000000E16000-memory.dmp

Filesize
344KB

Download
memory/4308-731-0x0000000004660000-0x0000000004687000-memory.dmp

Filesize
156KB

Download
memory/4308-732-0x0000000000400000-0x0000000002B61000-memory.dmp

Filesize
39.4MB

Download
memory/4308-730-0x0000000002DC0000-0x0000000002EC0000-memory.dmp

Filesize
1024KB

Download
memory/4528-672-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4528-664-0x0000000000400000-0x0000000000648000-memory.dmp

Filesize
2.3MB

Download
memory/4564-729-0x0000000000400000-0x0000000002F44000-memory.dmp

Filesize
43.3MB

Download
memory/4564-655-0x0000000004FA0000-0x000000000588B000-memory.dmp

Filesize
8.9MB

Download
memory/4564-642-0x0000000004BA0000-0x0000000004F9F000-memory.dmp

Filesize
4.0MB

Download
memory/4604-630-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/4604-611-0x0000000000400000-0x00000000005F0000-memory.dmp

Filesize
1.9MB

Download
memory/4632-751-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/4632-676-0x0000000005560000-0x0000000005B04000-memory.dmp

Filesize
5.6MB

Download
memory/4632-703-0x00000000052E0000-0x000000000531C000-memory.dmp

Filesize
240KB

Download
memory/4632-746-0x0000000074600000-0x0000000074DB0000-memory.dmp

Filesize
7.7MB

Download
memory/4632-705-0x0000000005460000-0x00000000054AC000-memory.dmp

Filesize
304KB

Download
memory/4632-662-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/4632-696-0x0000000005280000-0x0000000005292000-memory.dmp

Filesize
72KB

Download
memory/4632-695-0x0000000005350000-0x000000000545A000-memory.dmp

Filesize
1.0MB

Download
memory/4632-692-0x0000000006130000-0x0000000006748000-memory.dmp

Filesize
6.1MB

Download
memory/4632-684-0x0000000005020000-0x000000000502A000-memory.dmp

Filesize
40KB

Download
memory/4632-680-0x0000000005050000-0x00000000050E2000-memory.dmp

Filesize
584KB

Download
memory/4936-741-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

Filesize
960KB

Download
memory/4936-573-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/4936-594-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/4936-740-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

Filesize
960KB

Download
memory/4936-747-0x0000000077754000-0x0000000077756000-memory.dmp

Filesize
8KB

Download
memory/4936-739-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

Filesize
960KB

Download
memory/4936-518-0x0000000000C10000-0x0000000001BE9000-memory.dmp

Filesize
15.8MB

Download
memory/4936-670-0x0000000000C10000-0x0000000001BE9000-memory.dmp

Filesize
15.8MB

Download
memory/4936-555-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/4936-543-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/4936-593-0x0000000000C10000-0x0000000001BE9000-memory.dmp

Filesize
15.8MB

Download
memory/4936-742-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

Filesize
960KB

Download
memory/4936-743-0x0000000076DB0000-0x0000000076EA0000-memory.dmp

Filesize
960KB

Download
memory/4936-559-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/4936-592-0x0000000000A80000-0x0000000000A81000-memory.dmp

Filesize
4KB

Download