e42260ec10ff5fbb54a7cd2e1f236b5658826bb1f2139fd5b0cafffe9423941e

Analysis

max time kernel
149s
max time network
124s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
15/10/2023, 19:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f9a54e53247feac3ffc37e48ca67f300_exe32.exe
Size

8.8MB
MD5

f9a54e53247feac3ffc37e48ca67f300
SHA1

348ee9568deec8cb5f30bedd38e2ff170ba0073d
SHA256

e42260ec10ff5fbb54a7cd2e1f236b5658826bb1f2139fd5b0cafffe9423941e
SHA512

e834e85512f188e07524238e3d7747f24d3f8dd0b2697c917fdd079051fec98bb2645f2dd0623cd03ba74b83386e411554090ae3ef592ec11352f19c1d8b5728
SSDEEP

196608:5SGyUYmlrVndt5dAZ1/lYbrHVTZ9rUqlcBhf:oGyKlx/5uZRlYbrHV3jlcBhf

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File created	C:\Windows\system32\drivers\is-A6HQT.tmp	SetupTmp.tmp

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\ItlsHKOT\ImagePath = "\\??\\C:\\Windows\\SysWOW64\\ItlsHKOT64.sys"	DrvOTInj64.Exe

Executes dropped EXE 10 IoCs

pid	Process
240	SetupTmp.exe
1816	SetupTmp.tmp
2392	instdrvOT.Exe
1800	CPManager.exe
2212	CPManager.exe
2560	instdrvOT.exe
2692	MgOT64.exe
2580	ClipLDR64.exe
2704	MyGuardTray.exe
1980	DrvOTInj64.Exe

Loads dropped DLL 36 IoCs

pid	Process
1732	f9a54e53247feac3ffc37e48ca67f300_exe32.exe
1732	f9a54e53247feac3ffc37e48ca67f300_exe32.exe
1732	f9a54e53247feac3ffc37e48ca67f300_exe32.exe
240	SetupTmp.exe
1816	SetupTmp.tmp
1816	SetupTmp.tmp
1816	SetupTmp.tmp
2392	instdrvOT.Exe
2392	instdrvOT.Exe
2392	instdrvOT.Exe
1816	SetupTmp.tmp
1816	SetupTmp.tmp
1816	SetupTmp.tmp
1800	CPManager.exe
1800	CPManager.exe
1800	CPManager.exe
2212	CPManager.exe
2212	CPManager.exe
2212	CPManager.exe
1800	CPManager.exe
2560	instdrvOT.exe
2560	instdrvOT.exe
2560	instdrvOT.exe
1800	CPManager.exe
2692	MgOT64.exe
1800	CPManager.exe
1800	CPManager.exe
1800	CPManager.exe
1800	CPManager.exe
1800	CPManager.exe
1800	CPManager.exe
1980	DrvOTInj64.Exe
2692	MgOT64.exe
1800	CPManager.exe
1800	CPManager.exe
1800	CPManager.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 50 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\is-JV2U9.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-VGQ3L.tmp	SetupTmp.tmp
File created	C:\Windows\system32\is-69MM9.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-NLU0A.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-I5C62.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-PM74K.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-A7MC3.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-45UI0.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-U66JK.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-DG4RA.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-P4ER7.tmp	SetupTmp.tmp
File created	C:\Windows\system32\is-07SFK.tmp	SetupTmp.tmp
File created	C:\Windows\system32\is-VJCJT.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-A2MK8.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-E6DQB.tmp	SetupTmp.tmp
File created	C:\Windows\system32\is-0DEA4.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-UREE1.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-CFLV2.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-U0992.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-GTC8N.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-SPD41.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-CNB7M.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-9R2UO.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-1BN9V.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-FMEMN.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-75MEQ.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-C9I43.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-B7B73.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-MUFR8.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-4RDEO.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-E05MF.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-29EFI.tmp	SetupTmp.tmp
File created	C:\Windows\system32\is-M1064.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-DR2AP.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-M16C6.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-1TQAC.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-NDCCD.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-LNF0I.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-G1L16.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-LKKG6.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-9GOC4.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-U0NMK.tmp	SetupTmp.tmp
File created	C:\Windows\system32\is-ADV8H.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-3S4O4.tmp	SetupTmp.tmp
File created	C:\Windows\system32\is-7PFH9.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-53IL1.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-1GR3E.tmp	SetupTmp.tmp
File created	C:\Windows\system32\is-71PD8.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-QSSPT.tmp	SetupTmp.tmp
File created	C:\Windows\SysWOW64\is-E8SU5.tmp	SetupTmp.tmp

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\CryptorPlus\unins000.dat	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\is-2F7AQ.tmp	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\is-1EOG1.tmp	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\is-43CPL.tmp	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\is-550C6.tmp	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\is-Q9816.tmp	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\is-LBJ3C.tmp	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\unins000.dat	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\is-KU9TS.tmp	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\is-2FOBQ.tmp	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\is-KUO1A.tmp	SetupTmp.tmp
File created	C:\Program Files (x86)\CryptorPlus\is-GRO50.tmp	SetupTmp.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cpdfile	SetupTmp.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cpdfile\shell	SetupTmp.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cpdfile\shell\cpdopen	SetupTmp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\cpdfile\shell\cpdopen\command\ = "C:\\Program Files (x86)\\CryptorPlus\\CPManager.exe %1"	SetupTmp.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.cpd	SetupTmp.tmp
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cpd\ = "cpdfile"	SetupTmp.tmp
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\cpdfile\shell\cpdopen\command	SetupTmp.tmp

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	f9a54e53247feac3ffc37e48ca67f300_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	f9a54e53247feac3ffc37e48ca67f300_exe32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	f9a54e53247feac3ffc37e48ca67f300_exe32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	f9a54e53247feac3ffc37e48ca67f300_exe32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	f9a54e53247feac3ffc37e48ca67f300_exe32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	f9a54e53247feac3ffc37e48ca67f300_exe32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	f9a54e53247feac3ffc37e48ca67f300_exe32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	f9a54e53247feac3ffc37e48ca67f300_exe32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1800	CPManager.exe
1800	CPManager.exe
1800	CPManager.exe
1800	CPManager.exe
1800	CPManager.exe
1800	CPManager.exe

Suspicious behavior: LoadsDriver 3 IoCs

pid	Process
464	Process not Found
464	Process not Found
1980	DrvOTInj64.Exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeSecurityPrivilege	2392	instdrvOT.Exe
Token: SeSecurityPrivilege	2560	instdrvOT.exe
Token: SeDebugPrivilege	1800	CPManager.exe
Token: SeIncreaseQuotaPrivilege	1980	DrvOTInj64.Exe
Token: SeSecurityPrivilege	1980	DrvOTInj64.Exe
Token: SeLoadDriverPrivilege	1980	DrvOTInj64.Exe
Token: SeSystemProfilePrivilege	1980	DrvOTInj64.Exe
Token: SeSystemtimePrivilege	1980	DrvOTInj64.Exe
Token: SeProfSingleProcessPrivilege	1980	DrvOTInj64.Exe
Token: SeIncBasePriorityPrivilege	1980	DrvOTInj64.Exe
Token: SeCreatePagefilePrivilege	1980	DrvOTInj64.Exe
Token: SeShutdownPrivilege	1980	DrvOTInj64.Exe
Token: SeDebugPrivilege	1980	DrvOTInj64.Exe
Token: SeSystemEnvironmentPrivilege	1980	DrvOTInj64.Exe
Token: SeRemoteShutdownPrivilege	1980	DrvOTInj64.Exe
Token: SeUndockPrivilege	1980	DrvOTInj64.Exe
Token: SeManageVolumePrivilege	1980	DrvOTInj64.Exe
Token: 33	1980	DrvOTInj64.Exe
Token: 34	1980	DrvOTInj64.Exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1800	CPManager.exe
1800	CPManager.exe

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1800	CPManager.exe
1800	CPManager.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1732 wrote to memory of 240	1732	f9a54e53247feac3ffc37e48ca67f300_exe32.exe	28
PID 1732 wrote to memory of 240	1732	f9a54e53247feac3ffc37e48ca67f300_exe32.exe	28
PID 1732 wrote to memory of 240	1732	f9a54e53247feac3ffc37e48ca67f300_exe32.exe	28
PID 1732 wrote to memory of 240	1732	f9a54e53247feac3ffc37e48ca67f300_exe32.exe	28
PID 1732 wrote to memory of 240	1732	f9a54e53247feac3ffc37e48ca67f300_exe32.exe	28
PID 1732 wrote to memory of 240	1732	f9a54e53247feac3ffc37e48ca67f300_exe32.exe	28
PID 1732 wrote to memory of 240	1732	f9a54e53247feac3ffc37e48ca67f300_exe32.exe	28
PID 240 wrote to memory of 1816	240	SetupTmp.exe	29
PID 240 wrote to memory of 1816	240	SetupTmp.exe	29
PID 240 wrote to memory of 1816	240	SetupTmp.exe	29
PID 240 wrote to memory of 1816	240	SetupTmp.exe	29
PID 240 wrote to memory of 1816	240	SetupTmp.exe	29
PID 240 wrote to memory of 1816	240	SetupTmp.exe	29
PID 240 wrote to memory of 1816	240	SetupTmp.exe	29
PID 1816 wrote to memory of 1740	1816	SetupTmp.tmp	30
PID 1816 wrote to memory of 1740	1816	SetupTmp.tmp	30
PID 1816 wrote to memory of 1740	1816	SetupTmp.tmp	30
PID 1816 wrote to memory of 1740	1816	SetupTmp.tmp	30
PID 1816 wrote to memory of 1372	1816	SetupTmp.tmp	32
PID 1816 wrote to memory of 1372	1816	SetupTmp.tmp	32
PID 1816 wrote to memory of 1372	1816	SetupTmp.tmp	32
PID 1816 wrote to memory of 1372	1816	SetupTmp.tmp	32
PID 1816 wrote to memory of 2392	1816	SetupTmp.tmp	34
PID 1816 wrote to memory of 2392	1816	SetupTmp.tmp	34
PID 1816 wrote to memory of 2392	1816	SetupTmp.tmp	34
PID 1816 wrote to memory of 2392	1816	SetupTmp.tmp	34
PID 1816 wrote to memory of 2392	1816	SetupTmp.tmp	34
PID 1816 wrote to memory of 2392	1816	SetupTmp.tmp	34
PID 1816 wrote to memory of 2392	1816	SetupTmp.tmp	34
PID 1816 wrote to memory of 1800	1816	SetupTmp.tmp	35
PID 1816 wrote to memory of 1800	1816	SetupTmp.tmp	35
PID 1816 wrote to memory of 1800	1816	SetupTmp.tmp	35
PID 1816 wrote to memory of 1800	1816	SetupTmp.tmp	35
PID 1732 wrote to memory of 2212	1732	f9a54e53247feac3ffc37e48ca67f300_exe32.exe	36
PID 1732 wrote to memory of 2212	1732	f9a54e53247feac3ffc37e48ca67f300_exe32.exe	36
PID 1732 wrote to memory of 2212	1732	f9a54e53247feac3ffc37e48ca67f300_exe32.exe	36
PID 1732 wrote to memory of 2212	1732	f9a54e53247feac3ffc37e48ca67f300_exe32.exe	36
PID 1800 wrote to memory of 2560	1800	CPManager.exe	37
PID 1800 wrote to memory of 2560	1800	CPManager.exe	37
PID 1800 wrote to memory of 2560	1800	CPManager.exe	37
PID 1800 wrote to memory of 2560	1800	CPManager.exe	37
PID 1800 wrote to memory of 2560	1800	CPManager.exe	37
PID 1800 wrote to memory of 2560	1800	CPManager.exe	37
PID 1800 wrote to memory of 2560	1800	CPManager.exe	37
PID 1800 wrote to memory of 2692	1800	CPManager.exe	38
PID 1800 wrote to memory of 2692	1800	CPManager.exe	38
PID 1800 wrote to memory of 2692	1800	CPManager.exe	38
PID 1800 wrote to memory of 2692	1800	CPManager.exe	38
PID 1800 wrote to memory of 2580	1800	CPManager.exe	39
PID 1800 wrote to memory of 2580	1800	CPManager.exe	39
PID 1800 wrote to memory of 2580	1800	CPManager.exe	39
PID 1800 wrote to memory of 2580	1800	CPManager.exe	39
PID 1800 wrote to memory of 288	1800	CPManager.exe	40
PID 1800 wrote to memory of 288	1800	CPManager.exe	40
PID 1800 wrote to memory of 288	1800	CPManager.exe	40
PID 1800 wrote to memory of 288	1800	CPManager.exe	40
PID 2876 wrote to memory of 2704	2876	explorer.exe	42
PID 2876 wrote to memory of 2704	2876	explorer.exe	42
PID 2876 wrote to memory of 2704	2876	explorer.exe	42
PID 2876 wrote to memory of 2704	2876	explorer.exe	42
PID 1800 wrote to memory of 1980	1800	CPManager.exe	43
PID 1800 wrote to memory of 1980	1800	CPManager.exe	43
PID 1800 wrote to memory of 1980	1800	CPManager.exe	43
PID 1800 wrote to memory of 1980	1800	CPManager.exe	43

C:\Users\Admin\AppData\Local\Temp\f9a54e53247feac3ffc37e48ca67f300_exe32.exe
"C:\Users\Admin\AppData\Local\Temp\f9a54e53247feac3ffc37e48ca67f300_exe32.exe"
1⤵
- Loads dropped DLL
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:1732
- C:\ProgramData\MyGuard\SetupTmp.exe
  "C:\ProgramData\MyGuard\SetupTmp.exe" /Silent
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:240
- - C:\Users\Admin\AppData\Local\Temp\is-S5NUP.tmp\SetupTmp.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-S5NUP.tmp\SetupTmp.tmp" /SL5="$4016E,7067166,53248,C:\ProgramData\MyGuard\SetupTmp.exe" /Silent
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Windows\system32\cacls.exe
      "cacls" "C:\ProgramData\MyGuard" /T /C /E /P Everyone:F
      4⤵
      PID:1740
  - - C:\Windows\system32\cacls.exe
      "cacls" "C:\ProgramData\CryptorPlus" /T /C /E /P Everyone:F
      4⤵
      PID:1372
  - - C:\Windows\SysWOW64\instdrvOT.Exe
      "C:\Windows\SysWOW64\instdrvOT.Exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of AdjustPrivilegeToken
      PID:2392
  - - C:\Program Files (x86)\CryptorPlus\CPManager.exe
      "C:\Program Files (x86)\CryptorPlus\CPManager.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:1800
    - - C:\Windows\SysWow64\instdrvOT.exe
        
        "C:\Windows\SysWow64\instdrvOT.exe" ITMSYSTEM hide C
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
    - - C:\Windows\SysWow64\MgOT64.exe
        
        "C:\Windows\SysWow64\MgOT64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2692
    - - C:\Windows\SysWow64\ClipLDR64.exe
        
        "C:\Windows\SysWow64\ClipLDR64.exe"
        5⤵
        Executes dropped EXE
        
        PID:2580
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe" C:\Program Files (x86)\CryptorPlus\MyGuardTray.exe
        5⤵
        
        PID:288
    - - C:\Windows\SysWOW64\DrvOTInj64.Exe
        
        "C:\Windows\system32\DrvOTInj64.Exe" LItlsHKOT/ITLSHKOT.sys/ItlsHKOT64.sys/HKOTAPI.DLL/HKOTAPI64.DLL/*/svchost.exe/
        5⤵
        Sets service image path in registry
        Executes dropped EXE
        Loads dropped DLL
        Suspicious behavior: LoadsDriver
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
- C:\Program Files (x86)\CryptorPlus\CPManager.exe
  "C:\Program Files (x86)\CryptorPlus\CPManager.exe" CPEXE
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2212

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:2876
- C:\Program Files (x86)\CryptorPlus\MyGuardTray.exe
  "C:\Program Files (x86)\CryptorPlus\MyGuardTray.exe"
  2⤵
  - Executes dropped EXE
  PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\CryptorPlus\CPLng.Dat

Filesize
25KB

MD5
7e3384d9172f29b19620abf08b9b0b82

SHA1
d227ad21874430b873377e2407081b2401a6ef56

SHA256
21b508dfc8a79aa7410740111617ea0af36fc07d0b60ab4d66a389e37d74db64

SHA512
1f67a6d2d270db13ded8900204e337c338bea8074722e1fa4e07951acca4baa5d2537457927d14881bc7c2ad16ac661ae0b63adaaeb946523d53ca5cc3a8f4b5

Download Submit
C:\Program Files (x86)\CryptorPlus\CPManager.exe

Filesize
1.5MB

MD5
b256b7e1abb9111ecfd68449c4947fa8

SHA1
7e41b95b5fe013262f7ff929f65c71fc73c1f091

SHA256
5af3ee9d717a170c9cc7174838f0547fdfdd5f70f693bc1db5b2e40d86b8ec3b

SHA512
c04af25194e8d1e976d9c6d9750818f2ab1f07c545ff68f8d5a5ce7c8030961cef0b132097620910f68ee5dcd3e79a295c5391b9852b7c7d18bf016ada4560df

Download Submit
C:\Program Files (x86)\CryptorPlus\CPManager.exe

Filesize
1.5MB

MD5
b256b7e1abb9111ecfd68449c4947fa8

SHA1
7e41b95b5fe013262f7ff929f65c71fc73c1f091

SHA256
5af3ee9d717a170c9cc7174838f0547fdfdd5f70f693bc1db5b2e40d86b8ec3b

SHA512
c04af25194e8d1e976d9c6d9750818f2ab1f07c545ff68f8d5a5ce7c8030961cef0b132097620910f68ee5dcd3e79a295c5391b9852b7c7d18bf016ada4560df

Download Submit
C:\Program Files (x86)\CryptorPlus\CPManager.exe

Filesize
1.5MB

MD5
b256b7e1abb9111ecfd68449c4947fa8

SHA1
7e41b95b5fe013262f7ff929f65c71fc73c1f091

SHA256
5af3ee9d717a170c9cc7174838f0547fdfdd5f70f693bc1db5b2e40d86b8ec3b

SHA512
c04af25194e8d1e976d9c6d9750818f2ab1f07c545ff68f8d5a5ce7c8030961cef0b132097620910f68ee5dcd3e79a295c5391b9852b7c7d18bf016ada4560df

Download Submit
C:\Program Files (x86)\CryptorPlus\MgNetLib.dll

Filesize
485KB

MD5
7fca45a04fae4661ab8ff4689ea928f5

SHA1
e0ed854b85a59ba182c943e05790ebf294736364

SHA256
59599804ac57260d6cb1b32e015466c841a4c098007196350d070360eb1050f9

SHA512
2d1166a7d951b86bbff5cfe391ea124fc2958dbd68a9ac3b05d583c62ef983c7941ce030a180949779e91847885cf5035dd4bcd0232b194ddef182f488ad4aa9

Download Submit
C:\Program Files (x86)\CryptorPlus\MyGuardTray.exe

Filesize
6KB

MD5
095cbdabe7d688e59a6ba5aa75c2c824

SHA1
e342e70f67ac4c8a3ad903efd6b2361de9f35690

SHA256
f21eb70b2c5f8b64b8eaa97bc202ca0d7693fea436dbcf7adf2495c8c90fc1e9

SHA512
8e0f62897fad86ef4d0ebde467e77c2d73da4142ed68c31d4888ee2dfae622996e5c8444022768a7f19c895caeb257bc338155590a357cc3f40b0ee08866ebd1

Download Submit
C:\Program Files (x86)\CryptorPlus\MyGuardTray.exe

Filesize
6KB

MD5
095cbdabe7d688e59a6ba5aa75c2c824

SHA1
e342e70f67ac4c8a3ad903efd6b2361de9f35690

SHA256
f21eb70b2c5f8b64b8eaa97bc202ca0d7693fea436dbcf7adf2495c8c90fc1e9

SHA512
8e0f62897fad86ef4d0ebde467e77c2d73da4142ed68c31d4888ee2dfae622996e5c8444022768a7f19c895caeb257bc338155590a357cc3f40b0ee08866ebd1

Download Submit
C:\ProgramData\MyGuard\CryptorTmp\20231012093051223742\System.zip

Filesize
7.1MB

MD5
d056e4f22ff19219e3c943a1958ff7c6

SHA1
ba1905ca6d4fa30c8d6059911383fbeabf57618c

SHA256
fe1bb39ead2250bf4d575b195e608947bccdc125166f5f0c1360c51f5d74f374

SHA512
6de81c4bcbab52e0f3ecc452aa526ae8bb3c3772aeab99f725af54b18e4958bb0aa8879faf9fd78ecaa040b728de1ecaff436639e190cd8bbda16a873e8bd3a9

Download Submit
C:\ProgramData\MyGuard\Log\Cryptor Plus\20231016.log

Filesize
5KB

MD5
9b8ececb3b6385d7fd3df3b567777dd5

SHA1
833305564d6e9e17f34bfb97126f2541fa9270d3

SHA256
d87ccdf081440ac94722c6252f62d3ad60f6fd20ec10738cfebe874302fc976a

SHA512
964eef2b50a7eaab852e4b064570f9f9147341f34f20a841db0629979c1e23f1fac8ee75ccb85d302f53315e970a728c52f7d3e3129a64b30263009910c91cc8

Download Submit
C:\ProgramData\MyGuard\Log\Cryptor Plus\20231016.log

Filesize
6KB

MD5
25d7c4dd9c5d0b760e28b43a69d3145f

SHA1
369c9a2813b6c9224d94a4ca0d57e97bf89ba9b3

SHA256
349869a2b3dee6b4a44d2ff88d8b57f6fc28b63b9a000d0e9e4590efd62e5c6d

SHA512
59894ce4583f0c6a00f9219f8cc0f35068bdada280b5cadb04e05ad8285bcf03a138ce0e8e8c06eb8349493155446508002a72fb3332f127dfcef2d14e7b959f

Download Submit
C:\ProgramData\MyGuard\Log\Cryptor Plus\20231016.log

Filesize
6KB

MD5
34b6727725da6fd6ee8ed886499ce5f7

SHA1
4b3b34a700e65521ee77084f5c0b5e9dad69639e

SHA256
0d39512c7913025e06876c7bfd640ea1f2b317bfe18814348dbc9b21fa700a5c

SHA512
e7feb5ca92c8453de6881a00161d545940e7512d469ff18e2f8e42afa42eff8e91e92ae7cb96254c271741976bf136024b72a8debaa9cfed4b64f08781838ec4

Download Submit
C:\ProgramData\MyGuard\Log\Cryptor Plus\20231016.log

Filesize
6KB

MD5
7bc601b747ad4b8277f81c3ad85f1b7d

SHA1
a4e8ffd80bf9f8e452619ec4b879f71fb8de1ac7

SHA256
ccbbf4fe5596aff24b62c97626b5d365f76d8f9e44054ee63b21d86398c57245

SHA512
294d1c919117d83df57f2925de6c34efcb1cf0758817b1379d4cfa8512507d3b2d3a5c3f3862462ceb68e920be7c621218be5345acb91eb9d02f680f5ee4190d

Download Submit
C:\ProgramData\MyGuard\Log\Cryptor Plus\20231016.log

Filesize
6KB

MD5
cac980b905c50f20176882a110cb8744

SHA1
b55685aa9d1b8b865f28a2e3ecb648b895b71db7

SHA256
ecde598628595ca253c4104a7221e180a06e73e8e088752d7f6f256cec337aa5

SHA512
0e611ef680f0af9579bcf1cad2f4a357f903cadbc1b7c92ed79a05e823ca40fe473675fb5188f5fe95639820cfd800d19f3d1b019c65cd26051b2654875e6584

Download Submit
C:\ProgramData\MyGuard\SetupTmp.exe

Filesize
7.1MB

MD5
9d7d875bc8c6b94884151ddd978ee0f7

SHA1
61185986d24916c54751c022e98c2166fbd2fba0

SHA256
36ad6161db62967ebfdbdd32be09d4555396b56613aaad3265de3e01de974f4e

SHA512
0c566f6474bc76b0f814d0b6917db8257f7b6c63ec36e6cd1107a35c3853dec3429432c286568e1f5b03bf6eb04fb7566bbf412cff4c273cc30070e696788654

Download Submit
C:\ProgramData\MyGuard\SetupTmp.exe

Filesize
7.1MB

MD5
9d7d875bc8c6b94884151ddd978ee0f7

SHA1
61185986d24916c54751c022e98c2166fbd2fba0

SHA256
36ad6161db62967ebfdbdd32be09d4555396b56613aaad3265de3e01de974f4e

SHA512
0c566f6474bc76b0f814d0b6917db8257f7b6c63ec36e6cd1107a35c3853dec3429432c286568e1f5b03bf6eb04fb7566bbf412cff4c273cc30070e696788654

Download Submit
C:\ProgramData\MyGuard\SetupTmp.exe

Filesize
7.1MB

MD5
9d7d875bc8c6b94884151ddd978ee0f7

SHA1
61185986d24916c54751c022e98c2166fbd2fba0

SHA256
36ad6161db62967ebfdbdd32be09d4555396b56613aaad3265de3e01de974f4e

SHA512
0c566f6474bc76b0f814d0b6917db8257f7b6c63ec36e6cd1107a35c3853dec3429432c286568e1f5b03bf6eb04fb7566bbf412cff4c273cc30070e696788654

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2

Filesize
1KB

MD5
24bf0db099091e98b2759b8d2cbe10d2

SHA1
29fa76ec7596fbecef79833e1c758c5b0b31e92e

SHA256
90cb640fa18391ee390c6f2282896c2d44d2d4351afee3b678e45154aac98d8f

SHA512
43b5967636241617e46e5d66419877d20987162b4ed7b28fd8a483f4325a5c69b4885eb4fa4058d56cb1c022330b0872508029eb6dae4bb763ed23a3f6184ec5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_EA8D92B3458A834F48476616FF4FBC8F

Filesize
1KB

MD5
24741648bc3fc6d634b0f1a7074f2bd5

SHA1
96516be6d6ca8fc9ec2accc77ab3ab946d4f6b54

SHA256
49b5a91a6a21875f012fa963cb2bbd8b16a8f2e5c392fb3a9ccfae30928989d3

SHA512
f217293a36cc4e796ceb853ef14a3188b7b5b8b83ab954faaf6424ef48843f67d45c083bfc8f4106ab3b3a599f8ac4ad9798e3a0f8a889ef2c7ca31b35b9820d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2

Filesize
394B

MD5
3e20b6e0c78a4522a368d8b776fe69a6

SHA1
a532cbb6c6b60de253ca81f8e86778894306adf2

SHA256
03e76916959ab9a45129df0f911a1ee34a3072613236da62b82a281e75dad52b

SHA512
cf2b932b736b38fd0d65b807f5969ca16014e2856b6ac2385848bc1f1b5b5a74546fb726c76e870d702688d9cb57d722aa36906d0d16a8fb6905e8d8f9617fba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_EA8D92B3458A834F48476616FF4FBC8F

Filesize
398B

MD5
057e540b862a0f269c76929f552bf417

SHA1
58e929836368bf40dd8f5b8f0e4ac9fb80ca9ea6

SHA256
099514ccebd8534763e4635d3c4be99fd7765484d782ddfbe53dc5f0c77049d7

SHA512
c271c750f6c9f259853f06db47ce0836137d9e7d7b7005027c8cd029f2072ce34c66fe8ab6feef95b414c845315bdb0f3c62ef193815d651891f2d7332e9e2bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
81cc4a5859bfc40c88bc8b43fa13e12c

SHA1
70fe67bd182da261fe013ef9979a723d217e9592

SHA256
bb538e37268d2ec142092aa8988e38c02fd1d2771d8a357c08621bf2c729099d

SHA512
e4cafd98cb93a34fdfd2329ab4317051722edf5cf1beafc6352c1baebf235eb79250c009714e35105d30fa15801bdb52c1eabea1a9b9bcc2cda6038816153ccf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3A16.tmp

Filesize
61KB

MD5
f3441b8572aae8801c04f3060b550443

SHA1
4ef0a35436125d6821831ef36c28ffaf196cda15

SHA256
6720349e7d82ee0a8e73920d3c2b7cb2912d9fcf2edb6fd98f2f12820158b0bf

SHA512
5ba01ba421b50030e380ae6bbcd2f681f2a91947fe7fedb3c8e6b5f24dce9517abf57b1cf26cc6078d4bb53bde6fcfb2561591337c841f8f2cb121a3d71661b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3A28.tmp

Filesize
163KB

MD5
9441737383d21192400eca82fda910ec

SHA1
725e0d606a4fc9ba44aa8ffde65bed15e65367e4

SHA256
bc3a6e84e41faeb57e7c21aa3b60c2a64777107009727c5b7c0ed8fe658909e5

SHA512
7608dd653a66cd364392a78d4711b48d1707768d36996e4d38871c6843b5714e1d7da4b4cc6db969e6000cfa182bcb74216ef6823d1063f036fc5c3413fb8dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S5NUP.tmp\SetupTmp.tmp

Filesize
669KB

MD5
52950ac9e2b481453082f096120e355a

SHA1
159c09db1abcee9114b4f792ffba255c78a6e6c3

SHA256
25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

SHA512
5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-S5NUP.tmp\SetupTmp.tmp

Filesize
669KB

MD5
52950ac9e2b481453082f096120e355a

SHA1
159c09db1abcee9114b4f792ffba255c78a6e6c3

SHA256
25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

SHA512
5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

Download Submit
C:\Windows\SysWOW64\ClipLDR64.exe

Filesize
60KB

MD5
c020333b90b1ad4988c719dc57d16206

SHA1
cab91531e0177f8e503ecf4c2cb700dd9cecbd5d

SHA256
6485291fc3de7d8056469ab4b77ecaa20eb56562da838edb8e3eb69f646b35d8

SHA512
431ef3ede783893fdef00f484986393f8b8ad4f8f46ce7297c294db5ff9af7b7f23ce1c3e6e536459c15072e2f236b961adafc727dcd81294970737d1661647c

Download Submit
C:\Windows\SysWOW64\DrvOTInj64.Exe

Filesize
328KB

MD5
b9a770560e3650fb1b55cc0c2cab13af

SHA1
ba906f724a53f7d4c35e34a1c7df9ae19e2cca46

SHA256
50cc811cdff30aaab942bdd0413fea886d44e06f0ac1f1ec1064790e13b43c50

SHA512
7052e622dd84ec6f15f97dc975ad1aaf8c5f8724f7efbbd012a15b20c34cba55aa7f68edc5a4777abefab154339ded9424cf0adbd0423f9c9c1abdfd52d3d19b

Download Submit
C:\Windows\SysWOW64\ItlsOTN.dll

Filesize
86KB

MD5
259eaa95e96f82656b4379c2228156cb

SHA1
ad3460c7ee721a769a7f91d05bc65ae0cc2b2ac5

SHA256
603e635a9e06257c75813aaa8f4dafd29bdcaa7e8018e194fe756ca58d997f76

SHA512
999b7f60868a6b8f08f2b389307e4dfe86b4855072258e3bd8d5c5ca6d52532c7bf5d6fac959c211134fe3614f7f4991101b7d7d1a09fcc0557bd2ec3ec360a6

Download Submit
C:\Windows\SysWOW64\MGOT64.exe

Filesize
78KB

MD5
87f2495983292f0d5303dff91c592abf

SHA1
25c1b0f4af4ae83f004e68d918b887d36f6a7a20

SHA256
f5062d5d9c84664ec0c259df18e75b13d85530b332540f55e1ba0ab849e0d12d

SHA512
87292cb8d46ef95a4e207906a1758ea5557d8ed6d395d66f78178b3d25d9b1efa0dd3e94bb21fc8e644a124d23ba44da26a6fd3d3b494814cb96a51edf3c2a7e

Download Submit
C:\Windows\SysWOW64\PtrWide.dll

Filesize
23KB

MD5
58104f9d25d65c3a59214f76a9e86a60

SHA1
67972991162cc001472b2ca6d96dd40770b8443a

SHA256
19f0c9df24cdc16cb161176b10a93323d3d5180c858332e66a44163ebc42b517

SHA512
199ead98db6644f747618498a5418bd44d836210b8bd553b364a87661be6151763a34ce0187f2f9d996edda29a6ea5d4e25ed91605e943a6ddd9ba8e70029e7d

Download Submit
C:\Windows\SysWOW64\instdrvOT.Exe

Filesize
91KB

MD5
a2f32de5774bf45fa37f1f049bf262ce

SHA1
8e83357a1dfa9ea7306314bfa472074ab673f1e9

SHA256
85754c29d729c71972b65765d1a4dbef9394f92c2d0d394f35ce34c00fcea080

SHA512
573973b88ea2d53bf3a580584178edaf2381e8536e534d43241be5add5f7173ce852a280a2dfe683b9688620604052106e7039c5ad6899465beaba220922feab

Download Submit
C:\Windows\SysWOW64\instdrvOT.exe

Filesize
91KB

MD5
a2f32de5774bf45fa37f1f049bf262ce

SHA1
8e83357a1dfa9ea7306314bfa472074ab673f1e9

SHA256
85754c29d729c71972b65765d1a4dbef9394f92c2d0d394f35ce34c00fcea080

SHA512
573973b88ea2d53bf3a580584178edaf2381e8536e534d43241be5add5f7173ce852a280a2dfe683b9688620604052106e7039c5ad6899465beaba220922feab

Download Submit
C:\Windows\SysWOW64\instdrvOT.exe

Filesize
91KB

MD5
a2f32de5774bf45fa37f1f049bf262ce

SHA1
8e83357a1dfa9ea7306314bfa472074ab673f1e9

SHA256
85754c29d729c71972b65765d1a4dbef9394f92c2d0d394f35ce34c00fcea080

SHA512
573973b88ea2d53bf3a580584178edaf2381e8536e534d43241be5add5f7173ce852a280a2dfe683b9688620604052106e7039c5ad6899465beaba220922feab

Download Submit
C:\Windows\SysWOW64\itlsNUOT.dll

Filesize
7.0MB

MD5
e7faf6e859e007b9baf8e2641040ee5f

SHA1
eb088d1fbf46fb022bfc489b28ecaa87966372d7

SHA256
b42bc961e97e223e72a1cc0f629a7654afa2d5c722a4b79a5d30bc4a475d6c7d

SHA512
0bd96ba9c5084374608809a8cb33d0518d42454ea00cf3fd3a5a60b5cf3e75e277e63df319414d383496f1accf838025b27433720e17750ba4c48e0793b22086

Download Submit
C:\Windows\SysWOW64\miscfunc.dll

Filesize
29KB

MD5
2a6450207d3c9722939b7ac55a97dc85

SHA1
216ede312428b076ba795bd7e7658cbabb38cdf1

SHA256
42d0823fe84641010a9d51e4d9256d4ae6033bdcf398bb5337c3cc7fd101dfd4

SHA512
57615d67c4ebac9d819f2d0274d87fc65d2c6160795ecf3b32dbc8f35b7b8eeb8e481b9753799b17d561285635aed5f5bd10d69b0a39d46973de833f8e2424b0

Download Submit
C:\Windows\SysWow64\ClipLDR64.exe

Filesize
60KB

MD5
c020333b90b1ad4988c719dc57d16206

SHA1
cab91531e0177f8e503ecf4c2cb700dd9cecbd5d

SHA256
6485291fc3de7d8056469ab4b77ecaa20eb56562da838edb8e3eb69f646b35d8

SHA512
431ef3ede783893fdef00f484986393f8b8ad4f8f46ce7297c294db5ff9af7b7f23ce1c3e6e536459c15072e2f236b961adafc727dcd81294970737d1661647c

Download Submit
C:\Windows\SysWow64\MgOT64.exe

Filesize
78KB

MD5
87f2495983292f0d5303dff91c592abf

SHA1
25c1b0f4af4ae83f004e68d918b887d36f6a7a20

SHA256
f5062d5d9c84664ec0c259df18e75b13d85530b332540f55e1ba0ab849e0d12d

SHA512
87292cb8d46ef95a4e207906a1758ea5557d8ed6d395d66f78178b3d25d9b1efa0dd3e94bb21fc8e644a124d23ba44da26a6fd3d3b494814cb96a51edf3c2a7e

Download Submit
C:\Windows\system32\AgentComMod64.dll

Filesize
41KB

MD5
9350fd9ae2e18b7ecf072cbce52c6bdc

SHA1
7a746b5428c915500183be221b70496986e7efef

SHA256
b6b2f38583e14d9ff342d4a547ec3bdd47bc1542ad7ff5ddb90a75fbf865a894

SHA512
55d5aafb7ff39efd9d92ce997d3b3f3a87bb9e181366eb57fd413a140b970cd140547b550013b71c05159428795a0a2b9a281ef211d463b6d9bf196b0b5b8e5a

Download Submit
\Program Files (x86)\CryptorPlus\CPManager.exe

Filesize
1.5MB

MD5
b256b7e1abb9111ecfd68449c4947fa8

SHA1
7e41b95b5fe013262f7ff929f65c71fc73c1f091

SHA256
5af3ee9d717a170c9cc7174838f0547fdfdd5f70f693bc1db5b2e40d86b8ec3b

SHA512
c04af25194e8d1e976d9c6d9750818f2ab1f07c545ff68f8d5a5ce7c8030961cef0b132097620910f68ee5dcd3e79a295c5391b9852b7c7d18bf016ada4560df

Download Submit
\Program Files (x86)\CryptorPlus\CPManager.exe

Filesize
1.5MB

MD5
b256b7e1abb9111ecfd68449c4947fa8

SHA1
7e41b95b5fe013262f7ff929f65c71fc73c1f091

SHA256
5af3ee9d717a170c9cc7174838f0547fdfdd5f70f693bc1db5b2e40d86b8ec3b

SHA512
c04af25194e8d1e976d9c6d9750818f2ab1f07c545ff68f8d5a5ce7c8030961cef0b132097620910f68ee5dcd3e79a295c5391b9852b7c7d18bf016ada4560df

Download Submit
\Program Files (x86)\CryptorPlus\MgNetLib.dll

Filesize
485KB

MD5
7fca45a04fae4661ab8ff4689ea928f5

SHA1
e0ed854b85a59ba182c943e05790ebf294736364

SHA256
59599804ac57260d6cb1b32e015466c841a4c098007196350d070360eb1050f9

SHA512
2d1166a7d951b86bbff5cfe391ea124fc2958dbd68a9ac3b05d583c62ef983c7941ce030a180949779e91847885cf5035dd4bcd0232b194ddef182f488ad4aa9

Download Submit
\Program Files (x86)\CryptorPlus\MgNetLib.dll

Filesize
485KB

MD5
7fca45a04fae4661ab8ff4689ea928f5

SHA1
e0ed854b85a59ba182c943e05790ebf294736364

SHA256
59599804ac57260d6cb1b32e015466c841a4c098007196350d070360eb1050f9

SHA512
2d1166a7d951b86bbff5cfe391ea124fc2958dbd68a9ac3b05d583c62ef983c7941ce030a180949779e91847885cf5035dd4bcd0232b194ddef182f488ad4aa9

Download Submit
\Program Files (x86)\CryptorPlus\MgNetLib.dll

Filesize
485KB

MD5
7fca45a04fae4661ab8ff4689ea928f5

SHA1
e0ed854b85a59ba182c943e05790ebf294736364

SHA256
59599804ac57260d6cb1b32e015466c841a4c098007196350d070360eb1050f9

SHA512
2d1166a7d951b86bbff5cfe391ea124fc2958dbd68a9ac3b05d583c62ef983c7941ce030a180949779e91847885cf5035dd4bcd0232b194ddef182f488ad4aa9

Download Submit
\Program Files (x86)\CryptorPlus\MgNetLib.dll

Filesize
485KB

MD5
7fca45a04fae4661ab8ff4689ea928f5

SHA1
e0ed854b85a59ba182c943e05790ebf294736364

SHA256
59599804ac57260d6cb1b32e015466c841a4c098007196350d070360eb1050f9

SHA512
2d1166a7d951b86bbff5cfe391ea124fc2958dbd68a9ac3b05d583c62ef983c7941ce030a180949779e91847885cf5035dd4bcd0232b194ddef182f488ad4aa9

Download Submit
\Program Files (x86)\CryptorPlus\MgNetLib.dll

Filesize
485KB

MD5
7fca45a04fae4661ab8ff4689ea928f5

SHA1
e0ed854b85a59ba182c943e05790ebf294736364

SHA256
59599804ac57260d6cb1b32e015466c841a4c098007196350d070360eb1050f9

SHA512
2d1166a7d951b86bbff5cfe391ea124fc2958dbd68a9ac3b05d583c62ef983c7941ce030a180949779e91847885cf5035dd4bcd0232b194ddef182f488ad4aa9

Download Submit
\Program Files (x86)\CryptorPlus\MgNetLib.dll

Filesize
485KB

MD5
7fca45a04fae4661ab8ff4689ea928f5

SHA1
e0ed854b85a59ba182c943e05790ebf294736364

SHA256
59599804ac57260d6cb1b32e015466c841a4c098007196350d070360eb1050f9

SHA512
2d1166a7d951b86bbff5cfe391ea124fc2958dbd68a9ac3b05d583c62ef983c7941ce030a180949779e91847885cf5035dd4bcd0232b194ddef182f488ad4aa9

Download Submit
\Program Files (x86)\CryptorPlus\unins000.exe

Filesize
679KB

MD5
1e0a864574fd98b420cca7a233d6632b

SHA1
7677774e0a099f5ea2b6e281a88051bab484b4b3

SHA256
5d10a170cb5f24d3d3f7be74d391d4249c606f78f536bcec2486d59ca7460a0b

SHA512
235dd62b759acc0bd07f7ef0ed36f84115b00c0860c718e5868d41e4a3355051695306a61c2bcb8bbe54c56dcdb45b4290d4c31a3ed618fc6e4d1df5dc099818

Download Submit
\ProgramData\MyGuard\SetupTmp.exe

Filesize
7.1MB

MD5
9d7d875bc8c6b94884151ddd978ee0f7

SHA1
61185986d24916c54751c022e98c2166fbd2fba0

SHA256
36ad6161db62967ebfdbdd32be09d4555396b56613aaad3265de3e01de974f4e

SHA512
0c566f6474bc76b0f814d0b6917db8257f7b6c63ec36e6cd1107a35c3853dec3429432c286568e1f5b03bf6eb04fb7566bbf412cff4c273cc30070e696788654

Download Submit
\ProgramData\MyGuard\SetupTmp.exe

Filesize
7.1MB

MD5
9d7d875bc8c6b94884151ddd978ee0f7

SHA1
61185986d24916c54751c022e98c2166fbd2fba0

SHA256
36ad6161db62967ebfdbdd32be09d4555396b56613aaad3265de3e01de974f4e

SHA512
0c566f6474bc76b0f814d0b6917db8257f7b6c63ec36e6cd1107a35c3853dec3429432c286568e1f5b03bf6eb04fb7566bbf412cff4c273cc30070e696788654

Download Submit
\ProgramData\MyGuard\SetupTmp.exe

Filesize
7.1MB

MD5
9d7d875bc8c6b94884151ddd978ee0f7

SHA1
61185986d24916c54751c022e98c2166fbd2fba0

SHA256
36ad6161db62967ebfdbdd32be09d4555396b56613aaad3265de3e01de974f4e

SHA512
0c566f6474bc76b0f814d0b6917db8257f7b6c63ec36e6cd1107a35c3853dec3429432c286568e1f5b03bf6eb04fb7566bbf412cff4c273cc30070e696788654

Download Submit
\Users\Admin\AppData\Local\Temp\is-KKTD3.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-KKTD3.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-S5NUP.tmp\SetupTmp.tmp

Filesize
669KB

MD5
52950ac9e2b481453082f096120e355a

SHA1
159c09db1abcee9114b4f792ffba255c78a6e6c3

SHA256
25fbc88c7c967266f041ae4d47c2eae0b96086f9e440cca10729103aee7ef6cd

SHA512
5b61c28bbcaedadb3b6cd3bb8a392d18016c354c4c16e01395930666addc95994333dfc45bea1a1844f6f1585e79c729136d3714ac118b5848becde0bdb182ba

Download Submit
\Windows\SysWOW64\ClipLDR64.exe

Filesize
60KB

MD5
c020333b90b1ad4988c719dc57d16206

SHA1
cab91531e0177f8e503ecf4c2cb700dd9cecbd5d

SHA256
6485291fc3de7d8056469ab4b77ecaa20eb56562da838edb8e3eb69f646b35d8

SHA512
431ef3ede783893fdef00f484986393f8b8ad4f8f46ce7297c294db5ff9af7b7f23ce1c3e6e536459c15072e2f236b961adafc727dcd81294970737d1661647c

Download Submit
\Windows\SysWOW64\ItlsOTN.dll

Filesize
86KB

MD5
259eaa95e96f82656b4379c2228156cb

SHA1
ad3460c7ee721a769a7f91d05bc65ae0cc2b2ac5

SHA256
603e635a9e06257c75813aaa8f4dafd29bdcaa7e8018e194fe756ca58d997f76

SHA512
999b7f60868a6b8f08f2b389307e4dfe86b4855072258e3bd8d5c5ca6d52532c7bf5d6fac959c211134fe3614f7f4991101b7d7d1a09fcc0557bd2ec3ec360a6

Download Submit
\Windows\SysWOW64\MGOT64.exe

Filesize
78KB

MD5
87f2495983292f0d5303dff91c592abf

SHA1
25c1b0f4af4ae83f004e68d918b887d36f6a7a20

SHA256
f5062d5d9c84664ec0c259df18e75b13d85530b332540f55e1ba0ab849e0d12d

SHA512
87292cb8d46ef95a4e207906a1758ea5557d8ed6d395d66f78178b3d25d9b1efa0dd3e94bb21fc8e644a124d23ba44da26a6fd3d3b494814cb96a51edf3c2a7e

Download Submit
\Windows\SysWOW64\instdrvOT.exe

Filesize
91KB

MD5
a2f32de5774bf45fa37f1f049bf262ce

SHA1
8e83357a1dfa9ea7306314bfa472074ab673f1e9

SHA256
85754c29d729c71972b65765d1a4dbef9394f92c2d0d394f35ce34c00fcea080

SHA512
573973b88ea2d53bf3a580584178edaf2381e8536e534d43241be5add5f7173ce852a280a2dfe683b9688620604052106e7039c5ad6899465beaba220922feab

Download Submit
\Windows\SysWOW64\instdrvOT.exe

Filesize
91KB

MD5
a2f32de5774bf45fa37f1f049bf262ce

SHA1
8e83357a1dfa9ea7306314bfa472074ab673f1e9

SHA256
85754c29d729c71972b65765d1a4dbef9394f92c2d0d394f35ce34c00fcea080

SHA512
573973b88ea2d53bf3a580584178edaf2381e8536e534d43241be5add5f7173ce852a280a2dfe683b9688620604052106e7039c5ad6899465beaba220922feab

Download Submit
\Windows\SysWOW64\instdrvOT.exe

Filesize
91KB

MD5
a2f32de5774bf45fa37f1f049bf262ce

SHA1
8e83357a1dfa9ea7306314bfa472074ab673f1e9

SHA256
85754c29d729c71972b65765d1a4dbef9394f92c2d0d394f35ce34c00fcea080

SHA512
573973b88ea2d53bf3a580584178edaf2381e8536e534d43241be5add5f7173ce852a280a2dfe683b9688620604052106e7039c5ad6899465beaba220922feab

Download Submit
\Windows\SysWOW64\instdrvOT.exe

Filesize
91KB

MD5
a2f32de5774bf45fa37f1f049bf262ce

SHA1
8e83357a1dfa9ea7306314bfa472074ab673f1e9

SHA256
85754c29d729c71972b65765d1a4dbef9394f92c2d0d394f35ce34c00fcea080

SHA512
573973b88ea2d53bf3a580584178edaf2381e8536e534d43241be5add5f7173ce852a280a2dfe683b9688620604052106e7039c5ad6899465beaba220922feab

Download Submit
\Windows\SysWOW64\instdrvOT.exe

Filesize
91KB

MD5
a2f32de5774bf45fa37f1f049bf262ce

SHA1
8e83357a1dfa9ea7306314bfa472074ab673f1e9

SHA256
85754c29d729c71972b65765d1a4dbef9394f92c2d0d394f35ce34c00fcea080

SHA512
573973b88ea2d53bf3a580584178edaf2381e8536e534d43241be5add5f7173ce852a280a2dfe683b9688620604052106e7039c5ad6899465beaba220922feab

Download Submit
\Windows\SysWOW64\instdrvOT.exe

Filesize
91KB

MD5
a2f32de5774bf45fa37f1f049bf262ce

SHA1
8e83357a1dfa9ea7306314bfa472074ab673f1e9

SHA256
85754c29d729c71972b65765d1a4dbef9394f92c2d0d394f35ce34c00fcea080

SHA512
573973b88ea2d53bf3a580584178edaf2381e8536e534d43241be5add5f7173ce852a280a2dfe683b9688620604052106e7039c5ad6899465beaba220922feab

Download Submit
\Windows\SysWOW64\instdrvOT.exe

Filesize
91KB

MD5
a2f32de5774bf45fa37f1f049bf262ce

SHA1
8e83357a1dfa9ea7306314bfa472074ab673f1e9

SHA256
85754c29d729c71972b65765d1a4dbef9394f92c2d0d394f35ce34c00fcea080

SHA512
573973b88ea2d53bf3a580584178edaf2381e8536e534d43241be5add5f7173ce852a280a2dfe683b9688620604052106e7039c5ad6899465beaba220922feab

Download Submit
\Windows\SysWOW64\instdrvOT.exe

Filesize
91KB

MD5
a2f32de5774bf45fa37f1f049bf262ce

SHA1
8e83357a1dfa9ea7306314bfa472074ab673f1e9

SHA256
85754c29d729c71972b65765d1a4dbef9394f92c2d0d394f35ce34c00fcea080

SHA512
573973b88ea2d53bf3a580584178edaf2381e8536e534d43241be5add5f7173ce852a280a2dfe683b9688620604052106e7039c5ad6899465beaba220922feab

Download Submit
\Windows\SysWOW64\itlsNUOT.dll

Filesize
7.0MB

MD5
e7faf6e859e007b9baf8e2641040ee5f

SHA1
eb088d1fbf46fb022bfc489b28ecaa87966372d7

SHA256
b42bc961e97e223e72a1cc0f629a7654afa2d5c722a4b79a5d30bc4a475d6c7d

SHA512
0bd96ba9c5084374608809a8cb33d0518d42454ea00cf3fd3a5a60b5cf3e75e277e63df319414d383496f1accf838025b27433720e17750ba4c48e0793b22086

Download Submit
\Windows\SysWOW64\miscfunc.dll

Filesize
29KB

MD5
2a6450207d3c9722939b7ac55a97dc85

SHA1
216ede312428b076ba795bd7e7658cbabb38cdf1

SHA256
42d0823fe84641010a9d51e4d9256d4ae6033bdcf398bb5337c3cc7fd101dfd4

SHA512
57615d67c4ebac9d819f2d0274d87fc65d2c6160795ecf3b32dbc8f35b7b8eeb8e481b9753799b17d561285635aed5f5bd10d69b0a39d46973de833f8e2424b0

Download Submit
\Windows\SysWOW64\ptrwide.dll

Filesize
23KB

MD5
58104f9d25d65c3a59214f76a9e86a60

SHA1
67972991162cc001472b2ca6d96dd40770b8443a

SHA256
19f0c9df24cdc16cb161176b10a93323d3d5180c858332e66a44163ebc42b517

SHA512
199ead98db6644f747618498a5418bd44d836210b8bd553b364a87661be6151763a34ce0187f2f9d996edda29a6ea5d4e25ed91605e943a6ddd9ba8e70029e7d

Download Submit
\Windows\System32\AgentComMod64.dll

Filesize
41KB

MD5
9350fd9ae2e18b7ecf072cbce52c6bdc

SHA1
7a746b5428c915500183be221b70496986e7efef

SHA256
b6b2f38583e14d9ff342d4a547ec3bdd47bc1542ad7ff5ddb90a75fbf865a894

SHA512
55d5aafb7ff39efd9d92ce997d3b3f3a87bb9e181366eb57fd413a140b970cd140547b550013b71c05159428795a0a2b9a281ef211d463b6d9bf196b0b5b8e5a

Download Submit
memory/240-316-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/240-130-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1732-287-0x00000000023B0000-0x00000000023F0000-memory.dmp

Filesize
256KB

Download
memory/1732-221-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/1732-0-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/1732-478-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/1732-1-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/1732-2-0x00000000023B0000-0x00000000023F0000-memory.dmp

Filesize
256KB

Download
memory/1800-326-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/1800-388-0x0000000008AC0000-0x00000000091C7000-memory.dmp

Filesize
7.0MB

Download
memory/1800-412-0x0000000000120000-0x0000000000160000-memory.dmp

Filesize
256KB

Download
memory/1800-479-0x0000000000120000-0x0000000000160000-memory.dmp

Filesize
256KB

Download
memory/1800-314-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/1800-480-0x0000000008AC0000-0x00000000091C7000-memory.dmp

Filesize
7.0MB

Download
memory/1800-315-0x0000000000120000-0x0000000000160000-memory.dmp

Filesize
256KB

Download
memory/1800-342-0x0000000000120000-0x0000000000160000-memory.dmp

Filesize
256KB

Download
memory/1800-345-0x0000000000120000-0x0000000000160000-memory.dmp

Filesize
256KB

Download
memory/1800-477-0x0000000006240000-0x0000000006241000-memory.dmp

Filesize
4KB

Download
memory/1800-411-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/1816-309-0x0000000000400000-0x00000000004B6000-memory.dmp

Filesize
728KB

Download
memory/1816-139-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2212-341-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-327-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/2392-281-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2560-367-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2692-426-0x0000000080010000-0x0000000080014000-memory.dmp

Filesize
16KB

Download
memory/2692-442-0x0000000080060000-0x0000000080062000-memory.dmp

Filesize
8KB

Download
memory/2692-430-0x000007FEFDEB0000-0x000007FEFDEB2000-memory.dmp

Filesize
8KB

Download
memory/2692-434-0x000007FEFDEA0000-0x000007FEFDEA4000-memory.dmp

Filesize
16KB

Download
memory/2692-436-0x0000000080040000-0x0000000080042000-memory.dmp

Filesize
8KB

Download
memory/2692-439-0x0000000080030000-0x0000000080034000-memory.dmp

Filesize
16KB

Download
memory/2692-441-0x0000000080000000-0x0000000080001000-memory.dmp

Filesize
4KB

Download
memory/2692-425-0x000007FEFFFF0000-0x000007FEFFFF1000-memory.dmp

Filesize
4KB

Download
memory/2692-445-0x0000000080000000-0x0000000080001000-memory.dmp

Filesize
4KB

Download
memory/2692-446-0x0000000080050000-0x0000000080054000-memory.dmp

Filesize
16KB

Download
memory/2692-482-0x0000000077BB0000-0x0000000077D59000-memory.dmp

Filesize
1.7MB

Download
memory/2692-427-0x0000000077BB0000-0x0000000077D59000-memory.dmp

Filesize
1.7MB

Download
memory/2692-417-0x0000000080020000-0x0000000080022000-memory.dmp

Filesize
8KB

Download
memory/2704-402-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/2704-481-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download
memory/2704-408-0x0000000074F10000-0x00000000754BB000-memory.dmp

Filesize
5.7MB

Download